Learn more about the Cortex Query Language case_sensitive config stage.
Syntax
config case_sensitive = true | false
Description
The case_sensitive configuration identifies whether field values are evaluated as case sensitive or case insensitive. The config case_sensitive stage must be added at the beginning of the query. You can also add another config case_sensitive stage when adding a Join or Union stage to a query.
If you do not provide this stage in your query, the default behavior is false, and case is not considered when evaluating field values.
Note
The → → → setting can overwrite this
case_sensitiveconfiguration for all fields in the application except for BIOCs, which will remain case insensitive no matter what this setting is set to. Move the toggle to the left to apply case sensitivity or leave the toggle to the right to keep case insensitivity as the default setting.From Cortex XDR version 3.3, the default case sensitivity setting was changed to case insensitive (
config case_sensitive = false). If you've been using Cortex XDR before this version was released, the default case sensitivity setting is still configured to be case sensitive (config case_sensitive = true).
Examples
config case_sensitive = true | dataset = xdr_data | fields actor_process_image_name as apin | filter apin != NULL and apin contains "python" | limit 100