Query Builder - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-11-07
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

From Cortex XDR you can investigate alerts through building queries to identify connections between alerts.

The Query Builder is a powerful search tool at the heart of Cortex XDR that you can use to investigate any lead quickly, expose the root cause of an alert, perform damage assessment, and hunt for threats from your data sources. With Query Builder, you can build complex queries for entities and entity attributes so that you can surface and identify connections between them. The Query Builder searches the raw data and logs stored in Cortex XDR tenant and for the entities and attributes you specify, it returns up to 1,000,000 results.

From the Query Builder, you can also use the XQL Search to create XQL queries to search for and view raw data that is stored in Cortex XDR or imported from custom and third-party datasets.

The Query Builder provides queries for the following types of entities:

  • Process—Search on process execution and injection by process name, hash, path, command line arguments, and more. See Create a Process Query.

  • File—Search on file creation and modification activity by file name and path. See Create a File Query.

  • Network—Search network activity by IP address, port, host name, protocol, and more. See Create a Network Query.

  • Registry—Search on registry creation and modification activity by key, key value, path, and data. See Create a Registry Query.

  • Event Log—Search Windows event logs and Linux system authentication logs by username, log event ID (Windows only), log level, and message. See Create an Event Log Query.

  • Network Connections—Search security event logs by firewall logs, endpoint raw data over your network. See Create a Network Connections Query.

  • All Actions—Search across all network, registry, file, and process activity by endpoint or process. See Query Across All Entities.

The Query Builder also provides flexibility for both on-demand query generation and scheduled queries.