Global Search

DFIRe provides a powerful full-text search that spans cases, evidence items, files, entities, projects, notes, and IOC indicators. Access it from the search icon in the header bar or navigate to the dedicated search page.

Searching

To perform a search, type your query in the search box and press Enter. DFIRe will return results ranked by relevance with keyword highlighting so you can quickly identify the most pertinent matches.

Search matches against a wide range of content fields, including:

  • Titles - Case titles, evidence item names, project names, and entity names
  • Descriptions - Case descriptions, item descriptions, and project descriptions
  • Content - Note content, report text, and other rich-text fields
  • Metadata - Case numbers, file names, hash values, and other identifying metadata
  • Custom fields - Any custom field values defined by your case type schema

Each result displays the object type (Case, Item, File, Entity, Project, Note, or Indicator), the title, an excerpt with highlighted matches, the date, and a relevance level indicator.

Filtering Results

After performing a search, you can narrow down the results using the category filter buttons displayed above the result list:

  • All - Show all matching results across every category
  • Case - Show only matching cases
  • Item - Show only matching evidence items
  • File - Show only matching file attachments
  • Entity - Show only matching persons and organizations
  • Project - Show only matching projects
  • Note - Show only matching notes
  • Indicator - Show only matching IOC indicators (values, tags, public notes)

Each filter button displays the count of matches in that category, making it easy to see at a glance where your search terms appear most frequently. Click a category button to narrow the results to that type only.

Search Tips

Click the "Search Tips" link on the search page for a quick reference on search syntax and behavior. Here are the key points to keep in mind:

  • Case-insensitive - Search queries are case-insensitive, so "Malware", "malware", and "MALWARE" all return the same results
  • AND logic - When you enter multiple words, all words must be present in a result for it to match (AND logic)
  • Permission-aware - Results respect your access permissions. You only see results from cases you are assigned to, unless you have the global view permission (core.view_all_cases)
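The three rules above can be modelled in a few lines and used as a test oracle when checking that an account without core.view_all_cases sees no hits from unassigned cases. This is an added example, not DFIRe code; the record layout, whole-word tokenization, user dictionaries and function names are assumptions.

```python
import re
from collections import Counter

VIEW_ALL = "core.view_all_cases"  # permission name as given on this page

# Constructed sample index; the field names and layout are assumptions.
INDEX = [
    {"type": "Case", "case": 1, "title": "Malware outbreak",
     "text": "Ransomware on finance hosts"},
    {"type": "Note", "case": 1, "title": "Triage",
     "text": "MALWARE sample hashed and stored"},
    {"type": "Indicator", "case": 2, "title": "evil.example",
     "text": "malware C2 domain"},
    {"type": "File", "case": 2, "title": "dropper.bin",
     "text": "Malware dropper sample"},
]

def tokens(s):
    # Case-insensitive matching: fold case before splitting into words.
    return set(re.findall(r"\w+", s.casefold()))

def visible(record, user):
    # Permission-aware: assigned cases only, unless the user has global view.
    return VIEW_ALL in user["perms"] or record["case"] in user["cases"]

def search(query, user, category="All"):
    terms = tokens(query)
    if not terms:
        return [], Counter()
    # AND logic: every query word must occur in the record.
    hits = [r for r in INDEX
            if visible(r, user) and terms <= tokens(r["title"] + " " + r["text"])]
    # Assumption: category counts come from the permission-filtered set, so a
    # count never reveals a match the user may not open. The page states only
    # that results respect permissions.
    counts = Counter(r["type"] for r in hits)
    counts["All"] = len(hits)
    shown = hits if category == "All" else [r for r in hits if r["type"] == category]
    return shown, counts

if __name__ == "__main__":
    analyst = {"cases": {1}, "perms": set()}
    lead = {"cases": set(), "perms": {VIEW_ALL}}
    for who in (analyst, lead):
        shown, counts = search("MALWARE sample", who)
        print([r["title"] for r in shown], dict(counts))
```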

Search indexes are updated in real time as content changes. When a case, item, note, or other object is created or modified, it becomes searchable immediately, with no manual reindexing.