Working with Queries and Filters
You can create queries with specific parameters and conditions to search through large volumes of data from across your network, filtering and retrieving relevant information from sources such as logs, network traffic, and security events. You can then include the results in various areas of the platform such as automation rules, visualization tools, and reports. Additionally, you can build a library of queries to meet your exact needs, whether you're searching for particular IP addresses, user activities, or suspicious trends or patterns of network behavior.
Alert filtering helps you manage large numbers of alerts that the Stellar Cyber Platform generates. Depending on the size of your network, there might be hundreds or even thousands of alerts generated daily. Therefore, it’s important to filter out those that can be ignored so you can focus on and respond to the more serious alerts.
When you filter out specific types of alerts, Stellar Cyber still generates them, but it discards them immediately so they don't populate the system and don't appear in the UI. Because filtered alerts are gone, they can't later provide context to a case. Consider carefully which alerts to keep displaying (those that don't need an analyst's attention but give a fuller picture of the activity) and which to filter so analysts aren't inundated with low-priority alerts.
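The generate-then-discard behavior described above, and the trade-off between noise reduction and lost context, can be modeled in a few lines. The following is an added illustration in Python; it is not Stellar Cyber code and does not use the platform's query syntax. The alert records, field names (`type`, `src_ip`, `severity`, `user`), and the `build_query`/`FilterPipeline` helpers are all constructed for the example. The pipeline keeps a per-filter suppression count so that an analyst can see how much each filter is hiding, which is the check to run before deciding a filter is safe to leave in place.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Alert = Dict[str, object]

# Constructed sample alerts; these are not real platform output.
SAMPLE_ALERTS: List[Alert] = [
    {"type": "Port Scan", "src_ip": "10.0.0.5", "severity": 30, "user": "svc-scanner"},
    {"type": "Port Scan", "src_ip": "10.0.0.9", "severity": 30, "user": "jdoe"},
    {"type": "Brute Force Login", "src_ip": "203.0.113.7", "severity": 80, "user": "admin"},
    {"type": "Malware Detected", "src_ip": "10.0.0.5", "severity": 95, "user": "jdoe"},
]


def build_query(**conditions) -> Callable[[Alert], bool]:
    """Return a predicate that matches alerts where every named field satisfies its condition.

    A condition is either a literal value (tested with ==) or a callable used
    for range checks, e.g. severity=lambda s: s >= 70. (Hypothetical helper.)
    """
    def matches(alert: Alert) -> bool:
        for key, expected in conditions.items():
            actual = alert.get(key)
            if callable(expected):
                if not expected(actual):
                    return False
            elif actual != expected:
                return False
        return True
    return matches


def run_query(alerts: List[Alert], query: Callable[[Alert], bool]) -> List[Alert]:
    """Retrieve the alerts that satisfy the query predicate."""
    return [a for a in alerts if query(a)]


@dataclass
class AlertFilter:
    """An exclusion rule: alerts matching `predicate` are discarded, not shown."""
    name: str
    predicate: Callable[[Alert], bool]
    suppressed: int = 0  # audit counter so hidden volume stays visible to the team


@dataclass
class FilterPipeline:
    filters: List[AlertFilter] = field(default_factory=list)

    def apply(self, alerts: List[Alert]) -> List[Alert]:
        """Alerts are still generated upstream; the first matching filter discards them."""
        visible: List[Alert] = []
        for alert in alerts:
            hit = next((f for f in self.filters if f.predicate(alert)), None)
            if hit is not None:
                hit.suppressed += 1
            else:
                visible.append(alert)
        return visible

    def suppression_report(self) -> Dict[str, int]:
        """How many alerts each filter has hidden; review this before trusting a filter."""
        return {f.name: f.suppressed for f in self.filters}


def demo() -> Dict[str, object]:
    # A narrow filter: only port scans from the approved scanner account are hidden,
    # so a port scan by an ordinary user still reaches the analyst.
    pipeline = FilterPipeline([
        AlertFilter("approved-scanner-port-scans",
                    build_query(type="Port Scan", user="svc-scanner")),
    ])
    visible = pipeline.apply(SAMPLE_ALERTS)
    high_severity = run_query(visible, build_query(severity=lambda s: s >= 70))
    return {
        "visible": len(visible),
        "high_severity": len(high_severity),
        "report": pipeline.suppression_report(),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the filter predicate specific (alert type plus the account that is expected to produce it) is what preserves the context the text warns about: the same alert type from an unexpected source is still shown, while the suppression report makes the hidden volume reviewable.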
The Query and Filter Manager (System | Queries and Filters) is a centralized hub for managing search queries and alert filters. It consists of a query and filter builder, a queries table, and an alert filters table. The builder lets you create and test queries while the tables let you easily view, modify, and delete them in one place. With these capabilities combined, the Query and Filter Manager streamlines how you interact with queries and filters, whether they were created in the Query and Filter Manager or on feature pages throughout the Stellar Cyber user interface (UI).
The query and filter builder is a robust tool that not only lets you construct complex searches and exclusion filters—as the query builders and filter builders on individual feature pages also do—but it also includes Run and Save As functions. The Run option lets you test queries before applying them, ensuring you get expected results without leaving the page. The Save As function lets you make copies of queries and filters and adjust settings, working on up to ten variations in tabbed dialog boxes simultaneously. For details about creating queries and alert filters, see Queries and Alert Filters.
Stellar Cyber automatically updates the tables with the queries and filters that you create using the builder in the manager and the builders that appear on various pages throughout the Stellar Cyber UI. It's these feature pages themselves where you apply queries to retrieve the data you want and apply alert filters to exclude the alerts you don't want:
- Investigate | Threat Hunting | Correlation Search | New Query in the Configure section
- Respond | Automation | Create to add a new playbook, or ("Edit this row" icon) to edit an existing playbook | New Query
- Respond | Reports | Filters | Queries | ("Open Query Builder" icon) | New Query
- Visualize | Charts | Create to add a new chart, or ("Edit this row" icon) to edit an existing chart | New Query on the Query step in the chart builder
- Visualize | XDR Kill Chain | Filters | Queries | ("Open Query Builder" icon) | New Query
- Alerts | View for an Alert Type | ("More info" icon) for an alert event | Actions | Add an Alert Filter
The tables in the Query and Filter Manager share common behaviors with all tables in Stellar Cyber, such as column management, sorting, editing, and deleting.
The Query and Filter Manager groups queries and alert filters together because both use similar logic in their construction. By combining the builder and tables, the Query and Filter Manager provides a single location where you can create, edit, and delete queries and alert filters, streamlining their creation and management.