Use the Cortex Query Language (XQL) to query data ingested into Cortex XSIAM, for rigorous endpoint and network event analysis.
The Cortex Query Language (XQL) enables you to query data ingested into Cortex XSIAM for rigorous endpoint and network event analysis. To help you create an effective XQL query with the proper syntax, the query field in the user interface provides suggestions and definitions as you type.
XQL forms queries in stages. Each stage performs a specific query operation and is separated by a pipe character (|
). Queries require a dataset, or data source, to run against. You can either query the Cortex Data Model (XDM) to which datasets are mapped, or you can query specific datasets. In a dataset query, unless otherwise specified, the query runs against the xdr_data
dataset, which contains all log information that Cortex XSIAM collects from all Cortex product agents, including EDR data, and PAN NGFW data. In XDM queries, you must specify the dataset mapped to the XDM that you want to run your query against.
Tip
For dataset queries, it's possible to change the default dataset in the Dataset Management page. For more information, see Manage Datasets.
XQL queries can contain different components depending on the type of query you want to build. For a complete list of the syntax options available with example queries, see the Cortex XSIAM XQL Language Reference Guide.
Important
Forensic datasets are not inlcuded by default in XQL Search query results, unless the dataset query is explicitly defined to use a forensic dataset.