how to write and combine 2 saperate Query

[stmarya]

I have Palo Alto and fortigate, and now I want to collect event or threat names with this separate query,
Palo alto :

• AND NOT wazuh.data.Threat_ID: "(9999)" | groupby wazuh.data.Threat_ID source.ip destination.ip

Fortigate :

• AND wazuh.data.devname:”FGT-BHN” | groupby source.ip destination.ip | groupby wazuh.data.attack source.ip destination.ip | groupby wazuh.data.rule_name

is there any way to combine the query into one line?

[dougburks]

Would something like this work?
wazuh.data.devname:”FGT-BHN” AND NOT wazuh.data.Threat_ID: "(9999)" | groupby wazuh.data.Threat_ID source.ip destination.ip | groupby source.ip destination.ip | groupby wazuh.data.attack source.ip destination.ip | groupby wazuh.data.rule_name

[stmarya]

thanks for your suggestion, its work for me.

• AND NOT wazuh.data.Threat_ID:"(9999)" | groupby wazuh.data.Threat_ID source.ip destination.ip | groupby wazuh.data.attack source.ip destination.ip | groupby -pie wazuh.data.rule_name | groupby winlog.event_data.TargetUserName winlog.event_data.LogonType| groupby wazuh.data.src_user.keyword wazuh.data.rule_name.keyword

Do you have any suggestion how to save this query or make it default

[dougburks]

From https://docs.securityonion.net/en/2.4/dashboards.html#query-bar:

If you would like to save your own personal queries, you can bookmark them in your browser. If you would like to customize the default queries for all users, please see the SOC Customization section.