Supported Operators - Reference Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM XQL Language Reference

Product
Cortex XSIAM
Creation date
2023-10-30
Last date published
2024-03-27
Category
Reference Guide
Abstract

Cortex Query Language supports specific comparison, boolean, and set operators in Cortex XSIAM.

Cortex Query Language (XQL) queries support the following comparison, boolean, string, range, and add operators.

Operator

Description

Comparison Operators

=, !=

Equal, Not equal

<, <=

Less than, Less than or equal to

>, >=

Greater than, Greater than or equal to

Boolean Operators

and

Boolean and

or

Boolean or

not

Boolean not

String and Range Operators

IN, NOT IN

Returns true if the integer or string field value equals one of the listed options. The options are a discrete set, not a range: the following example matches port 5900 or port 5999 only, not the ports in between.

action_local_port in(5900,5999)

For string field values, wildcards are supported. In this example the wildcard (*) matches a value that contains the string "word_1" or "word_2" anywhere in the field, or that exactly equals the string "word":

str_field in ("*word_1*", "*word_2*", "word")

CONTAINS, NOT CONTAINS

Returns true if the specified integer or string is contained in the field value. Contains and Not Contains are also supported on array fields holding integers or strings. In the following example the field is lower-cased first, so that PsExec.exe and psexec.exe both match:

lowercase(actor_process_image_name) contains "psexec"

~=

Matches a regular expression. For example:

action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"

INCIDR, NOT INCIDR

Tests an IPv4 address against an IPv4 block in CIDR notation and returns true if the address lies within the block. For example:

action_remote_ip incidr "192.1.1.1/24"

INCIDR6, NOT INCIDR6

Tests an IPv6 address against an IPv6 block in CIDR notation and returns true if the address lies within the block. For example:

action_remote_ip incidr6 "3031:3233:3435:3637:0000:0000:0000:0000/64"
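To sanity-check an IN list, a wildcard, a regular expression or a CIDR block against a few sample events before it goes into a query, the following Python re-implements the semantics of the string and range operators described above (IN with wildcards, CONTAINS over strings and arrays, ~=, INCIDR and INCIDR6) and runs the page's own example expressions over constructed events. It is an added example, not Cortex XSIAM code or an XQL engine: the event records are made up, and the case-sensitive fnmatch-style wildcard matching, the unanchored regular-expression search and the treatment of a value from the other IP family as a non-match are assumptions, not documented XQL behaviour.

```python
"""Reference evaluator for the XQL string and range operators listed above.

Added example, not Cortex XSIAM code. Field names follow the page's own
xdr_data examples; the events and the matching semantics are assumptions.
"""
import fnmatch
import ipaddress
import re

# Constructed sample events (not real telemetry).
EVENTS = [
    {"action_local_port": 5900, "action_remote_ip": "192.1.1.77",
     "actor_process_image_name": "PsExec64.exe",
     "action_process_image_name": "invoice.pdf.exe", "tags": ["lateral", "psexec"]},
    {"action_local_port": 5950, "action_remote_ip": "192.1.2.5",
     "actor_process_image_name": "explorer.exe",
     "action_process_image_name": "winword.exe", "tags": []},
    {"action_local_port": 5999, "action_remote_ip": "3031:3233:3435:3637::1",
     "actor_process_image_name": "cmd.exe",
     "action_process_image_name": "report.docx.exe", "tags": ["psexec"]},
]


def op_in(value, options):
    """IN: true if value equals one of the options.

    The options are a discrete set: in(5900,5999) matches exactly those two
    ports, not 5900-5999. String options may contain * as a wildcard
    (assumption: fnmatch-style, case-sensitive matching).
    """
    if isinstance(value, str):
        return any(fnmatch.fnmatchcase(value, opt) for opt in options)
    return value in options


def op_contains(field, needle):
    """CONTAINS: substring match on a string field, equality on an integer,
    and any-element match when the field is an array of strings or integers."""
    if isinstance(field, list):
        return any(op_contains(item, needle) for item in field)
    if isinstance(field, int):
        return field == needle
    return str(needle) in field


def op_regex(field, pattern):
    """~=: regular-expression match (assumption: unanchored search)."""
    return re.search(pattern, field) is not None


def op_incidr(addr, cidr, version=4):
    """INCIDR (version=4) / INCIDR6 (version=6): true if addr lies in the
    CIDR block. strict=False accepts blocks written with host bits set, such
    as the page's 192.1.1.1/24. A value of the other address family, or an
    unparsable string, counts as no match instead of raising, so one
    expression can run over mixed IPv4/IPv6 data (assumption)."""
    try:
        ip = ipaddress.ip_address(addr)
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return ip.version == version == net.version and ip in net


def hunt(events):
    """Run the page's example expressions over the events and return, per
    expression, the indices of the events that matched."""
    checks = {
        # action_local_port in(5900,5999): event 1 (port 5950) must NOT match
        "port_in": lambda e: op_in(e["action_local_port"], (5900, 5999)),
        # lowercase(actor_process_image_name) contains "psexec"
        "psexec": lambda e: op_contains(e["actor_process_image_name"].lower(), "psexec"),
        # contains applied to an array field
        "tagged_psexec": lambda e: op_contains(e["tags"], "psexec"),
        # action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
        "double_ext": lambda e: op_regex(e["action_process_image_name"],
                                         r".*?\.(?:pdf|docx)\.exe"),
        # action_remote_ip incidr "192.1.1.1/24"
        "v4_net": lambda e: op_incidr(e["action_remote_ip"], "192.1.1.1/24"),
        # action_remote_ip incidr6 "3031:3233:3435:3637:0000:0000:0000:0000/64"
        "v6_net": lambda e: op_incidr(e["action_remote_ip"],
                                      "3031:3233:3435:3637:0000:0000:0000:0000/64",
                                      version=6),
    }
    return {name: [i for i, e in enumerate(events) if check(e)]
            for name, check in checks.items()}


if __name__ == "__main__":
    for name, hits in hunt(EVENTS).items():
        print(f"{name:14s} -> events {hits}")
```

Running the block shows that the port expression matches events 0 and 2 but not the port-5950 event, that the CIDR checks ignore the event whose address is from the other IP family, and that the array form of CONTAINS finds "psexec" in the tags list of two events.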

Add Operator for Tagging

add

The add operator is used together with the tag command to add a single tag or a list of tags to a field, which you can then query on in the dataset. For example:

  • Adding a Single Tag

    dataset = xdr_data
    | tag add "test"
  • Adding a List of Tags

    dataset = xdr_data
    | tag add "test1", "test2", "test3"