topic Re: XQL Query for incidents/alerts in Cortex XDR Discussions

XQL Query for incidents/alerts

NivedaR — Sun, 18 Sep 2022 15:17:00 GMT

Hello ,

Is there a way to create XQL query for the details related to incidents or alerts for past 7 days that can be used as a widget . The current widget options do no give us the output we require.

Thanks

Re: XQL Query for incidents/alerts

neelrohit — Sun, 18 Sep 2022 16:45:26 GMT

Hi @NivedaR ,

Thank you for writing to live community!

As of now we do not support XQL on incidents and alerts as incidents and alerts are processed data and XQL shows only raw events for the data we gather.

However, we would like to know your used case for details on incidents and alerts as to what is the exact data you would want to see so that we could help you with more specific answer to the above.

Regards

Re: XQL Query for incidents/alerts

NivedaR — Sun, 18 Sep 2022 17:23:15 GMT

Hi @neelrohit ,

Thanks. We were looking for a similar widget as in the total number of open incidents but customized to last 7 days. For alerts like the top 4 alerts in the last 7 days , Something along those lines...

Re: XQL Query for incidents/alerts

neelrohit — Sun, 18 Sep 2022 18:53:07 GMT

Hi @NivedaR ,

We understand your request. As stated above, though there's not much customisation available to the same. However, one of your used cases can be covered and that is with respect to new incidents over a 7 days period. We have a Security Admin Dashboard with widget which shows incidents generated(vs resolved) over a period of time which is a period of 7 days. Sample screenshot attached for reference.

As a workaround, if this suits you fine. Alternatively, you can reach out to your Customer Success Teams or TAC team to raise a feature request for the same.