Datasets and Presets
The Cortex XDR XQL query language supports built-in datasets, custom datasets, and presets.
Every XQL query begins by identifying a data source that the query will run against. Each data source has a unique name, and a series of fields. Your query specifies the data source, and then provides stages that identify fields of interest and perform operations against those fields.
You can query against either datasets or presets. Cortex XDR Query Language (XQL) supports using different languages for dataset and field names.
The standard, built-in data source that is available in every Cortex XDR instance is the
xdr_datadataset. This is a very large dataset with many hundreds of available fields. See the
Cortex XDR XQL Schema Referencefor information about this dataset. Cortex XDR Query Language (XQL) supports using different languages for dataset and field names.
This dataset is comprised of both raw EDR events reported by the Cortex XDR agent, and of logs from different sources such as third-party logs. To help you investigate events more efficiently, Cortex XDR also stitches these logs and events together into common schemas called
stories. These stories are available using the Cortex XDR presets.
You use the
datasetkeyword to specify a dataset on your query.
You can create a custom dataset using the Target stage.
Depending on your integrations, you might also have the following datasets available for queries:
Active Directory via Cloud Identity Engine
AWS CloudTrail and Amazon CloudWatch
Azure Event Hub
Azure Network Watcher
BeyondTrust Privilege Management Cloud
Cortex XDR Host Firewall enforcement events
CSV files in shared Windows directory
Custom datasets—Select from pre-existing user-created datasets or add a new dataset.
Database data (MySQL, PostgreSQL, MSSQL, and Oracle)
Logs from third party source over FTP, FTPS, or SFTP
GlobalProtect access authentication logs
To ensure GlobalProtect access authentication logs are sent to Cortex XDR, verify that your PANW firewall’s
Log Settingsfor GlobalProtect has the
Cortex Data Lakecheckbox selected.
Google Cloud Platform (GCP) logs
Google Kubernetes Engine (GKE)
JSON or text logs from third-party source over HTTP
Network Share logs
Supports the following logs.
*These datasets use the query field names as described in the Cortex schema documentation.
PingOne for Enterprise
Prisma Cloud Compute
Proofpoint Targeted Attack Protection
A ServiceNow CMDB dataset is created for each table configured for data collection using the format
USB devices connect and disconnect events reported by the agent
Windows Endpoints using Cortex XDR Forensics Add-on
Windows Event Collector (WEC)
Windows DHCP using Elasticsearch Filebeat
Zscaler Cloud Firewall
Dataset names can use uppercase characters, but in queries dataset names are always treated as if they are lowercase. In addition, dataset names are supported using different languages, numbers (
0-9), and underscores (
_). Yet, underscores cannot be the first character of the name.
Upon ingestion, all fields are retained even fields with a null value. You can also use the Cortex XDR XQL query language to query parsing rules for null values.
Presets offer groupings of xdr_data fields that are useful for analyzing specific areas of network and endpoint activity. All of the fields available for a preset are also available on the larger xdr_data dataset, but by using the preset your query can run more efficiently.
Two of the available presets are
stories. These contain information stitched together from Cortex XDR agent events and log files to form a common schema. They are
You use the
presetkeyword to specify a dataset on your query.
See the Cortex XDR XQL Schema Reference for information about the presets available to you, including the fields available for each preset.
Recommended For You
Recommended videos not found.