https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549766#M2328 <P>But when I check your query, the IP is the same for the victim and target which does not sound right. Could you please copy and paste the same query in incidents search box to see if there is any alerts.</P> Tue, 18 Jul 2023 09:40:07 GMT gyldz 2023-07-18T09:40:07Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549581#M2322 <P>Hi, I am using SearchIncidentsV2 automation to loop through 2 IP addresses previously saved to IP incident key, to see if these IPs are showing in FireEye NX alerts. When I try to loop I receive empty foundIncidents key:&nbsp;&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MMagdic_0-1689670794647.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51718i75B5CEF7C45A13BC/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MMagdic_0-1689670794647.png" alt="MMagdic_0-1689670794647.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>When I hardcode the IP addresses everything works as it should.&nbsp;<BR />What I am missing?<BR /><LI-PRODUCT title="Cortex XSOAR" id="Cortex_XSOAR"></LI-PRODUCT>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 18 Jul 2023 09:00:22 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549581#M2322 MMagdic 2023-07-18T09:00:22Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549761#M2326 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/271971">@MMagdic</a>&nbsp;,</P> <P>&nbsp;</P> <P>Do you see any results when you use the same query in the incidents page search box?<BR /><BR /></P> Tue, 18 Jul 2023 09:20:27 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549761#M2326 gyldz 2023-07-18T09:20:27Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549765#M2327 <P>Yes, of course with hardcoded IP values.</P> Tue, 18 Jul 2023 09:32:12 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549765#M2327 MMagdic 2023-07-18T09:32:12Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549766#M2328 <P>But when I check your query, the IP is the same for the victim and target which does not sound right. Could you please copy and paste the same query in incidents search box to see if there is any alerts.</P> Tue, 18 Jul 2023 09:40:07 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549766#M2328 gyldz 2023-07-18T09:40:07Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549805#M2331 <P>Yes, the reason to have both (victim and target) is because sometimes FireEye NX is parsing incident fields not correctly, putting external (attacker IP) in target ip. But the query is working:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MMagdic_0-1689683575150.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51726i654AB8D72120EE9B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MMagdic_0-1689683575150.png" alt="MMagdic_0-1689683575150.png" /></span></P> <P>So the question is how to loop through a couple of IP addresses, e.g. at least 2 IP addresses in&nbsp;<SPAN>SearchIncidentsV2 automation using query as a filter.</SPAN></P> <P>&nbsp;</P> Tue, 18 Jul 2023 12:36:01 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549805#M2331 MMagdic 2023-07-18T12:36:01Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549809#M2332 <P>See here results when I try with 2 IP addresses:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="query_results.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51728i4314E6B685883619/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="query_results.png" alt="query_results.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="query_results_foundIncidents.png" style="width: 390px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51727i538FBCF567230195/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="query_results_foundIncidents.png" alt="query_results_foundIncidents.png" /></span></P> Tue, 18 Jul 2023 12:42:39 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549809#M2332 MMagdic 2023-07-18T12:42:39Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549821#M2333 <P>Hi again, you need to use&nbsp;join transformer for that task. Before searching the incidents Set another field as below and then use it in the search incidents task.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gyldz_3-1689685291576.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51732i598EF1E6ECD6C377/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="gyldz_3-1689685291576.png" alt="gyldz_3-1689685291576.png" /></span></P> <P>&nbsp;</P> <DIV id="tinyMceEditor_14f04a2e6150f9gyldz_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gyldz_2-1689685246360.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51731i26DA13675BD995C2/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="gyldz_2-1689685246360.png" alt="gyldz_2-1689685246360.png" /></span></P> <P>&nbsp;</P> Tue, 18 Jul 2023 13:01:48 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549821#M2333 gyldz 2023-07-18T13:01:48Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549832#M2334 <P>Thanks, but this should work only by adding space before&amp;after "or" to " or " (in Join Transformer) as in cli:</P> <P><SPAN>!SearchIncidentsV2 query="type:FireEye NX Alert and fireeyenxalertvictimip:11.11.11.11 or 134.122.90.162"<BR /><BR /></SPAN></P> Tue, 18 Jul 2023 13:41:46 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549832#M2334 MMagdic 2023-07-18T13:41:46Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549833#M2335 <P>Yes there was a space in the screenshot I shared&nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 18 Jul 2023 14:15:46 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/searchincidentsv2-not-returning-results/m-p/549833#M2335 gyldz 2023-07-18T14:15:46Z