Create XQL query - Learn how to create queries using the Cortex Query Language (XQL). - Administrator Guide - Cortex XSIAM - Cortex

Create XQL query - Learn how to create queries using the Cortex Query Language (XQL). - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2025-05-14

Tip

While the query is running, you can navigate away from the page. A notification is sent when the query has finished. You can also Cancel the query or run a new query, where you have the option to Run only new query (cancel previous) or Run both queries.

From Cortex XSIAM, select Incident Response → Investigation → Query Builder.
Click XQL.
(Optional) Change the default time period against which to run your query from the time picker at the top right of the window. You can select the required Timeframe from any of the following options available:
- Preset time ranges easily available to select from, such as 24 hours and 30 days.
- Recently used selections from your previous queries.
- Relative time: Define the time frame as the last <number> minutes, days, or hours by setting the number.
- Calendar: Create a customized time period by selecting the date range from the calendar and the specific Start Time and End Time.
Note
- Whenever the time period is changed in the query window, the config timeframe is automatically set to the time period defined, but this won't be visible as part of the query. Only if you manually type in the config timeframe will this be seen in the query.
- These time picker options are available in XQL queries when using the Query Builder, XQL Widgets, and when defining XQL Widgets in Reports and Dashboards.
(Optional) To translate Splunk queries to XQL queries, enable Translate to XQL. If you choose to use this feature, enter your Splunk query in the Splunk field, click the arrow icon () to convert to XQL, and then go to Step 6.
Create your query by typing in the query field. Relevant commands, their definitions, and operators are suggested as you type.
Tip
When creating XQL queries, you can:
- Use the up and down arrow keys to navigate through the auto-suggestion command suggestions and definitions.
- Select an auto-suggestion command by pressing either the Enter or Tab key.
- Press Shift+Enter to add a new line, and easily ignore the auto-suggestion output.
- Close the auto-suggestion output by pressing the Esc key.
1. (Optional) Specify a dataset.
  You only need to specify a dataset if you are running your query against a dataset that you have not set as default. Otherwise, the query runs against the xdr_data dataset. For more information, see How to build XQL queries.
  Example 69.
```
dataset = xdr_data
```
2. Press Enter, and then type the pipe character (|). Select a command, and complete the command using the suggested options.
3. Continue adding stages until your query is complete.
  Example 70.
```
dataset = xdr_data 
| filter agent_os_type = ENUM.AGENT_OS_MAC
| limit 250  
```
Choose when to run your query:
- Run the query immediately.
- Run the query by the specified date and time, or on a specific date, by selecting the calendar icon ().
(Optional) The Save As options save your query for future use:
- BIOC Rule: When compatible, saves the query as a BIOC rule. The XQL query must contain a filter for the event_type field.
- Correlation Rule: When compatible, saves the query as a Correlation Rule. For more information, see What's a correlation rule?.
- Query to Library: Saves the query to your personal query library. For more information, see Manage your personal query library.
- Widget to Library: For more information, see Create custom XQL widgets.

Note

Tip

Note

Tip

Note

Tip

Tip