Learn more about reviewing the results returned from an XQL query.
Review the following topics:
The results of a Cortex Query Language (XQL) query are displayed in a tab called Query Results.
Note
It's also possible to graph the results displayed. For more information, see Graph query results.
Use the following options in the Query Results tab to investigate your query results:
Option | Use |
---|---|
Table tab | Displays results in rows and columns according to the entity fields. Columns can be filtered, using their filter icons. More options (kebab icon ) displays table layout options, which are divided into different sections:
Show and hide rows according to a specific field in a specific event: select a cell, right-click it, and then select either Show rows with … or Hide rows with … |
Graph tab | Use the Chart Editor to visualize the query results. |
Advanced tab | Displays results in a table format which aggregates the entity fields into one column. You can change the layout, decide whether to Show line breaks for any text field in the results table, and change the log format from the menu. Select Show more to pivot an Expanded View of the event results that include NULL values. You can toggle between the JSON and Tree views, search, and Copy to clipboard. |
Export to File | Exports the results to a TSV (tab-separated values) file.
|
Refresh | Refreshes the query results. |
Free text search | Searches the query results for text that you specify in the free text search. Click the Free text search icon to reveal or hide the free text search field. |
Filter | Enables you to filter a particular field in the interface that is displayed to specify your filter criteria. For integer, boolean, and timestamp (such as |
Fields menu | Filters query results. To quickly set a filter, Cortex XSIAM displays the top ten results from which you can choose to build your filter. This option is only available in the Table and Advanced tabs, From within the Fields menu, click on any field (excluding JSON and array fields) to see a histogram of all the values found in the result set for that field. This histogram includes:
NoteIn order for Cortex XSIAM to provide a histogram for a field, the field must not contain an array or a JSON object. |
The Save As options save your query for future use:
BIOC Rule: When compatible, saves the query as a BIOC rule. The XQL query must contain a filter for the event_type field.
Correlation Rule: When compatible, saves the query as a Correlation Rule. For more information, see What's a correlation rule?.
Query to Library: Saves the query to your personal query library. For more information, see personal query library.
Widget to Library: For more information, see Create custom XQL widgets.
You can continue investigating the query results in the Causality View or Timeline by right-clicking the event and selecting the desired view. This option is available for the following types of events:
Process (except for those with an event sub-type of termination)
Network
File
Registry
Injection
Load image
System calls
Event logs for Windows
System authentication logs for linux
For network stories, you can pivot to the Causality View only. For cloud Cortex XSIAM events and Cloud Audit Logs, you can only pivot to the Cloud Causality View, while software-as-a-service (SaaS) related alerts for audit stories, such as Office 365 audit logs and normalized logs, you can only pivot to the SaaS Causality View.
Add a file path to your existing Malware Profile allowed list by right-clicking a <path> field, such as target_process_path, and select Add <path type> to malware profile allow list.