Save Queries

L1, L2, and L3 analysts can save and load custom queries from the Investigation screen. Saving and loading custom queries allows analysts to quickly and accurately retrieve frequently-required information.

Note

Users with local analyst roles cannot save queries.

Saved query benefits

You might want to save a query if:

  • You have specific queries you run periodically.

  • You have a basic set of query conditions that you want to reuse in different queries.

  • You have complex queries you run frequently.

The system saves queries from all users, providing you access to queries saved by other users.

Build and save a query

When you open the Investigation screen, you see the Build a query pane on the top and the My saved queries pane below it. Initially, the My saved queries pane displays only the sample queries provided with the system. These sample queries investigate various malicious behavior patterns. After you save your own queries, they also display in the My saved queries pane.

Investigation Screen, Build Query Pane, My Saved Queries Pane

  1. Build your query. For details on how to build a query, see Build a Query.

  2. When your query is complete, click Save Query.

    Click Save Query

  3. In the Save new query box, enter a name and description.

  4. Click Save. Cybereason displays your query as the loaded query in the Query Details screen. This example query finds all machines affected by Malop processes.

    Loaded Query, Malop Affected Machines

  5. To see your new query in the list of your saved queries, click Clear below the name of your loaded query, or select Investigation in the sidebar main menu. Cybereason displays the Investigation screen, with your new query at the top of the My saved queries pane.

    Important

    A user can currently save a new query with the same name as an existing query by replacing the default unique query name provided in the Save new query box with that existing name. The platform does not alert you or prevent you from saving queries with duplicate names, and both queries display in the My saved queries pane in the Investigation screen. This is not recommended, because the two queries are then distinguishable only by their descriptions and save dates.

Load a saved query

To load a previously saved query, in the My saved queries pane in the Investigation screen, click the query name. Cybereason loads the query and displays it in the Query Details screen.

Loaded Query, Malop Affected Machines

Modify name and description of a saved query

  1. To edit a previously saved query, in the My saved queries pane in the Investigation screen, hover over the query name. The Delete (trash can) and Edit (pencil) icons display to the right of the query save date.

    Hover on Query Name to See Delete and Edit Icons

  2. Click the Edit icon (the pencil) to the right of the query name. The Edit query box displays.

  3. In the Query name and Description fields, edit the name and description of the query.

  4. Click Save to save the query with the modified name and description.

    Note

    You can edit the query name and description, but you cannot edit the query conditions.

Build a new query from a saved query

  1. In the My saved queries pane in the Investigation screen, click the query to use as the basis for your new query.

  2. Click any Element to make your first desired change to the conditions of the existing query. Cybereason opens a new draft query in the Query Details screen. The new query includes the conditions of the original query, as modified by the change or Element you clicked.

  3. Continue selecting Elements and adding filters to refine your query.

  4. When your query is complete, click Save Query. The Save new query box opens.

  5. Enter a new query name and description.

  6. Click Save to save your query. Your query now appears in the My saved queries pane. The platform saves it as a new query and does not alter the query you used as a starting point.