Document:Cortex XDR™ XQL Language Reference

Filter

Search the Table of Contents

copyright
- copyright
Get Started with XQL
Stages Commands Reference
- Alter
- Arrayexpand
- Bin
- Comp
  - avg
  - count
  - count_distinct
  - earliest
  - first
  - last
  - latest
  - list
  - max
  - min
  - sum
  - values
- Config
  - case_sensitive
  - timeframe
- Dedup
- Fields
- Filter
- Join
- Iploc
- Limit
- Replacenull
- Sort
- Target
- Union
- View
XQL Functions Reference
- add
- arrayconcat
- arraycreate
- arraydistinct
- arrayfilter
- arrayindex
- arrayindexof
- array_length
- arraymap
- arraymerge
- arrayrange
- arraystring
- coalesce
- concat
- current_time
- divide
- extract_time
- format_string
- format_timestamp
- floor
- if
- incidr
- incidrlist
- json_extract
- json_extract_array
- json_extract_scalar
- len
- lowercase
- multiply
- object_create
- parse_timestamp
- pow
- regextract
- replace
- replex
- round
- split
- string_count
- subtract
- timestamp_diff
- timestamp_seconds
- to_boolean
- to_float
- to_integer
- to_json_string
- to_number
- to_string
- to_timestamp
- trim
- uppercase

Filter

Cortex XDR XQL sort() command narrow downs the displayed results.

Synopsis

filter <boolean expr>

Description

The

filter

stage identifies which data records should be returned by the query. Filters are boolean expressions that can use a wide range of functions and operators to express the filter. If a record matches the filter (that is, the filter expression returns True when applied to the record), then the record is returned in the query's result set.

The functions you can use with a filter are described in XQL Functions Reference. For a list of supported operators, see Supported Operators.

Examples

Return

xdr_data

records where the

event_type

NETWORK

and the

event_sub_type

NETWORK_HTTP_HEADER

dataset = xdr_data 
| filter event_type = NETWORK and event_sub_type = NETWORK_HTTP_HEADER

When entering filters to the

XQL Search

user interface, possible field values for fields of type

enum

are available using the auto-complete feature. However, the autocomplete can only show enum values that are known to the schema. In some cases, on data import an enum value is included that is not known to the defined schema. In this case, the value will appear in the result set as an unknown value. (For example,

event_type_unknown_4

). Be aware that even though this value appears in the result set, you cannot create a filter using it. For example, this query will fail, even if you know the value appears in your result set:

dataset = xdr_data 
| filter event_type = event_type_unknown_4

When using fields of type

enum

, the following syntax is supported.

Syntax format A

| filter event_type = ENUM.FILE

Syntax format B

| filter event_type = FILE

Document:Cortex XDR™ XQL Language Reference

Filter

Table of Contents

Filter

Synopsis

Description

Examples

Recommended For You

Recommended Videos