1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex XDR™ XQL Language Reference
    5. Stages Commands Reference
    6. Alter

    Alter

    Cortex XDR XQL alter stage transforms field values.

    Synopsis

    alter <
    name
    > = <
    function
    >

    Description

    The
    alter
     stage assigns a value to a field name based on the returned value of the function. The field does not have to be known to the dataset or preset schema that you are querying. Further, you can overwrite the current value for a known field using this stage.
    After defining a field using the
    alter
     stage, you can apply other stages, such as filtering, to the new field or field value.

    Examples

    Given three username fields, use the coalesce function to return a username value in the
    default_username
     field, making sure to never have a
    default_username
     that is
    root
    . 
    dataset = xdr_data 
| fields actor_primary_username, 
         os_actor_primary_username, 
         causality_actor_primary_username 
| alter default_username = coalesce(actor_primary_username, 
                                    os_actor_primary_username, 
                                    causality_actor_primary_username)
| filter default_username != "root"

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo