Cortex Cloud: Getting Started with XQL Filtering.

Created On 03/13/25 01:14 AM - Last Modified 04/27/26 05:38 AM


Objective


The objective of the article is to equip users with the knowledge and skills necessary to effectively utilize the XQL Search feature within the Cortex Cloud console. The article aims to guide users through configuring and customizing their search queries to accurately filter and analyze asset data across various cloud environments, fostering better investigative responses and asset management practices.



Environment


  • Cortex Cloud
  • XQL


Procedure


  1. Navigate to the Cortex Cloud console and select Investigation & Response -> Query Builder.

  2. Select XQL Search.

  3. After selecting XQL Search, you should see a page that looks like the following, where you can begin to type out your search:

  4. Add to your XQL query what is known as a dataset. The default dataset is called xdr_data and, because it is the default, it will be used if no dataset is specified. However, since this article is scoped for Cortex Cloud, we will want to change this dataset to asset_inventory, as seen in the screenshot below.

NOTE: The default dataset can be changed in settings by navigating to Settings → Configurations → Data Management → Dataset Management, right-clicking on the appropriate dataset, and selecting Set as default.

  5. Once your dataset is defined, you can start to filter for the various assets ingested into your Cortex Cloud environment, for example, to filter for Virtual Machines or EC2 instances across all cloud providers.
    We can type out the next part with: | filter xdm.asset.type.category = "VM Instance"
    The | character is needed to separate each stage within the XQL query. The following screenshot also shows how to determine the value that needs to be added to the filter.

  6. If you want to filter specifically for AWS related results, you can extend your filter stage to include: `and xdm.asset.provider = "AWS"`
    In the following screenshot you should start to see the trend in how to obtain the desired filter values.

  7. As a final example we will switch to Azure and look for VM instances within a specific Cloud Account using the Subscription ID.
    We will need to replace AWS with AZURE in the xdm.asset.provider filter. Once that is done we will need to add an extra filter: and xdm.asset.realm = "SUBSCRIPTION_ID"

  8. In order to get the .json resource config for any of these results, you will need to scroll until you see a column that says XDM.ASSET.RAW.FIELDS.
    Once you find that value, you can click on 'Show More', which will bring up the .json for the resource that was ingested from the CSP.
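The queries assembled from steps 4 through 7 above, written out in full so they can be pasted into XQL Search one at a time (XQL Search runs a single query per execution). This is an added example and not part of the original article; SUBSCRIPTION_ID is a placeholder, and the field names xdm.asset.name and xdm.asset.raw_fields in the fields stage are assumed to be the query-side names of the columns shown in the UI (the article only shows XDM.ASSET.RAW.FIELDS as a column header). The last query goes a step beyond the article and counts assets per category, which is a quick way to see which of the other categories mentioned under Additional Information are present in your tenant.

```xql
// Added example, not from the original article. Each "dataset = ..." block
// below is a separate query; run them one at a time in XQL Search.

// Step 5: VM instances across every cloud provider.
// The dataset is named explicitly so the default (xdr_data) is never used by accident.
dataset = asset_inventory
| filter xdm.asset.type.category = "VM Instance"

// Step 6: narrow the same filter stage to AWS (EC2 instances).
dataset = asset_inventory
| filter xdm.asset.type.category = "VM Instance" and xdm.asset.provider = "AWS"

// Step 7: Azure VMs inside one subscription.
// SUBSCRIPTION_ID is a placeholder; replace it with the subscription under review.
dataset = asset_inventory
| filter xdm.asset.type.category = "VM Instance"
    and xdm.asset.provider = "AZURE"
    and xdm.asset.realm = "SUBSCRIPTION_ID"
// Assumed field names (xdm.asset.name, xdm.asset.raw_fields): keep only the
// columns needed for review, including the raw CSP resource config from step 8.
| fields xdm.asset.name, xdm.asset.provider, xdm.asset.realm, xdm.asset.raw_fields
| limit 100

// Additional Information: how many assets exist per category, so you can see
// which other categories (IAM Policy, Virtual Network, Storage Bucket, ...) to filter on next.
dataset = asset_inventory
| comp count(xdm.asset.type.category) as asset_count by xdm.asset.type.category
```

When a filter returns nothing, check the exact spelling and case of the value first: the provider and category values are string literals compared as-is, so "Azure" will not match a provider stored as "AZURE". The category-count query is the quickest way to list the literal values the dataset actually contains.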



Additional Information


You can now take what you've found here to filter for other asset category types such as: IAM Policy, Virtual Network, and Storage Bucket.

Please see this documentation for more information on XQL.


