Search capabilities
You can run searches using the search bar in most Sophos Cloud Optix pages. To save, run, view, edit, and delete searches, go to Search.
Administrators using the same Sophos Cloud Optix account can see and update each others' searches. This allows administrators to create searches for other administrators to use. The search creator's name and the name of the person who last edited it are shown in the saved searches list.
Super Admins can configure saved searches to generate alerts.
Creating alerts
To save a search and configure it to generate an alert, do as follows.
- Go to Search.
- Create and test your search, then click Save search query.
- Enter a name for the search.
- Click Create Alert.
- Enter a summary that describes the alert.
- Choose a Severity.
- Choose the environments and tags to include in the search. If you don't enter any environments or tags, all your environments are searched.
- Click Save.
The search appears in Saved Searches.
Alerts for saved searches are generated or updated during the next and subsequent scans of your environment. You can see if an alert is generated in the Actions column. Click on the alert icon to go to Alerts.
The alert icon also shows the number of affected environments found by the search. The number shown depends on the privilege level of the user. For example, a Super Admin sees all affected resources, and an Admin or Read-only user sees only the ones they can access.
Admin and Read-only users can view searches created with alerts. They can't edit or delete them.
If a search finds more resources than an alert can list, a warning appears. You should refine your search to return fewer resources.
Terms
You can search for terms used by the various cloud services supported by Sophos Cloud Optix.
The format is <fieldName>:<fieldValue>. If you don't specify a fieldName, all valid fields are searched for the fieldValue. Where you have nested fields, you can match them by nesting fieldName terms in your search string.
Valid expressions for fieldName and fieldValue are single-word tokens, phrases, and boolean and numeric values. Regular expressions and wildcards are also supported in fieldValue.
Example: EC2 or instanceId:i-123456 OR isPublic:true or nodeCount:5 OR tags.Name:test OR tags.\*:security
Use of wildcards
In fieldValue you can use a question mark to match a single character, or an asterisk to match several characters. The only supported wildcard for fieldName is the asterisk. You must precede it with a backslash as an escape character.
Example: test* OR tags.Name:Cluster?-nodepool* OR tags.\*_cluster_\*:test*
For a full list of field names and values you can use, see Supported search field names.
Phrases
You can use phrases contained within double quotes in fieldValue. This is useful when searching for a continuous string of characters separated by white space.
Example: "testing purposes" OR description:"security group" OR kubeNode\*:"test container"
Regular expressions
You can use regular expressions in fieldValue.
Example: /.*test*./ or name:/Cluster.*DoNotRemove/ or \*container\*:test
Date ranges
You can use dates in range queries in the format yyyy-MM-dd. You can also use now to represent the current time, and you can perform date math operations in date queries.
Note
Upper case M refers to months, lower case m refers to minutes.
| Required date range | Search string |
|---|---|
| A specific date, for example 2020-06-05 | <fieldName>:[2020-06-05 TO 2020-06-05] |
| The last month | <fieldName>:[now-1M TO *] |
| This calendar year | <fieldName>:[now/y TO *] |
| A time between two specific dates | <fieldName>:[2020-01-01 TO 2020-06-05] |
| The last 15 days | <fieldName>:[now-15d TO *] |
| The last week | <fieldName>:[now-1w TO *] |
Field existence
You can search for the existence of a field and get its value. If a field doesn't exist, or contains a null value, it's not included in the search results. You can also search for the absence of a field.
You can use the * wildcard with fieldValue. You must escape the wildcard.
Here are examples of a search for the existence of a field.
Examples
_exists_:tags
_exists_:tags.name
Here's an example of a search for the absence of a field.
Example
not _exists_:tags
Special characters
You can't use the period character in fieldName, and you must use a backslash as an escape character before special characters like colons. In fieldValue, special characters like the colon or backslash can either be contained within double quotes or preceded by a backslash as an escape character.
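As an added example (not Sophos Cloud Optix code), the Python helper below applies the escaping rules for fieldName and fieldValue from this section together with the date-range forms in the table above, so that a saved search built from tag values or dates is always well-formed; field names such as hypotheticalField are placeholders, and the handling of a double quote inside a phrase is an assumption not stated on the page.

```python
import re
from datetime import date

# Date-math grammar as shown on the page: "now", optionally +/- an amount in y, M
# (months), w, d or m (minutes), optionally rounded with "/unit"; or yyyy-MM-dd; or *.
_DATE_TOKEN = re.compile(r"^(?:\*|\d{4}-\d{2}-\d{2}|now(?:[+-]\d+[yMwdm])?(?:/[yMwd])?)$")


def field_name(name: str) -> str:
    """Escape a fieldName: a colon needs a backslash and a wildcard asterisk must be
    written as \\*. The period is the nested-field separator, so it is left alone."""
    if re.search(r"\s", name):
        raise ValueError("fieldName must be a single token")
    return name.replace(":", "\\:").replace("*", "\\*")


def field_value(value: str) -> str:
    """Render a literal fieldValue: a phrase containing white space is wrapped in double
    quotes; otherwise colon and backslash are escaped with a backslash."""
    if re.search(r"\s", value):
        if '"' in value:  # assumption: the page gives no rule for quotes inside a phrase
            raise ValueError("phrase values may not contain double quotes")
        return f'"{value}"'
    return re.sub(r"([:\\])", r"\\\1", value)


def term(name: str, value: str) -> str:
    """<fieldName>:<fieldValue> with both sides escaped."""
    return f"{field_name(name)}:{field_value(value)}"


def is_date_token(token: str) -> bool:
    """True if token is a yyyy-MM-dd date, a date-math expression, or *."""
    return bool(_DATE_TOKEN.match(token))


def date_range(name: str, start, end="*") -> str:
    """Build <fieldName>:[start TO end] as in the date-range table; start and end may be
    date objects, yyyy-MM-dd strings, date-math strings such as now-1M or now/y, or *."""
    tokens = [d.isoformat() if isinstance(d, date) else str(d) for d in (start, end)]
    bad = [t for t in tokens if not is_date_token(t)]
    if bad:
        raise ValueError(f"invalid date or date-math token(s): {bad}")
    return f"{field_name(name)}:[{tokens[0]} TO {tokens[1]}]"


def exists(name: str, present: bool = True) -> str:
    """_exists_:<fieldName>, or its negation to search for the absence of a field."""
    return ("" if present else "not ") + f"_exists_:{field_name(name)}"
```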