XQL Search

Use the XDR Query Language (XQL) search to create complex custom queries on raw log data.
The XDR Query Language (XQL) enables you to query data ingested into Cortex XDR for rigorous endpoint and network event analysis, returning up to 1M results. XQL forms queries in stages. Each stage performs a specific query operation and is delimited by a pipe (|). Queries require a dataset, or data source, to run against. Unless otherwise specified, the query runs against the xdr_data dataset, which contains all log information that Cortex XDR collects. However, you can also configure Cortex XDR to query additional datasets.
It is possible to create a dataset with uppercase characters in its name, but when you reference that dataset in a query, its name is written in lowercase characters only.
To streamline your investigations, the XQL search provides the following aids to help you construct and visualize your queries.
  • XQL query—The XQL query field is where you define the parameters of your query. To help you create an effective XQL query, the search field provides suggestions and definitions as you type.
  • Query Results—After you create and run an XQL query, you can view, filter, and visualize your Query Results.
  • XQL Helper—Describes common stage commands and provides examples that you can use to build a query.
  • Query Library—Contains common, predefined queries that you can use or modify to your liking. It also includes a Personal Query Library for saving and managing your own queries, which you can share with others, and for queries that others have shared with you.
  • Schema—Contains schema information for every field found in the result set: the field name, data type, descriptive text (if available), and the dataset that contains the field. For a field to appear in the Schema tab, it must contain a non-NULL value at least once in the result set.
In XQL, every user field included in the raw data for network, authentication, and login events has an equivalent normalized user field that displays the user information in the following standardized format:
<company domain>\<username>
For example, the login_data field has the login_data_dst_normalized_user field to display its content in the standardized format. We recommend that you use these normalized_user fields when building your queries to ensure the most accurate results.
For further help constructing queries, use the Cortex XDR XQL Language Reference.