03-23-2026 06:18 AM
Looking to add the dynamic groups assigned to endpoints as a field in an XQL query. Here is what I have right now below. I'm unable to figure out if there is a way to get the dynamic group names in there. That would help us find machines easier than using the GUI method as this is a single report instead of trying to combine multiple exports due to versioning. Right now its export this, then export full endpoints database and then carry over the group column with a diff-merge, would be nice to do it all at once.
config case_sensitive = false
| dataset = host_inventory
| filter applications != null
| arrayexpand applications
| alter applicationName = applications -> application_name
| filter applicationName contains "TargetApplication"
| alter applicationVersion = applications -> version
| alter version_1major = to_integer(arrayindex(split(applicationVersion, "."),0))
| alter version_2minor = to_integer(arrayindex(split(applicationVersion, "."),1))
| alter version_3patch = to_integer(arrayindex(split(applicationVersion, "."),2))
| alter version_4hotfix = to_integer(arrayindex(split(applicationVersion, "."),3))
| fields applicationName, applicationVersion, ip_addresses, host_name, version_*, applications
| dedup host_name
Cortex XDR
03-23-2026 07:11 AM
Hello @J.Suter ,
Greetings for the day.
Yes, you can include both dynamic and static group names assigned to endpoints by joining your host_inventory query with the endpoints dataset.
In Cortex XDR/XSIAM, endpoint group membership is stored in the group_names field within the endpoints dataset. This field is an array, since an endpoint can belong to multiple groups at the same time.
To incorporate this into your report, you can use a join stage. The most reliable join key between host_inventory and endpoints is endpoint_id.
Here is your updated query:
Field Type:group_names is an array. If you want to filter for a specific group, use:
endpoints dataset is typically updated about once per hour. This can cause slight differences between the “All Endpoints” UI and XQL results if group assignments were recently changed.Alternative Format:
If you want each group to appear as a separate row, add:
after the join.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
03-23-2026 07:35 AM
It looks like it should work but throws errors:
Line #9 "endpoint.id is not a valid value"
Line #15 "ep.group_names is not a valid value"
I tried massaging it a little to get it to work and nothing, didnt know you can join datasets. If we can get this working this is the solution.
03-23-2026 11:15 AM
Hello @J.Suter ,
Thank you for the response.
I recommend reaching out to your Account Team, Solution Consultant, or Sales Engineer. They will be able to assist you in constructing the XQL query based on your specific requirements.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
