Cortex XSIAM provides a Query Library for saving and managing your own queries.
Cortex XSIAM provides a Query Library for saving and managing your custom Cortex Query Language (XQL) queries. When creating a query in XQL or managing your queries from the Query Center, you can save them in the Query Library.
The Query Library contains a powerful search mechanism that enables you to search in any field related to the query, such as the query name, description, creator, query text, and labels. In addition, adding a label to your query enables you to search for these queries using these labels in the Query Library.
Note
The Query to Library option is only available if your role has the Create Queries capability. For more information, see Manage access to saved queries.
Save a query to your query library.
From the Query Builder
Select Investigation & Response → Search → Query Builder → XQL.
Define the parameters of your query.
Select Save as → Query to Library.
From the Query Center
Select Investigation & Response → Search → Query Center.
Under Query History, locate the query that you want to save.
Right-click anywhere in the query row, and select Save query to library.
Set the query parameters.
Query Name: Specify a unique name for the query. Query names must be unique across both private and shared lists, including other people’s queries.
Query Description (Optional): Specify a descriptive summary.
Labels (Optional): Assign labels to categorize your query for faster filtering. You can select a label from the list of predefined labels or add your label and then select Create Label. Adding a label to your query enables you to search for queries using this label in the Query Library.
Click Save.
The query is now listed in the Query Library as a Restricted query (visible only to you). To make the query available to other users, user groups, or API keys, you must configure its sharing settings.
Important
The ability to create, edit, or share queries is governed by access management. If certain options are unavailable, contact your administrator. For more information, see Manage access to saved queries.
The visibility of saved queries in the Query Library is determined by access management. You can manage who can view (and run) or edit your queries by sharing them with specific users, user groups, or API keys. You can also view queries created and shared by others in your organization if they have granted you access or marked the query as Public.
The following icons in the Query Library table help you identify the sharing status of each query:
(icon): Identifies Restricted queries you created that have not been shared.
(icon): Identifies queries you created that are currently shared with others.
(icon): Identifies queries created by another user that have been shared with you.
(icon): Identifies out-of-the-box (OOTB) system queries provided by Palo Alto Networks.
Use the following tools and the vertical ellipsis (⋮) menu to manage your saved queries:
Search and filter: Use the search field to find queries by metadata or content. Use the Show menu to filter by Owned by Me, Owned by Others, or Palo Alto Networks.
Save as new: Duplicate a query using the vertical ellipsis (⋮) menu.
Share/Manage Access: Once a query is saved to the library, the Owner (or an authorized Editor) can manage who else can interact with it using the vertical ellipsis (⋮) menu. The specific option available (Share or Manage Access) is determined by tenant-level settings.
Change owner: Administrators can use the vertical ellipsis (⋮) menu to change the query owner to a different user.
Delete: You can only delete queries that you Own. Palo Alto Networks system queries cannot be deleted.
Once a query is saved to the library, the Owner (or an authorized Editor) can manage who else can interact with it. The options available depend on the tenant-level settings configured by your administrator.
In the Query Library tab, locate the query you want to share in the table.
Click the vertical ellipsis (⋮) and select the available action:
Share: This option appears when Owners can Share objects they created is enabled in tenant-level settings. It allows you to manage both General access and specific principals (users, user groups, and API keys).
Manage Access: This option appears when Owners can Share objects they created is disabled in tenant-level settings. It only allows you to change the General access state.
(If sharing is enabled) To share with specific entities:
Search for the User, User Group, or API Key.
Assign the access level: Viewer (can run/view) or Editor (can modify and, if permitted by tenant-level settings, share).
Set the General access drop-down menu (if authorized by tenant-level settings):
Restricted: The query is private. It is only visible to the Owner and the specific principals added to the list.
Public: The query is visible to every user who has the Query Library enabled in their role.
Note
When the tenant-level setting Owners and editors can change the general access is unselected, the drop-down is disabled and only an administrator can configure this option.
Click Save.
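The sharing rules above (Owner, Editor and Viewer roles, Restricted versus Public general access, and the two tenant-level settings) written out as a small reference policy model. This is an added illustration, not Cortex XSIAM code; the role names, action names, setting flags and the assumption that Public queries count as "shared" for the status icon are chosen here to mirror the page's wording.

```python
"""Reference model of the Query Library sharing rules described on this page.

Added illustration, not Cortex XSIAM code: the role names, tenant-setting
flags and action names are assumptions chosen to mirror the page's wording.
"""
from dataclasses import dataclass, field

@dataclass
class TenantSettings:
    owners_can_share: bool = True        # "Owners can Share objects they created"
    change_general_access: bool = True   # "Owners and editors can change the general access"

@dataclass
class SavedQuery:
    owner: str
    general_access: str = "Restricted"   # "Restricted" or "Public"
    editors: set = field(default_factory=set)
    viewers: set = field(default_factory=set)   # users, user groups or API keys
    system: bool = False                 # out-of-the-box Palo Alto Networks query

def can(principal, action, query, tenant, is_admin=False):
    """Decide whether `principal` may perform `action` on `query`."""
    owner = principal == query.owner
    editor = principal in query.editors
    viewer = principal in query.viewers
    if action in ("view", "run"):      # Viewers, Editors, Owner, or anyone when Public
        return owner or editor or viewer or query.general_access == "Public"
    if action == "edit":               # Editors can modify; Viewers cannot
        return owner or editor
    if action == "share":              # adding principals needs the tenant Share setting
        return tenant.owners_can_share and (owner or editor)
    if action == "change_general_access":   # admin always; owner/editor only if allowed
        return is_admin or (tenant.change_general_access and (owner or editor))
    if action == "delete":             # only the Owner, never a system query
        return owner and not query.system
    if action == "change_owner":       # administrators only
        return is_admin
    raise ValueError(f"unknown action: {action}")

def sharing_status(query, me):
    """Which of the four Query Library status icons applies for user `me`."""
    if query.system:
        return "system"
    if query.owner == me:
        # Assumption: a Public query counts as shared with others.
        shared = bool(query.editors or query.viewers) or query.general_access == "Public"
        return "shared" if shared else "restricted"
    return "shared_with_me"
```

Running the model against a few principals is a quick way to check that a proposed sharing change still follows least privilege before applying it in the UI.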