XQL Search - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Use the Cortex Query Language (XQL) search to create complex custom queries on raw log data.

The Cortex Query Language (XQL) enables you to query data ingested into Cortex XDR for rigorous endpoint and network event analysis returning up to 1M results. XQL forms queries in stages. Each stage performs a specific query operation and is delimited by a pipe (|). Queries require a dataset, or data source, to run against. Unless otherwise specified, the query will run against the xdr_data dataset, which contains all log information that Cortex XDR collects.


Forensic datasets are not inlcuded by default in XQL Search query results, unless the dataset query is explicitly defined to use a forensic dataset.

To streamline your investigations, the XQL search provides the following aids to help you construct and visualize your queries.

  • XQL query—The XQL query field is where you define the parameters of your query. To help you create an effective XQL query, the search field provides suggestions and definitions as you type.

  • Translate to XQL— Converts your existing Splunk queries to the XQL syntax. When building your XQL query and you move the toggle to Translate to XQL , both a SPL query field and XQL query field are displayed, so you can easily add a Splunk query, which is converted to XQL in the XQL query field. This option is disabled by default, so only the XQL query field is displayed.

  • Query Results—After you create and run an XQL query, you can view, filter, and visualize your Query Results.

  • XQL Helper—Describes common stage commands and provides examples that you can use to build a query.

  • Query Library—Contains common, predefined queries that you can use or modify to your liking. In addition, a Personal Query Library for saving and managing your own queries that you can also share with others, and queries shared with you.

  • Schema—Contains schema information for every field found in the result set. This information includes the field name, data type, descriptive text (if available), and the dataset that contains the field. For dataset queries, the schema contains the list of all the fields of all the datasets that were involved in the query.

In the xdr_data dataset, every user field included in the raw data, for network, authentication, and login events, has an equivalent normalized user field associated with it that displays the user information in the following standardized format:


For example, the login_data field has the login_data_dst_normalized_user field to display the content in the standardized format. We recommend that you use these normalized_user fields when building your queries to ensure the most accurate results.

For further help constructing queries, use the XQL Language Reference.