Target - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product
Cortex XDR
Creation date
2024-02-26
Last date published
2024-05-21
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language target stage that saves query results to a dataset or lookup dataset.

Syntax

target type=dataset|lookup [append=true|false] <dataset name>

Description

The target() stage saves query results to a named dataset or lookup. These are persistent and can be used in subsequent queries. This stage must be the last stage specified in the query.

The type argument defines the type of dataset to create, when a new one needs to be created. The following types are supported:

  • dataset: A regular dataset of type USER. Use dataset if you are saving the query results for use in future queries.

  • lookup: A small lookup table with a 50MB limit. A lookup table can be used in parsing rules and downloaded as a JSON file. Use lookup if you want to export the query results to disk.

Important

A target stage that writes to the same target, whether its type argument is dataset or lookup, can be run at most 5 times per minute.

Optional Append

Use append to define whether the data from the current query should be appended to the dataset (true) or the dataset should be re-created from scratch (false). If append is omitted, the default is false, which means that after the query runs the data in an existing dataset is replaced with the new data.
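The following Python is an added example, not Cortex XDR code: it parses the target stage grammar given under Syntax, enforces the rule that target must be the last stage, and models the documented behaviours (append versus replace, the 50MB lookup limit, and the 5 writes per minute per target) in a constructed in-memory store named TargetStore. The stage splitter is a simplification that only respects double-quoted strings; it does not reproduce the full XQL grammar.

```python
"""Parse and validate the XQL `target` stage and simulate its documented rules.
Added example, not Cortex XDR code; TargetStore is a constructed stand-in."""
from __future__ import annotations
import json
import re
from dataclasses import dataclass
from typing import Optional

# Assumed grammar, taken from the Syntax section:
#   target type=dataset|lookup [append=true|false] <dataset name>
_TARGET_RE = re.compile(
    r"^target\s+type=(?P<type>dataset|lookup)"
    r"(?:\s+append=(?P<append>true|false))?"
    r"\s+(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class TargetSpec:
    type: str      # "dataset" or "lookup"
    name: str      # name of the dataset or lookup being written
    append: bool   # False when omitted (documented default: replace)


def split_stages(query: str) -> list[str]:
    """Split a query on '|' outside double-quoted strings (simplified grammar)."""
    stages, buf, in_string = [], [], False
    for ch in query:
        if ch == '"':
            in_string = not in_string
        if ch == "|" and not in_string:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def parse_target(stage: str) -> TargetSpec:
    m = _TARGET_RE.match(stage.strip())
    if m is None:
        raise ValueError(f"malformed target stage: {stage!r}")
    return TargetSpec(
        type=m["type"].lower(),
        name=m["name"],
        append=(m["append"] or "false").lower() == "true",
    )


def validate_query(query: str) -> Optional[TargetSpec]:
    """Return the TargetSpec when the query writes a target, None when it does not.
    Raises ValueError unless `target` is the single, final stage."""
    stages = split_stages(query)
    positions = [i for i, s in enumerate(stages) if s.lower().startswith("target")]
    if not positions:
        return None
    if len(positions) > 1 or positions[0] != len(stages) - 1:
        raise ValueError("target must be the last stage of the query")
    return parse_target(stages[-1])


def is_valid(query: str) -> bool:
    try:
        validate_query(query)
        return True
    except ValueError:
        return False


class TargetStore:
    """Constructed in-memory stand-in for saved datasets and lookups that applies
    the documented rules: append vs replace, 50MB lookup limit, 5 writes/minute."""
    LOOKUP_LIMIT_BYTES = 50 * 1024 * 1024
    MAX_WRITES_PER_MINUTE = 5

    def __init__(self) -> None:
        self.rows: dict[str, list[dict]] = {}
        self.write_times: dict[str, list[float]] = {}

    def write(self, spec: TargetSpec, rows: list[dict], now: float) -> int:
        """Write rows to spec.name at time `now` (seconds); return rows stored afterwards."""
        recent = [t for t in self.write_times.get(spec.name, []) if now - t < 60]
        if len(recent) >= self.MAX_WRITES_PER_MINUTE:
            raise RuntimeError(f"{spec.name}: more than {self.MAX_WRITES_PER_MINUTE} writes per minute")
        new_rows = (self.rows.get(spec.name, []) + rows) if spec.append else list(rows)
        if spec.type == "lookup" and len(json.dumps(new_rows).encode()) > self.LOOKUP_LIMIT_BYTES:
            raise RuntimeError(f"{spec.name}: lookup would exceed the 50MB limit")
        self.rows[spec.name] = new_rows
        self.write_times[spec.name] = recent + [now]
        return len(new_rows)

    def try_write(self, spec: TargetSpec, rows: list[dict], now: float) -> bool:
        """Same as write(), but report rejection as False instead of raising."""
        try:
            self.write(spec, rows, now)
            return True
        except RuntimeError:
            return False


if __name__ == "__main__":
    q = "dataset = xdr_data | fields action_boot_time as abt | filter abt != null | target type=dataset abt_dataset"
    print(validate_query(q))
```

validate_query returns None for a query without a target stage, so it can be run over saved queries to list which of them write datasets and whether they append or replace; the rate-limit check in TargetStore uses a sliding 60-second window keyed by target name, matching the per-target wording of the Important note.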

Example 1

Save the results of a simple query to a named dataset.

dataset = xdr_data 
| fields action_boot_time as abt
| filter abt != null
| target type=dataset abt_dataset

Subsequently, you can query the new dataset. Notice that the field names used by the new dataset conform to the aliases that you used when you created the dataset:

dataset = abt_dataset 
| filter abt = 1603986614040

Example 2

The following example creates a dataset with the number of agents per country.

dataset = xdr_data
| fields agent_id,  action_country
| comp count_distinct(agent_id) as count by action_country
| target type=dataset append=false agents_per_country

This results in the following XQL JSON:

{
    "tables": [
        "xdr_data"
    ],
    "original_query": "\ndataset=xdr_data\n| fields agent_id,  action_country \n| comp count_distinct(agent_id) as count by action_country\n| target type=dataset append=false agents_per_country\n",
    "stages": [
        {
            "FIELD_SELECT": {
                "fields": [
                    {
                        "name": "agent_id",
                        "as": null
                    },
                    {
                        "name": "action_country",
                        "as": null
                    }
                ],
                "exclude": []
            }
        },
        {
            "GROUP": {
                "aggregations": [
                    {
                        "function": "count_distinct",
                        "parameters": [
                            "$agent_id"
                        ],
                        "name": "count"
                    }
                ],
                "key": [
                    "action_country"
                ]
            }
        }
    ],
    "output": [
        {
            "TARGET": {
                "type": "dataset",
                "target": "agents_per_country",
                "append": false
            }
        }
    ]
}
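A small inspector for that compiled JSON, added here as an example that is not part of the Cortex XDR page or product: the embedded sample is a constructed, valid-JSON copy of the structure shown for Example 2, and the functions report what the query reads, which stages it runs, what it writes (and whether it appends or replaces), and the field names the saved dataset will carry, which is the aliasing behaviour noted under Example 1.

```python
"""Walk the compiled XQL JSON of a query and report what it reads, computes and writes.
Added example, not Cortex XDR code; it expects the JSON shape shown above."""
from __future__ import annotations
import json
from typing import Optional

# Constructed sample: Example 2's compiled form as valid JSON (null/false, escaped newlines).
COMPILED_EXAMPLE = json.loads(r'''
{
  "tables": ["xdr_data"],
  "original_query": "\ndataset=xdr_data\n| fields agent_id, action_country\n| comp count_distinct(agent_id) as count by action_country\n| target type=dataset append=false agents_per_country\n",
  "stages": [
    {"FIELD_SELECT": {"fields": [{"name": "agent_id", "as": null},
                                 {"name": "action_country", "as": null}],
                      "exclude": []}},
    {"GROUP": {"aggregations": [{"function": "count_distinct",
                                 "parameters": ["$agent_id"], "name": "count"}],
               "key": ["action_country"]}}
  ],
  "output": [{"TARGET": {"type": "dataset", "target": "agents_per_country", "append": false}}]
}
''')


def stage_names(compiled: dict) -> list[str]:
    """Each stage is a one-key object whose key is the stage kind (FIELD_SELECT, GROUP, ...)."""
    return [next(iter(stage)) for stage in compiled.get("stages", [])]


def target_spec(compiled: dict) -> Optional[dict]:
    """The TARGET entry lives under "output", not "stages"; return it or None."""
    for entry in compiled.get("output", []):
        if "TARGET" in entry:
            t = entry["TARGET"]
            return {"type": t["type"], "target": t["target"], "append": bool(t.get("append", False))}
    return None


def output_fields(compiled: dict) -> list[str]:
    """Field names the saved dataset will carry: aliases win over source names in a
    FIELD_SELECT, and a GROUP stage yields its keys plus the aggregation names."""
    fields: list[str] = []
    for stage in compiled.get("stages", []):
        if "FIELD_SELECT" in stage:
            fields = [f["as"] or f["name"] for f in stage["FIELD_SELECT"]["fields"]]
        elif "GROUP" in stage:
            group = stage["GROUP"]
            fields = list(group["key"]) + [agg["name"] for agg in group["aggregations"]]
    return fields


def overwrites_own_source(compiled: dict) -> bool:
    """Flag a query that replaces (append=false) a dataset it also reads from,
    which is worth a second look in review because the source data would be lost."""
    spec = target_spec(compiled)
    return spec is not None and not spec["append"] and spec["target"] in compiled.get("tables", [])


def summarize(compiled: dict) -> str:
    reads = ", ".join(compiled.get("tables", []))
    spec = target_spec(compiled)
    if spec is None:
        return f"reads {reads}; no target written"
    mode = "append" if spec["append"] else "replace"
    return (f"reads {reads}; stages {'>'.join(stage_names(compiled))}; "
            f"writes {spec['type']} {spec['target']} ({mode}) with fields {output_fields(compiled)}")


if __name__ == "__main__":
    print(summarize(COMPILED_EXAMPLE))
```

Because the stage list is ordered, output_fields keeps only the last projection it sees, which is why the GROUP stage's keys and aggregation names replace the earlier field selection for Example 2.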