Legacy Query Builder - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Learn more about the entities in the Legacy Query Builder.

Note

We recommend using the Query Builder in New mode to take advantage of the Query Builder templates and ability to search the full Cortex Data Model (XDM).

In Legacy mode, the Query Builder searches predefined datasets only. To search the full XDM, switch to New mode or select XQL Search.

The Legacy Query Builder provides queries for the following types of entities:

  • Process: Search on process execution and injection by process name, hash, path, command line arguments, and more. See Create process query.

  • File: Search on file creation and modification activity by file name and path. See Create file query.

  • Network: Search network activity by IP address, port, host name, protocol, and more. See Create network query.

  • Image Load: Search on module load into process events by module IDs and more. See Create image load query.

  • Registry: Search on registry creation and modification activity by key, key value, path, and data. See Create registry query.

  • Event Log: Search Windows event logs and Linux system authentication logs by username, log event ID (Windows only), log level, and message. See Create event log query.

  • Network Connections: Search security event logs by firewall logs, endpoint raw data over your network. See Create network connections query.

  • Authentications: Search on authentication events by identity, target outcome, and more. See Create authentication query.

  • All Actions: Search across all network, registry, file, and process activity by endpoint or process. See Query across all entities.

The Query Builder also provides flexibility for both on-demand query generation and scheduled queries.