Custom Queries

Harmony Email & Collaboration stores the metadata of all items (emails, files, user logins, etc.) obtained through the public APIs of the protected cloud applications and inspected by the system.

• For harmless items, metadata is retained for two weeks.

• For malicious items, metadata is stored indefinitely.

Custom Queries provides direct access to the metadata database, and you can use them to:

• Troubleshoot

• Build custom reports

• Perform bulk action such as quarantining phishing emails

Managing Custom Queries

The Analytics Queries page shows a list of all custom queries in your environment.

To view the Analytics Queries page, click Analytics > Custom Queries.

Column	Description
SaaS	Logo of the SaaS application.
Status	Status of the query. Running Saved
Name	Displays the name of the query. Click on the query name to view the related query results.
Description	Description related to the query.
Matched	Number of matched query results.
Entity Type	Type of entity.
Severity	Severity level of the query. Low Medium High Critical
Create	The date and time when the alert was created.
Created By	The email address of the user who created the query.

Acting on Queries

• To create a new query, see Creating and Saving a New Query.

• To remove queries, select the required queries and click Remove Selected.

  In the Remove Queries pop-up that appears, click OK.

• To import query details, select the required queries and click Import a Query in the top-right corner.

• To export query details, select the required queries and click Export Selected in the top right corner.

Creating and Saving a New Query

You can create and save custom queries to analyze a specific SaaS application for immediate and future use.

To create and save a new query:

1. Access the Harmony Email & Collaboration Administrator Portal.

2. From the left navigation panel, go to Analytics > Custom Queries.

3. Click Create New Query.

   The system displays a list of available templates for each protected cloud application.

4. Select a required template for the new query.

   After you select a template, the system displays the query results with predefined columns.

5. Click Query Actions > Save As at the top-right corner.

   The Save Query pop-up appears.

6. In the Name field, enter the query name.

7. In the Description field, enter the relevant description.

8. From the Severity dropdown, select the severity level of the query.

9. Click Save.

Updating the Query Details

To update the query details:

1. Go to Analytics > Custom Queries.

2. Select a required query.

   After you select a query, the system displays the list of available query results.

3. Click Query Actions > Query Details.

4. In the Update Query Details pop-up that appears, update the details as required and click Save.

Exporting a Query Results

To export the query's results to your email address:

1. Go to Analytics > Custom Queries.

2. Select or create a query, see Creating and Saving a New Query.

   After you select a query, the system displays the list of available query results.

3. Click Query Actions > Export Results.

   The Export Query Results pop-up appears.

   

4. In the Email report to field, enter the email address.

5. In the File password field, enter the password.

6. From the Format dropdown, select the required file format.

   • CSV

   • JSON

   • XLSX

7. Click Export.

Scheduling an Export of Query Results

To schedule an export of query results to your email address:

1. Go to Analytics > Custom Queries.

2. Select or create a query, see Creating and Saving a New Query.

   After you select a query, the system displays the list of available query results.

3. Click Query Actions > Scheduled Export.

   The Scheduled Export pop-up appears.

   

4. In the Email report to field, enter the email address.

5. In the Password field, enter the password.

6. From the Format dropdown, select the required file format.

   • CSV

   • JSON

   • XLSX

7. From the Frequency dropdown, select the required option.

   • Daily

   • Weekly

   • Monthly

8. Click Save.

Modifying the Query Columns

After selecting a template, you can edit its predefined columns by adding or removing columns.

To modify the columns:

1. Go to Analytics > Custom Queries.

2. Select or create a query, see Creating and Saving a New Query.

   After you select a query, the system displays the list of available query results.

3. Click the Edit Columns icon to modify the columns as needed.

4. From the dropdown, select or unselect the required columns and click Apply.

Bulk Actions on Query Results

You can perform bulk remediation actions on the query results, such as quarantining, moving them to spam, or sending phishing alerts.

• If no items are selected in the query results, the action applies to all items.

• If you select some query results, the action applies only to those items.

To perform bulk actions on query results:

1. Go to Analytics > Custom Queries.

2. Select a required query.

   After you select a query, the system displays the list of available query results.

3. Select the required query results and click Group Actions.

4. To move the selected query results to the spam folder, click Move to Spam.

5. To send a phishing alert to users associated with the selected query results, click Add phishing alert.

6. To add security exceptions to the selected query results, click Add Security Exception.

7. To create security events for the selected query results, click Generate Security Events.

8. To dismiss security events for the selected query results, click Dismiss Security Events.

9. In the Perform Action on selected items pop-up that appears, click Yes.

Quarantining a Query

To quarantine a query:

1. Go to Analytics > Custom Queries.

2. Select or create a query, see Creating and Saving a New Query.

   After you select a query, the system displays the list of available query results.

3. Click Query Actions > Quarantine.

4. In the Quarantine pop-up that appears, click Save.

To quarantine bulk query results:

1. Go to Analytics > Custom Queries.

2. Select a required query.

   After you select a query, the system displays the list of available query results.

3. Select the required query results and click Group Actions > Quarantine.

4. In the Perform Action on selected items pop-up that appears, click Yes.

Restoring a Query from Quarantine

To restore a query:

1. Go to Analytics > Custom Queries.

2. Select a required query.

   After you select a query, the system displays the list of available query results.

3. Click Query Actions > Restore.

4. In the Restore pop-up that appears, click Save.

To restore bulk query results:

1. Go to Analytics > Custom Queries.

2. Select a required query.

   After you select a query, the system displays the list of available query results.

3. Select the required query results and click Group Actions > Restore from quarantine.

4. In the Perform Action on selected items pop-up that appears, click Yes.

Sending a Query Alerts and Reports to Users

To send an email alert to a specific user:

1. Go to Analytics > Custom Queries.

2. Select or create a query, see Creating and Saving a New Query.

   After you select a query, the system displays the list of available query results.

3. Click Query Actions > Send Email Alert.

4. In the Send Email Alert pop-up that appears, enter the email address, and click Save.

   The system sends an email alert to the specified user's email address.

To send email reports to bulk users in the query results:

1. Go to Analytics > Custom Queries.

2. Select a required query.

   After you select a query, the system displays the list of available query results.

3. Select the required query results and click Group Actions > Send Email Report.

4. In the Perform Action on selected items pop-up that appears, click Yes.

   The system sends an email report to the email addresses of each user selected in the query results.