Queries Page

Use the Queries page to manage the queries on your system. You can see a centralized summary of information about all saved queries in the system. You can manage all queries, see who updated a query, view when a query was last used, and more.
To open the Queries page, click (Queries icon).
The Queries page opens.

Queries are organized in folders. The Folders pane is shown at the left side of the page.

See Managing Queries for more information about using the Folders pane.

When you save a query, the access permission you configure and the folder you select determines its folder location.

The total number of saved queries in the selected folder is displayed on the top left side of the table:

See Managing Queries for more information.

A link to Query History is displayed at the top of the page. Click Query History to see information about queries run on the system.

The following information is displayed on the Queries page.

• Name - The name of the saved query.
• Module - The system modules on which the query runs, which include: Devices, Users, Vulnerabilities, Software, Activity Logs, Adapters Fetch, Asset Investigation - Devices/Users etc.
• Tags - The tags associated with the saved query, if these exist.
• Access - The access permissions for the saved query.
  • Private - Only the user can view this saved query.
  • Public - All users can view this saved query. It can be used in all Dashboard, Enforcement Center, Reports and Query Wizard.
• Used In - an icon shows the component in which the Query is used. Mouse over to see more details. Click on the icon of the component to open the query in the relevant place in the system. For example, in the Enforcement page or Dashboard. In this way, you can see where queries are used and decide whether you can delete them from the system, or what will be affected if you edit them.
  Note:

  Used In is only available for Administrators.

• Last Used by User – The last time the query was run by any user manually.
• Last Updated - The date and time the saved query was updated.
• Updated By - The user who made the last update to the query.
  • The username is displayed with a prefix:
    • Internal - A user who was defined internally in Axonius by one of the system admins.
    • SAML or LDAP - A user who logged in using the LDAP or SAML based login options.
  • If the user no longer exists in the system, the displayed username is displayed with a “(deleted)” suffix.
  • Hover over the field to display the user's first and last name in addition to the user name, if this exists.
  • For predefined saved queries, that were preconfigured by Axonius, the Updated by value is Predefined.
  • Folder – the folder the query is stored in
• Created by – the name of the user who created the query.
• Folder Path – the path where the saved query is stored. If the path is long, and not fully displayed, mouse over to see it.

When you click on a query, the Saved Query drawer opens. Refer to Viewing and Editing Query Details to learn more about the Saved Query drawer.
You can select Run Query to run the query.

Search and Filter Saved Queries

You can filter the queries as follows:

• Query Name - Enter a query name to search by. The system returns all relevant queries.

• Module - Select one or more system modules on which the query runs. The system returns all relevant queries.

• Tags - Select one or more tags from a list of all the tags associated with the saved queries to filter the display by tags. All saved queries tagged with at least one of the selected tags are displayed. Click Clear All to clear all selections.

• Access - Select an access type to filter the display by access type. All queries with the selected Access Type are displayed. Click Clear All to clear all selections.

• Used In - Select a component to filter the display by component, such as the Enforcement page or Dashboard.

• Created By - Select one or more users. The system returns all relevant queries.

• Adapter - Select one or more adapters to filter. The system returns all relevant queries using the selected adapters.

• Folder Path - Select one or more query paths inside the parent folder.

• Last used by user from date - Last used by user to date - Click the Date Range picker to filter the date queries were run by.

  • Select two dates to set the date range for which queries will be displayed.
  • To filter queries only for a specific date, select the same date twice.
  • Click Select Time in the date range picker to include specific times in the date range.
  • Click OK to set the Date Range filter.

Click Reset to clear the search and filters.

Sorting Queries

You can sort queries to see where they are used. Click on the following column titles to sort by that title.

• Name
• Module
• Tags
• Access
• Last Used by User
• Last Updated
• Updated by
• Created by
• Folder Path

Saved Query Actions

Deleting Queries

To delete queries

1. On the Queries page, select one or more queries. When at least one query is selected, the Actions button is displayed above the Saved Queries table.

2. Select Delete to delete one or more queries.

Or delete queries from the Saved Queries drawer.

Tagging Queries

You can add tags to one or more queries. You can't tag predefined queries, only queries created by users.

1. On the Queries page, select one or more queries. When at least one query is selected, the Actions button is displayed above the Saved Queries table.

2. Select Tag to tag one or more queries. The Tag Saved Queries dialog opens.
   

3. Select a tag from the dropdown list of tags available in the system, or start typing to add a new tag. The list of tags used in queries is the same across the entire system. When you add a new tag, click Add New to add the tag to the system.

6. Click Save.

Moving to a Folder

You can move one or more queries to a different folder. Moving Queries

Editing the Query Column Display

Your system comes with a set of pre-defined columns in each asset table that determines which columns are displayed on the asset page and asset list view. The Column view is set on each asset page separately and displays columns appropriate for that asset.

You can edit the columns displayed for a group of queries. Note that you can also edit the Query column display for a single query, from the relevant asset page. Refer to Changing Columns Displayed.

1. Select one or more queries. They should be queries on the same module.
   

2. From the Action menu, select Edit Query Column Display. The Edit Columns dialog opens.

3. Select the fields you want to add, and click Add.
4. Alternatively, select the fields you want to remove from the display and click Remove. Editing columns overrides the existing columns displayed in these queries and any data refinements set for the columns, and sets a new columns display.

The columns you selected are now saved as part of the queries you selected. The Query drawer displays the columns that are displayed as part of the saved query.

Creating an Enforcement Set

You can create an enforcement set directly from a query.

1. Select a query.
2. From the Actions menu select Create Enforcement Set.

The Enforcement Set Configuration page opens. For more details, see Creating Enforcement Sets.

Duplicating Queries

If you want to work with or create similar queries, you can duplicate queries either from the Queries page or from the Query Drawer.

From the Queries Page

1. Click (Queries icon) on the left navigation panel. The Queries page opens.
2. Select the checkbox next to the query you want to duplicate.
3. From the Actions menu, select Duplicate. The Copy of Query Name dialog opens.

4. Edit the query as required.

5. Click Save. The Query drawer opens in review mode.

6. Click Run Query to run the new query.
   The new query now appears in the Queries page.

From the Query Drawer

You can also duplicate a query from the Query Drawer.

1. From the Queries page, click on a query that you want to duplicate. The Query Drawer opens.
2. From the top row, click . The Copy of Query Name dialog opens.
3. Edit the query as required.
4. When done, click Save. The new query is saved.

Viewing and Editing Query Details

Use Saved Query drawer to view query details, edit them, and perform actions on the query.

On the Queries page, click a saved query record to view its details; the Saved Query drawer opens. When you open a query saved in AQL format it is displayed in the Query Wizard in AQL format.
You can view and edit the following saved query details:

Click to edit the following query details

• Name
• Description (optional, limited to 300 characters)
• Tags
• Always keep Cached
• View the following saved query details:
  • Query Wizard expressions
  • Last updated
  • Updated by

Viewing Saved Queries

When a saved query is based on one or more saved query, you can see the details of the saved query.
Mouse over a saved query nested in another query. An expand arrow is displayed.

Click the expand arrow, the details of the nested saved query are displayed.

You can continue to expand nested queries as required. The number of queries which can be expanded may depend on screen size and resolution, a message is displayed when you can't expand any more queries. You can use the arrow to collapse the query display.

Actions on Saved Queries

In addition, you can perform the following actions:

• Click Run Query to run the query and display the results in the asset page.

• Click to open the query history runs of this query in the Query History page.

• Click Copy Query Link to copy the link to the query and share it with others.

• Click New Enforcement to create a new Enforcement Set using the saved query to select the assets. The Enforcement Set Configuration page opens. For more details, see Creating Enforcement Sets.

• Click Set access to public on private saved queries to set the access to public. Changing the access of a saved query to public will make it publicly available to all users and cannot be reset to private.

• Keep saved query always cached - The Keep always cached checkbox lets you keep a saved query always cached.

  • If enabled, the saved query will always be cached. The saved query will be executed and cached each TTL interval defined in Cache Settings.
  • If disabled, the saved query will not be always cached.
  • This checkbox is only visible when Caching is enabled in the system.

• Click Delete to delete the saved query.

Analyzing Query Results

You can run a query and analyze the results in the Data Analytics page.

1. Select a query and, from the Actions menu, select Analyze. The query is run and the results opened in the Data Analytics page. See Analyzing Query Data - Creating Data Analytics Reports for more about using the Data Analytics page.