Create an Authentication Query - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

From the Cortex XDR management console, you can create a query to investigate any authentication activity.

From the Query Builder, you can investigate authentication activity across all ingested authentication logs and data.

Some examples of authentication queries you can run include:

  • Authentication logs by severity

  • Authentication logs by the event message

  • Authentication logs for a specific source IP address

To build an authentication query:

  1. From Cortex XDR , select INVESTIGATIONQuery Builder.


  3. Enter the search criteria for the authentication query.

    By default, Cortex XDR will return the activity that matches all the criteria you specify. To exclude a value, toggle the = option to =!.

  4. Choose when to run the query.

    Select the calendar icon to schedule a query to run on or before a specific date or Run to run the query immediately and view the results in the Query Center.

    While the query is running, you can always navigate away from the page and a notification is sent when the query completes. You can also Cancel the query or run a new query, where you have the option to Run only new query (cancel previous) or Run both queries.

  5. When you are ready, View the Results of a Query.