XQL Language Structure - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-02-09
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language structure when creating a query.

Cortex Query Language (XQL) queries usually begin by defining a data source, be it a dataset, preset, or Cortex Data Model (XDM). You must specify the dataset mapped to the XDM that you want to run your query against. In a dataset query, unless otherwise specified, the query runs against the xdr_data dataset, which contains all log information that Cortex XSIAM collects from all Cortex product agents, including EDR data and PAN NGFW data. It's possible to change the default dataset in the Dataset Management page of Cortex XSIAM. For more information, see What are datasets?.

After specifying a data source, you use zero or more stages to form the XQL query. Each stage is delimited using a pipe character (|). The function performed by each stage is identified by the stage keyword that you provide. XQL queries can contain different components depending on the type of query you want to build.
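The structure described above, as an added example that is not part of the Palo Alto Networks documentation: a data source followed by pipe-delimited stages that narrow, shape, aggregate and order the results. It assumes the xdr_data dataset exposes the process event fields named in the query (event_type, agent_hostname, action_process_image_name, action_process_image_command_line) and that the filter, fields, comp, sort and limit stages are available.

```xql
// Added example, not from the original page. Assumed fields and stage keywords are noted above.
// Data source: the default dataset, stated explicitly for clarity.
dataset = xdr_data
// Stage 1: keep only process events whose image is powershell.exe.
| filter event_type = ENUM.PROCESS and action_process_image_name = "powershell.exe"
// Stage 2: reduce each row to the columns a reviewer needs.
| fields agent_hostname, action_process_image_command_line
// Stage 3: aggregate to one row per host with a count of launches.
| comp count() as launches by agent_hostname
// Stage 4 and 5: rank hosts by launch count and cap the result size.
| sort desc launches
| limit 20
```

Each `|` starts a new stage whose keyword (filter, fields, comp, sort, limit) names the operation; removing a stage changes the shape of the output without affecting the stages before it.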