Alter - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-02-26
Last date published: 2024-05-21
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language alter stage.

Syntax

alter <field1> = <function value1> [, <field2> = <function value2>, ...]

Description

The alter stage changes the value of an existing field (column) or creates a new field (column) from constant values or existing fields. It does this by assigning the return value of the specified function to the named field. The field does not have to be known to the schema of the dataset or preset you are querying; if it is a known field, the stage overwrites its current value.

After defining a field using the alter stage, you can apply other stages, such as filtering, to the new field or field value.

Examples

Given three username fields, use the coalesce function to return the first non-null username in the default_username field, then filter so that default_username is never root.

dataset = xdr_data 
| fields actor_primary_username, 
         os_actor_primary_username, 
         causality_actor_primary_username 
| alter default_username = coalesce(actor_primary_username, 
                                    os_actor_primary_username, 
                                    causality_actor_primary_username)
| filter default_username != "root"
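To step through what the query above does, here is a small Python emulation of the alter stage, coalesce, and the final filter over constructed xdr_data-style rows. This is added example code, not part of the Cortex XDR documentation or the XQL engine; the usernames are invented, and the behaviour of the null comparison in the last step is Python's, not a statement about how XQL evaluates it.

```python
"""Added example: emulate `alter default_username = coalesce(...)` followed by
`filter default_username != "root"` over constructed rows (not real telemetry)."""
from typing import Any, Callable, Optional


def coalesce(*values: Optional[Any]) -> Optional[Any]:
    """Return the first argument that is not null (None); None if all are null."""
    for v in values:
        if v is not None:
            return v
    return None


def alter(rows: list[dict], **assignments: Callable[[dict], Any]) -> list[dict]:
    """Emulate `alter <field> = <function>`: each assignment sets the named field
    on a copy of the row. Unknown fields are created, known fields are overwritten."""
    out = []
    for row in rows:
        new = dict(row)
        for field, fn in assignments.items():
            new[field] = fn(new)
        out.append(new)
    return out


def filter_rows(rows: list[dict], pred: Callable[[dict], bool]) -> list[dict]:
    """Emulate `filter <condition>`: keep only rows where the predicate holds."""
    return [r for r in rows if pred(r)]


# Constructed sample rows mirroring the three username fields from the query.
SAMPLE_ROWS = [
    {"actor_primary_username": "alice", "os_actor_primary_username": None,
     "causality_actor_primary_username": None},
    # os_actor is root and comes before causality_actor, so coalesce yields "root".
    {"actor_primary_username": None, "os_actor_primary_username": "root",
     "causality_actor_primary_username": "bob"},
    {"actor_primary_username": None, "os_actor_primary_username": None,
     "causality_actor_primary_username": "svc_backup"},
    # All three null: default_username becomes None. Python keeps this row because
    # None != "root" is True; confirm how your query engine treats null here.
    {"actor_primary_username": None, "os_actor_primary_username": None,
     "causality_actor_primary_username": None},
]


def default_username_query(rows: list[dict]) -> list[dict]:
    """The documented pipeline: alter with coalesce, then drop root."""
    altered = alter(rows, default_username=lambda r: coalesce(
        r["actor_primary_username"], r["os_actor_primary_username"],
        r["causality_actor_primary_username"]))
    return filter_rows(altered, lambda r: r["default_username"] != "root")
```

Note that the second row is dropped even though causality_actor_primary_username is bob: coalesce takes the first non-null value, so field order in the call decides which username wins.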