lag - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-07-16
Last date published: 2024-10-06
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language lag() navigation function that is used with a windowcomp stage.

Syntax

windowcomp lag(<field>) [by <field> [,<field>,...]] sort [asc|desc] <field1> [, [asc|desc] <field2>,...] [as <alias>]

Description

The lag() function is a navigation function that is used in combination with a windowcomp stage. For each row in a group of rows, it returns the value of the specified field from the immediately preceding row of that group. The groups are formed by the optional by clause, and the order of rows within each group is defined by the sort clause, which is mandatory; the first row of each group has no preceding row and therefore receives a null value.

Example

For each successful login event, retrieve the timestamp of the same identity's previous successful login.

preset = authentication_story
| filter auth_identity not in (null, """""") and auth_outcome = """SUCCESS"""
| alter ep = to_epoch(_time)
| limit 100
| windowcomp lag(_time) by auth_identity sort asc ep as previous_login
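To make the semantics of the stage concrete, the following is an added Python model of the query above; it is not Cortex XDR code, and the authentication rows, the to_epoch helper and the windowcomp_lag function are constructed for this illustration.

```python
from datetime import datetime
from itertools import groupby
from operator import itemgetter

# Constructed sample rows standing in for the authentication_story preset.
# _time is an ISO-8601 string; the query derives ep from it with to_epoch().
SAMPLE_EVENTS = [
    {"_time": "2024-07-16T08:00:00Z", "auth_identity": "alice", "auth_outcome": "SUCCESS"},
    {"_time": "2024-07-16T08:05:00Z", "auth_identity": "bob",   "auth_outcome": "FAILURE"},
    {"_time": "2024-07-16T09:30:00Z", "auth_identity": "alice", "auth_outcome": "SUCCESS"},
    {"_time": "2024-07-16T07:45:00Z", "auth_identity": "bob",   "auth_outcome": "SUCCESS"},
    {"_time": "2024-07-16T10:00:00Z", "auth_identity": "",      "auth_outcome": "SUCCESS"},
    {"_time": "2024-07-16T11:00:00Z", "auth_identity": "bob",   "auth_outcome": "SUCCESS"},
]


def to_epoch(ts):
    """Constructed stand-in for XQL to_epoch(): ISO timestamp -> Unix seconds."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def windowcomp_lag(rows, field, by, sort_key, alias, descending=False):
    """Model of `windowcomp lag(<field>) by <by> sort [asc|desc] <sort_key> as <alias>`.

    Rows are partitioned by `by`, each partition is ordered by `sort_key`, and
    `alias` receives `field` from the immediately preceding row of the partition
    (None on the first row, since it has no predecessor)."""
    out = []
    for _, partition in groupby(sorted(rows, key=itemgetter(by)), key=itemgetter(by)):
        prev = None
        for row in sorted(partition, key=itemgetter(sort_key), reverse=descending):
            out.append({**row, alias: prev})
            prev = row[field]
    return out


def previous_logins(events):
    """Apply the stages of the example query in order: filter, alter, limit, windowcomp."""
    rows = [dict(e, ep=to_epoch(e["_time"])) for e in events
            if e["auth_identity"] not in (None, "") and e["auth_outcome"] == "SUCCESS"]
    rows = rows[:100]  # limit 100 runs before the window, so only these rows are compared
    return windowcomp_lag(rows, "_time", "auth_identity", "ep", "previous_login")
```

Because the limit stage precedes windowcomp in the query, previous_login is computed only over the rows that survive the limit, not over the whole dataset; the model reproduces that ordering with rows[:100].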