Create an XQL Query
Learn how to create queries using the XDR Query Language (XQL).
Use XQL Search to analyze raw log data stored in Cortex XDR. The following example demonstrates how to create a query that uses the
coalescefunction to derive a single
usernameby examining multiple field names.
The XQL Language Reference provides more information about valid commands, such as the ones used in this example, and general XQL syntax.
- From Cortex XDR, select.InvestigationQuery BuilderXQL Search
- (Optional) Specify a dataset.From the first letter that you type, the query field provides you with suggestions of commands and their definitions:When you select a command, you will see available operators:After selecting the operator, the query field presents available values:
- Hit the return key and enter a pipe (|) followed by the first stage of your query.This stage uses thefieldscommand to declare which fields are returned in the results. If you use this stage, then following stages can only operate on the fields specified in it.
- Continue adding stages until your query is complete.This stage uses the functioncoalesceto return the first value that is not NULL out of the given fields and thealterstage command to assign that value to the fieldusername.
- Specify the time period against which you want to run your query.The options are last24H(hours), last7D(days), last1M(month), or select aCustomtime period.
- Choose when to run the query.Select the calendar icon to schedule a query to run on or before a specific date,Add as BIOCto save the query as a BIOC rule (if compatible),Run in background(that is, as resources are available), orRunthe query immediately.
- (Optional) After your query is complete, you can save the query as one of the following rules.
- After running your query, review theQuery Results.Alternate between the following display options to investigate your query results:
You can also perform the following additional actions on the results displayed.
- Table ( )—Displays results in rows and columns according to the entity fields.From the menu, you can change the table layout. You can also change the raw log format (displayed in the_Raw_Logfield) to one of the following log formats:
- RAW—Raw format of the entity in the database.
- JSON—Condensed JSON format with key value distinctions. Null values are not displayed.
- TREE—Dynamic view of the JSON hierarchy with the option to collapse and expand the different hierarchies.
- Advanced ( )—Displays results in a table format aggregating the entity fields into one column. Similar to the table display, you can change the layout and log format from the menu.SelectShow moreto pivot anExpanded Viewof the event results that include null values. You can toggle between theJSONandTreeviews, search, andCopy to clipboard.
We recommend for Integer, Boolean, and timestamp, such as_Time, fields that you use theFilteras opposed to theFree text searchto retrieve the most accurate query results.For Table and Advanced displays, Cortex XDR provides aFieldsmenu on the left side of the query results that you use to filter the results. To quickly set a filter, Cortex XDR displays the top 10 results from which you can choose to build your filter. From within theFieldsmenu, click on any field (excluding JSON and array fields) to see a histogram of all the values found in the result set for that field. This histogram includes a count of the total number of times a value was found in the result set, the value's frequency as a percentage of the total number of values found for the field, and a bar chart showing the value's frequency. In order for Cortex XDR to provide a histogram for a field, the field must not contain an array or a JSON object.You can also manage your queries, which includes viewing query results, from theQuery Center.
- Export to File( )—Exports the results to a TSV (Tab-separated values) file.
- Refresh( )—Refreshes the query results.
- Free text search( )—Searches the query results for text that you specify in the free text search. Click theFree text searchicon to reveal the textType your search here.
- Filter( )—Enables you to filter a particular field in the interface that is displayed to specify your filter criteria.
- (Optional) Save the query to your personal query library.
- (Optional) Continue investigation in the Causality View or Timeline View.Right-click the event and select the desired view. This option is available for the following types of events: process (except for those with an event sub type of termination), network, file, registry, injection, load image, system calls, event logs for Windows, and system authentication logs for Linux. For network stories, you can pivot to the Causality View only.
- (Optional) Add a file path to your exiting Malware Profile allowed list.Right-click a<path>fields, for example,target_process_path,file_path, oros_parent_path, and selectAdd.<path type>to malware profile allow list
- (Optional) Visualize your query results.
Recommended For You
Recommended videos not found.