Edit and rerun queries - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-05-06
Last date published
2024-07-12
Category
Administrator Guide
Abstract

From the Query Center, you can view the results of a query, modify a query, and rerun queries.

The Query Center displays information about all queries that were run in the Query Builder. From the Query Center you can manage your queries, view query results, and adjust and rerun queries. Right-click a query to see the available options.

  1. Select InvestigationQuery Center.

  2. Identify the query by looking in the Query Description column.

    The Query Description column displays the parameters that were defined for a query. If necessary, use the Filter to reduce the number of queries that Cortex XSIAM displays.

    Queries that were created from a Query Builder template are prefixed with the template name.

  3. Right-click anywhere in the query row and select Show results.

  4. (Optional) Export to file to export the results to a tab-separated values (TSV) file.

  5. (Optional) Perform additional investigation on the alerts.

    Right-click a value in the results table to see the options for further investigation.

After you run a query, you might need to change your search parameters to refine the search results or correct a search parameter. You can modify a query from the Results page:

  • For queries created in XQL, the Results page includes the XQL query builder with the defined parameters. Modify the query and Run, schedule, or save the query.

  • For queries created with a Query Builder template, the defined parameters are shown at the top of the Results page. Select Back to edit to modify the query with the template format or Continue in XQL to open the query in XQL.

If you want to rerun a query, you can either schedule it to run on or before a specific date, or you can rerun it immediately. Cortex XSIAM creates a new query in the Query Center, and when the query completes, it displays a notification in the notification bar.

To rerun a query immediately, right-click anywhere in the query and then select Rerun Query.

How to schedule a query
  1. In the Query Center, right-click anywhere in the query and then select Schedule.

  2. Choose a schedule option and the date and time that the query should run:

    • Run one time query on a specific date

    • Run query by date and time: Schedule a recurring query.

  3. Click OK to schedule the query.

    Cortex XSIAM creates a new query and schedules it to run on or by the selected date and time.

  4. View the status of the scheduled query on the Scheduled Queries page.

    You can also make changes to the query, edit the frequency, view when the query will next run, or disable the query. For more information, see Manage scheduled queries.