Alter
Cortex XDR XQL alter stage transforms field values.
Synopsis
alter <name> = <function>
Description
The alter stage assigns a value to a field name based on the returned value of the function. The field does not have to be known to the dataset or preset schema that you are querying. Further, you can overwrite the current value of a known field using this stage.
After defining a field using the alter stage, you can apply other stages, such as filtering, to the new field or field value.
Examples
Given three username fields, use the coalesce function to return the first non-null username value in a new default_username field, then filter out any row whose default_username is exactly "root". The comparison is a plain string equality, so only a value that matches "root" character for character is excluded.
dataset = xdr_data | fields actor_primary_username, os_actor_primary_username, causality_actor_primary_username | alter default_username = coalesce(actor_primary_username, os_actor_primary_username, causality_actor_primary_username) | filter default_username != "root"
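A second worked query, added here as an illustration and not taken from the Cortex XDR documentation, shows the other behaviour the Description mentions: overwriting a field that the dataset schema already knows, and then building on the rewritten value in later stages. It assumes the same xdr_data dataset and the three username fields used above, and that the XQL string function lowercase and the comp stage are available; the normalisation step is a reasonable precaution against case variants of the same account name, not a claim about how any particular platform records usernames.

```xql
// Normalise the schema-known field in place (overwrite), then derive a new
// field from the normalised value and aggregate on it.
dataset = xdr_data
| fields actor_primary_username, os_actor_primary_username, causality_actor_primary_username
// Overwrite a known field: lower-case the actor username before comparing it.
| alter actor_primary_username = lowercase(actor_primary_username)
// Create a new field that the schema does not define.
| alter default_username = coalesce(actor_primary_username, os_actor_primary_username, causality_actor_primary_username)
// Overwrite the field we just created so every fallback value is normalised too.
| alter default_username = lowercase(default_username)
// Later stages can filter and aggregate on the derived field.
| filter default_username != "root"
| comp count() as event_count by default_username
```

Each alter stage here carries a single assignment, matching the synopsis on this page; chaining alter stages is the way to apply several transformations in sequence, and a field written by one alter is immediately usable by the stages that follow it.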