XQL Query Best Practices - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Learn about best practices for streamlining XQL queries.

Cortex XSIAM includes built-in mechanisms for mitigating long-running queries, such as default limits on the maximum number of alerts allowed and on the maximum number of rows returned. When you query by the Cortex Data Model (XDM), only the specified mapped datasets are searched, which uses system resources and time more efficiently. The following suggestions can help you streamline your queries:

  • Add a smaller limit to queries by using a limit stage. To help reduce the Cortex Query Language (XQL) response time, the results of an XDM query or a basic XQL query are limited to 1000 by default when no limit is explicitly stated in the query. This applies to basic queries that have no stages other than the fields stage. The default limit does not apply to widgets, Correlation Rules, public APIs, saved queries, or scheduled queries, where the maximum is 1,000,000 results. Adding a smaller limit can therefore greatly reduce the response time. For example:

    datamodel dataset = microsoft_windows_raw
        | fields *host*
        | limit 100

  • Use a small time frame for queries (specify the exact date and time range with the custom option instead of picking the nearest larger preset that is available).

  • Use filters that exclude data, in addition to any other filters you can apply.

  • Select only the specific fields that you need in the query results.
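The four practices above combined into a single query, as an added example that is not from the original page. It narrows the time window with a config timeframe stage, excludes a known-noisy host, selects only the XDM fields that are needed, and caps the result set. The config timeframe syntax and the xdm.* field names are taken from the XQL language reference as assumptions; the hostname value is constructed.

```xql
// Narrow the time window first: an explicit one-hour range rather than a preset such as 24H.
config timeframe between "2024-01-01 00:00:00 +0000" and "2024-01-01 01:00:00 +0000"
// Query by the Cortex Data Model so only the mapped dataset is searched (dataset from the page's own example).
| datamodel dataset = microsoft_windows_raw
// Exclude data that is not of interest, here a constructed hostname for a noisy build server.
| filter xdm.source.host.hostname != "build-agent-01"
// Return only the fields that will actually be read, not the whole normalized record.
| fields xdm.source.host.hostname, xdm.target.user.username, xdm.event.id, xdm.event.outcome
// Cap the result set well below the 1000-row default so the query returns quickly.
| limit 100
```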