XQL Language Structure

Cortex XDR XQL is a query language that is based on stages. Each stage specifies a particular aspect of the query.
XQL queries usually begin by defining a data source, be it a dataset or a preset. After that, you use zero or more stages to form the XQL query. Each stage is delimited using a pipe (|). The function performed by each stage is identified by the stage keyword that you provide.
Specifying a dataset is not required because Cortex XDR uses xdr_data as the default dataset. If you have more than one dataset or lookup, you can change your default dataset by navigating to Settings > Configurations > Data Management > Dataset Management, right-clicking the appropriate dataset, and selecting Set as default.
In the simplest case, you can specify a dataset using one of the following formats.
  • Hot Storage queries are performed on a dataset using the format dataset = <dataset name>. This is the default option.
    dataset = xdr_data
  • Cold Storage queries are performed using the format cold_dataset = <dataset name>.
    cold_dataset = xdr_data
You can also build a query that investigates data in both a cold_dataset and a hot dataset in the same query. Because the hot storage dataset format is the default option and represents the fully searchable storage used for investigation and threat hunting, this format is used throughout this guide. For more information on hot and cold storage, see Dataset Management.
When you use the hot storage default format with no further stages, the query returns every xdr_data record contained in your Cortex XDR instance over the time range that you provide to the Query Builder user interface. This can be a large amount of data, which might take a long time to retrieve. You can use a limit stage to specify how many records you want to retrieve.
dataset = xdr_data | limit 5
The records resulting from this query, or the result set, are returned in unsorted order. Every time you run the query, it will probably return a different set of records in no specific order. To create a predictable result set, use other stages to define the sort order, filter the result set to identify exactly which records you want returned, create fields containing aggregations, and more.
There is no practical limit to the number of stages that you can specify. See Stages Commands Reference for information on all the supported stages.
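The following query is an added illustration, not an example taken from the Cortex XDR documentation. It combines the stages discussed above into a predictable result set: it filters to process execution events using the same event_type and event_sub_type values this guide uses in its comment examples, keeps only the fields an analyst needs, sorts newest first, and only then applies limit. The field names _time, agent_hostname, action_process_image_name and action_process_image_command_line are assumed xdr_data field names for this illustration and do not appear on this page.

```xql
dataset = xdr_data
| filter event_type = 1 /* process */ and event_sub_type = 1 /* execution */
| fields _time, agent_hostname, action_process_image_name, action_process_image_command_line
| sort desc _time
| limit 5
```

Because the sort stage runs before limit, the five records returned are the five most recent process executions in the selected time range, so the result set is the same on every run over the same data. Without the sort stage, limit 5 would return an arbitrary five records, as described above.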
In XQL, every user field included in the raw data for network, authentication, and login events has an equivalent normalized user field that displays the user information in the following standardized format:
<company domain>\<username>
For example, the login_data field has the login_data_dst_normalized_user field to display the content in the standardized format. We recommend that you use these normalized_user fields when building your queries to ensure the most accurate results.
You can also add comments in any section when building a query in XQL Search.
  • Comments are added on a single line using the following syntax.
    /* <comments> */
    For example,
    dataset = xdr_data | filter event_type=1 /* process */ and event_sub_type = 1 /* execution */
  • To write a comment that extends over multiple lines, use the following syntax.
    //multi-line <comments> //
    For example,
    dataset = xdr_data | filter //multi-line Adding comments is a great thing. Here is an example // event_type=1
