Create a search query for Cortex XSOAR incidents. Custom
which incidents are displayed. Save search queries.
The default view of the Incidents page displays
all open incidents from the last seven days. You can customize which
incidents are displayed by creating and saving queries. You can
also customize the information that is displayed for each incident
by customizing the table summary layout and the Chart panel. This
information is then saved as part of the query.
In the query bar, type your search criteria.
By default, the syntax is
-status:closed -category:job
,
which searches for categories other than jobs and not those that have
been closed. You can add fields like severity or type to narrow
your search to critical issues or issues of a certain type.
From the drop down list, select the date range for which
you want to search.
By default, it is the last 7 days.
If you want to customize the table summary view, click
the gear icon above the table.
If you want to customize the chart panel, go to one of
the charts and from the drop down list select the chart as required.
To save the query do the following:
Click
Add
to Saved queries.
Type a name for the query.
Click
Save
.
When clicking
Saved queries
you
can view all saved queries, mark them as default, or delete the
queries. To edit an existing saved query, create a new query and
save it with the exact name of the query you want to replace.
In this example, you need to search for all incidents according
to the following criteria:
Status is not closed
category is not job
type is phishing
opened within the last 7 days
In addition,
add the
Created
column to the table summary.
Share Saved Queries
Shared queries enable you to share your customized configurations with
all users. For example, you can define queries for security analysts
to help focus them on incidents relevant for them to analyze. The
shared queries feature applies everywhere you define queries, including
incidents, dashboards, indicators, and jobs.
Once you create and save a query, to share it with all users
click
Saved queries
and then click
for
that query.
Hovering over the query name in the list of saved queries shows
that the query is shared. The share icon also indicates you can
remove the share.
The shared query appears in the users’ Saved queries list. They
see the query with a
icon
and the name of the shared query owner in parentheses after the
query name.
Edits made to shared queries are not saved. To
save an edited version of the shared query, make a copy and then
edit and save it.
Copying the shared query or clicking
Mark Default
(to
make the query the page default) keeps the shared query in the user’s
Saved
queries
list even if the shared query owner removes
the share. Otherwise, the query will disappear from the users’
for
that query.
icon
and the name of the shared query owner in parentheses after the
query name.
