Use the XDR Query Language (XQL) search to create complex
custom queries on raw log data.
The XDR Query Language (XQL) enables you to query
data ingested into Cortex XDR for rigorous endpoint and network
event analysis. XQL forms queries in stages. Each stage performs
a specific query operation and is delimited by a pipe (|).
Queries require a dataset, or data source, to run against.
Unless otherwise specified, the query runs against the default dataset.
It is possible to create a dataset with uppercase characters in its name,
but when writing a query, the dataset name must be given in lowercase
characters only.
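The stage-by-stage form described above, as an added example that is not part of the original page. It assumes the default dataset is named xdr_data and that the field names used (agent_hostname, actor_effective_username, action_process_image_name, action_process_image_command_line) exist in it; confirm them against the schema of your own tenant before relying on the query.

```xql
// Added example (not from the page). Assumed dataset name and field names;
// verify them in your own tenant's schema.
// Stage 1: the dataset the query runs against (written in lowercase)
dataset = xdr_data
// Stage 2: keep only process events that launched a command shell
| filter event_type = ENUM.PROCESS
    and action_process_image_name in ("cmd.exe", "powershell.exe")
// Stage 3: keep only the fields the investigation needs
| fields _time, agent_hostname, actor_effective_username, action_process_image_command_line
// Stage 4: count launches per host and user
| comp count() as launches by agent_hostname, actor_effective_username
// Stage 5: most active host/user pairs first, with a cap on the result set
| sort desc launches
| limit 50
```

Each pipe starts a new stage, and removing a stage (for example, the comp stage) changes the result from an aggregate back to a list of the individual events that reached that point in the pipeline.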
To streamline your investigations, the XQL search provides the following
aids to help you construct and visualize your queries.
query—The XQL query field is where you define the parameters of
your query. To help you create an effective
XQL query, the search field provides suggestions and definitions
as you type.
—After you create and
run an XQL query, you can view, filter, and visualize your results.
—Describes common stage
commands and provides examples that you can use to build a query.
—Contains common, predefined
queries that you can use or modify to your liking.
information for every field found in the result set. This information
includes the field name, data type, descriptive text (if available),
and the dataset that contains the field. For a field to
appear in this tab, it must contain
a non-NULL value at least once in the result set.
In XQL, every user field included in the
raw data for network, authentication, and login events has an
equivalent normalized user field associated with it that displays
the user information in the following standardized format:
For example, the
to display the content in the standardized format. We recommend
that you use these
when building your queries to ensure the most accurate results.