Use cases for parameters in AQL-based widgets
Parameters make it simple to reuse common values in multiple AQL queries, so widgets are easier to create and share. You no longer need to write a separate query for each similar entity: every query that references the parameter automatically picks up its value.
Use parameters to represent common entities, such as the IP address of your console. For example, rather than typing the same IP address into each query of every relevant chart, add it once to the Console_IP parameter. Any workspace widgets that use that parameter are updated instantly.
Search events for a specific user
You're a senior analyst in a SOC and want to investigate suspicious behavior by one of your users, Bob. Build a dashboard that captures the information you need when Bob does something malicious; for example, how many logins are associated with Bob in the last hour? Create parameters for username, events per user, time period, time value, sourceip, and destinationip.
Include widgets that cover the top event categories, top 10 log sources, location of events, events per user, and time of day. When you export and share the dashboard with others, they can replace Bob's user name with the user name of their choice.
Investigate events during specific time periods
In a time series chart, you see a large spike in the number of login failure events. Change the time period and run the query again to find when the spike started. For example, if you change the time period from the last 4 days to the last 30 days, can you see when the spike began?
Sharing dashboards with others
Your team shares responsibility for managing several managed hosts around the world. You create a dashboard that monitors specific servers for various health metrics, such as top disk usage and disk usage distribution. Create a parameter for servername, and then share the dashboard with your colleagues. All that they need to do is add the server names that they monitor to the parameter values, and they get results specific to their servers.
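The three use cases above share one mechanism: a parameter value is substituted into every widget query that references it. The following Python is an added example, not code from the Pulse app or its documentation. It renders a small set of widget templates from one parameter set and validates each value by its declared type before substitution. The {name} placeholder syntax, the query texts, the 'User Login Failure' category name and the parameter values are this example's own assumptions; the point it adds is that when a shared dashboard's parameter values are typed by someone else, typing each parameter (IP address, positive integer, fixed time unit, restricted name) keeps a stray quote or keyword from altering the AQL that runs.

```python
"""Render parameterised AQL widget queries from one set of parameter values.

The {name} placeholder syntax and the query texts are this example's own
convention; they are not taken from the Pulse app or its documentation.
"""
import ipaddress
import re
from string import Formatter

ALLOWED_TIME_PERIODS = {"MINUTES", "HOURS", "DAYS"}
# Usernames and server names: letters, digits and a few separators, 1-64 chars.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._@\\ -]{1,64}$")

# Widget templates (constructed for this example). Each one references only
# the parameters it needs, so one value (e.g. username) flows into every
# widget that uses it.
WIDGET_TEMPLATES = {
    "events_per_user": (
        "SELECT username, COUNT(*) AS event_count FROM events "
        "WHERE username = {username} GROUP BY username "
        "LAST {time_value} {time_period}"
    ),
    # 'User Login Failure' is an assumed category name for illustration.
    "login_failures": (
        "SELECT COUNT(*) AS login_failures FROM events "
        "WHERE CATEGORYNAME(category) = 'User Login Failure' "
        "AND username = {username} LAST {time_value} {time_period}"
    ),
    "console_traffic": (
        "SELECT sourceip, destinationip, COUNT(*) AS hits FROM events "
        "WHERE sourceip = {sourceip} AND destinationip = {destinationip} "
        "GROUP BY sourceip, destinationip LAST {time_value} {time_period}"
    ),
    "server_events": (
        "SELECT logsourceid, LOGSOURCENAME(logsourceid) AS server, "
        "COUNT(*) AS event_count FROM events "
        "WHERE LOGSOURCENAME(logsourceid) = {servername} "
        "GROUP BY logsourceid LAST {time_value} {time_period}"
    ),
}


def _quote(value: str) -> str:
    """Wrap a value as an AQL single-quoted string, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def render_param(name: str, value) -> str:
    """Validate one parameter by its declared type and return the AQL literal.

    Raises ValueError when the value does not fit the type, so a stray quote
    or an unexpected keyword in a shared dashboard's parameter list can never
    change the shape of the query.
    """
    if name in ("sourceip", "destinationip"):
        return _quote(str(ipaddress.ip_address(str(value))))  # ValueError if not an IP
    if name == "time_value":
        n = int(value)  # ValueError if not an integer
        if n <= 0:
            raise ValueError(f"time_value must be positive, got {value!r}")
        return str(n)
    if name == "time_period":
        period = str(value).upper()
        if period not in ALLOWED_TIME_PERIODS:
            raise ValueError(f"time_period must be one of {sorted(ALLOWED_TIME_PERIODS)}")
        return period
    if name in ("username", "servername"):
        if not SAFE_NAME.match(str(value)):
            raise ValueError(f"{name} contains characters outside the allowed set")
        return _quote(str(value))
    raise ValueError(f"unknown parameter {name!r}")


def placeholders(template: str) -> list:
    """Return the parameter names a template references, in order."""
    return [field for _, field, _, _ in Formatter().parse(template) if field]


def render(template: str, params: dict) -> str:
    """Substitute validated parameter literals into one template."""
    rendered = {name: render_param(name, params[name]) for name in placeholders(template)}
    return template.format(**rendered)


def param_is_valid(name: str, value) -> bool:
    """True when the value would be accepted for the named parameter."""
    try:
        render_param(name, value)
        return True
    except ValueError:
        return False


def build_dashboard(params: dict) -> dict:
    """Render every widget whose parameters are all present in params."""
    return {
        widget: render(template, params)
        for widget, template in WIDGET_TEMPLATES.items()
        if all(name in params for name in placeholders(template))
    }


if __name__ == "__main__":
    # Constructed parameter values for the SOC use case: Bob, last hour.
    for widget, aql in build_dashboard(
        {"username": "Bob", "time_value": 1, "time_period": "hours"}
    ).items():
        print(f"{widget}: {aql}")
    # The same widgets re-rendered for another analyst's user and a 30-day window.
    for widget, aql in build_dashboard(
        {"username": "Alice", "time_value": 30, "time_period": "days"}
    ).items():
        print(f"{widget}: {aql}")
```

Changing only the parameter dictionary re-renders every widget that references it, which is the reuse the page describes; the validation step is what makes accepting parameter values from a shared dashboard safe to do.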