XQL Query best practices - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-09
Category
Administrator Guide
Abstract

Learn about best practices for streamlining XQL queries.

Notice

Building Cortex Query Language (XQL) queries in the Query Builder requires a Cortex XDR Pro license.

Cortex XDR includes built-in mechanisms for mitigating long-running queries, such as default limits for the maximum number of allowed alerts. The following suggestions can help you to streamline your queries:

  • Add a smaller limit to queries by using a limit stage.

    When no limit is explicitly stated in the query, any query returns a maximum of 1,000,000 results by default. Adding a smaller limit can therefore greatly reduce the response time.

    Example 72. 

    dataset = microsoft_windows_raw 
    | fields *host* 
    | limit 100

  • Use a small time frame for queries by specifying the exact date and time with the custom option, instead of picking the nearest larger preset.

  • Use filters that exclude data, along with other possible filters.

  • Select the specific fields that you would like to see in the query results.
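As an added example that is not part of the original guide, one query that applies all four practices above in a single XQL pipeline. The field names event_id and host_name are assumptions about the microsoft_windows_raw dataset; substitute the fields present in your tenant.

```xql
// Added example, not from the original page.
// 1. Narrow time frame in the query itself instead of a coarse preset.
config timeframe = 1h
// 2. Query only the dataset that holds the data of interest.
| dataset = microsoft_windows_raw
// 3. Exclude rows that cannot be useful before any further processing
//    (event_id and host_name are assumed field names).
| filter event_id != null and host_name != null
// 4. Return only the columns you actually need to see.
| fields _time, host_name, event_id
// 5. Cap the result set well below the 1,000,000 default.
| limit 100
```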