Learn how to create queries using the Cortex Query Language (XQL).
Use XQL Search to analyze raw log data stored in Cortex XSIAM. You can query either the data model or a dataset, using the following syntax, respectively:
Data model
datamodel | <STAGE> ... | <STAGE> ... | <STAGE> ...Dataset
dataset = <DATASET NAME> | <STAGE> ... | <STAGE> ... | <STAGE> ...or
dataset in (<DATASET NAME>) | <STAGE> ... | <STAGE> ... | <STAGE> ...
Note
For further help constructing queries, use the XQL Language Reference Guide.
Create a Data Model Query
From Cortex XSIAM, select → → .
Select .
(Optional) To change the default time period against which to run your query, at the top right of the window, select the required time period, or create a customized one.
(Optional) To translate Splunk queries to XQL queries, enable Translate to XQL. If you choose to use this feature, enter your Splunk query in the Splunk field, click the arrow icon to convert to XQL, and then go to Step 6.
Create your query by typing in the query field. Relevant commands, their definitions, and operators are suggested as you type. When multiple suggestions are displayed, use the arrow keys to select a suggestion and to view an explanation for each one.
Type
datamodel.Optionally, specify one or more datasets. For example:
datamodel dataset in (xdr_data)
Press Enter, and then type the pipe character (
|). Select a command, and complete the command using the suggested options.Continue adding stages until your query is complete. For example:
datamodel dataset in (xdr_data) | filter xdm.source.ipv4 = "10.9.165.1" | fields xdm.source.ipv4, xdm.source.port | limit 100
Choose when to run your query:
the query immediately.
Run the query by the specified date and time, or on a specific date, by selecting the calendar icon (
).
(Optional) The options save your query for future use:
—when compatible, saves the query as a BIOC rule. The XQL query must contain a filter for the event_type field.
.
—saves the query to your personal query library.
—for more information, see View XQL Query Results.
Tip
While the query is running, you can navigate away from the page. A notification is sent when the query has finished. You can also Cancel the query or run a new query, where you have the option to Run only new query (cancel previous) or Run both queries.
Create a Dataset Query
From Cortex XSIAM, select → → .
Select .
(Optional) To change the default time period against which to run your query, at the top right of the window, select the required time period, or create a customized one.
(Optional) To translate Splunk queries to XQL queries, enable Translate to XQL. If you choose to use this feature, enter your Splunk query in the Splunk field, click the arrow icon to convert to XQL, and then go to Step 6.
Create your query by typing in the query field. Relevant commands, their definitions, and operators are suggested as you type. When multiple suggestions are displayed, use the arrow keys to select a suggestion and to view an explanation for each one.
Specify a dataset. For example:
dataset = xdr_data
Press Enter, and then type the pipe character (
|). Select a command, and complete the command using the suggested options.Continue adding stages until your query is complete. For example:
dataset = xdr_data | filter agent_os_type = ENUM.AGENT_OS_MAC | limit 250
Choose when to run your query:
the query immediately.
Run the query by the specified date and time, or on a specific date, by selecting the calendar icon (
).
(Optional) The options save your query for future use:
—when compatible, saves the query as a BIOC rule. The XQL query must contain a filter for the event_type field.
.
—saves the query to your personal query library.
—for more information, see View XQL Query Results.
Tip
While the query is running, you can navigate away from the page. A notification is sent when the query has finished. You can also Cancel the query or run a new query, where you have the option to Run only new query (cancel previous) or Run both queries.