Learn more about the Cortex Query Language union
stage that combines two result sets into a single result set.
Syntax
union <datasetname>
union (<inner xql query>)
Description
The union stage combines two result sets into one result. It can be used in two different ways.
If a dataset name is provided with no other arguments, the two datasets are combined for the duration of the query, and the fields in both datasets are available to subsequent stages.
If a Cortex Query Language (XQL) query is provided to this stage, the result set from that XQL union query is combined with the result set from the rest of the query. This is effectively an inner join statement.
Examples
First, create a dataset using the target stage. This results in a persistent dataset that we can use later with a union stage.
dataset = xdr_data | filter event_type = FILE and event_sub_type = FILE_WRITE | fields agent_id, action_file_sha256 as file_hash, agent_hostname | target type=dataset file_event
Then run a second query, using union so that the query can access the contents of the file_event dataset. Notice that this second query uses the file_hash alias that was defined for the file_event dataset.
dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START | union file_event | fields agent_id, agent_hostname, file_hash, actor_process_image_path as executed_by, actor_process_signature_vendor as executor_signer | filter file_hash != null and executed_by != null
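The same correlation written with the inline-query form of union, as an added example that is not part of the original documentation: the file-write events are pulled from xdr_data inside the union stage, so no persistent file_event dataset has to be created with target first. The field names and stages are the ones used on this page; the placement of the fields and filter stages around the inline query is the author's assumption and should be checked against the file_event example above.

```xql
// Outer query: process-start events with the executing image and its signer
dataset = xdr_data
| filter event_type = PROCESS and event_sub_type = PROCESS_START
| fields agent_id, agent_hostname,
         actor_process_image_path as executed_by,
         actor_process_signature_vendor as executor_signer
// Inline union query: file-write events from the same dataset, carrying the written file's hash
| union (
    dataset = xdr_data
    | filter event_type = FILE and event_sub_type = FILE_WRITE
    | fields agent_id, agent_hostname, action_file_sha256 as file_hash
  )
// Keep only rows where both sides contributed a value (the inner-join behaviour described above)
| filter file_hash != null and executed_by != null
```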