XQL query entities - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language (XQL) entities available in the Query Builder.

With Query Builder, you can build complex queries for entities and entity attributes so that you can surface and identify connections between them. Cortex XDR provides Cortex Query Language (XQL) queries for different types of entities in the Query Builder; each query searches a predefined dataset. The Query Builder searches the raw data and logs stored in the Cortex XDR tenant and, for the entities and attributes you specify, returns up to 1,000,000 results.

The Query Builder provides queries for the following types of entities:

  • Process: Search on process execution and injection by process name, hash, path, command line arguments, and more. See Create process query.

  • File: Search on file creation and modification activity by file name and path. See Create file query.

  • Network: Search network activity by IP address, port, host name, protocol, and more. See Create network query.

  • Image Load: Search module-load events (a module loaded into a process) by module ID and more. See Create image load query.

  • Registry: Search on registry creation and modification activity by key, key value, path, and data. See Create registry query.

  • Event Log: Search Windows event logs and Linux system authentication logs by username, log event ID (Windows only), log level, and message. See Create event log query.

  • Network Connections: Search network connection activity drawn from firewall logs and endpoint raw data across your network. See Create network connections query.

  • Authentications: Search on authentication events by identity, target outcome, and more. See Create authentication query.

  • All Actions: Search across all network, registry, file, and process activity by endpoint or process. See Query across all entities.

The Query Builder also supports both on-demand query generation and scheduled queries.