# NL2XQL: Turning Natural Language into Powerful Cybersecurity Querying

By [Gal Itzhak](https://www.paloaltonetworks.com/blog/author/gal-itzhak/?ts=markdown "Posts by Gal Itzhak") and [Lior Perry](https://www.paloaltonetworks.com/blog/author/lior-perry/?ts=markdown "Posts by Lior Perry"), Apr 23, 2025

## **The Challenge: Making XQL More Accessible**

XQL (Extended Query Language) is a domain-specific query language designed for cybersecurity investigations, offering powerful data interrogation capabilities within Cortex XSIAM®. However, writing effective XQL queries requires prior knowledge of the language's structure, syntax, and relevant dataset fields. For newcomers, this learning curve can hinder efficiency and delay critical security operations. To solve this, NL2XQL leverages [large language model (LLM)](https://www.paloaltonetworks.com/cyberpedia/large-language-models-llm) driven algorithms to enable seamless natural language to XQL translation, unlocking new levels of accessibility and productivity for security teams.
## **Introducing NL2XQL -- Now Available in Private Preview**

**NL2XQL** is designed to bridge the gap between human language and XQL. This innovative feature, now part of the Cortex Copilot Early Access Program, is set to ease investigation and data analysis by allowing users to effortlessly translate natural language into precise XQL queries. As part of Cortex XSIAM, NL2XQL strives to lower the entry barrier for security analysts, enabling efficient threat detection and data analysis without requiring deep expertise in XQL syntax. Whether you're an experienced threat hunter or a security analyst new to XQL, NL2XQL empowers you to extract critical insights from massive datasets using simple, intuitive language.

![Figure 1: Illustration of the NL2XQL input prompt screen in the UI of Cortex XSIAM](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/04/word-image-337541-1.png)

Figure 1: Illustration of the NL2XQL input prompt screen in the UI of Cortex XSIAM

![Figure 2: Illustration of the NL2XQL output query screen in the UI of Cortex XSIAM](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/04/word-image-337541-2.png)

Figure 2: Illustration of the NL2XQL output query screen in the UI of Cortex XSIAM

## **The NL2XQL Research Journey: Overcoming Complexity**

Developing an **LLM-powered** XQL generator introduces several challenges:

* **Domain-Specific Complexity** -- Unlike SQL, XQL is proprietary, meaning LLMs have had little or no prior exposure to it.
* **Limited Training Data** -- High-quality natural language--XQL query pairs are scarce, requiring innovative data synthesis techniques.
* **Strict Query Requirements** -- The generated queries must be compilable, syntactically correct, and contextually relevant.
* **Evaluation Ambiguity** -- Correctness is difficult to assess, as multiple valid queries could return the same results.
* **Dataset and Field Characterization** -- Understanding dataset structures and field relevance is crucial for generating meaningful and contextual queries.

To address these, we have developed a **multi-phase strategy** combining **synthetic data generation, fine-tuning, and multi-perspective evaluation methodologies**.

## **The Algorithm: A Multi-Phase Funnel for LLM Grounding**

NL2XQL employs a structured, multi-phase funnel pipeline to ensure robustness and efficiency. The funnel-like architecture progressively **reduces uncertainty at each phase** and **grounds LLM-generated results** in real-world cybersecurity context.

1. **Understanding the Query Intent** -- Classifies the user's input into specific tables, views, and event types (e.g., network, file, process events).
2. **Determining Relevant Fields** -- Based on the event types and relevant datasets, selects candidate data fields (table columns) that match the user's intent.
3. **Planning Query Structure** -- Using a fine-tuned LLM, builds a pseudo-query that breaks the query implementation task into smaller steps.
4. **Step-by-Step Implementation** -- Implements each step in parallel, using the relevant data fields and XQL's own syntax.
5. **Query Assembly and Validation** -- The assembled query is validated for compilability and correctness, ensuring it conforms to XQL syntax.

This structured approach minimizes hallucinations, enhances query correctness, and ensures that security teams receive meaningful, actionable results.

## **The Evaluation: Multi-Perspective Methodology**

Performance evaluation of an LLM-powered algorithm is a well-known challenge, both in the literature and across the industry. To obtain a meaningful and reliable performance assessment, we combine several approaches whose union yields a comprehensive, multi-perspective view. More specifically, the following approaches are used:

1. **Manual evaluation** -- Ensuring overall correctness through expert verification.
2. **Static KPIs** -- Evaluating compilability as well as the Jaccard similarity of different query attributes, such as fields, stages, and operators.
3. **LLM as a judge** -- Direct and indirect (via SQL translation) assessment at scale.

Combining the three approaches, we are able to attain a context-aware, LLM-grounded evaluation that can also be extended to scale.

![Figure 3: Diagram of the three performance evaluation approaches and their advantages](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/04/word-image-337541-3.png)

Figure 3: Diagram of the three performance evaluation approaches and their advantages

## **The Future of NL2XQL**

As we continue developing NL2XQL, our focus remains on expanding and refining its capabilities. Translating natural language into **meaningful, context-aware** XQL queries is a complex challenge, and we have several planned enhancements to further improve accuracy and usability:

* **Expanded XQL Capabilities** -- Supporting more complex query structures.
* **Broader Table Support** -- Extending functionality to additional datasets.
* **Improved Query Understanding** -- Enhancing the model's ability to capture nuances for more precise query translation.
* **Deeper Cybersecurity Context Awareness** -- Increasing relevance and effectiveness in security investigations.

Palo Alto Networks is committed to integrating advanced AI tools into its products, enabling customers to leverage AI for more effective and efficient security operations. NL2XQL is an important step in this direction, and we look forward to its continued evolution.

**Looking to empower your research? Submit a registration request to the Cortex Copilot Early Access Program: dl-cortexcopilotsupport@paloaltonetworks.com**
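As an added, constructed illustration of the "Static KPIs" approach from the evaluation section above (not code from the NL2XQL project or Cortex XSIAM): it splits a generated and a reference XQL query into pipeline stages, extracts the stage names, field identifiers and operators, and reports a per-attribute Jaccard similarity next to a lightweight structural sanity check. The stage keyword list, the tokenizer, the structural check and the two sample queries are my own assumptions; the check only approximates what the real XQL compiler decides.

```python
import re

# Subset of XQL stage keywords this checker knows (an assumption, not the full grammar).
KNOWN_STAGES = {"filter", "fields", "alter", "comp", "sort", "limit", "dedup",
                "join", "bin", "config", "union"}
OPERATORS = {"=", "!=", ">", ">=", "<", "<=", "~=", "contains", "in", "not", "and", "or"}
KEYWORDS = {"true", "false", "null", "asc", "desc", "by", "as", "timeframe", "between"}
# A '|' followed by an even number of quotes up to end of string, i.e. a pipe outside any literal.
_PIPE_RE = re.compile(r'\|(?=(?:[^"\']*(?:"[^"]*"|\'[^\']*\'))*[^"\']*$)')
# Tokens: quoted string, function call, multi-char operator, single-char operator, identifier.
_TOKEN_RE = re.compile(
    r'"[^"]*"|\'[^\']*\'|[A-Za-z_][A-Za-z0-9_.]*\s*\(|~=|!=|>=|<=|[=<>]|[A-Za-z_][A-Za-z0-9_.]*')

def split_stages(query: str) -> list[str]:
    """Split an XQL query into its pipeline stages, ignoring pipes inside quoted strings."""
    return [s.strip() for s in _PIPE_RE.split(query) if s.strip()]

def extract_attributes(query: str) -> dict[str, set[str]]:
    """Collect the stage names, field identifiers and operators a query uses."""
    stages, fields, ops = set(), set(), set()
    for i, stage in enumerate(split_stages(query)):
        tokens = _TOKEN_RE.findall(stage)
        if not tokens:
            continue
        head = tokens[0].lower()
        stages.add(head)
        # A leading 'dataset = <name>' or 'preset = <name>' contributes no fields or operators.
        body = tokens[3:] if i == 0 and head in ("dataset", "preset") else tokens[1:]
        for tok in body:
            low = tok.lower()
            if tok.endswith("(") or tok[0] in "\"'" or low.startswith("enum.") or low in KEYWORDS:
                continue  # function name, string literal, enum constant or keyword
            (ops if low in OPERATORS else fields).add(low)
    return {"stages": stages, "fields": fields, "operators": ops}

def jaccard(a: set[str], b: set[str]) -> float:
    """|A ∩ B| / |A ∪ B|; two empty sets count as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)

def structural_check(query: str) -> list[str]:
    """Cheap sanity checks that approximate, but do not replace, the XSIAM compiler's verdict."""
    stages = split_stages(query)
    problems = ([] if stages and stages[0].split()[0].lower() in ("dataset", "preset")
                else ["query must start with 'dataset =' or 'preset ='"])
    problems += [f"unknown stage '{s.split()[0].lower()}'"
                 for s in stages[1:] if s.split()[0].lower() not in KNOWN_STAGES]
    if query.count("(") != query.count(")"):
        problems.append("unbalanced parentheses")
    return problems

def score(generated: str, reference: str) -> dict[str, float]:
    """Static KPIs: per-attribute Jaccard similarity against the reference plus a compilability proxy."""
    g, r = extract_attributes(generated), extract_attributes(reference)
    kpis = {k: round(jaccard(g[k], r[k]), 3) for k in ("stages", "fields", "operators")}
    kpis["compiles"] = 1.0 if not structural_check(generated) else 0.0
    return kpis

# Constructed sample pair: an analyst-written reference query and a model-generated candidate.
REFERENCE = ('dataset = xdr_data | filter event_type = ENUM.PROCESS and action_process_image_name '
             'contains "powershell" | fields agent_hostname, action_process_image_command_line | limit 100')
GENERATED = ('dataset = xdr_data | filter event_type = ENUM.PROCESS and action_process_image_name '
             '~= ".*powershell.*" | fields agent_hostname, action_process_image_command_line '
             '| sort desc _time | limit 100')
```

For the sample pair, `score(GENERATED, REFERENCE)` yields stages 0.8, fields 0.8, operators 0.5 and compiles 1.0: the candidate adds a `sort` stage and the `_time` field and swaps `contains` for `~=`, which is exactly the kind of structural drift these KPIs surface before an expert or an LLM judge looks at semantics.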