XQL provides presets that you can query to investigate different actions occurring on your network and endpoints.
Presets offer groupings of xdr_data fields that are useful for analyzing specific areas of network and endpoint activity. All of the fields available for a preset are also available on the larger xdr_data dataset, but by using the preset your query can run more efficiently.
The xdr_data dataset comprises both raw EDR events reported by the Cortex XDR agent and logs from other sources, such as Palo Alto Networks next-generation firewall logs and third-party logs. To help you investigate events more efficiently, Cortex XDR also stitches these logs and events together into common schemas called stories. These stories are available through the Cortex XDR presets; they are the Authentication and Network stories.
This chapter describes the presets that you can use with XQL.
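The following is an added example, not a query from this documentation, that contrasts the two ways of reaching the same data described above: querying the full xdr_data dataset directly and querying the narrower Network story preset. The preset name `network_story`, the `event_type = ENUM.NETWORK` filter and the field names (`agent_hostname`, `action_local_ip`, `action_remote_ip`, `action_remote_port`) are assumed here; confirm them against the preset and dataset reference for your Cortex XDR version before relying on them. Both queries count, per endpoint, the outbound connections to a remote port that is unexpected in the environment (3389 is used only as a constructed sample value), which is a typical hunting or detection-tuning question.

```xql
// Query 1 (assumption: event_type = ENUM.NETWORK is the network-event filter on xdr_data).
// Runs over the whole xdr_data dataset, so every raw EDR event and ingested log is scanned
// before the filter narrows it to network events.
dataset = xdr_data
| filter event_type = ENUM.NETWORK
    and action_remote_port = 3389          // constructed sample port to hunt for
| fields agent_hostname, action_local_ip, action_remote_ip, action_remote_port
| comp count() as connection_count by agent_hostname
| sort desc connection_count

// Query 2 (assumption: the Network story preset is named network_story).
// Same fields and the same result, but the preset already scopes the query to the
// stitched network story, so there is no event_type filter and less data is read.
preset = network_story
| filter action_remote_port = 3389         // constructed sample port to hunt for
| fields agent_hostname, action_local_ip, action_remote_ip, action_remote_port
| comp count() as connection_count by agent_hostname
| sort desc connection_count
```

Run each query separately in the Query Builder; the point of the pair is that the preset form needs no event-type filter and returns the same rows with less data scanned, which is why the page recommends presets for focused investigations.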

