What permissions do I need?
To access the Alerts overview area and see the alert queries, you need at least the Triggered alerts (view) permission (see a detailed description of the alerts permissions here).
Additionally, you need to have alerts assigned with View access (see Assign resources to a role), which will be those you will see on the list.
Open query from the alert list
You can go the search window to see the query defined for that triggered alert and examine the events that caused it to trigger. Click the ellipsis menu at the end of the row and select Go to query.
You will be taken to the search window, and you will see the alert query with the time range for the events that triggered the alert. You will access the search window in incognito mode, which means any changes in the query will not be saved.
Open query from the alert details window
You can also open the query to explore it from the details window, which is accesible by clicking an alert’s ID on the list (more info about the details window here). Simply click on the Open in query editor button above the query section of the alert details window.
