Queries

Query objects (a query bundled with additional metadata, such as its parameters and field list) are the basis for designing reports. Logger Reporting provides a set of pre-built query objects, which underlie the System-defined Reports and Solutions Reports that address common security use cases.

You can browse or select query objects in Explorer. See Reports Explorer. You can use a provided query object as is, use it as the basis for your own reports, or design new query objects on the Query Object List page, either from scratch or starting from an existing query object.

Note: Some queries may require parameters. We recommend first designing all needed parameter objects before creating the query object that will use those parameter objects.

For information on developing parameter objects, see Parameters.

For instructions on how to view a list of the default search fields, see Default Fields. For information about custom schema fields added to the default schema, see Adding Fields to the Schema.

Reports that directly invoke SQL queries can use the standard insubnet SQL function to filter on IP address fields. The first argument is the subnet as a string and the second is the address column to test: insubnet( "subnet string", address_column )
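As an added example (not from the product documentation or a shipped query object), the following SQL report query uses insubnet to find events whose source is inside an internal address range but whose destination is not, a common first cut at spotting outbound traffic from a monitored network. It assumes an events table with sourceAddress, destinationAddress and deviceVendor columns, CIDR notation for the subnet string, and the double-quoted string form shown above; check these against your Logger schema (see Default Fields) before using it.

```sql
-- Added example; table and column names (events, sourceAddress, destinationAddress,
-- deviceVendor) and the CIDR subnet format are assumptions, not taken from the page.
SELECT sourceAddress,
       destinationAddress,
       deviceVendor,
       COUNT(*) AS event_count
FROM events
-- Keep only events originating inside the internal range ...
WHERE insubnet( "10.0.0.0/8", sourceAddress )
-- ... that are bound for an address outside that same range.
  AND NOT insubnet( "10.0.0.0/8", destinationAddress )
GROUP BY sourceAddress, destinationAddress, deviceVendor
ORDER BY event_count DESC;
```

If the internal range is likely to change, define the subnet string as a parameter object and bind it to the first insubnet argument rather than hard-coding it in the query object.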

Caution: Modifications to reports and other ArcSight-defined content may be overwritten without warning when that content is upgraded. Do not modify ArcSight-defined content directly.

Make modifications to a copy of any ArcSight-defined content as a general practice, and subsequent upgrades will not affect the modifications.

This topic explains how to design new query objects (either from scratch or based on existing ones).