XQL Language Structure

Cortex XSIAM XQL Language Reference

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-16
Category: Reference Guide

Abstract

Learn more about the Cortex Query Language structure when creating a query.

Cortex Query Language (XQL) queries usually begin by defining a data source, be it a dataset, preset, or Cortex Data Model (XDM). You can either query the XDM to which datasets are mapped, or you can query specific datasets, including presets. In a dataset query, unless otherwise specified, the query runs against the xdr_data dataset, which contains all log information that Cortex XSIAM collects. In XDM queries, the xdr_data dataset is mapped to the XDM, by default, with some data mapping exceptions.

After specifying a data source, you use zero or more stages to form the XQL query. Each stage is delimited using a pipe character (|). The function performed by each stage is identified by the stage keyword that you provide. XQL queries can contain different components depending on the type of query you want to build.
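The structure described above, as an added example that is not part of the original page: an explicit data source followed by pipe-delimited stages, each introduced by its stage keyword. The xdr_data field names, the ENUM value, and the datamodel form with its xdm.* fields are assumptions about the schema and are not given on this page.

```xql
// Dataset query: the data source comes first, then zero or more stages.
// Every stage starts with a pipe (|) and a stage keyword (filter, fields, limit).
// Omitting the "dataset = ..." line would run the same stages against xdr_data by default.
dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_name = "powershell.exe"
| fields agent_hostname, actor_process_image_name, action_process_image_command_line
| limit 20

// Equivalent XDM query (assumed syntax and field names): the datamodel source
// resolves fields through the Cortex Data Model mapping instead of the raw dataset.
datamodel dataset = xdr_data
| filter xdm.target.process.name = "powershell.exe"
| fields xdm.source.host.hostname, xdm.target.process.command_line
| limit 20
```

Each query is read top to bottom: the data source selects the rows, and every following stage receives the output of the stage before it.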