Document:Cortex XDR™ XQL Language Reference

View

Search the Table of Contents

copyright
- copyright
Get Started with XQL
Stages Commands Reference
- Alter
- Arrayexpand
- Bin
- Comp
  - avg
  - count
  - count_distinct
  - earliest
  - first
  - last
  - latest
  - list
  - max
  - min
  - sum
  - values
- Config
  - case_sensitive
  - timeframe
- Dedup
- Fields
- Filter
- Join
- Iploc
- Limit
- Replacenull
- Sort
- Target
- Union
- View
XQL Functions Reference
- add
- arrayconcat
- arraycreate
- arraydistinct
- arrayfilter
- arrayindex
- arrayindexof
- array_length
- arraymap
- arraymerge
- arrayrange
- arraystring
- coalesce
- concat
- current_time
- divide
- extract_time
- format_string
- format_timestamp
- floor
- if
- incidr
- incidrlist
- json_extract
- json_extract_array
- json_extract_scalar
- len
- lowercase
- multiply
- object_create
- parse_timestamp
- pow
- regextract
- replace
- replex
- round
- split
- string_count
- subtract
- timestamp_diff
- timestamp_seconds
- to_boolean
- to_float
- to_integer
- to_json_string
- to_number
- to_string
- to_timestamp
- trim
- uppercase

View

Cortex XDR XQL view stage configures the graphical display of the result set.

Synopsis

view highlight fields = <field1>[,<field2>,...] values = <value1>[,<value2>,...]

view graph = column|line|pie xaxis = <field1> 
     yaxis = <field2> [<optional parameters>]

Description

The

view()

stage configures graphical display of the result set. It can be used in two different ways.

If you use

highlight

, the

view

stage highlights specified strings that XDR finds on specified fields. The highlight values that you provide are performed as a substring search, so only partial value can be highlighted in the final results table.

If you use

graph

, the

view

stage creates a column, line, or pie chart based on the values found for the fields specified on the

xaxis

and

yaxis

parameters. In this mode,

view

also offers a large number of parameters that allow you to control colors, decorations, and other behavior used for the final chart.

If you use

graph

, the fields specified for

xaxis

and

yaxis

must be collatable or the query will fail.

Examples

Use the dedup stage collect unique combinations of

event_type

and

event_sub_type

values. Highlight the word "STREAM" when it appears in the result set.

dataset = xdr_data 
| fields event_type, event_sub_type 
| dedup event_type, event_sub_type by asc _time 
| view highlight fields = event_sub_type values = "STREAM"

Count the number of unique files accessed by each user, and show a column graph of the results. This query uses comp count_distinct to calculate the number of unique files per username.

dataset = xdr_data 
| fields actor_effective_username as username, action_file_path as file_path 
| filter file_path != null and username != null 
| comp count_distinct(file_path) as file_count by username 
| view graph type = column xaxis = username yaxis = file_count

Document:Cortex XDR™ XQL Language Reference

View

Table of Contents

View

Synopsis

Description

Examples

Recommended For You

Recommended Videos