AlienVault® USM Anywhere™

Searching Events by Using the Search Box

Use the search phrase box to enter your queries and refine your search. You can enter free text, use wildcards, or use the advanced search syntax if you need it. Keep in mind the contents of the following table:

Accepted Query String Syntax

| Type of Query | Meaning | Example |
| --- | --- | --- |
| Standard query with a blank space between terms | By default, a space between query terms is treated as an implicit OR. | blacklist malicious |
| Literal, using double quotes | Matches entries that contain the exact terms. | "blacklist malicious" |
| Boolean operators, using parentheses | The operators are AND, OR, and NOT. Parentheses can be used to group terms for precedence. Parentheses are also used to designate subsearches. | (http OR tcp) AND ftp |
| Wildcards, asterisk (*) | Matches any number of characters. You can use the asterisk (*) anywhere in a character string. | instance* |
| Wildcards, question mark (?) | Matches a single character in a specific position. | qu?ck |
| Regexp, using /expression/ | Regular expression between forward slash characters. A dialog box displays to confirm the search. | /Describe.*Instances/ |

Note: It is not possible to use the wildcards * and ? at the beginning of a term.

Any characters may be used, but certain characters are reserved and must be escaped. The reserved characters are these:

+ - = & | > < ! { } [ ] ^ " ~ : \ /

Use a backslash (for example, "\>") to escape any reserved character (including a backslash).

Note: The characters " * ? ( ) have special meaning in expressions. To search for these characters themselves, you need to escape each one manually by adding a backslash.
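The following Python script is an added example, not code from the USM Anywhere documentation or product: it implements a small evaluator for the query syntax described in the table above (implicit OR between terms, quoted phrases, AND/OR/NOT with parentheses, the * and ? wildcards with the rule that neither may start a term, and /regex/ terms), plus an escape_term helper that backslash-escapes the reserved and special characters listed above. The token grammar, the rule that a bare term matches a whitespace-delimited token of the event text, and the sample events are assumptions made for illustration; the product's own search engine may differ in such details.

```python
import re

# Reserved characters from the documentation, plus the special characters " * ? ( ).
RESERVED = set('+-=&|><!{}[]^"~:\\/')
SPECIAL = RESERVED | set('*?()')

def escape_term(text):
    """Backslash-escape every reserved or special character so it is searched literally."""
    return ''.join('\\' + ch if ch in SPECIAL else ch for ch in text)

# Assumed token grammar: whitespace, "phrase", /regex/, ( ), or a bare term (may hold \-escapes and * ? wildcards).
TOKEN_RE = re.compile(r'''
    \s+
  | "(?P<phrase>(?:[^"\\]|\\.)*)"
  | /(?P<regex>(?:[^/\\]|\\.)*)/
  | (?P<paren>[()])
  | (?P<word>(?:[^\s()"/\\]|\\.)+)
''', re.VERBOSE)

def tokenize(query):
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f'cannot tokenize query at {query[pos:]!r}')
        pos, kind = m.end(), m.lastgroup          # lastgroup is None for whitespace
        if kind == 'word' and m.group(kind) in ('AND', 'OR', 'NOT'):
            tokens.append(('op', m.group(kind)))
        elif kind:
            tokens.append(('term' if kind == 'word' else kind, m.group(kind)))
    return tokens

def parse(tokens):
    """Recursive descent: OR (explicit or implicit) binds loosest, then AND, then NOT."""
    toks = list(tokens)
    peek = lambda: toks[0] if toks else None
    def parse_or():
        parts = [parse_and()]
        while peek() not in (None, ('paren', ')')):
            if peek() == ('op', 'OR'):
                toks.pop(0)                        # a bare space is an implicit OR
            parts.append(parse_and())
        return parts[0] if len(parts) == 1 else ('or', parts)
    def parse_and():
        parts = [parse_unary()]
        while peek() == ('op', 'AND'):
            toks.pop(0)
            parts.append(parse_unary())
        return parts[0] if len(parts) == 1 else ('and', parts)
    def parse_unary():
        tok = toks.pop(0) if toks else None
        if tok == ('op', 'NOT'):
            return ('not', parse_unary())
        if tok == ('paren', '('):
            node = parse_or()
            if not toks or toks.pop(0) != ('paren', ')'):
                raise ValueError('missing closing parenthesis')
            return node
        if tok is None or tok[0] in ('op', 'paren'):
            raise ValueError(f'unexpected {tok!r}')
        return tok
    tree = parse_or()
    if toks:
        raise ValueError(f'unexpected {toks[0]!r}')
    return tree

def term_matches(term, text):
    """Match the term against whitespace-delimited tokens of text; * = any run, ? = one char."""
    if term[0] in '*?':
        raise ValueError('wildcards * and ? cannot start a term: ' + term)
    pieces = re.findall(r'\\.|.', term)           # keep backslash-escaped pairs together
    regex = ''.join('.*' if p == '*' else '.' if p == '?' else re.escape(p[-1]) for p in pieces)
    pattern = re.compile(regex + r'\Z', re.IGNORECASE)
    return any(pattern.match(tok) for tok in re.split(r'[\s,;]+', text))

def evaluate(node, text):
    kind, value = node
    if kind in ('or', 'and'):
        return (any if kind == 'or' else all)(evaluate(n, text) for n in value)
    if kind == 'not':
        return not evaluate(value, text)
    if kind == 'term':
        return term_matches(value, text)
    if kind == 'phrase':                           # exact substring; wildcards are literal
        return re.sub(r'\\(.)', r'\1', value).lower() in text.lower()
    return re.search(value, text) is not None      # regex between slashes

def search(query, events):
    """Return the events matching the query, in their original order."""
    tree = parse(tokenize(query))
    return [e for e in events if evaluate(tree, e)]

SAMPLE_EVENTS = [  # constructed event names, not real USM Anywhere data
    'blacklist hit: outbound tcp to malicious host', 'ftp login over http proxy',
    'DescribeInstances call from instance-0042', 'quick scan completed on host 10.0.0.5',
    'malicious download blocked',
]

if __name__ == '__main__':
    for q in ['blacklist malicious', '"blacklist malicious"', '(http OR tcp) AND ftp', 'qu?ck']:
        print(f'{q:25s} -> {search(q, SAMPLE_EVENTS)}')
```

Running the script shows the difference the table describes between `blacklist malicious` (implicit OR, two hits) and `"blacklist malicious"` (exact phrase, no hits), and a query that starts with a wildcard, such as `*malicious`, is rejected with a ValueError.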

To search Events using the search box

  1. Enter your search in the Enter search phrase box.
  2. If you want to search for an exact phrase having two or more words, you need to put quotation marks around the words in the phrase.

    Important: The indexed fields are Event Name, Raw Log, Rep Device Asset ID, Source Asset ID, and Destination Asset ID.

    Note: Within a quoted phrase, wildcard characters are treated as literals.

  3. Click the icon.
  4. The results of your search display, with the matching items identified.

Example: Search for IP Addresses in a Network with Regex

You can use regular expressions (regex) to broaden your search in a number of ways. One of the most common applications for regex in a search is to search for an IP address range in a network.

As an example, to search for hosts in the 25. network range, enter the following regex into the search box:


Here is a more detailed anatomy of this example:

  • / ... /: The regex search is indicated by the expression contents being contained between forward slashes.
  • 25.: Indicates the network range being searched.
  • [0-9]: This set of brackets in the expression is a variable number range.
  • {1,3}: The numbers in this set of braces indicate that the search will look for any pattern using the preceding number range a minimum of 1 time and a maximum of 3 times.
  • [0-9]{1,3}: Because an IPv4 address consists of four sets of numbers from 0–255 separated by periods, the [0-9]{1,3} part of this regular expression is used to include any possible number from that range.

Note: Because the search box does not search all fields in an event, the results will be limited to IP addresses in the Event Name, Raw Log, Rep Device Asset ID, Source Asset ID, and Destination Asset ID fields.
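As an added example, not code from the USM Anywhere documentation, the Python script below builds a regex for the "25." network walk-through above and runs it over a few constructed raw-log lines. The regex shown in the original page is not reproduced here, so the four patterns are this example's own constructions; they are passed to Python's re module directly, whereas the search box expects the pattern between forward slashes. The script goes slightly beyond the page by showing three checks a practitioner would want: an unescaped dot matches any character rather than a period, the pattern should be anchored with \b so it does not also hit addresses such as 125.x.x.x, and [0-9]{1,3} accepts values above 255 unless each octet is constrained.

```python
import re

# Constructed patterns for this example; the regex from the original page is not
# reproduced here.  Each looks for hosts whose first octet is 25, as in the walk-through.
OCTET = r'25[0-5]|2[0-4][0-9]|1?[0-9]{1,2}'          # exactly one value from 0 to 255
PATTERNS = {
    # Unescaped dots: in a regex "." matches ANY single character, not only a period.
    'unescaped_dots': r'25.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}',
    # Escaped dots match literal periods only.
    'escaped_dots': r'25\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}',
    # Word boundaries stop the pattern matching inside a longer address such as 125.x.x.x.
    'anchored': r'\b25\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\b',
    # Strict octets reject impossible values such as 999, which [0-9]{1,3} accepts.
    'strict': r'\b25\.(?:%s)\.(?:%s)\.(?:%s)\b' % (OCTET, OCTET, OCTET),
}

SAMPLE_LOGS = [  # constructed raw-log lines, not real USM Anywhere events
    'Source 25.10.3.77 accepted connection',
    'Source 125.10.3.77 accepted connection',
    'Session 25x10y3z77 opened',
    'Alert from 25.999.1.1 dropped',
    'Host 10.0.0.25 seen',
]

def find_hosts(lines, pattern_name):
    """Return (line_number, matched_text) for every line the named pattern hits."""
    rx = re.compile(PATTERNS[pattern_name])
    hits = []
    for n, line in enumerate(lines, start=1):
        m = rx.search(line)
        if m:
            hits.append((n, m.group(0)))
    return hits

if __name__ == '__main__':
    for name in PATTERNS:
        print(f'{name:15s} -> {find_hosts(SAMPLE_LOGS, name)}')
```

Only the strict pattern limits the hits to the single line that carries a valid address in the 25.0.0.0/8 range; the unescaped version also matches the line with no periods at all, and the unanchored versions match the 125.10.3.77 host as well.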