topic Re: Query in Lucene syntax don't get the created data time in Cortex XSOAR Discussions

Query in Lucene syntax don't get the created data time

Josep — Tue, 13 Sep 2022 07:15:24 GMT

Hello,

I'm trying to use the automation "SearchIncidentsV2" to get the incidents with two conditions: the name and a range of time.

To achieve this, first I created a simple Query to get only the incidentes with a name. name: "name of playbook"

It works and a markdown file can be downloaded with all the incidents and other info, like when was created.

So now, to check the query with the created time, a new query is proved:

name: "name of playbook" AND created:"2021-09-09T11:29:06.591074026+02:00"

It's not a range, but it should work. It doesn't

Next try, only with the created:

created."2021-09-09T11:29:06.591074026+02:00"

It doesn't work neither.

Am I missing something? the data columns are from an other place? not from the markdown? the date format is wrong?

When the ID is with the name it works:

name: "name of playbook" AND id:"10744"

This works fine.

Thanks

Re: Query in Lucene syntax don't get the created data time

ABurt — Tue, 13 Sep 2022 12:31:35 GMT

Created dates are quite formatted correctly. created:"2021-09-09T11:29:06.591074026+02:00" should be created:"2021-09-09T11:29:06.591074026 +0200". There is a missing space between the TZ and also need to remove the ':' from the timezone.

Regards

Adam

Re: Query in Lucene syntax don't get the created data time

Josep — Tue, 13 Sep 2022 12:56:22 GMT

Thanks for the reply,

How is called that called that time transformer in XSOAR?

Re: Query in Lucene syntax don't get the created data time

Josep — Fri, 16 Sep 2022 12:23:55 GMT

I couldn't not find the proper Query for the timestamp. So I finally, created another task getting the last incident created from the output of the Query and compering the current time minus 14 days in my case, with the time of the last incident created.