Investigation: Query Dialog

Document created by RSA Information Design and Development on Jul 28, 2016
Version 1

In the Investigation > Navigate view or Events view, you can create a query rather than clicking through the meta keys and values to drill down into the meta data. The dialogs for creating a query offer syntax help with drop-down lists of applicable meta keys and operators. Related procedures are available in Query Data in Navigate View.

To access this dialog:

  1. In the Security Analytics menu, select Investigation > Navigate or Events. Both views provide access to the Query dialog.
    The Investigate dialog is displayed.
  2. Select a service, then click Navigate.
  3. In the toolbar, select Query.
    The Query dialog is displayed.


The Query dialog has three views:

  • Simple
  • Advanced
  • Recent

In the Simple view, you can create a query using the options displayed in the dialog. In the Advanced view, you can create a query without guidance. In the Recent view, you can select a query from a drop-down list of recent queries.

The following table describes the buttons at the bottom of the Query dialog.

Button    Description
Apply     Applies the new query.
Cancel    Closes the dialog without applying changes.
Reset     Resets all fields.

Simple View


The following table describes the features of the Simple view.

Feature        Description
Select Meta    Displays a drop-down list of meta groups.
Operator       Displays a drop-down list of operators (=, !=, exists, !exists).
Value          Allows you to enter a value to complete the query.
Network        Limits the query to packets if Log is not selected.
Log            Limits the query to logs if Network is not selected.

Advanced View


The following table describes the features of the Advanced view.

Feature      Description
Query box    Allows you to enter a query. When you begin typing, a drop-down list of available meta keys for the service is displayed, then a drop-down of operators is displayed as you type. If the expression currently entered in the query box is invalid, a warning appears near the box. When the query is valid, the warning is removed.

Recent View


The following table describes the features of the Recent view.

Feature       Description
Query list    Allows you to select a query from a list of recent queries. Double-clicking a query will automatically apply it.