XQL Language Structure

Cortex XDR XQL is a query language that is based on stages. Each stage specifies a particular aspect of the query.
XQL queries usually begin by defining a data source, be it a dataset or a preset. After that, you use zero or more stages to form the XQL query. Each stage is delimited using a pipe (|). The function performed by each stage is identified by the stage keyword that you provide.
Specifying a dataset is not required because Cortex XDR uses
as the default dataset. If you have more than one dataset or lookup, you can change your default dataset by navigating to
Settings ( )
Data Management
Dataset Management
, right-click on the appropriate dataset, and select
Set as default
In the simplest case, you can specify a dataset using one of the following formats.
  • Hot Storage queries are performed on a dataset using the format
    dataset = <dataset name>
    . This is the default option.
    dataset = xdr_data
  • Cold Storage queries are performed using the format
    cold_dataset = <dataset name>
    cold_dataset = xdr_data
You can also build a query that investigates data in both a
and hot dataset in the same query. In addition, since the hot storage dataset format is the default option and represents the fully searchable storage, for investigation and threat hunting, this format is used throughout this guide. For more information on hot and cold storage, see Dataset Management.
When using the hot storage default format, this returns every
record contained in your Cortex XDR instance over the time range that you provide to the Query Builder user interface. This can be a large amount of data, which might take a long time to retrieve. You can use a
stage to specify how many records you want to retrieve.
dataset = xdr_data | limit 5
The records resulting from this query, or the
result set
, are returned in unsorted order. Every time you run the query, it will probably return a different set of records in no specific order. To create a predictable result set, use other stages to define Sort order, Filter the result set to identify exactly what records you want returned, to create fields containing aggregations , and more.
There is no practical limit to the number of stages that you can specify. See Stages Commands Reference for information on all the supported stages.
In the XQL, every user field included in the raw data, for network, authentication, and login events, has an equivalent normalized user field associated with it that displays the user information in the following standardized format:
<company domain>
For example, the
field has the
field to display the content in the standardized format. We recommend that you use these
fields when building your queries to ensure the most accurate results.
You can also add comments in any section when building a query in XQL Search.
  • Comments are added on a single line using the following syntax.
    /*<comments> */
    For example,
    dataset = xdr_data | filter event_type=1 /* process */ and event_sub_type = 1 /* execution*/
  • To write a comment that extends over multiple lines use the following syntax.
    //multi-line <comments> //
    For example,
    dataset = xdr_data | filter //multi-line Adding comments is a great thing. Here is an example // event_type=1

Recommended For You