XQL Search

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2023-10-30
Last date published
2024-03-28
Category
Administrator Guide
Abstract

Use the Cortex Query Language (XQL) to query data ingested into Cortex XSIAM, for rigorous endpoint and network event analysis.

The Cortex Query Language (XQL) enables you to query data ingested into Cortex XSIAM for rigorous endpoint and network event analysis. To help you create an effective XQL query with the proper syntax, the query field in the user interface provides suggestions and definitions as you type.

XQL forms queries in stages. Each stage performs a specific query operation and is separated by a pipe character (|). Queries require a dataset, or data source, to run against. You can either query the Cortex Data Model (XDM) to which datasets are mapped, or you can query specific datasets. In a dataset query, unless otherwise specified, the query runs against the xdr_data dataset, which contains all log information that Cortex XSIAM collects. In XDM queries, the xdr_data dataset is mapped to the XDM, by default, with some data mapping exceptions. In addition, Next-Generation Firewall (NGFW) network log data are mapped to the XDM from various datasets.
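The two query forms described above, written out as an added illustration that is not taken from this page or from the Cortex XSIAM product documentation. The stage keywords (dataset, datamodel, filter, fields, limit) and the pipe separator are the ones the text describes; the field names used (event_type with the ENUM.PROCESS value, agent_hostname, action_process_image_name, action_process_image_command_line, and the xdm.source.host.hostname, xdm.source.process.name and xdm.source.process.command_line XDM fields) are assumed here and should be confirmed against the Cortex XSIAM XQL Language Reference Guide before use.

```xql
// Dataset query: stages are separated by a pipe and run left to right.
// xdr_data is the default dataset, so the first stage is written only for clarity.
dataset = xdr_data
| filter event_type = ENUM.PROCESS                      // keep process events only (assumed field and value)
| fields agent_hostname, action_process_image_name, action_process_image_command_line
| limit 20

// XDM query: same shape, but it reads the Cortex Data Model to which xdr_data and
// the NGFW datasets are mapped, so the fields are the normalized xdm.* names.
datamodel dataset = xdr_data
| filter xdm.source.process.name contains "powershell"  // substring match on the normalized process name
| fields xdm.source.host.hostname, xdm.source.process.name, xdm.source.process.command_line
| limit 20
```

The two queries are shown together only to contrast the dataset and XDM forms; run them one at a time in XQL Search. The XDM form is the one to prefer when the same question must be asked across several mapped sources, because the xdm.* field names stay the same whatever dataset the event came from.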

XQL queries can contain different components depending on the type of query you want to build. For a complete list of the syntax options available with example queries, see the Cortex XSIAM XQL Language Reference Guide.

Important

Forensic datasets are not included by default in XQL Search query results, unless the dataset query is explicitly defined to use a forensic dataset.