Cortex XDR Query Builder

Investigate alerts through building queries to identify connections between alerts.
The
Query Builder
is a powerful search tool at the heart of Cortex XDR that you can use to investigate any lead quickly, expose the root cause of an alert, perform damage assessment, and hunt for threats from your data sources. With
Query Builder
, you can build complex queries for entities and entity attributes so that you can surface and identify connections between them. The
Query Builder
searches the raw data and logs stored in Cortex Data Lake and Cortex XDR for the entities and attributes you specify and returns up to 100,000 results.
query-builder-options.png
The
Query Builder
provides queries for the following types of entities:
  • Process
    —Search on process execution and injection by process name, hash, path, command-line arguments, and more. See Create a Process Query.
  • File
    —Search on file creation and modification activity by file name and path. See Create a File Query.
  • Network
    —Search network activity by IP address, port, host name, protocol, and more. See Create a Network Query.
  • Registry
    —Search on registry creation and modification activity by key, key value, path, and data. See Create a Registry Query.
  • Event Log
    —Search Windows event logs by username, log event ID, log level, and message. See Create an Event Log Query.
  • NG Network
    —Search security event logs by firewall logs, endpoint raw data over your network. See Create an NG Network Query.
  • All Actions
    —Search across all network, registry, file, and process activity by endpoint or process. See Query Across All Entities.
The
Query Builder
also provides flexibility for both on-demand query generation and scheduled queries.

Recommended For You