extract_url_pub_suffix - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-02-26
Last date published: 2024-04-21
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language extract_url_pub_suffix() function.

Syntax

extract_url_pub_suffix ("<URL>")

Description

The extract_url_pub_suffix() function returns the public suffix of the URL, such as com, org, or net. The function always returns a value in lowercase characters even if the URL provided contains uppercase characters.

Example

Output examples when using the function

Returns com for the following URL: https://paloaltonetworks.com

extract_url_pub_suffix ("https://paloaltonetworks.com")

Returns com for the following URL, which also contains subdomains and path segments: https://www.test.paloaltonetworks.com/suffix/another_suffix

extract_url_pub_suffix ("https://www.test.paloaltonetworks.com/suffix/another_suffix")

Complete XQL Query Example

Returns one xdr_data record in the results table where the public suffix of the URL https://paloaltonetworks.com is listed in the URL_PUB_SUFFIX column as com.

dataset = xdr_data 
| alter url_pub_suffix = extract_url_pub_suffix("https://paloaltonetworks.com") 
| fields url_pub_suffix 
| limit 1
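
The query below is an added example, not part of the original reference page. It applies extract_url_pub_suffix() to recorded network events rather than a literal string, so an analyst can list the least common public suffixes that endpoints connect to. It assumes that the xdr_data fields event_type, action_external_hostname and agent_hostname are populated in your tenant, and it prepends a scheme with concat() so the function receives a URL in the same form as the examples above.

```xql
// Added example: outbound connections grouped by public suffix, rarest first.
// Assumption: action_external_hostname holds the destination hostname of
// network events; "https://" is prepended only to form a URL string.
dataset = xdr_data
| filter event_type = ENUM.NETWORK and action_external_hostname != null
| alter url_pub_suffix = extract_url_pub_suffix(concat("https://", action_external_hostname))
// Drop the suffixes this page lists as typical so uncommon ones stand out.
| filter url_pub_suffix not in ("com", "org", "net")
| comp count() as connections, count_distinct(agent_hostname) as hosts by url_pub_suffix
| sort asc connections
| limit 50
```

Because the function always returns lowercase values, the suffix list in the filter stage only needs lowercase entries.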