https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-creation-time-filter/m-p/1225582#M8179 <P>OK thank your reply. how can this apply to incident filter using XQL query for <STRONG>creation time.</STRONG></P> <P>&nbsp;</P> <LI-CODE lang="markup">dataset = incidents</LI-CODE> Thu, 03 Apr 2025 13:03:30 GMT Chamindu 2025-04-03T13:03:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-creation-time-filter/m-p/1225425#M8176 <LI-CODE lang="markup">dataset = alerts</LI-CODE> <P>&nbsp;</P> <ARTICLE class="w-full text-token-text-primary" dir="auto" data-testid="conversation-turn-6" data-scroll-anchor="true"> <DIV class="text-base my-auto mx-auto py-5 px-6"> <DIV class="mx-auto flex flex-1 text-base gap-4 md:gap-5 lg:gap-6 md:max-w-3xl lg:max-w-[40rem] xl:max-w-[48rem] group/turn-messages focus-visible:outline-none" tabindex="-1"> <DIV class="group/conversation-turn relative flex w-full min-w-0 flex-col agent-turn @xs/thread:px-0 @sm/thread:px-1.5 @md/thread:px-4"> <DIV class="relative flex-col gap-1 md:gap-3"> <DIV class="flex max-w-full flex-col flex-grow"> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 whitespace-normal break-words text-start [.text-message+&amp;]:mt-5" dir="auto" data-message-author-role="assistant" data-message-id="54903566-326a-41a0-8a45-69771bd6e6bd" data-message-model-slug="gpt-4o"> <DIV class="flex w-full flex-col gap-1 empty:hidden first:pt-[3px]"> <DIV class="markdown prose w-full break-words dark:prose-invert dark"> <P class="" data-start="0" data-end="232">I need to filter alerts using XQL. However, when I use the above query in the usual format, it filters alerts based on the <STRONG data-start="117" data-end="137">last update time</STRONG>. What I actually need is to filter alerts based on their <STRONG data-start="195" data-end="212">creation time</STRONG>. How can I do that?</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </ARTICLE> <DIV class="pointer-events-none h-px w-px" aria-hidden="true" data-edge="true">&nbsp;</DIV> Wed, 02 Apr 2025 06:14:31 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-creation-time-filter/m-p/1225425#M8176 Chamindu 2025-04-02T06:14:31Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-creation-time-filter/m-p/1225561#M8178 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/320316">@Chamindu</a>&nbsp;,</P> <P>&nbsp;</P> <P>In Alerts dataset, it doesn't&nbsp;<SPAN>filters alerts based on the&nbsp;</SPAN><STRONG data-start="117" data-end="137">last update time.&nbsp;</STRONG>In Incidents dataset, _time refers to last updated time and in Alerts dataset it refers to Alert generation time on source origin. Please refer to below:</P> <DIV id="message-list_1743668711.389729" class="c-virtual_list__item" tabindex="0" role="listitem" aria-setsize="-1" data-qa="virtual-list-item" data-item-key="1743668711.389729"> <DIV class="c-message_kit__background p-message_pane_message__message c-message_kit__message" role="presentation" data-qa="message_container" data-qa-unprocessed="false" data-qa-placeholder="false"> <DIV class="c-message_kit__hover" role="document" aria-roledescription="message" data-qa-hover="true"> <DIV class="c-message_kit__actions c-message_kit__actions--above"> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <DIV class="p-rich_text_section">_time: represents the timestamp of the actual event that triggered the alert.<BR /><I data-stringify-type="italic">event</I>_timestamp:Also denotes the timestamp of the event related to the alert, typically mirroring the<SPAN>&nbsp;</SPAN><CODE class="c-mrkdwn__code" data-stringify-type="code">_time</CODE><SPAN>&nbsp;</SPAN>field.<BR />Arrival_time: Indicates the time when the alert was ingested into the Cortex XDR system.<SPAN class="c-message__edited_label" data-sk="tooltip_parent">&nbsp;(edited)&nbsp;</SPAN></DIV> <DIV class="p-rich_text_section"><SPAN class="c-message__edited_label" data-sk="tooltip_parent"><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Overview-of-the-Alerts-page" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Overview-of-the-Alerts-page</A></SPAN></DIV> <DIV class="p-rich_text_section">&nbsp;</DIV> <DIV class="p-rich_text_section"><SPAN class="c-message__edited_label" data-sk="tooltip_parent">You can simply sort using _time field and you will get the alerts based on Creation time.</SPAN></DIV> <DIV class="p-rich_text_section">&nbsp;</DIV> <DIV class="p-rich_text_section"><SPAN class="c-message__edited_label" data-sk="tooltip_parent"><SPAN>If you feel this has answered your query, please let us know by clicking like and&nbsp; on "mark this as a Solution". Thank you.</SPAN></SPAN></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV id="message-list_1743668835.568479" class="c-virtual_list__item" tabindex="-1" role="listitem" aria-setsize="-1" data-qa="virtual-list-item" data-item-key="1743668835.568479"> <DIV class="c-message_kit__background p-message_pane_message__message c-message_kit__message" role="presentation" data-qa="message_container" data-qa-unprocessed="false" data-qa-placeholder="false"> <DIV class="c-message_kit__hover" role="document" aria-roledescription="message" data-qa-hover="true"> <DIV class="c-message_kit__actions c-message_kit__actions--above"> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__left" role="presentation">&nbsp;</DIV> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <DIV class="p-rich_text_section">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Thu, 03 Apr 2025 09:37:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-creation-time-filter/m-p/1225561#M8178 aspatil 2025-04-03T09:37:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-creation-time-filter/m-p/1225582#M8179 <P>OK thank your reply. how can this apply to incident filter using XQL query for <STRONG>creation time.</STRONG></P> <P>&nbsp;</P> <LI-CODE lang="markup">dataset = incidents</LI-CODE> Thu, 03 Apr 2025 13:03:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-creation-time-filter/m-p/1225582#M8179 Chamindu 2025-04-03T13:03:30Z