json_extract_array - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-02-26
Last date published: 2024-05-21
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language json_extract_array() function that accepts a string representing a JSON array, and returns an XQL-native array.

Important

Before using this JSON function, it's important that you understand how Cortex XDR treats JSON in the Cortex Query Language. For more information, see JSON Functions.

Syntax

json_extract_array(<json_array_string>, <json_path>)

When a field name in the <json_path> contains special characters, such as a dot (.) or a colon (:), use the bracket syntax:

json_extract_array(<json_array_string>, "['<json_field>']")

To make it easier for you to write your XQL queries, you can also use the following syntactic sugar format.

<json_array_string> -> <json_path>[]

When a field name in the <json_path> contains special characters, such as a dot (.) or a colon (:), use the bracket syntax:

<json_array_string> -> ["<json_field>"][]

Description

The json_extract_array() function accepts a string representing a JSON array, and returns an XQL-native array. To convert a string field to a JSON object, use the to_json_string function.

Examples

Extract the first IPv4 address found in the first element of the agent_interface_map array.

dataset = xdr_data
| fields agent_interface_map as aim
| alter ipv4 = json_extract_array(to_json_string(arrayindex(aim, 0)), "$.ipv4")
| filter aim != null
| limit 10

The same example, written in the syntactic sugar format.

dataset = xdr_data
| fields agent_interface_map as aim
| alter ipv4 = to_json_string(aim)->[0].ipv4[0]
| filter aim != null
| limit 10
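As an added illustration (not Cortex XDR's own code), the following Python resolves the two path forms documented under Syntax and used in the examples above against a constructed JSON string shaped like an agent_interface_map element list, and reproduces why a key that contains a dot needs the bracket form. The sample data, the json_extract helper and the simplified path grammar are assumptions for this illustration, not XQL internals.

```python
import json
import re

# Constructed sample (not real telemetry): a JSON string shaped like an
# agent_interface_map array, with one key that contains a dot.
SAMPLE_JSON = json.dumps([
    {"ipv4": ["10.0.0.5", "10.0.0.6"], "mac": "00:11:22:33:44:55",
     "dns.suffix": "corp.example"},
    {"ipv4": ["192.168.1.10"], "mac": "66:77:88:99:aa:bb"},
])

# One path step: .name  |  [index]  |  ['quoted.name'] / ["quoted.name"]
_STEP = re.compile(r"""\.(\w+)|\[(\d+)\]|\[(['"])(.+?)\3\]""")

def parse_path(json_path):
    """Turn '$.ipv4', '[0].ipv4[0]' or "['dns.suffix']" into a list of steps."""
    path = json_path[1:] if json_path.startswith("$") else json_path
    steps, pos = [], 0
    while pos < len(path):
        m = _STEP.match(path, pos)
        if not m:
            raise ValueError(f"unsupported path syntax at offset {pos}: {json_path!r}")
        name, index, _quote, quoted = m.groups()
        steps.append(int(index) if index is not None else (name or quoted))
        pos = m.end()
    return steps

def json_extract(json_string, json_path):
    """Walk the parsed JSON along the path; None if any step is missing (assumed helper)."""
    node = json.loads(json_string)
    for step in parse_path(json_path):
        if isinstance(step, int) and isinstance(node, list) and step < len(node):
            node = node[step]
        elif isinstance(step, str) and isinstance(node, dict) and step in node:
            node = node[step]
        else:
            return None
    return node

def json_extract_array(json_array_string, json_path):
    """Mirrors the XQL function's contract: the value at the path, only if it is an array."""
    value = json_extract(json_array_string, json_path)
    return value if isinstance(value, list) else None

if __name__ == "__main__":
    print(json_extract_array(SAMPLE_JSON, "$[0].ipv4"))      # ['10.0.0.5', '10.0.0.6']
    print(json_extract(SAMPLE_JSON, "[0].ipv4[0]"))           # 10.0.0.5
    print(json_extract(SAMPLE_JSON, "$[0].dns.suffix"))       # None: read as dns -> suffix
    print(json_extract(SAMPLE_JSON, "$[0]['dns.suffix']"))    # corp.example
```

Note that "$.ipv4" applied to the whole array string yields None here, which is why the page's first query indexes the array with arrayindex(aim, 0) before extracting.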