
Understand CQL Grammar

CQL grammar is a combination of the following constructs:

  • Parameters: Parameters are different information types present in Intel Exchange such as object type, confidence score, TLP, sightings, tags, created or modified dates, collection name, feed sources, enrichment sources, published date range, risk severity, actions, etc.

  • Conditions: Conditions combine two or more parameters, or chain several clauses, in a single query. CQL supports the AND and OR conditions.

  • Operators: Operators relate a parameter to a value. Operators include =, >, <, >=, <=, !=, CONTAINS, IN, NOT IN, RANGE, BEGINS WITH, ENDS WITH, MATCHES, EXACTLY, and ONLY IN.

Note

The examples of the CQL parameters, conditions, and operators provided below are for representation purposes only.

Parameters define the fields you can query in CQL. You use parameters to specify the attributes of threat data, such as identifiers, dates, and relationships. Each parameter supports specific operators depending on its type.

Parameter

Description

Example

Object Type

STIX-type threat data objects are available in Intel Exchange. An object type includes Indicator, Malware, Attack Pattern, Threat Actor, Campaign, Course of Action, Vulnerability, Identity, Infrastructure, Intrusion Set, Location, Malware Analysis, Observed Data, Opinion, Tool, Report, Custom Object, and Observables.

Use 'Object Type' = "Indicator" to see all the indicators.

IOC Type

Types of indicators or observables. These are the different types of indicators of compromise. IOC types include Artifact, Autonomous system, Directory, Domain, Email Address, Email Message, IPV4 address, IPV6 address, MAC address, Mutex, Network Traffic, Process, Software, URL, User Account, Windows registry key, X509 certificate, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, and SSDEEP.

Use 'Object Type' = "indicator" AND 'IOC Type' = "ipv4 addr" to see indicators that are IPv4 addresses.

Custom Object Type (Supported Version: v3.7.5 and later)

Filter threat data based on the custom object subtypes, which include those created manually or ingested from external sources.

Use 'Object Type' = "Custom Object" AND 'Custom Object Type' = "bundle-object" to see custom objects that have the subtype bundle-object.

Source

Feed sources from which Intel Exchange receives threat intel. Feed sources include the sources configured in Integration Management in the application.

Use 'Object Type' = "Indicator" AND 'IOC Type' = "ipv4 addr" AND 'source' = "Virus Total" to see IPv4 addresses received from the Virus Total feed source.

Source Collections

Collections in Intel Exchange that contain a specific type of threat intel. Source collections include the STIX collections that are part of a feed source in Intel Exchange.

Use 'Object Type' = "Indicator" AND 'IOC Type' = "ipv4 addr" AND 'source' = "Virus Total" AND 'source_collection' = "Emerging Threats-Compromised" to see all IPv4 addresses received from Virus Total that are part of the Emerging Threats-Compromised collection.

Source Confidence

Classification of the source for IOCs based on the source confidence score. Source confidence values include high, medium, low, or none.

Use 'Object Type' = "Indicator" AND 'Source Confidence' = "HIGH" to see indicators that are classified as highly malicious based on their source confidence score.

Source Confidence Value

A numeric filter that represents the confidence level of a threat source, ranging from 0 to 100. A value of 0 indicates non-malicious data, while 100 indicates highly malicious data.

Use 'Object Type' = "Indicator" AND 'Source Confidence Value' = "100" to see indicators that are classified as highly malicious based on their source confidence value.

Source Created Date

The earliest date on which the threat data object was reported by a source.

Use 'Object Type' = "Indicator" AND 'Source Created Date' RANGE ("July 31, 2022, 12:00 AM","August 15, 2022, 11:59 AM") to see indicators that were reported by a source in a given date range.

Source Modified Date

The latest date on which the threat data object was modified on the source.

Use 'Object Type' = "Indicator" AND 'Source Modified Date' RANGE ("July 31, 2022, 12:00 AM","August 15, 2022, 11:59 AM") to see indicators that were modified by a source in a given date range.

Value

Data or result set. Enter a numeric or text value for any of the selected parameters.

Use 'Object Type' = "Indicator" AND 'Value' = "111.11.112.11" to see details of the indicator 111.11.112.11.

Published Collections

List of published collections in Intel Exchange.

Use 'Object Type' = "Malware" AND 'Published Collection' = "RiskIQ Report" to see malware that is part of the published collection called RiskIQ Report.

Source Type

Types of feed sources defined in Intel Exchange.

Use 'Object Type' = "Malware" AND 'source type' = "STIX" AND 'source_collection' = "Stix collection" to see all malware that is received as part of a STIX Collection.

Published On

Published date.

Use 'Object Type' = "Malware" AND 'Source Type' = "STIX" AND 'source collection' = "malware collection" AND 'Published On' = "date" to see malware published on a particular date as part of the STIX malware collection.

System Created Date

The created date of the threat data in Intel Exchange.

Use 'Object Type' = "Malware" AND 'Created On' = "date" to see malware objects created in Intel Exchange on a particular date.

System Modified Date

The modified date of the threat data in Intel Exchange.

Use 'Object Type' = "Malware" AND 'Modified On' = "date" to see malware objects modified in Intel Exchange on a particular date.

Risk Score

A numeric filter that represents the risk level of an indicator, ranging from 0 to 100. The risk score is automatically assigned to threat indicators based on their potential threat level. A score of 100 indicates that the indicator is highly malicious, while 0 suggests it is non-malicious.

Use 'Object Type' = "Indicator" AND 'Risk Score' RANGE (10,90) to see the indicators that have risk scores between 10 and 90.

TLP

Traffic Light Protocol values, such as RED, AMBER, AMBER + STRICT, GREEN, and CLEAR.

Use 'Object Type' = "Malware" AND 'TLP' = "RED" to see malware classified as RED TLP.

Valid From

Select a date.

Use 'Object Type' = "Indicator" AND 'Valid From' = "Date" to see indicators that are valid from a given date.

Valid Until

Select a date.

Use 'Object Type' = "Indicator" AND 'Valid Until' = "Date" to see indicators that are valid until a given date.

Tags

All the tags are defined in the Intel Exchange application.

Use 'Object Type' = "Vulnerability" AND 'tag' = "CVSS critical" to see vulnerabilities categorized as CVSS critical.

Tag Category

Select the tag category to filter threat data objects. Possible values include User, Source, System, Group, and Privileged Access.

Use 'Object Type' = "Indicator" AND 'Tag Category' = "Group" to view indicators associated with a tag in the Group category.

Analyst Score

The score given by an analyst.

Use 'Object Type' = "Indicator" AND 'Analyst Score' RANGE (10,90) to see indicators with analyst score values between 10 and 90.

Analyst CVSS Score

The CVSS score assigned by an analyst to a vulnerability object.

Use 'Object Type' = "Vulnerability" AND 'Analyst CVSS Score' = "2.3" to see vulnerabilities with a CVSS score of 2.3 assigned by an analyst.

Countries

List of all countries.

Use 'Object Type' = "Indicator" AND 'IOC Type' = "URL" AND 'countries' = "India" to see URLs from India.

First Seen

Select a date.

Use 'Object Type' = "Indicator" AND 'First Seen' = "Date" to see indicators that are first seen on a given date.

Last Seen

Select a date.

Use 'Object Type' = "Indicator" AND 'Last Seen' = "Date" to see indicators that are last seen on a given date.

Deprecated Status

Defines if the object is deprecated or not.

Use 'Object Type' = "Indicator" AND 'Deprecated Status' = "Deprecated" to see deprecated indicators.

Revoke Status

Defines if the indicator is marked as revoked.

Use 'Object Type' = "Indicator" AND 'Revoke Status' = "Yes" to see IOCs marked as revoked.

False Positive Status

Defines if the object is marked false positive or not.

Use 'Object Type' = "Indicator" AND 'False Positive Status' = "False Positive" to see indicators that are marked as false positives.

Reviewed Status

Defines if the object is reviewed or not.

Use 'Object Type' = "Indicator" AND 'Reviewed Status' = "Yes" to see reviewed indicators.

Manual Review

Filters objects that are currently marked for manual review. This filter excludes objects that have already been reviewed.

Use 'Object Type' = "Indicator" AND 'Manual Review' = "Yes" to see indicators currently marked for manual review.

Indicators Allowed Status

Defines if the indicator is allowed or not.

Use 'Object Type' = "Indicator" AND 'Indicators Allowed Status' = "Indicators Allowed" to see indicators whose status is allowed.

Actioned By

The name of the user or rule that has performed an action on the threat data object.

Use 'Object Type' = "Indicator" AND 'Actioned By' = "john.doe@abc.com" AND 'actioned_on' = "date" to see indicators on which John Doe has performed actions on a particular date.

Actioned On

Select a date.

Use 'Object Type' = "Indicator" AND 'Actioned By' = "john.doe@abc.com" AND 'actioned_on' = "date" to see indicators on which John Doe has performed actions on a particular date.

Action Medium

Defines the type of action performed on an object.

Use 'Object Type' = "Indicator" AND 'Action Medium' = "Rule" to see indicators that have been actioned by a rule.

Actioned App Type

Defines the application type.

Use 'Object Type' = "Indicator" AND 'Actioned App Type' = "CTIX" to see indicators that have some action performed on them by the Intel Exchange application.

Actioned App

Defines all the applications integrated with Intel Exchange.

Use 'Object Type' = "Indicator" AND 'Actioned App' = "Alien Vault" to see indicators that have some action performed on them by Alien Vault.

Relation Type

Defines the STIX relationship types.

Use 'Object Type' = "indicator" AND 'Relation Type' = "targets" AND 'Related Object' = "malware" to see indicators that are related to a malware object by the targets relationship type.

Related Object

Select the related object for the primary object. This allows you to focus on specific associations and refine your search.

When you select a related object in a CQL query, all parameters defined after the related object are applied to the related object.

Use 'Object Type' = "Threat Actor" AND 'Relation Type' = "uses" AND 'Related Object' = "Malware" to fetch all threat actors that use a specific malware.

Related Object Value (Supported Version: v3.4.2 and later)

Enter the value of the related object to filter the relevant threat data objects. This parameter is useful when you want to filter objects related to an object with a specific value.

You must provide a related object to use the related object value.

Use 'Object Type' = "Vulnerability" AND 'Related Object' = "Course of Action" AND 'Related Object Value' CONTAINS "google:chrome" to fetch vulnerabilities whose related course of action value contains google:chrome, that is, vulnerabilities fixed by a specific browser.

Related Object Property (Supported Version: v3.4.2 and later)

Select a property of the related object to search for the relevant threat data objects. You can choose from object type, source, IOC type, source type, source collections, and more.

This list automatically appears when you select the Related Object Property parameter.

Use 'Object Type' = "Indicator" AND 'Related Object' = "Malware" AND 'Related Object Property:Source' = "Import" to see indicators that are related to a malware object received into the platform by importing intel.

Has Relations

Select Yes or No to filter objects that either have or don't have relations with other objects.

Use 'Object Type' = "Indicator" AND 'Has Relations' = "Yes" to see all indicators that have relationships defined with other objects.

Enrichment Tools

Defines the enrichment tools configured in Intel Exchange.

Use 'Object Type' = "Indicator" AND 'Enrichment Tool' = "RiskIQ" AND 'Tool Verdict' = "malicious" to see all indicators that have a malicious tool verdict from RiskIQ.

Enriched On

Select a date.

Use 'Object Type' = "Indicator" AND 'Enrichment Tool' = "RiskIQ" AND 'Tool Verdict' = "malicious" AND 'enriched on' = "Date" to see all indicators that have a malicious tool verdict from RiskIQ and that were enriched on a particular date.

Enrichment Verdict

Defines the verdict of the enrichment tool configured in Intel Exchange.

Use 'Object Type' = "Indicator" AND 'Enrichment Tool' = "RiskIQ" AND 'Tool Verdict' = "malicious" to see all indicators that have a malicious tool verdict from RiskIQ.

Enriched Status

Enrichment status of objects.

Use 'Object Type' = "Indicator" AND 'Enriched Status' = "Enriched" to see all indicators that are successfully enriched.

Rules

Rules defined in Intel Exchange.

Use 'Object Type' = "Indicator" AND 'rule' = "import reports" to see all indicators impacted by a given rule.

Custom Attribute

Select from the drop-down list to search for threat data objects that have custom attributes.

Use 'Object Type' = "Vulnerability" AND 'Custom Attribute' = "zero_day" to fetch vulnerabilities that have the zero-day custom attribute.

Custom Attribute Value

Enter the specific custom attribute value to search for threat data objects that have custom attributes with the mentioned value.

Use 'Object Type' = "Vulnerability" AND 'Custom Attribute' = "zero_day" AND 'Custom Attribute Value' = "true" to fetch vulnerabilities that have the zero-day custom attribute set to true.

Custom Attribute Type (Supported Version: v3.4.2 and later)

Enter the type of custom attribute to search for threat data objects that have the same custom attribute type.

You must provide a custom attribute value to search for a custom attribute type.

Use 'Object Type' = "Vulnerability" AND 'Custom Attribute' = "cvss_v3_temporal_score" AND 'Custom Attribute Type' = "Float" AND 'Custom Attribute Value' > "5" to fetch vulnerabilities where the cvss_v3_temporal_score is greater than 5.

Relation Created Date

Set the date and time to search for relationships based on their date of creation.

Use 'Object Type' = "Indicator" AND 'Relation Created Date' = "Timestamp" to search for indicators with relations created on the set date and time.

Relation Modified Date

Set the date and time to search for relationships based on their date of modification.

Use 'Object Type' = "Indicator" AND 'Relation Modified Date' = "Timestamp" to search for indicators with relations modified on the set date and time.

Custom Score

Select the custom score configured in Administration > Configuration > Custom Scores to filter objects that include an assigned value of the selected custom score. 

Use 'Custom Score' = "Relevance Score" to retrieve objects that include an assigned relevance score value.

Custom Score Type

Select the type of custom score, such as integer, text, or single select field, to filter objects. In the CQL query, the Custom Score Type parameter must be followed by the Custom Score Value parameter.

Use 'Custom Score' = "Relevance Score" AND 'Custom Score Type' = "Integer" AND 'Custom Score Value' RANGE (80,90) to retrieve objects with a relevance score between 80 and 90.

Custom Score Value

Enter the value of the selected custom score type to filter objects.

Use 'Custom Score' = "Relevance Score" AND 'Custom Score Type' = "Integer" AND 'Custom Score Value' RANGE (80,90) to retrieve objects with a relevance score between 80 and 90.

CIDR Lookup

Enter an IPv4 or IPv6 address subnet range (CIDR) to filter objects matching the specified range. This also supports IPv6 short-form representations, such as compressed and abbreviated formats.

Use 'CIDR Lookup' = "192.0.2.0/24" to retrieve indicators within the specified CIDR range.

Marking Definitions

Select marking definitions to filter the threat data objects.

Use 'Object Type' = "Indicator" AND 'Marking Definitions' IN ("Highly Confidential") to retrieve indicators marked highly confidential.

Analyst Marking Definitions

Select analyst marking definitions to filter the threat data objects assigned by the analyst.

Use 'Object Type' = "Indicator" AND 'Analyst Marking Definitions' = "ACS1" to retrieve indicators tagged with a specific analyst-assigned definition.

Marking Specification

Select marking specification to filter the threat data objects based on specific criteria.

Use 'Object Type' = "Indicator" AND 'Marking Specification' = "Statement" to retrieve indicators tagged with a specific marking.

Analyst Marking Specification

Select analyst marking specification to filter the threat data objects based on the criteria assigned by the analyst.

Use 'Object Type' = "Threat Actor" AND 'Analyst Marking Specification' = "IEP 2.0" to retrieve threat actors tagged with a specific analyst-assigned marking.

Imported File Date

The date the file was imported into the platform. Use EPOCH timestamp values.

Use 'Source' = "003d51d0-d3fd-4442-aa60-7e3d5ec8d93d::Import" AND 'Imported File On' RANGE ("1751308200000","1752690599000") to retrieve intel imported within a specific date range.

Imported File

Search for objects based on the name or ID of the file from which the data was imported.

Use 'Object Type' = "Indicator" AND 'Imported File' = "sample_indicators.xlsx" to retrieve indicator objects imported from the specified file.

Sighting ID

Search for objects associated with a specific sighting using the sighting identifier.

Use 'Object Type' = "Indicator" AND 'Sighting ID' = "sighting--f7f23d01-dc9d-4c45-bfcb-872c76083da8" to retrieve indicator objects associated with the specified sighting ID.

Has Sighting

Filter objects based on whether they have one or more associated sightings.

Use 'Object Type' = "Malware" AND 'Has Sighting' = "Yes" to retrieve malware objects that have associated sightings.

Sighting Located

Filter objects based on whether associated sightings include location information.

Use 'Object Type' = "Attack Pattern" AND 'Sighting Located' = "Yes" to retrieve attack pattern objects with sightings that include location details.

Sighting Observed

Filter threat data objects based on whether they have associated Observed Data objects through Sighting relationships.

Use 'Object Type' = "Threat Actor" AND 'Sighting Observed' = "Yes" to retrieve threat actor objects with observed sightings.

Sighting First Seen

Search for objects based on the earliest observed timestamp of associated sightings.

Use 'Object Type' = "Indicator" AND 'Sighting First Seen' = "Jan 07, 2026, 12:00 AM" to retrieve indicator objects with sightings first observed at the specified time.

Sighting Last Seen

Search for objects based on the most recent observed timestamp of associated sightings.

Use 'Object Type' = "Malware" AND 'Sighting Last Seen' = "Jan 10, 2026, 09:29 PM" to retrieve malware objects with sightings last observed at the specified time.

Sighting Source Created

Search for objects based on the creation time of the source record associated with a sighting.

Use 'Object Type' = "Threat Actor" AND 'Sighting Source Created' = "Jan 12, 2026, 02:22 PM" to retrieve threat actor objects with sightings whose source record was created at the specified time.

Sighting Source Modified

Search for objects based on the last modified time of the source record associated with a sighting.

Use 'Object Type' = "Indicator" AND 'Sighting Source Modified' = "Jan 10, 2026, 07:10 PM" to retrieve indicator objects with sightings whose source record was modified at the specified time.

Sighting Count

The number of times the STIX Domain Object (SDO) has been observed.

Use 'Object Type' = "Indicator" AND 'Sighting Count' > 4 to retrieve indicators that have been seen more than four times.

Aliases

Search for objects based on alternative names used to identify them.

Use 'Object Type' = "Threat Actor" AND 'Aliases' CONTAINS "test" to retrieve threat actors with aliases that include the specified value.

Kill Chain Phase

Search for objects associated with specific kill chain phases.

Use 'Object Type' = "Malware" AND 'Kill Chain Phase' = "Attack" to retrieve malware associated with the specified kill chain phase.

Is Defanged

Search for objects based on whether their data has been defanged.

Use 'Object Type' = "Indicator" AND 'Is Defanged' = "True" to retrieve indicators that are defanged.

Is Published

Search for objects based on whether they are published to a collection.

Use 'Object Type' = "Indicator" AND 'Is Published' = "True" to retrieve indicators that are published.

Has Alias

Search for objects that have one or more aliases defined.

Use 'Object Type' = "Threat Actor" AND 'Has Aliases' = "True" to search for threat actors that have one or more aliases defined.

Has Analyst Notes

Search for objects that contain analyst notes.

Use 'Object Type' = "Indicator" AND 'Has Analyst Notes' = "True" to search for indicators that contain analyst notes.

Has Tasks

Search for objects that have one or more tasks associated with them.

Use 'Object Type' = "Indicator" AND 'Has Tasks' = "True" to search for indicators that have one or more tasks associated with them.

Objectives

Search for threat actors, intrusion sets, or campaigns based on their objectives or intended outcomes.

Use 'Object Type' = "Threat Actor" AND 'Objective' = "Operations" to search for threat actors based on their objectives or intended outcomes.

Goals

Search for threat actors, intrusion sets, or campaigns based on their high-level goals.

Use 'Object Type' = "Threat Actor" AND 'Goals' = "Financial" to search for threat actors based on their high-level goals.

Infrastructure Type

Search for infrastructure objects based on their infrastructure classification.

Use 'Object Type' = "Infrastructure" AND 'Infrastructure Types' = "Control System" to search for infrastructure objects based on their classification.

Threat Actor Type

Search for threat actors based on their type or classification.

Use 'Object Type' = "Threat Actor" AND 'Threat Actor Type' = "Activist" to search for threat actors based on their type or classification.

Threat Actor Role

Search for threat actors based on the roles they perform.

Use 'Object Type' = "Threat Actor" AND 'Threat Actor Role' = "Agent" to search for threat actors based on the roles they perform.

Sophistication

Search for threat actors based on their level of skill or expertise.

Use 'Object Type' = "Threat Actor" AND 'Sophistication' = "Advanced" to search for threat actors based on their level of skill or expertise.

Resource Level

Search for threat actors based on the level of resources available to them.

Use 'Object Type' = "Threat Actor" AND 'Resource Level' = "Organization" to search for threat actors based on the level of resources available to them.

Primary Motivation

Search for threat actors, intrusion sets, or campaigns based on their primary motivation.

Use 'Object Type' = "Threat Actor" AND 'Primary Motivation' = "Ideology" to search for threat actors based on their primary motivation.

Secondary Motivation

Search for threat actors, intrusion sets, or campaigns based on their secondary motivations.

Use 'Object Type' = "Threat Actor" AND 'Secondary Motivation' = "Unpredictable" to search for threat actors based on their secondary motivations.

Personal Motivations

Search for threat actors based on their personal motivations.

Use 'Object Type' = "Threat Actor" AND 'Personal Motivations' = "Dominance" to search for threat actors based on their personal motivations.

Version String

Search for tools based on their version identifier.

Use 'Object Type' = "Tool" AND 'Version String' = "4" to search for tools based on their version identifier.

Tool Type

Search for tools based on their tool classification.

Use 'Object Type' = "Tool" AND 'Tool Type' = "Network Capture" to search for tools based on their classification.

Malware Type

Search for malware based on its malware classification.

Use 'Object Type' = "Malware" AND 'Malware Type' = "Ransomware" to search for malware based on its classification.

Is Family

Search for malware objects based on whether they represent a malware family or an individual instance.

Use 'Object Type' = "Malware" AND 'Is Family' = "True" to search for malware objects that represent a malware family.

Architecture Execution Environment

Search for malware based on the execution architecture.

Use 'Object Type' = "Malware" AND 'Architecture Execution Environment' = "misp" to search for malware based on the execution architecture.

Implementation Languages

Search for malware based on the programming languages used for implementation.

Use 'Object Type' = "Malware" AND 'Implementation Language' = "java" to search for malware based on the programming languages used for implementation.

Malware Capabilities

Search for malware based on identified capabilities.

Use 'Object Type' = "Malware" AND 'Malware Capabilities' = "Anti Sandbox" to search for malware based on identified capabilities.

Identity Roles

Search for identity objects based on assigned roles.

Use 'Object Type' = "Identity" AND 'Identity Roles' = "Administrator" to search for identity objects based on assigned roles.

Identity Class

Search for identity objects based on their classification.

Use 'Object Type' = "Identity" AND 'Identity Class' = "Individual" to search for identity objects based on their classification.

Identity Sectors

Search for identity objects based on associated industry sectors.

Use 'Object Type' = "Identity" AND 'Identity Sectors' = "Commercial" to search for identity objects based on associated industry sectors.

Location Region

Search for objects based on the associated geographic region.

Use 'Object Type' = "Identity" AND 'Location Region' = "Asia" to search for objects based on the associated geographic region.

Location Country

Search for objects based on the associated country.

Use 'Object Type' = "Identity" AND 'Location Country' = "India" to search for objects based on the associated country.

Location City

Search for objects based on the associated city.

Use 'Object Type' = "Identity" AND 'Location City' = "Bengaluru" to search for objects based on the associated city.

Location Administrative Area

Search for objects based on the associated administrative area.

Use 'Object Type' = "Identity" AND 'Location Administrative Area' = "Pune" to search for objects based on the associated administrative area.

Note

Date-based parameters support only exact dates. Relative date values such as Last 7 days, Last 15 days, or Last 1 month are not supported.

Conditions are used to combine parameters in a CQL query using logical operators. You use conditions to control how multiple parameters are evaluated in a single query.

CQL evaluates conditions using a default precedence where AND has higher precedence than OR. However, while using the APIs, you can use parentheses to explicitly group conditions and control the order of evaluation.

Note

The updated CQL evaluation precedence applies to all queries, including saved searches and query-based configurations, and may result in updated results.

Condition

Description

Example

AND

Returns items that match all clauses defined in the query.

Use 'Object Type' = "Indicator" AND 'Subscriber' = "John Doe" AND 'Subscriber Collections' = "Malicious IOCs" to see indicators whose subscriber is John Doe and that are part of the Malicious IOCs subscriber collection.

OR

Returns items that match any one of the clauses defined in the query.

Use 'Object Type' = "Indicator" OR 'Object Type' = "Malware" OR 'Object Type' = "Campaign" to see threat data objects that are indicators, malware, or campaigns.

Operators define how you compare a field with a value in a CQL query. You use operators to build conditions based on the type of data you are querying.

Operator

Description

Example

=

Search for records that are an exact match of the provided numeric and text values.

Use 'Object Type' = "Indicator" AND 'Value' = "111.11.112.11" to see details of indicator 111.11.112.11.

!=

Search for records that do not match the provided numeric and text values.

Use 'Object Type' = "Indicator" AND 'Value' != "111.11.112.11" to see details of indicators other than 111.11.112.11.

>

Search for records that have a higher numeric value than the provided numeric value.

Use 'Object Type' = "Indicator" AND 'Confidence Score' > "90" to see indicators with a confidence score greater than 90.

<

Search for records that have a lower numeric value than the provided value.

Use 'Object Type' = "Indicator" AND 'Confidence Score' < "10" to see indicators with a confidence score less than 10.

<=

Search for records with numeric values that are either less than or equal to the provided value.

Use 'Object Type' = "Indicator" AND 'Confidence Score' <= "10" to see indicators with a confidence score less than or equal to 10.

>=

Search for records with numeric values that are either greater than or equal to the provided value.

Use 'Object Type' = "Indicator" AND 'Confidence Score' >= "90" to see indicators with a confidence score greater than or equal to 90.

CONTAINS

Search for records that contain the provided text or numeric values.

Use 'Object Type' = "Threat Actor" AND 'Value' CONTAINS "spider" to see all threat actors whose value contains spider, such as threat actors in the spider family.

IN

Search for records that contain one of multiple specified values. You can enter multiple values separated by a comma.

Use 'IOC Type' IN ("ipv4 addr","ipv6 addr","mac-addr") to see indicators that are an IPv4 address, IPv6 address, or MAC address.

RANGE

Search for records that have values within the provided range.

Use 'Object Type' = "Indicator" AND 'Confidence Score' RANGE (10,90) to see all indicators that have confidence scores between 10 and 90.

NOT IN

Search for records that do not contain the specified values. You can enter multiple values separated by a comma.

Use 'IOC Type' NOT IN ("ipv4 addr", "ipv6 addr", "mac-addr") to see indicators that are not an IPv4 address, IPv6 address, or MAC address.

BEGINS WITH

Search for values that start with the given value. 

Use 'Object Type' = "Indicator" AND 'Value' BEGINS WITH "121" to see indicators that start with 121.

ENDS WITH

Search for values that end with the given value. 

Use 'Object Type' = "Indicator" AND 'Value' ENDS WITH "34" to see indicators that end with 34.

MATCHES

Search for values that exactly match the given value. 

Use 'Value' MATCHES "10.127.46.117" to filter objects with a value of 10.127.46.117.

EXACTLY

Search for values that match only and exactly the specified set of values. Results include objects that contain all the provided values and no additional values. This operator applies only to the Source and Tags fields.

Use 'Object Type' = "Threat Data" AND 'Tags' EXACTLY ("Tags1", "Tags2", "Tags3") to see objects that contain only the tags Tags1, Tags2, and Tags3. Objects with additional tags or missing any of the specified tags are not included.

ONLY IN

Search for values that include one or more of the specified values. Results include objects that contain any subset or combination of the provided values. This operator applies only to the Source and Tags fields.

Note

The ONLY IN operator supports up to five values per query.

Use 'Object Type' = "Threat Data" AND 'Source' ONLY IN ("CrowdStrike", "AlienVault", "Recorded Future") to see objects that have one or more of the specified sources. This includes objects with a single source, multiple sources, or all the specified sources.
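The precedence rule described above (AND binds before OR, parentheses override) and the operator table, as an added example that is not Cyware's code: a tokenizer, parser and evaluator in Python for the CQL subset documented on this page, run over three constructed records. It assumes records are plain dicts keyed by lower-cased parameter name with tags and source stored as lists, enforces the page's restriction of EXACTLY and ONLY IN to the Source and Tags fields and the five-value cap on ONLY IN, and does not model date parameters.

```python
import re

# Added example (not Cyware's code): parser and evaluator for the CQL subset on this page.
# Records are dicts keyed by lower-cased parameter name; tags and source hold lists.
TOKEN_RE = re.compile(r"\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<comma>,)|(?P<param>'[^']*')"
                      r"|(?P<val>\"[^\"]*\"|-?\d+(?:\.\d+)?)|(?P<kw>AND|OR)\b|(?P<op>BEGINS WITH"
                      r"|ENDS WITH|NOT IN|ONLY IN|CONTAINS|RANGE|MATCHES|EXACTLY|IN|>=|<=|!=|=|>|<))", re.I)
LIST_OPS = {"IN", "NOT IN", "RANGE", "EXACTLY", "ONLY IN"}  # operand is a (v1, v2, ...) list

def tokenize(query):
    toks, pos, query = [], 0, query.strip()
    while pos < len(query):
        if not (m := TOKEN_RE.match(query, pos)):
            raise ValueError(f"bad token at offset {pos}: {query[pos:pos + 12]!r}")
        text = m.group(m.lastgroup)    # unquote params and strings, upper-case keywords
        toks.append((m.lastgroup, text[1:-1] if text[0] in "'\"" else text.upper()))
        pos = m.end()
    return toks + [("end", "")]        # sentinel so the parser never runs off the end

class Parser:  # recursive descent: OR binds loosest, AND tighter, parentheses override both
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0
        self.tree = self.expr()
        self.take("end")               # anything left over is a syntax error
    def take(self, kind):
        k, t = self.toks[self.i]
        if k != kind:
            raise ValueError(f"expected {kind} but found {t!r}")
        self.i += 1
        return t
    def expr(self, op="OR"):           # expr("OR") -> expr("AND") -> primary
        sub = (lambda: self.expr("AND")) if op == "OR" else self.primary
        node = sub()
        while self.toks[self.i] == ("kw", op):
            self.i += 1
            node = (op, node, sub())
        return node
    def primary(self):
        if self.toks[self.i][0] == "lp":
            self.i += 1
            node = self.expr()
            self.take("rp")
            return node
        param, op = self.take("param").lower(), self.take("op")
        if op not in LIST_OPS:
            return ("CLAUSE", param, op, self.take("val"))
        self.take("lp")
        values = [self.take("val")]
        while self.toks[self.i][0] == "comma":
            self.i += 1
            values.append(self.take("val"))
        self.take("rp")
        if op == "ONLY IN" and len(values) > 5:   # limit stated on the page
            raise ValueError("ONLY IN supports up to five values")
        return ("CLAUSE", param, op, values)

def _num(x):
    return float(x) if re.fullmatch(r"-?\d+(\.\d+)?", str(x)) else None
def _cmp(v, op, arg):                  # one stored value against one operand
    a, b, s, t = _num(v), _num(arg), str(v).lower(), str(arg).lower()
    if op in (">", "<", ">=", "<="):   # numeric only when both sides parse as numbers
        return None not in (a, b) and {">": a > b, "<": a < b, ">=": a >= b, "<=": a <= b}[op]
    same = a == b if None not in (a, b) else s == t
    return {"=": same, "!=": not same, "CONTAINS": t in s, "BEGINS WITH": s.startswith(t),
            "ENDS WITH": s.endswith(t), "MATCHES": str(v) == str(arg)}[op]

def eval_clause(rec, param, op, arg):
    stored = raw if isinstance(raw := rec.get(param, []), list) else [raw]  # always a list
    if op in ("EXACTLY", "ONLY IN") and param not in ("source", "tags"):
        raise ValueError(f"{op} applies only to Source and Tags")   # restriction on the page
    if op in LIST_OPS:
        have, want = {str(x).lower() for x in stored}, {str(a).lower() for a in arg}
        lo, hi, nums = _num(arg[0]), _num(arg[-1]), [_num(x) for x in stored]
        return {"IN": bool(have & want), "NOT IN": not (have & want), "EXACTLY": have == want,
                "ONLY IN": bool(have) and have <= want,   # any non-empty subset of the operand
                "RANGE": None not in (lo, hi) and any(n is not None and lo <= n <= hi for n in nums)}[op]
    return (all if op == "!=" else any)(_cmp(v, op, arg) for v in stored)  # != must hold for all

def evaluate(node, rec):
    if node[0] == "CLAUSE":
        return eval_clause(rec, *node[1:])
    return (all if node[0] == "AND" else any)(evaluate(n, rec) for n in node[1:])

def run_query(query, records):         # ids of the records that match a CQL query string
    tree = Parser(query).tree
    return [r["id"] for r in records if evaluate(tree, r)]

RECORDS = [  # constructed sample records, not real intel
    {"id": "ind-1", "object type": "Indicator", "ioc type": "ipv4 addr", "value": "203.0.113.10",
     "risk score": 95, "tags": ["phishing", "c2"], "source": ["Virus Total"]},
    {"id": "ind-2", "object type": "Indicator", "ioc type": "domain", "value": "example.test",
     "risk score": 40, "tags": ["phishing"], "source": ["Virus Total", "AlienVault"]},
    {"id": "mal-1", "object type": "Malware", "value": "Example Loader",
     "risk score": 70, "tags": ["c2"], "source": ["Import"]},
]
```

Against the sample records, 'Object Type' = "Indicator" AND 'Risk Score' > "90" OR 'Object Type' = "Malware" returns ['ind-1', 'mal-1'] because the AND clause is evaluated first, while wrapping the OR clause in parentheses narrows the result to ['ind-1'].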