Working with Queries and Filters

The Query and Filter Manager (System | Queries and Alert Filters) is a centralized hub for managing search queries and alert filters. It consists of a query and filter builder, a queries table, and an alert filters table. The builder lets you create and test queries while the tables let you easily view, modify, and delete them in one place. With these capabilities combined, the Query and Filter Manager streamlines how you interact with queries and filters, whether they were created in the Query and Filter Manager or on feature pages throughout the Stellar Cyber user interface (UI).

Illustration of the Query and Filter Manager

The query and filter builder is a robust tool that not only lets you construct complex searches and exclusion filters—as the query builders and filter builders on individual feature pages also do—but it also includes Run and Save As functions. The Run option lets you test queries before applying them, ensuring you get expected results without leaving the page. The Save As function lets you make copies of queries and filters and adjust settings, working on up to ten variations in tabbed dialog boxes simultaneously. For details about creating queries and alert filters, see Queries and Alert Filters.

Stellar Cyber automatically updates the tables with the queries and filters that you create, whether you use the builder in the manager or the builders that appear on various pages throughout the Stellar Cyber UI. The feature pages themselves are where you apply queries to retrieve the data you want and apply alert filters to exclude the alerts you don't want:

  • Investigate | Threat Hunting | Correlation Search | for New query in the Configure section

  • Respond | Automation | Create to add a new playbook or ("Edit this row" icon) to edit an existing playbook | New Query

  • Respond | Reports | Filters | Queries | ("Open Query Builder" icon) | New Query

  • Visualize | Charts | Create to add a new chart or ("Edit this row" icon) to edit an existing chart | New Query on the Query step in the chart builder

  • Visualize | XDR Kill Chain | Filters | Queries | ("Open Query Builder" icon) | New Query

  • Alerts | View for an Alert Type | ("More info" icon) for an alert event | Actions | Add an Alert Filter

The tables in the Query and Filter Manager share common behaviors with all tables in Stellar Cyber, such as column management, sorting, editing, and deleting.

Through the combination of the builder and tables, the Query and Filter Manager provides a single place where you create, edit, and delete queries and alert filters.