Use Query Builder templates to query your data sets without using the Cortex Query Language.
You can use the Query Builder templates to create effective queries without using the Cortex Query Language (XQL).
From the Query Builder, you can select the following templates:
Basic: Search by IP address, host name, user name and domain.
Free text: Search for a free text string.
Identity: Search by user name and type.
Endpoint: Search by host name, files, and processes.
Network IP: Search by IP address and connection status.
Cloud: Search by cloud provider and zone.
The templates are configured to run on specific datasets, but it's possible to run them on all datasets. The templates run on the following datasets by default:
Basic, Identity, Endpoint, and Network templates: xdr_data
Cloud template: cloud_audit_logs
The templates are set up with predefined filtering fields and fieldsets that are specific to the template type. For example, a query built with the Endpoint template includes fields from fieldset.xdm_endpoint. You can specify values for the default fields and add any other required fields to refine and adapt your search. The Query Builder templates support any filtering fields from the Cortex Data Model (XDM) schema.
Tip
To get started with queries, you can run an empty template query with no values specified. The query results will include all of the fields in the template-specific fieldset. Based on those results, you can run subsequent queries to narrow down your search.