Set a default query for a role in Cortex XSOAR.
When you define a role, a list of queries for each of the following components appears. This list is based on your saved queries for these components:
- Incidents
- Indicators
- Jobs
- War Room
Note: To add a query for a component, create the query in the component page and click Add next to the query field. Give the query a name and click Save.
You can choose one of the queries from the component’s queries list to be the role’s pre-set query. The pre-set query will run when a user with that role accesses that component page.
The role's pre-set query will be the default query for a new user. Existing users will be able to choose a default query for themselves. The pre-set query will be available for the user to choose.
Having a default query associated with a user’s role is useful for new users in Cortex XSOAR who are not sure what query is best, but also for other users who prefer to be given a default query.
When you edit or create roles, the available queries are based on the role’s editing permissions as follows:
Page | Page Access or Role Permissions |
---|---|
Incidents | Incidents |
Indicators | Indicators |
Jobs | Jobs |
War Room | Investigation > data > read |
When you edit a role, the list of queries is re-populated with your own saved queries. If you change the pre-set query for a role, the query will be added to the users’ queries, but not as the pre-set query. However, if you delete one of your own queries after you configure a role, the role’s list of queries is not affected.
When you remove a role’s pre-set query, if a query exists for that role it will automatically become the pre-set query for the role.
Users can view the pre-set query based on their role when clicking Saved queries. The pre-set role query will have (Pre-set) appended to the name of the query. Although users can change their default query, they cannot delete the pre-set role query. If a user has multiple roles, the user will see multiple queries. The pre-set role query will be the highest nested one or the first one that appears alphabetically.
If a user’s role changes, the user’s pre-set role query is automatically updated.
Users can create and save queries for a component page and select any one of the saved queries to be their default query.