Supported Operators - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product
Cortex XDR
Creation date
2024-07-16
Last date published
2024-10-06
Category
Reference Guide
Abstract

Cortex Query Language (XQL) supports specific comparison, boolean, string, range, and tagging operators in Cortex XDR.

Cortex Query Language (XQL) queries support the following comparison, boolean, string, range, and add operators.

Operator            Description

Comparison Operators

  =, !=             Equal, Not equal
  <, <=             Less than, Less than or equal to
  >, >=             Greater than, Greater than or equal to

Boolean Operators

  and               Boolean and
  or                Boolean or
  not               Boolean not

String and Range Operators

IN, NOT IN

Returns true if the integer or string field value is one of the options specified. For example:

action_local_port in(5900,5999)

For string field values, wildcards are supported. In this example the wildcard (*) matches any sequence of characters, so the expression is true if the field value contains "word_1" or "word_2" anywhere, or is exactly the string "word":

str_field in ("*word_1*", "*word_2*", "word")

Note

In some cases, using an IN or NOT IN operator combined with a dataset and filter stage can be a better alternative to using a join stage.

CONTAINS, NOT CONTAINS

Performs a search for an integer or string value. Returns true if the specified value is contained in the field. Contains and Not Contains are also supported on array fields of integers or strings, testing whether the array holds the value. For example, with lowercase() applied first so the match is case-insensitive:

lowercase(actor_process_image_name) contains "psexec"

~=

Returns true if the field value matches the regular expression. For example, to find process images with a double extension such as invoice.pdf.exe:

action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"

INCIDR, NOT INCIDR

Performs a search for an IPv4 address or IPv4 range using CIDR notation, and returns true if the address is in range. For example:

action_remote_ip incidr "192.1.1.1/24"

Multiple CIDRs can also be given as a comma-separated list when building an XQL query with the Query Builder or in Correlation Rules. When multiple CIDRs are listed, a logical OR is applied between them: if the address falls within any one of the listed ranges, the entire statement returns true, and not incidr is the negation of that result. The incidr() function uses the same logic. For more information on how the incidr and not incidr operators evaluate to true or false, see incidr.

action_remote_ip incidr "192.168.0.0/24, 1.168.0.0/24"

INCIDR6, NOT INCIDR6

Performs a search for an IPv6 address or IPv6 range using CIDR notation, and returns true if the address is in range. For example:

action_remote_ip incidr6 "3031:3233:3435:3637:0000:0000:0000:0000/64"

Multiple CIDRs can also be given as a comma-separated list when building an XQL query with the Query Builder or in Correlation Rules. When multiple CIDRs are listed, a logical OR is applied between them: if the address falls within any one of the listed ranges, the entire statement returns true, and not incidr6 is the negation of that result. The incidr6() function uses the same logic. For more information on how the incidr6 and not incidr6 operators evaluate to true or false, see incidr6.

action_remote_ip incidr6 "2001:0db8:85a3:0000:0000:8a2e:0000:0000/64, fe80::/10"

Add Operator for Tagging

add

The add operator is used in combination with the tag command to attach a single tag or a list of tags to the query results, so that the tagged records can be easily queried in the dataset. For example:

  • Adding a Single Tag

    dataset = xdr_data
    | tag add "test"
  • Adding a List of Tags

    dataset = xdr_data
    | tag add "test1", "test2", "test3"
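The operators on this page combined into one hunting query, as an added example that is not from the Cortex XDR documentation. It keeps the field names the page uses (action_remote_ip, actor_process_image_name) and assumes a few other xdr_data fields (_time, event_type with the value ENUM.NETWORK, action_remote_port, agent_hostname, actor_process_command_line) as well as the tag names; adjust them to your schema. The comma-separated CIDR list is written in the form the page describes for the Query Builder and Correlation Rules.

```xql
// Added example (not from the Cortex XDR documentation). Fields other than
// action_remote_ip and actor_process_image_name are assumed xdr_data fields.
dataset = xdr_data
| filter event_type = ENUM.NETWORK
    // comparison and set membership: common remote-administration ports
    and action_remote_port in (22, 3389, 5985, 5986)
    // the listed CIDRs are OR-ed, so "not incidr" keeps only destinations
    // that fall in none of the private IPv4 ranges
    and action_remote_ip not incidr "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"
    // boolean or/and around the string operators; lowercase() makes the
    // contains and in matches case-insensitive
    and (
        lowercase(actor_process_image_name) contains "psexec"
        // wildcard IN: any name containing "winrm", or exactly mstsc.exe
        or lowercase(actor_process_image_name) in ("*winrm*", "mstsc.exe")
        // regular expression: a double extension such as invoice.pdf.exe
        or actor_process_image_name ~= "(?i).*\.(?:pdf|docx|xlsx)\.exe$"
    )
// tag the matching rows so they can later be found with a simple filter
| tag add "remote_admin_tool", "external_destination"
| fields _time, agent_hostname, actor_process_image_name,
         actor_process_command_line, action_remote_ip, action_remote_port
| sort desc _time
| limit 100
```

Because the three CIDRs are OR-ed before the negation, the single not incidr clause replaces three and-ed clauses and keeps a row only when the remote address is outside all of the private ranges; swap the list for your own address plan before using it.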