Running XQL Query APIs - API Reference Guide - Reference Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM API Reference

Product
Cortex XSIAM
Creation date
2023-02-16
Last date published
2024-02-22
Category
API Reference Guide
Reference Guide
Abstract

Learn how to run XQL queries on your data sources using a series of APIs.

Cortex XSIAM enables you to run XQL queries on your data sources using a series of APIs. To execute XQL APIs you must have:

  • Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB license.

  • Valid API Key and API Key ID that include the Instance Administrator role permissions.

  • Available query quota.

Query quota is made up of query units that enable you to run XQL APIs. Each XQL API query entails a cost of query units calculated according to the complexity and number of search results. The query cost for each API query is displayed in the Get Query Results API. You can also track the query cost per XQL API search, overall usage, and remaining quota in Cortex XSIAM or by running a Get XQL Query Quota API. Cortex XSIAM provides a free daily quota relative to your license size for you to run XQL API queries. In the case of Managed Security, the parent quota depends solely on the children licenses.

Note

You will be able to purchase additional query units in future Cortex XSIAM versions.

To execute an XQL API, you need to run a series of APIs. Each API requires a response value from the previous API to continue. This allows you to track the number of XQL queries you want to run, which in turn helps you manage your daily quota. Queries called without enough quota will fail. To ensure you don’t surpass your quota, Cortex XSIAM allows you to run up to four API queries in parallel.

Run the following APIs to call an XQL query:

  1. Start an XQL Query—Run an XQL query. Response returns a unique execution ID used to retrieve the results by the Get XQL Query Results API.

  2. Get XQL Query Results—Retrieve XQL query results.

    API displays up to 1,000 results. If query generated more than 1,000 results, the response returns a unique stream ID used to retrieve additional results by the Get XQL Query Results Stream API.

  3. Get XQL Query Results Stream—Retrieve XQL query with more than 1,000 results.