Search capabilities

Learn how to use search terms on your inventory data.

In Sophos Cloud Optix there are many search options. You can do as follows:

  • Perform simple searches, for example you can enter an AWS EC2 name to find alerts related to that instance.
  • Combine different search terms for advanced queries.
  • Save searches so that you or other members of your team can run them.
  • Search all of your inventory data or restrict your search to specific areas, for example Alerts or Containers. To do this use the drop-down list. If you are within a specific section of Sophos Cloud Optix, for example Storage - AWS, search defaults to that area. You can override this using the drop-down list.
  • Use the logical operators NOT, AND, and OR. They are not case sensitive.
  • Specify date ranges.
  • Combine different query terms in queries using logical operator precedence. You can change the order in which expressions are evaluated with parentheses.

Example:

s3 AND (tags.name:test* OR isPublic:true)

For examples of complex searches, see Search examples.

Saved searches can be viewed, run, edited, and deleted from the Search page. Administrators using the same Sophos Cloud Optix account can see and update each other's searches. This allows administrators to create searches for other administrators to use. The names of the creator of a search and the person who last edited it are shown in the saved searches list.

Terms

You can search for terms used by the various cloud services supported by Sophos Cloud Optix.

The format is <fieldName>:<fieldValue>. If you don't specify a fieldName, all valid fields are searched for the fieldValue. Where you have nested fields, you can match them by nesting fieldName terms in your search string.

Valid expressions for fieldName and fieldValue are single word tokens, phrases, boolean and numeric values. Regular expressions and wildcards are also supported in fieldValue.

Example:

EC2 or instanceId:i-123456 OR isPublic:true or nodeCount:5 OR tags.Name:test OR tags.\*:security

Use of wildcards

In fieldValue you can use a question mark to match a single character, or an asterisk to match several characters. The only supported wildcard for fieldName is the asterisk. You must precede it with a backslash as an escape character.

Example:

test* OR tags.Name:Cluster?-nodepool* OR tags.\*_cluster_\*:test*

For a full list of field names and values you can use, see Supported search field names.
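As an added illustration (not Sophos code and not the real Cloud Optix query engine), the following Python evaluates the syntax described above, nested fieldName terms, an escaped \* field wildcard, the ? and * value wildcards, quoted phrases and NOT/AND/OR with parentheses, over constructed inventory records. The INVENTORY records, case-insensitive comparison and the phrase-matches-inside-the-value rule are assumptions of this toy matcher, not documented Cloud Optix behaviour.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample inventory records, not data exported from Cloud Optix.
INVENTORY = [
    {"service": "s3", "name": "logs-prod", "isPublic": True, "tags": {"Name": "prod-logs"}},
    {"service": "s3", "name": "scratch", "isPublic": False, "tags": {"Name": "test-bucket"}},
    {"service": "ec2", "name": "web-1", "isPublic": True, "tags": {"Name": "test-web"}},
]
# Tokens: a parenthesis, a term whose value is a quoted phrase, or a bare term.
TOKEN = re.compile(r'\(|\)|[^\s()"]*"[^"]*"|[^\s()]+')

def flatten(record, prefix=""):
    # Yield (dotted.field, value) pairs so nested fields such as tags.Name can be matched.
    for key, val in record.items():
        name = (prefix + key).lower()
        yield from flatten(val, name + ".") if isinstance(val, dict) else [(name, str(val).lower())]

def term_matches(term, record):
    # fieldName:fieldValue, or a bare value searched across every field. Comparison is
    # case-insensitive (an assumption of this toy); ? and * are wildcards, an escaped \*
    # in the field name is a field wildcard, and a quoted phrase matches inside the value.
    m = re.match(r'([^":]+):(.*)', term)
    field, value = (m.group(1), m.group(2)) if m else ("*", term)
    field = field.replace("\\*", "*").lower()
    if value.startswith('"'):
        value = "*" + value.strip('"') + "*"
    return any(fnmatchcase(k, field) and fnmatchcase(v, value.lower()) for k, v in flatten(record))

# Recursive-descent evaluation with precedence NOT > AND > OR; parentheses regroup.
def parse_or(toks, r):
    v = parse_and(toks, r)
    while toks and toks[0].upper() == "OR":
        toks.pop(0); rhs = parse_and(toks, r); v = v or rhs
    return v
def parse_and(toks, r):
    v = parse_not(toks, r)
    while toks and toks[0].upper() == "AND":
        toks.pop(0); rhs = parse_not(toks, r); v = v and rhs
    return v
def parse_not(toks, r):
    tok = toks.pop(0)
    if tok.upper() == "NOT":
        return not parse_not(toks, r)
    if tok == "(":
        v = parse_or(toks, r); toks.pop(0); return v  # the pop consumes ")"
    return term_matches(tok, r)

def search(query, records=INVENTORY):
    return [r["name"] for r in records if parse_or(TOKEN.findall(query), r)]
```

Running the s3 example with and without its parentheses shows why they matter: without them AND binds tighter than OR, so the query becomes (s3 AND tags.name:test*) OR isPublic:true and returns every public resource, including non-S3 ones.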

Phrases

You can use phrases contained within double quotes in fieldValue. This is useful when searching for a continuous string of characters separated by white space.

Example:

"testing purposes" OR description:"security group" OR kubeNode\*:"test container"

Regular expressions

You can use regular expressions in fieldValue.

Example:

/.*test*./ or name:/Cluster.*DoNotRemove/ or \*container\*:test

Date ranges

You can use dates in range queries in the format yyyy-MM-dd. You can also use now to represent the current time.

You can also perform date math operations in date queries.

Note: Upper case M refers to months, lower case m refers to minutes.

Table 1. Date range examples

  Required date range                        Search string
  A specific date, for example 2020-06-05    <fieldName>:[2020-06-05 TO 2020-06-05]
  The last month                             <fieldName>:[now-1M TO *]
  This calendar year                         <fieldName>:[now/y TO *]
  A time between two specific dates          <fieldName>:[2020-01-01 TO 2020-06-05]
  The last 15 days                           <fieldName>:[now-15d TO *]
  The last week                              <fieldName>:[now-1w TO *]

Special characters

You can't use the period character in fieldName and you must use a backslash as an escape character before special characters like colons.

In fieldValue special characters like the colon or backslash can either be contained within double quotes or preceded by a backslash as an escape character.