Add info on regular expressions (#4924)

Author: jpipkin1

docs/cse/administration/create-custom-threat-intel-source.md

@@ -12,7 +12,7 @@ This topic has information about setting up a *custom threat intelligence source
 
 You can set up and populate custom threat intelligence sources interactively from the Cloud SIEM UI, by uploading a .csv file, or using Cloud SIEM APIs. You can populate the sources with IP addresses, hostnames, URLs, email addresses, and file hashes.
 
-### How Cloud SIEM uses indicators
+## How Cloud SIEM uses indicators
 
 When Cloud SIEM encounters an indicator from your threat source in an incoming
 record it adds relevant information to the record. Because threat intelligence
@@ -24,7 +24,7 @@ this way.
 Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the
 *About Cloud SIEM Rules* topic.
 
-### Create a threat intelligence source from Cloud SIEM UI
+## Create a threat intelligence source from Cloud SIEM UI
 
 1.  [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Threat Intelligence**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.  
 1. Click **Add Source** on the **Threat Intelligence** page. 
@@ -34,6 +34,8 @@ Rule authors can also write rules that look for threat intelligence information
 
 Your new source should now appear on the **Threat Intelligence** page.
 
+## Add threat indicators
+
 ### Enter indicators manually
 
 1. On the **Threat Intelligence** page, click the name of the source you want to update.  
@@ -87,5 +89,10 @@ value,description,expires,active
 
 ### Manage sources and indicators using APIs
 
-You can use Cloud SIEM threat intelligence APIs to create and manage indicators and custom threat sources. For information about Cloud SIEM APIs and how to access the API documentation, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis/).  
- 
+You can use Cloud SIEM threat intelligence APIs to create and manage indicators and custom threat sources. For information about Cloud SIEM APIs and how to access the API documentation, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis/).
+
+## Search indicators
+
+To search threat indicators, click the **Search All Indicators** button at the top of the **Threat Intelligence** page. 
+
+You can search using the same functionality available for other Cloud SIEM searches, including regular expressions. For more information, see [Filter and Search Cloud SIEM List Pages](/docs/cse/administration/filter-search).

docs/cse/administration/filter-search.md

@@ -11,18 +11,20 @@ keywords:
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-You can filter and search the list pages in Cloud SIEM—**Insights**, **Signals**, **Entities**, **Records**, **Rules**, and **Network Blocks**—using the **Filters** bar near the top of the page.
+## Search in Cloud SIEM
 
-<img src={useBaseUrl('img/cse/list-page-search.png')} alt="Filters box at the top of the page " width="500" />
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Cloud SIEM**.<br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Search Cloud SIEM**. You can also click the **Go To...** menu at the top of the screen and select **Search Cloud SIEM**. 
+1. Click in the **Find Insights, Signals, Entities and more...** search bar at the top of the page.<br/><img src={useBaseUrl('img/cse/list-page-search.png')} alt="Search box at the top of the page" width="400" />
+1. Enter text to search.
+1. To filter, click the filter icon <img src={useBaseUrl('img/cse/filter-icon.png')} alt="Filter icon" width="20" /> on the right side of the search box.
+1. Select a source to filter on. <br/><img src={useBaseUrl('img/cse/search-sources.png')} alt="Search sources" width="250" />
+1. A dropdown list of filters appears for that source. Select a field to filter on, or pick a suggestion.<br/><img src={useBaseUrl('img/cse/filter-options.png')} alt="List of fields to filter on" width="400"/>
+1. Continue to select options to filter on from the options presented.
 
-## Filter items
-When you click in the **Filters** bar, a dropdown list of filters appears. After you select a filter you’ll be presented with a dialog so you can specify your filtering criteria.
+## Search using regular expressions
 
-<img src={useBaseUrl('img/cse/filter-options.png')} alt="List of fields to filter on" width="250"/>
+You also enter a search string or regex in the search bar, and press Return to run a search. Note that Cloud SIEM's regular expression engine will return items that contain text matching the complete string. The engine implicitly adds anchors  (`^` and `$`) to the beginning and end of your regex.
 
-## Search items
-You also enter a search string or regex in the **Filter** bar, and press Return to run a search. Note that Cloud SIEM's regular expression engine will return items that contain text matching the complete string. The engine implicitly adds anchors  (`^` and `$`) to the beginning and end of your regex.
+Cloud SIEM search uses Elasticsearch. For regular expressions allowed for use in Cloud SIEM search, see [Regular expression syntax](https://www.elastic.co/guide/en/elasticsearch/reference/current/regexp-syntax.html) in the Elastic documentation.
 
-You can use `not` to search for items that do not contain a particular keyword, for example:
-
-`not:Initial Access`  
+You can use `not` to search for items that do not contain a particular keyword, for example: `not:Initial Access`