
The Query Builder

Start exploring your data with the Query Builder: hunt for threats, compute analytics, and build dashboards and reports from the results. The Query Builder is a simple tool for composing queries that explore your data effectively.

Overview

With the Query Builder you can filter and aggregate data to extract new insights that support informed decisions. It can also render query results as various types of charts, which enriches your reporting capabilities.


Currently, the following data sources are available:

  • Alerts: Monitor and analyze security alerts.
  • Events: Query raw telemetry and logs.
  • Cases: Analyze investigation workflows and case management metrics.

Future updates will introduce more sources to expand your investigation capabilities.

Query modes

The Query Builder provides two distinct ways to interact with your data:

  • Form mode: A wizard-like interface built from dropdowns and buttons. It is ideal for quick explorations and for users unfamiliar with query languages.
  • Code mode (default): An editor for SOL (Sekoia.io Query Language). This mode offers maximum precision, complex filtering, and advanced logic that the wizard may not cover.

Key use cases

  • Threat hunting: Search for specific indicators of compromise across your telemetry.
  • Security analytics: Aggregate logs to identify patterns or anomalies in user behavior.
  • Operational reporting: Power your dashboards with real-time queries to track SOC performance.
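The first two use cases above, matching telemetry against indicators of compromise and aggregating events per user to surface anomalies, are the kind of filter-and-aggregate work the Query Builder performs. The following is an added illustration in Python, not SOL and not Sekoia.io code, that runs the same two operations over a handful of constructed JSON event lines. The field names (`user`, `action`, `src_ip`, `outcome`), the indicator list and the threshold are assumptions chosen for the example.

```python
import json
from collections import Counter

# Constructed sample telemetry (not real Sekoia.io events): one JSON object per line.
SAMPLE_EVENTS = """
{"timestamp":"2024-05-01T08:00:00Z","user":"alice","action":"login","src_ip":"10.0.0.5","outcome":"success"}
{"timestamp":"2024-05-01T08:01:10Z","user":"bob","action":"login","src_ip":"10.0.0.9","outcome":"failure"}
{"timestamp":"2024-05-01T08:01:15Z","user":"bob","action":"login","src_ip":"10.0.0.9","outcome":"failure"}
{"timestamp":"2024-05-01T08:01:20Z","user":"bob","action":"login","src_ip":"10.0.0.9","outcome":"failure"}
{"timestamp":"2024-05-01T08:01:25Z","user":"bob","action":"login","src_ip":"10.0.0.9","outcome":"failure"}
{"timestamp":"2024-05-01T08:02:00Z","user":"carol","action":"login","src_ip":"10.0.0.12","outcome":"failure"}
{"timestamp":"2024-05-01T08:03:00Z","user":"dave","action":"login","src_ip":"198.51.100.23","outcome":"success"}
{"timestamp":"2024-05-01T08:04:00Z","user":"dave","action":"file_read","src_ip":"198.51.100.23","outcome":"success"}
"""

# Constructed indicator list: source IPs we want to hunt for across the telemetry.
IOC_IPS = {"198.51.100.23"}


def parse_events(raw):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def hunt_iocs(events, ioc_ips):
    """Threat hunting: return every event whose source IP matches an indicator."""
    return [e for e in events if e.get("src_ip") in ioc_ips]


def failed_logins_per_user(events):
    """Security analytics: aggregate failed login attempts per user."""
    counts = Counter()
    for e in events:
        if e.get("action") == "login" and e.get("outcome") == "failure":
            counts[e["user"]] += 1
    return counts


def flag_anomalies(counts, threshold):
    """Return users whose failed-login count reaches the (assumed) threshold, sorted."""
    return sorted(user for user, n in counts.items() if n >= threshold)


EVENTS = parse_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    for hit in hunt_iocs(EVENTS, IOC_IPS):
        print("IoC hit:", hit["timestamp"], hit["user"], hit["src_ip"])
    print("Failed logins:", dict(failed_logins_per_user(EVENTS)))
    print("Anomalous users:", flag_anomalies(failed_logins_per_user(EVENTS), 3))
```

The two IoC hits both belong to `dave`, and only `bob` crosses the failed-login threshold; `carol`'s single failure stays below it. In the Query Builder, the equivalent work is a filter on the indicator field plus a group-by aggregation on the user field, with the resulting counts feeding a chart or dashboard widget.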