XQL Query Best Practices - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-18
Category
Administrator Guide
Abstract

Learn about best practices for streamlining XQL queries.

Cortex XSIAM includes built-in mechanisms for mitigating long-running queries, such as default limits for the maximum number of allowed alerts, and for the maximum number of returned rows. All mapped datasets are searched when querying by the Cortex Data Model (XDM), unless stated otherwise. We therefore recommend that you refine your query to use system resources and time more efficiently. The following suggestions can help you to streamline your queries:

  • Add a smaller limit to queries by using a limit stage. To help reduce the Cortex Query Language (XQL) response time, the results of an XDM query or an XQL basic query are limited to 1000 by default when no limit is explicitly stated in the query. This applies to basic queries with no stages except the fields stage. This default limit does not apply to widgets, Correlation Rules, public APIs, saved queries, or scheduled queries, where the limit is a maximum of 1,000,000 results. Therefore, adding a smaller limit can greatly reduce the response time. For example:

    datamodel
        | fields *host*
        | limit 100
  • Use a small time frame for queries (specify the specific date and time in the custom option, instead of picking the nearest larger option available).

  • Specify the relevant products/datasets, and exclude irrelevant products/datasets.

  • Use filters that exclude data, along with other possible filters.

  • Select the specific fields that you would like to see in the query results.
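
The following query applies all of the suggestions above to a single question ("which processes started on which hosts in a given two-hour window"). It is an added example written for this page, not a query from the guide; the dataset name, the timestamps, and the event-type value are assumptions.

```xql
// Constructed example: one XDM query narrowed with each best practice.
// Explicit, small time frame (custom date and time instead of a preset range).
config timeframe between ("2024-04-01 00:00:00" and "2024-04-01 02:00:00")
// Search one relevant dataset only, instead of every dataset mapped to the XDM.
| datamodel dataset = xdr_data
// Keep only the event type that answers the question (value is an assumption).
| filter xdm.event.type = "Process Start"
// Exclusion filter alongside the positive one: drop rows that cannot be attributed to a host.
| filter xdm.source.host.hostname != null
// Return only the fields needed in the results.
| fields xdm.source.host.hostname, xdm.source.process.name, xdm.target.process.command_line
// Explicit limit far below the default of 1000.
| limit 100
```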