Parrot Query Language (PQL)
Overview
PQL queries are always evaluated in a context, e.g. the case or a new incident; identifiers in a query refer to fields of that context.
Types
Literals
- Strings ('hello', "foo bar")
- Integers (1, 2, 5123)
- Floats (1.0, 0.009)
- Dates (now(), date("yyyy-MM-dd'T'HH:mm:ss'Z'"))
- Intervals ('1d', '24h', '1440m')
  - can be negative ('-7d', '-1w')
  - valid modifiers: [w]eek, [d]ay, [h]our, [m]inute
Identifiers
reference a field in the context
- Simple (event_count)
- Dicts (malware.name)
- Lists (reporters[0])
Logical expressions
- Operators: AND, OR
- Parentheses: a AND (b OR c)
- Negation: a AND NOT b
- Existence: a IS NULL, b IS NOT NULL, c IS KEY, d IS NOT KEY
Relational operators
== != < > <= >=
Functions
- between(, , )
  - between(event_count, 0, 999)
- format(<format_string>, <object…> args)
  - format('client_id is %s, event_count is %d', case.client_id, case.event_count)
- in_cidr(<hex_field>, <cidr_range>)
- nettag(<hex_field>, )
  - nettag(resources.ip[0].hex, "Dynamic")
- infected(, ) – normalized malware name check
  - infected(malware.name, "Zeus")
- contains(, )
  - contains(['foo', 'bar', 'baz'], 'bar')
  - contains('foobarbaz', 'oob')
- current_user() – returns the current user's name
- now() – returns this instant as a date object
- date_diff(<date_from>, <date_to>) – returns an interval (from-to)
  - date_diff(now(), last_event_date)
  - date_diff(now(), yesterday) == interval("-1d")
- date_add(, <interval>) – returns a date object
  - date_add(now(), '24h')
  - date_add(now(), '-1d')
- interval()
  - interval('1d')
  - interval('24h')
  - interval('90m')
  - interval('-4w')
- date() – returns a date object
  - date("yyyy-MM-dd'T'HH:mm:ss'Z'")
- date_format(, <format_string>) – returns a string in the format specified by format_string
  - date("yyyy-MM-dd'T'HH:mm:ss'Z'")
Examples
- type_counts[0].name == 'copyright'
- event_count < 2 AND date_diff(now(), last_event_date) < interval('1h')
- current_user() == 'superuser'
- timeout_date < now()
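To make the reference concrete, the following is an added evaluator for the PQL subset described above (literals, dotted and indexed identifiers, AND/OR/NOT, IS NULL / IS KEY, the relational operators and the function examples); it is not Parrot's own implementation. Because PQL's expression syntax coincides with Python's once AND, OR, NOT and IS are lower-cased (string literals are left alone), the example lets Python's parser build the syntax tree and then walks that tree with an explicit whitelist of node types and function names instead of calling eval(), so a query can only reach the context dict and the listed functions. Everything the page does not state is an assumption: the precedence (NOT binds tightest, then AND, then OR), that an absent field counts as NULL as well as NOT KEY and never satisfies a relational test, that date_diff returns from minus to as the "(from-to)" wording suggests, and the SAMPLE_CASE and FIXED_NOW data, which are constructed. in_cidr, nettag, infected, date and date_format are left out because the page does not specify the hex encoding, the tag data or the date pattern semantics.

```python
import ast
import operator
import re
from datetime import datetime, timedelta, timezone

MISSING = object()  # sentinel: the identifier is absent from the context altogether
KEYWORDS = re.compile(r"'[^']*'|\"[^\"]*\"|\b(AND|OR|NOT|IS)\b", re.I)
OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
       ast.Gt: operator.gt, ast.LtE: operator.le, ast.GtE: operator.ge}
UNIT = {"w": "weeks", "d": "days", "h": "hours", "m": "minutes"}


def interval(text):
    """Interval literal: optional '-', digits, then [w]eek, [d]ay, [h]our or [m]inute."""
    m = re.fullmatch(r"(-?)(\d+)([wdhm])", text)
    if not m:
        raise ValueError(f"bad interval literal {text!r}")
    return (-1 if m[1] else 1) * timedelta(**{UNIT[m[3]]: int(m[2])})


def parse(query):
    """PQL's expression syntax is a subset of Python's once AND/OR/NOT/IS are lower-cased
    (string literals are left alone), so Python's parser builds the tree; nothing is eval'd."""
    python_src = KEYWORDS.sub(lambda m: m[1].lower() if m[1] else m[0], query)
    return ast.parse(python_src, mode="eval").body


def lookup(node, ctx):
    """Resolve identifiers: simple (event_count), dicts (malware.name), lists (reporters[0])."""
    if isinstance(node, ast.Name):
        return ctx.get(node.id, MISSING)
    if isinstance(node, ast.Attribute):
        base = lookup(node.value, ctx)
        return base.get(node.attr, MISSING) if isinstance(base, dict) else MISSING
    if isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Constant):
        base, idx = lookup(node.value, ctx), node.slice.value
        if isinstance(base, list) and isinstance(idx, int) and 0 <= idx < len(base):
            return base[idx]
        return MISSING
    raise ValueError(f"unsupported identifier form: {type(node).__name__}")


class Evaluator:
    """Walks the AST with an explicit whitelist of node types and function names."""

    def __init__(self, ctx, user="analyst", now=None):
        self.ctx, self.user, self.now = ctx, user, now or datetime.now(timezone.utc)
        self.funcs = {"now": lambda: self.now, "current_user": lambda: self.user,
                      "interval": interval, "between": lambda x, lo, hi: lo <= x <= hi,
                      "contains": lambda hay, needle: needle in hay,
                      "format": lambda fmt, *rest: fmt % rest,
                      "date_add": lambda d, iv: d + (iv if isinstance(iv, timedelta) else interval(iv)),
                      "date_diff": lambda frm, to: frm - to}  # follows the "(from-to)" wording

    def visit(self, node):
        if isinstance(node, ast.Constant):  # strings, integers, floats
            return node.value
        if isinstance(node, ast.List):  # list literal, as in contains(['foo', 'bar'], 'bar')
            return [self.visit(e) for e in node.elts]
        if isinstance(node, ast.BoolOp):  # AND / OR (every operand is evaluated)
            vals = [self.visit(v) for v in node.values]
            vals = [v is not MISSING and bool(v) for v in vals]  # assumed: an absent field is falsy
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            v = self.visit(node.operand)
            return v is MISSING or not v
        if isinstance(node, ast.Compare):
            return self.compare(node)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords:
            return self.funcs[node.func.id.lower()](*[self.visit(a) for a in node.args])  # KeyError if unknown
        if isinstance(node, (ast.Name, ast.Attribute, ast.Subscript)):
            return lookup(node, self.ctx)
        raise ValueError(f"syntax not allowed in PQL: {type(node).__name__}")

    def compare(self, node):
        left = self.visit(node.left)
        for op, rhs in zip(node.ops, node.comparators):
            if isinstance(op, (ast.Is, ast.IsNot)):  # x IS [NOT] NULL / KEY
                absent = left is MISSING  # assumed: an absent field is NULL as well as NOT KEY
                res = {"NULL": left is None or absent, "KEY": not absent}[getattr(rhs, "id", "").upper()]
                return res if isinstance(op, ast.Is) else not res
            right = self.visit(rhs)
            if left is MISSING or right is MISSING or not OPS[type(op)](left, right):
                return False  # assumed: an absent field never satisfies a relational test
            left = right
        return True


def evaluate(query, ctx, user="analyst", now=None):
    return Evaluator(ctx, user, now).visit(parse(query))


# Constructed sample context (not real case data) plus a fixed "now" so results are reproducible.
SAMPLE_CASE = {"type_counts": [{"name": "copyright"}], "event_count": 1, "malware": {"name": None},
               "last_event_date": datetime(2024, 1, 1, 11, 30, tzinfo=timezone.utc),
               "timeout_date": datetime(2023, 12, 31, tzinfo=timezone.utc),
               "reporters": ["abuse@example.com"]}
FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
```

With the sample context, `evaluate("event_count < 2 AND date_diff(now(), last_event_date) < interval('1h')", SAMPLE_CASE, now=FIXED_NOW)` returns True (one event, 30 minutes old), `evaluate("malware.name IS NULL", SAMPLE_CASE)` and `evaluate("malware.name IS KEY", SAMPLE_CASE)` are both True because the key exists with a null value, while `evaluate("malware.family IS KEY", SAMPLE_CASE)` is False. Passing `now` explicitly is what makes time-based rules testable; the distinction between a null value and an absent key is the reason the evaluator carries a separate MISSING sentinel rather than reusing None.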