Overview
The Advanced Search feature in AirMDR Case Manager enables analysts and administrators to run structured queries to locate cases more precisely. Instead of relying on simple keyword searches, users can construct queries that filter cases by specific case attributes, logical conditions, and exact phrases.
Advanced Search helps users:
- Locate cases based on specific fields (such as case name, status, disposition, or reporter).
- Combine multiple criteria using logical operators.
- Exclude unwanted results.
- Perform exact phrase searches across case investigation content.
Advanced Search is triggered with the /advanced prefix in the Case Manager search bar.
When to Use Advanced Search
Use Advanced Search when:
- You need precise filtering using case fields
- You want to combine conditions using AND / OR / NOT
- You need to exclude specific results
- You are performing structured investigation queries
Accessing Advanced Search
UI Navigation
AirMDR UI → Case Manager → Case Search Bar
To use Advanced Search:
- Navigate to Case Manager.
- Locate the search bar.
- Begin your query with the /advanced prefix.
- Enter the query conditions.
- Press Enter to execute the search.
Query Syntax
Advanced queries allow filtering using logical operators and field-based searches.
Logical Operators Supported
| Operator | Syntax | Purpose |
|---|---|---|
| AND | && | Returns results that satisfy both conditions. |
| OR | \|\| | Returns results that match either one of the specified conditions in the query. |
| NOT | ! | Excludes cases that match the specific condition from the search results. |
For example, combining the following two conditions with && returns only cases where:
- Case name = Impossible Travel
- Disposition = Malicious
Exact Phrase Search
In Normal Search (Recommended)
You can use double quotes (" ") to search for exact phrases.
| Input | Behavior |
|---|---|
| lateral movement | Matches words anywhere |
| "lateral movement" | Matches exact phrase only |
In Advanced Search
Quotes do not work in /advanced mode. Use the exact: prefix for phrase matching instead.
Limitations of Advanced Search
- Quotes (" ") are not supported
- Use exact: for phrase matching
- Comments are not searched
- Parentheses are not supported
- Operator precedence applies: ! → && → ||
Search by Specific Fields
You can narrow searches to specific sections of a case.
| Field | Description |
|---|---|
| name | Case title |
| summary | Investigation summary |
| assignee | Assigned user |
| alert | Alert details |
| findings | Findings section |
| linked_alerts | Linked alerts |
| iocs | Indicators (IP/domain/user) |
| custom_fields | Custom fields |
| all | Entire case |
Query Precedence Rules
&& (AND) has higher precedence than || (OR).
- Parentheses are currently not supported in advanced queries.
Basic Search Examples
Search by IP Address
Search by Case Name
Combine Conditions (OR)
Combine Conditions (AND)
Exclude Results
Multiple Exclusion Conditions
For example, chaining one positive condition with two ! exclusions returns cases that:
- Are Impossible Travel
- Are not closed
- Do not contain Manchester
Filter by Assignee Context
Query Structure
Advanced queries follow a structured syntax that allows users to filter cases using specific fields and logical conditions.
Query Format
/advanced field_name: value operator field_name: value
Components
| Component | Description | Example |
|---|---|---|
| /advanced | Prefix required to trigger advanced search mode | /advanced |
| field_name | The case field used for filtering | status |
| : | Separates field and value | status: Open |
| value | Value to match in the field | Malicious |
| operator | Logical operator used to combine conditions | && |
Example Query Structure
For example, two field: value terms joined with && return only cases where:
- Case name = Impossible Travel
- Status = Open
Query With Multiple Conditions
Query With OR Condition
Query With Exclusion
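As an added illustration of the query structure and precedence rules above (this is not AirMDR's own code), the following Python models the documented grammar: the /advanced prefix, field: value terms, and the ! → && → || precedence with no parentheses, and runs it over a few constructed cases. Treating exact: as a pseudo-field that phrase-matches the whole case is an assumption about the documented exact: prefix.

```python
import re

# Constructed sample cases (not real AirMDR data); keys follow the page's query field names.
CASES = [
    {"case_id": "ASO-1001", "name": "Impossible Travel", "status": "Open", "disposition": "Malicious",
     "assignee": "John Doe", "findings": "Login from Manchester then Tokyo"},
    {"case_id": "ASO-1002", "name": "Impossible Travel", "status": "Closed", "disposition": "Benign",
     "assignee": "Jane Smith", "findings": "Travel matched a VPN egress change"},
    {"case_id": "ASO-1003", "name": "Phishing Email", "status": "Open", "disposition": "Malicious",
     "assignee": "John Doe", "findings": "User clicked a lateral movement link"},
]
PREFIX = "/advanced"

def parse(query):
    """Parse '/advanced f1: v1 && !f2: v2 || f3: v3' into OR-groups of AND-terms.
    Precedence is ! > && > || as the page states; without parentheses a flat
    list-of-lists captures it. Each term is (negated, field, value)."""
    if not query.startswith(PREFIX):
        raise ValueError("advanced queries must start with /advanced")
    groups = []
    for disjunct in query[len(PREFIX):].split("||"):
        terms = []
        for conjunct in disjunct.split("&&"):
            conjunct = conjunct.strip()
            negated = conjunct.startswith("!")
            field, sep, value = conjunct.lstrip("!").partition(":")
            if not sep or not field.strip() or not value.strip():
                raise ValueError(f"expected 'field: value', got {conjunct!r}")
            terms.append((negated, field.strip(), value.strip()))
        groups.append(terms)
    return groups

def term_matches(case, field, value):
    """Case-insensitive whole-word match of value within one field (or 'all').
    'exact' is modelled as a pseudo-field that phrase-matches the whole case;
    this is an assumption about how the documented exact: prefix behaves."""
    scope = " ".join(map(str, case.values())) if field in ("all", "exact") else str(case.get(field, ""))
    scope = scope.lower()
    if field == "exact":
        return value.lower() in scope
    return all(re.search(rf"\b{re.escape(w)}\b", scope) for w in value.lower().split())

def search(query, cases=CASES):
    """Return the case_ids matching an advanced query, honouring ! > && > ||."""
    groups = parse(query)
    return [c["case_id"] for c in cases
            if any(all(term_matches(c, f, v) != neg for neg, f, v in g) for g in groups)]
```

Because && binds tighter than ||, a query such as `!findings: Manchester && name: Impossible Travel || status: Open` is read as (NOT Manchester AND Impossible Travel) OR Open, which is why an open case that does mention Manchester still appears.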
Case Fields Supported in Advanced Queries
The following table lists supported case fields that can be referenced in advanced queries.
Core Case Fields
| Case Field | Query Field | Example |
|---|---|---|
| Case ID | case_id | case_id: ASO-1234 |
| Archived | archived | archived: true |
| Assignee | assignee | assignee: John Doe |
| Reporter | reporter | reporter: Jane Smith |
| Created At | created_at | created_at: 2025-01-01 |
| Modified At | modified_at | modified_at: 2025-01-15 |
| Case Name | name | name: Impossible Travel |
| Disposition | disposition | disposition: Malicious |
| Escalated to Customer | escalated_to_customer | escalated_to_customer: true |
| Organization Code | organization_code | organization_code: ACME |
| Priority | priority | priority: High |
| Severity | severity | severity: Critical |
| Status | status | status: Open |
| Category | category | category: Authentication |
| Sub Category | sub_category | sub_category: Impossible Travel |
| Marked for Review | marked_for_review | marked_for_review: true |
| Reviewed | reviewed | reviewed: true |
| Case Reinvestigated | case_reinvestigated | case_reinvestigated: true |
| Confidence | confidence | confidence: High |
Case Score Fields
| Field | Query Field |
|---|---|
| Case Score | case_score.score |
| Case Score Summary | case_score.summary |
| Case Score Completed At | case_score.completed_at |
Case Detail Fields (Advanced Query Support)
These fields search inside case investigation details.
| Case Detail Field | Query Field |
|---|---|
| Actions Title | case_detail_fields.actions.title |
| Alert | case_detail_fields.alert |
| Summary | case_detail_fields.summary |
| Findings Title | case_detail_fields.findings.title |
| Findings Summary | case_detail_fields.findings.summary |
| Investigation Summary | case_detail_fields.investigation_summary |
| Provider | case_detail_fields.provider |
| Linked Alerts | case_detail_fields.linked_alerts |
| Custom Field Values | case_detail_fields.custom_field_value_map |
| Conclusion | case_detail_fields.conclusion |
| Activity Timeline | case_detail_fields.activity_timeline |
| FAQs | case_detail_fields.faqs |
| Custom Questions | case_detail_fields.custom_questions |
| Explore Deeper Questions | case_detail_fields.explore_deeper_questions |
Search Result Ordering
- Results are sorted by creation time (newest first)
- Not sorted by relevance
Match Weight (for finding results)
| Field | Priority |
|---|---|
| Case ID | Highest |
| Case Name | High |
| Summary / Findings | Medium |
| Others | Lower |
Single vs Multi-word Search Behavior
| Input | Behavior |
|---|---|
| malware | Exact word match |
| lateral movement | At least 1 word matches |
| 3-word query | At least 2 words match |
Multi-word queries follow ~75% match logic.
Entity / IOC Filtering
You can filter cases using entities such as IPs, domains, or usernames.
Steps
- Open filter panel
- Add entity value
- Select type (optional)
- Choose:
- AND → all must match
- OR → any can match
Examples
- IP search → 192.168.1.100
- User search → user@company.com
- Domain search → evil.com
Case ID Partial Search
- Supports substring search
- Minimum 3 characters required
| Input | Result |
|---|---|
| 1234 | Matches SEC-1234 |
| SEC | Matches all SEC cases |
Common SOC Search Queries
Security analysts often search cases using specific operational patterns. The examples below demonstrate common investigation scenarios.
Find Open High-Severity Cases
Find Cases Assigned to a Specific Analyst
Find Malicious Cases
Find Cases Related to a Specific Detection Type
Find Open Cases Excluding Closed Investigations
Find Cases Containing a Specific User or Indicator
Best Practices
Use Field Filters
Instead of searching raw keywords, filter on the case field that holds the value.
Use Exclusions to Reduce Noise
Example:
Combine Multiple Conditions
Example:
Limitations
- Parentheses are not supported in queries
- && has higher precedence than ||
- Queries must start with /advanced
Troubleshooting
No Results Returned
Check the following:
- Ensure the /advanced prefix is included.
- Verify the field name spelling.
- Confirm field values exist in the dataset.
Unexpected Results
Possible reasons:
- Incorrect logical operator precedence
- Typo in field name
- Field not supported in advanced queries.