array_any - Learn more about the Cortex Query Language array_any() function. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation
Product
Cortex XDR
License
Prevent
Pro
Creation date
2024-03-06
Last date published
2025-11-14
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language array_any() function.

Syntax
array_any(<array>, "@element"<operator>"<array element>")

Note

The <operator> can be any of the ones supported, such as = and !=.

Description

The array_any() function returns true when at least 1 element in a particular array matches the condition in the specified array element. Otherwise, the function returns false.

Example

When the dfe_labels array is not empty, use the alter stage to create a new column called x that returns true when at least 1 element in the dfe_labels array is equal to network; otherwise, the function returns false.

dataset = xdr_data
| filter dfe_labels != null
| alter x = array_any(dfe_labels , "@element" = "network")
| fields x, dfe_labels
| limit 100