Perform advanced Identity Security investigations using XQL - Working with datasets in Cortex Cloud Identity Security. - Administrator Guide

Perform advanced Identity Security investigations using XQL - Working with datasets in Cortex Cloud Identity Security. - Administrator Guide - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product

Cortex Cloud Application Security > Cortex CLOUD

License

Cloud Runtime Security

Creation date

2024-12-24

Last date published

2026-06-10

Overview

Cortex Cloud Identity Security centralizes identity-related information into a list of datasets, providing the foundation for comprehensive security investigations. Using Cortex Query Language (XQL) , security practitioners can create custom queries to extract valuable insights from these data sources within your system. For more information, see Get started with XQL.

You can use the following identity-related datasets:

Dataset	Description
ciem_permissions_with_last_access	Contains the permissions of each identity that is discovered in your environments, including the time of their last access when applicable.
asset_inventory	Contains an inventory of all the assets that are discovered in your environments. For more information, see Inventory management.Inventory management
issues	Contains the issues that are related to the assets in your environments. For more information, see Issues.Issues
findings	Contains the findings that are associated with the assets that are found in your environments. For more information, see Findings and events.

Investigate Cortex Cloud Identity Security

To run queries on your Cortex Cloud Identity Security datasets:

In Cortex Cloud, in the navigation pane on the left, click Investigation & Response, then under Search, click XQL Search.
On the XQL Search screen, under XQL Query, in the text box, start typing your query. Alternatively, you can search for existing queries on the Query Library tab.
When you have finished entering your query, click Run. The results appear on the Query Results tab.

Note

For more information, see Build XQL queries.

Examples

Here are some examples of identity-related queries you can run in Cortex Cloud to investigate your identity posture:

dataset = ciem_permissions_with_last_access 
| filter action_name = "sts:AssumeRole"
| fields source_cloud_resource_uai, dest_cloud_resource_uai, dest_cloud_resource_id, dest_cloud_account_id 
| filter source_cloud_resource_uai not in(dataset = ciem_permissions_raw 
| filter action_access_isadministrative in(true, TRUE) 
| dedup source_cloud_resource_uai 
| fields source_cloud_resource_uai) 
| fields source_cloud_resource_uai as source, dest_cloud_resource_uai as dest_uai, dest_cloud_resource_id as dest_id, dest_cloud_account_id as dest_account_id 
| join(dataset = ciem_permissions_raw 
| filter grantedby_cloud_entity_type = "role" 
| filter action_access_isadministrative in(true, TRUE) 
| dedup grantedby_cloud_entity_id 
| fields grantedby_cloud_entity_account_id, grantedby_cloud_entity_id) as admin_roles (dest_id = admin_roles.grantedby_cloud_entity_id or (dest_id ~= "^\*$" and dest_account_id = admin_roles.grantedby_cloud_entity_account_id)) 
| fields source

dataset = ciem_permissions_with_last_access
| filter source_cloud_resource_type = "instance" and source_cloud_service_name = "EC2" and action_access_isadministrative = true
| comp values(action_name) as actions by source_cloud_resource_uai, source_cloud_resource_name, source_cloud_account_id, grantedby_cloud_entity_name
| join (dataset = asset_inventory) as assets source_cloud_resource_uai = assets.xdm.asset.id
| alter access_to_services = to_integer(json_extract_scalar(xdm.asset.normalized_fields, "$['xdm.identity.access_statistics.services']"))
| filter access_to_services >= 10
| fields source_cloud_resource_name, source_cloud_resource_uai, access_to_services, grantedby_cloud_entity_name