XQL Language Structure

Cortex XDR XQL is a query language that is based on stages. Each stage specifies a particular aspect of the query.
XQL queries usually begin by defining a data source, be it a dataset or a preset. After that, you use zero or more stages to form the XQL query. Each stage is delimited using a pipe (|). The function performed by each stage is identified by the stage keyword that you provide.
Specifying a dataset is not required because Cortex XDR uses
xdr_data
as the default dataset. If you have more than one dataset or lookup, you can change your default dataset by navigating to
Settings ( )
Configurations
Data Management
Dataset Management
, right-click on the appropriate dataset, and select
Set as default
.
In the simplest case, you can simply specify a dataset:
dataset = xdr_data
This returns every xdr_data record contained in your Cortex XDR instance over the time range that you provide to the Query Builder user interface. This can be a large amount of data, which might take a long time to retrieve. You can use a
limit
stage to specify how many records you want to retrieve:
dataset = xdr_data | limit 5
The records resulting from this query, or the
result set
, are returned in unsorted order. Every time you run the query, it will probably return a different set of records in no specific order. To create a predictable result set, use other stages to define Sort order, Filter the result set to identify exactly what records you want returned, to create fields containing aggregations , and more.
There is no practical limit to the number of stages that you can specify. See Stages Commands Reference for information on all the supported stages.
In the XQL, every user field included in the raw data, for network, authentication, and login events, has an equivalent normalized user field associated with it that displays the user information in the following standardized format:
<company domain>
\
<username>
For example, the
login_data
field has the
login_data_dst_normalized_user
field to display the content in the standardized format. We recommend that you use these
normalized_user
fields when building your queries to ensure the most accurate results.

Recommended For You