Get started with XQL queries

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2025-01-21
Category: Administrator Guide
Abstract

Learn what you need to know before getting started with XQL queries.

Notice

Building Cortex Query Language (XQL) queries in the Query Builder requires a Cortex XDR Pro license.

Before you begin running XQL queries, consider the following information:

  • Use the interface to help you build queries

    Cortex XDR offers features in the XQL search interface to help you build queries. For more information, see Useful XQL user interface features.

  • Understand query defaults and limitations

    Before you run a query, review this list to better understand query behavior and results. For more information, see Expected results when querying fields.

  • Translate Splunk queries to XQL

    If you have existing Splunk queries, you can translate them to XQL. For more information, see Translate to XQL.