topic XQL Help - Any AI tools, query library? in Cortex XDR Discussions

XQL Help - Any AI tools, query library?

J.Suter — Thu, 17 Oct 2024 17:56:46 GMT

Wondering if there are plans to help build queries? Something as simple as looking for a file called "testfile" requires the query with the below code:

|preset = xdr_file
|filter action_file_name contains "testfile"

Another example that we are currently working on is a way to search for specific models of computers. As an example: "find all Latitude 7440" and show hostname, user, ip, last seen. We are assuming the information is hidden in a json file somewhere.

It makes it difficult to figure out what's needed when the easy way (builder) doesn't have certain forms and aspects to drill into. That leads to trial and error to find a solution. We tried converting Splunk queries using the convert to XQL slider which has yet to work for us.

Is there a user Library other than the official one which only has 1 in it?

Are there plans to add an AI helper to Cortex to help build queries?

SentinelONE has Purple, Crowdstrike has Charlotte, Sophos has it built into their platform as a few examples.

Thanks!

Re: XQL Help - Any AI tools, query library?

jmazzeo — Mon, 21 Oct 2024 15:26:33 GMT

Hi @J.Suter, thanks for reaching us using the Live Community.

The XDR console has a built-in Query Library in the XQL Query designer with, for now, 90+ examples.

This list gets updated on each XDR Console new release, if there are important new queries to add.

We have here in the LC this advanced XQL crash course than can help you to build some very specific use cases as the ones you mention: https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-xql-use-cases-and-applications-crash-course/ta-p/544228

Regarding the AI, we have Cortex Copilot for XSIAM since the last release, so is a matter of time that this will also be available for XDR.

If this post answers your question, please mark it as the solution.

Re: XQL Help - Any AI tools, query library?

J.Suter — Tue, 22 Oct 2024 12:33:56 GMT

Crash course is nice, thank you, and the query library is helpful and has given us some templates to work with. That copilot will be needed in the CortexXDR Pro space, hopefully that comes sooner than later, appreciate the response!

Re: XQL Help - Any AI tools, query library?

E.Jafarov — Thu, 21 Nov 2024 11:45:58 GMT

Hi jmazzeo ,

Crash course is very nice. I watched whole videos. Thank you!

Best regards,

Elmir Jafarov. Cybersecurity Engineer.

Re: XQL Help - Any AI tools, query library?

MarekKreul — Mon, 01 Sep 2025 11:59:10 GMT

For the sake of completeness - none of the above mentioned things is really an answer on the original question.

Employing an AI to ask "write me an XQL query to search for hosts with a file XYZ.exe, and output a table showing hostname, username, filepath, creation time" is something way more powerful and "accessible" than watching hours of training video or adapting, best-guessing and trial-and-erroring with a prebuilt query library,
The Cortex Copilot in XSIAM is nowhere near what you get when you ask e.g. Microsoft Copilot or ChatGPT to write you e.g. a Splunk SPL query for the above, and these tools aren't even related to the "SIEM" manufacturer.