Searches and Filters

Search in FortiSOAR is based upon an included Elasticsearch database.

FortiSOAR provides you search at two levels:

  • Global Search: Searches for the keywords you have specified across all records in FortiSOAR.

  • List Search: Searches for the keywords you have specified in all records in a specific module.

Filters: You can filter records belonging to a module and also save filters for future use.

Note

You cannot search or filter encrypted fields.

Global Search

Keyword Search

Global Search searches the titles, descriptions, or tags across all records in FortiSOAR, including file attachments.

Note

From version 7.0.2 onwards, you can perform an 'Exact Text Search' so that the search does not split up text on spaces, @, etc., and the search results contain the complete text.

The Search bar at the top of the FortiSOAR interface allows for fast access to the Global Search feature. Entering any keyword in the Search bar and hitting Enter begins the search for the keyword.

Using Global Search, you can search for playbooks and rules based on tags, name, and description. You can add special characters and spaces in tags from version 6.4.0 onwards. However, the following special characters are not supported in tags: ', , , ", #, ?, and /. For example, if you have added sample as a tag to the playbook and you type sample in Global Search, the search results will contain the playbook with the sample tag.

Tooltip

If you want to search for tags in custom modules, you must assign at least Read permission on the custom module to a role (or roles) that has permissions on the Appliances module. This is required because a custom module must be granted permission in the playbook appliance before its records can be indexed and become searchable.

Term Matching

The Global Search function accessible from the Search bar uses the full-text match query function within Elasticsearch. This passes the search string through the standard analyzer, stripping any extra characters to the root term. For instance, the term login failure would be searched the same way as the term "Login Failure!", for text fields such as description or name as shown in the following image:

Search for 'Login Failure!'

In the case of tags, search results are displayed only for an exact match, without case sensitivity. For example, if you have added phishing as a tag and you search for phish, there are no search results; however, if you search for Phishing, you get a search result:

Search for 'login failure'

You can search for multiple terms using the search function by adding a term in the Add Search Term field. If multiple terms are entered, they are searched using the AND operation. FortiSOAR displays the results only when the results contain all the terms that you have entered.

Global Search also splits text on separator characters such as dots, @, etc. For example, if you search for the text google.com, results are displayed for both com and google. If, however, you want to search for the complete 'google.com' text, select the match type Exact Text Search.

Search Results

Search results are returned as a listing with a summary of the record metadata that provides information such as, the record name, the record type (the model of the record, such as an Incident), the created date and the last modified date of the record, and a contextual preview of the search term or terms position within the resulting record text.

You can set the Match Type as 'Broad Search' or 'Exact Text Search'. An exact text search does not split up text on spaces, @, etc., and the search results contain the complete text. For example, set the match type as Exact Text Search if you want to search for records that contain 'user01@mydomain.local'.

Match Type: Exact Text Search

However, if you want to search for records that contain any mention of 'user01', set the match type as Broad Search.

You can sort the search result by Relevance, which is based on the number of instances of the keyword within the record body. You can also sort the results by when the record was modified, the Most Recently Modified record or the Least Recently Modified record. Clicking on a search result displays the record details.

Search Results by Relevance

Filter By Pane

Use the Filter By pane to perform additional filtering of the results returned after a Global Search has been performed. When using the Filter bar, the term being searched on is applied directly to the already returned search results. This does not repeat the full-text match query from the Global Search function. This feature enables you to filter out a larger batch of returned results without repeating the search of the entire database.

For example, as shown in the previous image we had searched for the keyword phishing using Global Search, and the search result had returned 3 results. Now we can perform additional filtering on the search results by adding an additional keyword, email. The search records are filtered using the AND operator, and then the search result displays 2 search results as shown in the following image:

Search using an 'And' operator for both words 'phishing' and 'email'

The contextual preview of the term context from the original Global Search function is not updated with applied filters. The preview remains the same, but the records returned in the table are filtered according to the AND combination of terms as displayed above in the table.
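The matching rules described in 'Term Matching', 'Search Results' and 'Filter By Pane' above, modelled as an added example (this is illustration code, not FortiSOAR or Elasticsearch code; the records are constructed, `analyze()` only approximates the standard analyzer, and within-term OR plus case-insensitive exact matching are assumptions):

```python
"""Model of FortiSOAR Global Search term matching: Broad Search (analyzed
tokens, AND across terms, exact case-insensitive tag match), Exact Text Search
(whole text kept), and the Filter By pane narrowing already-returned results.
Added illustration only; sample records are constructed."""
import re

# Constructed sample records (not from a real FortiSOAR instance).
RECORDS = [
    {"id": 1, "type": "Alert", "name": "Login Failure!",
     "description": "Multiple login failures from VPN gateway",
     "tags": ["Phishing"]},
    {"id": 2, "type": "Incident", "name": "Phishing campaign",
     "description": "Suspicious email from evil.example.com sent to user01@mydomain.local",
     "tags": ["phishing", "email"]},
    {"id": 3, "type": "Alert", "name": "DNS beacon",
     "description": "Lookups for google.com from the email gateway every 60s",
     "tags": ["phishing"]},
]


def analyze(text):
    """Approximation of the Elasticsearch standard analyzer: lowercase and split
    on anything that is not a letter or digit, so 'Login Failure!' becomes
    ['login', 'failure'] and 'google.com' becomes ['google', 'com']."""
    return re.findall(r"[a-z0-9]+", text.lower())


def record_text(rec):
    """Text fields that are indexed (field labels and picklists are not)."""
    return rec["name"] + " " + rec["description"]


def broad_match(rec, terms):
    """Broad Search: every entered term must match (AND across terms). A term
    matches a text field if any of its analyzed tokens is present (assumed,
    mirroring the page's google.com example), or a tag exactly, ignoring case."""
    tokens = set(analyze(record_text(rec)))
    tags = {t.lower() for t in rec["tags"]}
    for term in terms:
        in_text = any(tok in tokens for tok in analyze(term))
        in_tag = term.lower() in tags          # 'phish' never matches tag 'phishing'
        if not (in_text or in_tag):
            return False
    return True


def exact_match(rec, terms):
    """Exact Text Search: the term is kept whole, so 'user01@mydomain.local'
    must appear as-is. Case-insensitive comparison is an assumption."""
    haystack = (record_text(rec) + " " + " ".join(rec["tags"])).lower()
    return all(term.lower() in haystack for term in terms)


def global_search(records, terms, match_type="Broad Search"):
    """Return matching record ids for the given Match Type."""
    matcher = exact_match if match_type == "Exact Text Search" else broad_match
    return [r["id"] for r in records if matcher(r, terms)]


def filter_by(records, result_ids, extra_term):
    """Filter By pane: the extra term is ANDed onto the already returned result
    set; the full index is not queried again."""
    hits = [r for r in records if r["id"] in result_ids]
    return [r["id"] for r in hits if broad_match(r, [extra_term])]


if __name__ == "__main__":
    first = global_search(RECORDS, ["phishing"])          # tag match on all three
    print("phishing:", first)
    print("then filtered by email:", filter_by(RECORDS, first, "email"))
    print("phish:", global_search(RECORDS, ["phish"]))    # no exact tag match
    print("google.com broad:", global_search(RECORDS, ["google.com"]))
    print("google.com exact:", global_search(RECORDS, ["google.com"], "Exact Text Search"))
```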

Filtering Results

You can perform additional filtering in the Filter By pane on the search results based on the Module and Date of the records. All modules are filterable. The date search uses the Created On date field to filter the records based on the period you have specified. You can either specify the From and To dates, or select relative dates, such as Last 90 Days, Last 7 days, Today, etc. These additional filters refine the returned search results to the applied scope.

By default, all File record types are excluded from the search, but you can select the Include Files check box to enable this if you so desire. Files is an associated module that stores the raw binary information uploaded with an attachment.

Authorization

Global Search respects authorization permissions based on the context of the user who is performing the search. This means that records not owned by the user's teams, any child or sibling teams, or not within the user's role permissions scope, are not displayed within the results.

Searching Record Contents

All records, such as Incidents, Alerts, and Assets, are included in the Elasticsearch database in addition to Attachments. The record contents do not store field labels, Picklist values, or model information. This is so that the search results are not based on field label values or terms in the model information, which would lead to meaningless results. For instance, if you perform a Global Search for the keyword Source, the Global Search does not return any result even though, in an Alert record, the term Source is a field label. Similarly, Brute Force Attempt might be set as a picklist value of the Type field in an Alert record, but the Global Search does not return any matches for Brute Force Attempt even if records exist with that picklist value. However, you can search for the same records using tags, if you have added tags to the record. For example, if you have added a tag BruteForceAttempt or BFA to the record, then you can search for that record using BFA.

FortiSOAR essentially searches the record content, i.e., text saved into the field values, such as the Name, or Description and also searches for tag values.

Searching File Attachments

When files are uploaded using the Attachment module, the contents of the files are passed through a conversion process to remove any formatting and preserve the record text.

Note

Any tags or special characters from the file format are removed during the insertion process using the standard analyzer. Only text terms are retained and searchable.

FortiSOAR attempts to parse all types of files, except for audio and video files.

File Metadata

While many file types can be uploaded, metadata is purposely excluded from the search database. This is to prevent excessive search noise resulting from verbose and many times meaningless metadata that may be a part of the file format itself.

Files with no metadata or searchable contents can still be stored. The name of the file and any other details that are associated with the file attachment are searchable. These names should be descriptive to ensure that the file can be found through keyword searches related to the file content.

List Search

Keyword Search

List Search searches for data or keywords across a module in FortiSOAR. The search also includes file attachments if they are part of any record within that module.

For list search, use the Search bar at the top of the record list in a particular module in FortiSOAR. Type any keyword in the Search bar and hit Enter to begin the search for the keyword.

Term Matching, Authorization, and Searching File Attachments in 'List Search' works the same way as in 'Global Search.'

Search Results

Search results are returned in a tabular format as shown in the following image:

List Search Example - Search for 'Incidents that contain business'

The above image displays the results of a search performed in the Alerts module with the keyword suspicious. The search results are displayed in a tabular form, and you can use the Menu button to specify the visible columns in the table by selecting or deselecting columns from the Columns list. You can also export the table results to a .csv or .pdf file. You can download the search result and store it for future reference, potentially even as an attachment to a particular record within FortiSOAR.

FortiSOAR Search Errors

FortiSOAR might display an Internal Server Error or any of the following errors when you are performing a search operation in FortiSOAR:

  • Search indexing is in progress. Partial results are returned.
  • Search indexing has stopped. You must manually rerun indexing (see product documentation for instructions) or raise support ticket for the same.
  • We are sorry, but the server encountered an error while handling your search request. Please contact your administrator for assistance.

For troubleshooting any errors with FortiSOAR Search, please contact your administrator.

Filtering Records

You can filter records on the listing view by typing a filter term or tag, or by selecting a value, in the first row of the record listing for the column on which you want to filter.

Users can quickly switch between saved filters because filters are exposed directly on the grid, so you can select and apply an available saved filter without opening the filter editing mode. In the filter editing mode, you can view and modify the definitions of a saved filter without having to save that particular filter (you can save the modified filter if you want). You can also clear all filters, or a particular filter, applied on the grid.

Filtering example

The following example explains how to filter alert records based on Severity, i.e., it only displays records whose Severity is set to Critical. In this example, you are setting a filter criterion from the UI, i.e., selecting a column (field) based on which you are filtering records.

Open Incident Response > Alerts, then from the Severity column select Critical and click Apply.

Filtering Records based on Severity set as 'Critical'

Once you click Critical as shown in the above image and click Apply, a filter is set on the Severity column, and the value of the filter is set to Critical. Therefore, based on the set filter criterion, only records whose Severity is Critical are displayed in the list of records as shown in the following image:

Records with Severity set as critical

To clear all the filters applied on the grid or records, click the Clear All link.

You can also edit an existing filter by selecting that filter from the Filters drop-down list and then clicking the filter again, which opens the filter editing mode.

Filter Settings pane

In the filter editing mode, you can perform the following operations:

  • Save a filter for future use by clicking the Save Filter button. The Save New Filter dialog is displayed; type the name of the filter in the Name field and click Save. For example, type the filter name Critical Alerts and click Save. If you are an administrator, you can also save a filter as a System Filter by clicking Save Filter > Save As System. System Filters are displayed to all users of the system.
  • Edit the name of an existing filter by clicking the Edit Name icon.
  • Mark an existing filter as the default filter by clicking the Set Default Filter (star) icon.
  • Delete an existing filter by opening the Save Filter drop-down list and selecting the Delete option.
  • Remove a particular filter criterion that has been applied on the grid by clicking the Clear Filter Criteria link.

Click the Filters icon to view a list of all existing filters that have been defined for the grid or record, as shown in the following image:

Viewing defined filters

Using this filtering option, you can filter records using only the AND condition, for example, you can filter records, whose Type is Phishing AND Status is Investigating. When you apply this filter, in our example, only one record is displayed, as shown in the following image:

Records whose Type is Phishing AND Status is Investigating

Tooltip

You cannot use the OR condition to filter records using this method.

You can also filter records using a complex set of conditions when you define the grid for the listing view. The Grid Widget contains the Nested Filters component that allows you to filter group conditions at varying levels and use AND and OR logical operators. See the Dashboards, Templates, and Widgets chapter for information on the Grid widget and the Nested Filters component.

Note

The filter condition defined on the listing view will override the filter condition defined in the grid widget.

FortiSOAR has enhanced the filter operator for date fields to include a number of pre-defined options such as Last Year, Last 7 days, Next 24 hours, etc., making it easier for you to filter records for a relative time range of your choice. You can also now specify static custom date ranges for filters. For information on what defines a time range in filter, see the Nested Filters section in the Dashboards, Templates, and Widgets chapter.

For example, if you want to filter alerts that were assigned in the last 24 hours and whose severity is High, do the following:

Click High in the Severity column, then click in the Search box in the Assigned Date column and select Last 24 Hours:

Filtering Records by Assigned Date

Filtered alerts will be displayed as shown in the following image:

Filtering Records by Assigned Date and Severity

Select the Custom option to filter records according to a custom static date range. For example, select Custom and, in the Define Custom Date Range dialog, use the Calendar to select the date and time from which you want to filter records in the From field, for example, 10/01/2019 02:00 PM, and the date and time until which you want to filter records in the To field, for example, 11/18/2019 09:00 AM:

Define Custom Date Range Dialog
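The two filter styles described above, the AND-only listing-view filter and the Grid widget's Nested Filters with AND/OR groups and relative or custom date ranges, as an added worked example (illustration code, not FortiSOAR's own filter engine; the alerts, the fixed "now" and the operator names `equals`/`in_range` are constructed assumptions):

```python
"""Evaluator for FortiSOAR-style record filters: listing-view criteria (AND
only) and Nested Filters (AND/OR groups) with the relative date options and
the custom date-range format named on the page. Added illustration only."""
from datetime import datetime, timedelta

DATE_FMT = "%m/%d/%Y %I:%M %p"        # the page's '10/01/2019 02:00 PM' format


def parse(s):
    return datetime.strptime(s, DATE_FMT)


# Fixed 'now' so relative ranges are reproducible; alerts are constructed.
NOW = parse("11/18/2019 09:00 AM")
ALERTS = [
    {"id": 1, "severity": "High", "type": "Phishing", "status": "Investigating",
     "assignedDate": NOW - timedelta(hours=3)},
    {"id": 2, "severity": "Critical", "type": "Phishing", "status": "Closed",
     "assignedDate": NOW - timedelta(days=2)},
    {"id": 3, "severity": "High", "type": "Malware", "status": "Investigating",
     "assignedDate": parse("09/30/2019 11:30 AM")},
    {"id": 4, "severity": "Low", "type": "Phishing", "status": "Investigating",
     "assignedDate": NOW - timedelta(hours=30)},
]

# Relative date options mentioned on the page, as (from, to) windows.
RELATIVE = {
    "Last 24 Hours": lambda now: (now - timedelta(hours=24), now),
    "Last 7 days": lambda now: (now - timedelta(days=7), now),
    "Last 90 Days": lambda now: (now - timedelta(days=90), now),
    "Next 24 hours": lambda now: (now, now + timedelta(hours=24)),
}


def date_in_range(value, spec, now=NOW):
    """spec is a relative option name or ('Custom', from_str, to_str)."""
    if isinstance(spec, tuple) and spec[0] == "Custom":
        lo, hi = parse(spec[1]), parse(spec[2])
    else:
        lo, hi = RELATIVE[spec](now)
    return lo <= value <= hi


def criterion_matches(rec, field, op, value):
    """A single (field, operator, value) criterion; operator names assumed."""
    if op == "equals":
        return rec[field] == value
    if op == "in_range":
        return date_in_range(rec[field], value)
    raise ValueError(f"unsupported operator {op!r}")


def listing_filter(records, criteria):
    """Listing-view filter: every column criterion must hold (AND only)."""
    return [r["id"] for r in records
            if all(criterion_matches(r, *c) for c in criteria)]


def nested_filter(records, group):
    """Grid widget Nested Filters: a group is {'logic': 'AND'|'OR',
    'conditions': [...]} whose members are criteria tuples or nested groups."""
    def evaluate(rec, node):
        if isinstance(node, dict):
            results = [evaluate(rec, child) for child in node["conditions"]]
            return all(results) if node["logic"] == "AND" else any(results)
        return criterion_matches(rec, *node)
    return [r["id"] for r in records if evaluate(r, group)]


if __name__ == "__main__":
    # Type is Phishing AND Status is Investigating (listing view, AND only).
    print(listing_filter(ALERTS, [("type", "equals", "Phishing"),
                                  ("status", "equals", "Investigating")]))
    # Severity High AND assigned in the Last 24 Hours.
    print(listing_filter(ALERTS, [("severity", "equals", "High"),
                                  ("assignedDate", "in_range", "Last 24 Hours")]))
    # (High OR Critical) AND Last 7 days: needs Nested Filters, not the grid row.
    print(nested_filter(ALERTS, {"logic": "AND", "conditions": [
        {"logic": "OR", "conditions": [("severity", "equals", "High"),
                                       ("severity", "equals", "Critical")]},
        ("assignedDate", "in_range", "Last 7 days")]}))
```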
