10-17-2022 01:15 AM
Hi People,
I was wondering if anyone could assist me with an XQL query to display the Incident name. Please refer to the attached photo to get an idea of what I am trying to achieve. I have used the xdr_data dataset, however I cannot find the relevant field. I appreciate anyone's support.
10-17-2022 03:41 AM
Hi @JBahardeen ,
Cortex XDR XQL shows raw data only. Incidents and alerts are events created by processing and stitching the raw logs which we see in XQL, and hence they are not exposed as of now; there is no capability to run queries on incidents and alerts.
As a result, this is not possible.
Regards.
10-18-2022 03:49 PM - edited 10-18-2022 03:51 PM
Hi @neelrohit ,
Thank you for the prompt response and clarification. So just to confirm, it is impossible to achieve what is shown in the image, and only through a feature request could we display the Incident "Description"? Also, is the widget created by PAN internally?
10-18-2022 10:43 PM
That's right. The incidents/alerts dataset is not exposed over XQL.
10-18-2022 10:48 PM
Thanks for the clarification, everyone!
I will reach out to your Customer Success team or TAC team to raise a feature request.
03-17-2023 12:48 AM
I think this Top 10 Incidents widget provides a list of the last 24 hours' incidents only. Can you help me with how to get data for the last 30 days?
08-29-2023 02:13 AM
Hello,
I have the same question. I understand that it is not possible to create custom dashboards and reports based on incidents and alerts. For a large company with multiple entities, it is a must for me.