About the Query Builder - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide


Build XQL queries that search your ingested data, and assist you in the investigation and analysis process. You can use a query template or build your own.

To support investigation and analysis, you can search all of the data ingested by Cortex XSIAM by creating queries in the Query Builder. You can create queries that investigate leads, expose the root cause of an alert, perform damage assessment, and hunt for threats from your data sources.

Cortex XSIAM saves every query that you run in the Query Center. From the Query Center you can view query results, and edit, re-run, or reschedule a query. You can then visualize your query results in tables or graphs, and create widgets and correlations from the data. You can also save your queries to your own personal query library.


If you prefer to use the Query Builder in Legacy mode, switch the toggle in the header. In Legacy mode, the Query Builder searches predefined datasets only. To search the full XDM Data Model, switch to New mode or select XQL Search.