CQL Query Use Cases
See the following table for a few examples. You can also see Get Started with CQL.
Note: The examples provided in the following table are for illustration purposes only.
Use Case | CQL Query |
---|---|
I want to filter results for only SHA-1 and SHA-256 hashes that have a confidence score greater than 50 and are related to an Attack Pattern. | 'Object Type' = "indicator" AND 'IOC Type' IN ("SHA-1::SHA1","SHA-256::SHA256") AND 'confidence_score' > "50" AND 'Related Object' = "attack-pattern" |
I want to filter results based on indicators enriched by Virus Total, Alien Vault, and RiskIQ. | 'Object Type' = "indicator" AND 'enrichment_tool' IN ("Alien Vault", "Risk IQ", "Virus Total") |
I want to filter results based on observables enriched by Virus Total whose verdict is malicious. | 'Object Type' = "observable" AND 'enrichment_tool' = "Virus Total" AND 'Tool Verdict' = "Malicious" |
I want to filter indicators that are deprecated. | 'Object Type' = "indicator" AND 'Deprecated Status' = "Deprecated" |
I want to filter indicators that were received from Tenable between 1st November 2021 and 19th November 2021. | 'Object Type' = "indicator" AND 'source' = "Tenable" AND 'Created' RANGE ("1/11/2021","19/11/2021") |
I want to filter indicators that have been published in the 'High Risk' collection this month. | 'Object Type' = "indicator" AND 'published collection' = "High Risk" AND 'Published on' RANGE ("1/11/2021","30/11/2021") |
I want to filter vulnerabilities that have a CVSS v2 base score ranging from 6.0 to 10. | 'Object Type' = "vulnerability" AND 'Custom Attribute' = "CVSSv2_base_score" AND 'Custom Attribute Value' RANGE (6, 10) Note: To create custom attributes for CVSS V2 Base Score, see Custom Attributes. |
I want to filter vulnerabilities that have a CVSS v3 base score ranging from 6.0 to 10. | 'Object Type' = "vulnerability" AND 'Custom Attribute' = "CVSSv3_base_score" AND 'Custom Attribute Value' RANGE (6, 10) Note: To create custom attributes for CVSS V3 Base Score, see Custom Attributes. |
I want to filter vulnerabilities that have a CVSS v2 temporal score ranging from 6.0 to 10. | 'Object Type' = "vulnerability" AND 'Custom Attribute' = "CVSSv2_temp_score" AND 'Custom Attribute Value' RANGE (6, 10) Note: To create custom attributes for CVSS V2 Temporal Score, see Custom Attributes. |
I want to filter vulnerabilities that have a CVSS v3 temporal score ranging from 6.0 to 10. | 'Object Type' = "vulnerability" AND 'Custom Attribute' = "CVSSv3_temp_score" AND 'Custom Attribute Value' RANGE (6, 10) Note: To create custom attributes for CVSS V3 Temporal Score, see Custom Attributes. |
I want to filter vulnerabilities that have relationships with infrastructure that were created on March 21, 2023. | 'Object Type' = "vulnerability" AND 'Related Object' = "Infrastructure" AND 'Relation Created Date' = "Mar 21, 2023, 12:00 AM" |
I want to filter vulnerabilities that have relationships with infrastructure that were updated on March 21, 2023. | 'Object Type' = "vulnerability" AND 'Related Object' = "Infrastructure" AND 'Relation Updated Date' = "Mar 21, 2023, 12:00 AM" |