Learn more about the Cortex Data Model (XDM) supported in the Cortex Query Language.
The Cortex Query Language (XQL) supports a single Cortex Data Model (XDM), a normalized data structure. Datasets are mapped to the XDM in three different ways:

- The xdr_data dataset is automatically mapped to the XDM, with some data mapping exceptions (default). In addition, Next-Generation Firewall (NGFW) network log data are mapped to the XDM from the following datasets:
  - panw_ngfw_traffic_raw
  - panw_ngfw_threat_raw
  - panw_ngfw_url_raw
  - panw_ngfw_filedata_raw
  - panw_ngfw_globalprotect_raw
  - panw_ngfw_hipmatch_raw
- Out-of-the-box mappings of datasets, delivered as Data Model Rules through the Marketplace. For more information, see Marketplace.
- Mappings you create yourself by writing your own Data Model Rules. For more information, see Create Data Model Rules.
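The practical benefit of the XDM is that one query can run across datasets with different raw schemas. The following XQL query is an added example, not part of the original page or of the product documentation: it assumes that the datamodel stage accepts several datasets in one query and that the XDM fields xdm.source.ipv4, xdm.target.ipv4, xdm.target.port and xdm.network.rule exist in your tenant's schema; confirm the field names against the Cortex XSIAM Data Model Schema before relying on them.

```xql
// Added example (not from the original page). Both datasets below map to the XDM,
// so the query refers only to normalized xdm.* fields and never to the
// vendor-specific raw column names of either source.
// Assumed: multi-dataset datamodel syntax and the xdm.* field names used here.
datamodel dataset in (xdr_data, panw_ngfw_traffic_raw)
// Remote-administration ports are a common thing to review; adjust to your environment.
| filter xdm.target.port in (22, 3389)
// Count sessions per source/target pair and the firewall rule that matched them.
| comp count() as sessions by xdm.source.ipv4, xdm.target.ipv4, xdm.target.port, xdm.network.rule
| sort desc sessions
| limit 50
```

A dataset that has not been mapped, either out of the box or through a Data Model Rule you created, will not return rows here even if its raw fields hold the same information.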
For more information on the XDM Schema, specifically the fields, fieldsets, fields designated as ENUMS (CONST), and aliases, see the Cortex XSIAM Data Model Schema.