Create a Search Query for Incidents

Create a search query for Cortex XSOAR incidents. Custom which incidents are displayed. Save search queries.
The default view of the Incidents page displays all open incidents from the last seven days. You can customize which incidents are displayed by creating and saving queries. You can also customize the information that is displayed for each incident by customizing the table summary layout and the Chart panel. This information is then saved as part of the query.
  1. In the query bar, type your search criteria.
    By default, the syntax is
    -status:closed -category:job
    , which searches for categories other than jobs and not those that have been closed. You can add fields like severity or type to narrow your search to critical issues or issues of a certain type.
  2. From the drop down list, select the date range for which you want to search.
    By default, it is the last 7 days.
  3. If you want to customize the table summary view, click the gear icon above the table.
  4. If you want to customize the chart panel, go to one of the charts and from the drop down list select the chart as required.
  5. To save the query do the following:
    1. Click
      Add
      to Saved queries.
    2. Type a name for the query.
    3. Click
      Save
      .
    When clicking
    Saved queries
    you can view all saved queries, mark them as default, or delete the queries. To edit an existing saved query, create a new query and save it with the exact name of the query you want to replace.
In this example, you need to search for all incidents according to the following criteria:
  • Status is not closed
  • category is not job
  • type is phishing
  • opened within the last 7 days
In addition, add the
Created
column to the table summary.

Recommended For You