Supported Operators

Cortex XDR XQL supports specific comparison, boolean, and set (string and range) operators, as well as the add operator used with the tag command. The operators you can use in XQL queries are described below.

Comparison Operators

| Operator | Description |
|---|---|
| =, != | Equal, Not equal |
| <, <= | Less than, Less than or equal to |
| >, >= | Greater than, Greater than or equal to |

Boolean Operators

| Operator | Description |
|---|---|
| and | Boolean and |
| or | Boolean or |

String and Range Operators

| Operator | Description |
|---|---|
| IN, NOT IN | Returns true if the field value is in the specified range, inclusive. For example: `action_local_port in(5900,5999)` |
| CONTAINS, NOT CONTAINS | Performs a substring search. Returns true if the specified string is contained in the field. For example: `lowercase(actor_process_image_name) contains "psexec"` |
| ~= | Matches a regular expression. For example: `action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"` |

Add Operator for Tagging

| Operator | Description |
|---|---|
| add | The `add` operator is used together with the `tag` command to add a single tag or a list of tags to a field, so that you can easily query for those tags in the dataset. |

For example:

Adding a single tag:
dataset = xdr_data | tag add "test"

Adding a list of tags:
dataset = xdr_data | tag add "test1", "test2", "test3"
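As an added example (not from the original page), the operators above combined in one hunting query that flags process starts with a double-extension image name or a PsExec-named parent, then tags the hits for later queries. It assumes the standard xdr_data fields named in the query, the ENUM.PROCESS and ENUM.PROCESS_START event types, and that tag add may be placed after the filter stages.

```xql
// Added example, not from the original page: comparison, boolean, string and
// tag operators combined. Field and ENUM names are assumed standard xdr_data values.
dataset = xdr_data
// = and boolean 'and': restrict to process-start events before string matching
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
// ~= : double-extension executables; contains : a parent process named like psexec
| filter action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
    or lowercase(actor_process_image_name) contains "psexec"
// tag add: label the hits so a later query can select just these rows
| tag add "double_extension", "review"
// keep only the columns an analyst needs for triage
| fields agent_hostname, actor_process_image_name, action_process_image_name,
    action_process_image_command_line
| limit 100
```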
