1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex® XDR Pro Administrator’s Guide
    5. Investigation and Response
    6. Search Queries
    7. Cortex XDR Query Center

    Cortex XDR Query Center

    From the Cortex XDR management console you can manage the results of queries and adjust and rerun them as needed.
    From the
    Query Center
     you can manage and view the results of all simple and complex queries created from the
    Query Builder
    . The Query Center displays information about the query including the query parameters and allows you to adjust and rerun queries as needed.
    The following table describes the fields that are available for each query in alphabetical order.
    Certain fields are exposed and hidden by default. An asterisks (*) is beside every field that is exposed by default.
    Field
    Description
    BQL
    Displays whether the query was created by the native search.
    Native search has been deprecated, this field allows you to view data for queries performed prior.
    COMPUTE UNIT USAGE
    Displays how many query units were used to execute the API query and Cold Storage query.
    CREATED BY
     *
    User who created or scheduled the query.
    EXECUTION ID
    Unique identifier of XQL queries in the tenant. The identifier id generated for queries executed in the
    Cortex
    XDR
     app and XQL query API.
    NUM OF RESULTS
    *
    Number of results returned by the query.
    PUBLIC API
    Displayed whether the source executing the query was XQL query API.
    QUERY DESCRIPTION
    *
    The query parameters used to run the query.
    QUERY ID
    Unique identifier of the query.
    QUERY NAME
    *
    For saved queries, the
    Query Name
    identifies the query specified by the administrator. For scheduled queries, the
    Query Name
     identifies the auto-generated name of the parent query. Scheduled queries also display an icon to the left of the name to indicate that the query is reoccurring.
    QUERY STATUS
    *
    Status of the query:
    • Queued—The query is queued and will run when there is an available slot.
    • Running
    • Failed
    • Partially completed—The query was stopped after exceeding the maximum number of permitted results; 100,000 for queries executed in
      Cortex
      XDR
       app and 1,000,000 for XQL Query API. To reduce the number of results returned, you can adjust the query settings and rerun.
    • Stopped—The query was stopped by an administrator.
    • Completed
    • Deleted—The query was pruned.
    RESULTS SAVED
    *
    Yes or No.
    SIMULATED COMPUTE UNITS
    Displays how many query units were used to execute the Hot Storage query.
    TENANT
    List of tenants on which an XQL query were executed.
    TIMESTAMP
    *
    Date and time the query was created.
    XQL
    Displays whether the query was created by the an XQL search.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo