replex - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-02-26
Last date published: 2024-05-21
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language replex() function, which uses a regular expression to identify and replace substrings.

Syntax

replex(<string>, <pattern>, <new_string>)

Description

The replex() function accepts a string, uses a regular expression to identify every substring that matches the pattern, and replaces each matching substring with the new string.

XQL uses RE2 for its regular expression implementation.

Examples

For any agent_id that contains a dotted-decimal IP address, mask the IP address. Use the dedup stage to reduce the result set to first-seen agent_id values.

dataset = xdr_data
| fields agent_id
| alter clean_agent_id = replex(agent_id,
                              "[\d]+\.[\d]+\.[\d]+\.[\d]+",
                              "xxx.xxx.xx.xx")
| dedup agent_id by asc _time
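The following is an added example, not part of this reference page and not Cortex XDR code: a small Python model of what the query above does, so the behaviour of the pattern can be checked offline before it is run against real telemetry. It assumes that Python's re module handles this simple pattern the same way RE2 does, that replex() replaces every match rather than only the first, and that "dedup agent_id by asc _time" keeps the row with the smallest _time per agent_id. The STRICT_IP_PATTERN and the sample rows are constructed for illustration and are not from the page.

```python
import re
from typing import Dict, List

# Pattern and mask copied from the page's XQL example.
IP_PATTERN = r"[\d]+\.[\d]+\.[\d]+\.[\d]+"
MASK = "xxx.xxx.xx.xx"

# Assumed, stricter alternative (not from the page): four octets in 0-255,
# bounded by \b so digit runs inside longer numbers do not match.
# RE2 supports \b and non-capturing groups, so this is valid there too.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_IP_PATTERN = r"\b" + _OCTET + r"(?:\." + _OCTET + r"){3}\b"

# Constructed sample rows, not real Cortex XDR telemetry. _time values are
# arbitrary integers; only their relative order matters for dedup.
SAMPLE_ROWS: List[Dict] = [
    {"_time": 300, "agent_id": "host-10.0.0.6"},
    {"_time": 100, "agent_id": "host-10.0.0.5"},
    {"_time": 200, "agent_id": "host-10.0.0.5"},
    {"_time": 400, "agent_id": "srv-192.168.1.20"},
    {"_time": 500, "agent_id": "laptop-no-ip"},
    {"_time": 600, "agent_id": "build-1.2.3.999-ver"},  # looks like an IP but is not one
]


def replex(value: str, pattern: str, new_string: str) -> str:
    """Model of XQL replex(): replace every substring of `value` that
    matches `pattern` with `new_string`. Assumes all-occurrence semantics."""
    return re.sub(pattern, new_string, value)


def dedup_first_seen(rows: List[Dict], key: str, time_field: str) -> List[Dict]:
    """Model of `| dedup <key> by asc <time_field>`: keep, for each key value,
    the row with the earliest time. Output order is first-seen order."""
    first: Dict[str, Dict] = {}
    for row in sorted(rows, key=lambda r: r[time_field]):
        first.setdefault(row[key], row)
    return list(first.values())


def mask_pipeline(rows: List[Dict], pattern: str = IP_PATTERN) -> List[Dict]:
    """Model of the page's query. The `fields` stage is represented by
    projecting agent_id (keeping _time here so dedup can order on it),
    `alter` adds clean_agent_id, and `dedup` keeps the first-seen agent_id.

    Note that dedup keys on the raw agent_id, not on clean_agent_id, so two
    distinct IDs that mask to the same string are both retained."""
    projected = [{"_time": r["_time"], "agent_id": r["agent_id"]} for r in rows]
    altered = [
        dict(r, clean_agent_id=replex(r["agent_id"], pattern, MASK))
        for r in projected
    ]
    return dedup_first_seen(altered, "agent_id", "_time")


if __name__ == "__main__":
    print("page pattern:")
    for row in mask_pipeline(SAMPLE_ROWS):
        print(f"  {row['_time']:>4}  {row['agent_id']:<22} -> {row['clean_agent_id']}")
    print("strict pattern:")
    for row in mask_pipeline(SAMPLE_ROWS, STRICT_IP_PATTERN):
        print(f"  {row['_time']:>4}  {row['agent_id']:<22} -> {row['clean_agent_id']}")
```

Running the model shows the point worth checking before masking for privacy or for sharing results: the page's pattern masks any four dot-separated runs of digits, so a version-like string such as 1.2.3.999 is also rewritten, while the stricter pattern leaves it alone and still masks the real addresses. It also shows that dedup runs on the original agent_id, so host-10.0.0.5 and host-10.0.0.6 both survive even though their masked values are identical.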