View XQL Query Results - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-16
Category: Administrator Guide
Abstract

Learn how to view the results returned from an XQL query.

View the results returned from a Cortex Query Language (XQL) query.

  1. From Cortex XSIAM, select Incident Response > Investigation > Query Center.

  2. Hover over the desired row in the table, and then select Show Results.

  3. Use the following options to investigate your query results.

    Option

    Use

    Table tab

    Displays results in rows and columns according to the entity fields. Columns can be filtered, using their filter icons.

    More options (kebab icon) displays table layout options, which are divided into different sections:

    • In the Appearance section, you can Show line breaks for any text field in the Query Results. By default, the text in these fields is wrapped unless the Show line breaks option is selected. In addition, you can change the way rows and columns are displayed.

    • In the Log Format section, you can change the way that logs are displayed:

      • RAW—Raw format of the entity in the database.

      • JSON—Condensed JSON format with key value distinctions. NULL values are not displayed.

      • TREE—Dynamic view of the JSON hierarchy with the option to collapse and expand the different hierarchies.

    • In the Search column section, you can find a specific column; enable or disable display of columns using the checkboxes.

    Show and hide rows according to a specific field in a specific event: select a cell, right-click it, and then select either Show rows with … or Hide rows with …

    Graph tab

    Use the Chart Editor to visualize the query results.

    Advanced tab

    Displays results in a table format which aggregates the entity fields into one column. You can change the layout, decide whether to Show line breaks for any text field in the results table, and change the log format from the More options menu:

    • More options (kebab icon) works in a similar way to how it works on the Table tab.

    • Show more in the bottom left corner of each row opens the Expanded View of the event results, which also includes NULL values. Here, you can toggle between the JSON and Tree views, search, and Copy to clipboard.

    • Log format options change the way that logs are displayed:

      • RAW—Raw format of the entity in the database.

      • JSON—Condensed JSON format with key value distinctions. NULL values are not displayed.

      • TREE—Dynamic view of the JSON hierarchy with the option to collapse and expand the different hierarchies.

    Export to File

    Exports the results to a TSV (tab-separated values) file.

    Refresh

    Refreshes the query results.

    Free text search

    Searches the query results for text that you specify in the free text search. Click the Free text search icon to reveal or hide the free text search field.

    Filter

    Opens a filter for a particular field; use the interface that is displayed to specify your filter criteria.

    For integer, boolean, and timestamp (such as _time) fields, we recommend that you use the Filter instead of the Free text search, in order to retrieve the most accurate query results.

    Fields menu

    Filters query results. To quickly set a filter, Cortex XSIAM displays the top ten results from which you can choose to build your filter. 

    From within the Fields menu, click on any field (excluding JSON and array fields) to see a histogram of all the values found in the result set for that field. This histogram includes:

    • A count of the total number of times a value was found in the result set.

    • The value's frequency as a percentage of the total number of values found for the field.

    • A bar chart showing the value's frequency.

    Note

    In order for Cortex XSIAM to provide a histogram for a field, the field must not contain an array or a JSON object.
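The per-field histogram that the Fields menu computes (count per value, share of all values found for the field, top ten only, no histogram for JSON or array fields) can be reproduced offline over results saved with Export to File. The following Python is an added example, not code from the Cortex XSIAM product or its documentation; the TSV rows and column names are constructed for illustration, and treating an empty cell as a NULL that is not counted is an assumption.

```python
import csv
import io
import json
from collections import Counter

# Constructed sample in the shape Export to File writes (TSV); column names are
# illustrative and the rows are not real telemetry.
SAMPLE_TSV = (
    "_time\tevent_type\taction_process_image_name\tevent_json\n"
    "1708905600000\tPROCESS\tpowershell.exe\t{\"pid\": 4312}\n"
    "1708905601000\tPROCESS\tcmd.exe\t{\"pid\": 4320}\n"
    "1708905602000\tNETWORK\t\t{\"pid\": 4320}\n"
    "1708905603000\tPROCESS\tpowershell.exe\t{\"pid\": 4333}\n"
)

def is_structured(value: str) -> bool:
    """True when the cell holds a JSON object or array: the console offers no
    histogram for such fields, so the offline version refuses them too."""
    s = value.strip()
    if not s.startswith(("{", "[")):
        return False
    try:
        json.loads(s)
        return True
    except ValueError:
        return False

def field_histogram(tsv_text: str, field: str, top: int = 10):
    """[(value, count, percent)] for one field, as the Fields menu shows it:
    count per value, share of all values found for the field, top N only.
    None for JSON/array fields. Assumption: an empty cell is NULL and is not
    counted as a value (the console's JSON view omits NULL values)."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    values = [row[field] for row in reader if row.get(field)]
    if any(is_structured(v) for v in values):
        return None
    return [(v, c, round(100.0 * c / len(values), 1))
            for v, c in Counter(values).most_common(top)]

def render(hist, width: int = 20) -> list:
    """Plain-text stand-in for the histogram's bar chart, one line per value."""
    return [f"{v:<24} {c:>4} {p:>5.1f}% {'#' * round(p * width / 100)}"
            for v, c, p in hist]

if __name__ == "__main__":
    for line in render(field_histogram(SAMPLE_TSV, "action_process_image_name")):
        print(line)
```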

  4. (Optional) Save the query to your personal query library.

  5. (Optional) Continue investigation in the Causality View or Timeline View.

    Right-click the event and select the desired view. This option is available for the following types of events: process (except for those with an event sub-type of termination), network, file, registry, injection, load image, system calls, event logs for Windows, and system authentication logs for Linux. For network stories, you can pivot to the Causality View only. For cloud Cortex XSIAM events and Cloud Audit Logs, you can pivot only to the Cloud Causality View, while for software-as-a-service (SaaS) related alerts in audit stories, such as Office 365 audit logs and normalized logs, you can pivot only to the SaaS Causality View.

  6. (Optional) Add a file path to your existing Malware Profile allowed list. Right-click a <path> field, such as target_process_path, and select Add <path type> to malware profile allow list.

  7. (Optional) Visualize your query results.