https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/xsiam-xql-query-help-needed/m-p/1237088#M245 <P>Hi All,</P> <P>So i need some xql query help please..</P> <P>Example : I have 2 datasets in xsiam, one called 'xdr_data', and another called 'ioc', <BR />In my 'ioc' dataset I have a field called 'indicator' with different values ie 4.4.4.4; 1.2.3.4 for example.. these we auto populate when we find iocs ie ips, hashes, url etc etc..</P> <P>My plan is to run a correlation rule in realtime that will scan all incoming data in xdr_data and possibly other datasets, and 'match' it to any of these indicator fields.. and if a match is found to generate an alert.</P> <P>So my question is how would i write the query do to this using multiple datasets and would imagine this would utilize the join statement etc.</P> <P>note this xsiam tenant does not have a TIM license. else would have been easy <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> <P>thanks in advance</P> Tue, 02 Sep 2025 07:55:41 GMT PA_nts 2025-09-02T07:55:41Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/xsiam-xql-query-help-needed/m-p/1237088#M245 <P>Hi All,</P> <P>So i need some xql query help please..</P> <P>Example : I have 2 datasets in xsiam, one called 'xdr_data', and another called 'ioc', <BR />In my 'ioc' dataset I have a field called 'indicator' with different values ie 4.4.4.4; 1.2.3.4 for example.. these we auto populate when we find iocs ie ips, hashes, url etc etc..</P> <P>My plan is to run a correlation rule in realtime that will scan all incoming data in xdr_data and possibly other datasets, and 'match' it to any of these indicator fields.. and if a match is found to generate an alert.</P> <P>So my question is how would i write the query do to this using multiple datasets and would imagine this would utilize the join statement etc.</P> <P>note this xsiam tenant does not have a TIM license. else would have been easy <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> <P>thanks in advance</P> Tue, 02 Sep 2025 07:55:41 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/xsiam-xql-query-help-needed/m-p/1237088#M245 PA_nts 2025-09-02T07:55:41Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/xsiam-xql-query-help-needed/m-p/1237270#M246 <P>ok so update on this..&nbsp;</P> <P>xql query below seems to work.. needs more work but as a start it will check any values in field 'indicator' on dataset 'IOC' and if a match is found in dataset 'xdr_data' would output, then can use a scheduled correlation rule to look for indicators and generate alerts etc</P> <P>&nbsp;</P> <P>dataset = xdr_data<BR />| filter dest_ip in (dataset = ioc | fields indicator)<BR />| dedup dest_ip, source_ip<BR />| fields _time, source_ip, dest_ip, app, action</P> <P>&nbsp;</P> <P>if ever you build on this.. please add in this chat your additions if you can.</P> <P>appreciated</P> Thu, 04 Sep 2025 06:39:23 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/xsiam-xql-query-help-needed/m-p/1237270#M246 PA_nts 2025-09-04T06:39:23Z