replex

The Cortex XDR XQL replex function uses a regular expression to identify and replace substrings.

Synopsis

replex(<string>, <pattern>, <new_string>)

Description

The replex() function accepts a string, uses a regular expression to identify matching substrings, and replaces every match with a new string.
XQL uses RE2 for its regular expression implementation.

Examples

For any agent_id that contains a dotted decimal IP address, mask the IP address. Use the dedup stage to reduce the result set to first-seen agent_id values.
dataset = xdr_data | fields agent_id | alter clean_agent_id = replex(agent_id, "[\d]+\.[\d]+\.[\d]+\.[\d]+", "xxx.xxx.xx.xx") | dedup agent_id by asc _time

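The following added example (not from the Cortex XDR documentation) reproduces the masking behaviour of the query above with Python's re module standing in for replex(), and compares the page's pattern with a tighter, octet-bounded one that leaves version strings and over-long digit runs alone. Both patterns use only constructs that RE2 also supports, so either can be passed to replex() as written; the sample agent_id values are constructed.

```python
import re

# Pattern from the page's example: any four digit runs separated by dots.
LOOSE_IPV4 = r"[\d]+\.[\d]+\.[\d]+\.[\d]+"
# Tighter alternative: 1-3 digit octets bounded by \b, so version strings
# and longer digit runs are not masked. RE2 supports \b, \d, {n,m}, (?:...).
BOUNDED_IPV4 = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"
MASK = "xxx.xxx.xx.xx"  # replacement string from the page's example


def mask_ips(agent_id: str, pattern: str = LOOSE_IPV4) -> str:
    """Replace every match of pattern in agent_id with MASK, as replex() does."""
    return re.sub(pattern, MASK, agent_id)


def compare(agent_id: str) -> tuple:
    """Return (loose_result, bounded_result) for one agent_id value."""
    return mask_ips(agent_id, LOOSE_IPV4), mask_ips(agent_id, BOUNDED_IPV4)


# Constructed sample agent_id values (hypothetical, not real telemetry).
SAMPLES = [
    "host-10.0.0.1",                 # plain IP: both patterns mask it
    "edge-10.0.0.1-to-192.168.1.5",  # two IPs: every occurrence is replaced
    "build-2.10.4.1234-x64",         # version string: only the loose pattern masks it
    "1234.5.6.7",                    # first octet too long: only the loose pattern masks it
]

if __name__ == "__main__":
    for sample in SAMPLES:
        loose, bounded = compare(sample)
        print(f"{sample!r}: loose={loose!r} bounded={bounded!r}")
```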