Parrot Querry Language PQL

Overview

PQL Queries are always executed in a context, e.g., the case or a new incident

Types

literals

• Strings ('hello', "foo bar")

• Integers (1, 2, 5123)

• Floats (1.0, 0.009)

• Dates (now(), date("yyyy-MM-dd'T'HH:mm:ss'Z'"))

• Intervals ('1d', '24h', '1440m')
• can be negative ('-7d', '-1w)
• valid modifiers: [w]eek, [d]ay, [h]our, [m]inute
 

Identifiers

reference a field in the context

• Simple (event_count)

• Dicts (malware.name)

• Lists (reporters[0])

logical expressions

• Operators: AND, OR

• Parenthesis a AND (b OR c)

• Negation a AND NOT b

• existence: a IS NULL, b is NOT NULL, c IS KEY, d IS NOT KEY

Relational operators

< > <= >= !=

Functions

• between(, , )
• between(event_count, 0, 999)

• format(<format_string>, <object...> args)
• format('client_id is %s, event_count is %d', case.client_id, case.event_count)

• in_cidr(<hex_field>, <cidr_range>)
• in_cidr(resources.ip.hex, "127.0.0.0/21")

• nettag(<hex_field>, )
• nettag(resources.ip[0].hex, "Dynamic")

• infected(, ) - normalized malware name check
• infected(malware.name, "Zeus")

• contains(, )
• contains(['foo', 'bar', 'baz'], 'bar')
• contains('foobarbaz', 'oob')

• current_user() - returns the current user's name

• now() - returns this instant as a date object

• date_diff(<date_from>, <date_to>) - returns an interval (from-to)
• date_diff(now(), last_event_date)
• date_diff(now(), yesterday) == interval("-1d")

• date_add(, <interval) - returns a date object
• date_add(now(), '24h')
• date_add(now(), '-1d')

• interval()
• interval('1d')
• interval('24h')
• interval('90m')
• interval('-4w')

• date() - returns a date object
• date("yyyy-MM-dd'T'HH:mm:ss'Z'")

• date_format(, <format_string>) - returns a string in a format specified by format_string.
• date("yyyy-MM-dd'T'HH:mm:ss'Z'")
 

Examples

type_counts[0].name == 'copyright'

event_count < 2 AND date_diff(now()

last_event_date) < interval('1h')

current_user() == 'superuser'

timeout_date < now()