This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Cortex XDR Incident Management Report by tags

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cortex XDR Incident Management Report by tags

Go to solution
Danielius-Paskevic
L0 Member

‎11-30-2023 04:15 AM

Hi all,

 

I need to create an Incident Management Report by using specific tags.

 

Is it possible? Maybe I can do it via XQL query? If not, do you have any suggestions on how can I create incident reports for different tags? (I don't want to export the incidents and create reports via Excel!!!:D)

 

Best regards.

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
jtalton
L3 Networker

‎11-30-2023 07:13 AM

Hi Danielius-Paskevic,

 

You may create an XQL query using the dataset = alerts and filtering for original_tags to filter by an endpoint group tag. Below is a query example:

 

Resolved Incidents MTTR

dataset = alerts

| fields alert_id, incident_id, local_insert_ts, original_tags 

| join type = left (dataset = incidents | fields incident_id, resolved_ts) as join_incidents join_incidents.incident_id = incident_id 

| alter created_time = to_timestamp(local_insert_ts, "MILLIS")

| alter resolved_time_minutes = timestamp_diff(resolved_ts, created_time, "MINUTE")

| alter resolved_time_hours = divide(to_integer(multiply(divide(resolved_time_minutes, 60), 100)), 100) //minutes -> hours, rounded to two decimal places

| alter resolved_time_days = divide(to_integer(multiply(divide(resolved_time_minutes, 1440), 100)), 100) //minutes -> days, rounded to two decimal places

| fields alert_id, incident_id, created_time, resolved_ts, resolved_time_minutes, resolved_time_hours, resolved_time_days, original_tags 

| filter (original_tags contains """endpoint_tag_name""")

 

Also, you may view/search all of the fields in a dataset schema in Query Builder by filtering for a name as shown below. Navigate to Incident Response → Investigation → Query Builder → XQL Search

 

jtalton_0-1701356831060.png

 

Reference XQL Search • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal

 

If you found this answer helpful, please select Accept as Solution.

 

Thank you

If you found this answer helpful, please select Accept as Solution.

View solution in original post

0 Likes Likes
1 REPLY 1

Go to solution
jtalton
L3 Networker

‎11-30-2023 07:13 AM

Hi Danielius-Paskevic,

 

You may create an XQL query using the dataset = alerts and filtering for original_tags to filter by an endpoint group tag. Below is a query example:

 

Resolved Incidents MTTR

dataset = alerts

| fields alert_id, incident_id, local_insert_ts, original_tags 

| join type = left (dataset = incidents | fields incident_id, resolved_ts) as join_incidents join_incidents.incident_id = incident_id 

| alter created_time = to_timestamp(local_insert_ts, "MILLIS")

| alter resolved_time_minutes = timestamp_diff(resolved_ts, created_time, "MINUTE")

| alter resolved_time_hours = divide(to_integer(multiply(divide(resolved_time_minutes, 60), 100)), 100) //minutes -> hours, rounded to two decimal places

| alter resolved_time_days = divide(to_integer(multiply(divide(resolved_time_minutes, 1440), 100)), 100) //minutes -> days, rounded to two decimal places

| fields alert_id, incident_id, created_time, resolved_ts, resolved_time_minutes, resolved_time_hours, resolved_time_days, original_tags 

| filter (original_tags contains """endpoint_tag_name""")

 

Also, you may view/search all of the fields in a dataset schema in Query Builder by filtering for a name as shown below. Navigate to Incident Response → Investigation → Query Builder → XQL Search

 

jtalton_0-1701356831060.png

 

Reference XQL Search • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal

 

If you found this answer helpful, please select Accept as Solution.

 

Thank you

If you found this answer helpful, please select Accept as Solution.
0 Likes Likes
  • 1 accepted solution
  • 498 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks