union - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-07
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language union stage that combines two result sets into a single result set.

Syntax
union <datasetname>
union (<inner xql query>)
Description

The union() stage combines two result sets into one result. It can be used in two different ways.

If a dataset name is provided with no other arguments, the two datasets are combined for the duration of the query, and the fields in both datasets are available to subsequent stages.

If a Cortex Query Language (XQL) query is provided to this stage, the result set from that XQL union query is combined with the result set from the rest of the query. This is effectively an inner join statement.

Examples

First, create a dataset using the target stage. This results in a persistent stage that we can use later with a union stage.

dataset = xdr_data
| filter event_type = FILE and event_sub_type = FILE_WRITE 
| fields agent_id, action_file_sha256 as file_hash, agent_hostname 
| target type=dataset file_event

Then run a second query, using union so that the query can access the contents of the file_event dataset. Notice that this second query uses the file_hash alias that was defined for the file_event dataset.

dataset = xdr_data 
| filter event_type = PROCESS and event_sub_type = PROCESS_START 
| union file_event
| fields agent_id, agent_hostname, file_hash, 
      actor_process_image_path as executed_by, 
      actor_process_signature_vendor as executor_signer 
| filter file_hash != null and executed_by != null