* [Blog](https://www2.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www2.paloaltonetworks.com/blog/corporate/)
* [News and Events](https://www2.paloaltonetworks.com/blog/security-operations/category/news-and-events/)
* Cortex XDR 2.6: Better Se...

# Cortex XDR 2.6: Better Search for Better Threat Hunting

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2020%2F11%2Fcortex-xdr-2-6%2F)  
[](https://twitter.com/share?text=Cortex+XDR+2.6%3A+Better+Search+for+Better+Threat+Hunting&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2020%2F11%2Fcortex-xdr-2-6%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2020%2F11%2Fcortex-xdr-2-6%2F&title=Cortex+XDR+2.6%3A+Better+Search+for+Better+Threat+Hunting&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/2020/11/cortex-xdr-2-6/&ts=markdown)  
\[\](mailto:?subject=Cortex XDR 2.6: Better Search for Better Threat Hunting)  
Link copied  
By [Kasey Cross](https://www.paloaltonetworks.com/blog/author/kasey-cross/?ts=markdown "Posts by Kasey Cross")  
Nov 02, 2020  
3 minutes  
[News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown)  
[Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)  
[Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown)  
[Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown)  
[Threat Hunting](https://www.paloaltonetworks.com/blog/tag/threat-hunting/?ts=markdown)

On Nov. 1, we released Cortex XDR 2.6, the latest in a [series of updates](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/) that break down security silos and cross traditional product boundaries to stop ever more sophisticated attacks. Cortex XDR 2.6 introduces a groundbreaking security search engine that combines a rich query language with a deep understanding of data to bring your investigation and threat hunting capabilities to the next level.

With XQL search, we've brought advanced query options -- traditionally only available with log management and security information and event management (SIEM) solutions -- to our detection and response platform. Now, your team can search across [XDR](https://www.paloaltonetworks.com/blog/2020/10/secops-beyond-traditional-edr/) data, merge findings from multiple data sources and explore over 800 catalogued fields to find stealthy threats. Investigations that previously required multiple queries across siloed tools can be performed in a snap with XQL search.

## Hunt Down Stealthy Threats with XQL Search

With flexible XQL search, you can unearth almost any threat using a broad set of search commands and options. XQL search allows you to find adversary tactics across the attack lifecycle and hunt down stealthy attack behaviors by constructing laser-precise queries. You can also search for indicators of compromise (IoCs) in your data to reveal malicious activity that might otherwise be virtually impossible to find.

![The image shows some use cases for XQL search in Cortex XDR 2.6. These include Brute Force: Search for top 10 users with most failed logins; Lateral Movement: Search for SSH or RPC traffic from unmanaged devices; Exfiltration: Look for large uploads from legitimate tools like PowerShell \& FTP; Malware: Investigate unsigned apps intalled \< 5 times; and Evasion: Hunt for renamed system utilities](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/word-image-2.png)

## **Find the Answer to Your Security Questions**

To reduce response time, your team needs to quickly triage and verify alerts. With XQL search, your analysts can accelerate investigations by filtering, aggregating and editing search results. They can easily find what they're looking for using regex and JSON syntax. They can even identify anomalies and understand the impact of attacks by reviewing past activity, including the number of events and the volume of data transfers.

![This is a view of the XQL search feature in the Cortex XDR 2.6 management console, showing options including use dataset, use filter and use fields.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/word-image-3.png)
XQL Search Feature in the Cortex XDR management console

## Get Started Quickly with Advanced Query Features

Our new search capability puts the power of XDR data at your fingertips, but it also lets you ramp up swiftly with in-product help. It offers autocomplete predictions as you type search commands. A growing library of query examples allow you to easily execute common searches.

![A growing library of query examples allow you to easily execute common searches on XQL data.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/word-image-4.png)
The Cortex XDR Query Library

## Visualize Search Results

If a picture is worth a thousand words, a chart is worth a thousand rows in a table. With XQL search, you can instantly understand trends and identify anomalies by reviewing pertinent statistics and charts. Simply display your XQL query results as charts or create new query-based widgets in the Cortex XDR dashboard to view graphical representations of your data.
![Display your XQL query results as charts or create new query-based widgets in the Cortex XDR dashboard to view graphical representation of your data.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/word-image-5.png)
Cortex XDR charts

In addition to our new XQL query language for truly accelerated threat hunting and investigations, we have also introduced:

* Google Cloud Platform log ingestion.
* Host inventory for macOS and Linux operating systems.
* New dashboard charts and widgets, including group-based widgets.
* CyberArk authentication for Pathfinder endpoint data collection.
* The ability to open the analysis view, the timeline view and other management pages in the same tab or in a new tab.

For a complete list of new features in Cortex XDR 2.6, see the [Cortex XDR release notes](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/release-information/features-introduced/features-introduced-in-2020.html#iddb59f5e7-aac3-4e46-a08d-ab6f7a304416). See[Cortex XDR licenses](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/cortex-xdr-overview/cortex-xdr-licenses) to find out which features are available with Cortex XDR Prevent, Cortex XDR Pro per Endpoint and Cortex XDR Pro per TB.

To learn more about XQL search and other recent Cortex XDR enhancements, be sure to watch the keynote sessions at Palo Alto Networks [Ignite '20](https://ignite.paloaltonetworks.com/).

*** ** * ** ***

## Related Blogs

### [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown)

[#### Physical Hack, Insider Threat: Busted by Cortex XDR Managed Threat Hunting](https://www2.paloaltonetworks.com/blog/2020/06/cortex-insider-threat/)

### [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown)

[#### Tales From the SOC: Hunting for Persistent Malware](https://www2.paloaltonetworks.com/blog/2019/05/xdr-tales-from-the-soc-hunting-for-persistent-malware/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)

[#### Intercepting the ToolShell Zero-Day Before the Headlines](https://www2.paloaltonetworks.com/blog/security-operations/intercepting-the-toolshell-zero-day-before-the-headlines/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

[#### Threat Hunting with Mark of The Web Using Cortex XDR](https://www2.paloaltonetworks.com/blog/security-operations/threat-hunting-with-mark-of-the-web-using-cortex-xdr/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Exploring the Art and Science of Threat Hunting with Oded Awaskar](https://www2.paloaltonetworks.com/blog/security-operations/exploring-the-art-and-science-of-threat-hunting-with-oded-awaskar/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Forrester Names Palo Alto Networks a Leader in XDR](https://www2.paloaltonetworks.com/blog/2024/06/forrester-names-palo-alto-networks-a-leader-in-xdr/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language