Fields - Reference Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM XQL Language Reference

Product
Cortex XSIAM
Creation date
2023-10-30
Last date published
2024-03-27
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language fields stage that defines the fields returned in the result set.

Syntax

  • Dataset Queries

    fields [-] <field_1> [as <name1>], <field_2> [as <name2>], ...
  • Cortex Data Model (XDM) Queries

    • fields [-] <field_1> [as <name1>], <field_2> [as <name2>], ...

    • fields [-] fieldset.xdm_<fieldset name1>, fieldset.xdm_<fieldset name2>, ...

    • A combination of both options above is supported, with fields and fieldsets in any order:

      fields [-] fieldset.xdm_<fieldset name1>, <field_1> [as <name1>], fieldset.xdm_<fieldset name2>, <field_2>

Note

When creating XDM queries, the raw dataset fields are accessible by <dataset>.<field>, such as fields amazon_eks_raw.logStream.

Description

The fields stage declares which fields are returned in the result set, including name changes. If this stage is used, then subsequent stages can operate only on the fields identified by this stage. The syntax for this stage differs depending on the type of query you are running.

Both Dataset and XDM Queries

For both dataset and XDM queries, your fields stage syntax can include the following elements:

Wildcards

Use a wildcard (*) to include all fields that match the pattern, where wildcards can only be added at the beginning or end of a string. The following table explains the different scenarios for using wildcards in fields with examples:

Note

Wildcards are not supported in fieldsets.

Wildcard Scenarios and Examples

Scenario 1: Adding the wildcard at the end of a field.

  • Dataset Queries

    • event_*

  • XDM Queries

    • xdm.source*

    • xdm.source.*

    • xdm.source.a*

Scenario 2: Adding the wildcard at the beginning of a field. This is supported only when there is no period anywhere else in the field.

  • Supported syntax

    • *ipv4

  • Unsupported syntax

    • *.ipv4

    • *source.ipv4

Scenario 3: Adding the wildcard at both the beginning and end of a field. This has the same limitation as using it at the beginning of a field.

  • Supported syntax

    • *ipv4*

  • Unsupported syntax

    • *.ipv4*

    • *ipv4.*

    • *source.ipv4*

As a workaround, enclose the part of the field name that contains the period in ` characters. This syntax does not support the auto-suggest feature during XQL query creation.

  • *`.ipv4`

  • *`source.ipv4`

Minus Character

Use a minus character (-) to exclude a field from the result set. For example, | fields - <field1>, <field2> excludes both <field1> and <field2> from your query results.

The following system fields cannot be excluded and are always displayed, if they exist:

  • Dataset queries: _time, _insert_time, _raw_log, _product, _vendor, _tag, _snapshot_id, _snapshot_log_count, _snapshot_collection_ts, _id

  • XDM queries: _time

As Clause

Use the as clause to set an alias for a field. If you use the as clause, then subsequent stages must use that alias to refer to the field.
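The following dataset query is an added example, not from the original page, that combines the three elements above (a wildcard, the minus character and the as clause) in one hunt over process events; it assumes the xdr_data fields event_type, agent_hostname, actor_process_image_name, action_process_image_command_line and action_process_image_sha256 exist as they do in standard endpoint telemetry, and that later stages refer to the aliases rather than the original names:

```xql
// Added example (not part of the original page). Assumed fields: event_type,
// agent_hostname, actor_process_image_name, action_process_image_command_line,
// action_process_image_sha256 on the xdr_data dataset.
dataset = xdr_data
// Keep only process events so the action_* fields are populated.
| filter event_type = ENUM.PROCESS
// Aliases plus a trailing wildcard: everything that starts with action_ is kept.
| fields agent_hostname as host, actor_process_image_name as parent,
         action_process_image_command_line as cmd, action_*
// Minus character: drop one of the wildcard-selected fields; _time always stays.
| fields - action_process_image_sha256
// Subsequent stages must use the alias (cmd), not action_process_image_command_line.
| filter cmd contains "-enc"
| comp count(_time) as runs by host, parent, cmd
| sort desc runs
| limit 100
```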

XDM Queries

For XDM queries, your fields stage syntax can include the following additional elements:

Fieldsets

Use a fieldset within the fields stage to refine queries on the XDM by limiting the analysis to a specific set of fields. A fieldset contains a group of related fields; for example, fieldset.xdm_endpoint includes the fields that are related to endpoints.

The xdm_core fieldset contains the fields typically queried by users, including commonly used event, source, and target fields. When a query does not specify any fields, the following fields are returned by default: _time, xdm.event.type, xdm.event.description, xdm.event.operation, xdm.event.operation_sub_type, xdm.event.outcome, xdm.source.host.hostname, xdm.source.user.username, xdm.source.user.user_type, xdm.source.sent_bytes, xdm.source.agent.identifier, xdm.source.user_agent, xdm.source.process.name, xdm.source.process.executable.path, xdm.source.process.executable.filename, xdm.source.ipv4, xdm.source.port, xdm.target.host.hostname, xdm.target.user.username, xdm.target.process.executable.path, xdm.target.ipv4, xdm.target.port, xdm.target.user.user_type, xdm.target.sent_bytes, xdm.target.agent.identifier, xdm.target.url, xdm.target.domain, xdm.target.process.name, xdm.target.process.executable.filename, xdm.event.outcome_reason, xdm.observer.product, xdm.event.is_completed, xdm.event.duration

For more information on these fields, see the Cortex Data Model Schema Guide.

Wildcards

When combining the results of a dataset and an XDM query using the join stage, the wildcard (*) applies to both. For example, this query returns both the datamodel fields that contain "host" and the xdr_data fields that contain "host":

datamodel
    | join (dataset=xdr_data) as x xdm.original_event_id = x.event_id
    | fields *host*

Dataset Query Example

Return the action_country field from all xdr_data records where the action_country field is both not null and not "-". Also include all fields with names that match event_* except for event_type.

dataset = xdr_data
| fields action_country as ac
| fields event_*
| fields - event_type
| filter ac != null and ac != "-"

XDM Query Example

Return the XDM fields that are related to the network (fieldset.xdm_network), fields that are related to endpoints (fieldset.xdm_endpoint), and the xdm.alert.name field.

datamodel
| fields fieldset.xdm_network, fieldset.xdm_endpoint, xdm.alert.name

XDM Query using a Wildcard

Return the XDM fields that match xdm.source.* and xdm.email.*, where xdm.source.user.username is "newman".

datamodel
| filter xdm.source.user.username = "newman"
| fields xdm.source.*, xdm.email.*