Learn more about building dataset queries in Cortex Query Language.
In a dataset query, unless otherwise specified, the query runs against the xdr_data dataset, which contains all log information that Cortex XSIAM collects. If you are running your query against a dataset that has been set as the default, there is no need to specify a dataset; otherwise, specify a dataset in your query. The Dataset Queries page lists the available datasets, which depend on your system configuration.
Note
Users with different dataset permissions can receive different results for the same XQL query.
An administrator or a user with a predefined user role can create and view queries built with an unknown dataset that currently does not exist in Cortex XSIAM. All other users can only create and view queries built with an existing dataset.
When you have more than one dataset or lookup, you can change your default dataset by navigating to Settings → Configurations → Data Management → Dataset Management, right-clicking the appropriate dataset, and selecting Set as default. For more information about setting default datasets, see Dataset Management.
The basic syntax structure for querying datasets that are not mapped to the XDM is:
dataset = <dataset name> | <stage1> ... | <stage2> ... | <stage3> ...
or
dataset in (<dataset name>) | <stage1> ... | <stage2> ... | <stage3> ...
You can specify a dataset using one of the following formats, depending on the data retention offerings available in Cortex XSIAM.
Hot Storage queries use the format dataset = <dataset name>. This is the default option. For example: dataset = xdr_data
Cold Storage queries use the format cold_dataset = <dataset name>. For example: cold_dataset = xdr_data
Note
You can build a query that investigates data in both a cold dataset and a hot dataset in the same query. In addition, as the hot storage dataset format is the default option and represents the fully searchable storage, this format is used throughout this guide for investigation and threat hunting. For more information on hot and cold storage, see Dataset Management.
A query that uses only the hot storage default format returns every xdr_data record contained in your Cortex XSIAM instance over the time range that you provide in the Query Builder user interface. This can be a large amount of data, which may take a long time to retrieve. Use a limit stage to specify how many records you want to retrieve.
There is no practical limit to the number of stages that you can specify. See Stages Commands Reference for information on all the supported stages.
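The following two queries are an added example, not taken from the Cortex XSIAM documentation itself, showing the hot and cold dataset formats from above with a filter stage and a limit stage. The fields event_type, ENUM.PROCESS, agent_hostname, actor_effective_username and action_process_image_name are standard xdr_data fields that this page does not mention; the record limit of 100 is an arbitrary value chosen for the example.

```xql
// Hot storage (default format). The filter stage narrows the result before
// the limit stage, so the 100 returned records are relevant ones rather than
// the first 100 records of the whole dataset in the selected time range.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| fields _time, agent_hostname, actor_effective_username, action_process_image_name
| limit 100

// The same query against cold storage: only the dataset prefix changes.
cold_dataset = xdr_data
| filter event_type = ENUM.PROCESS
| fields _time, agent_hostname, actor_effective_username, action_process_image_name
| limit 100
```

Run each query separately in the Query Builder; without the limit stage, the same queries return every matching record in the selected time range.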
In the xdr_data dataset, every user field included in the raw data for network, authentication, and login events has an equivalent normalized user field associated with it that displays the user information in the following standardized format:
<company domain>\<username>
For example, the login_data field has the login_data_dst_normalized_user field to display the content in the standardized format. To ensure the most accurate results, we recommend that you use these normalized_user fields when building your queries.
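As an added example that is not part of the original documentation, the query below counts login events per normalized destination user using the login_data_dst_normalized_user field named above. The fields event_type, ENUM.LOGIN and agent_hostname are standard xdr_data fields not mentioned on this page, and the alias logins and the limit of 50 are values chosen for the example.

```xql
// Count login events per normalized destination user (<company domain>\<username>)
// and host, so the same account is not split across raw user-name spellings.
dataset = xdr_data
| filter event_type = ENUM.LOGIN and login_data_dst_normalized_user != null
| comp count() as logins by login_data_dst_normalized_user, agent_hostname
| sort desc logins
| limit 50
```

The null check drops records that carry no normalized user value, and grouping on the normalized field rather than the raw one is what gives a single row per account, which is the reason the page recommends the normalized_user fields for accuracy.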