AI Integration for Palo Alto Cortex XQL Automation

Automate the generation and execution of Cortex XDR Query Language (XQL) queries using AI. Translate natural language analyst requests into precise XQL, automate hunting workflows, and reduce manual query writing time from hours to minutes.

ARCHITECTURE AND IMPLEMENTATION

Where AI Fits into Cortex XQL Workflows

Integrating AI with Palo Alto Networks Cortex XDR Query Language (XQL) transforms how security teams investigate threats, moving from manual query writing to automated, context-aware analysis.

AI integration for Cortex XQL automation typically connects at two primary surfaces: the investigation console and the orchestration layer. For the analyst console, a natural language interface allows SOC personnel to describe a hunt hypothesis (e.g., "find machines that communicated with this malicious domain and then spawned suspicious child processes") and receive a validated, executable XQL query. This query can be run directly in the Cortex XDR platform or via its APIs. At the orchestration layer, AI can be triggered by external alerts from tools like email security gateways or identity providers. It automatically generates and executes targeted XQL queries against the Cortex Data Lake to gather endpoint and network telemetry, enriching the initial alert with concrete evidence from your environment.

The implementation centers on a middleware service that handles the translation logic. This service uses a large language model (LLM) fine-tuned on XQL syntax, your organization's data schema (e.g., custom process or network fields), and security logic. It calls the Cortex XDR Public API's xql_query_api to execute the generated queries. Results are post-processed by the AI to summarize findings, highlight outliers, and even suggest next investigative steps—such as recommending a related query to check for persistence mechanisms. This workflow turns hours of manual data exploration into minutes of guided investigation, significantly reducing mean time to detect (MTTD) and mean time to respond (MTTR) for complex incidents.

Rollout requires careful governance. Queries should be executed in a read-only mode initially, with results reviewed by an analyst before any containment actions are taken via Cortex XSOAR. Implement approval workflows for queries that scan large data sets or during peak business hours to manage platform load. Furthermore, maintain an audit log of all AI-generated queries, their results, and the analyst who approved them to ensure accountability and provide feedback for model tuning. This controlled approach allows security teams to scale their threat hunting and case enrichment capabilities without introducing operational risk or overwhelming the SIEM with poorly constructed searches.

CORTEX XQL AUTOMATION

Key Integration Surfaces in the Palo Alto Stack

Automating Query Creation from Natural Language

The primary integration point is the Cortex XDR API endpoint for XQL queries. AI can be used to translate analyst intent—like "show me all processes that spawned from a suspicious PowerShell script on finance servers in the last 48 hours"—into valid, optimized XQL. This involves:

  • Parsing Intent: Using an LLM to extract key entities (endpoint filters, time windows, event types, IOC conditions).
  • Schema Mapping: Mapping those entities to the correct fields in the Cortex Data Lake schema (e.g., actor_process_image_path, event_type, _vendor).
  • Query Assembly: Constructing the XQL string with proper syntax for dataset, filter, and aggregation clauses.

This surface connects to the /public_api/v1/xql/start_xql_query/ API. The AI acts as a co-pilot, reducing the time from question to executed hunt from minutes to seconds.
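
The three steps above (intent parsing, schema mapping, query assembly) are easiest to keep safe when the LLM only produces a structured intent and deterministic code turns that into XQL. The following is an added example, not Inferensys or Palo Alto Networks code: a minimal assembler that checks every dataset, field and operator against an allowlist before any text is concatenated, quotes string literals, and bounds the time window. The field names are a constructed subset of the `xdr_data` schema and the relative-time clause follows the convention used on this page; verify both against your tenant's schema browser.

```python
# Added example (not from the original page): schema-checked XQL assembly from a
# structured intent. Field set is a constructed subset of xdr_data; adjust to
# your own Cortex Data Lake schema.
import re
from dataclasses import dataclass, field

SCHEMA = {
    "xdr_data": {
        "event_type", "agent_hostname", "actor_process_image_name",
        "actor_process_image_path", "actor_process_command_line",
        "action_remote_ip", "action_remote_port", "_time",
    },
}
ALLOWED_OPS = {"=", "!=", "contains", "in"}
MAX_WINDOW_HOURS = 24 * 30          # constructed policy cap on hunt look-back


class IntentError(ValueError):
    """Raised when a parsed intent references anything outside the allowlist."""


@dataclass
class Intent:
    dataset: str
    filters: list            # (field, operator, value) triples
    window_hours: int
    fields: list = field(default_factory=list)


def _literal(value):
    """Render a Python value as a quoted/escaped XQL literal."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, (list, tuple)):
        return "(" + ", ".join(_literal(v) for v in value) + ")"
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def assemble_xql(intent: Intent) -> str:
    """Build an XQL query string, refusing anything not in SCHEMA/ALLOWED_OPS."""
    cols = SCHEMA.get(intent.dataset)
    if cols is None:
        raise IntentError(f"dataset not allowlisted: {intent.dataset}")
    if not 0 < intent.window_hours <= MAX_WINDOW_HOURS:
        raise IntentError(f"time window out of policy: {intent.window_hours}h")
    if not intent.filters:
        raise IntentError("refusing to build an unfiltered query")

    clauses = []
    for fld, op, value in intent.filters:
        if fld not in cols:
            raise IntentError(f"unknown field for {intent.dataset}: {fld}")
        if op not in ALLOWED_OPS:
            raise IntentError(f"operator not allowed: {op}")
        if op == "in" and not isinstance(value, (list, tuple)):
            raise IntentError("'in' requires a list value")
        if fld == "event_type":
            # Event types are bare enum identifiers in XQL (PROCESS, NETWORK, ...)
            if not re.fullmatch(r"[A-Z_]+", str(value)):
                raise IntentError(f"bad event_type value: {value!r}")
            rendered = str(value)
        else:
            rendered = _literal(value)
        clauses.append(f"{fld} {op} {rendered}")

    for fld in intent.fields:
        if fld not in cols:
            raise IntentError(f"unknown output field: {fld}")

    stages = [
        f"dataset = {intent.dataset}",
        "filter " + " and ".join(clauses),
        f"filter _time >= now() - {intent.window_hours}h",   # page's relative-time style
    ]
    if intent.fields:
        stages.append("fields " + ", ".join(intent.fields))
    return "\n| ".join(stages)


if __name__ == "__main__":
    # Constructed intent corresponding to "endpoints that talked to 185.220.101.34 in 48h"
    demo = Intent("xdr_data",
                  [("event_type", "=", "NETWORK"), ("action_remote_ip", "=", "185.220.101.34")],
                  48, ["agent_hostname", "action_remote_ip", "_time"])
    print(assemble_xql(demo))
```

Because the LLM never emits raw XQL in this design, a hallucinated field name surfaces as an `IntentError` on the middleware side instead of a failed or over-broad query on the Cortex side.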

AUTOMATE THREAT HUNTING AND INVESTIGATION

High-Value Use Cases for AI-Powered XQL

Integrating AI with Palo Alto Cortex XDR Query Language (XQL) transforms how security teams generate, execute, and operationalize queries. Move from manual, ad-hoc hunting to automated, context-aware investigation workflows that scale analyst capacity.

01. Natural Language to XQL Query Generation

Analysts describe a hunt hypothesis in plain English (e.g., 'find users who logged in after hours from a new country and then accessed sensitive servers'). An AI agent converts this into a valid, optimized XQL query, executes it against Cortex Data Lake, and returns the results. This reduces the barrier to advanced hunting and lets junior analysts contribute immediately.

Hours -> Minutes
Query development time

02. Automated IOC Expansion & Hunting

When a new IOC (IP, hash, domain) is ingested from a threat feed, an AI workflow automatically generates and runs a suite of XQL queries to hunt for related activity across endpoints, network traffic, and cloud logs. It looks for related artifacts, execution chains, and lateral movement, creating a pre-populated investigation case in Cortex XDR if matches are found.

Batch -> Real-time
IOC operationalization

03. Dynamic Query Tuning for Alert Enrichment

Enhance Cortex XDR alerts by triggering contextual XQL queries. For a 'malicious process' alert, an AI agent automatically runs queries to pull the parent process tree, network connections established, and files touched in the minutes before and after the detection. This enriched evidence is appended to the alert, giving analysts a complete story on first view.

Same day
Context for triage

04. Proactive Threat Hunting Campaigns

Automate the execution of entire hunting campaigns based on MITRE ATT&CK techniques. An AI orchestrator selects relevant XQL query templates for techniques like 'Credential Dumping' or 'Lateral Tool Transfer', customizes them with environment-specific parameters (e.g., internal subnet ranges), schedules execution, and summarizes findings into a daily hunt report for analyst review.

1 sprint
Campaign coverage

05. Incident Response Evidence Collection

During an active incident, responders need data fast. An AI co-pilot accepts natural language requests like 'get all process creation events for host XYZ-123 for the last 7 days' and generates the precise XQL, handles pagination, and formats the results into a timeline or CSV for further analysis. This accelerates evidence gathering for containment and eradication steps.

Hours -> Minutes
Evidence assembly

06. Compliance & Audit Data Extraction

Automate the periodic data pulls required for compliance audits (e.g., 'show all admin logins to financial systems'). AI workflows translate control requirements into XQL queries, execute them over the required time period, anonymize or redact sensitive fields, and compile the results into an auditor-ready format, ensuring consistent, repeatable evidence collection.

Batch -> Scheduled
Report generation

PRACTICAL IMPLEMENTATION PATTERNS

Example AI-XQL Automation Workflows

These workflows illustrate how AI agents can generate, validate, and execute Cortex XDR Query Language (XQL) queries based on natural language requests or automated triggers, reducing the time from investigation hypothesis to actionable data.

Trigger: An analyst types a request into a chat interface (e.g., Slack, Teams) or a dedicated SOC copilot tool: "Show me all endpoints in the Finance OU that communicated with this suspicious IP 185.220.101.34 in the last 48 hours."

Workflow:

  1. Intent Parsing: An AI agent parses the natural language request, identifying key entities:
    • Target: endpoints
    • Filter 1: Finance OU (requires mapping to an AD group or tag)
    • Filter 2: IP 185.220.101.34
    • Filter 3: Time range: last 48 hours
    • Action: communicated with (implies network connection data)
  2. Context Enrichment: The agent may call internal APIs to resolve "Finance OU" to a specific group ID or list of hostnames.
  3. Query Generation: The agent constructs a valid XQL query using the identified parameters, targeting the network dataset.

    ```xql
    dataset = network
    | filter dst_ip = "185.220.101.34" or src_ip = "185.220.101.34"
    | filter actor_process_image_path contains "finance" or endpoint_hostname contains "fin" // Example mapping
    | filter _time >= now() - 48h
    | fields _time, endpoint_hostname, src_ip, dst_ip, dst_port, actor_process_command_line
    ```

  4. Validation & Execution: The agent submits the query to the Cortex XDR API (/public_api/v1/xql/start_xql_query), monitors the job, and streams results back to the analyst.
  5. Human Review Point: The analyst reviews the returned data set. They can ask follow-up questions ("Now show me processes spawned on those hosts") to iteratively refine the hunt.

FROM NATURAL LANGUAGE TO EXECUTED QUERY

Implementation Architecture & Data Flow

A practical blueprint for connecting AI to Palo Alto Networks Cortex XDR, enabling analysts to generate and execute XQL queries using natural language.

The integration connects at the Cortex XDR API layer, specifically the /public_api/v1/xql/start_xql_query and results retrieval endpoints. The core workflow is triggered when an analyst submits a natural language request (e.g., "show me all processes named powershell.exe that spawned from office.exe in the last 24 hours") via a chat interface, Slack command, or within a Cortex XSOAR playbook. An AI agent, powered by a model like GPT-4, interprets this intent, maps key entities (process names, parent-child relationships, timeframes) to the XQL data model, and constructs a syntactically valid XQL query. This query is then validated against a library of allowed data sources (xdr_data) and fields to prevent overly broad or resource-intensive searches before execution.

Once the XQL query is executed, the AI layer doesn't stop. The system streams the results back, where a secondary AI process can summarize findings, highlight outliers, or suggest next investigative steps. For example, if the query returns hundreds of results, the AI can cluster them by endpoint, flag the ones with rare command-line arguments, and propose a follow-up XQL query to examine network connections from those specific processes. This creates a conversational investigation loop directly within the analyst's workflow. The architecture is designed to be stateless and queue-driven, ensuring high-volume periods don't impact the Cortex XDR API's performance, with all generated queries, results summaries, and user interactions logged to an audit trail for compliance and model tuning.

Rollout and governance are critical. We recommend a phased approach: start in a read-only, supervised mode where AI-generated queries are presented to an analyst for review and manual execution within the Cortex XDR Investigate interface. This builds trust and provides a feedback loop for prompt engineering. As confidence grows, move to a policy-enforced automation tier where pre-approved query patterns (e.g., hunting for specific MITRE ATT&CK techniques) can be executed autonomously, with results posted to a designated XDR incident or XSOAR case. Governance revolves around strict RBAC (tying AI query generation to analyst permissions), query cost/timeout limits, and a regular review of the audit log to refine the AI's understanding of your environment's unique data schema and hunting priorities.
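
The execution half of the architecture above (submit to the start endpoint, poll the results endpoint, hand rows back to the summarization step) can be written as a small, transport-agnostic job runner. The code below is an added example, not Inferensys or Palo Alto Networks code. The endpoint paths, the `x-xdr-auth-id`/`Authorization` header pair, and the `request_data` / `reply.status` / `reply.results.data` shapes follow the Cortex XDR Public API as I understand it, but treat them as assumptions to verify against your tenant's API reference. The HTTP transport is injected so the polling loop can be exercised offline against the constructed fake at the bottom.

```python
# Added example (not from the original page): start an XQL job and poll for its
# results. API paths/field names are assumptions drawn from the public API docs;
# FakeCortex is a constructed stand-in so the loop runs without a tenant.
import json
import time
import urllib.request
from typing import Callable

START_PATH = "/public_api/v1/xql/start_xql_query/"
RESULTS_PATH = "/public_api/v1/xql/get_query_results/"
Transport = Callable[[str, dict], dict]      # (path, json body) -> parsed json reply


def make_http_post(base_url: str, api_key_id: str, api_key: str) -> Transport:
    """Real transport (standard library only) for a standard-key API credential."""
    headers = {"x-xdr-auth-id": api_key_id, "Authorization": api_key,
               "Content-Type": "application/json"}

    def post(path: str, body: dict) -> dict:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def start_query_body(query: str, relative_hours: int, tenants=None) -> dict:
    # timeframe.relativeTime is in milliseconds; supplying it here means the
    # query text itself needs no _time clause and cannot silently drop it.
    body = {"request_data": {"query": query,
                             "timeframe": {"relativeTime": relative_hours * 3600 * 1000}}}
    if tenants:
        body["request_data"]["tenants"] = list(tenants)
    return body


def run_query(post: Transport, query: str, relative_hours: int,
              max_rows: int = 1000, poll_seconds: float = 0.0,
              max_polls: int = 60) -> list:
    """Submit, poll until SUCCESS/FAIL, return result rows (bounded by max_rows)."""
    query_id = post(START_PATH, start_query_body(query, relative_hours))["reply"]
    for _ in range(max_polls):
        reply = post(RESULTS_PATH, {"request_data": {
            "query_id": query_id,
            "pending_flag": True,        # ask the API to answer at once rather than block
            "limit": max_rows,           # result-size cap enforced server-side
            "format": "json"}})["reply"]
        status = reply["status"]
        if status == "SUCCESS":
            return reply["results"]["data"]
        if status == "FAIL":
            raise RuntimeError(f"query {query_id} failed: {reply}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"query {query_id} still pending after {max_polls} polls")


class FakeCortex:
    """Constructed fake transport: reports PENDING twice, then two rows."""
    def __init__(self):
        self.result_calls = 0
        self.submitted = None

    def __call__(self, path: str, body: dict) -> dict:
        if path == START_PATH:
            self.submitted = body
            return {"reply": "q-constructed-1"}
        self.result_calls += 1
        if self.result_calls < 3:
            return {"reply": {"status": "PENDING"}}
        return {"reply": {"status": "SUCCESS", "number_of_results": 2, "results": {"data": [
            {"agent_hostname": "FIN-WS-07", "action_remote_ip": "185.220.101.34"},
            {"agent_hostname": "FIN-WS-12", "action_remote_ip": "185.220.101.34"},
        ]}}}


if __name__ == "__main__":
    fake = FakeCortex()
    rows = run_query(fake, 'dataset = xdr_data | filter action_remote_ip = "185.220.101.34"', 48)
    print(json.dumps(rows, indent=2))
```

Keeping the transport separate from the job logic is also what makes the "stateless and queue-driven" property cheap to get: a worker pulls a validated query off the queue, calls `run_query`, and writes the rows plus the `query_id` to the audit trail, with no per-analyst state held in the process.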

XQL AUTOMATION PATTERNS

Code & Payload Examples

Translating Analyst Intent into Queries

This pattern uses an LLM to convert a free-text analyst request into a valid XQL query, ready for execution in Cortex XDR. The system must understand the Cortex Data Lake schema, common security event types, and XQL syntax.

Key Steps:

  1. Accept a natural language prompt (e.g., "Find all endpoints in the Finance OU that communicated with this suspicious IP last Tuesday").
  2. Use a structured prompt to guide the LLM to output only a valid XQL query.
  3. Validate the generated query's basic syntax and high-risk commands before execution.
  4. Execute the query via the Cortex XDR API and return results.
```python
# Example: Generating an XQL query from natural language
from openai import OpenAI            # openai>=1.0 client; the legacy openai.ChatCompletion API was removed
from cortex import CortexApiClient   # placeholder wrapper around the Cortex XDR Public API, not a published package

llm = OpenAI()                       # reads OPENAI_API_KEY from the environment
cortex_client = CortexApiClient(api_key='YOUR_KEY')

analyst_request = "Show me processes named 'powershell.exe' that made network connections in the last 24 hours."

prompt = f"""
You are a Cortex XQL expert. Convert the following analyst request into a valid XQL query.
Only return the XQL query, nothing else.

Request: {analyst_request}

Schema Hint: Use the `process` and `network` datasets. The `process` dataset has fields like `actor_process_image_name`. The `network` dataset has `dst_ip`.

XQL:
"""

response = llm.chat.completions.create(
    model="gpt-4",
    messages=[{"role": "user", "content": prompt}],
    temperature=0,                   # deterministic output is easier to review, diff, and cache
)

generated_xql = response.choices[0].message.content.strip()
# generated_xql might be: `dataset = xdr_data | filter event_type = PROCESS and action_process_image_name = "powershell.exe" | fields agent_hostname, actor_process_command_line | join (dataset = xdr_data | filter event_type = NETWORK) on agent_id`

# Execute the generated query. In production, step 3 (syntax and high-risk
# command validation) sits between generation and this call.
query_id = cortex_client.start_xql_query(generated_xql, timeframe='last_24_hours')
results = cortex_client.get_xql_results(query_id)
```

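
Step 3 of the key steps, validating the generated query before it reaches the API, is the part the snippet above leaves out, and it is where most of the operational risk described later on this page (overly broad scans, missing timeframes, platform load) is controlled. The following is an added example, not Inferensys or Palo Alto Networks code: a guardrail that splits free-text XQL into pipe stages (respecting quotes and the parentheses of a `join` subquery), requires an allowlisted dataset, permits only a read-only set of stage names, refuses a query that has neither a `_time` bound nor an API-supplied timeframe, flags heavy stages during business hours for approval, and caps or appends a `limit`. The stage names and caps are constructed policy values; extend them to match your tenant.

```python
# Added example (not from the original page): pre-execution guardrail for
# LLM-generated XQL. Stage and dataset allowlists are constructed examples.
import re
from dataclasses import dataclass, field

ALLOWED_DATASETS = {"xdr_data", "dns_data"}
READ_ONLY_STAGES = {"filter", "fields", "alter", "dedup", "comp", "sort",
                    "limit", "join", "config", "arrayexpand"}
HEAVY_STAGES = {"join", "comp"}          # require approval during business hours
MAX_LIMIT = 5000                         # constructed result-size cap
TIME_BOUND = re.compile(r"\b_time\s*(>=|>|<=|<)")
DATASET_RE = re.compile(r"^dataset\s*=\s*([A-Za-z0-9_]+)$")


@dataclass
class Verdict:
    allowed: bool
    query: str                           # normalized, possibly with a limit appended
    reasons: list = field(default_factory=list)
    needs_approval: bool = False


def _split_stages(query: str) -> list:
    """Split on '|' only outside double quotes and outside parentheses."""
    stages, buf, in_str, depth = [], [], False, 0
    for ch in query:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")":
            depth -= 1
        if ch == "|" and not in_str and depth == 0:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def validate_xql(query: str, timeframe_supplied: bool = False,
                 business_hours: bool = False) -> Verdict:
    v = Verdict(allowed=True, query=" ".join(query.split()))
    stages = _split_stages(v.query)
    m = DATASET_RE.match(stages[0]) if stages else None
    if not m or m.group(1) not in ALLOWED_DATASETS:
        v.allowed = False
        v.reasons.append("query must start with an allowlisted dataset")
        return v

    has_limit = False
    for stage in stages[1:]:
        name = stage.split(None, 1)[0].lower()
        if name not in READ_ONLY_STAGES:
            v.allowed = False
            v.reasons.append(f"stage not permitted: {name}")
        if name in HEAVY_STAGES and business_hours:
            v.needs_approval = True
            v.reasons.append(f"heavy stage '{name}' during business hours")
        if name == "limit":
            has_limit = True
            try:
                n = int(stage.split()[1])
            except (IndexError, ValueError):
                n = MAX_LIMIT + 1
            if n > MAX_LIMIT:
                v.allowed = False
                v.reasons.append(f"limit {n} exceeds cap {MAX_LIMIT}")

    if not timeframe_supplied and not TIME_BOUND.search(v.query):
        v.allowed = False
        v.reasons.append("no time bound on _time and no API timeframe supplied")

    if v.allowed and not has_limit:
        v.query += f" | limit {MAX_LIMIT}"
        v.reasons.append(f"appended limit {MAX_LIMIT}")
    return v


if __name__ == "__main__":
    sample = ('dataset = xdr_data | filter event_type = PROCESS and '
              'action_process_image_name = "powershell.exe" | fields agent_hostname')
    print(validate_xql(sample, timeframe_supplied=True))
    print(validate_xql(sample))      # rejected: no time bound anywhere
```

The verdict's `reasons` list is what gets written to the audit trail and shown to the analyst, so a rejection is explainable rather than a silent failure of the copilot.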
AI-ASSISTED XQL WORKFLOWS

Realistic Time Savings & Operational Impact

How integrating AI with Palo Alto Cortex XDR Query Language (XQL) transforms analyst-driven investigation and automation tasks from manual, time-consuming processes into guided, rapid-execution workflows.

| Metric | Before AI | After AI | Notes |
| --- | --- | --- | --- |
| XQL Query Drafting | Manual SPL translation, syntax debugging | Natural language to validated XQL generation | Analyst describes intent; AI drafts query with proper fields, time ranges, and joins. |
| Ad-hoc Threat Hunting | Hours to construct and iterate complex queries | Minutes to generate and refine hypothesis-driven queries | AI suggests related entities and attack patterns to expand hunt scope. |
| Automated Playbook Trigger | Static, rule-based query execution | Dynamic query generation from alert context | AI crafts context-specific XQL to gather evidence post-alert, feeding into SOAR. |
| Data Lake Exploration | Trial-and-error to find relevant datasets/fields | Guided schema discovery and query suggestions | AI analyzes data model to recommend optimal tables and fields for the investigation goal. |
| Query Optimization & Tuning | Manual review of execution time, result volume | AI-assisted performance analysis and restructuring | AI suggests indexing strategies, time-range adjustments, and efficient filtering to reduce load. |
| Cross-Platform Correlation | Manual query translation for Splunk/Sentinel | Semi-automated query translation between SIEM languages | AI assists in converting XQL logic to KQL/SPL for data fusion across a multi-vendor SOC. |
| Investigation Documentation | Manual note-taking on query logic and findings | Auto-generated query rationale and result summaries | AI creates audit trail explaining why a query was run and what the results indicate. |

ARCHITECTING CONTROLLED AI AUTOMATION FOR SECURITY OPERATIONS

Governance, Security, and Phased Rollout

Integrating AI with Palo Alto Networks Cortex XQL requires a deliberate approach to access control, query validation, and incremental deployment to maintain security posture and operational trust.

Production AI integrations must operate within the principle of least privilege. This means creating dedicated service accounts for the AI system with scoped API permissions to the Cortex Data Lake, limiting access to specific data sets and read-only operations where possible. All generated XQL queries should be executed within a sandboxed environment or via a secure proxy that enforces query timeouts, result size limits, and scans for potentially destructive operations before passing them to the live data lake. Every query generation, execution, and result set must be logged to a separate, immutable audit trail, linking the AI's action to a specific analyst request or automated trigger for full accountability.

A phased rollout is critical for building confidence and refining the system. Start with a read-only pilot focused on non-critical, investigative workflows. For example, allow a small group of Tier 2 analysts to use natural language to generate hunting queries against historical data, with a mandatory human review and approval step before any query is executed. In Phase 2, introduce automated, low-risk generation for repetitive tasks, such as creating standardized XQL queries for weekly compliance reports based on a template. The final phase moves to conditional automation for high-fidelity alerts, where the system can automatically generate and execute a containment verification query (e.g., dataset = xdr_data | filter event_type = PROCESS and action = RUN and actor_process_image_path contains "powershell.exe") when a high-severity Cortex XDR alert fires, but still requires analyst approval for any resulting response action.

Governance is maintained through continuous evaluation and a human-in-the-loop escalation layer. Implement a feedback loop where analysts can rate the usefulness and accuracy of AI-generated queries. This data trains a secondary model to flag low-confidence generations for review. Furthermore, establish clear escalation protocols that define when the AI system must halt automation and page a human—such as when querying sensitive data categories (e.g., HR records), generating unusually complex or resource-intensive queries, or operating during a declared security incident. This layered approach ensures the AI augments the SOC without introducing ungoverned risk or bypassing critical security controls inherent to the Cortex platform itself.
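
Two of the governance controls above, the immutable audit trail and the halt/review/auto escalation decision, are small enough to show concretely. The code below is an added example, not Inferensys or Palo Alto Networks code. It implements an append-only trail in which every record carries the SHA-256 of the previous record, so editing or deleting an earlier entry breaks verification, and a tier decision that halts automation during a declared incident or when a sensitive dataset is touched, routes unapproved patterns, joins, or long look-backs to analyst review, and allows only pre-approved, bounded queries to run unattended. The dataset names and thresholds are constructed policy values.

```python
# Added example (not from the original page): hash-chained audit trail plus an
# escalation-tier decision. Sensitive dataset names and caps are constructed.
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Optional

SENSITIVE_DATASETS = {"hr_records", "payroll_data"}   # constructed examples
MAX_AUTO_JOINS = 0                                     # any join -> human review
MAX_AUTO_WINDOW_HOURS = 24 * 7


@dataclass
class QueryMeta:
    datasets: list
    join_count: int
    window_hours: int
    pattern_approved: bool          # matches a pre-approved hunting template
    analyst_id: Optional[str]       # None for automated (alert-driven) triggers


def decide_tier(meta: QueryMeta, incident_declared: bool) -> str:
    """Return 'halt' (page a human), 'review' (analyst approval) or 'auto'."""
    if incident_declared or set(meta.datasets) & SENSITIVE_DATASETS:
        return "halt"
    if (not meta.pattern_approved
            or meta.join_count > MAX_AUTO_JOINS
            or meta.window_hours > MAX_AUTO_WINDOW_HOURS):
        return "review"
    return "auto"


class AuditTrail:
    """Append-only log; each entry commits to the hash of the one before it."""
    GENESIS = "0" * 64

    def __init__(self, path: Optional[str] = None):
        self.entries = []
        self.path = path                # optional JSONL file, written append-only

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def append(self, **event) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "ts": time.time(), "prev_hash": prev, **event}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        if self.path:
            with open(self.path, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(entry, sort_keys=True, default=str) + "\n")
        return entry["entry_hash"]

    def verify(self) -> bool:
        """True only if every entry's hash and back-link are intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    meta = QueryMeta(["xdr_data"], 0, 48, True, "analyst-7")
    trail = AuditTrail()
    trail.append(kind="generated", analyst=meta.analyst_id,
                 query="dataset = xdr_data | filter _time >= now() - 48h",
                 tier=decide_tier(meta, incident_declared=False))
    trail.append(kind="executed", query_id="q-constructed-1", rows=2)
    print("chain intact:", trail.verify())
```

Shipping the JSONL file to a write-once store (or periodically anchoring the latest `entry_hash` somewhere the AI service cannot write) is what turns "hash-chained" into "immutable" in practice; the chain itself only makes tampering detectable.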

AI INTEGRATION FOR CORTEX XQL

Frequently Asked Questions (FAQ)

Practical questions about implementing AI to generate, optimize, and execute Cortex XDR Query Language (XQL) queries, automating threat hunting and investigation workflows.

The workflow converts an analyst's plain-text question into a validated, executable XQL query.

  1. Trigger: An analyst types a request into a chat interface (e.g., Slack, Teams) or a dedicated SOC copilot web app. Example: "Find all endpoints in the finance OU that communicated with this suspicious IP 185.2.3.4 in the last 48 hours."
  2. Context Enrichment: The AI system first enriches the request by:
    • Validating the provided IP against internal asset lists and threat intel.
    • Looking up the correct Active Directory Organizational Unit (OU) name or ID for "finance."
    • Confirming the available dataset tables in Cortex Data Lake (e.g., xdr_data, dns_data).
  3. Query Generation: A language model (like GPT-4) with specific prompting and few-shot examples crafts the XQL. It uses a structured template:
    ```xql
    dataset = xdr_data
    | filter event_type = NETWORK
        and actor_process_image_path != ""
        and action_remote_ip = "185.2.3.4"
        and actor_primary_user_sid in (
            dataset = xdr_data
            | filter event_type = ENUMERATION
                and actor_primary_user_sid != ""
                and ad_ou = "OU=Finance,DC=corp,DC=local"
            | dedup actor_primary_user_sid
        )
    | fields actor_hostname, actor_primary_user, actor_process_image_path, action_remote_ip, action_remote_port, _time
    | alter start_time = now() - 48h
    | filter _time >= start_time
    ```
  4. Validation & Execution: The generated query is passed through a safety/validation layer that checks for syntax errors, overly broad filters (e.g., missing timeframes), and potential performance impacts before being sent to the Cortex XDR API for execution.
  5. Result Delivery: Results are returned to the analyst in the chat interface, often with a summary and an option to refine the query or drill down.

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.