Union

Cortex XDR XQL union() stage combines two result sets into a single result set.

Synopsis

union <datasetname>
union (<inner xql query>)

Description

The union() stage combines two result sets into one result. It can be used in two different ways.
If a dataset name is provided with no other arguments, then the two datasets are combined for the duration of the query, and the fields in both datasets are available to subsequent stages.
If an XQL query is provided to this stage, then the result set from that XQL union query is combined with the result set from the rest of the query. This is effectively an inner join statement.

Examples

First, create a dataset using the target stage. This results in a persistent dataset that we can use later with a union stage.
dataset = xdr_data | filter event_type = FILE and event_sub_type = FILE_WRITE | fields agent_id, action_file_sha256 as file_hash, agent_hostname | target type=dataset file_event
Then run a second query, using union so that the query can access the contents of the file_event dataset. Notice that this second query uses the file_hash alias that was defined for the file_event dataset.
dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START | union file_event | fields agent_id, agent_hostname, file_hash, actor_process_image_path as executed_by, actor_process_signature_vendor as executor_signer | filter file_hash != null and executed_by != null
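The same combination can be written with the second form of the stage, union (<inner xql query>), so that no persistent dataset has to be created first. This is an added example, not part of the original page; it reuses only the xdr_data fields and event values from the queries above, and the alias names are chosen here for illustration.

```xql
// Added example: inline union of FILE_WRITE events into a PROCESS_START query.
// The inner query in parentheses is evaluated on its own and its rows are
// combined with the outer result set; its aliases (file_hash) become
// available to the stages that follow the union.
dataset = xdr_data
| filter event_type = PROCESS and event_sub_type = PROCESS_START
| fields agent_id, agent_hostname,
         actor_process_image_path as executed_by,
         actor_process_signature_vendor as executor_signer
| union (
    dataset = xdr_data
    | filter event_type = FILE and event_sub_type = FILE_WRITE
    | fields agent_id, agent_hostname,
             action_file_sha256 as file_hash
  )
// Fields present on only one side of the union are null on rows coming
// from the other side, so keep rows carrying either of the values of interest.
| filter file_hash != null or executed_by != null
| fields agent_id, agent_hostname, file_hash, executed_by, executor_signer
```

Because the inner query is recomputed every time this query runs, prefer the target-dataset form from the example above when the same result set is reused across many queries.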
