About the Query Builder

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

The Query Builder facilitates threat detection, incident expansion, and data analytics for suspected threats.

Notice

Building Cortex Query Language (XQL) queries in the Query Builder requires a Cortex XDR Pro license.

The Query Builder aids in the detection of threats by allowing you to search for indicators of compromise and suspicious patterns within data sources. It assists in expanding incident investigations by identifying related events and entities, such as activities associated with specific user accounts or network lateral movement. In addition, the Query Builder enables data analytics on suspected threats, helping organizations analyze large volumes of data to identify trends, anomalies, and correlations that may indicate potential security issues.

To support investigation and analysis, you can search all of the data ingested by Cortex XDR by creating queries in the Query Builder. You can create queries that investigate leads, expose the root cause of an alert, perform damage assessment, and hunt for threats from your data sources.
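The following XQL query is an added illustration of the hunting use case described above; it is not taken from the Cortex XDR documentation. It looks for process executions matching a known-bad file hash and summarizes, per host and user account, how often and when it ran, which is the kind of pivot an analyst makes when expanding an incident to related entities. It assumes the standard xdr_data dataset and its process-event fields (event_type, action_process_image_sha256, agent_hostname, actor_effective_username, action_process_image_command_line); the SHA-256 value is a placeholder to be replaced with the indicator under investigation.

```xql
// Added example (not from the Cortex XDR documentation).
// Hunt for executions of a known-bad file hash across all endpoints and
// summarize which hosts and user accounts ran it, with first/last seen times.
// "<SHA256_PLACEHOLDER>" is a placeholder, not a real indicator.
config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.PROCESS
    and action_process_image_sha256 = "<SHA256_PLACEHOLDER>"
| comp count(action_process_image_sha256) as executions,
       min(_time) as first_seen,
       max(_time) as last_seen,
       values(action_process_image_command_line) as command_lines
    by agent_hostname, actor_effective_username
| sort desc executions
```

Running the query from the Query Builder (XQL Search) returns one row per host/account pair; the command_lines column shows how the binary was invoked, and a high execution count on an account that should not be running it is the signal to pivot further into that account's other activity.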

Cortex XDR provides different options in the Query Builder for creating queries: