Search incidents for Timer/SLAs - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product
Cortex XSOAR
Version
8.5
Creation date
2024-03-10
Last date published
2024-11-28
Category
Administrator Guide
Solution
On-prem
Abstract

Search incidents based on their SLA status, an SLA field, or a timer field.

You can search for incidents based on their SLA in several ways:

  • Based on the SLA status.

    Note

    The SLA status is not defined unless the timer is in a stopped mode, meaning either paused or ended.

  • Based on an SLA field.

  • Based on a timer field.

For example, you can search for all of the timer fields that are currently running, or you can search for all incidents with a specific SLA status.

  1. Navigate to the Incidents page.

  2. To search for an incident whose Timer/SLA is still active, enter the following:

    • The name of the field

    • The run status

    • The due date

      This parameter is required for queries whose run status is neither ended nor paused, to improve query performance.

  3. To search for an incident whose timer is no longer active, enter the SLA Status.

Examples

In the following examples, search for all incidents using the Remediation SLA field that fulfill one of the following criteria:

  • The Remediation SLA run status has not ended or paused AND the due date is later than now OR the SLA status is within time.

    (-remediationsla.runStatus:(ended paused) and remediationsla.dueDate:>now) or (remediationsla.slaStatus:"within")

  • The Remediation SLA run status has not ended or paused AND the due date is earlier than now OR the SLA status is late.

    (-remediationsla.runStatus:(ended paused) and remediationsla.dueDate:<now) or (remediationsla.slaStatus:late)

  • The Remediation SLA run status has not ended or paused AND the due date is between now and five hours (the five hours represent our risk threshold) OR the SLA status is Risk.

    (-remediationsla.runStatus:(ended paused) and remediationsla.dueDate:>now and remediationsla.dueDate:<"in 300 minutes") or (remediationsla.slaStatus:risk)
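The following Python script is an added example and is not Cortex XSOAR product code or part of this guide. It turns the procedure and the three Remediation SLA queries above into something you can run offline: a query builder that produces the within/late/risk searches for any SLA field name and risk threshold, plus a classifier that applies the same rule the Note describes (a timer that is still running has no SLA status, so its state is derived from the due date; a stopped timer keeps its stored status). The incident records, the `dueDate` ISO timestamps, the `"running"` run status value and the five-hour risk window are constructed for illustration; real incidents returned by the platform may carry different field shapes.

```python
"""Build Timer/SLA search queries and classify constructed incidents by SLA state.

Added example, not Cortex XSOAR code. Field names, run status values and the
incident records below are assumptions made for illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

STOPPED_RUN_STATES = {"ended", "paused"}   # SLA status is only defined in these modes
DEFAULT_RISK_MINUTES = 300                 # the page's five-hour risk threshold


def sla_queries(field: str, risk_minutes: int = DEFAULT_RISK_MINUTES) -> dict:
    """Return the page's within/late/risk queries for an SLA field machine name."""
    running = f"-{field}.runStatus:(ended paused)"
    return {
        "within": f'({running} and {field}.dueDate:>now) or ({field}.slaStatus:"within")',
        "late": f"({running} and {field}.dueDate:<now) or ({field}.slaStatus:late)",
        "risk": (
            f'({running} and {field}.dueDate:>now and {field}.dueDate:<"in {risk_minutes} minutes")'
            f" or ({field}.slaStatus:risk)"
        ),
    }


def effective_state(timer: dict, now: datetime,
                    risk_minutes: int = DEFAULT_RISK_MINUTES) -> Optional[str]:
    """One state per timer: stored slaStatus if stopped, otherwise derived from dueDate.

    Risk takes precedence over within for a running timer that is inside the risk window.
    """
    if timer.get("runStatus") in STOPPED_RUN_STATES:
        return timer.get("slaStatus")          # may be None if the status was never set
    due = timer.get("dueDate")
    if due is None:
        return None                            # running timer without a due date cannot be classified
    due_dt = datetime.fromisoformat(due)
    if due_dt < now:
        return "late"
    if due_dt < now + timedelta(minutes=risk_minutes):
        return "risk"
    return "within"


def matches_query(timer: dict, state: str, now: datetime,
                  risk_minutes: int = DEFAULT_RISK_MINUTES) -> bool:
    """Evaluate the page's OR-queries literally against one timer field.

    Note that the literal 'within' query (dueDate > now) also matches running timers
    that are inside the risk window; effective_state() resolves that overlap.
    """
    if timer.get("runStatus") in STOPPED_RUN_STATES:
        return timer.get("slaStatus") == state
    due = timer.get("dueDate")
    if due is None:
        return False                           # the due date is required for running-timer queries
    due_dt = datetime.fromisoformat(due)
    if state == "within":
        return due_dt > now
    if state == "late":
        return due_dt < now
    if state == "risk":
        return now < due_dt < now + timedelta(minutes=risk_minutes)
    raise ValueError(f"unknown SLA state: {state}")


def search_incidents(incidents: list, field: str, state: str, now: datetime,
                     risk_minutes: int = DEFAULT_RISK_MINUTES) -> list:
    """Return the ids of incidents whose timer field matches the given state query."""
    return [inc["id"] for inc in incidents
            if field in inc and matches_query(inc[field], state, now, risk_minutes)]


NOW = datetime(2024, 11, 28, 12, 0, tzinfo=timezone.utc)   # constructed reference time

SAMPLE_INCIDENTS = [   # constructed records, not real platform data
    {"id": "1", "remediationsla": {"runStatus": "running", "dueDate": "2024-11-28T13:30:00+00:00"}},  # due in 90 min
    {"id": "2", "remediationsla": {"runStatus": "running", "dueDate": "2024-11-29T12:00:00+00:00"}},  # due in 24 h
    {"id": "3", "remediationsla": {"runStatus": "running", "dueDate": "2024-11-28T11:00:00+00:00"}},  # overdue
    {"id": "4", "remediationsla": {"runStatus": "ended", "slaStatus": "late"}},                        # stored status
    {"id": "5", "remediationsla": {"runStatus": "paused", "dueDate": "2024-11-28T11:00:00+00:00",
                                   "slaStatus": "within"}},                                            # paused: dueDate ignored
    {"id": "6", "remediationsla": {"runStatus": "running"}},                                           # no dueDate
]

if __name__ == "__main__":
    for name, query in sla_queries("remediationsla").items():
        print(f"{name:7s} {query}")
    for inc in SAMPLE_INCIDENTS:
        print(inc["id"], effective_state(inc["remediationsla"], NOW))
```

Incident 5 shows the Note in practice: its due date is already in the past, but because the timer is paused the stored SLA status is what the search uses. Incident 1 shows why the page's "within" query and "risk" query are not mutually exclusive: a running timer due in 90 minutes satisfies `dueDate:>now` as well as the risk window, so if you need a single bucket per incident, classify with the risk window first as `effective_state()` does.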