Search - Reference Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM XQL Language Reference

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-21
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language search stage that searches for free-text strings.

Syntax

search "<free_text1>"[,"<free_text2>", ...]

Description

The search stage searches for free-text strings in the datasets stored in your Cortex XSIAM tenant. Consider the following information:

  • search should be the first stage in the query. Only the config stage can precede search.

  • You can refine the search to specify datasets.

    Only datasets are supported. You can't refine by preset or search the Cortex Data Model (XDM) schema.

    Note

    • If you do not specify a dataset in the query, Cortex XSIAM searches all of the existing datasets on your tenant.

    • Free-text search looks at the relevant columns in each dataset. Which columns are relevant is subject to change and can vary between datasets.

  • Queries containing search do not support the bin, comp, top, or dedup stages.

  • Queries using the search stage are limited to the last 90 days of data. Specifying a timeframe outside of this limitation will cause the query to fail.

Examples

Returns instances of "MacOs" in the endpoints dataset.

search "MacOs" dataset = endpoints

Returns instances of "MacOs" or "failed" in the endpoints and agent_auditing datasets.

search "MacOs","failed" dataset in (endpoints, agent_auditing)
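The rules in the Description section (search first, only config before it, dataset-only refinement, no bin/comp/top/dedup, 90-day limit) are easy to get wrong when queries are assembled from tooling or pasted from chat with curly quotes. The following Python helpers are an added example, not Palo Alto Networks code: one builds a `search` stage of the form shown in the examples above while treating dataset names as identifiers rather than raw input, and the other checks a query against the page's rules before it is submitted. It assumes stages are separated by `|` and that a timeframe is set as `config timeframe = <N>d`; neither detail is stated on this page.

```python
"""Compose and sanity-check XQL `search` stages.

Added example; this is not Palo Alto Networks code. The rules it encodes are
the ones the reference page states: `search` must be the first stage (only
`config` may precede it), refinement is by dataset only (not preset), queries
with `search` cannot use bin/comp/top/dedup, and the timeframe cannot exceed
90 days. Assumptions: stages are separated by `|`, and the timeframe is set
as `config timeframe = <N>d`.
"""
import re

# Stages the page lists as unsupported in a query that contains `search`.
UNSUPPORTED_WITH_SEARCH = {"bin", "comp", "top", "dedup"}
MAX_TIMEFRAME_DAYS = 90

# Typographic quotes pasted from documents or chat are not XQL string delimiters.
CURLY_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}

# Dataset names are treated as identifiers, never interpolated raw from user input.
DATASET_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_search(terms, datasets=()):
    """Build a `search` stage from free-text terms and an optional dataset list."""
    if not terms:
        raise ValueError("at least one free-text term is required")
    for term in terms:
        # An embedded double quote would end the XQL string early; refuse it
        # rather than guess at an escape syntax the page does not document.
        if '"' in term:
            raise ValueError(f"term contains a double quote: {term!r}")
    stage = "search " + ",".join(f'"{term}"' for term in terms)
    datasets = list(datasets)
    for name in datasets:
        if not DATASET_NAME.match(name):
            raise ValueError(f"invalid dataset name: {name!r}")
    if len(datasets) == 1:
        stage += f" dataset = {datasets[0]}"
    elif datasets:
        stage += " dataset in (" + ", ".join(datasets) + ")"
    return stage


def split_stages(query):
    """Split a query on top-level `|`, leaving pipes inside quoted strings alone."""
    stages, buf, in_string = [], [], False
    for ch in query:
        if ch == '"':
            in_string = not in_string
        if ch == "|" and not in_string:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def validate_search_query(query):
    """Return a list of rule violations; an empty list means the query passes."""
    problems = []
    for curly, straight in CURLY_QUOTES.items():
        if curly in query:
            problems.append(f"curly quote {curly} is not a string delimiter; use {straight}")
    stages = split_stages(query)
    names = [s.split(None, 1)[0].lower() for s in stages]
    if "search" not in names:
        problems.append("query has no search stage")
        return problems
    idx = names.index("search")
    for name in names[:idx]:
        if name != "config":
            problems.append(f"'{name}' precedes search; only config may come first")
    for name in names:
        if name in UNSUPPORTED_WITH_SEARCH:
            problems.append(f"stage '{name}' is not supported together with search")
    if re.search(r"\bpreset\b", stages[idx]):
        problems.append("search can be refined by dataset only, not by preset")
    for stage in stages[:idx]:
        # Assumed form of the timeframe setting: `config timeframe = 30d`.
        m = re.search(r"timeframe\s*=\s*(\d+)d\b", stage)
        if m and int(m.group(1)) > MAX_TIMEFRAME_DAYS:
            problems.append(f"timeframe {m.group(1)}d exceeds the {MAX_TIMEFRAME_DAYS}-day search limit")
    return problems


if __name__ == "__main__":
    q = build_search(["MacOs", "failed"], ["endpoints", "agent_auditing"])
    print(q)
    print(validate_search_query(q) or "ok")
    # Constructed bad query: wrong stage order, curly quotes, unsupported stage.
    print(validate_search_query('dataset = endpoints | search \u201cMacOs\u201d | top 10'))
```

Running the block prints the two-dataset query from the examples above, confirms it passes, and lists four problems for the constructed bad query. Because `build_search` rejects dataset names that are not plain identifiers and terms that contain a double quote, a caller that takes these values from a web form or ticket field cannot be tricked into appending extra stages to the query.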