Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    2024.7.0
    2024.10.0
    2024.9.0
    2024.7.0

    Adding queries to an investigation

    Adding queries to an investigation

    You can add one or more queries to an investigation.

    To add a query to an investigation:
    1. Go to Investigations and click an investigation the list.
    2. Click Add Query. The Add a New Query page opens.
    3. Configure the query settings.

      NameEnter a name for the query.
      Select Saved QueryClick to base the new query on a saved query.
      QueryEnter the query string.
      Actions

      Options are:

      • Bulk Add Indicators

      • Create a Detection

      Sort by timestampSelect Ascending or Descending.
      Last 7 DaysUse the date picker to update the date range and click Apply.
      Retrieve up to xxx rowsSelect between 100 to 10,000 rows.
      Enable Facets

      Select to return the panel that allows narrowing the search. This may make the query longer to complete. For more information, see Facet Search.

      Add a query with facets

    4. Click Add Query.
    5. (Optional) To add another query to the investigation, click Add Query.
    To rename a query:

    1. From the Investigation Detail page, locate the query you want to rename.

    2. Click the Actions menu on the right side of the page and select Rename.

    3. Enter the name in the Query name field.

      Rename an existing query

    4. Click Rename.

    To clone a query:
    Note

    You can clone a query in a closed investigation. However, the cloned query must be added to a different investigation.

    1. Click Investigations.

    2. Click the investigation that contains the query you want to clone.

    3. Click the Actions menu on the right side of the page and select Clone. The Add Query to Investigation dialog opens.

    4. Configure the query settings.

    5. Create a new investigation or save the query to an existing investigation.

      Create a New Investigation

      Enter an Investigation Name and Description.

      Add to Existing Investigation

      From the Choose Investigation dropdown, select an investigation.

      By default the cloned query is added to current investigation.

      Run a Private Query

      Select this option to add a query to an adhoc search.

      6. Clone Query Pop Up updated

    6. Click Add Query.

    To delete a query:

    1. Click Investigations.

    2. Click the investigation that contains the query you want to delete.

    3. Click the Actions menu on the right side of the page and select Delete. The Delete Query dialog opens.

    4. Click Confirm.

    To save a query:

    1. Click Investigations.

    2. Click the investigation that contains the query you want to save.

    3. Click the Actions menu on the right side of the page and select Save. The Save Query dialog opens.

    4. Enter a Query Name and Description.

    5. Click Save.

    Previous
    Next

    Adding queries to an investigation

    Adding queries to an investigation

    You can add one or more queries to an investigation.

    To add a query to an investigation:
    1. Go to Investigations and click an investigation the list.
    2. Click Add Query. The Add a New Query page opens.
    3. Configure the query settings.

      NameEnter a name for the query.
      Select Saved QueryClick to base the new query on a saved query.
      QueryEnter the query string.
      Actions

      Options are:

      • Bulk Add Indicators

      • Create a Detection

      Sort by timestampSelect Ascending or Descending.
      Last 7 DaysUse the date picker to update the date range and click Apply.
      Retrieve up to xxx rowsSelect between 100 to 10,000 rows.
      Enable Facets

      Select to return the panel that allows narrowing the search. This may make the query longer to complete. For more information, see Facet Search.

      Add a query with facets

    4. Click Add Query.
    5. (Optional) To add another query to the investigation, click Add Query.
    To rename a query:

    1. From the Investigation Detail page, locate the query you want to rename.

    2. Click the Actions menu on the right side of the page and select Rename.

    3. Enter the name in the Query name field.

      Rename an existing query

    4. Click Rename.

    To clone a query:
    Note

    You can clone a query in a closed investigation. However, the cloned query must be added to a different investigation.

    1. Click Investigations.

    2. Click the investigation that contains the query you want to clone.

    3. Click the Actions menu on the right side of the page and select Clone. The Add Query to Investigation dialog opens.

    4. Configure the query settings.

    5. Create a new investigation or save the query to an existing investigation.

      Create a New Investigation

      Enter an Investigation Name and Description.

      Add to Existing Investigation

      From the Choose Investigation dropdown, select an investigation.

      By default the cloned query is added to current investigation.

      Run a Private Query

      Select this option to add a query to an adhoc search.

      6. Clone Query Pop Up updated

    6. Click Add Query.

    To delete a query:

    1. Click Investigations.

    2. Click the investigation that contains the query you want to delete.

    3. Click the Actions menu on the right side of the page and select Delete. The Delete Query dialog opens.

    4. Click Confirm.

    To save a query:

    1. Click Investigations.

    2. Click the investigation that contains the query you want to save.

    3. Click the Actions menu on the right side of the page and select Save. The Save Query dialog opens.

    4. Enter a Query Name and Description.

    5. Click Save.

    Previous
    Next