Skip to content

Search capabilities

You can run searches using the search bar in most Sophos Cloud Optix pages. To save, run, view, edit, and delete searches, go to Search.

Administrators using the same Sophos Cloud Optix account can see and update each others' searches. This allows administrators to create searches for other administrators to use. The search creator's name and the name of the person who last edited it are shown in the saved searches list.

Super Admins can configure saved searches to generate alerts.

Creating alerts

To save a search and configure it to generate an alert, do as follows.

  1. Go to Search.
  2. Create and test your search, then click Save search query.
  3. Enter a name for the search.
  4. Click Create Alert.
  5. Enter a summary that describes the alert.
  6. Choose a Severity.
  7. Choose the environments and tags to include in the search.

    If you don't enter any environments or tags, all your environments are searched.

  8. Click Save.

The search appears in Saved Searches.

Alerts for saved searches are generated or updated during the next and subsequent scans of your environment. You can see if an alert is generated in the Actions column. Click on the alert icon to go to Alerts.

The alert icon also shows the number of affected environments found by the search. The number shown depends on the privilege level of the user. For example a Super Admin sees all affected resources, and an Admin or Read-only user sees only the ones they can access.

Admin and Read-only users can view searches created with alerts. They can't edit or delete them.

If a search finds more resources than an alert can list, a warning appears. You should refine your search to return fewer resources.


You can search for terms used by the various cloud services supported by Sophos Cloud Optix.

The format is <fieldName>:<fieldValue>. If you don't specify a fieldName, all valid fields are searched for the fieldValue. Where you have nested fields you can match that by nesting fieldName terms in your search string.

Valid expressions for fieldName and fieldValue are single word tokens, phrases, boolean and numeric values. Regular expressions and wildcards are also supported in fieldValue.

Example: EC2 or instanceId:i-123456 OR isPublic:true or nodeCount:5 OR tags.Name:test OR tags.\*:security

Use of wildcards

In fieldValue you can use a question mark to match a single character, or an asterisk to match several characters. The only supported wildcard for fieldName is the asterisk. You must precede it with a backslash as an escape character.

Example: test* OR tags.Name:Cluster?-nodepool* OR tags.\*_cluster_\*:test*

For a full list of field names and values you can use, see Supported search field names.


You can use phrases contained within double quotes in fieldValue. This is useful when searching for a continuous string of characters separated by white space.

Example: "testing purposes" OR description:"security group" OR kubeNode\*:"test container"

Regular expressions

You can use regular expressions in fieldValue.

Example: /.*test*./ or name:/Cluster.*DoNotRemove/ or \*container\*:test

Date ranges

You can use dates in range queries in the format yyyy-MM-dd. You can also use now to represent the current time.

You can also perform date math operations in date queries.


Upper case M refers to months, lower case m refers to minutes.

Required date range Search string
A specific date, for example 2020-06-05 <fieldName>:[2020-06-05 TO 2020-06-05]
The last month <fieldName>:[now-1M TO *]
This calendar year <fieldName>:[now/y TO *]
A time between two specific dates <fieldName>:[2020-01-01 TO 2020-06-05]
The last 15 days <fieldName>:[now-15d TO *]
The last week <fieldName>:[now-1w TO *]

Field existence

You can search for the existence of a field and get its value. If a field doesn't exist, or contains a null value, it's not included in the search results. You can also search for the absence of a field.

You can use the * wildcard with fieldValue. You must escape the wildcard.

Here are examples of a search for the existence of a field.



Here's an example of a search for the absence of a field.


not _exists_:tags

Special characters

You can't use the period character in fieldName and you must use a backslash as an escape character before special characters like colons.

In fieldValue special characters like the colon or backslash can either be contained within double quotes or preceded by a backslash as an escape character.