When you define a role, a list of queries for each of the following components appears. This list is based on your saved queries for these components:

You can choose one of the queries from the component’s queries list to be the role’s pre-set query. The pre-set query will run when a user with that role accesses that component page.

The role's pre-set query will be the default query for a new user. Existing users will be able to choose a default query for themselves. The pre-set query will be available for the user to choose.

Having a default query associated with a user’s role is useful for new users in Cortex XSOAR who are not sure what query is best, but also for other users who prefer to be given a default query.

When you edit or create roles, the available queries are based on the role’s editing permissions as follows.

When you edit a role, the list of queries is re-populated with your own saved queries. If you change the pre-set query for a role, the query will be added to the users’ queries, but not as the pre-set query. However, if you delete one of your own queries after you configure a role, the role’s list of queries is not affected.

When you remove a role’s pre-set query, if a query exists for that role it will automatically become the pre-set query for the role.

Users can view the pre-set query based on their role when clicking

Saved queries

. The pre-set role query will have

(Pre-set)

appended to the name of the query. Although users can change the their default query, they cannot delete the pre-set role query. If a user has multiple roles, the user will see multiple queries. The pre-set role query will be the highest nested one or the first one that appears alphabetically.

If a user’s role changes, the user’s pre-set role query is automatically updated.

Users can create and save queries for a component page and select any one of the saved queries to be their default query.