Create an Event Log Query

Create a query to search Windows event log attributes and investigate event logs across endpoints.
From the Query Builder you can search Windows event log attributes and investigate event logs across endpoints that have a Cortex XDR agent installed.
(Figure: query-search-event-log.png)
Some examples of event log queries you can run include:
  • Critical level messages on specific endpoints.
  • Message descriptions with specific keywords on specific endpoints.
To build an event log query:
  1. From Cortex XDR, select INVESTIGATION > Query Builder.
  2. Select EVENT LOG.
  3. Enter the search criteria for your Windows event log query.
    Define any event attributes for which you want to search. By default, Cortex XDR returns the events that match the attribute you specify. To exclude an attribute value, toggle the = option to =!. Attributes are:
      • PROVIDER NAME—The provider of the event log.
      • USERNAME—The username associated with the event.
      • EVENT ID—The unique ID of the event.
      • LEVEL—The event severity level.
      • MESSAGE—The description of the event.
    To specify an additional exception (match this value except), click the + to the right of the value and specify the exception value.
  4. (Optional) Limit the scope to an endpoint or endpoint attributes.
    Specify one or more of the following attributes: HOST NAME, HOST IP address, or HOST OS. Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
  5. Specify the time period for which you want to search for events.
    Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
  6. Choose when to run the query.
    (Figure: query-save-options.png)
    Select the calendar icon to schedule a query to run on or before a specific date, Run in background to run the query as resources are available, or Run to run the query immediately and view the results in the Query Center.
  7. When you are ready, View the Results of a Query.
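The filter semantics that steps 3 to 5 describe (the = / =! toggle, exception values added with +, | and * in the host fields, and the Last 24H / Last 7D / Last 1M / Custom time periods) modelled in Python over constructed sample events, so the include/exclude logic can be traced before a query is scheduled. This is an added example, not Cortex XDR's code or query language: the EventRecord shape, case-insensitive comparison, keyword (substring) matching for MESSAGE and treating Last 1M as 30 days are assumptions, and the hosts, users and timestamps are made up.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

@dataclass
class EventRecord:  # constructed shape of one reported Windows event, not the agent's real schema
    host_name: str
    host_ip: str
    host_os: str
    time: datetime
    provider_name: str
    username: str
    event_id: int
    level: str
    message: str

@dataclass
class AttributeFilter:
    """One attribute row of step 3: the value, the = / =! toggle, and exception values added with +."""
    value: str
    negate: bool = False              # False -> '=' (include matches), True -> '=!' (exclude matches)
    exceptions: Tuple[str, ...] = ()  # "match this value except ..." values

ATTR_FIELDS = {"PROVIDER NAME": "provider_name", "USERNAME": "username", "EVENT ID": "event_id",
               "LEVEL": "level", "MESSAGE": "message"}
HOST_FIELDS = {"HOST NAME": "host_name", "HOST IP": "host_ip", "HOST OS": "host_os"}

def _hit(attr: str, observed: str, wanted: str) -> bool:
    # MESSAGE is a keyword search; other attributes are compared whole. Case-insensitivity is an assumption.
    if attr == "MESSAGE":
        return wanted.lower() in observed.lower()
    return observed.lower() == wanted.lower()

def attribute_matches(attr: str, observed: str, flt: AttributeFilter) -> bool:
    """A row matches when the value hits and no exception value hits; '=!' inverts that result."""
    base = _hit(attr, observed, flt.value) and not any(_hit(attr, observed, e) for e in flt.exceptions)
    return base != flt.negate

def host_scope_matches(observed: str, pattern: str) -> bool:
    """Step 4 syntax: '|' separates alternative values, '*' matches any string of characters."""
    for alt in (a.strip() for a in pattern.split("|") if a.strip()):
        regex = "^" + ".*".join(re.escape(part) for part in alt.split("*")) + "$"
        if re.match(regex, observed, re.IGNORECASE):
            return True
    return False

def time_window(period: str, now: datetime,
                custom: Optional[Tuple[datetime, datetime]] = None) -> Tuple[datetime, datetime]:
    """Step 5 options: Last 24H, Last 7D, Last 1M (30 days is an assumption) or a Custom (start, end)."""
    if period == "Custom":
        if custom is None:
            raise ValueError("Custom period requires a (start, end) pair")
        return custom
    spans = {"Last 24H": timedelta(hours=24), "Last 7D": timedelta(days=7), "Last 1M": timedelta(days=30)}
    return now - spans[period], now

def run_query(events: List[EventRecord], attributes: Dict[str, AttributeFilter],
              host_scope: Dict[str, str], period: str, now: datetime,
              custom: Optional[Tuple[datetime, datetime]] = None) -> List[EventRecord]:
    """Apply the time window, every attribute row and every host-scope field (all must match)."""
    start, end = time_window(period, now, custom)
    results = []
    for ev in events:
        in_time = start <= ev.time <= end
        attrs_ok = all(attribute_matches(a, str(getattr(ev, ATTR_FIELDS[a])), f) for a, f in attributes.items())
        hosts_ok = all(host_scope_matches(getattr(ev, HOST_FIELDS[h]), p) for h, p in host_scope.items())
        if in_time and attrs_ok and hosts_ok:
            results.append(ev)
    return results

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed sample events; hosts, users and timestamps are made up
    EventRecord("FIN-WS-01", "10.1.1.10", "Windows 10", NOW - timedelta(hours=2), "Microsoft-Windows-Security-Auditing",
                "CORP\\alice", 4625, "Information", "An account failed to log on."),
    EventRecord("FIN-WS-02", "10.1.1.11", "Windows 10", NOW - timedelta(hours=5), "Microsoft-Windows-Kernel-Power",
                "SYSTEM", 41, "Critical", "The system has rebooted without cleanly shutting down first."),
    EventRecord("HR-WS-07", "10.1.2.30", "Windows 11", NOW - timedelta(hours=1), "Microsoft-Windows-Kernel-Power",
                "SYSTEM", 41, "Critical", "The system has rebooted without cleanly shutting down first."),
    EventRecord("FIN-WS-01", "10.1.1.10", "Windows 10", NOW - timedelta(days=3), "Microsoft-Windows-Security-Auditing",
                "CORP\\bob", 4625, "Information", "An account failed to log on."),
    EventRecord("FIN-WS-03", "10.1.1.12", "Windows 10", NOW - timedelta(minutes=30), "Microsoft-Windows-Security-Auditing",
                "CORP\\svc-backup", 4625, "Information", "An account failed to log on. Lockout drill, ignore."),
]

def critical_on_finance_hosts() -> List[str]:
    """Page example 1: Critical level messages on specific endpoints (here every FIN-WS-* host), last 24 hours."""
    hits = run_query(SAMPLE_EVENTS, {"LEVEL": AttributeFilter("Critical")}, {"HOST NAME": "FIN-WS-*"}, "Last 24H", NOW)
    return [e.host_name for e in hits]

def failed_logons_except_drills() -> List[str]:
    """Page example 2: a message keyword on two named hosts, minus drill messages and SYSTEM events, last 7 days."""
    attrs = {"MESSAGE": AttributeFilter("failed to log on", exceptions=("drill",)),
             "USERNAME": AttributeFilter("SYSTEM", negate=True)}
    hits = run_query(SAMPLE_EVENTS, attrs, {"HOST NAME": "FIN-WS-01|FIN-WS-03"}, "Last 7D", NOW)
    return [e.username for e in hits]
```

The two query functions mirror the page's own examples: the first returns only the FIN-WS-02 Kernel-Power event because the HR host falls outside the host scope, and the second returns the alice and bob logon failures while the exception value drops the drill message. Every attribute row and host field is ANDed; an exception value narrows a row rather than adding a second match, which is the behaviour to keep in mind when the + control is used in the Query Builder.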
