Get Started with CQL
Cyware Query Language (CQL) enables analysts to perform fast, complex, and advanced searches by writing simple queries.
When analyzing large volumes of data, use the wide array of filters in the CTIX Threat Data module to narrow down your search and find your data set faster. These built-in search filters are great for most search queries and help you refine your search results by fetching relevant information from large datasets. However, if you are looking for specifically tailored information beyond the traditional Threat Data filters and want to use more than one condition at a time to further refine your search results, use CQL.
CQL helps you to add sophisticated logic, append conditions together, and drill deeper into a dataset to fetch results with a specific context.
Learn CQL syntax
While there is a full reference for Cyware Query Language (CQL), you don’t need to start writing queries from scratch to get started. You can build a sample search query with the filters and then click CQL to translate the specified filters into a CQL query.
Use Filters to Learn CQL
Use filters to build a simple query that you can translate to CQL.
From the main menu, select Threat Data.
Build a simple query using the following values for the threat data filters.
Object Type: Select an Object type, for example, Indicator.
IOC type: Select the type of Indicator, for example, IPV4 address.
Source: Select the name of a source that you configured, for example, Bambenek.
Source Collection: Select the name of a collection configured for your source, for example, Threat investigation.
After your search results are automatically displayed, click CQL.
You can now see your filters translated into a CQL query in the search.
English
Threat Data Filters
CQL query
To see all indicators that are IPV4 addresses, received from Bambenek and part of Threat Investigations collection.
Object Type: Select an Object type, for example, Indicator.
IOC type: Select the type of Indicator, for example, IPV4 address.
Source: Select the name of a source that you configured, for example, Bambenek.
Source Collection: Select the name of a collection configured for your source, for example, Threat investigation.
Object Type = Indicator AND IOC Type = IPV4 Address AND Source = Bambenek AND Source Collection = Threat Investigation
Write a Simple CQL Query
A simple query in CQL consists of a parameter, followed by an operator, followed by one or more values. You can connect two expressions together using AND or OR operators.
For example:
To see all indicators
Object Type = Indicator
To see all indicators that are received from Bambenek.
Object Type = Indicator AND Source = Bambenek
To see all indicators that are from Bambenek and that are IPV4 addresses
Object Type = Indicator AND Source = Bambenek AND IOC Type = IPV4 Address
To see all indicators, that are IPV4 addresses, received from Bambenek and have a confidence score of more than 90.
Object Type = Indicator AND Source = Bambenek AND IOC Type = IPV4 Address and Confidence Score > 90
For the complete syntax of CQL, see Cyware Query Language (CQL).
Watch this video to see it in action.
Analyst Usecases
You can perform an advanced search using CQL to gain tremendous insights into your day-to-day operations. Some examples of Analyst use cases include:
To see all IOCs enriched from Virus Total with a malicious verdict.
Object Type = Indicator AND Enrichment Tool = Virus Total AND Enrichment Verdict = Malicious
To see all IOCs that have relations with a malware object.
Object Type = Indicator AND Has Relations = True AND Related Object = Malware.
To see all indicators that are of Red TLP and have a confidence score between 90 and 100.
Object Type = Indicator AND TLP = RED AND Confidence Score RANGE (90,100)
To see all indicators that are not enriched.
Object Type = Indicator AND enrichment status = False
To see all malware objects that are published to a collection.
Object Type = Malware AND Published Collection = malicious malware