Overview
Use Search Profiles to tailor your content search to your organization’s infrastructure, MITRE ATT&CK® priorities, or even specific CVEs or APTs. Configure a Search Profile once and apply it anytime on the fly.
Search Profiles can be applied in the following places of the Threat Detection Marketplace:
Advanced Search. Turn on the Default on Search toggle to apply the corresponding profile by default in Advanced Search when searching for detections. Search results are filtered according to the parameters set in this profile. You can select a different profile from the dropdown in Advanced Search. Keep in mind:
The search displays the content that matches all configured Search Profile fields (fields are combined with the AND operator).
If a Search Profile field contains multiple values, the search displays the results that match at least one of the values (values are combined with the OR operator).
Log Source Coverage and MITRE ATT&CK Coverage. Turn on the Default on Coverages toggle to apply the corresponding profile when you open the Log Source Coverage or MITRE ATT&CK Coverage page to filter the statistics. You can select a different profile from the dropdown on Log Source Coverage or MITRE ATT&CK Coverage pages. Keep in mind:
In Log Source Coverage, only the Platform and Log Source Product fields of the applied Search Profile are used to filter the statistics.
In MITRE ATT&CK Coverage, only the following fields of the applied Search Profile are used to filter the statistics: Platform, Log Source Product, Tool, Actor, Technique, Data Component, Event ID, and CVE ID.
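The matching rules above (fields ANDed, values within a field ORed, empty fields ignored, and each coverage page consulting only a subset of fields) are easy to get wrong when reasoning about why a rule does or does not show up. The following is an added example, not code from the Threat Detection Marketplace or SOC Prime; it models a profile and a handful of constructed detection rules as plain dicts keyed by the field names this page lists. The rule names, the `deployed` flag and the dict layout are assumptions made for illustration; the platform's real data model is not described here.

```python
"""Added example (not part of the Threat Detection Marketplace documentation or
product code): a model of how a Search Profile filters detection content.

Assumptions, labelled as such: rule and profile records are plain dicts keyed by
the field names the page lists; the platform's real data model is not public here.
"""
from typing import Iterable, Optional

# Fields the page says each coverage view takes from the applied profile.
LOG_SOURCE_COVERAGE_FIELDS = {"Platform", "Log Source Product"}
MITRE_COVERAGE_FIELDS = {
    "Platform", "Log Source Product", "Tool", "Actor",
    "Technique", "Data Component", "Event ID", "CVE ID",
}


def field_matches(rule_values: set, profile_values: set) -> bool:
    """Values inside one profile field are ORed: any overlap is a match."""
    return bool(rule_values & profile_values)


def rule_matches(rule: dict, profile: dict, fields: Optional[Iterable[str]] = None) -> bool:
    """Profile fields are ANDed: every configured field must match.

    `fields` restricts which profile fields are consulted, which is how the
    coverage pages behave; an empty profile field imposes no constraint.
    """
    allowed = set(fields) if fields is not None else None
    for field, wanted in profile.items():
        if allowed is not None and field not in allowed:
            continue            # this view ignores that field
        if not wanted:
            continue            # empty field: no constraint
        if not field_matches(set(rule.get(field, ())), set(wanted)):
            return False
    return True


def search(rules, profile, fields=None, hide_deployed=False):
    """Names of rules that match the profile; optionally drop deployed ones
    (the 'Do not show deployed' option)."""
    return [r["name"] for r in rules
            if rule_matches(r, profile, fields)
            and not (hide_deployed and r.get("deployed"))]


# Constructed sample content (rule names and values invented for illustration).
RULES = [
    {"name": "PowerShell download cradle", "Platform": ["Microsoft Sentinel"],
     "Log Source Product": ["windows"], "Technique": ["T1059.001"], "deployed": True},
    {"name": "Linux cron persistence", "Platform": ["Elastic Stack"],
     "Log Source Product": ["linux"], "Technique": ["T1053.003"], "deployed": False},
    {"name": "Scheduled task creation", "Platform": ["Microsoft Sentinel"],
     "Log Source Product": ["windows"], "Technique": ["T1053.005"], "deployed": False},
    {"name": "Sudo abuse", "Platform": ["Microsoft Sentinel"],
     "Log Source Product": ["linux"], "Technique": ["T1548.003"], "deployed": False},
    {"name": "Windows service install", "Platform": ["Microsoft Sentinel"],
     "Log Source Product": ["windows"], "Technique": ["T1543.003"], "deployed": False},
]

# Constructed profile: two techniques (ORed), Actor left empty (no constraint).
PROFILE = {
    "Platform": ["Microsoft Sentinel"],
    "Log Source Product": ["windows"],
    "Technique": ["T1059.001", "T1053.005"],
    "Actor": [],
}

if __name__ == "__main__":
    print("Advanced Search:", search(RULES, PROFILE))
    print("without deployed:", search(RULES, PROFILE, hide_deployed=True))
    print("Log Source Coverage view:", search(RULES, PROFILE, fields=LOG_SOURCE_COVERAGE_FIELDS))
```

Running it shows the difference between the views: in Advanced Search the Technique field excludes the service-install rule, while the Log Source Coverage view, which only looks at Platform and Log Source Product, counts it.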
There are two types of search profiles:
My — created by the specific user and not shared across the company
Company — company-wide search profiles shared across all company users. This tab is displayed only if there are shared profiles in the user's company.
Create a Profile
To create a Search Profile:
Go to Account icon > Platform Settings > Search Profiles and click the Add Search Profile button.
Enter the name of a profile in the Profile Name field.
Adjust the following settings if needed:
Share to Company. Turn on this toggle if you'd like to make the profile available for viewing and editing to all users from your company.
Do not show deployed. When the profile is applied in Search, the rules your team has deployed automatically or marked as deployed manually are excluded from the search results. Note that this option does not affect your organization’s insights in Analytics.
In the Configuration section, in the fields relevant to you, select the required options from the dropdown lists or type directly into the fields. To include additional filters, click Add More Filters and select the appropriate checkboxes.
Select Import ATT&CK Navigator to import an ATT&CK Navigator JSON file where your prioritized techniques are highlighted. ATT&CK Navigator is an open-source tool for annotating and exploring ATT&CK matrices. For example, it's often used to determine an organization's focus areas or compare behaviors of different APTs.
When configured, select Create Profile.
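To see what the ATT&CK Navigator import step consumes, the following added example (not code from the Threat Detection Marketplace or from the ATT&CK Navigator project) reads a Navigator layer file and lists the techniques it highlights, the set you would expect to land in the profile's Technique field. The layer keys used (`techniques`, `techniqueID`, `tactic`, `color`, `score`, `enabled`) are the layer format's own; the rule for what counts as "highlighted" (a non-empty color or a numeric score, and not disabled) and the `parent_ids` collapsing of sub-techniques are assumptions made here, as is the sample layer, which is constructed.

```python
"""Added example, not part of the Threat Detection Marketplace docs or code:
read an ATT&CK Navigator layer file and list the techniques it highlights,
so the result can be checked against a Search Profile's Technique field.

Assumption (labelled): a technique entry counts as highlighted when it carries a
non-empty "color" or a numeric "score" and is not disabled ("enabled": false);
the marketplace's own import may use a different rule.
"""
import json
from typing import Any, Dict, Iterable, List


def load_layer(text: str) -> Dict[str, Any]:
    """Parse a layer file and check the one field this code relies on."""
    layer = json.loads(text)
    if not isinstance(layer, dict) or not isinstance(layer.get("techniques"), list):
        raise ValueError("not a Navigator layer: missing 'techniques' list")
    return layer


def is_highlighted(entry: Dict[str, Any]) -> bool:
    """Highlighted = colored or scored, and not greyed out (assumed rule)."""
    if not entry.get("enabled", True):
        return False
    score = entry.get("score")
    has_score = isinstance(score, (int, float)) and not isinstance(score, bool)
    return bool(entry.get("color")) or has_score


def highlighted_techniques(text: str) -> List[str]:
    """Unique, sorted technique IDs highlighted in the layer.

    A technique listed under several tactics appears once; entries without a
    techniqueID are skipped rather than failing the whole import.
    """
    ids = set()
    for entry in load_layer(text)["techniques"]:
        tid = entry.get("techniqueID")
        if isinstance(tid, str) and tid and is_highlighted(entry):
            ids.add(tid)
    return sorted(ids)


def parent_ids(technique_ids: Iterable[str]) -> List[str]:
    """Collapse sub-techniques (T1059.001) onto their parents (T1059)."""
    return sorted({tid.split(".", 1)[0] for tid in technique_ids})


# Constructed sample layer in the Navigator layer format (values invented).
SAMPLE_LAYER = json.dumps({
    "name": "Priority techniques (constructed sample)",
    "versions": {"layer": "4.5", "attack": "14", "navigator": "4.9.1"},
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059.001", "tactic": "execution", "color": "#e60d0d", "score": 100},
        {"techniqueID": "T1053.005", "tactic": "execution", "color": "#ff6666"},
        {"techniqueID": "T1053.005", "tactic": "persistence", "color": "#ff6666"},
        {"techniqueID": "T1566.001", "tactic": "initial-access", "score": 40},
        {"techniqueID": "T1110", "tactic": "credential-access", "comment": "reviewed, no color"},
        {"techniqueID": "T1021.001", "tactic": "lateral-movement", "color": "#aaaaaa", "enabled": False},
        {"tactic": "discovery", "color": "#123456"},
    ],
})

if __name__ == "__main__":
    ids = highlighted_techniques(SAMPLE_LAYER)
    print("highlighted:", ids)
    print("parents:", parent_ids(ids))
```

The duplicate T1053.005 entry (one per tactic) is the normal shape of a Navigator layer, so de-duplication matters; the commented-but-uncolored and disabled entries show which annotations the assumed rule ignores.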
Note: If a user changes their company, the Search Profiles they shared with the previous team automatically become personal and are no longer available to other users.
Copy a Profile
You can take an existing Search Profile and use it as a basis for a new one.
To copy a Search Profile:
Go to Account icon > Platform Settings > Search Profiles, select the three dots on the right of the profile you want to copy, and select Copy.
The Create Search Profile modal opens, pre-filled with values from the original profile.
Click Save Changes to create a new profile identical to the original one. "- Copy" is appended to the profile name.
OR
Update field values and click Save Changes.
Edit or Delete a Profile
To edit or delete a Search Profile, click the three dots on the right, select Edit or Delete, and then make your edits or confirm the action.
Profile Created During Onboarding
When you complete the Search Profile step in the Onboarding Wizard, it automatically creates a profile named Onboarding Search Profile. The profile contains the security platform and log source products you've specified.
You can edit the profile to enhance it with additional details and make your search results even more relevant.
Use Cases
There are multiple ways of using Search Profiles to streamline your content search. Some of the use cases are listed below:
Based on their organization’s industry, location and activity, users can set up several Search Profiles for different APTs in the Actor field. This allows easy tracking of any new content associated with the threat actor of interest.
Some users create a Search Profile with all their log sources to instantly see what suspicious activity they can detect with the data they collect.
Organizations with several security platforms in their infrastructure can configure a Search Profile for each of their SIEM, EDR, or XDR platforms.
Note: With the sharing option, a more knowledgeable member of your team can set up several profiles to be applied by all users from your organization.