Understanding string manipulation in XQL - Learn more about string manipulation in Cortex Query Language (XQL) using double and triple quotes. - Administrator Guide - Cortex XDR - Cortex

Understanding string manipulation in XQL - Learn more about string manipulation in Cortex Query Language (XQL) using double and triple quotes. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product

Cortex XDR

License

Prevent

Pro

Creation date

2024-03-06

Last date published

2025-07-10

Category

Administrator Guide

Abstract

Learn more about string manipulation in Cortex Query Language (XQL) using double and triple quotes.

When defining string fields in Cortex Query Language (XQL) queries, it's important to understand the various string manipulations available and the syntax required to build effective queries that return the results you're expecting. Cortex Query Language (XQL) uses RE2 for its regular expression implementation.

Cortex XDR enables you to use single double quotes ("<text>") or triple double quotes ("""<text>""") when defining your XQL syntax for string manipulation. This specific syntax is used with different stages, functions, and operators, with or without wildcards. Typically, the alter and filter stages are used with single or triple double quotes, so these stages are used in the examples provided below.

Triple double quotes ("""<text>""") include the following functionality:

Enables regex-style pattern matching and escape sequence interpretation.
Escape sequences, such as \n (new line) or \t (tab), are processed.
Wildcards using the asterisk (*) are processed as XQL wildcards, and match any sequence of characters.

Example 94.

"""\\test\\""" means to look for \test\

Understanding the results:

The double backslashes (\\) at the beginning becomes a single backlash (\) as it's processed as an escaped backslash.
test is interpreted as literal.
The double backslashes (\\) at the end becomes a single backlash (\) as it's processed as an escaped backslash.

When using the alter stage, you can use both single ("<text>") and triple ("""<text>""") double quotes when specifying string values. The difference lies in how special characters and pattern matching are interpreted.

Example 95.

config timeframe = 10y 
| dataset = test_dataset  
| limit 1
| alter test = "\test\"
| alter test_triple = """\\\test\\"""
| fields test, test_triple

Understanding the query and results

test field using single double quotes:
- The field value is "\test\".
- The output results display \test\ exactly as defined in the field value as no escape sequences are processed.
test_triple field using triple double quotes:
- The field value is """\\\test\\""".
- The output results display \ est\ (with a tab between \ and the text est) because:
  - \\: First two backslashes become single backslash \.
  - \t: Interpreted as a tab.
  - est: Is interpreted as literal.
  - \\: Last two backslashes become single backslash \.

When using the filter stage, you can use both single ("<text>") and triple ("""<text>""") double quotes when specifying string values. The difference lies in how special characters and pattern matching are interpreted.

The examples provided are based on the following data table for a dataset called test_dataset:

_TIME	TEST
Mar 26th 2022 19:26:07	12\t3
May 7th 2023 15:16:00	12 3
Jun 8th 2024 16:56:27	1233
Mar 26th 2024 19:26:07	123
Apr 5th 2024 11:21:02	12\t34563
Apr 9th 2025 13:22:22	1233345
May 9th 2025 13:22:22	12 35897
May 30th 2025 21:45:02	116

Example 96.

config timeframe = 10y 
| dataset = test_dataset  
| filter test = "12\t3*"
| fields test

Output results table:

_TIME	TEST
Mar 26th 2022 19:26:07	12\t3
Apr 5th 2024 11:21:02	12\t34563

Explanation of results:

The asterisk (*) in "12\t3*" means to process the string field as an XQL wildcard by matching any sequence of characters that begins with 12\t3. In addition, the \t characters are not processed as an escape character, but as plain characters.

Example 97.

config timeframe = 10y 
| dataset = test_dataset  
| filter test = """12\t3*"""
| fields test

Output results table:

_TIME	TEST
May 7th 2023 15:16:00	12 3
May 9th 2025 13:22:22	12 35897

Explanation of results:

The \t in """12\t3*""" is processed as a tab escape character. The asterisk (*) in """12\t3*""" means to process the string field as an XQL wildcard by matching any sequence of characters that begins with 12<tab>3.