case_sensitive - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Cortex XDR
Creation date
Last date published
Reference Guide

Learn more about the Cortex Query Language case_sensitive config stage.

config case_sensitive = true | false

The case_sensitive configuration identifies whether field values are evaluated as case sensitive or case insensitive. The config case_sensitive stage must be added at the beginning of the query. You can also add another config case_sensitive stage when adding a Join or Union stage to a query.

If you do not provide this stage in your query, the default behavior is false, and case is not considered when evaluating field values.


  • The SettingsConfigurationsXQL ConfigurationCase Sensitivity (case_sensitive) setting can overwrite this case_sensitive configuration for all fields in the application except for BIOCs, which will remain case insensitive no matter what this setting is set to. Move the toggle to the left to apply case sensitivity or leave the toggle to the right to keep case insensitivity as the default setting.

  • From Cortex XDR version 3.3, the default case sensitivity setting was changed to case insensitive (config case_sensitive = false). If you've been using Cortex XDR before this version was released, the default case sensitivity setting is still configured to be case sensitive (config case_sensitive = true).

config case_sensitive = true 
| dataset = xdr_data 
| fields actor_process_image_name as apin 
| filter apin != NULL and apin contains "python" 
| limit 100