Edit and rerun queries in Query Center

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-11-14
Category
Administrator Guide
Abstract

Learn more about viewing the results of a query, modifying a query, and rerunning queries from Query Center.

From the Query Center you can take action on the Completed and In Progress queries that are running on your tenant.

Right-click a query to see the available options; some options differ depending on the type of query you've selected. The pivot (right-click) options described below are the ones that may need further explanation.

  1. Select Investigation > Query Center.

  2. Identify the query by looking in the Query Description column.

    The Query Description column displays the parameters that were defined for a query. If necessary, use the Filter to reduce the number of queries that Cortex XSIAM displays.

    Queries that were created from a Query Builder template are prefixed with the template name.

  3. Right-click anywhere in the query row and select Show results.

    You have the option to Show results in new tab or Show results in same tab.

  4. (Optional) Select Export to file to export the results to a tab-separated values (TSV) file.

  5. (Optional) Perform additional investigation on the alerts.

    Right-click a value in the results table to see the options for further investigation.

After you run a query, you might need to change your search parameters to refine the search results or correct a search parameter.

  • For queries created in XQL, type your changes in the XQL query field where the original query is listed and the results are displayed in the Query Results tab. After modifying the query, you can run, schedule, or save the query.

  • For queries created with a Query Builder template, the defined parameters are shown at the top of the Results page. Select Back to edit to modify the query with the template format or Continue in XQL to open the query in XQL.

You can schedule an XQL query to run on or before a specific date, either once or on a recurring basis. Cortex XSIAM creates a new query in the Query Center, and when the query completes, it displays a notification in the notification bar.

How to schedule a query
  1. In the Query Center, right-click anywhere in the query and then select Schedule.

  2. Choose a schedule option and the date and time that the query should run:

    • Run one time query on a specific date: Schedule a query that runs once.

    • Run query by date and time: Schedule a recurring query.

  3. Click OK to schedule the query.

    Cortex XSIAM creates a new query and schedules it to run on or by the selected date and time.

  4. View the status of the scheduled query on the Scheduled Queries page.

    You can also make changes to the query, edit the frequency, view when the query will next run, or disable the query. For more information, see Manage scheduled queries.

Note

You can cancel your own queries. To cancel queries run by other users, you must have View/Edit permissions for Configurations > Query Management. By default, Instance administrators have View/Edit permission.

On the Active Queries tab you can cancel one or more In Progress queries. You might want to cancel long-running queries, or cancel queries to reduce tenant consumption. If query limits are applied to your tenant and you exceed the defined limit of concurrent running queries, new queries are blocked until the number of active queries falls below the threshold. Canceling active queries allows you to unblock and run new queries.

How to cancel a query
  1. Select Investigation > Query Center > Active Queries.

  2. Select one or more queries and click Cancel Selected Queries.

Note

  • Canceled queries show a Canceled status. You can see details of all canceled queries in the Query History tab.

  • You cannot cancel correlation rule queries.

  • If you cancel a scheduled query, only the current run is canceled. Future recurrences of the scheduled query are not affected.