Kaspersky Unified Monitoring and Analysis Platform

Limiting the complexity of queries in alert investigation mode

April 8, 2024

ID 230248

When investigating an alert, the complexity of SQL queries for event filtering is limited if the Related to alert option is selected in the EventSelector drop-down list. If this is the case, only the functions and operators listed below are available for event filtering.

If the All events option is selected from the EventSelector drop-down list, these limitations are not applied.

  • SELECT
    • The * character is used as a wildcard to represent any number of characters.
  • WHERE
    • AND, OR, NOT, =, !=, >, >=, <, <=
    • IN
    • BETWEEN
    • LIKE
    • inSubnet

    Examples:

    • WHERE Type IN ('Base', 'Correlated')
    • WHERE BytesIn BETWEEN 1000 AND 2000
    • WHERE Message LIKE '%ssh:%'
    • WHERE inSubnet(DeviceAddress, '10.0.0.1/24')
  • ORDER BY

    Sorting can be done by column.

  • OFFSET

    Skip the indicated number of lines before printing the query results output.

  • LIMIT

    The default value is 250.

    If you are filtering events by a user-defined period and the number of rows in the search results exceeds the defined value, you can click the Show next records button to display additional rows in the table. This button is not displayed when filtering events by the standard period.

When filtering by alert-related events in alert investigation mode, you cannot perform operations on the data of event fields or assign names to the columns of displayed data.
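The subset above is a small allowlist: one function (inSubnet), six comparison operators, a handful of clauses, and no aliasing or field arithmetic. The checker below is an added example, not KUMA's own code or the platform's enforcement logic; it shows how such an allowlist can be validated before a query is saved or shared, for instance when reviewing saved searches for use in investigation mode. The allowed functions, operators and clauses come from this page; the set of rejected clauses (GROUP BY, JOIN, UNION and so on), the regular-expression approach and the function name `check_query` are assumptions made for the example.

```python
import re

# From the page: what "Related to alert" mode permits.
ALLOWED_FUNCTIONS = {"insubnet"}
ALLOWED_OPERATORS = {"=", "!=", ">", ">=", "<", "<="}
# Keywords that may legitimately precede an opening parenthesis.
KEYWORDS = {"select", "from", "where", "and", "or", "not", "in", "between",
            "like", "order", "by", "asc", "desc", "offset", "limit"}
# Assumed for this example: clauses outside SELECT/WHERE/ORDER BY/OFFSET/LIMIT.
DISALLOWED_CLAUSES = {"group", "having", "join", "union", "distinct", "case", "with"}

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_FUNCTION_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
_OPERATOR = re.compile(r"[=!<>]+")
_ALIAS = re.compile(r"\bAS\s+[A-Za-z_]", re.IGNORECASE)
# An operand followed by + - * / % and another operand, e.g. BytesIn + BytesOut.
_ARITHMETIC = re.compile(r"[\w)]\s*[+\-*/%]\s*[\w(]")
_WORD = re.compile(r"\b[A-Za-z_]\w*\b")


def check_query(sql: str) -> list[str]:
    """Return the violations found; an empty list means the query stays in the subset."""
    problems: list[str] = []
    # Blank out string literals first so '%ssh:%' or '10.0.0.1/24' are never inspected.
    text = _STRING_LITERAL.sub("'?'", sql)
    # "SELECT *" is the one legitimate use of *, so neutralise it before the arithmetic check.
    text = re.sub(r"\bSELECT\s+\*", "SELECT", text, flags=re.IGNORECASE)

    # 1. Only inSubnet may be called; "IN (" and "NOT (" are keywords, not calls.
    for m in _FUNCTION_CALL.finditer(text):
        name = m.group(1)
        if name.lower() not in ALLOWED_FUNCTIONS and name.lower() not in KEYWORDS:
            problems.append(f"function not allowed: {name}")

    # 2. Comparison operators must be one of the six listed (rejects <>, ==, etc.).
    for m in _OPERATOR.finditer(text):
        if m.group(0) not in ALLOWED_OPERATORS:
            problems.append(f"operator not allowed: {m.group(0)}")

    # 3. Columns cannot be renamed.
    if _ALIAS.search(text):
        problems.append("column aliases are not allowed")

    # 4. No operations on event field data.
    if _ARITHMETIC.search(text):
        problems.append("arithmetic on event fields is not allowed")

    # 5. No clauses beyond the permitted set.
    for word in _WORD.findall(text):
        if word.lower() in DISALLOWED_CLAUSES:
            problems.append(f"clause not allowed: {word.upper()}")

    return problems


if __name__ == "__main__":
    # Constructed sample queries: the first three follow the page's examples.
    samples = [
        "SELECT * FROM events WHERE Type IN ('Base', 'Correlated') ORDER BY Timestamp LIMIT 250",
        "SELECT * FROM events WHERE BytesIn BETWEEN 1000 AND 2000",
        "SELECT * FROM events WHERE inSubnet(DeviceAddress, '10.0.0.1/24') OFFSET 250 LIMIT 250",
        "SELECT Name AS n FROM events",
        "SELECT * FROM events WHERE lower(Message) LIKE '%ssh:%'",
        "SELECT BytesIn + BytesOut FROM events",
    ]
    for q in samples:
        print(q, "->", check_query(q) or "ok")
```

String literals are blanked before any pattern runs, so a search term such as '%a+b%' is never mistaken for arithmetic. Negative numeric literals directly after a keyword (BETWEEN -5 AND 2) will be flagged by the arithmetic rule; that is the conservative side to err on for an allowlist.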
