What are datasets? - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-12-12
Category
Administrator Guide
Abstract

Learn how to import, delete, and interact with custom or third-party datasets in Cortex XSIAM.

Cortex XSIAM runs every Cortex Query Language (XQL) query against a dataset. A dataset is a collection of column:value sets. If you do not specify a dataset in your query, Cortex XSIAM runs the query against the configured default datasets; for a dataset query this is xdr_data by default. The xdr_data dataset contains all of the endpoint and network data that Cortex XSIAM collects. A Cortex Data Model (XDM) query that does not name specific datasets runs against all mapped datasets. You can change the default datasets at any time with the Set to default option.

You can also upload datasets as a CSV, TSV, or JSON file containing the data you want to query. These uploaded datasets are called lookup datasets.

It is also possible to create dataset views, which provide a virtual representation of data from one or more datasets, based on the Cortex Query Language (XQL) query you define. Dataset views improve data efficiency and security, for example by segregating data for specific user needs or access privileges through the role-based access control (RBAC) settings. For more information, see Dataset views.

To query other datasets, you have the following options:

  • Set a dataset as default, which enables you to query the datasets without specifying them in the query.

  • Name a specific dataset at the beginning of your query with the dataset stage command.
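The queries below are an added example, not taken from the Cortex XSIAM documentation, illustrating the two query forms described above and the dataset view use case: a dataset query that names xdr_data explicitly with the dataset stage, a query that joins xdr_data to an uploaded lookup dataset, an XDM query that runs against all mapped datasets because no dataset is named, and a column-restricted query of the kind a dataset view can be defined from. The lookup dataset name known_bad_hashes and its sha256 column are assumptions for illustration; the xdr_data fields and xdm.* fields used are standard Cortex field names.

```xql
// 1. Dataset query: name the dataset with the dataset stage so the query does not
//    depend on whichever dataset is currently set as default.
config timeframe = 24h
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_name = "powershell.exe"
| fields _time, agent_hostname, actor_effective_username, action_process_image_sha256, action_process_image_command_line
| limit 100

// 2. Lookup dataset: known_bad_hashes (assumed name) is an uploaded CSV/TSV/JSON lookup
//    dataset with a sha256 column (assumed). Joining it to process events surfaces only
//    executions whose image hash appears in the lookup.
config timeframe = 7d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_sha256 != null
| join type = inner (dataset = known_bad_hashes) as bad bad.sha256 = action_process_image_sha256
| fields _time, agent_hostname, actor_effective_username, action_process_image_name, action_process_image_sha256
| sort desc _time

// 3. XDM query: with no dataset named after datamodel, the query runs against every
//    dataset that is mapped to the Cortex Data Model, regardless of the default dataset.
config timeframe = 24h
| datamodel
| filter xdm.event.outcome = XDM_CONST.OUTCOME_FAILED and xdm.source.user.username != null
| comp count() as failures by xdm.source.user.username, xdm.source.ipv4
| sort desc failures
| limit 20

// 4. Query of the kind a dataset view can be built from: it exposes only a subset of
//    columns from xdr_data, so a role granted access to the view rather than to
//    xdr_data itself never sees command lines or other unlisted columns.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| fields _time, agent_hostname, action_process_image_name, action_process_image_sha256
```

Each query is self-contained and can be pasted into the XQL Search page on its own; the config stage, where present, must be the first stage, and the dataset or datamodel stage must precede any filter.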

You can manage your datasets and dataset views in Cortex XSIAM from the Settings → Configurations → Data Management → Dataset Management page.

Below are some of the main tasks available for all dataset types by right-clicking a particular dataset or dataset view listed in either the Datasets or Dataset Views table. Only tasks that need further explanation are described below. Datasets and dataset views can only be deleted if nothing else depends on them. For example, if a Correlation Rule is based on a dataset or dataset view, you cannot delete that dataset or dataset view until you remove it from the XQL query of the Correlation Rule.

Note

For more information on tasks specific to lookup datasets, see Lookup datasets.