XDR Best Practices: 5 Tips For Better XQL Queries

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L1 Bithead
No ratings



The Cortex Query Language (XQL) is an advanced query language, built on top of BigQuery (GoogleSQL), that enables you to query data ingested into Cortex XDR and XSIAM for rigorous endpoint and network event analysis. By leveraging the full potential of XQL, you can enhance threat hunting, investigation, and other critical security operations. In this blog post, we will provide some key tips and best practices for utilizing XQL more effectively, optimizing query performance, and leveraging its powerful features to streamline your data analysis workflows.


1. Utilize Query Templates and Translations
If you're new to XQL, leverage the query templates for a more hands-on approach. This tool guides you through the query creation process, though it may be slower due to searching through a broader range of data. Additionally, consider using the XQL function that translates Splunk queries, enabling easy migration and adoption of existing queries. Cortex XDR includes a toggle called Translate to XQL in the XQL Search module. When this option is selected, both a SPL query field and XQL query field are displayed, so you can easily add a Splunk query, which is converted to XQL in the XQL query field.


2. Format Your Stages
Unlike common SQL, XQL is written as a flowing process of stages, where each step is separated by a pipe (|). Use this to your advantage and write your query so that each stage takes place on a separate line. This will make it easier to read, which will in turn help you identify stages that you may want or need to change later on.


3. Be Granular With Your Queries
To create queries that are more efficient, you want to ensure they are formatted in a way that will make the system run more effectively, delivering results faster and not cause any delays. Therefore, it's a great practice to limit the amount of data being pulled from the previous stages of your XQL queries. You can do this by utilizing the "fields'' stage at early points in your query to drop unnecessary columns that will only weigh your query down. Additionally, minimize your usage of the resource heavy function dedup or joining datasets that haven't been pared down. Being as granular as possible eliminates the risk of slowing processing speed and acquiring extraneous information that now has to be manually sifted through.


4. Avoid Repetitive Logical Operators
There are times when you may have a list of values that you need to search for or exclude. Rather than a filter stage filled with logical operators like OR and AND, which will make your query clunky, utilize the powerful arraycreate function to create an array of your values. You can then use other functions like arrayfilter and arraylength to iterate through your array and include or exclude results that match your values. This will improve the efficiency of your queries and ensure you’re getting the correct results.

5. Check the Intensity of Your Queries

If any of your queries appear to be running slower than normal, you can head over to the query center and view the simulated compute units of your queries. This will help you understand the complexity of the query, which will affect data usage and resulting speeds. If you find a query is relatively high on compute units and running slow, you may need to simplify it to help it run efficiently and not cause any delays.

If you want more tips and tutorials on how to use XQL, we recommend checking out our Cortex XDR Basic XQL Crash Course. For more advanced XQL users looking to expand their expertise, we recommend viewing our Cortex XDR XQL Use Cases and Applications Crash Course.


Have questions about XQL? Leave a comment or post it on our Discussions forum.


Rate this article:
Community Team Member

Thanks for sharing!

L0 Member

Thanks for great article

I have question about using Windows variables like %userprofile% or %program files%. How can we use this variables on our XQL querys?


Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎07-24-2023 10:02 AM
Updated by: