replex - Learn more about the Cortex Query Language replex() function that uses a regular expression to identify and replace substrings. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation
Product
Cortex XDR
License
Prevent
Pro
Creation date
2024-03-06
Last date published
2025-11-14
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language replex() function that uses a regular expression to identify and replace substrings.

Syntax
replex (<string>, <pattern>, <new_string>)
Description

The replex() function accepts a string, and then uses a regular expression to identify a substring, and then replaces matching substrings with a new string.

XQL uses RE2 for its regular expression implementation.

Examples

For any agent_id that contains a dotted decimal IP address, mask the IP address. Use the dedup stage to reduce the result set to first-seen agent_id values.

dataset = xdr_data 
| fields agent_id 
| alter clean_agent_id = replex(agent_id, 
                              "[\d]+\.[\d]+\.[\d]+\.[\d]+", 
                              "xxx.xxx.xx.xx") 
| dedup agent_id by asc _time