Create an Authentication Query

From the Cortex® XDR™ management console, you can create a query to investigate any authentication activity.
From the Query Builder you can investigate authentication activity across all ingested authentication logs and data.
Some examples of authentication queries you can run include:
  • Authentication logs by severity
  • Authentication logs by event message
  • Authentication logs for a specific source IP address
To build an authentication query:
  1. From Cortex XDR, select INVESTIGATION > Query Builder.
  2. Select AUTHENTICATION.
  3. Enter the search criteria for the authentication query.
     By default, Cortex XDR returns the activity that matches all the criteria you specify. To exclude a value, toggle the = option to =!.
  4. Choose when to run the query.
     Select the calendar icon to schedule the query to run on or before a specific date, Run in background to run the query as resources are available, or Run to run the query immediately and view the results in the Query Center.
  5. When you are ready, View the Results of a Query.
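The matching rules from step 3 (every criterion must match, and =! excludes a value) can be illustrated with a small filter over sample records. This is an added example, not Cortex XDR code: the record field names and the log entries are constructed for illustration.

```python
# Added example (not Cortex XDR code): a filter that mirrors the Query Builder
# criteria semantics described above. Every criterion must match (AND), and an
# "=!" criterion excludes records carrying that value.
from dataclasses import dataclass

# Constructed sample authentication records. Field names are assumptions made
# for this example, not the product's schema.
AUTH_LOGS = [
    {"timestamp": "2024-05-01T08:00:01Z", "severity": "high",
     "event_message": "logon failure", "source_ip": "203.0.113.10", "user": "alice"},
    {"timestamp": "2024-05-01T08:00:07Z", "severity": "high",
     "event_message": "logon failure", "source_ip": "203.0.113.10", "user": "bob"},
    {"timestamp": "2024-05-01T08:01:30Z", "severity": "low",
     "event_message": "logon success", "source_ip": "198.51.100.5", "user": "alice"},
    {"timestamp": "2024-05-01T08:02:15Z", "severity": "medium",
     "event_message": "logon failure", "source_ip": "198.51.100.5", "user": "carol"},
]


@dataclass(frozen=True)
class Criterion:
    field: str
    value: str
    exclude: bool = False  # False -> "=" (include), True -> "=!" (exclude)

    def matches(self, record: dict) -> bool:
        equal = record.get(self.field) == self.value
        return not equal if self.exclude else equal


def run_query(records, criteria):
    """Return the records that satisfy every criterion (AND semantics)."""
    return [r for r in records if all(c.matches(r) for c in criteria)]


# Authentication logs by severity.
high_severity = run_query(AUTH_LOGS, [Criterion("severity", "high")])

# Authentication logs by event message, excluding one source IP address.
failures_elsewhere = run_query(AUTH_LOGS, [
    Criterion("event_message", "logon failure"),
    Criterion("source_ip", "203.0.113.10", exclude=True),
])

if __name__ == "__main__":
    for r in failures_elsewhere:
        print(r["timestamp"], r["user"], r["source_ip"])
```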