XQL Language Features - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Cortex XDR
Creation date
Last date published
Reference Guide

Learn more about the Cortex Query Language features to query for raw network and endpoint data.

The Cortex Query Language (XQL) enables you to query for information contained in a wide variety of data sources in Cortex XDR for rigorous endpoint and network event analysis. Queries require a dataset, or data source, to run against. Unless otherwise specified, the query runs against the xdr_data dataset, which contains all raw log information that Cortex XDR collects. You can also import data from third parties and then query against those datasets as well.

You submit XQL queries to Cortex XDR using the Incident ResponseInvestigationQuery BuilderXQL Search user interface.

XQL is similar to other query languages, and it uses some of the same functions as can be found in many SQL implementations, but it is not SQL. XQL forms queries in stages. Each stage performs a specific query operation and is separated by a pipe (|) character. To help you create an effective XQL query with the proper syntax, the query field in the user interface provides suggestions and definitions as you type. For example, the following query uses three stages to identify the dataset to query, identify the field to be retrieved from the dataset, and then set a filter that identifies which records should be retrieved as part of the query:

dataset = xdr_data 
| fields os_actor_process_file_size as osapfs 
| filter to_string(osapfs) = "12345"

XQL supports:

  • Simple queries.

  • Filters that identify a subset of records to return in the result set.

  • Joins and Unions.

  • Aggregations.

  • Queries against standard datasets.

  • Queries against presets, which are collections of information that are specific to a given type of network or endpoint activity, such as authentication or file transfers.

  • Queries against custom imported datasets.