Edit and rerun queries in Query Center - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-07-16
Last date published: 2024-12-12
Category: Administrator Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Learn more about viewing the results of a query, modifying a query, and rerunning queries from Query Center.

Notice

Building Cortex Query Language (XQL) queries in the Query Builder requires a Cortex XDR Pro license.

The Query Center displays information about all queries that were run in the Query Builder. From the Query Center you can manage your queries, view query results, and adjust and rerun queries. Right-click a query to see the available options.

  1. Select Investigation > Query Center.

  2. Identify the query by looking in the Query Description column.

    The Query Description column displays the parameters that were defined for a query. If necessary, use the Filter to reduce the number of queries that Cortex XDR displays.

    Queries that were created from a Query Builder template are prefixed with the template name.

  3. Right-click anywhere in the query row and select Show results.

  4. (Optional) Export to file to export the results to a tab-separated values (TSV) file.

  5. (Optional) Perform additional investigation on the alerts.

    Right-click a value in the results table to see the options for further investigation.

After you run a query, you might need to change your search parameters to refine the search results or correct a search parameter. You can modify a query from the Results page:

  • For queries created in XQL, the Results page includes the XQL query builder with the defined parameters. Modify the query, and then run, schedule, or save it.

  • For queries created with a Query Builder template, the defined parameters are shown at the top of the Results page. Select Back to edit to modify the query with the template format or Continue in XQL to open the query in XQL.
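The following is an added illustration of the refine-and-rerun workflow described above; it is not a query from this guide. It assumes the standard `xdr_data` dataset and its `event_type`, `agent_hostname`, `actor_process_image_name`, `action_process_image_name` and `action_process_command_line` fields, and the `config timeframe` directive; the host name and process name are constructed sample values. The first query is the broad search as originally run; the second is the same query after narrowing the search parameters in the XQL query builder on the Results page.

```xql
// Original query (constructed example): every process event in the last 24 hours.
// Returns too many rows to investigate, so the search parameters need refining.
config timeframe = 24h
| dataset = xdr_data
| filter event_type = ENUM.PROCESS
| fields _time, agent_hostname, actor_process_image_name, action_process_image_name, action_process_command_line
| limit 1000

// Refined query: same fields, but scoped to one host and one launched process,
// newest events first. Edit the filter in the Results page, then Run, Schedule, or Save.
config timeframe = 24h
| dataset = xdr_data
| filter event_type = ENUM.PROCESS
    and agent_hostname = "EXAMPLE-HOST-01"
    and action_process_image_name = "powershell.exe"
| fields _time, agent_hostname, actor_process_image_name, action_process_image_name, action_process_command_line
| sort desc _time
| limit 1000
```

Rerunning the refined query produces a new entry in the Query Center, so both the broad and the narrowed result sets remain available for comparison.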

If you want to rerun a query, you can either schedule it to run on or before a specific date, or you can rerun it immediately. Cortex XDR creates a new query in the Query Center, and when the query completes, it displays a notification in the notification bar.

To rerun a query immediately, right-click anywhere in the query and then select Rerun Query.

How to schedule a query

  1. In the Query Center, right-click anywhere in the query and then select Schedule.

  2. Choose a schedule option and the date and time that the query should run:

    • Run one time query: Run the query once on a specific date.

    • Run query by date and time: Schedule a recurring query.

  3. Click OK to schedule the query.

    Cortex XDR creates a new query and schedules it to run on or by the selected date and time.

  4. View the status of the scheduled query on the Scheduled Queries page.

    You can also make changes to the query, edit the frequency, view when the query will next run, or disable the query. For more information, see Manage scheduled queries.