Supported operators - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-11-07
Category: Administrator Guide

Abstract: Cortex Query Language supports specific comparison, boolean, and set operators in Cortex XSIAM.

Cortex Query Language (XQL) queries support the following comparison, boolean, string, range, and add operators.

Operator

Description

Comparison operators

=, !=

Equal, Not equal

<, <=

Less than, Less than or equal to

>, >=

Greater than, Greater than or equal to

Boolean operators

and

Boolean and

or

Boolean or

not

Boolean not

String and range operators

IN, NOT IN

Returns true if the integer or string field value is one of the options specified. For example:

action_local_port in(5900,5999)

For string field values, wildcards are supported. In this example a wildcard (*) is used to search if the value contains the strings "word_1" or "word_2" anywhere in the output, or exactly matches the string "word":

str_field in ("*word_1*", "*word_2*", "word")

Note

In some cases, using an IN or NOT IN operator combined with a dataset and filter stage can be a better alternative to using a join stage.

CONTAINS, NOT CONTAINS

Performs a search for an integer or string. Returns true if the specified string is contained in the field. Contains and Not Contains are also supported within arrays for integers and strings.

Example 107. 
lowercase(actor_process_image_name) contains "psexec"

~=

Matches a regular expression.

Example 108. 
action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"

INCIDR, NOT INCIDR

Performs a search for an IPv4 address or IPv4 range using CIDR notation, and returns true if the address is in range.

Example 109. 
action_remote_ip incidr "192.1.1.1/24"

It is also possible to define multiple CIDRs with comma-separated syntax when building an XQL query with the Query Builder or in Correlation Rules. When defining multiple CIDRs, a logical OR is applied between the CIDRs listed, so as long as the address is in at least one of the ranges the entire statement returns true. The same logic is used by the incidr() function. For more information on how this logic determines whether the incidr or not incidr operators return true or false, see incidr.

Example 110. 
action_remote_ip incidr "192.168.0.0/24, 1.168.0.0/24"

Both the IPv4 address and CIDR ranges can be either an explicit string using quotes (""), such as "192.168.0.1", or a string field.

INCIDR6, NOT INCIDR6

Performs a search for an IPv6 address or IPv6 range using CIDR notation, and returns true if the address is in range.

Example 111. 
action_remote_ip incidr6 "3031:3233:3435:3637:0000:0000:0000:0000/64"

It is also possible to define multiple CIDRs with comma-separated syntax when building an XQL query with the Query Builder or in Correlation Rules. When defining multiple CIDRs, a logical OR is applied between the CIDRs listed, so as long as the address is in at least one of the ranges the entire statement returns true. The same logic is used by the incidr6() function. For more information on how this logic determines whether the incidr6 or not incidr6 operators return true or false, see incidr6.

Example 112. 
action_remote_ip incidr6 "2001:0db8:85a3:0000:0000:8a2e:0000:0000/64, fe80::/10"

Both the IPv6 address and CIDR ranges can be either an explicit string using quotes (""), such as "3031:3233:3435:3637:0000:0000:0000:0000/64", or a string field.
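The Python model below is an added illustration, not Cortex XSIAM code and not the XQL engine. It implements the operator semantics this page describes for IN with string wildcards (the "*word_1*" / "word" example above) and for incidr / incidr6 with a comma-separated CIDR list evaluated with a logical OR, and runs them over a few constructed records. The function names, the sample records and the assumptions that "*" is the only wildcard character and that string comparison is case-sensitive are mine; note that the page's own incidr examples carry host bits in the CIDR ("192.1.1.1/24"), which the model tolerates just as the page's wording implies.

```python
"""Model of XQL IN (with * wildcards) and INCIDR / INCIDR6 over sample records.
Added example: constructed semantics and data, not the Cortex XSIAM implementation."""
import ipaddress
import re
from typing import Iterable, List


def _wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    # Assumption: only '*' is a wildcard; every other character is literal.
    # "*word_1*" -> ^.*word_1.*$ (contains), "word" -> ^word$ (exact match).
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def xql_in(value, options: Iterable) -> bool:
    """value IN (options): integers compare by equality, strings honour '*'."""
    options = list(options)
    if isinstance(value, int):
        # in(5900,5999) lists two ports; it is not a range 5900..5999.
        return value in options
    # Assumption: case-sensitive, as the page's contains example lowercases first.
    return any(_wildcard_to_regex(str(o)).match(value) is not None for o in options)


def _parse_cidrs(cidr_spec: str, version: int) -> List[ipaddress._BaseNetwork]:
    """Split the comma-separated CIDR list the page shows for multi-CIDR queries."""
    nets = []
    for item in cidr_spec.split(","):
        item = item.strip()
        if not item:
            continue
        # strict=False keeps host bits such as "192.1.1.1/24" from raising.
        net = ipaddress.ip_network(item, strict=False)
        if net.version != version:
            raise ValueError(f"{item} is not an IPv{version} network")
        nets.append(net)
    return nets


def xql_incidr(ip: str, cidr_spec: str) -> bool:
    """IPv4 address is inside at least one listed CIDR (logical OR)."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False  # a non-IPv4 value never satisfies the IPv4 operator
    return any(addr in net for net in _parse_cidrs(cidr_spec, 4))


def xql_incidr6(ip: str, cidr_spec: str) -> bool:
    """IPv6 address is inside at least one listed CIDR (logical OR)."""
    try:
        addr = ipaddress.IPv6Address(ip)
    except ValueError:
        return False
    return any(addr in net for net in _parse_cidrs(cidr_spec, 6))


# Constructed sample records (not real telemetry); field names follow the page.
RECORDS = [
    {"action_remote_ip": "192.1.1.200", "action_local_port": 5900, "str_field": "has_word_1_inside"},
    {"action_remote_ip": "1.168.0.7", "action_local_port": 5950, "str_field": "word"},
    {"action_remote_ip": "10.0.0.1", "action_local_port": 5999, "str_field": "words"},
    {"action_remote_ip": "2001:db8:85a3::1", "action_local_port": 22, "str_field": "word_2"},
    {"action_remote_ip": "fe80::1", "action_local_port": 443, "str_field": "other"},
]


def remote_ips_in_cidrs(records, cidr_spec: str, v6: bool = False) -> List[str]:
    """Equivalent of `| filter action_remote_ip incidr "<list>"` (or incidr6)."""
    op = xql_incidr6 if v6 else xql_incidr
    return [r["action_remote_ip"] for r in records if op(r["action_remote_ip"], cidr_spec)]


def ports_in_list(records, options) -> List[int]:
    """Equivalent of `| filter action_local_port in(<options>)`."""
    return [r["action_local_port"] for r in records if xql_in(r["action_local_port"], options)]


def strings_in_patterns(records, options) -> List[str]:
    """Equivalent of `| filter str_field in ("*word_1*", "*word_2*", "word")`."""
    return [r["str_field"] for r in records if xql_in(r["str_field"], options)]


if __name__ == "__main__":
    print(ports_in_list(RECORDS, [5900, 5999]))                          # [5900, 5999]
    print(strings_in_patterns(RECORDS, ["*word_1*", "*word_2*", "word"]))  # ['has_word_1_inside', 'word', 'word_2']
    print(remote_ips_in_cidrs(RECORDS, "192.168.0.0/24, 1.168.0.0/24"))    # ['1.168.0.7']
    print(remote_ips_in_cidrs(RECORDS, "2001:0db8:85a3:0000:0000:8a2e:0000:0000/64, fe80::/10", v6=True))
```

The port filter returns only 5900 and 5999, not 5950, because in(5900,5999) is a list of two values rather than a range; "words" is excluded from the string filter because the "word" option has no wildcard and therefore requires an exact match; and the IPv6 filter matches both sample IPv6 addresses because the two CIDRs are combined with OR.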

Add operator for tagging

add

The add operator is used in combination with the tag command to add a single tag or list of tags to a field that you can easily query in the dataset.

Example 113. 
  • Adding a Single Tag

    dataset = xdr_data
    | tag add "test"
  • Adding a List of Tags

    dataset = xdr_data
    | tag add "test1", "test2", "test3"