About the Query Builder - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-09-12
Category
Administrator Guide
Abstract

The Query Builder facilitates threat detection, incident expansion, and data analytics for suspected threats.

The Query Builder supports threat detection by letting you search ingested data sources for indicators of compromise and suspicious patterns. It supports incident expansion by surfacing related events and entities, such as activity tied to a specific user account or connections that suggest lateral movement across the network. It also supports data analytics on suspected threats, letting you analyze large volumes of data to identify trends, anomalies, and correlations that may indicate a security issue.

To support investigation and analysis, you can search all of the data ingested by Cortex XSIAM by creating queries in the Query Builder. You can create queries that investigate leads, expose the root cause of an alert, perform damage assessment, and hunt for threats from your data sources.
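The following XQL query is an added example for this guide, not a query taken from the original page or from Palo Alto Networks' product documentation. It illustrates the "hunt for threats" use case above: it looks for hosts whose processes opened connections to many distinct peers on SMB (445) or RDP (3389), a common first pass for lateral movement. The dataset name (xdr_data) and the field names (event_type, action_remote_port, action_remote_ip, agent_hostname, actor_effective_username, actor_process_image_name) are assumed from the Cortex XDM schema; confirm them against the datasets available in your tenant before relying on the query, and set the time range with the query's time picker.

```xql
// Added example, not from the original page. Dataset and field names are
// assumed from the XDM schema; verify them in your tenant's schema browser.
dataset = xdr_data
| filter event_type = ENUM.NETWORK
    and action_remote_port in (445, 3389)
// Count distinct destination hosts per source host, user, and process
| comp count_distinct(action_remote_ip) as target_hosts
    by agent_hostname, actor_effective_username, actor_process_image_name
// A single process fanning out to many peers is worth a closer look
| filter target_hosts > 10
| sort desc target_hosts
| limit 100
```

The threshold of 10 distinct peers is a starting point, not a tuned detection: administrative tooling such as vulnerability scanners or software-distribution agents will exceed it legitimately, so add an exclusion for those processes or hosts once you have reviewed the first results.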

Cortex XSIAM provides different options in the Query Builder for creating queries:

Tip

If you prefer to use the Query Builder in Legacy mode, switch the toggle in the header. In Legacy mode, the Query Builder searches predefined datasets only. To search the full XDM Data Model, switch to New mode or select XQL Search.