XQL (CorteX Query Language) is Palo Alto’s query language used in Cortex XSIAM and Cortex XDR
Uses
- Reactive
  - Incident Investigations
- Proactive
  - Detection Rules
Threat Hunting
Threat hunting, also known as lead investigation, is when an analyst uses investigation tools to query the datasets in order to find threats before an alert fires.
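As an added example that is not part of the original notes, the query below shows what a proactive hunt (the kind that can later be turned into a detection rule) looks like in XQL. It runs against the standard `xdr_data` dataset and looks for Office applications spawning a scripting host, a common indicator of a malicious document. The field names and enum values are the ones Cortex XDR documents for process events; the 7-day timeframe, the process name lists and the result limit are assumptions chosen for illustration.

```xql
// Added example, not from the page: hunt for Office apps launching a script host.
// Assumed values: 7-day window, process name lists, limit of 100 rows.
config timeframe = 7d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
// parent (actor) is an Office application
| filter actor_process_image_name in ("winword.exe", "excel.exe", "outlook.exe")
// child (action) is a scripting or command host
| filter action_process_image_name in ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe")
| fields _time, agent_hostname, actor_process_image_name, action_process_image_name, action_process_image_command_line
| sort desc _time
| limit 100
```

Running this from the Query Builder returns the matching process-start events with host and command line, which is what an analyst reviews during a hunt. Once the logic is tuned (for example by excluding known-good administrative scripts), the same query can be saved as a scheduled query for ongoing monitoring or promoted to a detection rule so that future matches raise alerts instead of waiting for a manual hunt.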
Query Builder
The query builder is where you run XQL queries from scratch, templates, or fields.
- Run
  - Foreground task that runs the query immediately but won’t let you navigate to other pages while it runs.
- Scheduled Query
  - Useful for ongoing analysis or monitoring.
  - There are two types of scheduled queries:
    - non-periodic – scheduled to run once.
    - periodic – runs on a scheduled routine.