Create a Search Query for Incidents - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.5
Creation date: 2022-09-28
Last date published: 2024-03-21
End of Life: EoL
Category: Administrator Guide
Abstract

Create a search query for Cortex XSOAR incidents, customize which incidents are displayed, and save search queries.

The default view of the Incidents page displays all open incidents from the last seven days. You can customize which incidents are displayed by creating and saving queries. You can also customize the information that is displayed for each incident by customizing the table summary layout and the Chart panel. This information is then saved as part of the query.

Note

The timezone for searches is UTC. The system timezone is not used.

  1. In the query bar, type your search criteria.

    By default, the query is -status:closed -category:job. A leading minus excludes a value, so this returns incidents whose status is not closed and whose category is not job (the category used for incidents created by scheduled jobs). Add further field:value terms, such as severity or type, to narrow the search to critical incidents or to incidents of a specific type.

  2. From the dropdown list, select the date range for which you want to search.

    By default, it is the last 7 days.

  3. If you want to customize the table summary view, click the gear icon above the table.

  4. If you want to customize the chart panel, go to a chart and select the chart you want from its dropdown list.

  5. To save the query do the following:

    1. Click Add to Saved queries.

    2. Type a name for the query.

    3. Click Save.

    Click Saved queries to view all saved queries, set one as the default, or delete queries. Saved queries cannot be edited in place: to change one, build the new query and save it under the exact name of the query you want to replace.

Example: search for all incidents that meet the following criteria:

  • Status is not closed

  • Category is not a job

  • Type is phishing

  • Opened within the last 7 days

In addition, add the Created column to the table summary.

(Screenshot: query_incidents_example.png)
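The same example, built as a query string and as the filter body that runs the identical search over the REST API, as an added Python example that is not part of the Cortex XSOAR guide. The query syntax mirrors the query bar (field:value matches, a leading minus excludes, values with spaces in double quotes, alternatives joined with or); the /incidents/search endpoint and the filter fields follow the public XSOAR REST API reference, and the host, API key and field values are placeholders, so verify the body shape against your own instance before relying on it.

```python
"""Compose Cortex XSOAR incident search queries and run them over the REST API.

Added example; not taken from the Cortex XSOAR Administrator Guide. The query
syntax mirrors what the Incidents page query bar accepts: field:value matches,
a leading "-" excludes, values containing spaces go in double quotes, and
alternatives are joined with "or". The REST endpoint (/incidents/search) and
filter body follow the public XSOAR REST API reference; the host, API key and
field values below are placeholders to replace with your own.
"""
import json
import urllib.request


def _as_list(values):
    """Accept a single string or any iterable of strings."""
    return [values] if isinstance(values, str) else list(values)


def _quote(value: str) -> str:
    """Quote a value when it contains whitespace or query metacharacters,
    so the query parser treats it as a single token."""
    if value == "" or any(ch in value for ch in ' \t:"()'):
        return '"' + value.replace('"', '\\"') + '"'
    return value


def _term(field: str, values) -> str:
    """Render field:value; several values for one field become (a or b)."""
    parts = [f"{field}:{_quote(v)}" for v in _as_list(values)]
    return parts[0] if len(parts) == 1 else "(" + " or ".join(parts) + ")"


def build_query(include=None, exclude=None) -> str:
    """Build a query-bar string.

    exclude: {"status": "closed", "category": "job"} -> -status:closed -category:job
    include: {"type": "Phishing"}                   -> type:Phishing
    Exclusions come first so the result extends the page's default query.
    A field excluded with several values yields one -field:value per value.
    """
    clauses = []
    for field, values in (exclude or {}).items():
        clauses.extend(f"-{field}:{_quote(v)}" for v in _as_list(values))
    for field, values in (include or {}).items():
        clauses.append(_term(field, values))
    return " ".join(clauses)


def build_search_body(query: str, days: int = 7, size: int = 100, page: int = 0) -> dict:
    """Filter body for POST /incidents/search (field names per the REST API
    reference). The relative period is the API equivalent of the date-range
    dropdown; the guide notes that searches are evaluated in UTC."""
    return {
        "filter": {
            "query": query,
            "period": {"by": "day", "fromValue": days},
            "page": page,
            "size": size,
        }
    }


def search_incidents(base_url: str, api_key: str, query: str, days: int = 7, size: int = 100) -> dict:
    """POST the search to an XSOAR server and return the decoded JSON response
    (the server answers with "data", a list of incidents, and "total").
    The API key goes in the Authorization header, as XSOAR 6.x expects."""
    request = urllib.request.Request(
        base_url.rstrip("/") + "/incidents/search",
        data=json.dumps(build_search_body(query, days=days, size=size)).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": api_key,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


if __name__ == "__main__":
    # The guide's example: open, non-job incidents of type Phishing from the last 7 days.
    example = build_query(include={"type": "Phishing"},
                          exclude={"status": "closed", "category": "job"})
    print(example)  # -status:closed -category:job type:Phishing
    print(json.dumps(build_search_body(example), indent=2))
    # To run it against a server (placeholder host and key, not real values):
    # result = search_incidents("https://xsoar.example.com", "<api-key>", example)
    # print(result["total"], "matching incidents")
```

The table-summary customization (adding the Created column) has no counterpart in the API body; the server returns the full incident objects and the caller picks the fields to display.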