Manage Your Personal Query Library

As part of the Query Library, Cortex® XDR™ provides a personal query library for saving and managing your own queries. When creating a query in XQL Search or managing your queries from the Query Center, you can save queries to your personal library. You can also decide whether a query is shared with others (on the same tenant) in their Query Library or kept unshared and visible only to you. In addition, you can view the queries that are shared by others (on the same tenant) in your Query Library.
The queries listed in your Query Library have different icons to help you identify the different states of the queries.
  • —Created by me and unshared.
  • —Created by me and shared.
  • —Created by someone else and shared.
The Query Library contains a powerful search mechanism that enables you to search in any field related to the query, such as the query name, description, creator, query text, and labels. In addition, adding a label to your query enables you to search for these queries using these labels in the Query Library.
To add a query to your personal query library:
  1. Save a query to your personal query library.
    You can do this in two ways.
    • From XQL Search
      1. Select Investigation > Query Builder > XQL Search.
      2. In the XQL query field, define the parameters of your query. For more information, see Create an XQL Query.
      3. Select Save as > Query to Library.
    • From the Query Center
      1. Select Investigation > Query Center.
      2. Locate the query that you want to save to your personal query library.
      3. Right-click anywhere in the query row, and select Save query to library.
  2. Set these parameters.
    • Query Name—Specify a unique name for the query. Query names must be unique in both private and shared lists, which includes other people’s queries.
    • Query Description—(Optional) Specify a descriptive name for your query.
    • Labels—(Optional) Specify a label that is associated with your query. You can select a label from the list of predefined labels or add your label and then select Create Label. Adding a label to your query enables you to search for queries using this label in the Query Library.
    • Share with others—You can either set the query to be private and only accessible by you (default) or move the toggle to Share with others, so that other users on the same tenant can access the query in their Query Library.
  3. Click Save.
    A notification appears confirming that the query was saved successfully to the library, and closes on its own after a few seconds.
    The query that you added is now listed as the first entry in the Query Library. The query editor is opened to the right of the query.
  4. Other available options.
    As needed, you can return to the Query Library to manage your queries. Here are the actions available to you.
    • Edit the name, description, labels, and parameters of your query by selecting the query from the Query Library, hovering over the line in the query editor that you want to edit, and selecting the edit icon to edit the text.
    • Search query data and metadata—Use the Query Library’s powerful search mechanism to search in any field related to the query, such as the query name, description, creator, query text, and label. The Search query data and metadata field is available at the top of your list of queries in the Query Library.
    • Show—Filter the list of queries from the Show menu. You can filter by the Palo Alto Networks queries provided with Cortex XDR, by the queries Created by Me, or by the queries Created by Others. To view the entire list, Select all (default).
    • Save as new—Duplicate the query and save it as a new query. This action is available from the query menu by selecting .
    • Share with others—If your query is currently unshared, you can share it with other users on the same tenant, which makes it available in their Query Library. This action is only available from the query menu by selecting when your query is unshared.
    • Unshare—If your query is currently shared with other users, you can Unshare the query and remove it from their Query Library. This action is only available from the query menu by selecting when your query is shared with others. You can only Unshare a query that you created. If another user created the query, this option is disabled in the query menu.
    • Delete the query. You can only delete queries that you created. If another user created the query, this option is disabled in the query menu when selecting .
