Filter - Reference Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM XQL Language Reference

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-21
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language filter stage that narrows down the displayed results.

Syntax

filter <boolean expr>

Description

The filter stage identifies which data records the query returns. A filter is a boolean expression built from the supported functions and operators; it is evaluated against every record, and a record is included in the query's result set only when the expression evaluates to true for that record.

The functions you can use with a filter are described in XQL Functions Reference. For a list of supported operators, see Supported Operators.

Dataset Query Examples

Return xdr_data records where the event_type is NETWORK and the event_sub_type is NETWORK_HTTP_HEADER.

dataset = xdr_data 
| filter event_type = NETWORK and event_sub_type = NETWORK_HTTP_HEADER

Note

When you enter filters in the XQL Search user interface, the auto-complete feature suggests possible values for fields of type enum. However, auto-complete can only show enum values that the schema defines. In some cases, ingested data carries an enum value that the schema does not know. Such a value appears in the result set as an unknown value, such as event_type_unknown_4. Even though the value appears in the result set, you cannot filter on it. For example, the following query fails even if you know the value appears in your results:

dataset = xdr_data 
| filter event_type = event_type_unknown_4

For fields of type ENUM, either of the following forms is supported.

Syntax format A

| filter event_type = ENUM.FILE

Syntax format B

| filter event_type = FILE

XDM Query Examples

Return the xdm.source.* and xdm.email.* fields for records where xdm.source.user.username is newman.

datamodel
| filter xdm.source.user.username = "newman"
| fields xdm.source.*, xdm.email.*

XDM CONSTS (ENUMS)

For XDM fields of type ENUM, you can compare against values from a predefined list of XDM constants. For example, the field xdm.network.ip_protocol is defined as Enum.IP_PROTOCOL, so you can compare it to values such as XDM_CONST.IP_PROTOCOL_TCP. The full list is available through the automatically suggested values for each field. Using the XDM_CONST prefix is optional.

datamodel
    | filter xdm.network.ip_protocol = XDM_CONST.IP_PROTOCOL_TCP

For more information on the XDM CONST fields, see the Cortex Data Model Schema Guide.

Aliases

The Cortex Data Model (XDM) includes aliases. An alias is a predefined set of fields that you can reference as one name to simplify a filter. When you type the XDM_ALIAS keyword in a query, a list of available predefined aliases is displayed together with a tooltip that describes the selected alias. Aliases support these Cortex Query Language (XQL) operators: comparison, string, and range.

For example, when you type this query to search the IPv4 fields in the XDM,

datamodel
| filter XDM_ALIAS.ipv4 = "10.10.10.10"

the tooltip displays the fields that will be searched for the alias XDM_ALIAS.ipv4:

xdm.network.dhcp.ciaddr, xdm.target.ipv4, xdm.network.dhcp.giaddr, xdm.source.ipv4, xdm.intermediate.ipv4, xdm.network.dhcp.yiaddr, xdm.network.dhcp.siaddr

The query above is equivalent to the following query, which uses no alias. It returns every row in which at least one of the member fields of XDM_ALIAS.ipv4 equals "10.10.10.10":

datamodel
    | filter xdm.network.dhcp.ciaddr = "10.10.10.10"
    or xdm.target.ipv4 = "10.10.10.10"
    or xdm.network.dhcp.giaddr = "10.10.10.10"
    or xdm.source.ipv4 = "10.10.10.10"
    or xdm.intermediate.ipv4 = "10.10.10.10"
    or xdm.network.dhcp.yiaddr = "10.10.10.10"
    or xdm.network.dhcp.siaddr = "10.10.10.10"

Similarly, when you type this query with the negated operator,

datamodel
| filter XDM_ALIAS.ipv4 != "10.10.10.10"

the tooltip displays the same member fields for the alias XDM_ALIAS.ipv4:

xdm.network.dhcp.ciaddr, xdm.target.ipv4, xdm.network.dhcp.giaddr, xdm.source.ipv4, xdm.intermediate.ipv4, xdm.network.dhcp.yiaddr, xdm.network.dhcp.siaddr

The query above is equivalent to the following query, which uses no alias. It excludes every row in which any member field of XDM_ALIAS.ipv4 equals "10.10.10.10". Note that the negated comparison is applied to each member field and the clauses are joined with and, not or, so the result is exactly the complement of the = form above:

datamodel
    | filter xdm.network.dhcp.ciaddr != "10.10.10.10"
    and xdm.target.ipv4 != "10.10.10.10"
    and xdm.network.dhcp.giaddr != "10.10.10.10"
    and xdm.source.ipv4 != "10.10.10.10"
    and xdm.intermediate.ipv4 != "10.10.10.10"
    and xdm.network.dhcp.yiaddr != "10.10.10.10"
    and xdm.network.dhcp.siaddr != "10.10.10.10"
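To make the OR-versus-AND expansion of the two alias queries above concrete, here is an added Python model. It is not Cortex XSIAM code or XQL: it expands an XDM_ALIAS.ipv4 predicate into the same alias-free filter text shown in this section and evaluates both the = and the != form over constructed rows, so you can confirm that the two result sets are complements. The alias table, the sample rows, and the treatment of a field missing from a row as not equal to the value are assumptions of the model.

```python
"""Model of how an XDM_ALIAS predicate expands over its member fields.

Added illustration, not Cortex XSIAM code: it re-implements the expansion the
reference describes so the OR-versus-AND difference between
`XDM_ALIAS.ipv4 = X` and `XDM_ALIAS.ipv4 != X` can be checked on sample rows.
"""

# Member fields of XDM_ALIAS.ipv4 as listed in the reference. Keeping them in a
# dict is an assumption of this model; XQL resolves aliases internally.
XDM_ALIASES = {
    "XDM_ALIAS.ipv4": [
        "xdm.network.dhcp.ciaddr",
        "xdm.target.ipv4",
        "xdm.network.dhcp.giaddr",
        "xdm.source.ipv4",
        "xdm.intermediate.ipv4",
        "xdm.network.dhcp.yiaddr",
        "xdm.network.dhcp.siaddr",
    ],
}


def expand_alias(alias: str, op: str, value: str) -> str:
    """Return the alias-free XQL filter text equivalent to `alias op value`.

    `=` expands to an OR chain (a match in at least one member field);
    `!=` expands to an AND chain (no member field may equal the value),
    mirroring the two expanded queries in the reference.
    """
    if op not in ("=", "!="):
        raise ValueError(f"this model only covers = and !=, not {op!r}")
    joiner = " or " if op == "=" else " and "
    clauses = [f'{field} {op} "{value}"' for field in XDM_ALIASES[alias]]
    return "| filter " + joiner.join(clauses)


def alias_matches(row: dict, alias: str, op: str, value: str) -> bool:
    """Evaluate `alias op value` against one row (dict of field -> value).

    A field absent from the row is treated as not equal to the value (an
    assumption; how the engine treats null members is not covered here).
    """
    fields = XDM_ALIASES[alias]
    if op == "=":
        return any(row.get(field) == value for field in fields)
    if op == "!=":
        return all(row.get(field) != value for field in fields)
    raise ValueError(f"this model only covers = and !=, not {op!r}")


def filter_rows(rows: list, alias: str, op: str, value: str) -> list:
    """Return the ids of the rows that satisfy `alias op value`."""
    return [row["id"] for row in rows if alias_matches(row, alias, op, value)]


# Constructed sample rows, not real telemetry. Row 1 carries the address in
# the source field, row 2 only in a DHCP field, row 3 nowhere.
SAMPLE_ROWS = [
    {"id": 1, "xdm.source.ipv4": "10.10.10.10", "xdm.target.ipv4": "10.0.0.5"},
    {"id": 2, "xdm.source.ipv4": "10.0.0.7", "xdm.network.dhcp.yiaddr": "10.10.10.10"},
    {"id": 3, "xdm.source.ipv4": "10.0.0.7", "xdm.target.ipv4": "10.0.0.8"},
]

if __name__ == "__main__":
    for op in ("=", "!="):
        print(expand_alias("XDM_ALIAS.ipv4", op, "10.10.10.10"))
        print("  matching ids:", filter_rows(SAMPLE_ROWS, "XDM_ALIAS.ipv4", op, "10.10.10.10"))
```

The detail worth remembering when negating an alias is that XDM_ALIAS.ipv4 != X drops a row as soon as any member field holds X (row 2 above, where the address appears only in a DHCP field). It is the complement of the = form, not a per-field negation that would still return rows in which some other member field differs from X.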