A SOC analyst needs to retrieve the list of all open phishing incidents in the last 30 days. What is the correct query to use?
To retrieve the list of all open phishing incidents in the last 30 days, the correct query must exclude closed incidents and incidents whose category is job, while including only those of type Phishing created in the last 30 days. The query -status:closed -category:job type:Phishing created:>=
Answer is A for my XSOAR
Not sure if any of these answers are correct. On my XSOAR this query works: -status:Closed -category:job and type:Phishing created:>="30 days ago". Notice the 'and' and not '&', and the >= not <= operators. So, the -status:closed means NOT closed, as the - means the opposite. The -category:job means anything but jobs, as again the - means 'not'. The greater than or equal to is a weird one; I just created a test phishing incident, so I would have thought all Phishing incidents greater than or equal to 30 days ago.
A is correct
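To make the semantics discussed in this thread concrete (the leading '-' as NOT, the bare 'and' as an implicit conjunction, and '>=' on created meaning "on or after 30 days ago"), here is an added Python example that evaluates an XSOAR-style query string over a handful of constructed incident records. It is not XSOAR code and not the product's real search engine: it assumes case-insensitive field matching, a fixed "now" so results are reproducible, and only day/hour relative times. The incident records are constructed for the illustration.

```python
"""Simplified evaluator for an XSOAR-style incident search query (added example,
not XSOAR's own code). Supported syntax, mirroring the thread:
  -field:value            negate the term
  and                     implicit conjunction (ignored)
  created:>="30 days ago" compare the created timestamp against a relative time
Assumptions: field values match case-insensitively; only 'N days ago' /
'N hours ago' relative times; a fixed NOW so the results are reproducible.
"""
import re
import shlex
from datetime import datetime, timedelta, timezone

# Fixed reference time (assumption) so the sample output does not drift.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)

QUERY = '-status:Closed -category:job and type:Phishing created:>="30 days ago"'
# Same query with the operator flipped, to show why <= is the wrong choice.
WRONG_QUERY = '-status:Closed -category:job and type:Phishing created:<="30 days ago"'

# Constructed sample incidents: mixed types, statuses, categories and ages.
INCIDENTS = [
    {"id": 1, "type": "Phishing", "status": "Active",  "category": "",    "created": NOW - timedelta(days=5)},
    {"id": 2, "type": "Phishing", "status": "Closed",  "category": "",    "created": NOW - timedelta(days=5)},
    {"id": 3, "type": "Phishing", "status": "Active",  "category": "job", "created": NOW - timedelta(days=2)},
    {"id": 4, "type": "Phishing", "status": "Active",  "category": "",    "created": NOW - timedelta(days=45)},
    {"id": 5, "type": "Malware",  "status": "Active",  "category": "",    "created": NOW - timedelta(days=1)},
    {"id": 6, "type": "Phishing", "status": "Pending", "category": "",    "created": NOW - timedelta(days=30)},
]


def parse_relative(value, now=NOW):
    """Turn '30 days ago' into an absolute datetime (days/hours only; assumption)."""
    m = re.fullmatch(r"(\d+)\s+(days?|hours?)\s+ago", value.strip())
    if not m:
        raise ValueError(f"unsupported relative time: {value!r}")
    n, unit = int(m.group(1)), m.group(2)
    delta = timedelta(days=n) if unit.startswith("day") else timedelta(hours=n)
    return now - delta


def parse_query(query):
    """Split the query into (negated, field, operator, value) terms.

    shlex handles the quoted value, so created:>="30 days ago" becomes a single
    token 'created:>=30 days ago'. A bare 'and' is dropped: terms are ANDed anyway.
    """
    terms = []
    for tok in shlex.split(query):
        if tok.lower() == "and":
            continue
        negated = tok.startswith("-")  # leading '-' means NOT
        if negated:
            tok = tok[1:]
        field, _, rest = tok.partition(":")
        m = re.match(r"(>=|<=|>|<|=)?(.*)", rest, re.S)
        op = m.group(1) or "="
        terms.append((negated, field.lower(), op, m.group(2)))
    return terms


def term_matches(term, incident, now=NOW):
    """Evaluate one term against one incident, applying the negation last."""
    negated, field, op, value = term
    actual = incident.get(field, "")
    if field == "created":
        threshold = parse_relative(value, now)
        result = {
            ">=": actual >= threshold, "<=": actual <= threshold,
            ">": actual > threshold, "<": actual < threshold, "=": actual == threshold,
        }[op]
    else:
        result = str(actual).lower() == value.lower()
    return not result if negated else result


def search(query, incidents=INCIDENTS, now=NOW):
    """Return the ids of incidents matching every term of the query."""
    terms = parse_query(query)
    return [i["id"] for i in incidents if all(term_matches(t, i, now) for t in terms)]


if __name__ == "__main__":
    print("correct query matches:", search(QUERY))        # [1, 6]
    print("flipped operator matches:", search(WRONG_QUERY))  # [4, 6]
```

Incident 2 drops out because it is closed, 3 because its category is job, 5 because it is not a Phishing incident, and 4 because it is older than 30 days; incident 6 sits exactly on the boundary and is kept by >=. Flipping the operator to <= instead returns only the old incident and the boundary case, which is the opposite of what the analyst wants.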