Create a Saved Search
Intel Exchange enables analysts to save the frequently searched threat data elements and the CQL queries. As an analyst, when you save a search, it allows you to easily access the target results and save time. You can share a saved search globally, allowing other users to directly access the targeted results.
Before you Start
Ensure that you have the View Threat Data permission to view the Threat Data module and create saved searches.
Create a Saved Search Using Filters
Create a saved search using filters, such as the object type, source, source collections, published collections, created on, TLP, tags, and more.
Steps
To create a saved search using filters, follow these steps:
From Main Menu, open Threat Data under Collection.
Select Filters on the right side of the page.
Select from the required filter types on the left side of the page.
Click Save Search and enter a title.
To make the saved search available to everyone, select Share it globally.
Click Save.
Create a Saved Search Using CQL Queries
Create a saved search by writing CQL queries to analyze huge volumes of data efficiently and obtain faster results.
Steps
To create a saved search using CQL queries, follow these steps:
From Main Menu, open Threat Data under Collection.
Select CQL on the right side of the page.
Place the cursor in the search bar and enter a CQL query.
For example, you want to search for indicators coming from import, you write the following query: 'Object Type' = "Indicator" AND 'Source' = "Import".
For more information, refer to Cyware Query Language (CQL) and Learn CQL Syntax.
Click search and click Save Search on the right side of the page.
To create a new search, select Create New and enter a title.
To overwrite an existing saved search, select Overwrite Existing and enter a title.
To make the saved search available to everyone, select Share it globally.
Note
Read-only users can only create private saved search queries and cannot share them with other Intel Exchange users.
Click Save.
Manage a Saved Search
To manage a saved search, follow these steps:
From Main Menu, open Threat Data under Collection.
Click Switch To Saved Search on the left side of the page.
In the saved searches list, locate the required saved search.
For personal saved searches, you can rename, remove, share globally, and set them as default.
For saved searches shared by other users, you can view and use them. You can also set them as default, but you cannot rename or remove them.
Click the ellipsis(...) next to the saved search, and select one of the following:
Rename: Updates the name of the saved search.
Remove: Deletes the saved search.
Share it globally: Makes the saved search available to all Intel Exchange users.
Mark as Default: Sets the saved search as your default. The selected search is automatically applied when you open the Threat Data page. Only one saved search can be set as the default at a time.
To pin a saved search, click the Pin icon.
Note
Read-only users can create personal saved searches but cannot share them.
Saved searches shared by other users are read-only and cannot be modified or deleted.