Create a Search Query for Incidents - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Create a search query for incidents. Custom which incidents are displayed. Save search queries.

The default view of the Incidents page displays all open incidents from the last seven days. You can customize which incidents are displayed by creating and saving queries. You can also customize the information that is displayed for each incident by customizing the table summary layout and the Chart panel. This information is then saved as part of the query.


The timezone for searches is UTC. The system timezone is not used.

  1. In the query bar, type your search criteria.

    By default, the query is -status:closed -category:job, which searches for categories other than jobs and not those that have been closed. You can add fields like severity or type to narrow your search to critical issues or issues of a certain type.

  2. From the dropdown list, select the date range for which you want to search.

    By default, it is the last 7 days.

  3. To customize the table summary view, click the gear icon above the table.

  4. To customize the chart panel, go to one of the charts and from the dropdown list select the desired chart.

  5. To save the query do the following:

    1. Click save.png.

    2. Type a name for the query.

    3. Click Save.

    To view all saved queries, click market-gear.png. The list of saved queries appears. You can mark a saved query as a default, or delete a query. To edit an existing saved query, create a new query and save it with the exact name of the query you want to replace.

In this example, you need to search for all incidents according to the following criteria:

  • Status is not closed

  • Category is not a job

  • Type is unclassified

  • Opened within the last 7 days

In addition, add the Created column to the table summary.

Share Saved Queries

Shared queries enable you to share your customized configurations with all users. For example, you can define queries for security analysts to help focus them on incidents relevant for them to analyze. The shared queries feature applies everywhere you define queries, including incidents, dashboards, indicators, and jobs.

Once you create and save a query, to share it with all users click market-gear.png and then click share_query_icon.png for that query.


The icon next to the name of the query changes to share_query_icon.png. Hovering over this icon in the list of saved queries shows that the query is shared. To remove sharing, click share_query_icon.png to the right of the name of the query.


The shared query appears in the users’ Saved queries list. They see the query with a shared-queries-group-icon.PNG icon and the name of the shared query owner in parentheses after the query name.



  • Edits made to shared queries are not saved. To save an edited version of the shared query, make a copy and then edit and save it.

  • Copying the shared query or clicking Mark Default (to make the query the page default) keeps the shared query in the user’s Saved queries list even if the shared query owner removes the share. Otherwise, the query will disappear from the users’ Saved queries list if the query owner removes the share.