Manage Your Personal Query Library

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-03-30
Last date published: 2023-03-30

As part of the Query Library, Cortex XDR provides a personal query library for saving and managing your own queries. When creating a query in XQL Search or managing your queries from the Query Center, you can save queries to your personal library. You can also decide whether a query is shared with other users on the same tenant, so that it appears in their Query Library, or unshare it so that it is visible only to you. Queries that other users on the same tenant have shared are likewise visible in your Query Library.

The queries listed in your Query Library have different icons to help you identify the different states of the queries.

  • Created by me and unshared.

  • Created by me and shared.

  • Created by someone else and shared.

The Query Library contains a powerful search mechanism that enables you to search in any field related to the query, such as the query name, description, creator, query text, and labels. In addition, adding a label to your query enables you to search for these queries using these labels in the Query Library.

To add a query to your personal query library:

  1. Save a query to your personal query library.

    You can do this in two ways.

    • From XQL Search

      1. Select Incident Response > Investigation > Query Builder > XQL Search.

      2. In the XQL query field, define the parameters of your query.

      3. Select Save as > Query to Library.

    • From the Query Center

      1. Select Incident Response > Investigation > Query Center.

      2. Locate the query that you want to save to your personal query library.

      3. Right-click anywhere in the query row, and select Save query to library.

  2. Set these parameters.

    • Query Name—Specify a unique name for the query. Query names must be unique in both private and shared lists, which includes other people’s queries.

    • Query Description—(Optional) Specify a description of what the query does.

    • Labels—(Optional) Specify a label that is associated with your query. You can select a label from the list of predefined labels or add your label and then select Create Label. Adding a label to your query enables you to search for queries using this label in the Query Library.

    • Share with others—By default the query is private and accessible only to you. Move the Share with others toggle to share the query, so that other users on the same tenant can access it in their Query Library.

  3. Click Save.

    A notification appears confirming that the query was saved successfully to the library, and closes on its own after a few seconds.

    The query that you added is now listed as the first entry in the Query Library. The query editor is opened to the right of the query.
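    The following is an added example, not a query from the Cortex XDR Query Library or from Palo Alto Networks: a detection-oriented XQL query of the kind you would write in step 1 and then save with the parameters from step 2. It lists process starts of PowerShell with an encoded command line, which is a common place to begin an investigation. The `xdr_data` dataset and the field names used here are standard Cortex XDR fields; the line comments, the query name, and the labels suggested below are constructed for this example.

```xql
// Added example (constructed): PowerShell launched with an encoded command line
config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.PROCESS
    and action_process_image_name in ("powershell.exe", "pwsh.exe")
    and action_process_image_command_line contains "-enc"
| fields _time, agent_hostname, actor_effective_username,
         actor_process_image_name, action_process_image_command_line
| sort desc _time
| limit 100
```

    When saving it in step 2, a name such as "PowerShell encoded command line (example)" keeps it unique across the private and shared lists, the description can state what the query surfaces and why, and labels such as "detection" and "powershell" let you find it later with the Search query data and metadata field. Because the match on "-enc" also catches "-EncodedCommand" only when case sensitivity is off, the `config case_sensitive = false` stage is part of the query rather than something to remember at run time; leave Share with others off until the query has been reviewed, then share it from the query menu so the rest of the tenant gets the same reviewed version.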

  4. Other available options.

    As needed, you can return to your queries in the Query Library to manage your queries. Here are the actions available to you.

    • Edit the name, description, labels, and parameters of your query by selecting the query from the Query Library, hovering over the line in the query editor that you want to edit, and selecting the edit icon to edit the text.

    • Search query data and metadata—Use the Query Library’s powerful search mechanism that enables you to search in any field related to the query, such as the query name, description, creator, query text, and label. The Search query data and metadata field is available at the top of your list of queries in the Query Library.

    • Show—Filter the list of queries from the Show menu. You can filter by the Palo Alto Networks queries provided with Cortex XDR, by the queries Created by Me, or by the queries Created by Others. To view the entire list, select Select all (default).

    • Save as new—Duplicate the query and save it as a new query. This action is available from the query menu by selecting the menu icon.

    • Share with others—If your query is currently unshared, you can share it with other users on the same tenant, and it will then be available in their Query Library. This action is only available from the query menu, by selecting the menu icon, when your query is unshared.

    • Unshare—If your query is currently shared with other users, you can Unshare the query and remove it from their Query Library. This action is only available from the query menu, by selecting the menu icon, when your query is shared with others. You can only Unshare a query that you created. If another user created the query, this option is disabled in the query menu.

    • Delete the query. You can only delete queries that you created. If another user created the query, this option is disabled in the query menu when selecting the menu icon.