Considerations for using Query Builder templates - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-12-04
Category
Administrator Guide
Abstract

Learn more about using filtering fields and operators in Query Builder templates.

The following sections provide information and considerations for using Query Builder templates.

The following general considerations apply to Query Builder templates:

  • The templates run on the following datasets by default:

    • Basic, Identity, Endpoint, and Network templates: xdr_data

    • Cloud template: cloud_audit_logs

    It is also possible to run the templates on all datasets.

  • The query uses an AND operator between the filtering fields.

  • Separate multiple values with pipes and do not add spaces between the value and the pipe.

  • Some of the filtering fields are aliases and therefore search all fields that are associated with the alias.

  • Fields with dropdown options support ENUMs and free text values.

  • In IP address fields, you can also specify subnets.

  • The asterisk (*) wildcard is supported, except in subnet values.

  • You cannot remove the predefined fields, but you can leave them blank.

  • When filtering integer and float fields, you can only specify two operators from the four available options.

Filtering fields support the = (equal to) and != (not equal to) operators, and you can specify both operators for the same field. The following conditions apply to these operators:

  • If you specify multiple values for a field with the = operator, the OR operator is applied. For example, User Name = aaa|bbb searches for instances of user name equal to aaa OR bbb.

  • If you specify multiple values for a field with the != operator, the AND operator is applied. For example, User Name != aaa|bbb searches for instances of user name not equal to aaa AND bbb.

  • If you specify both operators (= and !=) for the same field, the AND operator is applied. For example, COUNTRY = Empty values AND COUNTRY != USA.

Filtering fields support the >= (greater than and equal) and <= (less than and equal) operators, and you can specify both operators for the same field. The following conditions apply to these operators:

  • Cortex XSIAM supports using these operators for integer and float fields.

  • Empty values are not supported with these operators.

You can use the Empty values field to include or exclude fields with empty values and strings. In the search results, some fields might return empty values. This occurs if no data is mapped to a field. The following conditions apply to the Empty values field:

  • If you specify = and select Empty values, the query includes fields with empty values with an OR operator.

    For example, _vendor = aaa OR _vendor = Empty values searches the _vendor field for any instances of aaa or empty values.

  • If you specify != and select Empty values, the query excludes fields with empty values with an AND operator.

    For example, _vendor != aaa AND _vendor != Empty values searches the _vendor field for values that are not equal to aaa AND do not contain empty values.

  • If you specify != and select Empty values for an alias, you might not receive any results. The query searches all of the fields associated with the alias for non-empty values. If any of the associated fields contain empty values, no results are returned.

    For example, User Name != aaa AND User Name != Empty values searches the User Name alias fields for values that are not equal to aaa AND empty values. If the query finds either aaa or empty values in any of the alias fields, no results are returned.