09-13-2022 12:15 AM
Hello,
I'm trying to use the automation "SearchIncidentsV2" to get the incidents with two conditions: the name and a range of time.
To achieve this, first I created a simple query to get only the incidents with a name: name: "name of playbook"
It works and a markdown file can be downloaded with all the incidents and other info, like when it was created.
So now, to check the query with the created time, a new query is tried:
name: "name of playbook" AND created:"2021-09-09T11:29:06.591074026+02:00"
It's not a range, but it should work. It doesn't.
Next try, only with the created:
created."2021-09-09T11:29:06.591074026+02:00"
It doesn't work either.
Am I missing something? Are the data columns from another place, not from the markdown? Is the date format wrong?
When the ID is with the name it works:
name: "name of playbook" AND id:"10744"
This works fine.
Thanks
09-13-2022 05:31 AM
Created dates are quite formatted correctly. created:"2021-09-09T11:29:06.591074026+02:00" should be created:"2021-09-09T11:29:06.591074026 +0200". There is a missing space between the TZ, and you also need to remove the ':' from the timezone.
Regards
Adam
09-13-2022 05:56 AM
Thanks for the reply,
What is that time transformer called in XSOAR?
09-16-2022 05:23 AM
I couldn't find the proper query for the timestamp. So I finally created another task getting the last incident created from the output of the query and comparing the current time minus 14 days, in my case, with the time of the last incident created.
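The date handling discussed in this thread, as an added example that is not part of any post and is not XSOAR code: it rewrites a `created` value into the layout given in the 05:31 AM reply and performs the "newest incident within N days" comparison described in the last post. The function names and the sample records are constructed for illustration, and the thread does not confirm that the rewritten layout is accepted in a query.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 timestamp: optional fractional seconds of any length, then "Z" or
# a numeric offset, e.g. 2021-09-09T11:29:06.591074026+02:00
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")

def _split(value):
    m = _TS.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    return base, frac, "+0000" if tz == "Z" else tz.replace(":", "")

def to_reply_format(value):
    """Layout from the reply: a space before the offset, no ':' inside it."""
    base, frac, tz = _split(value)
    return f"{base}{'.' + frac if frac else ''} {tz}"

def parse_created(value):
    """Timezone-aware datetime; nanoseconds are cut to microseconds."""
    base, frac, tz = _split(value)
    micro = (frac or "0")[:6].ljust(6, "0")
    return datetime.strptime(f"{base}.{micro}{tz}", "%Y-%m-%dT%H:%M:%S.%f%z")

def newest_within(incidents, days, now):
    """Return (newest incident, whether it was created within `days` of `now`)."""
    newest = max(incidents, key=lambda i: parse_created(i["created"]))
    return newest, now - parse_created(newest["created"]) <= timedelta(days=days)

# Constructed sample records. Compared as plain strings the first looks later,
# but in UTC it is 09:29:06 and the second is 09:30:00.
SAMPLE = [
    {"id": "10744", "created": "2021-09-09T11:29:06.591074026+02:00"},
    {"id": "10745", "created": "2021-09-09T09:30:00Z"},
]

if __name__ == "__main__":
    print(to_reply_format(SAMPLE[0]["created"]))
    print(newest_within(SAMPLE, 14, datetime.now(timezone.utc)))
```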