Query incident and alert data - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-11-12
Category
Administrator Guide
Abstract

You can run queries on incident and alert data with the incidents and alerts datasets.

You can query incident and alert data in the incidents and alerts datasets.

When using the alerts dataset, keep in mind the following:

  • Info alerts are not included in this dataset.

  • The alerts dataset exposes only a subset of the alert fields that are available through the API. For the full list, see Get Alerts Multi-Events v2 API.

The alerts dataset comprises alerts from both the Security and Health domains, so a query with no alert_domain filter returns both. To query only security alerts, use the following XQL:

dataset = alerts | filter alert_domain = "DOMAIN_SECURITY"

To query only health alerts, use the following XQL:

dataset = alerts | filter alert_domain = "DOMAIN_HEALTH"
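As an added example (not part of the original page), the following XQL goes one step beyond the two single-filter queries above: the first query counts alerts per domain so you can see how the dataset splits, and the second narrows to security alerts and projects a few fields for triage. The alert_name, severity, and alert_source field names are assumed here from the API field list the page refers to; confirm them against Get Alerts Multi-Events v2 API before relying on them.

```xql
// Query 1: how many alerts of each domain are in the dataset?
// alert_domain is the field shown on this page; the two values
// returned are DOMAIN_SECURITY and DOMAIN_HEALTH.
dataset = alerts
| comp count() as alert_count by alert_domain

// Query 2: security alerts only, reduced to triage columns.
// alert_name, severity and alert_source are assumed field names
// (taken from the API field list, not from this page).
dataset = alerts
| filter alert_domain = "DOMAIN_SECURITY"
| fields alert_name, severity, alert_source, alert_domain
| sort desc severity
| limit 100
```

Because Info alerts are excluded from the alerts dataset, the counts returned by the first query will be lower than the totals shown on the Alerts page; do not treat a mismatch there as missing data.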