Tag - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product
Cortex XDR
Creation date
2024-02-26
Last date published
2024-05-21
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language tag stage that adds a single tag or list of tags to the _tag system field.

Syntax

  • Add a single tag:

    | tag add <tag name>
  • Add a list of tags:

     | tag add "<tag name1>", "<tag name2>", "<tag name3>",.....

Description

The tag stage is used in combination with the add operator to append a single tag or list of tags to the _tag system field, which you can easily query in the dataset.

Examples

In the xdr_data dataset, add a single tag called "test" to the _tag system field.

dataset = xdr_data
| tag add "test"

In the xdr_data dataset, add a list of tags, "test1", "test2", and "test3", to the _tag system field.

dataset = xdr_data
| tag add "test1", "test2", "test3"