Skip to content

Filters: Creating and Editing Forensics Query

A query is a collection of one or more filters that let you select from a list of parameters to select user types, permissions, user scenarios or permission scenarios to analyze.


When searching for queries using the search bar, the results that are returned will only match words that start with the search term. Example: When typing "ser", that will match results like "server". It will not display results like "users".

  1. Select Clear All to clear the current filters and to clear the grid.
  2. Select + to add a filter to the query.
  3. Select a field to filter by from the Select Field dropdown menu and the filter criteria, according to the filed type and parameters.
  4. Select Save to add the filter line to the query or Cancel to start over.
  5. Add more filter lines by repeating these steps as required.

    For example:

    "Last login date older than 100 days and Password not required equals True”

  6. Select Apply to run the query.


For Permission Forensics, the data retrieved depends on the user scope of the user running the query. The data returned will only be within the applications and resources within each application the user has access to.


A query can be deleted only by the user who created it.

Search for Resources Using a Resource Tree

Add resources for the filter by navigating down the resource tree and selecting the requested branch.

  1. Open a new filter line.
  2. Select Resource from the Select Field dropdown list.
  3. Open the Select Resource dropdown menu to view the resource tree.

Save a Query

  1. Select Save. That will open a popup screen to enter the query name.
  2. Select Save or Cancel to continue.

Retrieve a Saved Query


If you select a saved query, the contents of your current query will be overwritten.

  1. Select Saved Queries.
  2. Select a query from one of the saved query lists:
    1. Recent – a list of your recently used queries. These queries are named and ordered by the timestamp.
    2. Saved – a list of queries saved by the user.
    3. Shared – a list of queries shared with the user.

Clicking on a query loads the filters and displayed columns for the query. A query object cannot be edited and changes made after loading a query do not impact the loaded query object. However, these changes can be saved in a new query.

Share a Query

Sharing a query makes it available in the query list for other users.

  1. Create a query as described above.
  2. Select Save.
  3. Type a name for the query.
  4. Type the name or part of a name of the user you want to share the query with.
  5. Select the user from the dropdown list.
  6. Select Save to save the query to your list and the assigned user’s query list.
  7. The query will be stored in the other user’s list under Shared.

Documentation Feedback