Predefined queries
Use predefined queries to retrieve observation data by supplying typed parameters. You do not need to know the underlying query language.
Each query has a stable identifier, such as observations-by-domain. To discover what parameters a query accepts, call the Describe a predefined query endpoint, then run it by POSTing a request body with your parameter values.
Key concepts
- Organization ID: The identifier for your organization, supplied as a path segment in every request. It must contain only letters, numbers, underscores, and hyphens.
- Data source: The named dataset that you want to query, supplied as a path segment. It must contain only letters, numbers, underscores, and hyphens. For more information about finding available data sources, see Discovering data sources.
- Personal API key: Personal API keys (PAKs) integrate third-party systems with Arctic Wolf. PAKs are tied to your user account and inherit your access rights. A PAK expires after a number of days that is configured when the key is created. For more information, see Create a personal API key.
- Observation: In the Arctic Wolf context, an observation is a normalized, parsed, and enriched log received from a customer environment. It is the foundational data unit in the Arctic Wolf security pipeline.
- Accessible retention: The portion of the total retained data that is available to the customer, based on their licensing and entitlement level.