topic Re: Cortex XQL &quot;Let&quot; replacement in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-quot-let-quot-replacement/m-p/1236517#M8684 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1084995931">@KCaudwell</a>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">dataset = va_cves | arrayexpand affected_hosts | join (preset = host_inventory_endpoints | filter group_names in ("UKI", "CAN", "AUS") | fields endpoint_name, group_names ) as edr edr.endpoint_name = affected_hosts | fields endpoint_name , group_names , name , description , exploitability_score , impact_score | comp count(endpoint_name ) as count</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>or maybe&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">dataset = va_cves | arrayexpand affected_hosts | join (preset = host_inventory_endpoints | filter group_names contains "UKI" OR group_names contains "AUS" OR group_name contains "CAN" | fields endpoint_name, group_names ) as edr edr.endpoint_name = affected_hosts | fields endpoint_name , group_names , name , description , exploitability_score , impact_score | comp count(endpoint_name ) as count</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Please let me know if the former worked for you</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,</P> <P>Luis</P> Fri, 22 Aug 2025 12:21:53 GMT eluis 2025-08-22T12:21:53Z Cortex XQL "Let" replacement https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-quot-let-quot-replacement/m-p/1236353#M8677 <P>Hi,&nbsp;</P> <P>&nbsp;</P> <P>I'm wondering if anybody knows a method, I can use to join multiple queries within the same XQL query.&nbsp;<BR /><BR />I have 3 separate queries which return a count of vulnerabilities for each region of logs. How do i merge these 3 queries to return a table which shows&nbsp;</P> <P>&nbsp;</P> <P>UKI 1&nbsp;</P> <P>CAN&nbsp; 1</P> <P>AUS&nbsp; 1</P> <P><BR />I know this was possible with Sentinel KQL as you could nest queries in let functions.. is it possible with XQL?</P> <P>Kind regards,&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>For example:&nbsp;</P> <P>&nbsp;</P> <P>dataset = va_cves <BR />| arrayexpand affected_hosts <BR />| join (preset = host_inventory_endpoints | filter group_names contains "UKI" | fields endpoint_name, group_names ) as edr edr.endpoint_name = affected_hosts <BR />| fields endpoint_name , group_names , name , description , exploitability_score , impact_score</P> <P>| comp count(endpoint_name ) as count</P> <P>&nbsp;</P> <P>dataset = va_cves <BR />| arrayexpand affected_hosts <BR />| join (preset = host_inventory_endpoints | filter group_names contains "CAN" | fields endpoint_name, group_names ) as edr edr.endpoint_name = affected_hosts <BR />| fields endpoint_name , group_names , name , description , exploitability_score , impact_score</P> <P>| comp count(endpoint_name ) as count</P> <P>&nbsp;</P> <P>dataset = va_cves <BR />| arrayexpand affected_hosts <BR />| join (preset = host_inventory_endpoints | filter group_names contains "UKI" | fields endpoint_name, group_names ) as edr edr.endpoint_name = affected_hosts <BR />| fields endpoint_name , group_names , name , description , exploitability_score , impact_score</P> <P>| comp count(endpoint_name ) as count</P> Wed, 20 Aug 2025 14:37:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-quot-let-quot-replacement/m-p/1236353#M8677 KCaudwell 2025-08-20T14:37:43Z Re: Cortex XQL "Let" replacement https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-quot-let-quot-replacement/m-p/1236517#M8684 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1084995931">@KCaudwell</a>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">dataset = va_cves | arrayexpand affected_hosts | join (preset = host_inventory_endpoints | filter group_names in ("UKI", "CAN", "AUS") | fields endpoint_name, group_names ) as edr edr.endpoint_name = affected_hosts | fields endpoint_name , group_names , name , description , exploitability_score , impact_score | comp count(endpoint_name ) as count</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>or maybe&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">dataset = va_cves | arrayexpand affected_hosts | join (preset = host_inventory_endpoints | filter group_names contains "UKI" OR group_names contains "AUS" OR group_name contains "CAN" | fields endpoint_name, group_names ) as edr edr.endpoint_name = affected_hosts | fields endpoint_name , group_names , name , description , exploitability_score , impact_score | comp count(endpoint_name ) as count</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Please let me know if the former worked for you</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,</P> <P>Luis</P> Fri, 22 Aug 2025 12:21:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-quot-let-quot-replacement/m-p/1236517#M8684 eluis 2025-08-22T12:21:53Z