Pre-set Query per Role - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-11-05
End_of_Life
EoL
Category
Administrator Guide
Abstract

Set a default query for a role in Cortex XSOAR.

When you define a role, a list of queries for each of the following components appears. This list is based on your saved queries for these components:

  • Incidents

  • Indicators

  • Jobs

  • War Room

Note

To add a query for a component, create the query in the component page and click Add next to the query field. Give the query a name and click Save.

You can choose one of the queries from the component’s queries list to be the role’s pre-set query. The pre-set query will run when a user with that role accesses that component page.

The role's pre-set query will be the default query for a new user. Existing users will be able to choose a default query for themselves. The pre-set query will be available for the user to choose.

Having a default query associated with a user’s role is useful for new users in Cortex XSOAR who are not sure what query is best, but also for other users who prefer to be given a default query.

When you edit or create roles, the available queries are based on the role’s editing permissions as follows.

Page

Page Access or Role Permissions

Incidents

Incidents

Indicators

Indicators

Jobs

Jobs

War Room

Investigation > data > read

When you edit a role, the list of queries is re-populated with your own saved queries. If you change the pre-set query for a role, the query will be added to the users’ queries, but not as the pre-set query. However, if you delete one of your own queries after you configure a role, the role’s list of queries is not affected.

When you remove a role’s pre-set query, if a query exists for that role it will automatically become the pre-set query for the role.

Users can view the pre-set query based on their role when clicking Saved queries. The pre-set role query will have (Pre-set) appended to the name of the query. Although users can change the their default query, they cannot delete the pre-set role query. If a user has multiple roles, the user will see multiple queries. The pre-set role query will be the highest nested one or the first one that appears alphabetically.

If a user’s role changes, the user’s pre-set role query is automatically updated.

Users can create and save queries for a component page and select any one of the saved queries to be their default query.