Visual editor

Use the Visual editor to create powerful and flexible investigations without the need to write and master NQL and the NQL data model.

The Visual editor is a graphical NQL tool that allows you to:

• List and visualize collections of data such as users, devices, binaries or events.

• Add additional columns with various properties and metrics.

• Fine-tune the results using conditions and filters based on properties and metric values.

• Aggregate metrics and group them by various dimensions.

• Switch between the Visual editor and NQL editor, or use both modes to build queries.

Querying data using the Visual editor

1. Select Investigations from the main menu to create or edit an existing investigation.

2. Under the Visual editor, use the Display drop-down menu to select an option from the available data:

   • Objects tables such as Users, Devices and Binaries.

   • Events tables such as Execution crashes and Device performance events.

3. After choosing an option from the Display drop-down, a set of default columns appears in the results table.

   • The Visual editor displays the Devices results table by default.

   • The metrics in the Display drop-down under Campaigns and Remote actions have an extra drop-down to target specific campaigns and remote actions. See the image below.

   • When you select sampled event tables from the Display drop-down the Visual editor summarizes the results by default. Refer to Summarizing investigation results for more information.

   • To modify the columns in the results table, refer to the Adding fields, conditions and filters sections on this page.

Selecting connection events for Network view

Choosing Connection events from the Display drop-down of the Visual editor on the Investigations page enables the Network tab with a Network view visualization.

Adjusting the timeframe

From the Visual editor on the Investigations page, select a timeframe from the active during drop-down.

The timeframe is set to Past 7 days by default.

Unlike in the NQL editor, the timeframe selection is mandatory to query objects and events in the Visual editor.

Adding fields to an investigation

To change the displayed columns in the investigation results table from the Investigations page > Visual editor:

1. Click the Add field button in the Fields right-side panel to open the Add field pop-up.

2. Search for or choose field metrics and properties available from the source collections and associated collections.

   • The system organizes available metrics and properties into categories.

   • The system displays selected fields under Current fields. If needed, remove any field.

3. Depending on the selected field, the system opens a pop-up to Add condition. Refer to the Adding conditions to a field section on this page.

4. Click done to add all selected fields and subsequently, change the displayed columns in the Investigations results table. See the image below.

Switch to the NQL editor to check the active aggregation method. For example, the sum aggregation function applied to the selected metric for the number_of_crashes:

devices during past 7d
| include execution.crashes during past 7d
| compute number_of_crashes__0 = crash.number_of_crashes.sum()
| list device.entity, device.hardware.model, device.hardware.type, device.operating_system.name, number_of_crashes__0

Filtering investigation results

To filter investigation results in Visual Editor, you have the following options:

• Add filter button from the Visual editor on the Investigations page.

• Add filter option from a specific field's action menu in the right-side panel.

• Add filter option from the action menu of a selected cell in a results table to apply its value or property as a filter.

• Add filter option from the action menu of a column header.

Adding filters from the 'Add filter' button

Click on the Add filter button from the Visual editor on the Investigations page.

The example below describes the steps for adding a TCP filter to a Connection events investigation result:

1. Click the Add filter button from the Visual editor on the Investigations page to open the Add filter pop-up.

2. Select Connection events from the first drop-down.

3. Select or search Transport protocol from the second drop-down.

4. Select the is operation and add TCP as the item.

   • Optionally, add multiple conditions.

5. Click done to save the filter.

Adding filters from the field's action menu

• Click on the Add filter option from a specific field's action menu in the right-side panel of Visual editor.

• In the pop-up window, select the operator and the value to filter by.

Adding filters from the results cell

The example below describes the steps for adding a is '1' filter to the Total number of connections field directly from an investigation result item.

1. Right-click on the desired item metric value from the results table to open the action menu. In this example, the value of 1 under the Total number of connections field column.

2. From the Add filter… action menu of a selected item, click the is '1' and filter the entire field column to show that item value.

Adding filters from the results columns

The example below describes the steps for setting a filter value on the Total number of connections field directly from the Investigations field header.

From the Investigations page > Visual editor:

1. Right-click on the field column header from the results table to open the action menu. In this example, the Total number of connections field column from the Connection events investigation result.

2. Click the Add filter… option from the column header action menu to open the Set filter pop-up. Choose the condition operator and one or multiple values for the conditions. In this case, Is greater than '2'.

Editing or removing filters

The system lists added filters next to the Add filter button on the Investigations page. Right-click on an added filter to Edit or Remove the filter.

Adding conditions to a metric

The following steps show an example of adding condition values to the Incoming traffic field for different binaries:

1. Click the Add field button in the Fields right-side panel on the Investigations page > Visual editor to open the Add field pop-up.

2. In this example, you create two separate columns to display incoming traffic from the Skype and Zoom binaries. Therefore, you must repeat these steps for each binary:

   • Select the Incoming traffic field to add conditions on the Skype or Zoom binary.

   • Add condition(s) to restrict the metric value of Incoming traffic.

   • Save the condition-specific field under a unique Column name.

See the image below for a visual representation.

Field conditions considerations

• Adding multiple conditions automatically adds the and logical operator between them.

• Adding multiple metric values or properties to the same condition automatically adds the or logical operator.

• The autocomplete feature suggests existing property values. If needed, use wildcards:

  • * to substitute for zero or more characters

  • ? to substitute for zero or one character

Summarizing investigation results from the Visual editor

Summarize mode in the Visual editor allows you to aggregate and break down investigation metrics and properties into groups and time periods.

To activate summarize mode from the Investigations page > Visual editor, choose one of the following options:

• Enable the Summarize results toggle button in the Fields right-side panel.

• Right-click the column header from the Investigations results table to open the action menu and select the Summarize or Group by option.

The system uses the default aggregation function for each metric. The Visual editor does not currently support changing the default aggregation. Switch to NQL editor to edit the aggregation function.

Exit summarize mode by disabling the Summarize results toggle button.

Adding fields in summarize mode

When adding fields in summarize mode from the Investigations page > Visual editor, consider the following:

• The system adds properties of supported data types—string, UID, Boolean, enumeration, version—to the results list as a group by field.

• The system adds metrics to the results list and aggregates the data by default.

Adding filters when in summarize mode

When adding filters in summarize mode from the Investigations page > Visual editor, consider the following:

• Filters on properties used in group by are reflected in the results.

• Filters on metric numerical values still affect the Investigations results table after disabling the Summarize results toggle button.

Visualizing investigation results as a line chart in summarize mode

To see investigation results as a line chart visualization, from the Investigations page > Visual editor:

1. Enable the Summarize results toggle button in the Fields right-side panel.

2. Click on the eye icon in the Start time field in the right-side panel to show the results by days.

   • Adding the Start time field in the Visual editor is equivalent to querying the breakdown summarize... by 1d in the NQL editor. See the query below.

3. Once the summarized results are displayed by days, click the Toggle to chart view button.

campaign.responses during past 7d
| summarize no_of_users = user.count(), no_of_devices = device.count(), no_of_campaigns = campaign.campaign.name.count() by 1d
| list start_time, no_of_users, no_of_devices, no_of_campaigns

Visualizing investigation results as a bar chart in summarize mode

To see investigation results as a bar chart visualization, from the Investigations page > Visual editor:

1. Enable the Summarize results toggle button in the Fields right-side panel.

2. Open the Add field pop-up to break down the current summarized fields into properties. In this case, Hardware -> Product ID.

   • Adding the Hardware -> Product ID field in the Visual editor is equivalent to querying the breakdown summarize... by device.hardware.product_id in the NQL editor. See the query below.

3. Once the summarized breakdown is displayed, click the Toggle to chart view button.

devices during past 7d
| summarize no_of_devices = count() by device.hardware.model
| list no_of_devices, device.hardware.model

Switching from the Visual editor to the NQL editor

Investigations created in the Visual editor always have an associated NQL query that you can view by switching to the NQL editor tab, and vice-versa for supported cases.

The system alerts you if the Visual editor does not support modifications typed into the NQL editor.

Visual editor unsupported NQL statements

The following features are not supported by the Visual editor:

• Arithmetic operators.

• with statement—all metrics from associated events are added using include.

• sort statement on multiple columns.

• limit statement.

• as() function.

• contains comparator. For example: events during past 7d | where primary_physical_adapter . dns_ips contains 156.64.0.39 / 255

• custom_trend as source.

• Object association tables—linkages— that map the relationships between multiple objects, as source. For instance, installed_packages.

• Business-configured objects (BCO) as source. For example, a specific alert is unsupported—only remote actions and campaigns are supported.

• Changing aggregation of the metrics.

• Conditional aggregation and pseudo-aggregates.

The Visual editor loads and displays Advanced filters and complex conditions created in the NQL editor. This includes, for example, queries with or operators and nested and combinations. Switch back to the NQL editor to edit advanced filters.

RELATED TOPIC

• NQL editor

• Roles