11-30-2023 04:15 AM
Hi all,
I need to create an Incident Management Report by using specific tags.
Is it possible? Maybe I can do it via an XQL query? If not, do you have any suggestions on how I can create incident reports for different tags? (I don't want to export the incidents and create reports via Excel!!! :D)
Best regards.
11-30-2023 07:13 AM
Hi Danielius-Paskevic,
You may create an XQL query using the dataset = alerts and filtering for original_tags to filter by an endpoint group tag. Below is a query example:
Resolved Incidents MTTR
dataset = alerts
| fields alert_id, incident_id, local_insert_ts, original_tags
| join type = left (dataset = incidents | fields incident_id, resolved_ts) as join_incidents join_incidents.incident_id = incident_id
| alter created_time = to_timestamp(local_insert_ts, "MILLIS")
| alter resolved_time_minutes = timestamp_diff(resolved_ts, created_time, "MINUTE")
| alter resolved_time_hours = divide(to_integer(multiply(divide(resolved_time_minutes, 60), 100)), 100) //minutes -> hours, rounded to two decimal places
| alter resolved_time_days = divide(to_integer(multiply(divide(resolved_time_minutes, 1440), 100)), 100) //minutes -> days, rounded to two decimal places
| fields alert_id, incident_id, created_time, resolved_ts, resolved_time_minutes, resolved_time_hours, resolved_time_days, original_tags
| filter (original_tags contains """endpoint_tag_name""")
Also, you may view/search all of the fields in a dataset schema in Query Builder by filtering for a name as shown below. Navigate to Incident Response → Investigation → Query Builder → XQL Search
Reference: XQL Search, Cortex XDR Pro Administrator Guide, Palo Alto Networks documentation portal
If you found this answer helpful, please select Accept as Solution.
Thank you
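The following is an added example, not part of the reply above or of any Palo Alto Networks code: a small Python model of what the XQL query computes, run over constructed sample alert and incident rows. It assumes that local_insert_ts and resolved_ts are both epoch milliseconds, that timestamp_diff(..., "MINUTE") yields whole minutes, that to_integer truncates toward zero, and that the contains filter is a case-insensitive substring match. Under those assumptions two details become visible that the query itself does not advertise: the "two decimal places" conversion truncates rather than rounds, and a tag filter on "endpoint_tag_name" also matches tags such as "endpoint_tag_name2". Unresolved incidents survive the left join with resolved_ts = None and must be excluded from the mean.

```python
# Added example (not from the original post): a Python model of the MTTR-per-tag
# logic expressed by the XQL query, run over constructed sample data.
import math
from datetime import datetime, timezone

# Assumption: local_insert_ts and resolved_ts are epoch milliseconds.
T0 = 1701302400000  # 2023-11-30 00:00:00 UTC, constructed base time

# Constructed sample rows shaped like the fields the query selects.
ALERTS = [
    {"alert_id": "a1", "incident_id": "i1", "local_insert_ts": T0, "original_tags": "endpoint_tag_name"},
    {"alert_id": "a2", "incident_id": "i2", "local_insert_ts": T0, "original_tags": "endpoint_tag_name"},
    {"alert_id": "a3", "incident_id": "i3", "local_insert_ts": T0, "original_tags": "other_tag"},
    {"alert_id": "a4", "incident_id": "i4", "local_insert_ts": T0, "original_tags": "endpoint_tag_name"},
    {"alert_id": "a5", "incident_id": "i5", "local_insert_ts": T0, "original_tags": "endpoint_tag_name2"},
]
INCIDENTS = [
    {"incident_id": "i1", "resolved_ts": T0 + 90 * 60_000},
    {"incident_id": "i2", "resolved_ts": T0 + 200 * 60_000},
    {"incident_id": "i3", "resolved_ts": T0 + 10 * 60_000},
    {"incident_id": "i5", "resolved_ts": T0 + 30 * 60_000},
    # i4 has no row: the incident is still open, so the left join yields resolved_ts = None
]


def trunc2(x):
    """Models divide(to_integer(multiply(x, 100)), 100).

    Assumption: to_integer truncates toward zero, so this keeps two decimals
    by truncation, not by rounding (3.336 -> 3.33, not 3.34)."""
    return math.trunc(x * 100) / 100


def mttr_rows(alerts, incidents, tag):
    """Left-join alerts to incidents, derive the MTTR columns, filter by tag."""
    resolved_by_incident = {i["incident_id"]: i["resolved_ts"] for i in incidents}
    rows = []
    for a in alerts:
        # Assumption: XQL `contains` is a case-insensitive substring match,
        # so a filter on "endpoint_tag_name" also matches "endpoint_tag_name2".
        if tag.lower() not in a["original_tags"].lower():
            continue
        resolved_ts = resolved_by_incident.get(a["incident_id"])  # None when unresolved
        created_time = datetime.fromtimestamp(a["local_insert_ts"] / 1000, tz=timezone.utc)
        minutes = hours = days = None
        if resolved_ts is not None:
            # Assumption: timestamp_diff(..., "MINUTE") yields whole minutes.
            minutes = (resolved_ts - a["local_insert_ts"]) // 60_000
            hours = trunc2(minutes / 60)
            days = trunc2(minutes / 1440)
        rows.append({
            "alert_id": a["alert_id"],
            "incident_id": a["incident_id"],
            "created_time": created_time,
            "resolved_ts": resolved_ts,
            "resolved_time_minutes": minutes,
            "resolved_time_hours": hours,
            "resolved_time_days": days,
            "original_tags": a["original_tags"],
        })
    return rows


def mean_mttr_minutes(rows):
    """Mean time to resolve over resolved incidents only; None if none resolved."""
    resolved = [r["resolved_time_minutes"] for r in rows if r["resolved_time_minutes"] is not None]
    return sum(resolved) / len(resolved) if resolved else None


if __name__ == "__main__":
    report = mttr_rows(ALERTS, INCIDENTS, "endpoint_tag_name")
    for r in report:
        print(r["alert_id"], r["original_tags"], r["resolved_time_minutes"],
              r["resolved_time_hours"], r["resolved_time_days"])
    print("mean MTTR (minutes):", mean_mttr_minutes(report))
```

To get an exact tag match instead of a substring match, compare the split tag list against the tag value rather than using contains; to get true rounding to two decimals, use a rounding function rather than the to_integer trick, if the XQL version in use provides one.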