list - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language list aggregate comp function, which returns an array of up to 100 values for a field in the result set.

Syntax
comp list(<field>) [as <alias>] by <field_1>,<field_2> [addrawdata = true|false [as <target field>]]
Description

The list aggregation is a comp function that returns, for each group of rows sharing the same values for the fields named in the by clause, a single array of up to 100 values found for the given field. Null values are filtered out, so every element of the array is non-null. The values are not deduplicated: a value that repeats across rows appears in the array each time it occurs, and each occurrence counts toward the limit of 100. This function is used in combination with a comp stage.

In addition, you can control whether the raw data events that produced the final comp results are included in the output by setting addrawdata to true or false (the default). When raw data events are included in your query, the query runs for up to 50 fields that you define and displays up to 100 events.

Examples

Return an array containing up to 100 values seen for the action_total_download field over a group of rows, for all records that have matching values for their actor_process_image_path and actor_process_command_line fields. The query processes at most 100 xdr_data records and includes a raw_data column listing the raw data events used to produce the final comp results.

dataset = xdr_data
| fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download
| filter Download > 0
| limit 100
| comp list(Download) as list_download by Process_Path, Process_CMD addrawdata = true as raw_data
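As an added illustration (not Cortex code), the following Python model reproduces the semantics described above, run over constructed rows shaped like the output of the example query's fields stage; comp_list, LIST_CAP and the sample values are assumptions of this model, not XQL internals.

```python
LIST_CAP = 100  # comp list returns at most 100 values per group

def comp_list(rows, field, by, alias=None, addrawdata=False, raw_field="raw_data"):
    """Model of `comp list(field) [as alias] by ... addrawdata = true|false [as raw_field]`.
    Values are collected per group in arrival order, nulls dropped, duplicates kept,
    capped at LIST_CAP. With addrawdata the rows that contributed are attached too."""
    alias = alias or f"list_{field}"
    groups = {}                                # dict keeps insertion order
    for row in rows:
        key = tuple(row.get(b) for b in by)    # the `by` fields form the group key
        bucket = groups.setdefault(key, {"values": [], "raw": []})
        value = row.get(field)
        if value is None:                      # null values are filtered out
            continue
        if len(bucket["values"]) < LIST_CAP:   # the 101st value onward is dropped
            bucket["values"].append(value)     # non-unique: repeats are kept
            bucket["raw"].append(row)          # raw events behind this result
    results = []
    for key, bucket in groups.items():         # an all-null group yields [] (assumption)
        out = dict(zip(by, key))
        out[alias] = bucket["values"]
        if addrawdata:
            out[raw_field] = bucket["raw"]
        results.append(out)
    return results

# Constructed stand-ins for xdr_data rows that already passed through the page's
# `fields ... as Process_Path, ... as Process_CMD, ... as Download` stage.
CURL = r"C:\Windows\System32\curl.exe"
UPD = r"C:\Program Files\app\updater.exe"
SAMPLE_ROWS = [
    {"Process_Path": CURL, "Process_CMD": "curl -O https://example.invalid/f", "Download": 512},
    {"Process_Path": CURL, "Process_CMD": "curl -O https://example.invalid/f", "Download": 2048},
    {"Process_Path": CURL, "Process_CMD": "curl -O https://example.invalid/f", "Download": 512},
    {"Process_Path": UPD, "Process_CMD": "updater.exe --check", "Download": 0},
    {"Process_Path": UPD, "Process_CMD": "updater.exe --check", "Download": 4096},
]

def run_page_query(rows=SAMPLE_ROWS):
    """`filter Download > 0 | limit 100 | comp list(Download) as list_download
    by Process_Path, Process_CMD addrawdata = true as raw_data`."""
    filtered = [r for r in rows if r["Download"] is not None and r["Download"] > 0][:100]
    return comp_list(filtered, "Download", ["Process_Path", "Process_CMD"],
                     alias="list_download", addrawdata=True, raw_field="raw_data")

def null_and_cap_demo():
    """Nulls are dropped and a 150-row group is truncated to 100 values."""
    rows = [{"p": "x", "v": None}] + [{"p": "x", "v": i} for i in range(150)]
    return comp_list(rows, "v", ["p"])[0]["list_v"]
```

The repeated 512 in the curl group shows that list does not deduplicate, and the zero-byte updater row is removed by the filter stage, not by the aggregation.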