if - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-12-12
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language if() function that returns a result after evaluating a condition.

Syntax
Description

The if() function evaluates a single expression or group of expressions depending on the syntax used to define the function. The syntax can be set up in the following ways:

  • Regular if statement: A single boolean expression is evaluated. If the expression evaluates as true, the function returns the results defined in the second function argument. If the expression evaluates as false and a false return expression is defined, the function returns the results of the third function argument; otherwise, if no false return expression is set, the function returns null.

  • Nested if/else statement: At least two boolean expressions and two true return expressions are required when using this option. The first boolean expression is evaluated. If the first expression evaluates as true, the function returns the results defined in the second function argument. Otherwise, the second boolean expression is evaluated. If the second expression evaluates as true, the function returns the results defined in the fourth function argument. Any further boolean expressions are evaluated in order following the same pattern, each paired with the true return expression that follows it. If all of the expressions evaluate as false and a false return expression is defined, the function returns the results defined in the last function argument, which is the false return expression; otherwise, if no false return expression is set, the function returns null.
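Both forms described above in one query, as an added example that is not part of the original Cortex documentation. It assumes the `xdr_data` dataset and its `action_remote_port` field; the output field names `port_range`, `rdp_only` and `service` are made up for illustration.

```xql
// Added example: classify network events by remote port using if().
dataset = xdr_data
| filter action_remote_port != null
| alter
    // Regular form with a false return expression (three arguments):
    // true -> second argument, false -> third argument.
    port_range = if(action_remote_port < 1024, "well-known", "high"),
    // Regular form without a false return expression (two arguments):
    // rows where the condition is false get null in rdp_only.
    rdp_only = if(action_remote_port = 3389, "rdp"),
    // Nested form: conditions are checked in order and the first one that
    // is true decides the result. The trailing unpaired argument is the
    // false return expression, used when no condition is true.
    service = if(action_remote_port = 22, "ssh",
                 action_remote_port = 3389, "rdp",
                 action_remote_port in (80, 443), "web",
                 "other")
// Count events per class; rdp_only stays null for every non-RDP row.
| comp count(action_remote_port) as events by service, port_range, rdp_only
```

Because the two-argument form returns null instead of a default label, a later `filter rdp_only != null` stage keeps only the rows where the condition held.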

Examples