XQL Query to view the "Incident Name"

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XQL Query to view the "Incident Name"

L1 Bithead

Hi People, 

 

I was wondering if anyone could assist me with XQL Query to display the Incident name. Please refer to the attached photo to get an idea of what I am trying to achieve. I have used the xdr_data dataset, however i cannot find the relevant field. Appreciate anyone's support. 



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
6 REPLIES 6

L5 Sessionator

Hi @JBahardeen ,

 

Cortex XDR XQL shows raw data only. Incidents and alerts are events created by processing and stitching raw logs which we see in XQL and hence they are not exposed as of now with the capability to run queries on incidents and alerts.

 

As a result, this is not possible,

 

Regards.

Hi @neelrohit , 
Thank you for the prompt response and clarification. So just to confirm, it is impossible to achieve what is shown in the image and only through a feature request we could display the Incident "Description" ? and also The widget is created by PAN Internally ?Screenshot 2022-10-17 181229.png

That's right. The incidents/alerts dataset is not exposed over XQL.

Thanks for the clarification everyone !

I will reach out to your Customer Success Teams or TAC team to raise a feature request. 

I think this Top 10 Incidents provides list of last 24 hrs incidents only , can you help me how to get data for last 30 days.

Hello,

I have the same question.  I understand that it is not possible to create custom dashboard and reports based on incidents and alerts. For large company with multiple entities it is a must for me. 

  • 3555 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!