XQL Query best practices - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide
Abstract

Learn about best practices for streamlining XQL queries.

Cortex XSIAM includes built-in mechanisms for mitigating long-running queries, such as default limits on the maximum number of allowed alerts and on the maximum number of returned rows. When you query by the Cortex Data Model (XDM), only the specified mapped datasets are searched, which uses system resources and time more efficiently. The following suggestions can help you streamline your queries:

  • Add a smaller limit to queries by using a limit stage.

    To help reduce the Cortex Query Language (XQL) response time, the results of an XDM query or an XQL dataset query are limited to 1000 rows by default when no limit is explicitly stated in the query. This default applies to basic queries with no stages other than the fields stage. It does not apply to widgets, Correlation Rules, public APIs, saved queries, or scheduled queries, where the limit is a maximum of 1,000,000 results. Therefore, adding a smaller limit can greatly reduce the response time.

    Example 122. 

    datamodel dataset = microsoft_windows_raw 
    | fields *host* 
    | limit 100

  • Use a small time frame for queries: specify the exact date and time range with the custom option instead of picking the nearest larger preset.

  • Use filters that exclude data, in addition to any other applicable filters.

  • Select the specific fields that you would like to see in the query results.
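As an added example that is not from this page, the following query combines all four suggestions (a small explicit time frame, an exclusion filter, a short field list, and a small limit). It assumes the standard xdr_data dataset and its field names, and the config timeframe stage; adjust them to your tenant.

```xql
// Added example: one streamlined XQL query applying the suggestions above.
// Assumed: the xdr_data dataset, its field names, and the config timeframe stage.
config timeframe = 1h                               // small, explicit time window
| dataset = xdr_data                                // query one raw dataset
| filter event_type = ENUM.PROCESS                  // keep only process events
    and action_process_image_name != "svchost.exe"  // exclude a high-volume process
| fields agent_hostname,                            // return only the columns you need
         action_process_image_name,
         action_process_image_command_line
| limit 100                                         // smaller than the 1000-row default
```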