topic Can I filter on hostnames in an array? in Cortex XDR Discussions

Can I filter on hostnames in an array?

edvardgooijenga — Wed, 06 May 2026 19:16:29 GMT

I'm running the following script, it should display the critical vulnerabilities on MacOS systems.

//List critical vulnerabilities on all MacOS endpoints
config case_sensitive = false
| dataset = va_cves
| filter os_type = ENUM.MACOS and severity = ENUM.CRITICAL
| fields severity,name,description,affected_products,type,severity_score,os_type,affected_hosts_count,affected_hosts,modification_date,publication_date,exploitability_score
| sort desc severity_score

The problem is that the affected_hosts array also contains Windows systems that are affected by the same CVE's.
How can I filter so it only reports MacOS systems?
All our Macbook names start with "MBP-" but I was not able to filter on that , so far.

Re: Can I filter on hostnames in an array?

edvardgooijenga — Thu, 07 May 2026 10:29:02 GMT

was able to sort it out a bit more.

dataset = va_cves
| filter os_type contains "*MAC*" and severity = ENUM.CRITICAL
| arrayexpand affected_hosts
| filter affected_hosts contains "MBP-*"
| arrayexpand os_type
| filter os_type contains "*MAC*"
//| alter abc = json_extract(affected_hosts ,"$.version")
| fields severity,name,description,affected_products,type,severity_score,os_type,affected_hosts_count,affected_hosts,modification_date,publication_date,exploitability_score
| sort desc severity_score, desc name

This returns Macbooks only but hostname_count field needs work and affected_products also.
Would be even nicer to have one row with all the Macbook name for each CVE instead of each Macbook having its own row.