call - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language call stage to reference a predefined query from the Query Library.

Syntax
call "<name of predefined query>" [<param_name1> = <value1> <param_name2> = <value2>....]
Description

The call stage is used to reference a predefined query from the Query Library, including your Personal Query Library. In addition, if your query includes parameters you can reference them in the call stage using the syntax <param_name1> = <value1> <param_name2> = <value2>.... When using parameters in your call stage, you need to ensure that a query already exists that uses these parameters.

Example without Parameters

For the predefined query called "CreateRole operation parsed to fields", returns a maximum of 100 records, where the accessKeyId equals "1234".

call "CreateRole operation parsed to fields"
| filter accessKeyId = "1234"
| limit 100
Example with Parameters

Using the same example above, this example shows how to use the same call stage with parameters. This example assumes that there is a query that is already saved with a parameter $key_id = "1234".

Saved query:

dataset = dataset_name 
| filter field_name = $key_id

Query to run with using parameters:

call "CreateRole operation parsed to fields" key_id = "1234"
| limit 100