XQL: Anyone has working example of building analytics on XQL query?

KanwarSingh01 — Fri, 03 Jan 2025 03:22:40 GMT

We want to build analytics using XQL where we could find or create an alert if certain behavior has occurred for the first time on endpoint.

Currently, we use external help where we run XQL schedule query and then retrieve results and run python script based on our use case.

Any suggestion will be helpful.

Re: XQL: Anyone has working example of building analytics on XQL query?

nsinghvirk — Wed, 15 Jan 2025 15:08:43 GMT

Hello @KanwarSingh01

Thanks for reaching out on LiveCommunity!

You can use correlation rules which will help you analyse correlations of multi-events from multiple sources by using the Cortex Query Language (XQL) based engine for creating scheduled rules. Alerts can then be triggered based on these correlation rules with a defined time frame and set schedule, including every X minutes, once a day, once a week, or a custom time.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Create-a-correlation-rule

Then you can create automation rules to respond with endpoint scripts as per your use case.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Automation-rule-actions?tocId=Nju8rTlaDtpJAGTzhJwIBw

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

topic XQL: Anyone has working example of building analytics on XQL query? in Cortex XDR Discussions

XQL: Anyone has working example of building analytics on XQL query?

Re: XQL: Anyone has working example of building analytics on XQL query?