Learn more about the Cortex Query Language case_sensitive config stage.
Syntax
config case_sensitive = true | false
Description
The case_sensitive configuration identifies whether field values are evaluated as case sensitive or case insensitive. The config case_sensitive stage must be added at the beginning of the query. You can also add another config case_sensitive stage when adding a Join or Union stage to a query.
If you do not provide this stage in your query, the default behavior is false, and case is not considered when evaluating field values.
Note
The → → → setting can overwrite this case_sensitive configuration for all fields in the application except for BIOCs, which will remain case insensitive no matter what this setting is set to. Move the toggle to the left to apply case sensitivity or leave the toggle to the right to keep case insensitivity as the default setting.
From Cortex XDR version 3.3, the default case sensitivity setting was changed to case insensitive (config case_sensitive = false). If you've been using Cortex XDR before this version was released, the default case sensitivity setting is still configured to be case sensitive (config case_sensitive = true).
The config case_sensitive stage can't be used to compare a field to an inner query. In this situation, make sure to use the lowercase or uppercase functions on both the field and the inner query.
Example 1.
This query won't provide the correct results of comparing the agent_hostname field with the inner query:
config case_sensitive = false | dataset = xdr_data | fields agent_hostname | filter agent_hostname in (dataset = <lookup dataset> | fields agent_hostname)
This query will provide the correct output:
config case_sensitive = false | dataset = xdr_data | fields agent_hostname | filter lowercase(agent_hostname) in (dataset = <lookup dataset> | alter lower_agent_hostname = lowercase(agent_hostname) | fields lower_agent_hostname)
Examples
config case_sensitive = true | dataset = xdr_data | fields actor_process_image_name as apin | filter apin != NULL and apin contains "python" | limit 100