
Investigate: Use Query Profiles to Encapsulate Common Areas for Investigation

Document created by RSA Information Design and Development Employee on Sep 18, 2017. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.

Query profiles offer a quick and easy way to define a meta group, column group, and a limiting filter (pre-query condition) that you can apply in the Navigate view, the Events view, and the Legacy Events view. The same query profiles are shared between all views, and they are available in the Springboard (Version 11.5) for use in panels. Private query profiles created in the Events view are only available in the Events view for the analyst who created them.

Each query profile specifies a meta group, column group, and sometimes includes a pre-query condition appropriate for the type of investigation.

In a query profile:

Built-In Query Profiles

You cannot edit or delete built-in profiles, but you can copy an existing profile and edit the copy in the Navigate view, the Legacy Events view, or the Events view. In the Navigate view, the built-in profile names begin with the RSA prefix and are grouped under Default Profiles. The Events view does not support grouping of query profiles. This figure is an example of a built-in query profile as listed in the Query Profiles menu.

example of a built-in query profile

NetWitness Platform has these built-in profiles:

  • RSA Email Analysis
  • RSA Endpoint Analysis
  • RSA File Analysis
  • RSA Threat Analysis
  • RSA User & Entity Behavior Analysis
  • RSA Web Analysis

Built-in query profiles make it easy for you to query a specific area of interest; for example, selecting the built-in RSA Email Analysis query profile automatically specifies the meta group, column group, and pre-query conditions that are most useful for investigating email activity. As you become familiar with the meta keys, you can create your own custom query profiles.

Custom Query Profiles

Custom query profiles are shared globally within your organization in Version 11.4. In Version 11.5 and later, you can create shared query profiles as before, and can also create private query profiles. If you edit a shared custom query profile, your changes are applied globally. If you delete a shared custom query profile, the profile is deleted and no longer available for all analysts.

Note: If a Springboard panel is using a query profile as a filter, the profile can be edited, but cannot be deleted in the Events view. However, nothing prevents deletion of the profile in the Navigate view or the Legacy Events view. In this case, Springboard panels that use the deleted query profile as a filter continue to work, but the filter is removed and unexpected results may be displayed in the panel. Refer to "Managing the Springboard" in the NetWitness Platform Getting Started Guide for details.

When you create a query profile in Version 11.5, you can choose to share it or you can keep it private (default); you cannot change a shared profile to private or a private profile to shared. Private query profiles are not visible or usable in the Navigate view, the Legacy Events view, or the Springboard. Icons identify the profile type in the Query Profile menu. These are examples of a shared and a private custom query profile as listed in the Query Profile menu, with the edit icon displayed at the end of the row.

a private custom profile
a shared custom profile

Dialogs for Managing Query Profiles

The profiles are listed in alphabetical order in the Query Profiles menu in a way that makes built-in profiles distinguishable from custom profiles that you imported or created. While the functionality for managing query profiles is similar in the Navigate view, the Legacy Events view, and the Events view, the dialogs are different. The following figure illustrates the Query Profiles menu in the Version 11.5 Events view. This menu lists the same profiles that are available in the Navigate view and the Legacy Events view. You can create, copy, edit, delete, and apply profiles. You can filter the list of profiles using the filtering buttons (Private, Shared, and RSA) at the top to display any combination of private, shared, and built-in query profiles.

the Query Profiles menu

This is an example of the Manage Profiles dialog in the Navigate and Legacy Events views.

the Manage Profiles dialog showing several Profile Groups (Version 11.2 and later)

Note: Query profiles are available in the Navigate view, the Legacy Events view, and the Events view; in Version 11.4.1 and earlier, they are shared globally across users. If one user modifies or deletes a custom query profile, it affects what is available to the other users. In the Events view, use the Query Profiles menu to work with profiles. In the Navigate or Legacy Events view toolbar, select Profile > Manage Profiles to open the Manage Profiles dialog. In Version 11.5, custom profiles can be shared globally, but private custom profiles created in the Events view are not available in the Navigate view or the Legacy Events view.

From the Query Profiles menu (11.4 and later Events view):

  • You can apply a query profile and use options in the menu to create (Create Query Profile dialog), copy, edit, and delete (Query Profile Details dialog) custom query profiles.
  • Selecting a profile applies the meta group, column group, and pre-query condition, and these are visible in the Meta Group menu title, Column Group menu title, and the query bar.
  • In Version 11.4, the Events view does not use meta groups or profile groups defined in other views. Version 11.5 allows you to use meta groups and to create private custom query profiles, in addition to the previously available shared custom query profiles.
  • If a query profile created in the Legacy Events view uses the Log View, Detail View, or List View instead of a column group, the same profile in the Events view uses the Summary List column group.

From the Manage Profiles dialog (Navigate view and Legacy Events view):

  • You can configure, add, delete, import, and export profiles and profile groups.
  • You can organize your custom query profiles in profile groups (Version 11.2 and later). When upgrading to Version 11.4 from an earlier version, only profile groups that contain profiles are imported. The built-in query profiles are in the Default Profiles group, which cannot be edited. Analysts can create new query profile groups, which anyone can use.
  • After creating profiles, you can edit a profile group to add profiles, remove profiles, or move profiles from one group to another. When you create a profile, it is not added to any profile group by default.
  • Selecting a profile applies the meta group, column group, and pre-query condition, and the label of the Profile menu is replaced with the query profile name. The following figure illustrates the RSA Email Analysis query profile selected in the Navigate view or Legacy Events view.

    Profile Name to the right of the Query option

View Query Profile Details (Events View)

If you want to know which meta groups, column groups, and limiting filters (called pre-query conditions) define a query profile, you can view the details of the profile.

To view the details:

  1. Go to Investigate > Events and click Query Profiles in the query bar.
    The Query Profiles menu opens with a list of available profiles. The Version 11.5 menu displays a list of built-in query profiles (RSA), shared custom profiles, and your private custom profiles, with visibility options and a filter field that make it easier to find a particular query profile. The figure on the left shows the Version 11.4 menu. The figure on the right shows the Version 11.5 menu initially with all types of profiles visible: Private, Shared, and RSA.
    an example of the Query Profiles menu
    the Query Profiles menu
  2. Hover over a query profile in the list and click the information icon (the info icon) to see the meta group, column group, and pre-query conditions configured for the profile.
    This figure shows the details for the RSA Email Analysis profile, one of the built-in profiles.
    an example of the Query Profile Details for a built-in profile
  3. Do one of the following:
    1. To close the dialog, click Close.
    2. If you want to apply the profile, click Select Query Profile.
      The dialog closes. The Events list is updated to reflect the selected query profile. If the profile uses a different column group, the query is re-executed with the pre-query conditions and column group for the selected profile. If only the pre-query conditions are different, existing filters in the query bar are removed and the pre-query conditions (for example, this filter: service=24,25,109,110,995,143,220,993) are added in the query bar, but the query is not submitted. The first 15 columns in the associated column group are used in the Events list.
      1. (Optional) Create additional filters in the query bar before executing the query (see Filter Results in the Events View).
        the PreQuery in the query bar
      2. (Optional) If you want to select different columns from the associated column group before executing the query, click the settings icon above the Events list on the right.
        The Column Selection list is displayed and you can choose up to 40 columns to display (see Use Columns and Column Groups in the Events List).
        the first 15 columns automatically selected for display in the Events list

Apply a Query Profile (Events View)

When a query profile is applied, there is no indication of it in the Query Profile menu, but you can see if a column group or meta group is in effect. If pre-query conditions are applied, the filters are visible at the beginning of the query bar as shown in this figure:

the PreQuery in the query bar

Note: If you do not see enough results or the right results in the Events view, an applied profile may be limiting results with pre-query conditions.
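The note above matters in practice: a profile's pre-query condition silently narrows the result set, so an analyst who forgets that a profile is active can conclude that activity is absent when it was only filtered out. The following Python is an added example (not NetWitness code, and not an implementation of the real NetWitness query engine) that models this behaviour on constructed sample events. It assumes only the `key=value,value` comma-list form of pre-query condition shown on this page, joined by `&&`; any other NetWitness query syntax is out of scope for this illustration.

```python
# Added example: a minimal evaluator for the kind of pre-query condition a
# query profile carries, applied to constructed sample events, to show how an
# applied profile narrows the Events list and how many events it hides.
from typing import Dict, List, Set

# Constructed sample events (not real NetWitness data). "service" is the
# meta key used by the RSA Email Analysis pre-query shown on this page.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "service": 25,  "ip.src": "10.0.0.5"},
    {"id": 2, "service": 80,  "ip.src": "10.0.0.5"},
    {"id": 3, "service": 993, "ip.src": "10.0.0.9"},
    {"id": 4, "service": 443, "ip.src": "10.0.0.9"},
]

# The pre-query condition quoted on this page for the built-in email profile.
EMAIL_PREQUERY = "service=24,25,109,110,995,143,220,993"


def parse_prequery(prequery: str) -> Dict[str, Set[str]]:
    """Parse 'key=v1,v2 && key2=v3' into {key: {allowed values}}.

    Assumption: only the comma-list equality form and '&&' are supported here;
    this is a teaching subset, not the full NetWitness query grammar.
    """
    conditions: Dict[str, Set[str]] = {}
    for clause in prequery.split("&&"):
        clause = clause.strip()
        if not clause:
            continue
        if "=" not in clause:
            raise ValueError(f"unsupported clause: {clause!r}")
        key, values = clause.split("=", 1)
        conditions[key.strip()] = {v.strip() for v in values.split(",") if v.strip()}
    return conditions


def matches(event: Dict[str, object], conditions: Dict[str, Set[str]]) -> bool:
    """An event matches when every keyed condition admits the event's value."""
    for key, allowed in conditions.items():
        value = event.get(key)
        if value is None or str(value) not in allowed:
            return False
    return True


def apply_profile(events, prequery: str, analyst_filter: str = "") -> List[int]:
    """Return ids of events visible after a profile's pre-query is applied.

    Mirrors the page: the profile's pre-query condition takes effect first, and
    any filter the analyst adds afterwards only narrows the result further.
    """
    condition_sets = [parse_prequery(prequery)]
    if analyst_filter:
        condition_sets.append(parse_prequery(analyst_filter))
    return [int(e["id"]) for e in events
            if all(matches(e, c) for c in condition_sets)]


def hidden_by_profile(events, prequery: str) -> List[int]:
    """Ids of events the profile's pre-query removes from view: the ones an
    analyst will never see while that profile is active."""
    visible = set(apply_profile(events, prequery))
    return [int(e["id"]) for e in events if int(e["id"]) not in visible]


if __name__ == "__main__":
    print("visible with email profile:", apply_profile(SAMPLE_EVENTS, EMAIL_PREQUERY))
    print("hidden by email profile:  ", hidden_by_profile(SAMPLE_EVENTS, EMAIL_PREQUERY))
    print("email profile + ip.src:   ",
          apply_profile(SAMPLE_EVENTS, EMAIL_PREQUERY, "ip.src=10.0.0.9"))
```

With no profile applied (empty pre-query) all four constructed events are visible; with the email pre-query only the events on port 25 and 993 remain, and the HTTP and HTTPS events are hidden even though nothing in the query bar suggests an analyst chose to exclude them. That is the situation the note describes, and `hidden_by_profile` is the check to run when results look too thin.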

To apply a query profile:

  1. Go to Investigate > Events and click Query Profiles in the query bar.
    The Query Profiles menu opens with a list of available profiles.
    the Query Profiles menu
  2. Use the Down and Up arrow keys or the mouse to highlight a profile.
  3. Click the highlighted profile.
    The query profile settings are applied immediately. The Events list is updated to reflect the selected profile. If the profile uses a different column group, the query is re-executed with the pre-query conditions and column group for the selected profile. If only the pre-query conditions are different, existing filters in the query bar are removed and the pre-query conditions are added in the query bar. The submit query icon button becomes active so that you can resubmit the query with the new pre-query conditions. You can add more filters as usual before or after resubmitting the query.

Create or Edit a Custom Query Profile (Events View)

To create or edit a custom query profile:

  1. Go to Investigate > Events and click Query Profiles in the query bar.
    The Query Profiles menu opens with a list of available profiles. Version 11.5 (figure on the right) supports both private and shared custom profiles; Version 11.4 (figure on the left) supports only shared custom profiles.
    the Query Profile menu with an editable custom profile
    the Query Profiles menu
  2. Do one of the following:
    1. To create a new query profile, click + New Query Profile.
      The Create Query Profile dialog is displayed. It shows a new, empty profile that includes the currently selected meta group, column group, and the filter currently typed in the query bar as a pre-query condition.
      the Version 11.5 Create Query Profile dialog with the Sharing option
    2. To edit an existing query profile, highlight a custom query profile in the menu, and click the edit (the edit icon) icon.
      The Query Profile Details dialog is displayed.
      the Query Profile Details dialog
  3. In the Profile Name field, type a unique profile name that has no more than 80 characters.
    In the Create Query dialog, the Save Query Profile button is activated. In the Query Profile Details dialog, the Select Query Profile button is relabeled as Update Query Profile.
  4. (Version 11.5 and later) Do one of the following:
    1. If you want to share the new query profile with your organization, set the Share with my organization option. You cannot change a query profile from shared to private after it is created.
    2. If you want to create a private query profile that only you can see and manage, leave the Share with my organization checkbox empty. You cannot change a query profile from private to shared after it is created.
  5. (Version 11.5 and later) Select a meta group from the Meta Group drop-down list. If a shared group and a private group have the same name, the private group is listed before the shared group.
  6. Select a column group from the Column Group drop-down list. In Version 11.5, there can be shared or private groups and they can have the same name. In this case, the private group is listed before the shared group.
  7. In the Pre-Query Conditions field, check the default filters from the query bar and add or remove filters if you wish.
  8. Click Save Query Profile or Update Query Profile.
    The new profile is saved or the edited profile is updated with your changes.
  9. To close the dialog, click Close.

Delete a Custom Query Profile (Events View)

Built-in query profiles are read only, and cannot be deleted, but you can delete any custom query profile. A confirmation message allows you to confirm or cancel the deletion. When you delete a shared query profile, the effect is global and the profile is no longer available to any analyst.

Note: If a Springboard panel is using a query profile as a filter, the profile can be edited, but cannot be deleted in the Events view. However, nothing prevents deletion of the profile in the Navigate view or the Legacy Events view. In this case, Springboard panels that use the deleted query profile as a filter continue to work, but the filter is removed and unexpected results may be displayed in the panel. Refer to "Managing the Springboard" in the NetWitness Platform Getting Started Guide for details.

To delete a custom query profile:

  1. Go to Investigate > Events and click Query Profiles in the query bar.
    The Query Profiles menu opens with a list of available profiles.
    the Query Profile menu with an editable profile selected
  2. Highlight a custom query profile that you want to delete, and click the edit (the edit icon) icon.
    The Query Profile Details dialog is displayed.
    the Query Profile Details dialog
  3. Click the delete icon (the delete icon).
    In Version 11.5, a confirmation message gives you the opportunity to confirm or cancel the deletion. Click Cancel or Delete Query Profile.
    In Version 11.4, if the query profile is not a built-in profile, there is no request for confirmation.
    The profile is deleted and removed from the Query Profiles menu. The profile no longer appears anywhere for any analyst working in Investigate.

Copy a Query Profile (Version 11.5 and Later)

You can copy any query profile, built-in or custom, shared or private, as long as it does not have unsaved edits in progress. This is useful when you want a customized version of a built-in profile. Also, since you cannot change a custom profile from private to shared or from shared to private, creating a copy allows you to select a different Sharing setting. When you copy a profile, the same name is used with a number appended. For example, if you copy RSA Email Analysis, the first copy is named RSA Email Analysis-1, and a second copy of the same profile is named RSA Email Analysis-2. After you create the copy, you can edit the new profile to give it a new name and edit the pre-query conditions, meta group, and column group in the profile.

Note: If you are making a shared copy of a private query profile that uses a private meta group or column group, a message notifies you that a shared copy of the meta group or column group is being created and used in the query profile. It may take a little longer to copy the query profile when a private meta group or column group has to be copied.

To copy a query profile:

  1. Go to Investigate > Events and click Query Profiles in the query bar.
    The Query Profiles menu opens with a list of available profiles.
  2. Highlight the query profile that you want to copy. This figure shows RSA Email Analysis highlighted. The information icon (information icon) is displayed to the right.
    example of the Version 11.5 Query Profile menu
  3. Do one of the following:
    1. Click the information icon (information icon).
    2. For a custom profile, click the edit icon (the edit icon).
      The Query Profile Details dialog is displayed. This figure shows the dialog for a built-in profile.
  4. Click the Copy icon (the Copy icon).
    The Copy Query Profile dialog is displayed with a number appended to the profile name to create a unique name among all query profiles.
    the Copy Query Profile dialog
  5. (Optional) In the Query Profile Name field, edit the name of the query profile.
  6. If you want to share the new profile with your organization, set the Share with my organization option. By default the new profile is private. If the profile being copied has a private column group or meta group, a shared copy is created and used in the copy of the profile.
  7. Do one of the following:
    1. To close the dialog without copying the profile, click Cancel.
    2. To save the clone of the query profile, click Save Query Profile.
      The clone is saved, and the Query Profile Details dialog for the cloned profile is displayed.
  8. Do one of the following:
    1. To close the dialog, click Close.
    2. To close the dialog and select the new profile, click Select Query Profile.
      The clone is added to the Query Profiles menu.

Navigate to the Manage Profiles Dialog (Navigate and Legacy Events Views)

  1. Go to Investigate > Navigate or Legacy Events. (If the Investigate dialog is displayed, select a service and click Navigate.)
  2. In the toolbar, select Profile > Manage Profiles.
    the Manage Profiles option selected
    The Manage Profiles dialog is displayed.

Create, Edit, or Delete a Profile Group (Navigate or Legacy Events View)

You can create a custom profile group to organize different profiles. Once created, the only edit you can make directly to a profile group is to edit the name of the profile group. To add or remove a profile in a group, edit the profile and assign it to a different profile group as described in Create and Edit Profiles (Navigate or Legacy Events View).

Note: If you migrated profile groups from Version 11.3, empty groups were not migrated.

  1. In the Manage Profiles dialog, do one of the following:

    • To select an existing profile group to edit, double-click the profile group.
    • To add a new profile group, click Add icon and select Add New Profile Group.

    Note: If you want to edit one of the built-in profile groups, click the duplicate icon to make an editable copy.

    A folder with a blank field is displayed at the bottom of the Profiles list in the left column.
    the Profile Group Name entry field

  2. To edit or enter the name of the profile group, double-click the Profile Group and type in the entry field. The name must be between 2 and 80 characters.
    The profile group name is applied to a new profile group or to the profile group you edited. The profile group is now available when configuring a profile.
  3. To delete a profile group do one of the following:
    • If you want to delete a profile group but keep the profiles, click the checkbox to select the group, uncheck the profiles in the group, and click delete.
    • If you want to delete a profile group and the profiles that the group contains, click the checkbox to select the group, and leave the profiles that you want to delete checked.
      A dialog asks for confirmation that you want to delete the group. If you left the mark in the checkbox next to the profiles, the group and the profiles in the group are deleted. If you unchecked the profiles, only the profile group is deleted and the profiles are moved out of the group and available to add to another profile group.

Create and Edit Profiles (Navigate or Legacy Events View)

  1. In the Manage Profiles dialog, do one of the following:

    • To select an existing profile to edit, click the checkbox beside the name.
    • To add a new profile in Version 11.2 and later, click Add icon or click the down arrow next to Add icon and select Add New Profile.
    • To create a new profile in versions prior to 11.2, click Add icon.

    Note: If you want to edit one of the built-in profiles, click the duplicate icon to create a copy, and edit the copy.

    The definition of the profile is available to edit in the right panel. This figure illustrates the definition of one of the built-in profiles.
    the properties of an out-of-the-box profile

  2. Edit or enter the profile name by typing in the Name field. The name must be between 2 and 80 characters.
  3. (Optional for Version 11.2 and later) If you want to add the profile to a profile group, select a profile group from the Profile Group drop-down list.
    If you select a profile group, the profile is added to the group when you save the changes. If you do not select a profile group, the profile is not part of a group.
  4. Select a meta group from the Meta Group drop-down list. You can add custom meta groups as described in Use Meta Groups to Focus on Relevant Meta Keys. Private meta groups created in the Events view are not available in the Navigate view.
  5. Select a column group for the Column Group drop-down list. You can add custom column groups as described in Use Columns and Column Groups in the Events List. Private column groups created in the Events view are not available in the Navigate view.
  6. Type queries to filter results in the PreQuery field. PreQuery follows the same syntax as the Query builder. The PreQuery in the figure is a filter on the service meta key: service = 24,25,109,110,995,143,220,993.
  7. Click Save to save the profile without using it, or click Save and Apply to save the profile and use it immediately.
    If you click Save and Apply, a confirmation dialog is displayed before applying the selected profile. For Version 11.2 and later, the PreQuery that you entered in the Manage Profiles dialog is displayed in the breadcrumb.
    Profile Pre-Query displayed in the Events view

Delete a Profile (Navigate or Legacy Events View)

  1. In the Manage Profiles dialog, select a profile by clicking the checkbox beside the name.

    Note: You cannot delete any of the built-in profiles.

  2. Click the Delete option.
    A prompt requests confirmation that you want to delete the profile, and the profile is deleted. The option name in the toolbar reverts to Profile to show that no profile is in effect.

Change the Active Profile (Navigate or Legacy Events View)

If you do not see enough results or the right results in the Navigate or Events views, you may have an active profile that is applying a PreQuery. If you do not want to use any profiles, you can click Deactivate Profile in the Profile drop-down menu.

To use a different profile:

  1. In the Navigate or Legacy Events view toolbar, open the Profiles drop-down menu.
  2. Hover over the Profile option to display a drop-down list of available profiles.
  3. Select the profile you want to use.
    The profile settings are applied immediately.

If you want to change the active profile from the Manage Profile dialog:

  1. In the Navigate or Legacy Events view toolbar, select Profiles > Manage Profiles.
    The Manage Profiles dialog is displayed.
  2. Select a profile from the left panel and click Save and Apply.
    A confirmation dialog is displayed.
  3. Click Yes.
    The profile settings are applied immediately.

Import Profiles (Navigate or Legacy Events View)

In the Navigate view and the Legacy Events view, you can upload or import .jsn files that have been downloaded from another service. When profile groups are exported and then imported, the grouping of profiles is maintained.

  1. In the Manage Profiles dialog, click Import in the left panel toolbar.
    The Profile Import dialog is displayed.
  2. Click Browse or the Upload File field to select a file from your computer.
  3. When the file is selected, click Upload.
    The profile is displayed in the left panel.

Download Profiles (Navigate or Legacy Events View)

In the Navigate view and the Legacy Events view, profiles are downloaded as .jsn files.

  1. In the Manage Profiles dialog, select one or more profiles from the left panel.
  2. In the left panel toolbar, click Export.
    The download begins immediately.
