Quick filter search options

Search event and flow payloads by typing a text search string that uses simple words or phrases.

Quick filter is one of the fastest ways to search event or flow payloads for specific data. For example, you can use quick filter to find these types of information:
  • Every firewall device that is assigned to a specific address range in the past week
  • A series of PDF files that were sent by a Gmail account in the past five days
  • All records in a two-month period that exactly match a hyphenated user name
  • A list of website addresses that end in .ca
You can filter your searches from these locations:

Log Activity and Network Activity toolbars
Select Quick Filter from the list box on the Search toolbar, type a text search string, and click the Quick Filter icon to apply the filter to the list of events or flows.

Add Filter dialog box
Click the Add Filter icon on the Log Activity or Network Activity tab, select Quick Filter as the filter parameter, and type a text search string.

Flow search pages
Add a quick filter to your list of filters.
Note: Quick Filter searches whose time frame extends beyond the Payload Index Retention setting can be slow and resource-intensive, because payloads outside the index must be scanned rather than looked up. For example, a payload index retention of 1 day combined with a search time frame of the last 30 hours triggers this behaviour.
When you view flows in real-time (streaming) or last-interval mode, you can type only simple words or phrases in the Quick Filter field. When you view events or flows in a time range, the following syntax is available:
Table 1. Quick filter syntax guidelines

Description: Include any plain text that you expect to find in the payload.
Example: Firewall

Description: Search for an exact phrase by enclosing multiple terms in double quotation marks.
Example: "Firewall deny"

Description: Use ? as a single-character wildcard and * as a multiple-character wildcard. The search term cannot start with a wildcard.
Example: F?rewall or F??ew*

Description: Group terms with the logical operators AND, OR, and NOT. The operators must be uppercase; otherwise they are treated as search terms.
Example: (%PIX* AND ("Accessed URL" OR "Deny udp src") AND 10.100.100.*)

Description: A search that uses NOT must also include at least one other logical operator; otherwise, no results are returned.
Example: (%PIX* AND ("Accessed URL" OR "Deny udp src") NOT 10.100.100.*)

Description: Precede any of the following characters with a backslash to search for it as part of the term rather than as query syntax: + - && || ! ( ) { } [ ] ^ " ~ * ? : \
Example: "%PIX\-5\-304001"

Limitations

Quick filter searches operate on raw event or flow log data and do not distinguish between fields. For example, a quick filter search for an IP address returns matches in both the source IP address and the destination IP address, unless you include other terms that narrow the results.

Search terms are matched in sequence from the first character in the payload word or phrase. The search term user matches user_1 and user_2, but does not match the following phrases: ruser, myuser, or anyuser.

Quick filter searches use the English locale. A locale is a setting that identifies language or geography and determines formatting conventions such as collation, case conversion, character classification, the language of messages, date and time representation, and numeric representation.

The locale is set by your operating system. You can configure QRadar to override the operating system locale setting; for example, the operating system locale can be English while the QRadar Console is set to Italiano (Italian).

If you use Unicode characters in your quick filter search query, unexpected search results might be returned.

If you use a locale that is not English, use the Advanced search option in QRadar to search event and payload data instead.

How do Quick Filter searches and payload tokens work?

Text in the payload is split into tokens: words, phrases, symbols, or other elements, delimited by white space and punctuation. A search term is found only when it matches a generated token, so a term that does not line up with the token boundaries is not found. The delimiter characters are discarded, with these exceptions:
  • Periods that are not followed by white space are included as part of the token.

    For example, 192.0.2.0:56 is tokenized as host token 192.0.2.0 and port token 56.

  • Words are split at hyphens, unless the word contains a number, in which case the token is not split and the numbers and hyphens are retained as one token.
  • Internet domain names and email addresses are preserved as a single token, and a path is not split at its slashes.

    192.0.2.0/home/www is tokenized as one token; the URL is not separated.

    192.0.2.7:/calling1/www2/scp4/path5/fff is tokenized as host 192.0.2.7 and the remainder /calling1/www2/scp4/path5/fff as one token.

File names and URL names that contain more than one underscore are not kept as a single token. In the following examples the name is split at the first underscore, and the remainder, including its period and extension, stays together as one token.

Example of multiple underscores in a file name:

If you use hurricane_katrina_ladm118.jpg as a search term, it is split into the following tokens:
  • hurricane
  • katrina_ladm118.jpg

A payload that contains the file name is split the same way, so search for the full name as a phrase by placing double quotation marks around the search term: "hurricane_katrina_ladm118.jpg"

Example of multiple underscores in a relative file path:

The path thumb.ladm1180830/thumb.ladm11808301806.hurricane_katrina_ladm118.jpg is split into the following tokens:
  • thumb.ladm1180830/thumb.ladm11808301806.hurricane
  • katrina_ladm118.jpg

Here hurricane_katrina_ladm118.jpg spans the end of one token and all of the next, so the quoted file name from the previous example does not match the first token. To search for it, place an asterisk in front of the query term: *hurricane_katrina_ladm118.jpg. Note that Table 1 states that a search term cannot start with a wildcard; if the leading wildcard is rejected, quote the full path as a phrase instead, because a query is tokenized the same way as the payload.
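The tokenization rules and the prefix-matching behaviour described above are easy to get wrong when writing a filter, so the following added model reproduces them in Python and runs the page's own examples through it. This is example code written for this page, not QRadar's analyzer: the delimiter set, the rule that an unquoted term must survive tokenization as a single token, and the choice to anchor matching only at the start of a payload token (which is what makes user match user_1 but not myuser) are assumptions drawn from the page's examples. Logical operators (AND, OR, NOT) and backslash escaping are not modeled. The sample payloads are constructed; the path and the %PIX line are the page's examples.

```python
import re

# Added model of the Quick Filter tokenization and matching rules as this page
# describes them. It is NOT QRadar's analyzer; the delimiter set below and the
# "tokenize the term, then match" behaviour are assumptions drawn from the page's
# examples. Logical operators (AND/OR/NOT) and backslash escaping are not modeled.

# White space and punctuation delimit tokens. The page shows ':' as a delimiter and
# '.', '/', '@', '_' and '-' as characters that can stay inside a token; the exact
# punctuation set is an assumption.
DELIMS = re.compile(r'[\s:;,()\[\]{}"\']+')


def _split_word(word):
    """Apply the page's exceptions to one delimiter-separated word."""
    # A period followed by white space (or end of text) is a delimiter and is
    # dropped; periods inside a word (192.0.2.0, example.com) are kept.
    word = word.rstrip('.')
    if not word:
        return []
    # Words are split at hyphens unless they contain a number (%PIX-5-304001 stays whole).
    if '-' in word and not any(c.isdigit() for c in word):
        return [part for part in word.split('-') if part]
    # A name with more than one underscore is split at the first underscore;
    # the remainder (with its period and extension) stays one token.
    if word.count('_') > 1:
        head, tail = word.split('_', 1)
        return [head, tail]
    return [word]


def tokenize(text):
    """Split a payload or a search term into tokens the way the page describes."""
    tokens = []
    for word in DELIMS.split(text):
        tokens.extend(_split_word(word))
    return tokens


def _term_regex(term):
    """Compile one query token: '?' is one character, '*' is any run, and the term
    must not start with a wildcard (Table 1). Matching is anchored at the start of
    the payload token only, so 'user' matches 'user_1' but not 'myuser'."""
    if term[0] in '*?':
        raise ValueError("search term cannot start with a wildcard: %r" % term)
    pattern = ''.join('.' if c == '?' else '.*' if c == '*' else re.escape(c)
                      for c in term)
    return re.compile('^' + pattern)


def match_term(term, tokens):
    """An unquoted term. It is tokenized like a payload and must stay one token."""
    parts = tokenize(term)
    if len(parts) != 1:
        raise ValueError(
            "term %r tokenizes to %r; quote it as a phrase" % (term, parts))
    regex = _term_regex(parts[0])
    return any(regex.match(tok) for tok in tokens)


def match_phrase(phrase, tokens):
    """A double-quoted phrase: its tokens must appear consecutively in the payload."""
    want = [_term_regex(p) for p in tokenize(phrase)]
    if not want:
        return False
    n = len(want)
    return any(all(rx.match(tok) for rx, tok in zip(want, tokens[i:i + n]))
               for i in range(len(tokens) - n + 1))


def quick_filter(query, payload):
    """Evaluate one Quick Filter query (plain term, wildcard term, or "phrase")."""
    tokens = tokenize(payload)
    if len(query) >= 2 and query[0] == '"' and query[-1] == '"':
        return match_phrase(query[1:-1], tokens)
    return match_term(query, tokens)


# Constructed sample payloads (not real QRadar events); both strings are the page's examples.
PATH_PAYLOAD = "thumb.ladm1180830/thumb.ladm11808301806.hurricane_katrina_ladm118.jpg"
PIX_PAYLOAD = "%PIX-5-304001: Deny udp src 10.100.100.5"

if __name__ == "__main__":
    print(tokenize("192.0.2.0:56"))                                        # ['192.0.2.0', '56']
    print(tokenize(PATH_PAYLOAD))                                          # two tokens, split at the first underscore
    print(quick_filter("user", "login user_1 from myuser"))               # True
    print(quick_filter("user", "login ruser anyuser"))                    # False
    print(quick_filter('"hurricane_katrina_ladm118.jpg"', PATH_PAYLOAD))  # False: first token is partial
    print(quick_filter('"' + PATH_PAYLOAD + '"', PATH_PAYLOAD))           # True
```

Running the script shows the two failure modes a practitioner hits most often: a bare term with two underscores is rejected because it no longer is a single token, and a quoted file name does not match when the payload glues the first part of that name onto a preceding path component. Quoting the full path matches because the query is tokenized the same way as the payload.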