After Cortex XDR begins receiving data from your XDR Collectors configuration that are dedicated for on-premise data collection on Windows and Linux machines.
For Filebeat, the app automatically creates an Cortex Query Language (XQL) dataset of event logs using the vendor name and the product name specified in the configuration file section of the Filebeat profile. The dataset name follows the format
<vendor>_<product>_raw. If not specified, Cortex XDR automatically creates a new default dataset in the format<module>_<module>_rawor<input>_<input>_raw. For example, if you are using the NGINX module, the dataset is callednginx_nginx_raw.For Winlogbeat, the app automatically creates an XQL dataset of event logs using the vendor name and the product name specified in the configuration file section of the Winlogbeat profile. The dataset name follows the format
<vendor>_<product>_raw. If not specified, Cortex XDR automatically creates a new default dataset,microsoft_windows_raw, for event log collection.
After Cortex XDR creates the dataset, you can search for your XDR Collector data using XQL Search.