How to perform advanced Data Security investigations using XQL - How to work with datasets in Cortex Cloud Data Security. - Administrator Guide - Cortex XSIAM - Cortex

How to perform advanced Data Security investigations using XQL - How to work with datasets in Cortex Cloud Data Security. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-11

Notice

This feature is included with a Cortex XSIAM Premium license. It is also included with any other Cortex XSIAM license that has the Cloud Posture Security or Cloud Runtime Security add-on.

Overview

Cortex Cloud Data Security centralizes data-related information into a list of datasets, providing the foundation for comprehensive security investigations. Using Cortex Query Language (XQL) , you can create custom queries to extract valuable insights from these data sources within your system. For more information, see Get started with XQL.

You can use the following data-related datasets:

Dataset	Description
dspm_asset_metadata	Contains high-level information about all data assets, including details such as their creation and modification dates, cloud service, and any tags.
dspm_asset_table_inventory	Provides an inventory of tables and their associated fields, which is useful for analyzing data at a more granular level.
dspm_asset_data_patterns	Tracks specific patterns of sensitive data, such as SSN or credit card numbers, found within your assets.
dspm_asset_data_profiles	Provides a summary of the data's content, including counts of sensitive fields and the percentage of sensitive data found.
data_ingestion_health	Monitors the health of data ingestion pipelines, logging failures or issues that could lead to incomplete security monitoring.
findings	Contains findings associated with assets discovered within your environments. For more information, see Findings and events.
issues	Contains issues generated on assets within your environments. For more information, see Issues.

Investigate Cortex Cloud Data Security

To run queries on your Cortex Cloud Data Security datasets:

In Cortex XSIAM, in the navigation pane on the left, click Investigation & Response, then under Search, click Query Builder.
Click XQL.
You can start typing your query in the box at the top of the screen, or search for existing queries on the Query Library tab.
Click Run. The query results appear on the Query Results tab.

Note

For more information, see Build XQL queries.Build XQL queries

Examples

dataset = findings
| filter xdm.finding.type_id = 80000002 and xdm.finding.is_active = true 
| Join (dataset = asset_inventory 
    | filter xdm.asset.type.class = "Data" and xdm.asset.provider = "AWS"
    | fields xdm.asset.id as Asset_ID, xdm.asset.name as Asset_Name, xdm.asset.provider as Asset_Cloud, xdm.asset.cloud.region as Region, xdm.asset.type.name as Asset_Type) as res res.Asset_ID = xdm.finding.asset_id
| alter Patterns = json_extract_scalar_array(xdm.finding.normalized_fields, "$['xdm.data.data_pattern']") 
| alter Total_Sensitive_Records = json_extract_scalar(xdm.finding.normalized_fields, "$['xdm.data.statistics.records_count']")  
| fields Asset_Name, Asset_Type, Asset_Cloud, Region, Patterns, Total_Sensitive_Records

dataset = dspm_asset_file_inventory 
| arrayexpand file_data_profile_ids 
| alter profile_id = to_integer(file_data_profile_ids) 
| join type = left (dataset = asset_inventory 
| fields xdm.asset.name, xdm.asset.id, xdm.asset.type.name ) as ai ai.xdm.asset.id = asset_id 
| join type = left (dataset = classification_mgmt_data_profile 
| filter name = "PII" 
| fields id, name) as cmdp cmdp.id = profile_id 
| dedup xdm.asset.id 
| fields file_name, file_folder, file_extension_category, file_size_bytes, file_data_patterns, record_count, xdm.asset.name, xdm.asset.id, xdm.asset.type.name

dataset = dspm_asset_file_inventory 
| filter file_is_open_to_world = true 
| arrayexpand file_data_profile_ids 
| alter profile_id = to_integer(file_data_profile_ids) 
| join type = left (dataset = asset_inventory 
| fields xdm.asset.name, xdm.asset.id, xdm.asset.type.name ) as ai ai.xdm.asset.id = asset_id 
| join type = left (dataset = classification_mgmt_data_profile 
| filter name = "PII" 
| fields id, name) as cmdp cmdp.id = profile_id 
| dedup xdm.asset.id 
| fields file_name, file_folder, file_extension_category, file_size_bytes, file_data_patterns, record_count, xdm.asset.name, xdm.asset.id, xdm.asset.type.name

dataset = asset_inventory 
| join type = inner (dataset = dspm_asset_data_profiles 
| alter int_data_profile_id = to_integer(data_profile_id) 
|join type = inner (dataset = classification_mgmt_data_profile 
| filter name = "PCI" 
| fields id, name) as cm cm.id = int_data_profile_id) as da da.asset_id = xdm.asset.id 
| join type = inner (dataset = issue_to_asset 
| join type = left (dataset = issues 
| fields xdm.issue.id as issue_id, xdm.issue.domain, xdm.issue.status.progress as progress, xdm.issue.is_excluded as is_excluded 
| filter xdm.issue.domain = "POSTURE" and is_excluded != true and progress != "RESOLVED") as is is.issue_id = xdm.issue.id) as iss iss.xdm.asset.id = xdm.asset.id 
| dedup asset_id 
| fields xdm.asset.id, xdm.asset.type.name, xdm.asset.name