Presets

XQL provides presets that you can query to investigate different actions occurring on your network and endpoints.
Presets offer groupings of xdr_data fields that are useful for analyzing specific areas of network and endpoint activity. All of the fields available for a preset are also available on the larger xdr_data dataset, but by using the preset your query can run more efficiently.
The xdr_data dataset comprises both raw EDR events reported by the Cortex XDR agent and logs from other sources, such as Palo Alto Networks next-generation firewall logs and third-party logs. To help you investigate events more efficiently, Cortex XDR also stitches these logs and events together into common schemas called stories. These stories are available through the Cortex XDR presets; they are the Authentication and Network stories.
This chapter describes the presets that you can use with XQL.
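As an added illustration of the point above (this is an example written for this page, not a query from the Cortex XDR documentation), the following shows the same hunt written once against the full xdr_data dataset and once against the Network story preset. The preset name network_story, the event_type enumeration ENUM.NETWORK, and the field names action_remote_ip, action_remote_port, agent_hostname and actor_process_image_name are assumptions about the Cortex XDR schema; confirm them in your tenant's schema browser before relying on them. XQL executes one query at a time, so run each block separately.

```xql
// Added example, not part of the original page.
// Preset, enum and field names are assumptions about the Cortex XDR schema.

// 1) Raw dataset: every event type is scanned before the filter narrows it to
//    network events, so the query does more work than it needs to.
dataset = xdr_data
| filter event_type = ENUM.NETWORK and action_remote_port = 3389
| fields _time, agent_hostname, actor_process_image_name, action_remote_ip, action_remote_port
| sort desc _time
| limit 100

// 2) Stitched preset: only Network story records are scanned, the event_type
//    filter is implied, and the result carries the same fields.
preset = network_story
| filter action_remote_port = 3389
| fields _time, agent_hostname, actor_process_image_name, action_remote_ip, action_remote_port
| sort desc _time
| limit 100
```

Both queries return endpoint hostname, originating process and remote address for outbound connections to port 3389, which a defender would review for unexpected RDP activity from workstations; the preset form is the one to prefer for routine hunting because it touches less data for the same result.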
