Query Builder templates - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-12-01
Category
Administrator Guide
Abstract

Use Query Builder templates to query your data sets without using the Cortex Query Language.

You can use the Query Builder templates to create effective queries without using the Cortex Query Language (XQL).

From the Query Builder, you can select the following templates:

  • Basic: Search by IP address, host name, user name and domain.

  • Free text: Search for a free text string.

  • Identity: Search by user name and type.

  • Endpoint: Search by host name, files, and processes.

  • Network IP: Search by IP address and connection status.

  • Cloud: Search by cloud provider and zone.

The templates are configured to run on specific datasets, but it's possible to run them on all datasets. The templates run on the following datasets by default:

  • Basic, Identity, Endpoint, and Network templates: xdr_data

  • Cloud template: cloud_audit_logs

The templates are set up with predefined filtering fields and fieldsets that are specific to the template type. For example, a query built with the Endpoint template includes fields from fieldset.xdm_endpoint. You can specify values for the default fields and add any other required fields to refine and adapt your search. The Query Builder templates support any filtering fields from the Cortex Data Model (XDM) schema.

Tip

To get started with queries, you can run an empty template query with no values specified. The query results will include all of the fields in the template specific fieldset. Based on the query results, you can run subsequent queries to narrow down your search.