Documentation for Security Event Manager

Manage and load saved search queries

Historical event queries can be divided into four categories:

Favorites: Queries that have been created in other categories but marked as favorites appear here. See Manage search queries below for more information.

User-created: These are queries that have been created by the current user for their own use and have not been made accessible or editable by other users. By default, all queries that you create are only visible to, and usable by, you. However, you can share queries, and also make them editable if required. See Manage search queries below for more information.

Predefined: These are a set of the most commonly required queries set up in advance.

Public: Queries that have been made public can be used by any SEM user on your system. If followed by the Use Only icon, a query can be used but cannot be edited. (However, it can be copied and the copy can be edited.) If followed by the Editable icon, the query can be edited, renamed and saved. Once a query has been made editable, it cannot be made non-editable or made private again.

To access queries:

  1. Navigate to the Historical Events page.
  2. Select the Queries tab in the left column.
  3. Click on the required query type.

     If a query has a clock icon after its name, then it has a schedule running.

  4. Click a query to load it.

Manage search queries

Search queries can be managed individually by moving the cursor over the query name and clicking the vertical ellipsis icon that is displayed, as shown below:

The available options are mostly self-explanatory:

  • Click Schedule this query to open the Schedule window for this query. A scheduled query can be unscheduled.
  • Click Rename to change the name of a query. Note that you cannot rename a Public query if it has a Use Only icon next to it; in that case the option is not displayed.
  • Click Create Copy to create an identical copy of a query prefixed with "Copy of". This copy is placed in the User-Created category.
  • Click Sharing options if you want to make a query public, that is, usable by other SEM users on your network. You can specify whether you want other SEM users to be able to edit this query (in which case it is marked with the Editable icon) or whether they are only allowed to use the query exactly as it is (indicated by the Use Only icon).

  • Click Export to export this query as a JSON file. To export more than one query, see Import and export queries for information.
  • Click Favorite to highlight this query with a star icon and place it in the Favorites category.
  • Click the Manage queries option to open the Manage Saved queries window. This allows you to perform the above options on multiple queries by searching, sorting and selecting them. You can also import and export filtered queries from this window.

    In this window, schedules (if created) and query timeframes are displayed.

    The Manage Saved queries window is also available by clicking the gear icon at the top of the queries list.

Load queries

When you load a query, its name is displayed in the upper left and the query is displayed in the search query builder box.

If there is a clock icon after the name, this indicates that the query has a schedule. Move the cursor over this icon to display the schedule details.

If you make any changes to a saved search query, this is indicated by the icon after the name. Click this icon if you want to revert to the original query.

You can now save this updated search query as either a new query with a new name or update the existing query.

Click the Unload Current Query icon if you do not want to use the loaded query. Note that the contents of the search query builder box are not automatically cleared by this action.