Overview
PQL queries are always evaluated in a context, e.g. the case being handled or a newly created incident. Every identifier in a query refers to a field of that context, so the same query can match in one context and not in another.
Types
Literals
- Strings ('hello', "foo bar"): single or double quotes
- Integers (1, 2, 5123)
- Floats (1.0, 0.009)
- Dates (now(), date("yyyy-MM-dd'T'HH:mm:ss'Z'")): see the date functions below
- Intervals ('1d', '24h', '1440m'): an integer followed by one modifier
  - can be negative ('-7d', '-1w')
  - valid modifiers: [w]eek, [d]ay, [h]our, [m]inute

Identifiers
Identifiers reference a field of the context. Nested fields are addressed with dot notation, list elements with an index in square brackets:
- Simple (event_count)
- Dicts (malware.name)
- Lists (reporters[0])

Logical expressions
- Operators: AND, OR
- Parentheses: a AND (b OR c)
- Negation: a AND NOT b
- Existence: a IS NULL, b IS NOT NULL, c IS KEY, d IS NOT KEY. IS KEY and IS NOT KEY test whether the field exists in the context at all; IS NULL and IS NOT NULL test whether it is empty.

Relational operators
< > <= >= == !=

Functions
- between(<value>, <lower>, <upper>) - true if value lies between the two bounds
  - between(event_count, 0, 999)
- format(<format_string>, <object...> args) - returns a string; the %s / %d placeholders are filled with the arguments in order
  - format('client_id is %s, event_count is %d', case.client_id, case.event_count)
- in_cidr(<hex_field>, <cidr_range>) - true if the IP address (taken from its hex field) lies within the CIDR range
  - in_cidr(resources.ip.hex, "127.0.0.0/21")
- nettag(<hex_field>, <tag>) - true if the network of the IP address carries the given tag
  - nettag(resources.ip[0].hex, "Dynamic")
- infected(<malware_name>, <name>) - normalized malware name check
  - infected(malware.name, "Zeus")
- contains(<list_or_string>, <element>) - list membership or substring match
  - contains(['foo', 'bar', 'baz'], 'bar')
  - contains('foobarbaz', 'oob')
- current_user() - returns the current user's name
- now() - returns this instant as a date object
- date_diff(<date_from>, <date_to>) - returns an interval (date_from minus date_to)
  - date_diff(now(), last_event_date)
  - date_diff(now(), yesterday) == interval('1d')
- date_add(<date>, <interval>) - returns a date object
  - date_add(now(), '24h')
  - date_add(now(), '-1d')
- interval(<interval_string>) - returns an interval object
  - interval('1d')
  - interval('24h')
  - interval('90m')
  - interval('-4w')
- date(<date_string>) - returns a date object; the string must be in the format yyyy-MM-dd'T'HH:mm:ss'Z'
  - date("yyyy-MM-dd'T'HH:mm:ss'Z'")
- date_format(<date>, <format_string>) - returns the date as a string in the format specified by format_string
  - date_format(now(), "yyyy-MM-dd'T'HH:mm:ss'Z'")

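The block below is an added reference implementation, in Python, of the interval and date literals and of the functions listed above; it is not Abusix's code, and its internal rules are assumptions chosen to match the examples on this page: interval() accepts an integer followed by exactly one of the four modifiers and rejects anything else, date() parses only the documented yyyy-MM-dd'T'HH:mm:ss'Z' form, the Java-style pattern letters are translated to strftime codes for date_format(), in_cidr() expects the hex field to hold the address as 8 hex digits for IPv4 or 32 for IPv6, infected() compares names after lower-casing and dropping punctuation, and format() is named pql_format here so it does not shadow Python's builtin. nettag() depends on Abusix's network tag data and is left out. FUNCTIONS maps the PQL names to these implementations.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

_INTERVAL = re.compile(r"^(-?\d+)([wdhm])$")  # integer plus exactly one modifier; may be negative
_UNITS = {"w": timedelta(weeks=1), "d": timedelta(days=1), "h": timedelta(hours=1), "m": timedelta(minutes=1)}
# The Java-style pattern letters this page uses, mapped to strftime/strptime codes (subset only; assumed).
_JAVA_TO_C = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}
DATE_INPUT = "yyyy-MM-dd'T'HH:mm:ss'Z'"  # the only input format the page documents for date()


def interval(text):
    """'1d', '24h', '90m', '-4w' -> timedelta; an existing timedelta passes through unchanged."""
    if isinstance(text, timedelta):
        return text
    m = _INTERVAL.match(text.strip())
    if not m:
        raise ValueError(f"invalid interval {text!r}: expected <integer>[w|d|h|m]")
    return int(m.group(1)) * _UNITS[m.group(2)]


def java_pattern(pattern):
    """Translate a Java-style date pattern to C-style; quoted text such as 'T' and 'Z' is kept literally."""
    return re.sub(r"'([^']*)'|yyyy|MM|dd|HH|mm|ss",
                  lambda m: m.group(1) if m.group(1) is not None else _JAVA_TO_C[m.group(0)], pattern)


def date(text):
    """Parse a timestamp such as 2024-05-01T12:00:00Z into an aware UTC datetime."""
    return datetime.strptime(text, java_pattern(DATE_INPUT)).replace(tzinfo=timezone.utc)


def date_format(d, pattern):
    return d.strftime(java_pattern(pattern))


def date_add(d, iv):
    return d + interval(iv)  # accepts the literal '24h' as well as an interval object


def date_diff(d_from, d_to):
    return d_from - d_to  # documented as from minus to: date_diff(now(), yesterday) == interval('1d')


def between(value, low, high):
    return low <= value <= high  # bounds inclusive (assumed)


def contains(haystack, needle):
    return needle in haystack  # list membership or substring, matching the page's two examples


def pql_format(format_string, *args):
    return format_string % args  # %s / %d placeholders as in the page's example


def in_cidr(hex_field, cidr):
    """hex_field is the address as hex digits (assumed: 8 digits for IPv4, 32 for IPv6)."""
    cls = ipaddress.IPv4Address if len(hex_field) == 8 else ipaddress.IPv6Address
    return cls(int(hex_field, 16)) in ipaddress.ip_network(cidr, strict=False)


def infected(malware_name, wanted):
    """Normalized name check: case, whitespace and punctuation are ignored (assumed normalization)."""
    def norm(s):
        return re.sub(r"[^a-z0-9]", "", s.lower())
    return norm(malware_name) == norm(wanted)


FUNCTIONS = {  # PQL name -> implementation; current_user() needs the runtime context and is left out
    "between": between, "format": pql_format, "in_cidr": in_cidr, "infected": infected,
    "contains": contains, "now": lambda: datetime.now(timezone.utc), "date": date,
    "date_diff": date_diff, "date_add": date_add, "interval": interval, "date_format": date_format,
}
```

Two details worth keeping in mind when reading the page's examples against this implementation: an interval that fails the `<integer>[w|d|h|m]` check raises instead of silently evaluating to zero, and in_cidr() never raises on a version mismatch, so an IPv4 address tested against an IPv6 range is simply not in it.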
Examples
type_counts[0].name == 'copyright'
event_count < 2 AND date_diff(now(), last_event_date) < interval('1h')
current_user() == 'superuser'
timeout_date < now()


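As an added example (not part of this page or of Abusix's implementation), the following Python code parses and evaluates the grammar described above, from the literal and identifier types through AND/OR/NOT with parentheses, the relational operators, IS [NOT] NULL / IS [NOT] KEY and function calls, against a plain dict standing in for the context, and runs the examples listed above. Assumptions beyond what the page states: keywords match case-insensitively, OR binds weaker than AND, which binds weaker than NOT and the comparisons, a comparison that involves a missing field is false, and the PQL functions are supplied by the caller as a dict of callables, so now(), interval() and the rest are whatever the caller passes in.

```python
import re

MISSING = object()  # sentinel: the identifier path does not exist in the context
OPS = {"<": lambda a, b: a < b, ">": lambda a, b: a > b, "<=": lambda a, b: a <= b,
       ">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
PREC = {"OR": 1, "AND": 2, **dict.fromkeys(OPS, 3)}  # binding strength, weakest first
TOKEN = re.compile(r"""(?P<num>\d+\.\d+|\d+)|(?P<str>'[^']*'|"[^"]*")|(?P<ws>\s+)
    |(?P<ident>[A-Za-z_]\w*(?:\[\d+\]|\.[A-Za-z_]\w*)*)|(?P<op><=|>=|==|!=|[<>(),])|(?P<bad>.)""", re.X)


class Parser:
    """Precedence climbing over the token list; keywords are matched case-insensitively."""
    def __init__(self, src):
        # Lex into (kind, text) pairs named by the regex groups; a 'bad' token is a stray character.
        toks = [(m.lastgroup, m.group()) for m in TOKEN.finditer(src) if m.lastgroup != "ws"]
        self.toks, self.i = toks + [("eof", "")], 0

    def peek(self):
        return self.toks[self.i][1].upper()

    def take(self, *want):
        kind, text = self.toks[self.i]
        if kind == "bad" or (want and text.upper() not in want):
            raise SyntaxError(f"unexpected {text!r}" + (f", expected one of {want}" if want else ""))
        self.i += 1
        return kind, text

    def expr(self, min_prec=1):
        left = self.primary()
        while True:
            op = self.peek()
            if op == "IS":  # postfix existence test: x IS [NOT] NULL, x IS [NOT] KEY
                self.take()
                neg = bool(self.peek() == "NOT" and self.take())
                left = ("is", left, self.take("NULL", "KEY")[1].upper(), neg)
            elif op in PREC and PREC[op] >= min_prec:
                self.take()
                left = (op.lower(), left, self.expr(PREC[op] + 1))
            else:
                return left

    def primary(self):
        kind, text = self.take()
        if kind == "num":
            return ("lit", float(text) if "." in text else int(text))
        if kind == "str":
            return ("lit", text[1:-1])
        if text.upper() == "NOT":  # prefix NOT: tighter than AND/OR, looser than comparisons
            return ("not", self.expr(3))
        if kind == "ident" and self.peek() == "(":  # function call: name(arg, ...)
            self.take()
            args = [] if self.peek() == ")" else [self.expr()]
            while self.peek() == ",":
                self.take()
                args.append(self.expr())
            node = ("call", text, args)
        elif kind == "ident":
            return ("ident", text)
        elif text == "(":
            node = self.expr()
        else:
            raise SyntaxError(f"unexpected {text!r}")
        self.take(")")
        return node


def resolve(ctx, path):
    """Walk 'resources.ip[0].hex' through nested dicts and lists; MISSING if any step fails."""
    cur = ctx
    try:
        for part in path.replace("[", ".").replace("]", "").split("."):
            cur = cur[int(part)] if part.isdigit() else cur[part]
    except (KeyError, IndexError, TypeError):
        return MISSING
    return cur


def evaluate(node, ctx, funcs):
    """Evaluate an AST against the context dict; funcs maps PQL function names to callables."""
    ev, tag = (lambda n: evaluate(n, ctx, funcs)), node[0]
    if tag in ("lit", "ident"):
        return node[1] if tag == "lit" else resolve(ctx, node[1])
    if tag == "call":
        return funcs[node[1]](*map(ev, node[2]))
    if tag == "not":
        return not ev(node[1])
    if tag in ("and", "or"):
        a, b = bool(ev(node[1])), bool(ev(node[2]))  # both sides evaluated; queries have no side effects
        return a and b if tag == "and" else a or b
    if tag == "is":
        v = ev(node[1])
        return node[3] != (v is not MISSING if node[2] == "KEY" else v is MISSING or v is None)
    a, b = ev(node[1]), ev(node[2])  # relational operator; an absent field never matches
    return a is not MISSING and b is not MISSING and OPS[tag](a, b)


def query(src, ctx, funcs):
    """Parse one PQL query and evaluate it; input left over after the expression is a SyntaxError."""
    parser = Parser(src)
    node, _ = parser.expr(), parser.take("")  # take("") accepts only the eof token
    return evaluate(node, ctx, funcs)
```

query(src, ctx, funcs) evaluates one query, for instance query("timeout_date < now()", {"timeout_date": 5}, {"now": lambda: 6}); Parser(src).expr() returns the AST as nested tuples, such as ('and', ('<', ('ident', 'x'), ('lit', 1)), ('not', ('ident', 'y'))) for x < 1 AND NOT y, which is handy for checking how a query was bracketed. The examples above run unchanged once funcs contains now, date_diff, interval and current_user, and a stray character such as ; or = on its own is reported as a SyntaxError rather than ignored.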