Learn more about building Cortex Data Model (XDM) queries in Cortex Query Language.
The basic syntax structure for querying the Cortex Data Model (XDM) is:
datamodel | <STAGE> ... | <STAGE> ... | <STAGE> ...
In a query using the datamodel command, unless specific datasets are specified, the query runs against all mapped datasets, which contain log information ingested by Cortex XSIAM. You can also install Marketplace Content Packs, or map an ingested dataset into the XDM, to query additional datasets.
In XDM queries that specify datasets, use either of the following forms:
datamodel dataset in (<dataset_name>,...) …
or
datamodel dataset = <dataset_name> …
Adding a wildcard suffix (*) is supported in the <dataset_name>, which matches all datasets that are mapped to the data model and begin with the specified text. For example, datamodel dataset = xdr* or datamodel dataset in (xdr*).
When querying the XDM, fields that are not mapped to the XDM are accessible as <dataset>.<field>. They can be used at any stage of a datamodel query.
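The following query is an added example (not from the original page or from the product documentation) that combines the three forms above: a dataset list with a wildcard, mapped XDM fields, and an unmapped field referenced as <dataset>.<field>. The dataset name my_vendor_raw and its unmapped field vendor_reason are hypothetical; the xdm.* fields are standard Cortex Data Model fields.

```xql
// Count failed authentication events per source address across every
// mapped dataset whose name starts with "xdr", plus one explicitly named
// dataset (hypothetical name: my_vendor_raw).
datamodel dataset in (xdr*, my_vendor_raw)
// Mapped XDM fields are available for all matched datasets.
| filter xdm.event.type = "AUTHENTICATION" and xdm.event.outcome = "FAILURE"
// An unmapped field is still reachable with <dataset>.<field>;
// it will be null for rows that come from other datasets.
| fields xdm.source.ipv4, xdm.source.user.username, my_vendor_raw.vendor_reason
| comp count() as failures by xdm.source.ipv4, xdm.source.user.username
| sort desc failures
```

Rows from the xdr* datasets keep the unmapped column empty, which is a quick way to confirm that the field name belongs to the named dataset and not to the data model.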
When creating XDM queries, auto-suggestions are available, according to the existing XDM fields.