Learn how to create Graph Search queries in Cortex Cloud.
Prerequisite
Graph Search requires View or View/Edit RBAC permissions for Graph Search under → .
Review the following topics:
Build Graph Search queries to search your assets and findings by their relationship types and map them out in a unified and understandable view. You can build Graph Search queries using the built-in query interface embedded in the Query Builder.
Select → → → .
From inside the Graph Search query interface at the top of the Graph Search page, click Select to open the entity picker dialog box.
Choose the assets and findings nodes that you want to query.
Keep in mind that multiple nodes are defined with an
ORrelationship between them. The top level node selection acts as the root of the query.To apply a condition to the assets or findings nodes that you've selected, click WHERE. Otherwise, skip to the next step.
Select the applicable field (termed node attribute), operator, and value for the condition you want to define. The operators and values change according to the node attribute (field) that you select. At each level of the query, the relationship between node attribute conditions is
AND. No other logical operator is available.To define a relationship between the assets or findings nodes already selected and a new node, click +.
Define the THAT statement by selecting the new assets and findings nodes that you want to relate to the other nodes.
To apply a condition to the new asset and findings nodes that you've selected, repeat step #4.
Repeat steps #5 to #7 until you've finished building your query logic.
When your query is complete, or at any time that you want to view the query results, click Search.
The Graph Search results are displayed in a graph format by default. You can toggle to Table to view the results in a table format. In addition, you can export the graph results using the icon at the top of the page to a PNG, SVG, or TSV file.
Tip
After running the query, you can view the complete query by hovering over the last THAT... in the Graph Search query interface, and the query is displayed in a tooltip.
If your query doesn't find any results or you want to change your query for any reason, you can always click anywhere in the Graph Search query interface, where your existing query is defined, to display the complete query, update your query, and rerun the search.
You can save your query to the Query Library by clicking Save Query.
Set these parameters:
Query Name: Specify a unique name for the Graph Search query. Query names must be unique in both private and shared lists, which includes other people’s queries.
Query Description (Optional): Specify a descriptive name for your Graph Search query.
Labels (Optional): Specify a label that is associated with your Graph Search query. You can add a label and then select Create Label, or select a label from the list, if any exist from a previous query. Adding a label to your Graph Search query enables you to search for queries using this label in the Query Library.
Share with others: You can either set the Graph Search query to be private and only accessible by you (default) or move the toggle to Share with others the query, so that other users using the same tenant can access the query in their Query Library.
Click Save.
A notification appears confirming that the query was saved successfully to the library, and closes on its own after a few seconds.
The Graph Search query that you added is now listed as the first entry in the Query Library.
Note
For more information about the Query Library, see Manage the Graph Search Query Library.