1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex XDR™ API Reference
    5. Cortex XDR APIs
    6. XQL Query APIs

    XQL Query APIs

    Cortex XDR enables you to run XQL queries on your data sources using a series of APIs. To execute XQL APIs you must have:
    • Cortex XDR Pro per Endpoint or Cortex XDR Pro per TB license.
    • Valid API Key and API Key ID that include the Instance Administrator role permissions.
    • Available query quota.
    Query quota is made up of query units that enable you to run XQL APIs. Each XQL API query entails a cost of query units calculated according to the complexity and number of search results. The query cost for each API query is displayed in the
    Get Query Results
     API. You can also track the query cost per XQL API search, overall usage, and remaining quota in the Cortex XDR app or by running a Get XQL Query Quota API. Cortex XDR provides a free daily quota relative to your license size for you to run XQL API queries. In the case of Managed Security, the parent quota depends solely on the children licenses.
    You will be able to purchase additional query units in future Cortex XDR versions.
    To execute a XQL API, you need to run a series of APIs. Each API requires a response value from the previous API to continue. This allows you to track the number of XQL queries you want to run, which in turn helps you manage your daily quota. Queries called without enough quota will fail. To ensure you don’t surpass your quota, Cortex XDR allows you to run up to four API queries in parallel.
    Run the following APIs to call an XQL query:
    1. Start an XQL Query—Run an XQL query. Response returns a unique execution ID used to retrieve the results by the
      Get XQL Query Results
       API.
    2. Get XQL Query Results—Retrieve XQL query results.
      API displays up to 1,000 results. If query generated more than 1,000 results, the response returns a unique stream ID used to retrieve additional results by the
      Get XQL Query Results Stream
       API.
    3. Get XQL Query Results Stream—Retrieve XQL query with more than 1,000 results.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo