XQL provides presets that you can query to investigate different actions occurring on your network and endpoints.
Presets offer groupings of xdr_data fields that are useful for analyzing
specific areas of network and endpoint activity. All of the fields available for a
preset are also available on the larger xdr_data dataset, but by
using the preset your query can run more efficiently.
The xdr_data dataset consists of both raw EDR events reported by the Cortex XDR agent and
logs from other sources, such as Palo Alto Networks next-generation firewall logs
and third-party logs. To help you investigate events more efficiently, Cortex XDR also
stitches these logs and events together into common schemas called stories.
These stories are available through the Cortex XDR presets; they are the
Authentication and Network stories.
This chapter describes the presets that you can use with XQL.
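As an added illustration (not a query from the original page), the following XQL query uses the Network story preset to list recent connections to TCP port 3389 per endpoint. It assumes the preset identifier `network_story` and the field names `agent_hostname`, `action_local_ip`, `action_remote_ip`, `action_remote_port` and `actor_process_image_name` as documented for xdr_data; running the same filter against `dataset = xdr_data` would return the same stitched events but scan the full dataset instead of the smaller preset.

```xql
// Added example query (assumed preset and field names; not from the page).
// Scope the search to the Network story preset rather than the full xdr_data dataset.
preset = network_story
| filter action_remote_port = 3389 and action_local_ip != action_remote_ip
| fields _time, agent_hostname, action_local_ip, action_remote_ip, action_remote_port, actor_process_image_name
| sort desc _time
| limit 100
```

The `fields` stage keeps only the columns an analyst needs to triage the results, and the `limit` stage bounds the result set while the filter is being refined.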