
Cortex XDR

Cori Smith edited this page Jul 11, 2023 · 2 revisions

Nuances and common questions when using Cortex XDR

How are queries built?

Surveyor builds queries to fit the format:

```
<INSERT_YOUR_QUERY_PARAMETERS>
| <INSERT_FILTERS>
| fields agent_hostname, action_process_image_path, action_process_username, action_process_image_command_line, actor_process_image_path, actor_primary_username, actor_process_command_line, event_id
```

So when using the --query parameter or the query field in a definition file, you need to format your query to fill in the <INSERT_YOUR_QUERY_PARAMETERS> section.

That is followed by the <INSERT_FILTERS> section, which is populated only if you use the --hostname or --username filter parameters.

Time filters are not included in the query body but in the headers for the API calls.
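The assembly described above, written out as an added Python example (this is illustrative code, not Surveyor's own implementation): the user's query goes first, the filter section is emitted only when hostnames or usernames are supplied, and the fixed fields list from the template closes the query. The exact XQL filter syntax Surveyor emits is not shown on this page, so the `| filter ... in (...)` clauses and the backslash-escaping of string literals are assumptions; the escaping is there so that a hostname or username containing a double quote cannot break out of the literal and alter the query.

```python
# Fields list copied from the query template on this page.
FIELDS = [
    "agent_hostname",
    "action_process_image_path",
    "action_process_username",
    "action_process_image_command_line",
    "actor_process_image_path",
    "actor_primary_username",
    "actor_process_command_line",
    "event_id",
]


def xql_string(value: str) -> str:
    """Render a Python string as a double-quoted XQL literal.

    Assumption: XQL string literals use backslash escapes. Escaping
    backslashes and double quotes keeps untrusted input (e.g. a hostname
    taken from a CSV) from terminating the literal early.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_filters(hostnames=None, usernames=None) -> list[str]:
    """Build the <INSERT_FILTERS> section; empty when no filters are given.

    Assumption: filtering by hostname uses agent_hostname and filtering by
    username uses action_process_username, both with an `in (...)` list.
    """
    clauses = []
    if hostnames:
        values = ", ".join(xql_string(h) for h in hostnames)
        clauses.append(f"| filter agent_hostname in ({values})")
    if usernames:
        values = ", ".join(xql_string(u) for u in usernames)
        clauses.append(f"| filter action_process_username in ({values})")
    return clauses


def build_query(user_query: str, hostnames=None, usernames=None) -> str:
    """Assemble the full XQL query in the template order:
    user query parameters, optional filters, then the fixed fields list.
    Time filters are deliberately absent: per the page they travel in the
    API call headers, not in the query body.
    """
    parts = [user_query.strip()]
    parts.extend(build_filters(hostnames, usernames))
    parts.append("| fields " + ", ".join(FIELDS))
    return "\n".join(parts)


if __name__ == "__main__":
    # Constructed sample: a user query (as given via --query) plus a
    # --hostname filter.
    print(build_query('dataset = xdr_data | filter event_type = ENUM.PROCESS',
                      hostnames=["host01", "host02"]))
```

Without filters the output is the user's query followed directly by the fields line; with filters, one `| filter` line per supplied filter type sits between the two.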

Is there a rate limit?

Yes, Cortex XDR has a query quota that limits how many queries, and how complex, you can run in a given timespan. Details on how that quota is calculated and how to check your usage can be found here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/XQL-Query-APIs
