You can run searches using the search bar in most Sophos Cloud Optix pages. To save, run, view, edit, and delete searches, go to Search.
Administrators using the same Sophos Cloud Optix account can see and update each other's searches. This allows administrators to create searches for other administrators to use. The search creator's name and the name of the person who last edited it are shown in the saved searches list.
Super Admins can configure saved searches to generate alerts.
To save a search and configure it to generate an alert, do as follows.
- Go to Search.
- Create and test your search, then click Save search query.
- Enter a name for the search.
- Click Create Alert.
- Enter a summary that describes the alert.
- Choose a Severity.
- Choose the environments and tags to include in the search. If you don't enter any environments or tags, all your environments are searched.
The search appears in Saved Searches.
Alerts for saved searches are generated or updated during the next and subsequent scans of your environment. You can see if an alert is generated in the Actions column. Click on the alert icon to go to Alerts.
The alert icon also shows the number of affected environments found by the search. The number shown depends on the privilege level of the user. For example, a Super Admin sees all affected resources, and an Admin or Read-only user sees only the ones they can access.
Admin and Read-only users can view searches created with alerts. They can't edit or delete them.
If a search finds more resources than an alert can list, a warning appears. You should refine your search to return fewer resources.
You can search for terms used by the various cloud services supported by Sophos Cloud Optix. The format is <fieldName>:<fieldValue>. If you don't specify a fieldName, all valid fields are searched for the fieldValue. Where you have nested fields, you can match them by nesting fieldName terms in your search string (for example tags.Name).
Valid expressions for fieldValue are single-word tokens, phrases, boolean and numeric values. Regular expressions and wildcards are also supported, as described below. For example:
EC2 or instanceId:i-123456 OR isPublic:true or nodeCount:5 OR tags.Name:test OR tags.\*:security
Use of wildcards
In fieldValue, you can use a question mark (?) to match a single character, or an asterisk (*) to match several characters. The only wildcard supported in fieldName is the asterisk, and you must precede it with a backslash as an escape character (for example tags.\*). For example:
test* OR tags.Name:Cluster?-nodepool* OR tags.\*_cluster_\*:test*
For a full list of field names and values you can use, see Supported search field names.
You can use phrases contained within double quotes in fieldValue. This is useful when searching for a continuous string of characters separated by white space. For example:
"testing purposes" OR description:"security group" OR kubeNode\*:"test container"
You can use regular expressions in fieldValue, as in the following examples:
/.*test*./ or name:/Cluster.*DoNotRemove/ or \*container\*:test
You can use dates in range queries in the format yyyy-MM-dd. You can also use now to represent the current time, and you can perform date math operations in date queries. In date math, upper case M refers to months and lower case m refers to minutes.
| Required date range | Search string |
| --- | --- |
| A specific date, for example 2020-06-05 | |
| The last month | |
| This calendar year | |
| A time between two specific dates | |
| The last 15 days | |
| The last week | |
You can search for the existence of a field and get its value. If a field doesn't exist, or contains a null value, it's not included in the search results. You can also search for the absence of a field. To match any value, you can use the * wildcard as the fieldValue; you must escape the wildcard.
Here are examples of a search for the existence of a field.
Here's an example of a search for the absence of a field.
The period character is reserved in fieldName for separating nested fields (as in tags.Name), so you can't use it as part of a field name itself, and you must precede other special characters, such as colons, with a backslash as an escape character.
In fieldValue, special characters such as the colon or backslash can either be contained within double quotes or preceded by a backslash as an escape character.
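The following Python evaluator is an added example and is not part of the Sophos Cloud Optix documentation or product. It implements the query subset described above (the fieldName:fieldValue format, nested fields, OR, wildcards in fieldName and fieldValue, quoted phrases, /regex/ values and the escaping rules) and runs it over constructed sample records, so you can check what a search string is meant to match before saving it as an alert. The sample data, the case-insensitive matching, the anchored treatment of regular expressions and the rule that a bare token must equal a whole value or one whitespace-separated word of it are all assumptions; the real search engine may tokenise differently, so treat results as a sanity check, not as the product's behaviour.

```python
import json
import re

# Constructed sample records standing in for Cloud Optix resources (not real data).
RESOURCES = [
    {"resourceType": "EC2", "instanceId": "i-123456", "isPublic": True, "nodeCount": 5,
     "tags": {"Name": "Cluster1-nodepool-a", "my_cluster_id": "test1"}},
    {"resourceType": "EC2", "instanceId": "i-abcdef", "isPublic": False,
     "description": "default security group", "tags": {"Name": "test", "Team": "security"}},
    {"name": "Cluster-prod-DoNotRemove", "kubeNodeImage": "test container v2",
     "description": "arn:aws:iam::123456789012:role/demo"},
]

def flatten(obj, prefix=""):
    """Flatten nested objects into dotted field names such as tags.Name."""
    flat = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = value
    return flat

def wildcard_regex(pattern, field_name):
    """Wildcard token -> anchored regex. fieldValue: * several chars, ? one char, \\x literal x.
    fieldName: only the backslash-escaped asterisk (\\*) is a wildcard, as in tags.\\*."""
    out, i = [], 0
    while i < len(pattern):
        ch, nxt = pattern[i], pattern[i + 1:i + 2]
        if ch == "\\" and nxt:
            out.append(".*" if field_name and nxt == "*" else re.escape(nxt))
        elif not field_name and ch in "*?":
            out.append(".*" if ch == "*" else ".")
        else:
            out.append(re.escape(ch))
        i += 2 if ch == "\\" and nxt else 1
    return re.compile("".join(out), re.IGNORECASE)

def split_term(term):
    """Split fieldName:fieldValue at the first colon that is neither escaped nor quoted."""
    in_quotes, i = False, 0
    while i < len(term):
        if term[i] == '"':
            in_quotes = not in_quotes
        elif term[i] == ":" and not in_quotes:
            return term[:i], term[i + 1:]
        i += 2 if term[i] == "\\" else 1
    return None, term  # no fieldName: every field is searched

def split_or(query):
    """Split on OR (any case) outside double quotes; OR is the only operator the page shows."""
    terms, buf, in_quotes, i = [], [], False, 0
    while i < len(query):
        ch = query[i]
        if ch == '"':
            in_quotes = not in_quotes
        if not in_quotes and query[i:i + 4].upper() == " OR ":
            terms.append("".join(buf).strip())
            buf, i = [], i + 4
            continue
        step = 2 if ch == "\\" else 1  # keep an escaped character with its backslash
        buf.append(query[i:i + step])
        i += step
    terms.append("".join(buf).strip())
    return [t for t in terms if t]

def value_matches(spec, value):
    """Assumed semantics: "phrase" = contiguous substring, /regex/ = anchored match,
    anything else = wildcard token matched against the whole value or one of its words."""
    text = json.dumps(value) if isinstance(value, bool) else str(value)
    if len(spec) >= 2 and spec[0] == spec[-1] == '"':
        return spec[1:-1].lower() in text.lower()
    if len(spec) >= 2 and spec[0] == spec[-1] == "/":
        return re.fullmatch(spec[1:-1], text) is not None
    rx = wildcard_regex(spec, field_name=False)
    return any(rx.fullmatch(word) for word in [text, *text.split()])

def term_matches(term, flat):
    field, spec = split_term(term)
    if field is None:
        candidates = list(flat.values())
    else:
        rx = wildcard_regex(field, field_name=True)
        candidates = [v for k, v in flat.items() if rx.fullmatch(k)]
    # Null values count as absent, as the page states for existence searches.
    return any(value_matches(spec, v) for v in candidates if v is not None)

def search(query, resources=RESOURCES):
    """Return the indexes of resources matched by at least one OR-ed term."""
    terms = split_or(query)
    return [i for i, r in enumerate(resources) if any(term_matches(t, flatten(r)) for t in terms)]

def escape_value(literal):
    """Backslash-escape colon and backslash (named on the page) plus quote and wildcard
    characters, so a literal such as an ARN is matched verbatim."""
    return re.sub(r'([\\:"*?])', r"\\\1", literal)
```

With the sample records above, search('tags.Name:Cluster?-nodepool* OR tags.\*_cluster_\*:test*') returns [0], search('description:"security group" OR kubeNode\*:"test container"') returns [1, 2], and search("description:" + escape_value("arn:aws:iam::123456789012:role/demo")) returns [2], showing how escape_value lets a value full of colons be used without quoting it.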