Merge pull request #2029 from SEKOIA-IO/alerts-in-qb
Add alerts in Query builder
ka0ula authored Oct 1, 2024
2 parents f61a977 + 54191ff commit 3c7763f
Showing 1 changed file with 56 additions and 8 deletions.
64 changes: 56 additions & 8 deletions docs/xdr/features/investigate/query_builder.md
@@ -1,17 +1,16 @@
# Query Builder (beta)
# Query Builder

Start exploring your data with the Query Builder. Hunt for threats, get analytics, create reports. The Query Builder is a simple form which allows you to build queries to explore your data.
Using this form, you can now aggregate your data to extract new insights. The Query Builder also offers the possibility to visualize data through different kinds of charts.
Start exploring your data with the Query Builder. Hunt for threats, obtain analytics, and create insightful dashboards and reports. The Query Builder is a simple tool that allows you to build queries to explore your data effectively.

At the moment, only the `Events` table is available but more tables are coming.
With this form, you can aggregate data to extract new insights, helping you make informed decisions. Additionally, the Query Builder enables the visualization of data through various types of charts, enriching your reporting capabilities.

Currently, the Alerts data source is available, along with the Events source and the Cases source, with plans to introduce more sources in the future.

![query builder](/assets/operation_center/events/qb-run.gif){: style="max-width:100%"}

## Build your query

Select a table to query in the `From` clause and use `Add clause` button to refine your query.

![clauses](/assets/operation_center/events/qb-clauses.gif){: style="max-width:100%"}
Select a data source to query in the `From` clause and use `Add clause` button to refine your query.

The Query Builder comes with the following clauses:

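Review bot: the new data-source sentence ("the Alerts data source is available, along with the Events source and the Cases source") reads as if Alerts were the primary source and the others an afterthought; a plain enumeration is clearer, e.g. `Currently, three data sources are available: Events, Alerts and Cases, with more planned.` The rewritten `Select a data source ... and use `Add clause` button` line carries over the pre-existing missing article; while touching it, make it `use the `Add clause` button`. Also, "insightful dashboards and reports" in the intro is promotional wording a reference page does not need; "dashboards and reports" is enough.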
Expand Down Expand Up @@ -63,6 +62,51 @@ Use the following operators to define your conditions in the `WHERE` clause.
| > | Strictly more than |
| >= | More than or equal to |

### Alert properties

When using the Query Builder with Alerts as a source, users can filter and manipulate queries based on the following alert properties:

| **Alert Property** | **Description** |
|---------------------------|----------------------------------------------------------------------------------------------|
| Creation date | The date and time when the alert was initially created. |
| Update date | The date and time when the alert was last updated. |
| Entity UUID | A unique identifier representing the entity associated with the alert. |
| Entity name | The name of the entity linked to the alert. |
| Rule UUID | A unique identifier for the rule that generated the alert. |
| Rule name | The name assigned to the rule that triggered the alert. |
| Status | The current state of the alert (e.g., open, acknowledged, resolved). |
| Urgency | The level of urgency assigned to the alert. |
| Similar | Properties related to similar alerts. |
| Short ID | A concise identifier for quick reference to the alert. |
| Time to detect | Duration taken to identify the alert from its occurrence in seconds. |
| Time to acknowledge | Time elapsed from detection to official acknowledgment of the alert in seconds. |
| Time to respond | Duration taken to take action after acknowledgment in seconds. |
| Time to resolve | The total time taken to completely resolve the alert in seconds. |
| Time to ingest | The duration from alert generation to its final ingestion into the system in seconds. |
| Detection type | The method by which the alert was detected. |
| Community UUID | A unique identifier for the community the alert belongs to. |

### Case properties

When using the Query Builder with Cases as a source, users can filter and manipulate queries based on the following case properties:

| **Property** | **Description** |
|---------------------------|--------------------------------------------------------------------------------------------|
| Case Status Name | The name of the status associated with the case. |
| Community UUID | A unique identifier for the community related to the case. |
| Created at | The date and time when the case was created. |
| Created by | The user or system that created the case. |
| Created by type | The type of entity that created the case (e.g., user, automated system). |
| Description | A detailed description outlining the case's context or issues. |
| First seen at | The date and time when the case was first detected. |
| Last seen at | The date and time when the case was last observed or updated. |
| Priority | The importance level assigned to the case, indicating its urgency. |
| Short ID | A concise identifier for quick reference to the case. |
| Tags | The names of tags associated with the case for categorization and filtering. |
| Title | The title or subject line of the case. |
| Updated at | The date and time when the case was last updated. |
| Updated by | The user or system that last updated the case. |

## Run your query

Click on `Run query` to perform a search.
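Review bot: the `Similar` row ("Properties related to similar alerts") does not say what the property holds or what type it is, so a reader cannot write a `WHERE` condition on it with the operators listed just above this section; state the actual value (for example a count of similar alerts or a list of their identifiers) or leave the row out until it is documented. The two new tables are also inconsistent with each other: the header reads `**Alert Property**` in one and `**Property**` in the other, and both list display names only, while the clause section tells users to build conditions against these properties, so each row should give the field identifier exactly as it appears in the builder. Minor: the five `Time to ...` rows repeat "in seconds" in slightly different phrasings; one sentence above the table stating that all durations are expressed in seconds would be cleaner, and the `Time to ingest` row should say whether it is measured from the event or from the alert, since `Time to detect` already starts "from its occurrence".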
Expand Down Expand Up @@ -123,4 +167,8 @@ You can export your results in JSON Lines format. Export file will have `.jsonl`

JSON Lines is a convenient format for storing structured data that may be processed one record at a time. It works well with unix-style text processing tools and shell pipelines.

See [JSON Lines documentation](https://jsonlines.org/) for more details.
See [JSON Lines documentation](https://jsonlines.org/) for more details.

## Add query to dashboard

Queries can be added to dashboards. To read more about this feature, check our documentation on [dashboards](/xdr/features/report/dashboards/#query-builders-widgets).
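Review bot: the `See [JSON Lines documentation]` line appears twice in this hunk with identical text, which indicates a whitespace-only change (most likely a trailing newline); harmless, but reverting it keeps the diff to the intended addition. The new `Add query to dashboard` section states that queries can be added to dashboards but not how; name the control in the Query Builder that does it (the page otherwise walks the reader through `Add clause` and `Run query` by button name) and use a parallel heading such as `Add a query to a dashboard`. The link target `/xdr/features/report/dashboards/#query-builders-widgets` is an anchor that must exist on the dashboards page; please confirm the heading there renders with that exact id.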
