Create a pre-set query for a role in Cortex XSOAR.
When you define a role, a list of queries for each of
the following components appears. This list is based on your saved
queries for these components:
Incidents
Indicators
Jobs
War Room
To add a query for a component, create the query in the
component page and click
Add
next to the
query field. Give the query a name and click
Save
.
You can choose one of the queries from the component’s queries
list to be the role’s pre-set query. The pre-set query will run
when a user with that role accesses that component page.
The role's pre-set query will be the default query for a new
user. Existing users will be able to choose a default query for
themselves. The pre-set query will be available for the user to
choose.
Having a default query associated with a user’s
role is useful for new users in Cortex XSOAR who are not sure what
query is best, but also for other users who prefer to be given a
default query.
When you edit or create roles, the available queries are based
on the role’s editing permissions as follows.
Page
Page Access or Role Permissions
Incidents
Incidents
Indicators
Indicators
Jobs
Jobs
War Room
Investigation > data > read
When you edit a role, the list of queries is re-populated with
your own saved queries. If you change the pre-set query for a role,
the query will be added to the users’ queries, but not as the pre-set
query. However, if you delete one of your own queries after you
configure a role, the role’s list of queries is not affected.
When you remove a role’s pre-set query, if a query exists for
that role it will automatically become the pre-set query for the
role.
Users can view the pre-set query based on their role when clicking
Saved
queries
. The pre-set role query will have
(Pre-set)
appended
to the name of the query. Although users can change the their default
query, they cannot delete the pre-set role query. If a user has multiple
roles, the user will see multiple queries. The pre-set role query
will be the highest nested one or the first one that appears alphabetically.
If a user’s role changes, the user’s pre-set role query is automatically updated.
Users can create and save queries for a component page and select
any one of the saved queries to be their default query.