Cortex Cloud: Getting Started with XQL Filtering.

Created On 03/13/25 01:14 AM - Last Modified 05/02/25 17:30 PM


Objective


The objective of the article is to equip users with the knowledge and skills necessary to effectively utilize the XQL Search feature within the Cortex Cloud console. The article aims to guide users through configuring and customizing their search queries to accurately filter and analyze asset data across various cloud environments, fostering better investigative responses and asset management practices.



Environment


  • Cortex Cloud
  • XQL


Procedure


  1. First we will want to navigate to the Cortex Cloud console and select Investigation & Response -> Query Builder.

  2. Then select XQL Search.

  3. After selecting XQL Search, we should land on a page that looks like the following, where we can begin to type out our search:

  4. The first thing we will need to add to our XQL is what is known as a dataset. The default dataset is called xdr_data and, because it is the default, it will be used if we don't specify any dataset. However, since this article is scoped to Cortex Cloud, we will want to change this dataset to asset_inventory, as seen in the screenshot below.

NOTE: The default dataset can be changed in settings by navigating to Settings → Configurations → Data Management → Dataset Management, right-clicking the appropriate dataset, and selecting Set as default.

  5. Once we have our dataset defined, we can start to filter for the various assets ingested into our Cortex Cloud environment. Let's say we want to filter for Virtual Machines or EC2 instances across all possible cloud providers.
    We can type out the next part with: | filter xdm.asset.type.category = "VM Instance"
    The | character is needed to separate each stage within the XQL query. You will also see from the following screenshot how we figured out which value to add to the filter.

  6. Now that's great and all, but let's say we want to filter for only AWS. We can extend our filter stage with: and xdm.asset.provider = "AWS"
    Again, in the following screenshot we should start to see the trend in how we obtained the desired filter values.

  7. As a final example, we will switch to Azure and look for VM instances that are within a specific Cloud Account, using the Subscription ID.
    We will need to replace AWS with AZURE in the xdm.asset.provider filter. Once that is done, we will need to add an extra filter: and xdm.asset.realm = "SUBSCRIPTION_ID"

  8. In order to get the JSON resource configuration for any of these results, we will need to scroll until we see a column that says XDM.ASSET.RAW.FIELDS.
    Once we find it, we can click Show More, which will bring up the JSON for the resource that was ingested from the CSP.
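Putting the steps together, here is the complete query as it would be typed into XQL Search, followed by a second query that counts VM instances per provider and account. This is an added example and not part of the original article; the fields, limit, comp and sort stages are standard XQL stages that the article does not show and are assumed here, and SUBSCRIPTION_ID is the same placeholder the article uses. Each query is run on its own in XQL Search.

```xql
// Query 1: the article's final filter, Azure VM instances in one subscription.
// Replace SUBSCRIPTION_ID with the subscription you are investigating.
dataset = asset_inventory
| filter xdm.asset.type.category = "VM Instance"
    and xdm.asset.provider = "AZURE"
    and xdm.asset.realm = "SUBSCRIPTION_ID"
| fields xdm.asset.type.category, xdm.asset.provider, xdm.asset.realm
| limit 100

// Query 2 (assumed stages, not from the article): VM instance count per
// provider and realm across every CSP, which makes accounts with unexpected
// or unmanaged instances stand out during an investigation.
dataset = asset_inventory
| filter xdm.asset.type.category = "VM Instance"
| comp count() as vm_count by xdm.asset.provider, xdm.asset.realm
| sort desc vm_count
```

The fields stage in the first query keeps only the columns used in the filter so the result table is easy to read; drop it to see every column, including XDM.ASSET.RAW.FIELDS from step 8.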



Additional Information


You can now take what you've found here to filter for other asset category types such as IAM Policy, Virtual Network, and Storage Bucket.

Please see this documentation for more information on XQL.


