---
title: "Advanced Alert Filtering & Search"
description: "High-performance multi-criteria alert search with 20+ filter attributes, saved presets, and fast query response for large alert datasets"
category: "alert"
icon: "search-filter"
audience: ["SOC Analysts", "Threat Hunters", "Incident Responders", "Compliance Investigators", "Security Researchers"]
capabilities:
  - "Multi-criteria advanced filtering (20+ attributes)"
  - "Full-text search across all alert fields"
  - "Complex query builder with boolean logic"
  - "Saved filter presets and templates"
  - "Real-time search suggestions"
  - "Query performance optimisation"
integrations: ["SIEM Platforms", "BI Tools", "Threat Intelligence", "Case Management"]
---
# Advanced Alert Filtering & Search

## Overview
An incident responder gets a call at 7am: suspected ransomware lateral movement, believed to have started sometime in the last 72 hours. They need every alert involving the affected subnet, filtered to the relevant time window, with network-type sources prioritized. In a dataset of 200,000 alerts, finding those needles manually is not a realistic option. A search system that returns the right results in under a second is.
The Advanced Alert Filtering & Search system delivers fast query performance across large alert datasets while maintaining high relevance accuracy. Security analysts can discover critical intelligence faster than any manual review process, whether they are threat hunting, responding to an active incident, or preparing for a compliance examination. Powerful multi-criteria filtering, full-text search, and query optimisation combine to make massive alert volumes navigable for analysts at every skill level.
## Key Features

### Multi-Criteria Filtering
- 20+ filterable attributes including severity, status, source type, entity identifiers, date ranges, and assigned analyst
- Compound filters combine multiple criteria with AND/OR logic
- Nested filter groups support complex investigative queries that would be impractical to build manually
- Range filters for numeric and date fields with configurable boundaries
- Null and existence checks for fields with optional data
### Full-Text Search
- Content search spans all alert fields including titles, descriptions, and enrichment data
- Relevance ranking surfaces the most pertinent results first, not just the most recent
- Highlighted search terms in results for quick visual identification
- Phrase matching and proximity search for precise investigative queries
- Fuzzy matching handles misspellings and partial identifiers
### Query Builder
- Visual query builder enables construction of complex filters without query syntax knowledge
- Drag-and-drop condition arrangement for intuitive query design
- Real-time result preview shows the matching count as conditions are added
- Query validation catches invalid condition combinations before execution, so analysts do not wait on queries that cannot run
- Export and share queries across team members for collaborative investigations
### Saved Filter Presets
- Save frequently used filter combinations as named presets for one-click reuse
- Team-shared presets cover common investigation patterns across the SOC
- Quick-access preset bar applies filters instantly without rebuilding them
- Preset versioning maintains history as search patterns evolve
- Preset analytics show usage frequency, helping teams understand which investigations recur most
### Search Suggestions
- Real-time suggestions appear as analysts type search terms
- Recently used search terms and filter combinations surface automatically
- Popular team searches highlight common investigative patterns
- Entity auto-completion for known identifiers reduces input errors
- Related search suggestions based on current query context guide analysts toward adjacent findings
## Use Cases

### Threat Hunting
Threat hunters use complex boolean queries to search for indicators of compromise across the alert population, combining entity identifiers, temporal ranges, and behavioural attributes to discover hidden threats that no single rule would catch.
### Incident Investigation
Incident responders filter alerts related to an active incident by entity, time window, and source type in seconds. A comprehensive picture of the attack scope emerges far faster than any manual review would allow.
### Compliance Review
Compliance investigators filter alert populations by regulatory category, disposition status, and review period to prepare for regulatory examinations and identify coverage gaps before examiners arrive.
### Trend Analysis
Security leadership uses saved filter presets to monitor alert volume trends by category, source, and severity over time, identifying emerging patterns that call for resource allocation or process changes.
### Cross-Investigation Correlation
Analysts search across alerts using shared indicators to find connections between separate investigations, uncovering relationships that would remain invisible inside isolated alert queues.
## Integration

### Connected Systems
- SIEM Platforms: Search results can be cross-referenced with SIEM data for deeper analysis
- BI Tools: Export filtered datasets for custom visualisation and trend analysis
- Threat Intelligence: IOC-based search queries draw on threat feed data for enriched results
- Case Management: Search results link directly to investigation cases for seamless workflow
### Access Controls
- Role-based search permissions ensure analysts see only authorized alert data
- Audit logging tracks all search queries for compliance and governance
- Saved presets respect team-based visibility controls
### Open Standards
- GraphQL (June 2018 specification): the entire alert search and filter API is exposed as a typed GraphQL schema, with queries, mutations, and paginated connections defined using the Strawberry framework.
- JSON Web Token (RFC 7519) and Bearer Token Usage (RFC 6750): all search and filter operations require a valid RS256 JWKS-backed JWT presented as a Bearer token; the middleware rejects any unauthenticated or incorrectly signed request.
- OAuth 2.0 (RFC 6749): the token issuance framework underlying the Bearer credentials presented to search and filter endpoints, providing the authorisation grant model for analyst and service-to-service access.
- ISO 8601 date and time format: all date-range filter boundaries, result timestamps, and job-log entries are expressed as ISO 8601 UTC strings, ensuring interoperability with any conformant client or export consumer.
- SQL full-text search (ISO/IEC 9075, BM25-style ts_rank): alert content is indexed as a PostgreSQL `tsvector` and queried with `plainto_tsquery` plus `ts_rank` scoring, implementing the SQL standard full-text retrieval model with BM25-equivalent relevance ranking.
- Role-Based Access Control (NIST SP 800-207 aligned RBAC): every search query and mutation resolver enforces ontology-level permission checks against a structured role hierarchy, scoping results strictly to the authenticated analyst's authorised tenant and object types.
- JSON (ECMA-404 / RFC 8259): all filter condition inputs, query builder payloads, and search result documents are serialised as JSON, enabling straightforward integration with SIEM platforms, BI tools, and case management systems.
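As an added illustration (not the product's own code), the following Python compiles the kind of nested AND/OR filter group described under Multi-Criteria Filtering into a parameterised PostgreSQL query using the `tsvector`/`plainto_tsquery`/`ts_rank` model listed above, with tenant scoping applied unconditionally. The `alerts` table, its column names, the `search_vector` column and the JSON filter shape are assumptions, and the sample filter is constructed.

```python
from __future__ import annotations
from typing import Any

# Hypothetical allow-list of searchable columns (assumed, not the product's schema).
FIELDS = {"severity", "status", "source_type", "entity_id", "created_at", "assigned_to"}
OPS = {"eq": "=", "neq": "<>", "gt": ">", "gte": ">=", "lt": "<", "lte": "<="}

def compile_condition(cond: dict[str, Any], params: list[Any]) -> str:
    # One leaf condition -> SQL fragment. Values only ever become bind parameters;
    # field names must be allow-listed, so user input never reaches the SQL text.
    field, op = cond["field"], cond["op"]
    if field not in FIELDS:
        raise ValueError(f"field not searchable: {field!r}")
    if op in ("is_null", "exists"):  # null / existence checks for optional fields
        return f"{field} IS {'NULL' if op == 'is_null' else 'NOT NULL'}"
    if op == "between":  # range filter for numeric or ISO 8601 date fields
        params.extend(cond["value"])
        return f"{field} BETWEEN %s AND %s"
    if op in OPS:
        params.append(cond["value"])
        return f"{field} {OPS[op]} %s"
    raise ValueError(f"unsupported operator: {op!r}")

def compile_group(group: dict[str, Any], params: list[Any]) -> str:
    # Nested group {"logic": "and"|"or", "conditions": [...]} -> parenthesised SQL.
    logic = group.get("logic", "and").upper()
    if logic not in ("AND", "OR"):
        raise ValueError(f"bad logic: {logic!r}")
    parts = [compile_group(c, params) if "conditions" in c else compile_condition(c, params)
             for c in group["conditions"]]
    return "(" + f" {logic} ".join(parts) + ")" if parts else "TRUE"

def build_query(tenant_id: str, group: dict[str, Any], text: str | None = None):
    # Tenant scoping is applied first and always; a full-text term adds ts_rank ordering.
    where_params: list[Any] = [tenant_id]
    clauses = ["tenant_id = %s", compile_group(group, where_params)]
    select, select_params, order = "SELECT id, title, severity", [], "created_at DESC"
    if text:
        select += ", ts_rank(search_vector, plainto_tsquery('english', %s)) AS rank"
        select_params.append(text)
        clauses.append("search_vector @@ plainto_tsquery('english', %s)")
        where_params.append(text)
        order = "rank DESC, created_at DESC"
    sql = f"{select} FROM alerts WHERE {' AND '.join(clauses)} ORDER BY {order} LIMIT 100"
    return sql, select_params + where_params  # placeholder order matches parameter order

# Constructed sample: a 72-hour incident window, network-sourced or high-severity, unassigned.
SAMPLE_FILTER = {"logic": "and", "conditions": [
    {"field": "created_at", "op": "between", "value": ["2026-02-20T07:00:00Z", "2026-02-23T07:00:00Z"]},
    {"logic": "or", "conditions": [{"field": "source_type", "op": "eq", "value": "network"},
                                   {"field": "severity", "op": "gte", "value": 4}]},
    {"field": "assigned_to", "op": "is_null"}]}
```

Passing the returned `(sql, params)` pair to a DB-API cursor keeps every analyst-supplied value out of the query text, which is the property that makes a filter API of this kind safe to expose over GraphQL.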
Last Reviewed: 2026-02-23
Last Updated: 2026-04-14