View - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product
Cortex XDR
Creation date
2023-10-31
Last date published
2024-03-27
Category
Reference Guide
Abstract

Lear more about the Cortex Query Language view stage that configures the display of the result set.

Syntax

view highlight fields = <field1>[,<field2>,...] values = <value1>[,<value2>,...]
view graph type = column|line|pie xaxis = <field1>
     yaxis = <field2> [<optional parameters>]
view column order = default|populated

Description

The view() stage configures the display of the result set in the following ways:

  • highlight: Highlights specified strings that Cortex XDR finds on specified fields. The highlight values that you provide are performed as a substring search, so only partial value can be highlighted in the final results table.

  • graph type: Creates a column, line, or pie chart based on the values found for the fields specified in the xaxis and yaxis parameters. In this mode, view also offers a large number of parameters that allow you to control colors, decorations, and other behavior used for the final chart. You can also define a graph subtype, when setting the graph type to either column or pie.

    Note

    If you use graph type, the fields specified for xaxis and yaxis must be collatable or the query will fail.

  • column order: Enables you to list the query results by popularity, where the most non-null returned fields are displayed first using the syntax view column order = populated. By default, if column order is not defined (or view column order=default), the original column order is used.

    Note

    This option does not apply to Cortex Query Language (XQL) queries in widgets, Correlation Rules, public APIs, reports, and dashboards. If you include the view column order syntax in these types of queries, Cortex XDR disregards the stage from the query and completes the rest of the query.

Examples

Use the dedup stage collect unique combinations of event_type and event_sub_type values. Highlight the word "STREAM" when it appears in the result set.

dataset = xdr_data 
| fields event_type, event_sub_type 
| dedup event_type, event_sub_type by asc _time 
| view highlight fields = event_sub_type values = "STREAM"

Count the number of unique files accessed by each user, and show a column graph of the results. This query uses comp count_distinct to calculate the number of unique files per username.

dataset = xdr_data 
| fields actor_effective_username as username, action_file_path as file_path 
| filter file_path != null and username != null 
| comp count_distinct(file_path) as file_count by username 
| view graph type = column xaxis = username yaxis = file_count

Count the number of unique files accessed by each user, and display the results by popularity according to the most non-null values returned fields. This query uses comp count_distinct to calculate the number of unique files per username.

dataset = xdr_data 
| fields actor_effective_username as username, action_file_path as file_path 
| filter file_path != null and username != null 
| comp count_distinct(file_path) as file_count by username 
| view column order = populated