You can create, run, and edit a saved search for Ariel Query Language (AQL), Kusto Query
Language (KQL), and STIX queries. Saved searches allow security analysts to share and reuse search
queries, saving time and effort.
Procedure
- Go to .
- From the query type list, select Federated (STIX),
QRadar (AQL), or Logs/Alerts (KQL).
- Create your query by following the instructions in Building search queries.
- Click Save search.
- Complete the fields, click Next, review the search query, and then
click Save.
- To view saved searches, click the Saved searches tab on the
Data Explorer - Search page.
- Click the column header to sort the list.
- Click the Play icon to run the selected saved search.
- Optional: Click More options to take one of the following actions.
  - Load in builder: Open the query builder with the selected saved search to edit or run the query.
  - Edit: Edit the properties of the selected saved search, such as name, description, and comments.
  - Duplicate: Create a direct copy of the selected saved search.
  - Delete: Remove the selected saved search.
Note: You cannot edit or delete a System saved search.