Search Incidents using SLA and Timer Fields

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2023-11-02
Last date published
2024-03-28
Category
Administrator Guide
Solution
Cloud
Abstract

Search incidents based on their SLA status, an SLA field, or a timer field.

You can search for incidents based on their SLA in several ways:

  • Based on the SLA status.

    Note

    The SLA status is not defined unless the timer is in a stopped mode, meaning either paused or ended.

  • Based on an SLA field.

  • Based on a timer field.

For example, you can search for all of the timer fields that are currently running, or you can search for all incidents with a specific SLA status.

  1. Navigate to the Incidents page.

  2. To search for an incident whose timer is still active, enter the following:

    • The name of the field

    • The run status

    • The due date. This is required for queries whose run status is neither ended nor paused, to improve query performance.

  3. To search for an incident whose timer is no longer active, enter the SLA Status.

Examples

In the following example, we are searching for all incidents that have an SLA timer called slatimer and fulfill the following criteria:

  • The run status is neither ended nor paused AND the due date is later than now, meaning the due date has not yet passed.

    OR

  • Incidents whose run status is ended or paused and the SLA status is within the allotted time.

    (-slatimer.runStatus:(ended paused) and slatimer.dueDate:>"now") or (slatimer.slaStatus:"within")

In the following example, we are searching for all incidents that fulfill the following criteria:

  • The run status is neither ended nor paused AND the due date is earlier than now, meaning the due date has already passed.

    OR

  • Incidents whose run status is ended or paused and the SLA status is late.

    (-slatimer.runStatus:(ended paused) and slatimer.dueDate:<"now") or (slatimer.slaStatus:"late")

In the following example, we are searching for all incidents that fulfill the following criteria:

  • The run status is neither ended nor paused AND the due date is between now and five hours from now. The five hours represent our risk threshold.

    OR

  • Incidents whose run status is ended or paused and the SLA status is Risk.

    (-slatest.runStatus:(ended paused) and slatest.dueDate:>"now" and slatest.dueDate:<"in 300 minutes") or (slatest.slaStatus:"risk")
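The following is an added example, not part of the guide: it builds the three queries above for any timer field name and risk threshold, and applies the same criteria locally to a few constructed incidents so the overlap between the "within" and "risk" conditions for a still-running timer is visible. It assumes each timer value is a dict with runStatus, dueDate and slaStatus keys mirroring the field names used in the queries, with slaStatus absent while the timer is running.

```python
from datetime import datetime, timedelta, timezone

STOPPED = ("ended", "paused")  # SLA status is only defined once the timer is in one of these states


def build_sla_queries(field, risk_minutes=300):
    """Build the three incident-search queries from the guide for the timer field `field`."""
    running = f"-{field}.runStatus:(ended paused)"  # timer is neither ended nor paused
    return {
        "within": f'({running} and {field}.dueDate:>"now") or ({field}.slaStatus:"within")',
        "late": f'({running} and {field}.dueDate:<"now") or ({field}.slaStatus:"late")',
        "risk": (
            f'({running} and {field}.dueDate:>"now" and {field}.dueDate:<"in {risk_minutes} minutes")'
            f' or ({field}.slaStatus:"risk")'
        ),
    }


def matches(timer, bucket, now, risk_minutes=300):
    """Evaluate the same criteria locally against one timer value (a dict, assumed shape)."""
    running = timer["runStatus"] not in STOPPED
    due = timer["dueDate"]
    sla_status = timer.get("slaStatus")  # absent while the timer is still running
    if bucket == "within":
        return (running and due > now) or sla_status == "within"
    if bucket == "late":
        return (running and due < now) or sla_status == "late"
    if bucket == "risk":
        in_window = now < due < now + timedelta(minutes=risk_minutes)
        return (running and in_window) or sla_status == "risk"
    raise ValueError(f"unknown bucket: {bucket}")


# Constructed sample data: four incidents with a "slatimer" field, evaluated at a fixed "now".
NOW = datetime(2024, 3, 28, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = {
    "INC-1": {"runStatus": "running", "dueDate": NOW + timedelta(hours=2)},  # running, inside the 5h window
    "INC-2": {"runStatus": "running", "dueDate": NOW - timedelta(hours=1)},  # running, already overdue
    "INC-3": {"runStatus": "paused", "dueDate": NOW - timedelta(days=1), "slaStatus": "late"},
    "INC-4": {"runStatus": "ended", "dueDate": NOW + timedelta(days=1), "slaStatus": "within"},
}


def search(incidents, bucket, now=NOW):
    """Return the incident ids whose slatimer field satisfies the query for `bucket`."""
    return sorted(i for i, timer in incidents.items() if matches(timer, bucket, now))


if __name__ == "__main__":
    for bucket, query in build_sla_queries("slatimer").items():
        print(f"{bucket:7} {query}\n        -> {search(SAMPLE_INCIDENTS, bucket)}")
```

INC-1 matches both the "within" and the "risk" query, because the running-timer clause of the "within" query (due date later than now) also covers the risk window; narrow the "within" clause to dueDate later than the risk threshold if the two result sets must not overlap.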