Query Creation and Management
Where Can I Use This?
  • Device Security (Managed by Strata Cloud Manager)
What Do I Need?
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
  • Device Security X subscription
Device Security Query Builder provides advanced search and filter capabilities to find devices, alerts, and vulnerabilities across your network infrastructure. Use the Query Builder when you need to identify particular assets based on complex criteria that go beyond basic filtering, such as matching multiple attributes or excluding assets with certain values in an attribute field.
The Query Builder replaces traditional filtering with an interface similar to SQL, supporting multiple operators, comparisons, and wildcard matching. Various features in Device Security use the Query Builder, such as searching the inventories, defining Custom Alert Rules, and configuring Custom Widgets for Custom Dashboards.
From the Query Library, you can create queries that span multiple domains, combining device attributes with alert severity levels or vulnerability data for granular security assessments. Device Security supports up to two domains per query and provides autocomplete functionality to help you construct valid queries. Save your queries to view them in the Query Library, or to reuse them when searching in the inventories or when building custom widgets and dashboards. You can also modify a saved query to run on a recurring schedule, with the results stored and downloadable in the Query Log.
The enhanced Query Builder is only available for Device Security in Strata Cloud Manager, under the Queries tab.

Structure of a Query

All queries start with a primary domain. You then specify domain-specific attributes and attribute values to narrow down the query. The domain corresponds to one of the three main inventories in Device Security:
  • Devices
  • Alerts
  • Vulnerabilities
When you build a query using the global query bar on the Devices, Alerts, or Vulnerabilities inventory page, that page determines the default domain. If you change the domain and run the query, the page switches to the related inventory page. If you create a query from the Query Library, you can choose the domain and even build a multi-domain query.
The attributes available for your query depend on what domain you choose. For example, if you choose the device domain, you can specify MAC address as an attribute, but you can't use MAC address as an attribute for the alert domain. The attributes available for your query also include third-party attributes for any active third-party integration.
For each attribute, you can choose the specific values you want to match with or against, using the operators that the attribute supports.
  • Logical Operators: AND, OR
  • Equality/Comparison Operators: =, !=, >, <, >=, <=
  • Set Operators: IN, NOT IN, EXISTS
  • String Operators: STARTS WITH, ENDS WITH, CONTAINS
    String operators match partial strings and are case-insensitive. For example, a search for "Alert Title" CONTAINS "connection" would match all of the following:
    • Ssl connection to risky Internet site detected
    • Excessive external connections detected
    • Connection to malicious host
    • Unsecure outbound ftp connections to Internet
For some attributes, you can define a list of values as the matching criteria. The query builder will return results that match any of the values in the list. You can also select an attribute multiple times if you want to use different operators.
The following example query finds all devices with either iOS or Windows as their OS, and it finds all devices with a Profile name that contains "Rockwell", as long as the Profile name is not "Rockwell Automation HMI."
"OS" IN ("iOS", "Windows") OR "Profile" CONTAINS "Rockwell" AND "Profile" != "Rockwell Automation HMI"
Creating a query from the Query Library also lets you make a multi-domain query. If your primary domain is Device, you can choose Alert or Vulnerability as a secondary domain to further narrow down your query. In this case, the table will display all devices that meet your primary domain matching criteria, and the results are further pared down to devices that are affected by alerts or vulnerabilities that match your secondary domain matching criteria.
The following example of a primary domain query finds all devices with the "Windows" operating system:
SHOW Devices WHERE "OS" = "Windows"
The following example of a query with an added secondary domain finds all devices that have the "iPad" profile and that either aren't joined to an AD domain or don't have a high confidence level. Additionally, the results are limited to such devices that also have vulnerabilities that are exploited in the wild with no identified patch.
SHOW Devices WHERE "Profile" = "iPad" AND ( "AD Join Status" != "No" OR "Confidence Level" != "High" ) FROM Vulnerabilities WHERE "Exploit Status" = "Exploited in the Wild" AND "Patch Identified" = "No"
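To make the operator semantics and precedence described above concrete, here is an added Python model of the WHERE-clause grammar (quoted attributes and values, the logical, comparison, set and string operators, and parentheses). It is example code written for this page, not the Query Builder's own implementation; it evaluates a single-domain WHERE clause over records supplied as dicts (the SHOW and FROM multi-domain parts are not modelled), and it assumes that = and != are exact, case-sensitive matches, which the page does not state.

```python
import re
from typing import Callable, List, Tuple

# Tokens: STR = double-quoted attribute or value, SYM = punctuation or comparison, KW = bare word/number.
TOKEN_RE = re.compile(r'"([^"]*)"|(\(|\)|,|!=|>=|<=|=|>|<)|([\w.]+)')

def compare(op: str, actual, expected: str) -> bool:
    if actual is None:                      # attribute absent from the record: never matches
        return False
    if op in (">", "<", ">=", "<="):
        a, e = float(actual), float(expected)
        return {">": a > e, "<": a < e, ">=": a >= e, "<=": a <= e}[op]
    if op in ("=", "!="):                   # assumption: equality is an exact, case-sensitive match
        return (str(actual) == expected) == (op == "=")
    a, e = str(actual).lower(), expected.lower()   # string operators: partial and case-insensitive
    return {"CONTAINS": e in a, "STARTS WITH": a.startswith(e), "ENDS WITH": a.endswith(e)}[op]

class QueryParser:   # recursive descent over a WHERE clause: AND binds tighter than OR, parentheses override
    def __init__(self, query: str):         # self.toks holds the remaining tokens; take() consumes the front
        self.toks: List[Tuple[str, str]] = [("STR", m[1]) if m[1] is not None else ("SYM", m[2]) if m[2]
                                            else ("KW", m[3].upper()) for m in TOKEN_RE.finditer(query)]
        self.toks.append(("END", ""))
    def take(self) -> str:
        return self.toks.pop(0)[1]
    def parse_or(self) -> Callable[[dict], bool]:
        left = self.parse_and()
        while self.toks[0] == ("KW", "OR"):
            self.take(); left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, self.parse_and())
        return left
    def parse_and(self) -> Callable[[dict], bool]:
        left = self.parse_term()
        while self.toks[0] == ("KW", "AND"):
            self.take(); left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, self.parse_term())
        return left
    def parse_term(self) -> Callable[[dict], bool]:
        if self.toks[0] == ("SYM", "("):                 # '(' <or-expr> ')'
            self.take(); pred = self.parse_or(); self.take()
            return pred
        attr, op = self.take(), self.take()
        if op in ("NOT", "STARTS", "ENDS"):              # two-word operators: NOT IN, STARTS WITH, ENDS WITH
            op = f"{op} {self.take()}"
        if op in ("IN", "NOT IN"):                       # '(' value {',' value} ')'
            self.take(); values = [self.take()]
            while self.take() == ",":
                values.append(self.take())
            return lambda rec: (str(rec.get(attr)) in values) == (op == "IN")
        value = self.take()
        return lambda rec: compare(op, rec.get(attr), value)

def run_query(where_clause: str, records: List[dict]) -> List[dict]:
    return [r for r in records if QueryParser(where_clause).parse_or()(r)]
```

Running the page's first example clause through run_query against a handful of constructed device records shows why a device with OS "Windows" and profile "Rockwell Automation HMI" is still returned: the AND group binds first, and the IN clause then matches on its own through the OR.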