FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
FortiKoala
Staff
Article Id 191937
Description

How does the search bar work?


Scope

FAQ


Solution

The Search Pill
Searches are conducted on individual fields within the data, so each search consists of a selection of the field to search upon, and the value to search for. Each combination of field and term forms a search pill. There is a third element within each search pill, which allows for a selection of the type of comparison to be used for that pill.

Types of search pill
By default, every search pill will default to a normal text search. This is referred to as a Terms search, but there are multiple options to provide fine control:

Terms
This type of search is selected by default, and allows for a normal text-based search. Values that match will be returned as part of the search. Terms searches also support two special characters: * acts as a wildcard to represent one or more unknown characters, and ? acts as a wildcard for a single unknown character.
Less Than, Greater Than, Less Than or Equal To, and Greater Than or Equal To
These types of searches are useful for numerical comparisons such as searching based on port number or severity. They also allow for alphabetical comparison, such as results that appear later alphabetically than the entered value.

Regular Expression
For advanced users, the search pill also supports Regular Expression searches.


Available Search Fields
The list of available search fields varies according to the type of ZoneFox data being searched. As you type, the list of available fields will be shown. Using the cursor keys, the tab key, the enter key or your mouse, you can select or change a field and add it to your search. You can also alter the selected field for an existing search pill by clicking on the disclosure arrow beside the pill's term.

Navigating the search bar
The search bar supports interaction using both your keyboard and mouse. With the cursor flashing to the right of a completed search pill, use the Left Arrow key while holding SHIFT to enter the pill value and edit. You can use the cursor keys without pressing shift to move between pills, and update the search concatenators.

Search Concatenators
By default, each combination of search pill entered into the search bar will be joined with an AND concatenator. This means that both pills must evaluate as true in order for a result to be returned. As well as AND, the search bar supports OR concatenation, which means that either pill can evaluate as true.

In addition to AND and OR, a specific pill can be inverted by using the NOT keyword. NOT can be added to your search before entering a pill by typing NOT, or by typing an exclamation mark (!).

Hints for Concatenators
There is no need to explicitly type AND between search pills, as the search bar will enter this for you automatically. Typing OR will force the search pill concatenator to be an OR rather than an AND. Alternatively, click on an existing concatenator to cycle between the two options.

Bracketing pills
The search bar supports the use of brackets to group pills, allowing for complex queries to be constructed. To enter a bracketed collection of pills, simply type an opening parenthesis character ( to open the bracketed collection. Close a bracketed collection of pills with the closing parenthesis character ). If you don't enter brackets, the search bar will intelligently add brackets behind the scenes in order to interpret your intentions. This is best seen in action when entering a search query within a Policy, as this allows you to review a search easily at a later date.
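The query rules described above (Terms wildcards, numeric versus alphabetical comparisons, implicit AND, OR, NOT or !, and brackets) can be exercised offline with the small evaluator below. This is an added example written for this article, not code from Fortinet or the ZoneFox console; it assumes a textual pill form of field, comparison and value (for example port>=443 or process:power*), assumes AND binds tighter than OR where no brackets are typed, and runs against constructed sample events with hypothetical field names.

```python
import re

EVENTS = [{"user": "alice", "process": "powershell.exe", "port": 443},   # constructed sample events
          {"user": "bob", "process": "python.exe", "port": 8080},        # with hypothetical
          {"user": "carol", "process": "powershell.exe", "port": 22}]    # ZoneFox-style fields
# Assumed textual pill form: field, comparison (: < > <= >=), value, e.g. port>=443 or process:power*
_TOKEN = re.compile(r"\(|\)|!|\bAND\b|\bOR\b|\bNOT\b|([A-Za-z_]\w*)(<=|>=|<|>|:)([^\s()]+)")

def _pill(field, op, value):
    # Terms search (:): * stands for one or more characters, ? for exactly one; case-insensitive
    rx = re.compile("".join(".+" if c == "*" else "." if c == "?" else re.escape(c) for c in value), re.I)
    def test(actual):
        if op == ":":
            return rx.fullmatch(str(actual)) is not None
        try:  # < > <= >=: numeric when both sides are numbers, otherwise alphabetical
            left, right = float(actual), float(value)
        except (TypeError, ValueError):
            left, right = str(actual).lower(), value.lower()
        return {"<": left < right, ">": left > right, "<=": left <= right, ">=": left >= right}[op]
    return lambda e: field in e and test(e[field])

def compile_query(query):
    """Parse a search-bar query into a predicate over one event dict."""
    toks = [m.group(0) for m in _TOKEN.finditer(query) if m.group(0) != "AND"]  # AND is implied anyway
    def parse_or():  # OR binds loosest (assumed precedence; the console adds its own brackets)
        node = parse_and()
        while toks and toks[0] == "OR":
            toks.pop(0)
            node = (lambda a, b: lambda e: a(e) or b(e))(node, parse_and())
        return node
    def parse_and():  # implicit AND between adjacent pills or bracketed groups
        node = parse_not()
        while toks and toks[0] not in ("OR", ")"):
            node = (lambda a, b: lambda e: a(e) and b(e))(node, parse_not())
        return node
    def parse_not():  # NOT or ! inverts the next pill or bracketed group
        tok = toks.pop(0)
        if tok in ("NOT", "!"):
            inner = parse_not()
            return lambda e: not inner(e)
        if tok == "(":
            inner = parse_or()
            toks.pop(0)  # consume the closing bracket
            return inner
        return _pill(*_TOKEN.fullmatch(tok).groups())
    return parse_or()

def search(query, events=EVENTS):
    pred = compile_query(query)
    return [e["user"] for e in events if pred(e)]
```

For example, search("process:power* !user:alice") returns ["carol"], while search("NOT (port<100 OR process:python?exe)") returns ["alice"].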

Clearing or deleting a search
You can clear the search bar quickly by clicking on the icon on the right side of the search bar. Alternatively, with your cursor active in the search bar, use the backspace key to remove the previous pill.

Limiting searches by date range
Most search bars have the option to limit a search by a specific date range. By default a search will be conducted over an open period of time, searching all the data held in the index by ZoneFox. If you want to narrow down the period of time you're searching over, click on either the From or To boxes, and choose a date and time. You can enter a date and time in both, or in just one of the two, in order to limit the search to older data, newer data, or a specific date range.

Sticky searches
In the ZoneFox console, searches are sticky within a particular data type. This means that when you enter a search that searches the events captured by ZoneFox, any other search bar that searches events will prefill your last entered search automatically. You can quickly clear any prefilled search by using the icon in the search bar.

Different types of data each have their own sticky search recorded for your ease. Note that searches are not currently sticky across multiple sessions, so when you first log in to the ZoneFox system, any searches from previous sessions will not be automatically pre-filled.