Perform Advanced Incident Searches

The advanced search feature on the Incidents page lets you create complex queries, which you can combine with selected filters to further refine your incident search results. To access the advanced search feature, click advanced search under the search bar.

In the advanced search field, type a query statement using the available fields and operators. If needed, you can use subsequent search fields to add OR statements and create a search that tests for multiple conditions. As you type a search statement, a warning icon appears to the left of the search field until the query contains valid syntax. You cannot submit a search with invalid syntax.

Advanced search syntax

Each search field requires you to enter values available for that field enclosed in quotes. You can create a search that returns results for more than one value in a field by placing the values in parentheses and separating them with commas.

The query below searches for critical incidents.

ThreatLevel="Critical"

The query below searches for critical and high threat level incidents.

ThreatLevel IN("Critical","High")

For additional examples that illustrate search syntax, see Advanced search examples.

Advanced search options

The advanced search feature allows you to make simple and complex incident queries using one or more of the following available fields:

Advanced search operators

The advanced search feature allows you to use the following operators to create your queries:

  • AND — This operator allows you to string together multiple items and will display a list of incidents where all the conditions separated by AND are true.
  • OR — This operator is inclusive and allows for wider searches by displaying a list of incidents where any of the OR statements is true. Each additional line in the advanced search feature is an OR statement.
  • IN — This operator allows you to specify multiple values in a clause to display a list of incidents with multiple field values. For example, if you use the IN operator with the ThreatLevel field, you can display incidents with Critical and High threat levels.

In addition, you can use the following operators to show the relationship between a value and the desired result:

  • = — You want to see results that match a given value.
  • != — You want to see results that do not match a given value.
  • > — You want to see results that are greater than a given value.
  • < — You want to see results that are less than a given value.
  • =< — You want to see results that are equal to or less than a given value.
  • => — You want to see results that are equal to or greater than a given value.

Advanced search examples

Use the examples in this section to understand how to create queries that help you investigate incidents.

Find incidents that occurred in a specified deployment (MyDeploymentName) and include a specified IP address (172.31.3.10).

Deployment="MyDeploymentName" AND IP="172.31.3.10"

Find incidents that occurred in the last seven days, with Critical and High threat levels, and in a specified deployment (MyDeploymentName). Order the results by threat level and the date of incident creation.

ThreatLevel IN("Critical", "High") AND Deployment="MyDeploymentName"

To order the results by threat level, click the drop-down menu above the Incident List, and then select Organize by Threat Level.

To limit the results to incidents from the last seven days, click the date selector drop-down menu at the upper right of the page, and then select the appropriate date range.

Find incidents that occurred in the last 30 days, from a specified source IP address (118.123.15.210), and to a specified destination IP address (172.31.17.117).

SourceIP="118.123.15.210" AND DestinationIP="172.31.17.117"

To display results for only the last 30 days, click the date selector drop-down menu at the upper right of the page, and then customize the date range for the last 30 days.
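The following Python evaluator is an added example, not part of the product or its documentation; it applies the syntax rules above (quoted values, IN lists, AND within a line, OR across lines, and the =, !=, <, >, =<, => operators) to a constructed list of incident records, which is useful for checking a query against expected hits before running it in the console. The incident records, the dict layout and the numeric EventCount field are assumptions for the example; the field names otherwise follow the page's own examples.

```python
import re

# Constructed sample incidents (not from the original page). Field names follow the
# page's examples; EventCount is an assumed numeric field used to show > and => tests.
INCIDENTS = [
    {"Id": 1, "ThreatLevel": "Critical", "Deployment": "MyDeploymentName", "IP": "172.31.3.10", "EventCount": 120},
    {"Id": 2, "ThreatLevel": "High", "Deployment": "MyDeploymentName", "IP": "10.0.0.5", "EventCount": 40},
    {"Id": 3, "ThreatLevel": "Medium", "Deployment": "Other", "IP": "172.31.3.10", "EventCount": 7},
    {"Id": 4, "ThreatLevel": "Critical", "Deployment": "Other", "IP": "172.31.3.10", "EventCount": 300},
]

# One clause is either  Field IN("v1","v2")  or  Field OP "value"; values must be quoted.
CLAUSE = re.compile(
    r'^\s*(\w+)\s*(?:(IN)\s*\(\s*("[^"]*"(?:\s*,\s*"[^"]*")*)\s*\)'
    r'|(=<|=>|!=|=|>|<)\s*("[^"]*"))\s*$'
)
# Split a line on AND only outside quotes (an even number of quotes must follow it).
AND_SPLIT = re.compile(r'\s+AND\s+(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_clause(text):
    m = CLAUSE.match(text)
    if not m:  # mirrors the UI, which will not submit a search with invalid syntax
        raise ValueError(f"invalid syntax: {text!r}")
    field, in_op, in_vals, cmp_op, value = m.groups()
    if in_op:
        return field, "IN", re.findall(r'"([^"]*)"', in_vals)
    return field, cmp_op, value[1:-1]

def parse_line(line):
    """One search line: clauses joined by AND, all of which must hold."""
    return [parse_clause(c) for c in AND_SPLIT.split(line)]

def matches(incident, clause):
    field, op, value = clause
    actual = str(incident.get(field, ""))
    if op == "IN":
        return actual in value
    if op in ("=", "!="):
        return (actual == value) if op == "=" else (actual != value)
    try:  # numeric comparison when both sides parse as numbers, else string order
        a, b = float(actual), float(value)
    except ValueError:
        a, b = actual, value
    return {">": a > b, "<": a < b, "=<": a <= b, "=>": a >= b}[op]

def search(incidents, lines):
    """Each non-empty search line is an OR alternative; returns matching incident Ids."""
    queries = [parse_line(l) for l in lines if l.strip()]
    return [i["Id"] for i in incidents
            if any(all(matches(i, c) for c in q) for q in queries)]
```

Date-range and sort order are applied by the page's drop-down controls rather than the query text, so they are deliberately outside this evaluator.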