Manage Datasets

Cortex XDR runs every XQL query against a

dataset

. A dataset is a CSV or JSON file that contains the data you are interested in querying. If you do not specify a dataset in your query, then Cortex XDR runs the query against the

xdr_data

dataset, which contains all of the endpoint and network data that Cortex XDR collects.

To query other datasets, you have two options: you can either set the dataset as default, which enables you to query the datasets without specifying them in the query, or you can name a specific dataset at the beginning of your query with the

dataset

stage command. You can add to your list of available datasets by uploading a CSV or JSON file to Cortex XDR.

You cannot upload a file that contains a byte array (that is, binary data).

Manage datasets from

Cortex XDR

Settings ( )

Dataset Management

. There, you can import, view, and interact with your available datasets.

In addition to the names of your datasets, you can view their Type and whether or not they are the Default Query Target. Cortex XDR determines Type by the method used to upload the dataset. If uploaded through the user interface, the Type is Lookup. If saved by a query using the

target

command, the Type can be either User or Lookup. See the entry for

target

in the XQL Language Reference for details.

Import a dataset.
Select
+ Lookup
.
Browse
to your CSV or JSON file, or drag and drop it into the dialog window.
When uploading a JSON file, ensure that each Field name meets the following requirements:
Only use letters (
a-z, A-Z
), numbers (
0-9
), or underscores (
_
).
You can create dataset names using uppercase characters, but in queries dataset names are always treated as if they are lowercase.
Must start with a letter or underscore. Cannot use prefixes
TABLE
,
FILE
, or
_PARTITION
.
Cannot exceed 128 characters.
No duplicate names, white spaces, or carriage returns.
(
Optional
) Rename the file.
Add
the file as a lookup.

After receiving a notification reporting that the upload succeeded,
Refresh
( ) to view it in your list of datasets.
If the file has the same name as an existing dataset, Cortex XDR will append an underscore and a number to the name to make it unique.
Save query results as a dataset.
You can use the
target
stage command to save query results as a dataset. For details about this command, see the XQL Language Reference.
Query against a dataset by selecting it with the
dataset
command when you create an XQL query.
Right-click on a dataset to delete it, copy it, set it as default, and show or hide datasets.

Set as default
to query the dataset without having to specify it in your queries.
Delete
to remove the dataset from Cortex XDR.
Copy text to clipboard
to copy the name of the dataset to your clipboard.
Copy entire row
to copy each cell in a row, separated by tabs, to your clipboard.
Show rows with ‘<dataset_name>’
to create a filter that displays all datasets with the same name.
Hide rows with ‘<dataset_name>’
to create a filter that hides all datasets with the same name.
Filter
your available datasets to specify the ones you want to see.
Select

Filter

.

An interface for your filter criteria appears.



Select a field, an operator, and a value to match.



Select

+ AND

or

+ OR

to add additional filter expressions.



Save

( ) your filter to reuse it later.

After saving, select the three-dot menu ( ) to view your filter.


Customize the table.
Select the three-dot menu ( ) and
Layout
to change the width of rows and columns. You can also select which columns to display.