Manage Your Queries

Manage and rerun queries in the Cortex XDR app.

From the Query Center, you can view all manual and scheduled queries. The Query Center also provides management functions that allow you to modify, rerun, schedule, and remove queries. You can also refresh the page to view updated status for queries, filter available queries based on fields in the query table, and manage the fields presented in the Query Center.

View the Results of a Query

After you run a query, you can view the events that match your search criteria. To view the results:
  1. Select INVESTIGATION > Query Center.
  2. Locate the query for which you want to view the results.
    If necessary, use the Filter to reduce the number of queries Cortex XDR displays.
  3. Right-click anywhere in the query row and then select Show results.
    Cortex XDR displays the results in a new window.
  4. (Optional) If you want to refine your results, you can Modify a query from the query results.
  5. (Optional) If desired, select Export to file to export the results to a tab-separated values (TSV) file.
  6. (Optional) Perform additional investigation on the alerts.
    From the right-click pivot menu:
    • Analyze the alert and open the Causality View.
    • Investigate in Timeline.
    • View event log message to view the event details.
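The TSV file produced by Export to file is a plain tab-separated table, so it can be post-processed outside the app for triage, such as counting matching events per host or removing duplicate rows before sharing the results. The following script is an added example, not code from Cortex XDR or this guide. It parses a constructed sample export; the column names it uses (timestamp, host, event_type, process, cmdline) are assumed for illustration, since a real export carries whatever columns the query returned, which is why the code reads the header row instead of hard-coding column positions.

```python
import csv
import io
from collections import Counter

# Constructed sample export (not real Cortex XDR output). Column names are
# assumptions for this example. One cmdline field is quoted because it
# contains a literal tab, which a TSV writer escapes by quoting the field;
# one field is deliberately empty; and rows 2 and 3 are duplicates.
SAMPLE_TSV = (
    "timestamp\thost\tevent_type\tprocess\tcmdline\n"
    "2023-01-10T09:15:00Z\twks-01\tPROCESS\tpowershell.exe\t\"powershell -Command\tGet-Date\"\n"
    "2023-01-10T09:16:00Z\twks-01\tPROCESS\tcmd.exe\tcmd /c whoami\n"
    "2023-01-10T09:16:00Z\twks-01\tPROCESS\tcmd.exe\tcmd /c whoami\n"
    "2023-01-10T09:20:00Z\tsrv-02\tNETWORK\tsvchost.exe\t\n"
    "2023-01-10T09:21:00Z\tsrv-02\tFILE\tnotepad.exe\tnotepad C:/temp/a.txt\n"
)


def parse_results(tsv_text):
    """Parse an exported TSV into a list of dict rows keyed by the header row.

    Using the csv module with a tab delimiter (rather than str.split) keeps
    quoted fields intact, so a tab inside a command line does not shift the
    remaining columns.
    """
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    return [dict(row) for row in reader]


def dedupe(rows, key_fields=("timestamp", "host", "process", "cmdline")):
    """Drop rows that repeat an earlier row on the given key fields."""
    seen = set()
    unique = []
    for row in rows:
        key = tuple(row[f] for f in key_fields)
        if key not in seen:
            seen.add(key)
            unique.append(row)
    return unique


def count_by_host(rows):
    """Count matching events per host, a quick view of where results cluster."""
    return Counter(row["host"] for row in rows)


def hosts_at_or_above(rows, threshold):
    """Hosts whose event count reaches the threshold, sorted for stable output."""
    return sorted(h for h, n in count_by_host(rows).items() if n >= threshold)


if __name__ == "__main__":
    rows = parse_results(SAMPLE_TSV)
    print(f"{len(rows)} rows, {len(dedupe(rows))} unique")
    for host, n in count_by_host(rows).most_common():
        print(f"{host}\t{n}")
    print("hosts with 3+ events:", hosts_at_or_above(rows, 3))
```

To use it on a real export, replace SAMPLE_TSV with the file contents (open the file with newline="" so embedded line breaks in quoted fields survive) and adjust the key fields in dedupe to the columns your query actually returned.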

Modify a Query

After you run a query, you might find you need to change your search parameters, for example to narrow the search results or correct a search parameter. There are two ways you can modify a query: you can edit it in the Query Center, or you can edit it from the results page. Both methods populate the criteria you specified in the original query in a new query, which you can modify and save.
  • Create a query based on an existing query.
    1. Select INVESTIGATION > Query Center.
    2. Right-click anywhere in the query and then select Save as a new query.
    3. If desired, enter a descriptive name to identify the query.
    4. Then modify the search parameters as desired.
    5. Choose when to run the query.
      Select the calendar icon to schedule a query to run on or before a specific date, Run in background to run the query as resources are available, or Run to run the query immediately and view the results in the Query Center.
  • Modify an existing query from the Query Center.
    1. Select INVESTIGATION > Query Center.
    2. Right-click anywhere in the query and then select Edit a query.
    3. Modify the search parameters as desired.
    4. Choose when to run the query.
      Select the calendar icon to schedule a query to run on or before a specific date, Run in background to run the query as resources are available, or Run to run the query immediately and view the results in the Query Center.
  • Modify a query from the query results.
    1. At the top of the query, click the pencil icon to the right of the query parameters.
      Cortex XDR opens the query settings page.
    2. Modify the search parameters as desired.
    3. Choose when to run the query.
      Select the calendar icon to schedule a query to run on or before a specific date, Run in background to run the query and review the result at a later time, or Run to run the query immediately and view the results in the Query Center.

Rerun or Schedule a Query to Run

If you want to rerun a query, you can either schedule it to run on or before a specific date, or you can rerun it immediately. Cortex XDR will create a new query in the Query Center. When the query completes, Cortex XDR displays a notification in the notification bar.
  • Rerun a query immediately.
    1. Select INVESTIGATION > Query Center.
    2. Right-click anywhere in the query and then select Rerun Query.
      Cortex XDR initiates the query immediately.
  • Schedule a query to run:
    1. Select INVESTIGATION > Query Center.
    2. Right-click anywhere in the query and then select Schedule.
    3. Choose the desired schedule option and the date and time the query should run:
      • Run one time query on a specific date
      • Run query by date and time: schedule a recurring query at a frequency of your choice.
    4. Click OK to schedule the query.
      Cortex XDR creates a new query and schedules it to run on or by the selected date and time.
    5. View the status of the scheduled query on the Cortex XDR Scheduled Queries page.
      At any time, you can view or make changes to the query on the Scheduled Queries page. For example, you can edit the frequency, view when the query will next run, or disable the query.

Rename a Query

If needed, you can rename a query at any time. If you later rerun the query, the new query will run using the new name. You can also edit the name of a query when you Modify a Query.
  1. Select INVESTIGATION > Query Center.
  2. Right-click anywhere in the query and then select Rename.
  3. Enter the new query name and click OK.
