Create an advanced query

The advanced query feature allows you to build custom queries to enhance your threat hunting activities. Advanced query offers deep visibility into your Aurora Focus environment, expansive query options, and optimized workflows that allow you to combine related searches to reveal new insights. Advanced query is supported for devices with the Aurora Focus agent version 3.0 or later.

Advanced query relies on the use of EQL syntax. You use EQL to construct queries for events, and the results provide information about the artifacts that were involved in those events. The advanced query UI includes syntax information to help you build EQL queries.

  1. In the management console, on the menu bar, click CylanceOPTICS > Advanced Query.
  2. Do one of the following:

    Task: Create a new advanced query

    Steps:
    If you want to use an existing query template to create a new query, click Show Template List and click a template, then skip step 1 below.
    1. In the query field, type or paste the EQL syntax for the query. As you type, syntax options and validation messages are displayed to help you build your query.

      If you want to save the current query as a template, click Save As Template. Type a name and description and select whether you want the template to be private or available to all administrators. Click Save. You can pin, edit, and delete queries from the templates list.

    2. To set the scope of the query, under Search devices, click By Zone or By Device (an icon next to each device indicates whether the device is online). Select one or more zones or devices, then click Save. If you don't set the scope, the query applies to all zones and devices.
    3. To set a date and time range for the query, click the Date range icon and configure the range. Click Apply. If you don't set a range, the query applies to all available data.
    4. Do one of the following:
      • If you want to run the query, click Run Query.
      • If you want to schedule the query to run at a specific date and time or on a regular interval, click Schedule Query. Type a name and description, select whether you want the query to be private or visible to all users, and set the date, time, and optional recurrence settings. If you want to restrict the query to the data that has been collected since the previous run, select the Query only new data check box. Click Schedule Query.

        On the Scheduled Queries tab you can view and edit scheduled queries and view and export the results. You can have a maximum of 25 queries that are actively running or scheduled to run. Stopped queries and single-run queries that have completed do not count towards this limit.

    If you want to save the query results to view them later from the Query Snapshots tab, in the results section, click the Save icon. Type a name and description and select whether you want the results to be private or visible to all users.

    Task: View a query snapshot

    Steps:
    On the Query Snapshots tab, click a query snapshot.

    Note that a snapshot displays the results as they were when the snapshot was saved; it does not run a new query.

  3. If you want to filter the query results, do any of the following:
    • To filter query results by date and time, click one or more bars of the histogram to filter by that date and time range. Click any bar in the selected range to remove the date and time filter.
    • To filter query results by a column, click the Filter icon for that column (for example, Device) and select the filter criteria.
    • To filter query results by a value that you specify, click the Search icon above the query results, then type or paste the value into the search field (for example, a specific timestamp or an event detail value).
  4. Expand a result to display its details. Click the Result details icon to open a panel that includes event details and information about associated alerts (you may need to scroll to the right in the results window). To filter the query results to show the matches for one or more specific facets, click the Filter icon for those facets. Click the icon again to remove the filter.
  5. In the query results, click the Options icon to expand the menu of available actions for each result. Depending on the type of result, this can include:
    • Request and view focus data.
    • Globally quarantine a file. The file appears in Settings > Global List > Global Quarantine, in Protection > Threats, and in the Threats section of the device details.
    • Request and download a file. If path information is available for files associated with other artifact types, you can also download those files. The file is compressed and password-protected to ensure that it is not accidentally executed. The password is "infected". The size limit for file retrieval is 50 MB. Artifacts and files are retained by Aurora Focus for 30 days.
  6. If you want to pin a result so that it is displayed with a visual marker when it shows up in subsequent queries, click the Pin icon.
  • If you want to export the query results to a .csv file, click the Export icon. Type a name and description, specify whether you want the exported results to be private or visible to all administrators, and click Export. You can download the file from the Exported Results tab when it is ready.
  • To add a new query, click the Add icon next to the current query tab.
  • To copy an existing query, hover over that query tab and click the Clone icon.