Document:Cortex XDR™ XQL Language Reference

Union

Search the Table of Contents

copyright
- copyright
Get Started with XQL
Stages Commands Reference
- Alter
- Arrayexpand
- Bin
- Comp
  - avg
  - count
  - count_distinct
  - earliest
  - first
  - last
  - latest
  - list
  - max
  - min
  - sum
  - values
- Config
  - case_sensitive
  - timeframe
- Dedup
- Fields
- Filter
- Join
- Iploc
- Limit
- Replacenull
- Sort
- Target
- Union
- View
XQL Functions Reference
- add
- arrayconcat
- arraycreate
- arraydistinct
- arrayfilter
- arrayindex
- arrayindexof
- array_length
- arraymap
- arraymerge
- arrayrange
- arraystring
- coalesce
- concat
- current_time
- divide
- extract_time
- format_string
- format_timestamp
- floor
- if
- incidr
- incidrlist
- json_extract
- json_extract_array
- json_extract_scalar
- len
- lowercase
- multiply
- object_create
- parse_timestamp
- pow
- regextract
- replace
- replex
- round
- split
- string_count
- subtract
- timestamp_diff
- timestamp_seconds
- to_boolean
- to_float
- to_integer
- to_json_string
- to_number
- to_string
- to_timestamp
- trim
- uppercase

Union

Cortex XDR XQL union() stage combines two result sets into a single result set.

Synopsis

union <datasetname>

union (<inner xql query>)

Description

The

union()

stage combines two result sets into one result. It can be used in two different ways.

If a dataset name is provided with no other arguments, then the two datasets are combined for the duration of the query, and the fields in both datasets are available to subsequent stages.

If an XQL query is provided to this stage, then the result set from that XQL union query is combined with the result set from the rest of the query. This is effectively an inner join statement.

Examples

First, create a dataset using the target stage. This results in a persistent stage that we can use later with a

union

stage.

dataset = xdr_data
| filter event_type = FILE and event_sub_type = FILE_WRITE 
| fields agent_id, action_file_sha256 as file_hash, agent_hostname 
| target type=dataset file_event

Then run a second query, using

union

so that the query can access the contents of the

file_event

dataset. Notice that this second query uses the

file_hash

alias that was defined for the

file_event

dataset.

dataset = xdr_data 
| filter event_type = PROCESS and event_sub_type = PROCESS_START 
| union file_events 
| fields agent_id, agent_hostname, file_hash, 
      actor_process_image_path as executed_by, 
      actor_process_signature_vendor as executor_signer 
| filter file_hash != null and executed_by != null

Document:Cortex XDR™ XQL Language Reference

Union

Table of Contents

Union

Synopsis

Description

Examples

Recommended For You

Recommended Videos