Working with the Queries List

The System | Configuration | Queries list is automatically updated with queries created using the Query Builder that appears in many areas within Stellar Cyber, such as: 

This feature is specifically for reusable content in Query editors and does not apply to Alert Filters.

The scope of a query determines which tenants can use it. Whether you can create a query for All Tenants depends on the scope of the object being queried, such as charts, correlations, and Automated Threat-Hunting (ATH) rules. In short, the scope of a queried object cannot be more restrictive than the scope of the query itself. For example, if you create an ATH rule for All Tenants, then the query for this ATH rule can be scoped either to All Tenants or to a single tenant, such as "Tenant A". However, if you create an ATH rule for Tenant A, then the query cannot be for All Tenants because the other tenants won’t have this ATH rule and won’t be able to query it. In this case, the query can only be for Tenant A.

Use this table to centrally manage queries created throughout the Stellar Cyber product and to create new queries. The table has the behaviors common to all tables in Stellar Cyber, such as column management, sorting, editing, and deleting.

About the "In Use" Column

The Queries list also includes an In Use column to help you identify the features using a query before you consider modifying or deleting it. As illustrated in the image above, this column shows a sum of the charts, reports, correlation queries, and ATH Playbooks using the query. An entry of zero indicates the query is not in use.

You can hover your mouse cursor over the usage count to see a popup listing exactly which features are using the query. For example, the figure above shows a query that's used by a combination of seven different ATH Playbooks and charts. Any change you make to this query affects all seven of those cases. If you want to delete the query, you must first remove it from all associated features.

The timestamps in the Used In popup above indicate that the corresponding items were created by cloning and not renamed.