first_value - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product
Cortex XDR
Creation date
2024-07-16
Last date published
2024-11-25
Category
Reference Guide
Document status
Retiring
Replacement document
/r/Cortex-XDR/Cortex-XDR-Documentation/Cortex-XDR-XQL
Abstract

Learn more about the Cortex Query Language first_value() navigation function that is used with a windowcomp stage.

Syntax

windowcomp first_value(<field>) [by <field> [,<field>,...]] sort [asc|desc] <field1> [, [asc|desc] <field2>,...] [between 0|null|<number>|-<number> [and 0|null|<number>|-<number>] [frame_type=range]] [as <alias>]

Description

The first_value() function is a navigation function used in combination with a windowcomp stage. For each row, it returns the value of the specified field from the first row of that row's window frame. The frame is built from the rows that share the values of the fields listed in the optional by clause (the partition), ordered by the mandatory sort clause, and bounded by the optional between clause. With between null and null the frame is unbounded in both directions, so every row in a partition receives the same value: the field value of the partition's first row in sort order.

Example

Return, for each successful authentication, the first IP address that the same user authenticated from successfully on the same day. Note that the limit stage runs before the windowcomp stage, so the window is computed over at most 100 rows; move limit after windowcomp to compute the first value over the full result set.

preset = authentication_story
| filter auth_identity not in (null, """""") and auth_outcome = """SUCCESS""" and action_country != UNKNOWN
| alter et = to_epoch(_time), t = _time
| bin t span = 1d
| limit 100
| windowcomp first_value(action_local_ip) by auth_identity, t sort asc et between null and null as first_action_local_ip
| fields auth_identity, *action_local_ip
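To make the window-frame semantics concrete, the following Python model re-implements the query above over a handful of constructed authentication rows and then shows a bounded frame (between -1 and 0) that turns first_value() into a "previous login IP" detection. This is an added illustration, not Cortex XDR code or an XQL engine: the row-offset frame semantics (negative = preceding rows, positive = following rows, null = unbounded), the treatment of bin span = 1d as a UTC day floor, and the omission of the action_country filter and of frame_type=range are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed sample authentication events (not real telemetry), shaped like
# the fields the page's query uses. One FAILURE row and one row with an empty
# identity are included so the filter stage has something to drop.
ROWS = [
    {"auth_identity": "alice", "_time": "2024-07-16T08:00:00Z", "auth_outcome": "SUCCESS", "action_local_ip": "10.0.0.5"},
    {"auth_identity": "alice", "_time": "2024-07-16T09:30:00Z", "auth_outcome": "SUCCESS", "action_local_ip": "10.0.0.7"},
    {"auth_identity": "alice", "_time": "2024-07-17T07:15:00Z", "auth_outcome": "SUCCESS", "action_local_ip": "192.168.1.20"},
    {"auth_identity": "bob",   "_time": "2024-07-16T12:00:00Z", "auth_outcome": "SUCCESS", "action_local_ip": "10.0.0.9"},
    {"auth_identity": "bob",   "_time": "2024-07-16T11:00:00Z", "auth_outcome": "SUCCESS", "action_local_ip": "10.0.0.8"},
    {"auth_identity": "bob",   "_time": "2024-07-16T10:00:00Z", "auth_outcome": "FAILURE", "action_local_ip": "203.0.113.4"},
    {"auth_identity": "",      "_time": "2024-07-16T10:30:00Z", "auth_outcome": "SUCCESS", "action_local_ip": "203.0.113.5"},
]


def to_epoch(ts):
    """Stand-in for to_epoch(_time): ISO-8601 UTC timestamp -> epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def bin_day(epoch):
    """Stand-in for `bin t span = 1d` (assumed: floor to the start of the UTC day)."""
    return epoch - epoch % 86400


def windowcomp_first_value(rows, field, by, sort_key, asc=True,
                           between=(None, None), alias="first_value"):
    """Model of `windowcomp first_value(<field>) by ... sort ... between ... as <alias>`.

    Assumed row-offset frame semantics: the frame of the current row spans from
    `start` to `end` rows relative to it (negative = preceding, positive =
    following, None = unbounded). first_value() is the field value of the
    frame's first row. frame_type=range is not modelled.
    """
    start, end = between
    partitions = {}
    for r in rows:                       # partition on the `by` fields
        partitions.setdefault(tuple(r[k] for k in by), []).append(r)
    out = []
    for part in partitions.values():
        ordered = sorted(part, key=lambda r: r[sort_key], reverse=not asc)
        n = len(ordered)
        for i, r in enumerate(ordered):
            lo = 0 if start is None else max(0, i + start)
            hi = n if end is None else min(n, i + end + 1)
            frame = ordered[lo:hi]
            out.append({**r, alias: frame[0][field] if frame else None})
    return out


def filter_successful(rows):
    """The page's filter stage: non-empty identity and a SUCCESS outcome
    (the action_country condition is omitted from the constructed rows)."""
    return [r for r in rows
            if r["auth_identity"] not in (None, "") and r["auth_outcome"] == "SUCCESS"]


def first_ip_per_identity_per_day(rows):
    """The page's query: first successful source IP per identity per day.
    Returns (auth_identity, action_local_ip, first_action_local_ip) tuples."""
    enriched = []
    for r in filter_successful(rows):    # alter et = to_epoch(_time), t = _time | bin t span = 1d
        et = to_epoch(r["_time"])
        enriched.append({**r, "et": et, "t": bin_day(et)})
    computed = windowcomp_first_value(enriched, "action_local_ip",
                                      by=("auth_identity", "t"), sort_key="et",
                                      asc=True, between=(None, None),
                                      alias="first_action_local_ip")
    computed.sort(key=lambda r: (r["auth_identity"], r["et"]))
    return [(r["auth_identity"], r["action_local_ip"], r["first_action_local_ip"])
            for r in computed]


def ip_changed_since_previous_login(rows):
    """Bounded frame (between -1 and 0): first_value() is the previous login's IP,
    or the current IP for an identity's first login. Rows where the two differ
    flag an identity authenticating from a new address. Returns
    (auth_identity, previous_ip, action_local_ip) tuples."""
    enriched = [{**r, "et": to_epoch(r["_time"])} for r in filter_successful(rows)]
    computed = windowcomp_first_value(enriched, "action_local_ip",
                                      by=("auth_identity",), sort_key="et",
                                      between=(-1, 0), alias="previous_ip")
    computed.sort(key=lambda r: (r["auth_identity"], r["et"]))
    return [(r["auth_identity"], r["previous_ip"], r["action_local_ip"])
            for r in computed if r["previous_ip"] != r["action_local_ip"]]


if __name__ == "__main__":
    for row in first_ip_per_identity_per_day(ROWS):
        print(row)
    for row in ip_changed_since_previous_login(ROWS):
        print("changed:", row)
```

The unbounded frame gives every row of a (user, day) partition the same first_action_local_ip, which is what the page's query reports; narrowing the frame to the preceding row and the current row is the same function doing lag-style work, and comparing its output with the current row is a simple "new source address for this user" check.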