Manage Your Queries - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-03-22
Last date published: 2023-09-25
Category: Administrator Guide

From the Query Center, you can view all manual and scheduled queries. The Query Center also provides management functions that allow you to modify, rerun, schedule, and remove queries. You can also refresh the page to view the updated status for queries, filter available queries based on fields in the query table, and manage the fields presented in the Query Center.

View the Results of a Query

After you run a query, you can view the events that match your search criteria. To view the results:

  1. Select Investigation > Query Center.

  2. Identify the query by looking in the Query Description column.

    The Query Description column displays the parameters that were defined for the query. If necessary, use the Filter to reduce the number of queries that Cortex XDR displays.

    Queries that were created from a Query Builder template are prefixed with the template name.

  3. Right-click anywhere in the query row, select Show results, and choose whether to open the query in the same tab or a new tab.

  4. (Optional) If you want to refine your results, you can modify a query from the query results.

  5. (Optional) If desired, select Export to file to export the results to a tab-separated values (TSV) file.

  6. (Optional) Perform additional investigation on the alerts.

    From the right-click pivot menu:

    • Analyze the alert and open the Causality View.

    • Investigate in Timeline.

    • View event log message to view the event details.
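Once results are exported to TSV (step 5 above), they can be triaged offline before you go back and refine the query. The following is an added example, not code from the Cortex XDR product or documentation: it parses a constructed export, drops exact duplicate rows, counts events per host for a chosen process, and flags PowerShell command lines carrying common evasion flags. The column names (Timestamp, Host Name, Action Type, Process Name, Command Line) and the sample rows are assumptions made for this example and do not correspond to a real export.

```python
import csv
import io
from collections import Counter

# Constructed sample shaped like a Query Center TSV export: one header row,
# tab-separated, one event per row. Column names are assumed for this example.
SAMPLE_TSV = (
    "Timestamp\tHost Name\tAction Type\tProcess Name\tCommand Line\n"
    "2023-09-25T08:01:10Z\tws-0142\tPROCESS_START\tpowershell.exe\tpowershell -enc SQBFAFgA\n"
    "2023-09-25T08:01:10Z\tws-0142\tPROCESS_START\tpowershell.exe\tpowershell -enc SQBFAFgA\n"
    "2023-09-25T08:03:44Z\tws-0142\tPROCESS_START\tcmd.exe\tcmd /c whoami\n"
    "2023-09-25T08:05:02Z\tsrv-db-01\tPROCESS_START\tpowershell.exe\tpowershell -nop -w hidden\n"
    "2023-09-25T08:07:19Z\tws-0301\tPROCESS_START\tnotepad.exe\tnotepad.exe C:\\temp\\a.txt\n"
)


def load_export(tsv_text):
    """Parse an exported TSV into a list of dicts, dropping exact duplicate rows.

    QUOTE_NONE is used because TSV exports do not quote fields; a quote
    character inside a command line must be kept literally, not interpreted.
    """
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    seen = set()
    rows = []
    for row in reader:
        key = tuple(row.items())  # column order is stable, so identical rows compare equal
        if key in seen:
            continue
        seen.add(key)
        rows.append(row)
    return rows


def hosts_by_process(rows, process_name):
    """Count unique events per host for one process name (case-insensitive)."""
    counter = Counter()
    for row in rows:
        if row["Process Name"].lower() == process_name.lower():
            counter[row["Host Name"]] += 1
    return counter


def suspicious_powershell(rows):
    """Return PowerShell events whose command line carries common evasion flags.

    The markers are a coarse heuristic for triage only; "-enc" also matches
    "-encodedcommand", which is intended.
    """
    markers = ("-enc", "-w hidden", "-nop")
    hits = []
    for row in rows:
        if row["Process Name"].lower() != "powershell.exe":
            continue
        cmd = row["Command Line"].lower()
        if any(m in cmd for m in markers):
            hits.append(row)
    return hits


if __name__ == "__main__":
    events = load_export(SAMPLE_TSV)
    print(f"{len(events)} unique events")
    for host, n in hosts_by_process(events, "powershell.exe").most_common():
        print(f"{host}\t{n}")
    for hit in suspicious_powershell(events):
        print(hit["Host Name"], hit["Command Line"])
```

The host list produced by hosts_by_process is the kind of value you would then feed back into a modified query (for example, restricting the host name field) to narrow the next run.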

Modify a Query

After you run a query, you might find that you need to change your search parameters, for example to narrow the search results or to correct a parameter. There are two ways to modify a query: you can edit it in the Query Center, or you can edit it from the results page. Both methods create a new query prepopulated with the criteria from the original query, which you can then modify and save.

  1. Create a query based on an existing query.

    1. Select Investigation > Query Center.

    2. Right-click anywhere in the query row and then select Save as a new query.

    3. If desired, enter a descriptive name to identify the query.

    4. Modify the search parameters as desired.

    5. Choose when to run the query.

      Select the calendar icon to schedule a query to run on or before a specific date or Run to run the query immediately and view the results in the Query Center.

      While the query is running, you can always navigate away from the page and a notification is sent when the query completes. You can also Cancel the query or run a new query, where you have the option to Run only new query (cancel previous) or Run both queries.

  2. Modify an existing query from the Query Center.

    1. Select Investigation > Query Center.

    2. Right-click anywhere in the query row and then select Edit a query.

    3. Modify the search parameters as desired.

    4. Choose when to run the query.

      Select the calendar icon to schedule a query to run on or before a specific date or Run to run the query immediately and view the results in the Query Center.

      While the query is running, you can always navigate away from the page and a notification is sent when the query completes. You can also Cancel the query or run a new query, where you have the option to Run only new query (cancel previous) or Run both queries.

  3. Modify a query from the query results.

    1. View the Results of a Query.

    2. At the top of the results page, click the pencil icon to the right of the query parameters.

      Cortex XDR opens the query settings page.

    3. Modify the search parameters as desired.

    4. Choose when to run the query.

      Select the calendar icon to schedule a query to run on or before a specific date or Run to run the query immediately and view the results in the Query Center.

      While the query is running, you can always navigate away from the page and a notification is sent when the query completes. You can also Cancel the query or run a new query, where you have the option to Run only new query (cancel previous) or Run both queries.

Rerun or Schedule a Query to Run

If you want to rerun a query, you can either schedule it to run on or before a specific date, or you can rerun it immediately. Cortex XDR will create a new query in the Query Center. When the query completes, it displays a notification in the notification bar.

  1. Rerun a query immediately.

    1. Select Investigation > Query Center.

    2. Right-click anywhere in the query row and then select Rerun Query.

      Cortex XDR initiates the query immediately.

  2. Schedule a query to run:

    1. Select Investigation > Query Center.

    2. Right-click anywhere in the query row and then select Schedule.

    3. Choose the desired schedule option and the date and time the query should run:

      • Run one time query on a specific date

      • Run query by date and time: schedule a recurring query at a frequency of your choice.

    4. Click OK to schedule the query.

      Cortex XDR creates a new query and schedules it to run on or by the selected date and time.

    5. View the status of the scheduled query on the Scheduled Queries page.

      At any time, you can view or make changes to the query on the Scheduled Queries page. For example, you can edit the frequency, view when the query will next run, or disable the query.

Rename a Query

If needed, you can rename a query at any time. If you later rerun the query, the new query will run using the new name. You can also edit the name of a query when you Modify a Query.

  1. Select Investigation > Query Center.

  2. Right-click anywhere in the query row and then select Rename.

  3. Enter the new query name and click OK.