Investigation - Query Dialog

Document created by RSA Information Design and Development on May 5, 2016Last modified by Susan Ewald on May 5, 2016
Version 4Show Document
  • View in full screen mode
 

In the Investigation > Navigate view or Events view, you can create a query rather than clicking through the meta keys and values to drill down into the meta data. The dialogs for creating a query offer syntax help with drop-down lists of applicable meta keys and operators. Related procedures are available in Query Data in Navigate View.

To access this dialog:

  1. In the Security Analytics menu, select Investigation > Navigate or Events. Both views provide access to the Query dialog.
    The Investigate dialog is displayed.
  2. Select a service, then click Navigate.
  3. In the toolbar, select Query.
    The Query dialog is displayed.
    QueryDDSimple.png

Features

The Query dialog has three views:

  • Simple
  • Advanced
  • Recent

In the Simple view, you can create a query using the options displayed in the dialog. In the Advanced view, you can create a query without guidance. In the Recent view, you can select a query from a drop-down list of recent queries.

Simple View

QueryDDSimple.png

Advanced View

QueryDDAdv.png

Recent View

QryDDRecent.png

The following table describes of theQuery dialogs.

                                                    
FeatureDescription
Select MetaDisplays a drop-down list of meta groups.
OperatorDisplays a drop-down list of operators (=, !=, exists, !exists)
ValueAllows you to enter a value to complete the query.
NetworkLimits the query to packets if Log is not selected.
LogLimits the query to logs if Network is not selected.
Query boxAllows you to enter a query in the Advanced view. When you begin typing, a drop-down list of available meta keys for the service is displayed, then a drop-down of operators is displayed as you type. If the expression currently entered in the query box is invalid, a warning appears near the box. When the query is valid, the warning is removed.
Query listAllows you to select a query from a list of recent queries in the Recent view. Double-clicking a query automatically applies it.
ApplyApplies the new query to the current Investigation view.

Cancel

Closes the dialog without applying changes.

ResetResets all fields.

 

You are here: Investigation Reference Materials > Query Dialog

Attachments

    Outcomes