XQL Language Features

Cortex XDR XQL is a query language that you use to query for raw network and endpoint data.
XQL is a query language that allows you to query for information contained in a wide variety of data sources. Out of the box, you can query against raw Cortex XDR logs using the xdr_data dataset. But you can also import data from third parties and then query against those datasets as well.
You submit XQL queries to Cortex XDR using the
Investigation
Query Builder
XQL Search
user interface.
XQL is similar to other query languages, and it uses some of the same functions as can be found in many SQL implementations, but it is not SQL. XQL forms queries based on
stages
. Each stage performs a specific query operation. Stages are delimited by pipes (|). For example, the following query uses three stages to identify the dataset to query, identify the field to be retrieved from the dataset, and then set a filter that identifies which records should be retrieved as part of the query:
dataset = xdr_data  | fields os_actor_process_file_size as osapfs  | filter to_string(osapfs) = "12345"
XQL supports:
  • Simple queries.
  • Filters that identify a subset of records to return in the result set.
  • Joins and Unions.
  • Aggregations.
  • Queries against standard datasets.
  • Queries against presets, which are collections of information that are specific to a given type of network or endpoint activity such as authentication or file transfers.
  • Queries against custom imported datasets.

Recommended For You