Overview
The Advanced Search feature in AirMDR Case Manager enables analysts and administrators to run structured queries to locate cases more precisely. Instead of relying on simple keyword searches, users can construct queries that filter cases by specific case attributes, logical conditions, and exact phrases. Advanced search helps users:
- Locate cases based on specific fields (such as case name, status, disposition, or reporter).
- Combine multiple criteria using logical operators.
- Exclude unwanted results.
- Perform exact phrase searches across case investigation content.
Advanced search is triggered with the /advanced prefix in the Case Manager search bar.
Accessing Advanced Search
UI Navigation
AirMDR UI → Case Manager → Case Search Bar
To use advanced search:
- Navigate to Case Manager.
- Locate the search bar.
- Begin your query using the /advanced prefix.
- Enter the query conditions.
- Press Enter to execute the search.
Query Syntax
Advanced queries allow filtering using logical operators and field-based searches.
Logical Operators Supported
| Operator | Syntax | Purpose |
|---|---|---|
| AND | && | Returns results that satisfy both conditions. |
| OR | \|\| | Returns results that match either one of the specified conditions in the query. |
| NOT | ! | Excludes cases that match the specific condition from the search results. |
For example, a query can combine the following conditions:
- Case name = Impossible Travel
- Disposition = Malicious
Query Precedence Rules
- && (AND) has higher precedence than || (OR).
- Parentheses are currently not supported in advanced queries.
Basic Search Examples
Search by IP Address
Search by Case Name
Combine Conditions (OR)
Combine Conditions (AND)
Exclude Results
Multiple Exclusion Conditions
Returns cases that:
- Are Impossible Travel
- Are not closed
- Do not contain Manchester
Filter by Assignee Context
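The precedence rule (&& binds before ||, no parentheses) and the ! exclusion used in the examples above are the two things most likely to produce unexpected results. The following Python is an added example, not AirMDR's code: a toy evaluator for this page's query syntax run over constructed case records, with the matching semantics it assumes (equality for field terms, substring for bare terms) stated in the comments.

```python
# Toy evaluator for the /advanced query syntax described on this page (added example, not AirMDR code).
# Assumed semantics (not stated on the page): 'field: value' is a case-insensitive equality match,
# a bare term is a substring search across all fields, and the case records below are constructed.
PREFIX = "/advanced"

def parse(query):
    """Split a query into OR-clauses of AND-terms, each term (negated, field, value).
    && binds tighter than || and parentheses are not supported, as the page states."""
    if not query.startswith(PREFIX):
        raise ValueError("query must start with /advanced")
    clauses = []
    for clause in query[len(PREFIX):].split("||"):
        terms = []
        for raw in clause.split("&&"):
            raw = raw.strip()
            if not raw:
                raise ValueError("empty condition in query")
            negated = raw.startswith("!")           # ! excludes matching cases
            raw = raw[1:].strip() if negated else raw
            field, sep, value = raw.partition(":")  # ':' separates field and value
            terms.append((negated, field.strip().lower(), value.strip()) if sep
                         else (negated, None, raw))  # bare term: free-text search
        clauses.append(terms)
    return clauses

def term_matches(case, field, value):
    if field is None:
        return any(value.lower() in str(v).lower() for v in case.values())
    return str(case.get(field, "")).lower() == value.lower()

def matches(case, clauses):
    # OR of AND-groups: some clause must have every term hold after applying its negation
    return any(all(term_matches(case, f, v) != neg for neg, f, v in terms) for terms in clauses)

def search(query, cases):
    return [c["case_id"] for c in cases if matches(c, parse(query))]

# Constructed sample cases, not real AirMDR data
CASES = [
    {"case_id": "ASO-1", "name": "Impossible Travel", "status": "Open", "disposition": "Malicious", "summary": "Login from Manchester then Tokyo"},
    {"case_id": "ASO-2", "name": "Impossible Travel", "status": "Closed", "disposition": "Benign", "summary": "Known VPN egress"},
    {"case_id": "ASO-3", "name": "Phishing", "status": "Open", "disposition": "Malicious", "summary": "Credential harvest"},
    {"case_id": "ASO-4", "name": "Impossible Travel", "status": "Open", "disposition": "Benign", "summary": "Travel confirmed by user"},
]

if __name__ == "__main__":
    # Reads as: status: Closed || (name: Phishing && disposition: Malicious) -> ['ASO-2', 'ASO-3']
    print(search("/advanced status: Closed || name: Phishing && disposition: Malicious", CASES))
    # Impossible Travel cases that are not closed and do not mention Manchester -> ['ASO-4']
    print(search("/advanced name: Impossible Travel && !status: Closed && !Manchester", CASES))
```

If you expected the first query to require Malicious on every result, that is the precedence rule at work: ASO-2 is returned through the status: Closed branch alone.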
Query Structure
Advanced queries follow a structured syntax that allows users to filter cases using specific fields and logical conditions.
Query Format
A query consists of the /advanced prefix followed by one or more field_name: value conditions, joined by logical operators as described in the components table below.
Components
| Component | Description | Example |
|---|---|---|
| /advanced | Prefix required to trigger advanced search mode | /advanced |
| field_name | The case field used for filtering | status |
| : | Separates field and value | status: Open |
| value | Value to match in the field | Malicious |
| operator | Logical operator used to combine conditions | && |
Example Query Structure
Matches cases where:
- Case name = Impossible Travel
- Status = Open
Query With Multiple Conditions
Query With OR Condition
Query With Exclusion
Common SOC Search Queries
Security analysts often search cases using specific operational patterns. The examples below demonstrate common investigation scenarios.
Find Open High-Severity Cases
Find Cases Assigned to a Specific Analyst
Find Malicious Cases
Find Cases Related to a Specific Detection Type
Find Open Cases Excluding Closed Investigations
Find Cases Containing a Specific User or Indicator
Case Fields Supported in Advanced Queries
The following table lists supported case fields that can be referenced in advanced queries.
Core Case Fields
| Case Field | Query Field | Example |
|---|---|---|
| Case ID | case_id | case_id: ASO-1234 |
| Archived | archived | archived: true |
| Assignee | assignee | assignee: John Doe |
| Reporter | reporter | reporter: Jane Smith |
| Created At | created_at | created_at: 2025-01-01 |
| Modified At | modified_at | modified_at: 2025-01-15 |
| Case Name | name | name: Impossible Travel |
| Disposition | disposition | disposition: Malicious |
| Escalated to Customer | escalated_to_customer | escalated_to_customer: true |
| Organization Code | organization_code | organization_code: ACME |
| Priority | priority | priority: High |
| Severity | severity | severity: Critical |
| Status | status | status: Open |
| Category | category | category: Authentication |
| Sub Category | sub_category | sub_category: Impossible Travel |
| Marked for Review | marked_for_review | marked_for_review: true |
| Reviewed | reviewed | reviewed: true |
| Case Reinvestigated | case_reinvestigated | case_reinvestigated: true |
| Confidence | confidence | confidence: High |
Case Score Fields
| Field | Query Field |
|---|---|
| Case Score | case_score.score |
| Case Score Summary | case_score.summary |
| Case Score Completed At | case_score.completed_at |
Case Detail Fields (Advanced Query Support)
These fields search inside case investigation details.
| Case Detail Field | Query Field |
|---|---|
| Actions Title | case_detail_fields.actions.title |
| Alert | case_detail_fields.alert |
| Summary | case_detail_fields.summary |
| Findings Title | case_detail_fields.findings.title |
| Findings Summary | case_detail_fields.findings.summary |
| Investigation Summary | case_detail_fields.investigation_summary |
| Provider | case_detail_fields.provider |
| Linked Alerts | case_detail_fields.linked_alerts |
| Custom Field Values | case_detail_fields.custom_field_value_map |
| Conclusion | case_detail_fields.conclusion |
| Activity Timeline | case_detail_fields.activity_timeline |
| FAQs | case_detail_fields.faqs |
| Custom Questions | case_detail_fields.custom_questions |
| Explore Deeper Questions | case_detail_fields.explore_deeper_questions |
Best Practices
Use Field Filters
Use field filters (field_name: value) instead of searching raw keywords.
Use Exclusions to Reduce Noise
Prefix a condition with ! to drop cases that match it.
Combine Multiple Conditions
Join conditions with && and || to narrow results.
Limitations
- Parentheses are not supported in queries.
- && has higher precedence than ||.
- Queries must start with /advanced.
Troubleshooting
No Results Returned
Check the following:
- Ensure the /advanced prefix is included.
- Verify the field name spelling.
- Confirm field values exist in the dataset.
Unexpected Results
Possible reasons:
- Incorrect logical operator precedence.
- Typo in field name.
- Field not supported in advanced queries.

