Save a query

Data Explorer allows you to save queries so that you can run them again later. With specific Data Explorer licenses, you can also configure custom alert settings for a saved query. When custom alert settings are configured for a saved query, a custom alert is generated each time the query runs as scheduled.

Note: Custom alerts are considered non-emergency events for self-service reporting purposes only. When you configure a custom alert rule, the results of each query run are sent only to members of the recipient group you select. These events are not submitted to the Arctic Wolf® Security Operations Center for review or alerting.

Before you begin

  • Configuring custom alert settings is an optional step in this task. This step requires a valid license.

    For more information, see Data Explorer license options.

  • A maximum of 10 custom alert rules can be enabled at the same time. If you have reached this limit, consider disabling a custom alert rule. For more information, see Enable or disable a custom alert rule.

Steps

  1. Run an analyzed log search.
  2. Click Save New Query.
  3. In the Name field, enter a name for the query.
    If you choose to configure custom alert settings for this query, the custom alert will have the same name.
  4. Optional: In the Description (Optional) field, enter a short description of the query.
  5. Select a privacy setting:
    • Not Restricted — Makes the query visible to everyone in your organization.
    • Restricted — Restricts access to only primary and secondary contacts in your organization.
    The option that you select determines whether other users can view the saved query in Data Explorer.
  6. Optional: Configure custom alert settings:
    1. Click the Enable Custom Alert toggle to the on position.
    2. In the Select Notification field, configure who receives the custom alert:
      • To create a recipient group — Click Create Recipient Group, enter a name for the group, and then add recipients to the To field. If desired, add recipients to the CC field. Then, click Create.
      • To select an existing recipient group — In the Select Notification field, select a group.
      After you select a recipient group, a list of its members is displayed.
    3. In the Notification Frequency field, select how often the query runs and generates a custom alert.
  7. Click Save.
    If you configured custom alert settings, a new rule is added to the Custom Alert Rules tab of the Alert Configuration Rules page. You can manage custom alert settings in Data Explorer or from the Alert Configuration Rules page. For more information, see View a custom alert rule.