👋 How can we help you?

Parrot Querry Language PQL

PQL Queries are always executed in a context, e.g. the case or a new incident

Last updated on Invalid Date

Overview

PQL Queries are always executed in a context, e.g. the case or a new incident

Types

literals

  • Strings ('hello', "foo bar")
  • Integers (1, 2, 5123)
  • Floats (1.0, 0.009)
  • Dates (now(), date("yyyy-MM-dd'T'HH:mm:ss'Z'"))
  • Intervals ('1d', '24h', '1440m')
    • can be negative ('-7d', '-1w)
    • valid modifiers: [w]eek, [d]ay, [h]our, [m]inute
    •  

Identifiers

reference a field in the context

  • Simple (event_count)
  • Dicts (malware.name)
  • Lists (reporters[0])
 

logical expressions

  • Operators: AND, OR
  • Parenthesis a AND (b OR c)
  • Negation a AND NOT b
  • existence: a IS NULL, b is NOT NULL, c IS KEY, d IS NOT KEY
 

Relational operators

< > <= >= !=

 

Functions

  • between(, , )
    • between(event_count, 0, 999)
  • format(<format_string>, <object...> args)
    • format('client_id is %s, event_count is %d', case.client_id, case.event_count)
  • in_cidr(<hex_field>, <cidr_range>)
    • in_cidr(resources.ip.hex, "127.0.0.0/21")
  • nettag(<hex_field>, )
    • nettag(resources.ip[0].hex, "Dynamic")
  • infected(, ) - normalized malware name check
    • infected(malware.name, "Zeus")
  • contains(, )
    • contains(['foo', 'bar', 'baz'], 'bar')
    • contains('foobarbaz', 'oob')
  • current_user() - returns the current user's name
  • now() - returns this instant as a date object
  • date_diff(<date_from>, <date_to>) - returns an interval (from-to)
    • date_diff(now(), last_event_date)
    • date_diff(now(), yesterday) == interval("-1d")
  • date_add(, <interval) - returns a date object
    • date_add(now(), '24h')
    • date_add(now(), '-1d')
  • interval()
    • interval('1d')
    • interval('24h')
    • interval('90m')
    • interval('-4w')
  • date() - returns a date object
    • date("yyyy-MM-dd'T'HH:mm:ss'Z'")
  • date_format(, <format_string>) - returns a string in a format specified by format_string.
    • date("yyyy-MM-dd'T'HH:mm:ss'Z'")
    •  

Examples

type_counts[0].name == 'copyright'event_count < 2 AND date_diff(now(), last_event_date) < interval('1h')current_user() == 'superuser'timeout_date < now()

 
 
 
Did this answer your question?
😞
😐
🤩