Supported Operators

Cortex XDR XQL supports a fixed set of comparison, boolean, and string and range operators, plus the add operator used with the tag command. Each group is described below.

Comparison Operators

Operator    Description
=, !=       Equal, Not equal
<, <=       Less than, Less than or equal to
>, >=       Greater than, Greater than or equal to

Boolean Operators

Operator    Description
and         Boolean and
or          Boolean or

String and Range Operators

Operator    Description

IN, NOT IN
    Returns true if the field value is one of the values in the parenthesized list (NOT IN returns true when it matches none of them). For example:
        action_local_port in (5900, 5999)
    The list holds discrete values, not a range: this matches port 5900 or port 5999 only. To match every port from 5900 through 5999, combine the comparison operators instead:
        action_local_port >= 5900 and action_local_port <= 5999

CONTAINS, NOT CONTAINS
    Performs a search for an integer or string and returns true if the specified value is contained in the field. CONTAINS and NOT CONTAINS also work on array fields, for both integers and strings, testing whether the array holds the given value. For example:
        lowercase(actor_process_image_name) contains "psexec"
    Here lowercase() normalizes the field before matching, so PsExec.exe and PSEXEC64.EXE both match.

~=
    Matches a regular expression. For example:
        action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
    This matches double-extension executables such as invoice.pdf.exe.

INCIDR, NOT INCIDR
    Tests an IP address against a range written in CIDR notation and returns true if the address falls inside that range. For example:
        action_remote_ip incidr "192.1.1.1/24"
    The /24 prefix covers the whole 192.1.1.0 to 192.1.1.255 block, so any remote address in that subnet matches.

Add Operator for Tagging

Operator    Description

add
    The add operator is used with the tag command to attach a single tag, or a list of tags, to the query results so that you can later query on those tags in the dataset. For example:

    Adding a single tag:
        dataset = xdr_data | tag add "test"

    Adding a list of tags:
        dataset = xdr_data | tag add "test1", "test2", "test3"
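As an added example that is not part of this page or of the Cortex XDR product documentation, the query below combines the string and range operators and the tag command shown above into one hunt: it selects events where the acting process looks like PsExec or the launched image has a double extension, keeps only those whose remote peer is outside the RFC 1918 private blocks, tags them, and trims the output. It assumes the XQL filter and fields stages, which this page does not describe, and the private-address exclusions are an assumption about which peers count as external in a given environment.

```xql
// Added example, not from this page. Assumes the filter and fields stages
// and treats the three RFC 1918 blocks as "internal" (an assumption).
dataset = xdr_data
| filter (lowercase(actor_process_image_name) contains "psexec"
          or action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe")
    and action_remote_ip != null
    and action_remote_ip not incidr "10.0.0.0/8"
    and action_remote_ip not incidr "172.16.0.0/12"
    and action_remote_ip not incidr "192.168.0.0/16"
| tag add "psexec-or-double-ext", "external-peer"
| fields actor_process_image_name, action_process_image_name, action_remote_ip, action_local_port
```

Each stage reads the results of the stage before it, so the tag stage is placed after filter to tag only matching events rather than the whole dataset, and the parentheses around the or clause keep it from being swallowed by the following and conditions. The null check runs before the NOT INCIDR tests so that events with no remote address are dropped instead of passing every exclusion by default.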
