
User Guide

Search Query

You will be able to search the available intelligence sources using a search query made up of keywords and operators.

Creating and running a search query

To create and run a search query:

  1. Navigate to Adversary Centric Intelligence > Investigation page.

  2. Enter the search query, using the keywords and operators you want to search for, in the search box. For the supported query syntax, see Search Query Syntax.

  3. Select the required sources from the list. Supported sources include the following:

    • All (default)

    • Cyber-Crime Forums Posts

    • Ransomware Posts

    • Telegram Messages

    • Leaked Documents

    • Cyber-Crime Forums Posts Old

    • Paste Site Posts

    • Defacement Websites

    • OSINT- Cyber Stores

  4. Click the search icon.

Saving a search query

You can save your custom search queries for future use and to be notified of new matches. There are two types of saved queries:

  • System queries - These queries are automatically generated for each organization based on their organization name, brand names, and primary domain. System queries cannot be edited.

  • User queries - You can save custom search queries that are specific to your requirements.

To save a user search query:

  1. Navigate to Adversary Centric Intelligence > Investigation page.

  2. Enter and run the search query.

  3. Click the Save icon.

  4. In the Query Details window, provide the Query Name.

  5. Select the Notify checkbox if you want to enable notifications for the query.

  6. Click Save.

To run a saved search query:

  1. Navigate to Adversary Centric Intelligence > Investigation page.

  2. Click the Saved Queries icon.

  3. Select the required saved search query.

To delete a saved search query:

  1. Navigate to Adversary Centric Intelligence > Investigation page.

  2. Click the Saved Queries icon.

  3. Click the X icon.

To update a saved search query:

  1. Select the saved search query.

  2. Update the search query in the search box if required.

  3. Click the Save icon.

  4. Update the Query Name if required.

  5. Click Update to update the existing search query or click Save As New to save as a new search query.

Search Query Syntax

The Lucene query language is used to search for specific posts and messages. The following are examples of how to use the query language.

Use Case                                                               Query
To filter messages for an exact domain match.                          "knowbe4.com"
To filter messages for a wildcard match containing the domain name.    *google.com
To filter messages for a specific keyword with an exact match.         "Cyber"
To filter messages for a keyword with a wildcard match.                *Cyber*
To find matches for multiple keywords.                                 ("bank" OR "banco" OR "ATM malware")
To find matches for multiple keywords with an AND condition.           ("stealer" OR "worm" OR "malware") AND ("bank")
To find matches for multiple keywords while excluding some keywords.   (healthcare OR medical*) NOT ("healthy" OR "Medical Cannabis")

The following operators and modifiers are supported.

Operator / Modifier   Description
AND                   Use this option to find text that contains both terms.
OR                    Use this option to find text that contains at least one of the terms.
NOT                   Use this option to exclude text that contains the term.
*                     Use this option to perform a wildcard search.
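The following Python script is an added example; it is not part of the Fortinet guide and is not the product's own query engine. It implements a small evaluator for the query subset shown in the two tables above (quoted phrases, `*` wildcards, AND, OR, NOT and parentheses) and runs each of the guide's sample queries over a handful of constructed messages, so you can see which posts each operator keeps or drops before committing a query to a saved search that drives notifications. It assumes case-insensitive matching, a simplified tokenizer that keeps letters, digits, `.` and `-` together (so `mail.google.com` is one token), and OR as the implicit operator between adjacent clauses; the platform's real analyzer is not described on this page and may behave differently.

```python
"""Evaluator for the Lucene-style query subset in the search syntax tables.

Added example, not the product's query engine. Assumptions not stated by the
guide: case-insensitive matching, words are runs of letters/digits/'.'/'-',
and adjacent clauses with no operator are combined with OR.
"""
import re

# Query tokens: a quoted phrase, a parenthesis, or a bare word (may contain '*').
TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()"]+')
# Simplified text tokenizer: keeps "mail.google.com" as one token (assumption).
WORD_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def text_tokens(text):
    """Lower-cased word list with trailing punctuation such as 'domain.' stripped."""
    return [w.lower().strip(".-") for w in WORD_RE.findall(text)]


class Parser:
    """Recursive-descent parser producing a tuple tree of TERM/WILDCARD/PHRASE/NOT/AND/OR nodes."""

    def __init__(self, query):
        self.tokens = TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() is not None and self.peek() != ")":
            if self.peek() == "OR":
                self.take()  # explicit OR; anything else is an implicit OR (assumption)
            node = ("OR", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_unary()
        while self.peek() in ("AND", "NOT"):
            op = self.take()
            rhs = self.parse_unary()
            # "a NOT b" is a AND (NOT b), as in classic Lucene syntax
            node = ("AND", node, ("NOT", rhs) if op == "NOT" else rhs)
        return node

    def parse_unary(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok == "NOT":
            return ("NOT", self.parse_unary())
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok == ")":
            raise ValueError("unexpected ')'")
        if tok.startswith('"'):
            return ("PHRASE", text_tokens(tok[1:-1]))  # exact whole-token sequence
        if "*" in tok:
            pattern = ".*".join(re.escape(p) for p in tok.lower().split("*"))
            return ("WILDCARD", re.compile(pattern))    # must cover a whole token
        return ("TERM", tok.lower())


def matches(node, tokens):
    """Evaluate a parsed query tree against one message's token list."""
    kind = node[0]
    if kind == "TERM":
        return node[1] in tokens
    if kind == "WILDCARD":
        return any(node[1].fullmatch(t) for t in tokens)
    if kind == "PHRASE":
        words, n = node[1], len(node[1])
        return any(tokens[i:i + n] == words for i in range(len(tokens) - n + 1))
    if kind == "NOT":
        return not matches(node[1], tokens)
    if kind == "AND":
        return matches(node[1], tokens) and matches(node[2], tokens)
    return matches(node[1], tokens) or matches(node[2], tokens)


def search(query, messages):
    """Return the messages that satisfy the query, in their original order."""
    tree = Parser(query).parse()
    return [m for m in messages if matches(tree, text_tokens(m))]


def is_valid_query(query):
    """True when the query parses; worth checking before saving a query with Notify enabled."""
    try:
        Parser(query).parse()
        return True
    except ValueError:
        return False


# Constructed sample posts (not real data) covering each row of the examples table.
MESSAGES = [
    "Selling access to knowbe4.com admin panel, cheap",
    "Phishing kit mimics login.google.com and mail.google.com",
    "New stealer targets bank customers in Brazil, banco credentials included",
    "Cybersecurity conference recap, nothing for sale",
    "Medical Cannabis dispensary chain data for sale",
    "healthcare provider database leaked, 2M records",
    "ATM malware XFS build, works on NCR",
]

if __name__ == "__main__":
    for q in ['"knowbe4.com"', '*google.com', '"Cyber"', '*Cyber*',
              '("bank" OR "banco" OR "ATM malware")',
              '("stealer" OR "worm" OR "malware") AND ("bank")',
              '(healthcare OR medical*) NOT ("healthy" OR "Medical Cannabis")']:
        print(q, "->", search(q, MESSAGES))
```

Note how `"Cyber"` matches nothing in the sample set while `*Cyber*` matches the "Cybersecurity" post, and how `"knowbe4.com"` ignores subdomains that `*google.com` would catch: quoting asks for the exact token, the wildcard asks for anything ending in the domain, which is the difference the first four rows of the table are drawing.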
