case_sensitive - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language case_sensitive config stage.

Syntax
config case_sensitive = true | false
Description

The case_sensitive configuration identifies whether field values are evaluated as case sensitive or case insensitive. The config case_sensitive stage must be added at the beginning of the query. You can also add another config case_sensitive stage when adding a join or union stage to a query.

If you do not provide this stage in your query, the default behavior is false, and case is not considered when evaluating field values.

Note

  • The SettingsConfigurationsXQL ConfigurationCase Sensitivity (case_sensitive) setting can overwrite this case_sensitive configuration for all fields in the application except for BIOCs, which will remain case insensitive no matter what this setting is set to.

  • From Cortex XDR version 3.3, the default case sensitivity setting was changed to case insensitive (config case_sensitive = false). If you've been using Cortex XDR before this version was released, the default case sensitivity setting is still configured to be case sensitive (config case_sensitive = true).

Examples
config case_sensitive = true 
| dataset = xdr_data 
| fields actor_process_image_name as apin 
| filter apin != NULL and apin contains "python" 
| limit 100