Understand CQL Grammar
CQL grammar is a combination of the following constructs:
Parameters: Parameters are different information types present in CTIX such as object type, confidence score, TLP, sightings, tags, created or modified dates, collection name, feed sources, enrichment sources, published date range, risk severity, actions, etc.
Conditions: Conditions are used to combine two or more parameters or append a lot of conditions to your query. You can use AND, OR conditions in your CQL query.
Operators: Operators relate the parameters to the value. Some operators include =, >,<, >=, <=, !=, CONTAINS, IN, RANGE, BEGINS WITH, and ENDS WITH.
Note
The examples of the CQL parameters, conditions, and operators provided below are for representation purposes only.
Parameter | Description | Examples |
Object Type | STIX-type threat data objects available in CTIX. An object type includes Indicator, Malware, Attack Pattern, Threat Actor, Campaign, Course of Action, Vulnerability, Identity, Infrastructure, Intrusion set, Location, Malware Analysis, Observed Data, Opinion, Tool, Report, Custom Object, and Observables. | Use 'Object Type' = "Indicator" to see all the indicators. |
IOC Type | Types of indicators or observables. These are the different types of indicators of compromise. IOC types include Artifact, Autonomous system, Directory, Domain, Email Address, Email Message, IPV4 address, IPV6 address, MAC address, Mutex, Network Traffic, Process, Software, URL, User Account, Windows registry key, X509 certificate, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, and SSDEEP. | Use 'Object Type' = "indicator" AND 'IOC Type' = "ipv4 addr" to see indicators that IPv4 addresses. |
Source | Feed sources from which CTIX receives threat intel. Feed sources include the sources configured in Integration Management in the application. | Use 'Object Type' = "indicator" AND 'IOC Type' = "ipv4 addr" AND 'source' = "Virus Total" to see IPv4 addresses received from Virus Total feed source. |
Source Collections | Collections in CTIX that contain a specific type of threat intel. Source collections include the STIX collections that are part of a feed source in CTIX. | Use 'Object Type' = "Indicator" AND 'IOC Type' = "IPV4 addr::" AND 'source' = "Virus Total" AND 'source_collection' = "Emerging Threats- Compromised" to see all IPV4 addresses received from Virus Total and are part of the Emerging Threats-Compromised collection. |
Source Confidence | Classification of the source for IOCs based on the source confidence score. Source confidence values include high, medium, low, or none. | Use 'Object Type' = "indicator" AND 'Source Confidence' = "HIGH" to see indicators that are classified as highly malicious based on their source confidence score. |
Source Created Date | The earliest date on which the threat data object was reported by a source. | Use 'Object Type' = "indicator" AND 'Source Created Date' RANGE ("July 31, 2022, 12:00 AM","August 15, 2022, 11:59 AM") to see indicators that were reported by a source in a given date range. |
Source Modified Date | The latest date on which the threat data object was modified on the source. | Use 'Object Type' = "indicator" AND 'Source Modified Date' RANGE ("July 31, 2022, 12:00 AM","August 15, 2022, 11:59 AM") to see indicators that were modified by a source in a given date range. |
Value | Data or result set. Enter a numeric or text value for any of the selected parameters. | Use 'Object Type' = "Indicator" AND 'Value' = "111.11.112.11" to see details of the indicator 111.11.112.11. |
Subscriber | List of all subscribers defined in CTIX. | Use 'Object Type' = "Indicator" AND 'Subscriber' = "John Doe" to see indicators from the subscriber John Doe. |
Subscriber Collections | List of all subscriber collections defined in CTIX. | Use 'Object Type' = "Indicator" AND 'Subscriber' = "John Doe" AND 'Subscriber Collections' = "Malicious IOCs" to see indicators from the subscriber John Doe that is part of the Malicious IOCs collection. |
Published Collections | List of published collections in CTIX. | Use 'Object Type' = "Malware" AND 'Published Collection' = "RiskIQ Report" to see malware that is part of the published collection called RiskIQ Report. |
Source Type | Types of feed sources defined in CTIX. | Use 'Object Type' = "Malware" AND 'source type' = "STIX" AND 'source_collection' = "Stix collection" to see all malware that is received as part of a Stix Collection. |
Published On | Published date. | Use 'Object Type' = "Malware" AND 'Source Type' = "STIX" AND 'source collection' = "malware collection" AND 'Published On' = "date" to see malware published on a particular date as part of the STIX malware collection. |
System Created Date | The created date of the threat data in CTIX. | Use 'Object Type' = "Malware" AND 'Created On' = "date" to see indicators created in CTIX on a particular date. |
System Modified Date | The Modified date of the threat data in CTIX. | Use 'Object Type' = "Malware" AND 'Modified On' = "date" to see indicators modified in CTIX on a particular date. |
Confidence Score | Confidence Score | Use 'Object Type' = "Indicator" AND 'Confidence Score' RANGE (10,90) to see the indicators that have confidence scores in the range of 10 and 90. |
TLP | Traffic Light Protocol values, such as RED, YELLOW, AMBER, GREEN, and WHITE. | Use 'Object Type' = "Malware" AND 'TLP' = "RED" to see malware classified as RED TLP. |
Valid From | Select a date. | Use 'Object Type' = "Indicator" AND 'Valid From' = "Date" to see indicators that are valid from a given date. |
Valid Until | Select a date. | Use 'Object Type' = "Indicator" AND 'Valid Until' = "Date" to see indicators that are valid until a given date. |
Tags | All the tags are defined in the CTIX application. | Use 'Object Type' = "Vulnerability" AND 'tag' = "CVSS critical" to see vulnerabilities categorized as CVSS critical. |
Analyst Score | The score as given by an analyst. | Use 'Object Type' = "Indicator" AND 'Analyst Score' RANGE (10,90) to see indicators with analyst score values between 10 and 90. |
Analyst CVSS Score | The CVSS score assigned by an analyst to a vulnerability object. | Use 'Object Type' = "Vulnerability" AND 'Analyst CVSS Score' = '2.3' to see vulnerabilities with a CVSS score of 2.3 assigned by an analyst. |
Countries | List of all countries. | Use 'Object Type' = "Indicator" AND 'IOC Type' = "URL" AND 'countries' = "India" to see URLs from India. |
First Seen | Select a date. | Use 'Object Type' = "Indicator" AND 'First Seen' = "Date" to see indicators that are first seen on a given date. |
Last Seen | Select a date. | Use 'Object Type' = "Indicator" AND 'Last Seen' = "Date" to see indicators that are last seen on a given date. |
Deprecated Status | Defines if the object is deprecated or not. | Use 'Object Type' = "Indicator" AND 'Deprecated Status' = "Deprecated" to see deprecated indicators. |
Revoke Status | Defines if the indicator is marked as revoked. | Use Object Type' = "Indicator" AND'Revoke Status' = "Yes" to see IOCs marked as revoked. |
False Positive Status | Defines if the object is marked false positive or not. | Use 'Object Type' = "Indicator" AND 'False Positive Status' = "False Positive" to see indicators that are marked as false positive. |
Reviewed Status | Defines if the object is reviewed or not. | Use 'Object Type' = "Indicator" AND 'Reviewed Status' = "Yes" to see reviewed indicators. |
Manual Review | Defines if the object is manually reviewed by the analyst or not. | Use 'Object Type' = "Indicator" AND 'Manual Review' = "Yes" to see manually reviewed data. |
Indicators Allowed Status | Defines if the indicator is allowed or not. | Use 'Object Type' = "Indicator" AND 'Indicators Allowed Status' = "Indicators Allowed" to see indicators whose status is allowed. |
Actioned By | The name of the user or a rule that has performed an action on the Threat data object. | Use 'Object Type' = "Indicator" AND 'Actioned By' = "john.doe@abc.com" AND 'actioned_on' = "date" to see indicators on which John Doe has performed actions on a particular date. |
Actioned On | Select a date. | Use 'Object Type' = "Indicator" AND 'Actioned By' = "john.doe@abc.com" AND 'actioned_on' = "date" to see indicators on which John Doe has performed actions on a particular date. |
Action Medium | Defines the type of action performed on an object. | Use 'Object Type' = "Indicator" AND 'Action Medium' = "Rule" to see indicators that have been actioned by a rule. |
Actioned App Type | Defines the application type. | Use 'Object Type' = "Indicator" AND 'Actioned App Type' = "CTIX" to see indicators that have some action performed on them by the CTIX application. |
Actioned App | Defines all the applications integrated with CTIX | Use 'Object Type' = "Indicator" AND 'Actioned App' = "Alien Vault" to see indicators that have some action performed on them by Alien Vault. |
Relation Type | Defines the STIX relationship types. | Use 'Object Type' = "indicator" AND 'Relationship Type' = "targets" AND 'Related Object' = "malware" to see indicators that are related to a malware object by a particular relationship type. |
Related Object | Select the related object for the primary object. This allows you to focus on specific associations and refine your search. When you select a related object in a CQL query, all parameters defined after the related object are applied to the related object. | Use 'Object Type' = "Threat Actor" AND 'Relation Type' = "uses" AND 'Relation Object' = "Malware" to fetch all threat actors that use a specific malware. |
Related Object Value (Supported Version: v3.4.2 and later) | Enter the value of the related object to filter the relevant threat data objects. This parameter is useful when you want to filter objects related to an object with a specific value. You must provide a related object to use the related object value. | Use 'Object Type' = "Vulnerability" AND 'Related Object Type' = "Course of Action" AND 'Related Object Value' CONTAINS " google:chrome" to fetch vulnerabilities that are fixed by a specific browser. |
Related Object Property (Supported Version: v3.4.2 and later) | Select a property of the related object to search for the relevant threat data objects. You can choose from object type, source, IOC type, source type, source collections, and more. This list automatically appears when you select the Related Object Property parameter. | Use 'Object Type' = "Indicator" AND 'Related Object' = "Malware" AND 'Related Object Property:Source' = "Import" to see indicators that are related to a malware object received into the platform by importing intel. |
Has Relations | Select Yes or No to filter objects that either have or don't have relations with other objects. | Use 'Object Type' = "indicator" AND 'Has Relations' = "Yes" to see all indicators that have relationships defined with other objects. |
Enrichment Tools | Defines Enrichment tools in CTIX | Use 'Object Type' = "indicator" AND 'Enrichment Tool' = "RiskIQ" and 'Tool Verdict' = "malicious" to see all indicators that have tool verdict as malicious from RiskIQ. |
Enriched On | Select a date. | Use 'Object Type' = "indicator" AND 'Enrichment Tool' = "RiskIQ" and 'Tool Verdict' = "malicious" and 'enriched on' = "Date" to see all indicators that have tool verdict as malicious from RiskIQand that have been enriched on a particular date. |
Enrichment Verdict | Defines the verdict of the enrichment tool configured in CTIX. | Use 'Object Type' = "indicator" AND 'Enrichment Tool' = "RiskIQ" and 'Tool Verdict' = "malicious" to see all indicators that have tool verdict as malicious from RiskIQ. |
Enriched Status | Enrichment status of objects | Use 'Object Type' = "indicator" AND 'Enrichced Status' = "Enriched" to see all indicators that are successfully enriched. |
Rules | Rules defined in CTIX | Use 'Object Type' = "indicator" AND 'rule' = "import reports" to see all indicators impacted by a given rule. |
Custom Attribute | Select from the drop-down list to search for threat data objects that have custom attributes. | Use 'Object Type' = "Vulnerability" AND 'Custom Attribute' = "zero_day" to fetch vulnerabilities that have the zero-day custom attribute. |
Custom Attribute Value | Enter the specific custom attribute value to search for threat data objects that have custom attributes with the mentioned value. | Use 'Object Type' = "Vulnerability" AND Custom Attribute' = "zero_day" AND 'Custom Attribute Value' = "true" to fetch vulnerabilities that have the zero day custom attribute and it is set to true. |
Custom Attribute Type (Supported Version: v3.4.2 and later) | Enter the type of custom attribute to search for threat data objects that have the same custom attribute type. You must provide a custom attribute value to search for a custom attribute type. | Use 'Object Type' = "Vulnerability" AND 'Custom Attribute' = "cvss_v3_temporal_score" AND 'Custom Attribute type' = "Float" AND 'Custom Attribute Value' > "5" to fetch vulnerabilities where the cvss_v3_temporal_score is greater than 5. |
Relation Created Date | Set the date and time to search for relationships based on their date of creation. | Use 'Object Type' = "Indicator" AND 'Relation Created Date' = 'Timestamp' to search for indicators with relations created on the set date and time. |
Relation Modified Date | Set the date and time to search for relationships based on their date of modification. | Use 'Object Type' = "Indicator" AND 'Relation Modified Date' = 'Timestamp' to search for indicators with relations modified on the set date |
Condition | Description | Example |
AND | Returns items that match all clauses defined in the query. | Use 'Object Type' = "Indicator" AND 'Subscriber' = "John Doe" AND 'Subscriber Collections' = "Malicious IOCs" to see indicators where the subscriber is John Doe and is part of Malicious IOCs subscriber collection. |
OR | Returns items that match any one of the clauses defined in the query. | Use 'Object Type' = "Indicator" OR 'Object Type' = "Malware" OR 'Object Type' = "Campaign" to see threat data items that belong to either Indicators, malware, or campaigns. |
Operator | Description | Example |
= | Search for records that are the exact match of provided numeric and text values. | Use 'Object Type' = "Indicator" AND 'Value' = "111.11.112.11" to see details of indicator 111.11.112.11. |
!= | Search for records that do not match the provided numeric and text values. | Use 'Object Type' = "Indicator" AND 'Value' != "111.11.112.11" to see details of indicators other than 111.11.112.11. |
> | Search for records that have a higher numeric value than the provided numeric value. | Use 'Object Type' = "Indicator" AND 'Confidence Score' > "90" to see indicators with a confidence score greater than 90. |
< | Search for records that have a lower numeric value than the provided value. | Use 'Object Type' = "Indicator" AND 'Confidence Score' < "10" to see indicators with a confidence score less than 10. |
<= | Search for records with numeric values that are either less than or equal to the provided value. | Use 'Object Type' = "Indicator" AND 'Confidence Score' <= "10" to see indicators with a confidence score less than or equal to 10. |
>= | Search for records with numeric values that are either greater than or equal to the provided value. | Use 'Object Type' = "Indicator" AND 'Confidence Score' >= "90" to see indicators with a confidence score greater than or equal to 90. |
CONTAINS | Search for records that contains the provided text or numeric values. | Use 'Object Type' = "Threat Actor" AND 'Value' CONTAINS "spider" to see all the threat actors of the spider family and can contain spider in their name. |
IN | Search for records that contains one of multiple specified values. You can enter multiple values separated by comma. | Use 'IOC Type' IN ("ipv4 addr","ipv6 addr","mac-addr") to see indicators that are IPV4 address, IPV6 address, or a MAC address. |
RANGE | Search for records that have values within the provided range. | Use 'Object Type' = "Indicator" AND 'Confidence Score' RANGE (10,90) to see all the indicators that have confidence scores in the range of 10 and 90. |
NOT IN | Search for records that does not contain the specified values. You can enter multiple values separated by comma. | Use 'IOC Type' NOT IN ("ipv4 addr","ipv6 addr","mac-addr") to see indicators that are NOT IPV4 address, IPV6 address, or a MAC address. |
BEGINS WITH | Search for values that start with the given value. This operator is applicable to Value and Related Object Value parameters. | Use 'Object Type' = "Indicator" AND 'Value' BEGINS WITH "121" to see indicators that start with 121. |
ENDS WITH | Search for values that end with the given value. This operator is applicable to Value and Related Object Value parameters. | Use 'Object Type' = "Indicator" AND 'Value' ENDS WITH "34" to see indicators that end with 34. |