Review XQL query results - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-13
Category
Administrator Guide
Abstract

Learn more about reviewing the results returned from an XQL query.


The results of a Cortex Query Language (XQL) query are displayed in a tab called Query Results.

Note

It's also possible to graph the results displayed. For more information, see Graph query results.

Use the following options in the Query Results tab to investigate your query results:

Option

Use

Table tab

Displays results in rows and columns according to the entity fields. Columns can be filtered using their filter icons.

More options (the kebab icon) displays table layout options, which are divided into different sections:

  • In the Appearance section, you can Show line breaks for any text field in the Query Results. By default, the text in these fields is wrapped unless the Show line breaks option is selected. In addition, you can change the way rows and columns are displayed.

  • In the Log Format section, you can change the way that logs are displayed:

    • RAW: Raw format of the entity in the database.

    • JSON: Condensed JSON format with key-value distinctions. NULL values are not displayed.

    • TREE: Dynamic view of the JSON hierarchy with the option to collapse and expand the different hierarchies.

  • In the Search column section, you can find a specific column and enable or disable the display of columns using the checkboxes.

Show and hide rows according to a specific field in a specific event: select a cell, right-click it, and then select either Show rows with … or Hide rows with …

Graph tab

Use the Chart Editor to visualize the query results.

Advanced tab

Displays results in a table format that aggregates the entity fields into one column.

  • More options (the kebab icon) works in a similar way to how it works on the Table tab: you can change the layout and decide whether to Show line breaks for any text field in the results table.

  • Show more in the bottom left corner of each row opens the Expanded View of the event results, which also includes NULL values. Here, you can toggle between the JSON and Tree views, search, and Copy to clipboard.

  • Log format options change the way that logs are displayed:

    • RAW: Raw format of the entity in the database.

    • JSON: Condensed JSON format with key-value distinctions. NULL values are not displayed.

    • TREE: Dynamic view of the JSON hierarchy with the option to collapse and expand the different hierarchies.

Export to File

Exports the results to a TSV (tab-separated values) file.

Refresh

Refreshes the query results.

Free text search

Searches the query results for text that you specify in the free text search. Click the Free text search icon to reveal or hide the free text search field.

Filter

Opens a filter for a particular field, in which you specify your filter criteria.

For integer, boolean, and timestamp (such as _time) fields, we recommend that you use the Filter instead of the Free text search, in order to retrieve the most accurate query results.

Fields menu

Filters query results. To quickly set a filter, Cortex XSIAM displays the top ten results from which you can choose to build your filter. This option is only available in the Table and Advanced tabs.

From within the Fields menu, click on any field (excluding JSON and array fields) to see a histogram of all the values found in the result set for that field. This histogram includes:

  • A count of the total number of times a value was found in the result set.

  • The value's frequency as a percentage of the total number of values found for the field.

  • A bar chart showing the value's frequency.

Note

In order for Cortex XSIAM to provide a histogram for a field, the field must not contain an array or a JSON object.
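The histogram the Fields menu builds (count per value, the value's share of the field's total, a bar, and only for fields that are not arrays or JSON objects) can be reproduced offline over an Export to File TSV. The following is an added example written for this page, not code from Cortex XSIAM or Palo Alto Networks; the TSV sample is constructed, its column layout (header row of field names, one event per row, empty cell for NULL) is an assumption about the export, and the "tags" column is hypothetical, included only to show how an array-valued field is excluded.

```python
import csv
import io
import json
from collections import Counter

# Constructed sample standing in for an "Export to File" TSV of query results.
# Assumed layout (not verified against a real export): a header row of field
# names, one event per row, and an empty cell where the field is NULL.
# The "tags" column is hypothetical and exists only to carry a JSON array.
SAMPLE_TSV = (
    "_time\tagent_hostname\taction_process_image_name\taction_process_signature_vendor\ttags\n"
    "1712000000000\thost-a\tpowershell.exe\tMicrosoft Corporation\t[\"sample\"]\n"
    "1712000001000\thost-b\tpowershell.exe\tMicrosoft Corporation\t[\"sample\"]\n"
    "1712000002000\thost-a\tcmd.exe\tMicrosoft Corporation\t[\"sample\"]\n"
    "1712000003000\thost-c\tmshta.exe\t\t[\"sample\"]\n"
    "1712000004000\thost-b\tpowershell.exe\tMicrosoft Corporation\t[\"sample\"]\n"
)


def load_tsv(text):
    """Parse a TSV export into a list of {field: value} dicts.

    QUOTE_NONE keeps JSON strings (which contain double quotes) intact
    instead of letting the csv module interpret them as quoting.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    return list(reader)


def is_structured(value):
    """True if the cell holds a JSON object or array.

    The page states that fields containing an array or JSON object get no
    histogram, so such fields are detected and skipped.
    """
    s = value.strip()
    if not (s.startswith("{") or s.startswith("[")):
        return False
    try:
        json.loads(s)
        return True
    except json.JSONDecodeError:
        return False


def field_histogram(rows, field, top=10):
    """Return [(value, count, percent)] for the top-N values of a field.

    Mirrors the Fields menu histogram: a count per value and the value's
    frequency as a percentage of all values found for that field. Returns
    None for array/JSON fields. Assumption: an empty cell is NULL and is
    not counted as a value.
    """
    values = [r.get(field) or "" for r in rows]
    if any(is_structured(v) for v in values if v):
        return None
    non_null = [v for v in values if v != ""]
    total = len(non_null)
    if total == 0:
        return []
    counts = Counter(non_null)
    return [(v, c, round(100.0 * c / total, 1))
            for v, c in counts.most_common(top)]


def render(hist, width=20):
    """Render a histogram as text with a proportional bar per value."""
    lines = []
    for value, count, pct in hist:
        bar = "#" * round(width * pct / 100)
        lines.append(f"{value:<30}{count:>5}{pct:>7.1f}%  {bar}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = load_tsv(SAMPLE_TSV)
    for name in ("action_process_image_name",
                 "action_process_signature_vendor", "tags"):
        hist = field_histogram(rows, name)
        print(f"== {name}")
        print("(no histogram: array/JSON field)" if hist is None
              else render(hist))
```

Run it on a real export by replacing SAMPLE_TSV with the file contents; the only format assumption that matters is that the first row carries the field names and NULLs are exported as empty cells.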

The Save As options save your query for future use:

  • BIOC Rule: When compatible, saves the query as a BIOC rule. The XQL query must contain a filter for the event_type field.

  • Correlation Rule: When compatible, saves the query as a Correlation Rule. For more information, see What's a correlation rule?.

  • Query to Library: Saves the query to your personal query library. For more information, see personal query library.

  • Widget to Library: For more information, see Create custom XQL widgets.

You can continue investigating the query results in the Causality View or Timeline by right-clicking the event and selecting the desired view. This option is available for the following types of events:

  • Process (except for those with an event sub-type of termination)

  • Network

  • File

  • Registry

  • Injection

  • Load image

  • System calls

  • Event logs for Windows

  • System authentication logs for Linux

For network stories, you can pivot to the Causality View only. For cloud Cortex XSIAM events and Cloud Audit Logs, you can pivot only to the Cloud Causality View. For software-as-a-service (SaaS) related alerts for audit stories, such as Office 365 audit logs and normalized logs, you can pivot only to the SaaS Causality View.

Add a file path to your existing Malware Profile allowed list by right-clicking a <path> field, such as target_process_path, and selecting Add <path type> to malware profile allow list.