Create an Authentication Query

Create a query to investigate authentication activity.
From the Query Builder you can investigate authentication activity across all ingested authentication logs and data.
Some examples of authentication queries you can run include:
  • Authentication logs by severity
  • Authentication logs by event message
  • Authentication logs for a specific source IP address
To build an authentication query:
  1. From Cortex XDR, select INVESTIGATION > Query Builder.
  2. Select AUTHENTICATION.
  3. Enter the search criteria for the authentication query.
    By default, Cortex XDR returns the activity that matches all the criteria you specify. To exclude a value, toggle the = option to =!.
  4. Choose when to run the query.
    Select the calendar icon to schedule the query to run on or before a specific date, Run in background to run the query as resources are available, or Run to run the query immediately and view the results in the Query Center.
  5. When you are ready, View the Results of a Query.
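The following Python is an added illustration, not Cortex XDR code: it models the criteria semantics from step 3 (every criterion must match, and a criterion toggled to =! must not match) over a few constructed authentication events, so you can see how the three example queries above and an exclusion combine. The field names and sample values are assumptions.

```python
"""Constructed model of Query Builder criteria semantics (not Cortex XDR code)."""

# Constructed sample authentication events, loosely shaped like ingested auth logs.
AUTH_EVENTS = [
    {"severity": "high", "event_message": "Logon failure", "source_ip": "10.0.0.5"},
    {"severity": "low", "event_message": "Logon success", "source_ip": "10.0.0.5"},
    {"severity": "high", "event_message": "Logon failure", "source_ip": "192.0.2.7"},
    {"severity": "medium", "event_message": "Account locked", "source_ip": "10.0.0.9"},
]

INCLUDE, EXCLUDE = "=", "=!"  # the two toggle states described in step 3


def matches(event, criteria):
    """Return True when the event satisfies every (field, operator, value) criterion.

    "=" requires the field to equal the value; "=!" requires it not to.
    All criteria are ANDed, which is the Query Builder default described above.
    """
    for field, op, value in criteria:
        equal = event.get(field) == value
        if op == INCLUDE and not equal:
            return False
        if op == EXCLUDE and equal:
            return False
        if op not in (INCLUDE, EXCLUDE):
            raise ValueError(f"unknown operator {op!r}")
    return True


def run_query(criteria, events=AUTH_EVENTS):
    """Filter the constructed events with the given criteria list."""
    return [e for e in events if matches(e, criteria)]


if __name__ == "__main__":
    # Authentication logs by severity
    print(run_query([("severity", INCLUDE, "high")]))
    # Logs from one source IP, excluding successful logons
    print(run_query([("source_ip", INCLUDE, "10.0.0.5"),
                     ("event_message", EXCLUDE, "Logon success")]))
```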
