Documentation forSecurity Event Manager

Search query tags and thresholds

SEM 2022.4 enables you to apply tags to queries so they can be grouped for use with the Scheduled Query Severity and Scheduled Query Table Severity widgets on the SEM dashboard. For example you could apply the End User Monitoring tag to all queries relating to End User Monitoring.

To apply tags to a query:

  1. From the Historical Events screen, select Queries.
  2. Open the appropriate query category and select the required query.
  3. From the Options drop-down menu in the top right corner, select Edit saved query.

    The Edit screen for the query is displayed.

  4. Click Add tag and select the required tag or tags to apply to this query. Tags applied to the query are displayed above the Add tags link.

Once you have selected a tag or tags, you can specify the thresholds that determine whether event search results are shown as Critical, Warning or OK on the dashboard widgets.

Thresholds

You can apply threshold values to search queries to set the number of occurrences per evaluation (that is, when the query was last run) that result in an event query result being deemed critical, warning or OK severity.

Once you have set up tags and thresholds for a query, you can use this data to set up widgets on the SEM dashboard.

Widgets

The scheduled query widgets are created and customized in the same way as other SEM Dashboard widgets.

The Scheduled Query Table Severity widget

The following widget has been customized to list all search queries that have returned one or more event within the most recent evaluation. It shows the number of occurences and the time the query was last run.

The Scheduled Query Severity widget

Click on the red, yellow or green area of the query severity widget to display the corresponding query on the Historical Events page. If more than one query is tagged, the Manage Saved queries window will be displayed listing all the queries to which this severity level applies.