Preset Query per Role

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-02-14
Last date published: 2024-04-24
Category: Administrator Guide
Solution: Cloud
Abstract

Set a default query for a role in Cortex XSOAR.

When you define or edit a role, in the Advanced tab you can view or edit a list of queries for each of the following components. The list is based on your saved queries for these components:

  • Incidents

  • Indicators (Threat Intel)

  • Jobs

Note

To add a query for a component, create the query in the component page, such as the Incidents page, and save the query (next to the query field). Give the query a name and then Save it.

You can select one of the queries from the component’s queries list to be the role’s preset query. The preset query runs when a user with that role accesses that component page.

The role's preset query is the default query for a new user. Existing users can choose a default query for themselves. The preset query is available for the user to choose.

Having a default query associated with a user’s role is useful for new users who are not sure what query is best, but also for other users who prefer to be given a default query.

When you edit or create roles, the available queries are based on the role’s editing permissions.

When you edit a role, the list of queries is populated with your own saved queries. If you change the preset query for a role, the query is added to the users’ queries, but not as the preset query. However, if you delete one of your own queries after you configure a role, the role’s list of queries is unaffected.

When you remove a role’s preset query, if a query exists for that role, it automatically becomes the preset query for the role.

Users can view the preset query based on their role when clicking the ellipsis in each component page. The preset role query has (Pre-set) appended to the name of the query. Although users can change their default query, they cannot delete the preset role query. If a user has multiple roles, the user sees multiple queries. The preset role query is the highest nested one or the first one that appears alphabetically.

If a user’s role changes, the user’s preset role query is automatically updated.