Adding queries to an investigation

You can add one or more queries to an investigation.

To add a query to an investigation:

Go to Investigations and click an investigation the list.
Click Add Query. The Add a New Query page opens.

Configure the query settings.

Name	Enter a name for the query.
Select Saved Query	Click to base the new query on a saved query.
Query	Enter the query string.
Actions	Options are: Bulk Add Indicators Create a Detection
Sort by timestamp	Select Ascending or Descending.
Last 7 Days	Use the date picker to update the date range and click Apply.
Retrieve up to xxx rows	Select between 100 to 10,000 rows.
Enable Facets	Select to return the panel that allows narrowing the search. This may make the query longer to complete. For more information, see Facet Search.

Add a query with facets

Click Add Query.
(Optional) To add another query to the investigation, click Add Query.

To rename a query:

From the Investigation Detail page, locate the query you want to rename.
Click the Actions menu on the right side of the page and select Rename.
Enter the name in the Query name field.
Click Rename.

To clone a query:

You can clone a query in a closed investigation. However, the cloned query must be added to a different investigation.

Click Investigations.
Click the investigation that contains the query you want to clone.
Click the Actions menu on the right side of the page and select Clone. The Add Query to Investigation dialog opens.
Configure the query settings.

Create a new investigation or save the query to an existing investigation.

Create a New Investigation

Enter an Investigation Name and Description.

Add to Existing Investigation

From the Choose Investigation dropdown, select an investigation.

By default the cloned query is added to current investigation.

Run a Private Query

Select this option to add a query to an adhoc search.

Clone Query Pop Up updated

Click Add Query.

To delete a query:

Click Investigations.
Click the investigation that contains the query you want to delete.
Click the Actions menu on the right side of the page and select Delete. The Delete Query dialog opens.
Click Confirm.

To save a query:

Click Investigations.
Click the investigation that contains the query you want to save.
Click the Actions menu on the right side of the page and select Save. The Save Query dialog opens.
Enter a Query Name and Description.
Click Save.

Adding queries to an investigation

You can add one or more queries to an investigation.

To add a query to an investigation:

Go to Investigations and click an investigation the list.

Click Add Query. The Add a New Query page opens.

Configure the query settings.

Name	Enter a name for the query.
Select Saved Query	Click to base the new query on a saved query.
Query	Enter the query string.
Actions	Options are: Bulk Add Indicators Create a Detection
Sort by timestamp	Select Ascending or Descending.
Last 7 Days	Use the date picker to update the date range and click Apply.
Retrieve up to xxx rows	Select between 100 to 10,000 rows.
Enable Facets	Select to return the panel that allows narrowing the search. This may make the query longer to complete. For more information, see Facet Search.

Add a query with facets

Click Add Query.

(Optional) To add another query to the investigation, click Add Query.

To rename a query:

From the Investigation Detail page, locate the query you want to rename.

Click the Actions menu on the right side of the page and select Rename.

Enter the name in the Query name field.

Rename an existing query

Click Rename.

To clone a query:

You can clone a query in a closed investigation. However, the cloned query must be added to a different investigation.

Click Investigations.

Click the investigation that contains the query you want to clone.

Click the Actions menu on the right side of the page and select Clone. The Add Query to Investigation dialog opens.

Configure the query settings.

Create a new investigation or save the query to an existing investigation.

Create a New Investigation

Enter an Investigation Name and Description.

Add to Existing Investigation

From the Choose Investigation dropdown, select an investigation.

By default the cloned query is added to current investigation.

Run a Private Query

Select this option to add a query to an adhoc search.

Clone Query Pop Up updated

Click Add Query.

To delete a query:

Click Investigations.

Click the investigation that contains the query you want to delete.

Click the Actions menu on the right side of the page and select Delete. The Delete Query dialog opens.

Click Confirm.

To save a query:

Click Investigations.

Click the investigation that contains the query you want to save.

Click the Actions menu on the right side of the page and select Save. The Save Query dialog opens.

Enter a Query Name and Description.

Click Save.

User Guide

Adding queries to an investigation

Adding queries to an investigation

To add a query to an investigation:

To rename a query:

To clone a query:

To delete a query:

To save a query:

Adding queries to an investigation

To add a query to an investigation:

To rename a query:

To clone a query:

To delete a query:

To save a query: