
# Parrot Query Language (PQL)

## **Overview**

PQL queries are always executed in a context, e.g., the case or a new incident.

## **Types**

**literals**

* Strings ('hello', "foo bar")
* Integers (1, 2, 5123)
* Floats (1.0, 0.009)
* Dates (now(), date("yyyy-MM-dd'T'HH:mm:ss'Z'"))
* Intervals ('1d', '24h', '1440m')
  * can be negative ('-7d', '-1w')
  * valid modifiers: \[w]eek, \[d]ay, \[h]our, \[m]inute

**Identifiers**\
reference a field in the context

* Simple (event\_count)
* Dicts (malware.name)
* Lists (reporters\[0])

**logical expressions**

* Operators: AND, OR
* Parentheses: a AND (b OR c)
* Negation: a AND NOT b
* Existence: a IS NULL, b IS NOT NULL, c IS KEY, d IS NOT KEY

**Relational operators**

\< > \<= >= !=

**Functions**

* between(, , )
  * between(event\_count, 0, 999)
* format(\<format\_string>, \<object…> args)
  * format('client\_id is %s, event\_count is %d', case.client\_id, case.event\_count)
* in\_cidr(\<hex\_field>, \<cidr\_range>)
  * in\_cidr(resources.ip.hex, "127.0.0.0/21")
* nettag(\<hex\_field>, )
  * nettag(resources.ip\[0].hex, "Dynamic")
* infected(, ) – normalized [malware](https://abusix.com/glossary/malware/) name check
  * infected(malware.name, "Zeus")
* contains(, )
  * contains(\['foo', 'bar', 'baz'], 'bar')
  * contains('foobarbaz', 'oob')
* current\_user() – returns the current user’s name
* now() – returns this instant as a date object
* date\_diff(\<date\_from>, \<date\_to>) – returns an interval (from-to)
  * date\_diff(now(), last\_event\_date)
  * date\_diff(now(), yesterday) == interval("-1d")
* date\_add(, \<interval>) – returns a date object
  * date\_add(now(), '24h')
  * date\_add(now(), '-1d')
* interval()
  * interval('1d')
  * interval('24h')
  * interval('90m')
  * interval('-4w')
* date() – returns a date object
  * date("yyyy-MM-dd'T'HH:mm:ss'Z'")
* date\_format(, \<format\_string>) – returns a string in a format specified by format\_string.
  * date("yyyy-MM-dd'T'HH:mm:ss'Z'")

**Examples**

> type\_counts\[0].name == 'copyright'\
> event\_count \< 2 AND date\_diff(now(), last\_event\_date) \< interval('1h')\
> current\_user() == 'superuser'\
> timeout\_date \< now()
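
The interval literals and date functions described above, modelled in Python as an added example (not Abusix's implementation and not code from this page). It assumes an interval literal is a single optionally negative integer followed by one unit letter, and that date\_diff returns "to minus from", which is what the page's date\_diff(now(), yesterday) == interval("-1d") example implies; `is_stale` is a hypothetical helper.

```python
import re
from datetime import datetime, timedelta, timezone

# Units listed on the page: [w]eek, [d]ay, [h]our, [m]inute.
_UNITS = {"w": "weeks", "d": "days", "h": "hours", "m": "minutes"}
# Assumption: one optionally negative integer followed by one unit letter,
# the only shape the page shows ('1d', '24h', '-4w').
_INTERVAL_RE = re.compile(r"(-?)(\d+)([wdhm])")


def interval(literal: str) -> timedelta:
    """Parse an interval literal; reject anything outside the documented shape."""
    match = _INTERVAL_RE.fullmatch(literal)
    if match is None:
        raise ValueError(f"not a valid interval literal: {literal!r}")
    sign, digits, unit = match.groups()
    value = int(digits) * (-1 if sign else 1)
    return timedelta(**{_UNITS[unit]: value})


def date_add(date: datetime, literal: str) -> datetime:
    """Shift a date by a (possibly negative) interval literal."""
    return date + interval(literal)


def date_diff(date_from: datetime, date_to: datetime) -> timedelta:
    """Assumed sign: to minus from, so date_diff(now, yesterday) == interval('-1d')."""
    return date_to - date_from


def is_stale(last_event_date: datetime, now: datetime, max_age: str) -> bool:
    """Hypothetical rule: true when the last event is older than max_age (e.g. '7d')."""
    # Earlier date first, so the difference is a positive age.
    return date_diff(last_event_date, now) > interval(max_age)


if __name__ == "__main__":
    now = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)  # constructed instant
    yesterday = date_add(now, "-1d")
    print(interval("1d") == interval("24h") == interval("1440m"))
    print(date_diff(now, yesterday) == interval("-1d"))
    print(is_stale(date_add(now, "-2w"), now, "7d"))
```

Under this reading, a past date diffed from now() is negative and therefore compares below any positive interval such as interval('1h'). Put the earlier date first when the rule is meant to test an age.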
