2.4 Saving a Search Query

You can save a search query, then repeat it as desired. To save a search query, you must first perform a search. When you are satisfied with the search results, you save the search query.

NOTE: You must have the necessary permission to access the specific options. For example, only users in the Report Administrator role can save the search query as a report template.

2.4.1 Saving a Search Query as a Search Template

  1. Perform and refine a search until you are satisfied with the search results.

    For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.

  2. Click Save as, and then click Save search.

  3. Specify a unique name for the search and provide an optional description.

  4. Specify the following information in the Default Parameters section:

    Targets: Displays the number of servers that Sentinel searches for events. This option is useful if distributed search is enabled. To choose the targets you want to search, click Selected Targets, then select the targets.

    Email to: To e-mail the search template to others, specify the e-mail address. To send it to more than one person, separate the e-mail addresses with commas.

    Result limit: Specify the number of results to be stored in the search template. By default, 1000 results are stored.

  5. Click Save.

2.4.2 Saving a Search Query as a Filter

  1. Perform a search, and refine the search results as desired.

    For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.

  2. When you are satisfied with the search results, click Save as, then click Save search as filter.

  3. Specify a unique name for the filter and an optional description.

  4. In the drop-down list, select one of the following options to specify the access for this filter:

    • Private: Allows you to make this filter private. Other users cannot view or access this filter.

    • Public: Allows you to share this filter with all users.

    • Users in same role: Allows you to share this filter with users who have the same role as yours.

    • Users in selected roles: Allows you to share this filter with users in specific roles. If you select this option, a blank field is displayed where you can specify the roles. As you type the role name, a list of roles is displayed.

      Select one or more roles.

      NOTE: This option is available only for users in the administrator role.

  5. Click Save.

    The saved filter is listed in the Filters panel. For more information on filters, see Section 3.0, Configuring Filters.

2.4.3 Saving a Search Query as a Report Template

You can save the search query as a report template.

NOTE: You must have the Manage Reports permission to save the search query as a report template.

  1. Perform a search, and refine the search results as desired.

    For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.

  2. When you are satisfied with the search results, click Save as, then click Save search as report.

  3. Specify the following parameters:

    Report name: Specify a unique name for the report. The name must not exceed 200 characters.

    Based on: Select the base report from which you want to create the report. You can view a sample report by clicking the View Sample button.

    Description: The description is filled in automatically from the selected base report; you can edit it.

    Criteria: The criteria are filled in automatically from the selected base report and cannot be edited.

    Additional Criteria: Specify additional search criteria to add to the existing criteria. To build new criteria yourself, click Edit Criteria. To build new criteria from available system objects that contain criteria, click Add Criteria. The criteria that you add here are appended to the existing criteria.

    Targets: Select the source machines on which the report can be run by clicking the Selected Targets link. You can select targets only if your Sentinel is configured for distributed search. For more information, see Searching and Reporting Events in a Distributed Environment in the NetIQ Sentinel 7.1 Administration Guide.

    Additional Criteria: Specify additional criteria to refine the results. The criteria that you specify here can be edited while scheduling the report. If you specify a Criteria name, the name is displayed at the end of the report results.

      NOTE: This parameter is not available for all reports.

    Time Zone: Specify the time zone in which the report data is presented. When you schedule the report, the time zone that you specify here is displayed in the report data. For example, if the Time Zone is set to US/Pacific-New, the report data displays that time zone. By default, the time zone set on the client system is used.

      NOTE: This parameter is not available for all reports.

    Date Range: If the report includes time period parameters, choose the date range. All time periods are based on the local time of the browser. The From Date and the To Date change automatically to reflect the option you select.

      • Current Day: Shows events from midnight of the current day until 11:59:00 PM of the current day. If the current time is 8:00:00 AM, the report shows 8 hours of data.

      • Previous Day: Shows events from midnight yesterday until 11:59:00 PM yesterday.

      • Week To Date: Shows events from midnight Sunday of the current week until the end of the selected day.

      • Previous Week: Shows events for the last seven days.

      • Month to Date: Shows events from midnight of the first day of the current month until the end of the selected day.

      • Previous Month: Shows events for one month, from midnight of the first day of the previous month until 11:59:00 PM of the last day of the previous month.

      • Custom Date Range: Shows events for a period whose start and end dates you choose. If you select Custom Date Range, set the start date (From Date) and the end date (To Date) for the report.

    Group By: Group the events by a specific event field by selecting the field from the Group by drop-down list.

      NOTE: This parameter is not available for all reports.

    Language: Choose the language in which the report labels and descriptions are displayed. The possible values are English, French, German, Italian, Japanese, Traditional Chinese, Simplified Chinese, Spanish, and Portuguese. The default is the language with which the current user logged in, if the report supports that language; otherwise the report's default language (typically English) is used. The data in the report is displayed in the language originally used by the event source.

    Email to: Specify an e-mail address in the Email to field. To mail the report to more than one user, separate the e-mail addresses with commas.

    Result limit: Specify the number of results to be displayed or stored when you run or schedule the report. By default, 1000 results are stored. If you specify a value in the Group By field, the result limit applies to the grouped results.

  4. Click Save to save the search as a report definition.

    You can see the saved report definition in the Reports and Searches panel in the Sentinel Web interface. To view the reports, see Viewing Events.
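The Date Range options determine how much data a scheduled report actually covers, which matters when a report is used as a detection or compliance control. The Python script below is added here as an illustration; it is not part of Sentinel or of this guide. It computes the From Date and To Date for each option from the descriptions above, following the guide's stated 11:59:00 PM end of day, and makes two assumptions that the guide leaves open: "the selected day" is the day the report runs, and "the last seven days" are the seven full days ending yesterday. The run time DEMO_NOW, the function names and the sample values are constructed for the example.

```python
from datetime import date, datetime, time, timedelta
from typing import Dict, Optional, Tuple

# The guide states that each day-based range ends at 11:59:00 PM of its last
# day; this constant follows that statement. Confirm the exact boundary in
# your own deployment before relying on back-to-back scheduled reports.
END_OF_DAY = time(23, 59, 0)

# Constructed run time for the demonstration: Wednesday 13 March 2024, 08:00
# browser-local time (the guide bases all periods on the browser's local time).
DEMO_NOW = datetime(2024, 3, 13, 8, 0, 0)


def _day_start(d: date) -> datetime:
    return datetime.combine(d, time.min)


def _day_end(d: date) -> datetime:
    return datetime.combine(d, END_OF_DAY)


def report_window(option: str, now: datetime,
                  custom_from: Optional[date] = None,
                  custom_to: Optional[date] = None) -> Tuple[datetime, datetime]:
    """Return (From Date, To Date) for a Sentinel report Date Range option.

    Naive datetimes are used on purpose: no time-zone conversion happens here,
    matching the guide's statement that periods are based on browser local time.
    """
    today = now.date()
    if option == "Current Day":
        return _day_start(today), _day_end(today)
    if option == "Previous Day":
        yesterday = today - timedelta(days=1)
        return _day_start(yesterday), _day_end(yesterday)
    if option == "Week To Date":
        # The week starts on Sunday. date.weekday() counts Monday as 0 and
        # Sunday as 6, so shift by one before taking the remainder.
        sunday = today - timedelta(days=(today.weekday() + 1) % 7)
        return _day_start(sunday), _day_end(today)  # assumption: "selected day" is today
    if option == "Previous Week":
        # The guide defines this as "the last seven days": a rolling window,
        # not the previous calendar week. Assumption: seven full days ending
        # yesterday.
        return _day_start(today - timedelta(days=7)), _day_end(today - timedelta(days=1))
    if option == "Month To Date":
        return _day_start(today.replace(day=1)), _day_end(today)
    if option == "Previous Month":
        last_of_prev = today.replace(day=1) - timedelta(days=1)
        return _day_start(last_of_prev.replace(day=1)), _day_end(last_of_prev)
    if option == "Custom Date Range":
        if custom_from is None or custom_to is None:
            raise ValueError("Custom Date Range needs both From Date and To Date")
        if custom_from > custom_to:
            raise ValueError("From Date must not be after To Date")
        return _day_start(custom_from), _day_end(custom_to)
    raise ValueError(f"unknown Date Range option: {option!r}")


def hours_of_data(option: str, now: datetime) -> float:
    """Hours of events the window actually contains when the report runs at `now`.

    Events after `now` do not exist yet, so the effective end is min(To Date, now).
    Reproduces the guide's example: Current Day run at 08:00 covers 8 hours.
    """
    start, end = report_window(option, now)
    effective_end = min(end, now)
    return max(0.0, (effective_end - start).total_seconds() / 3600)


def demo_windows(now: datetime = DEMO_NOW) -> Dict[str, Tuple[str, str]]:
    """All day-based windows for `now`, as ISO strings, for inspection."""
    windows = {}
    for option in ("Current Day", "Previous Day", "Week To Date",
                   "Previous Week", "Month To Date", "Previous Month"):
        start, end = report_window(option, now)
        windows[option] = (start.isoformat(), end.isoformat())
    return windows


if __name__ == "__main__":
    for option, (start, end) in demo_windows().items():
        print(f"{option:14s} {start}  ->  {end}")
    print("Current Day run at 08:00 contains",
          hours_of_data("Current Day", DEMO_NOW), "hours of events")
```

Running the script shows, for the constructed run time, that a Current Day report scheduled at 08:00 contains eight hours of events and that Previous Week is a rolling seven-day window rather than the previous calendar week. Before relying on Previous Day reports for gap-free daily coverage, check in your deployment whether the 11:59:00 PM boundary stated in the guide is inclusive of the final minute.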

2.4.4 Saving a Search Query as a Routing Rule

You must be in the administrator role to save the search query as a routing rule.

  1. Perform a search, and refine the search results as desired.

    For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.

  2. When you are satisfied with the search results, click Save as, then click Save search as routing rule.

  3. Specify a name for the rule.

  4. (Conditional) To associate one or more tags with the events, click Select tag, select the desired tags, then click Set.

  5. Select where to route the events:

    • All: Events are routed to all Sentinel services, including Correlation and Security Intelligence.

    • Event store only: Events are sent directly to the event store and are not displayed in Active Views or on the search results page.

    • None (drop): Events are dropped and are not sent to any Sentinel service, including the event store, so they cannot be searched or reported on later.

  6. Select one or more actions to be performed on each event that meets the search criteria. Click the plus and minus icons to add and remove actions.

  7. Click Save.

2.4.5 Saving a Search Query as a Retention Policy

You must be in the administrator role to save the search query as a retention policy.

  1. Perform a search, and refine the search results as desired.

    For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.

  2. When you are satisfied with the search results, click Save as, then click Save search as retention policy.

  3. Specify a name for the retention policy.

  4. In the Keep at least field, specify the minimum number of days to retain the events in the system. The value must be a valid positive integer.

  5. (Optional) In the Keep at most field, specify the maximum number of days for which the events should be retained in the system.

    The value must be a valid positive integer and must be greater than or equal to the Keep at least value. If no value is specified, the system retains the events for as long as space is available in local storage.

  6. Click Save.

    The newly created policy is displayed in the data retention table. For more information on retention policies, see Configuring Data Retention Policies in the NetIQ Sentinel 7.1 Administration Guide.

2.4.6 Creating a Dashboard

You must have the Manage and View Security Intelligence Dashboards permission to create a dashboard.

  1. Perform a search, and refine the search results as desired.

    For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.

  2. When you are satisfied with the search results, click Save as, then click Save search as dashboard.

  3. Specify the following information to create the dashboard:

    • Name: Specify a unique name for the dashboard.

    • Classifier: Select the classifier that determines the categories displayed in the dashboard. Click the Info link for information on each category.

    • Data Retention Period: Select how long the data for the dashboard is retained.

  4. Click Create dashboard to create the dashboard.

The dashboard is displayed in a new browser tab. A new dashboard is empty because it has not had time to collect any data. For more information on dashboards, see Section 5.0, Analyzing Trends in Data.