Version: 25.10 (Latest)

Saved Queries

The Saved Queries tab allows you to create and manage reusable queries primarily for policy exclusions. These queries define exclusion criteria that can be reused across multiple Protection and Inspection policies.

Adding a New Saved Query

  1. Navigate to Object Management > Saved Queries.
  2. Click the Create new button in the top-right corner.
  3. Select Create new query on the Import or create query pop-up window.
  4. Enter a descriptive Name and an optional Description for your query.
  5. Define your query criteria using the search builder interface.
  6. Use the Live Preview section to see a real-time count of events matching your criteria over the past 7 days.
  7. Click Save to create the query. It will now be available for use as a policy exclusion.

Editing and Managing Saved Queries

Editing a Saved Query

  1. Navigate to Object Management > Saved Queries.
  2. In the table, find the query you want to edit and click the Actions menu (three dots).
  3. Select Details.
  4. Modify the query's name, description, or criteria as needed.
  5. Use the Live Preview to monitor how your changes affect the query results.
  6. Click Save to apply your changes.

Changes to a saved query will immediately affect all policies where it is applied as an exclusion.

Other Actions

  • Duplicate: To create a copy of a query, select Duplicate from the Actions menu.
  • Delete: To permanently delete a query, select Delete from the Actions menu.

Note

You cannot delete a query that is currently in use within a policy.

Critical Policy Exclusion Requirement

  • This feature requires endpoint sensor version 25.09.01 or later.
  • Policies with saved query exclusions cannot be saved if any sensors in the environment are running older versions.
  • The console automatically validates sensor versions when attempting to save policies that include saved query exclusions.