Query profiles offer a quick and easy way to define a meta group, column group, and a limiting filter (pre-query condition) that you can apply in the Navigate view, the Events view, and the Legacy Events view (see Use Query Profiles to Encapsulate Common Areas for Investigation). The same query profiles are shared between all views, and they are available in the Springboard (Version 11.5) for use in panels. Private query profiles created in the Events view are only available in the Events view for the analyst who created them.
Each query profile specifies a meta group, column group, and sometimes includes a pre-query condition appropriate for the type of investigation.
In a query profile:
- The meta group defines the meta keys that are queried (see Use Meta Groups to Focus on Relevant Meta Keys).
- The column group defines which meta keys from the meta group are displayed as columns in the Events list (see Use Columns and Column Groups in the Events List).
- When the query profile is in effect, the optional pre-query conditions add a limiting filter in the query bar. You can edit or delete the limiting filter and then create additional filters for your query (see Filter Results in the Events View).
You can manage profiles in the Manage Profiles dialog, the Create Query Profile dialog and the Query Profile Details dialog.
- The Manage Profiles dialog is for the Navigate view, the Legacy Events view (Version 11.4 and later), and the Events view (Version 11.3 and earlier). To access this dialog, select Profile > Manage Profiles in the Navigate or Legacy Events view toolbar.
- The Create Query Profile dialog is for the 11.4 and later Events view. To access this dialog, select Query Profiles > New Query Profile in the Events view query bar.
- The Query Profile Details dialog is for the 11.4 and later Events view. To access this dialog, select Query Profiles in the Events view query bar, then click the edit icon next to a custom profile name.
Quick Look - Query Profile Menu, Create Query Profile Dialog, and Query Profile Details Dialog
This section introduces the Query Profile menu, the Create Query Profile dialog, and the Query Profile Details dialog. The following figure is an example of the Query Profiles menu and the table describes the options. The example on the left has a built-in profile highlighted so that the information icon is visible. The Version 11.4 menu is on the left and the Version 11.5 menu is on the right.
| Option | Description |
|---|---|
| Visibility Options | Control the types of query profiles that are visible in the list. You can use any combination of the visibility options: Private, Shared, or RSA (blue = selected, black = not selected). Initially none of the buttons are selected and all profile types are visible. This is the same result as if all three buttons are selected. The visibility options work together with text in the Filter Query Profiles field. If the visibility option is hiding built-in profiles (which include "RSA" in the name) and you search for a name that contains "RSA," the list is empty. Private = display private groups that only you can manage; Shared = display shared groups that anyone in your organization can manage; RSA = display built-in groups that only RSA can manage. |
| Filter Query Profiles | Filters the list of query profiles as you type text so that only profile names that contain that text are displayed. |
| Query Profile List | The list of profiles consists of custom and built-in profiles, which are distinguished by the icons that precede the name. In the example, RSA Email Analysis-1 and RSA Email Analysis-2 are custom profiles. The RSA Email Analysis is a built-in profile. |
| New Query Profile | Displays the Create Query Profile dialog, where you can create a custom profile. |
The Create Query Profile dialog, shown in the figure on the left, allows you to define a custom profile. The figure on the right illustrates the Query Profile Details dialog, in which you can edit a custom profile. The table describes the fields and options in the dialogs.
| Field or Option | Description |
|---|---|
| | Creates a clone of the meta group so that you can edit a copy. This is useful if you want your own copy of a built-in group, a shared copy of a private group, or a private copy of a shared group. |
| | Deletes the custom profile in the Query Profile Details dialog. This action is irreversible and applies globally; the profile is no longer available to anyone who is using the profiles on this service. |
| Query Profile Name | Displays the name of the profile. The name must be unique and contain fewer than 64 characters. You can edit the name in a custom profile. |
| Column Group | Displays a drop-down menu listing available column groups, with the currently selected column group from the Events list already selected. You can change the column group in a custom profile. |
| Pre-Query Conditions | Defines a limiting filter for results in the Events view. If you had a query active in the query bar when you began to create the new profile, the active query is added to the Pre-Query Conditions field. In a custom profile, you can delete the prepopulated pre-query condition and type additional text for a text search or additional filters in the Pre-Query Conditions field. This is an example of a pre-query condition: |
| | Closes the dialog. |
| Save Query Profile | For the Create Query Profile dialog only, saves the new profile. |
| | For the Query Profile Details dialog only, reverts the edited profile to the last saved state. |
| Update Query Profile | For the Query Profile Details dialog only, applies changes to an edited profile. |
| Select Query Profile | Applies the query profile. |
Quick Look - Manage Profiles Dialog
This is an example of the Manage Profiles dialog showing several profile groups.
The Profile panel on the left side of the dialog displays available profiles and allows you to add, delete, import, and export profiles. The following table describes the fields in the Profile panel.
| Field | Description |
|---|---|
| | Adds a new profile using the Settings panel on the right side of the Manage Profiles dialog. |
| | Deletes the selected profile. A confirmation dialog is displayed before the profile is deleted. |
| | Creates a copy of the selected profile. |
| | Displays the Profile Import dialog, where you can upload a file. |
| | Exports the selected profile to your computer. |
| Profile Name | Lists all profile names. |
The Settings panel on the right side of the dialog offers options to configure profiles. It can only be used when one profile is selected. The following table describes the fields in the Settings panel.
| Field | Description |
|---|---|
| Name | Displays the name of the profile. |
| Meta Group | Displays a drop-down menu listing available meta groups. |
| Column Group | Displays a drop-down menu listing available column groups. The OOTB column groups and these three groups are available by default: |
| PreQuery | Defines a limiting query for filtering Investigate results. This query is used when the associated profile is activated and the preQuery applies to any queries used in the Navigate and Events views. This is an example of a preQuery: |
The following table describes the buttons.
| Button | Description |
|---|---|
| Close | Closes the dialog. |
| Cancel | Cancels all changes. |
| Save | Saves all changes. |
| Save and Apply | Saves and applies all changes immediately. |