Working with the Queries List
The System | Configuration | Queries list is automatically updated with queries created using the Query Builder that appears in many areas within Stellar Cyber, such as:
This feature is specifically for reusable content in Query editors and is not applicable for use with Alert Filters.
As of v4.3.0, the availability of certain components (such as charts, correlations, ATH rules) with tenant visibility settings has changed. Specifically, the top level component cannot have a less restrictive visibility than its children components.
-
For any component, such as a query you create, with visibility set to All Tenants, then all its sub-components (such as a lookup list) must also be set to All Tenants.
-
Similarly, if a component is set for a specific tenant, then all its sub-components must be specified for either that tenant or All Tenants.
Use this table to manage queries created throughout the Stellar Cyber product centrally and create new queries. The table has common behaviors to all tables in Stellar Cyber, such as column management, sorting, editing, or deleting.
About the "In Use" Column
The Queries list also includes an In Use column to help you identify the features using a query before you consider modifying or deleting it. As illustrated in the image above, this column shows a sum of the charts, reports, correlation queries, and ATH Playbooks using the query. An entry of zero indicates the query is not in use.
You can hover your mouse cursor over the usage count to see a popup listing exactly which features are using the query. For example, the figure above shows a query that's used by a combination of seven different ATH Playbooks and charts. Any change you make to this query affects all seven of those cases. If you want to delete the query, you must first remove it from all associated features.
The timestamps in the Used In popup above indicate that the corresponding items were created by cloning and not renamed.