08-04-2022 01:40 AM
Hello Community,
I'm been using the platform for a couple months and recently I'm getting interested in XQL query.
My question is how to I simplify the search string if i have multiple values that I need to insert?
With the example below, i'm looking to simply the filter section to filter action_device_usb_vendor_name "vendor_A, vendor_B, vendor_C". The issue is i'm not sure what is the right delimiter for it.
E.g.
config timeframe = 7d
| dataset = xdr_data
| filter action_device_usb_vendor_name = "vendor_A" or action_device_usb_vendor_name = "vendor_B" or action_device_usb_vendor_name = "vendor_C"
| fields X, Y, Z
Thanks in advance.
Cortex XDR
08-04-2022 05:40 AM
I think what you are looking for it the "in" operator.
config timeframe = 7d
| dataset = xdr_data
| filter action_device_usb_vendor_name in ("vendor_A", "vendor_B", "vendor_C")
| fields X, Y, Z
08-04-2022 05:40 AM
I think what you are looking for it the "in" operator.
config timeframe = 7d
| dataset = xdr_data
| filter action_device_usb_vendor_name in ("vendor_A", "vendor_B", "vendor_C")
| fields X, Y, Z
08-04-2022 05:55 AM
OMG, this is it! The query is tidy and clean now. Thank you!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
