Advanced Hunting
Use this tab to run predefined hunting queries created by our Threat Research team. Manager and Analyst users can create and manage custom queries alongside the predefined ones.
About Predefined Hunting Queries
Predefined queries are created by the Qualys Threat Research team. These queries help users quickly and efficiently identify potential threats, suspicious activities, or environmental anomalies.
Here are some points to note:
- These queries can be identified by the Qualys () logo.
- These queries cannot be modified or deleted.
- These queries can be run, edited, and saved as new queries.
Run Predefined Queries
To run predefined queries, perform the following steps:
- Identify the query you want to run.
- Click Run.
- Customize the query and then click Save as New Query.
Save Predefined Queries
After customizing a predefined query, you can save it as a new query. However, you do not have permission to modify and save the original predefined query.
To save the predefined query, perform the following steps:
- After you have made changes to the predefined query, click Save as New Query, which is at the top-right of the window.
- In the Save Query window, perform the following steps:
- Provide a name and description for the query.
- Choose a category. You can also add a new category by scrolling to the bottom of the Category drop-down and clicking Add New. Enter a new category name and click the tick mark.
- Select Mark as Favorite if you want to mark your query as favorite.
- Click Save.
When you click Save, you are redirected to the Advanced Hunting tab. Your query will appear at the top of the list.
About Custom Hunting Queries
You can create and manage custom queries in addition to the predefined queries. These custom queries are great for finding specific event data and can be saved for later. Saving a query means you can rerun it without having to type in the search details each time, which makes threat hunting quicker and easier.
Create Custom Queries
To create custom queries, perform the following steps:
- Click New Query.
- Enter your query and then click Run Query.
- Customize the query and then click Save Query.
Query customization includes the following steps:
providing a name and description for the query, choosing an existing category or creating a new one,
marking query as favorite. See, Save Predefined Queries.
Customization Options
You can tailor your query results with a variety of customization options.
You can copy queries to the clipboard for easy reuse, integrate them into existing queries, or add specific query results as new fields in your table columns. | |
You can combine your current query with an existing one, expanding your search criteria. | |
You have the flexibility to manage columns by adding fields from the search results, ensuring that the displayed data meets their precise needs. |
These features empower users to streamline their workflow, enhancing productivity and making data insights more accessible and actionable.
Customizable Table View
You can customize the table view by adding or removing columns to display the most relevant data for your current threat-hunting session.
To customize the table view, perform the following steps:
- Click from the top of the page.
- In the Manage Columns window, select the columns to add. To remove a column, click the X next to its name. To restore the column selection to its original default configuration, click Reset to Default Columns.
- Click Apply.
Filter Queries
You can refine your search results and focus on the most relevant data during threat hunting with the various filters.
All Queries: Click All to view the complete list of all queries (predefined + custom).
Favorite Queries: Click Favorites to view queries marked as favorites.
Qualys Research: Access expert-curated queries developed by Qualys Research, focused on the latest security threats and vulnerabilities.
Filters: Filter custom and predefined queries based on categories.
To filter based on categories, perform the following steps:
- In the Advanced Hunting tab, click Filters.
- Select the categories.
- Click anywhere in the window to display events for the selected categories.
Manage Queries
You can edit and delete custom queries via the Quick Actions drop-down. These actions are disabled for the predefined queries the Qualys Threat Research team created.
Edit Custom Queries
You can edit custom queries. When saving a custom query, you will have two options: save the query or save the query as new. The difference between Save the Query and Save the Query as New lies in how the query is stored and whether the original query is affected. Save the Query modifies the current query, while Save as New preserves the original and creates a new, separate query.
To edit a custom query, perform the following steps:
- Identify the custom query you want to edit.
Tip: Predefined queries are indicated by the Qualys logo. - Point your mouse to the query name, click the Quick Actions drop-down menu, and click Edit.
- Make changes to your query.
- Choose how you want to save the query. If you select Save as New Query, the Save Query window will display, and you will provide the information requested in the dialog.
Delete Custom Queries
To delete a custom query, perform the following steps:
- Identify the custom query you want to delete.
Tip: Predefined queries are indicated by the Qualys logo. - Point your mouse to the query name, click the Quick Actions drop-down menu, and click Delete.
- Click Yes to confirm your action. Once the query is deleted, you will receive a confirmation message on the UI.