topic Re: XQL query for incident report in Cortex XDR Discussions

XQL query for incident report

T.Nurmi — Thu, 10 Oct 2024 13:53:57 GMT

I like to get a hint how i can build simple xql query for overtime timeframe for incidents. I need to filter that data, but that kind report that i can show example monthly base report for customer. where there are data for each day

Re: XQL query for incident report

nsinghvirk — Fri, 11 Oct 2024 03:29:29 GMT

Hello @T.Nurmi

Thanks for reaching out on LiveCommunity!

To get a comprehensive view of incidents over time please use "Incident Management" dashboard where you can interact with data based on various parameters like status, severity and assignment etc. You can also generate a report of it based on the timeframe that you want to see. You can also create a custom dashboard based on "Incident Management" by adding custom widgets for your particular use case.

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

Re: XQL query for incident report

T.Nurmi — Fri, 11 Oct 2024 05:53:48 GMT

Hi. Thanks for answer, but what i try to find is to get trend reports . example here is data for 30 days, but i like to get trend reports for this kind info> then able to see monthly report/by day

config timeframe between "30d" and "now"
| dataset = incidents
| filter (status in (ENUM.NEW,UNDER_INVESTIGATION ))
| filter (alert_sources != "fw")
| comp count(status) as counter by status

| view graph type = pie xaxis = status yaxis = counter

Re: XQL query for incident report

kadirerol — Fri, 17 Jan 2025 11:52:13 GMT

Hi,

Thanks for answer but I need to calculate month by month in the last 1 year. For example march 2024-april 2024 245 incident,april 2024-march 2024 230 incidents and in the same query.

Re: XQL query for incident report

kadirerol — Tue, 21 Jan 2025 06:37:16 GMT

Ok. I found it.

Re: XQL query for incident report

T.Nurmi — Tue, 21 Jan 2025 08:19:55 GMT

Thanks 🙂 very good advice

Re: XQL query for incident report

T.Nurmi — Wed, 22 Jan 2025 08:49:45 GMT

so if i want to compare example truepositive and falsepositive /month with year level> what i should add to query

Re: XQL query for incident report

kadirerol — Mon, 03 Feb 2025 07:49:43 GMT

Hi,

I guess you need below query

| view graph type = column subtype = stacked xaxis = month yaxis = status,total_inc_month default_limit = `false` seriescolor("status","#ee0505") headerfontsize = 3 legendfontsize = 4 xaxistitle = "Status by month" yaxistitle = "Count"

Re: XQL query for incident report

T.Nurmi — Fri, 21 Feb 2025 10:49:06 GMT

Yes. thanks. But how i get those data for own "pilar"

now all info in same month located in same pilar...:)