Skip to main content

Cyware Threat Intelligence eXchange

CQL Query Usecase

See the following table for a few examples. You can also see Get Started with CQL.

Note

The examples provided in the following table are for representation purposes only.

Use Case

CQL Query

I want to filter results for only SHA-1 and SHA-256 hashes with a confidence score greater than 50 and are related to Attack Pattern.

'Object Type' = "indicator" AND 'IOC Type' IN ("SHA-1::SHA1","SHA-256::SHA256") AND 'confidence_score' > "50" AND 'Related Object' = "attack-pattern"

I want to filter results based on indicators enriched from virus total, Alien Vault, and RiskIQ.

'Object Type' = "indicator" AND 'enrichment_tool' IN ("Alien Vault", "Risk IQ", "Virus Total")

I want to filter results based on Observables enriched from the virus total and whose verdict is malicious.

'Object Type' = "observable" AND 'enrichment_tool' = "Virus Total" AND 'Tool Verdict' = "Malicious"

I want to filter indicators that are deprecated.

'Object Type' = "indicator" AND 'Deprecated Status' = "Deprecated"

I want to filter indicators that are received from Tenable between 1st November 2021 and 19th November 2021.

'Object Type' = "indicator" AND 'source' = "Tenable" AND 'Created' RANGE ("1/11/2021","19/11/2021")

I want to filter indicators that have been published in 'High Risk' collection this month.

'Object Type' = "indicator" AND 'published collection' = "High Risk" AND 'Published on' RANGE ("1/11/2021","30/11/2021")

I want to filter vulnerabilities that have CVSS v2 base score ranging from 6.0 to 10.

'Object Type' = "vulnerability" AND 'Custom Attribute' = "CVSSv2_base_score" AND 'Custom Attribute Value' RANGE (6, 10)

To create custom attributes for CVSS V2 Base Score, see Custom Attributes.

I want to filter vulnerabilities that have CVSS v3 base score ranging from 6.0 to 10.

'Object Type' = "vulnerability" AND 'Custom Attribute' = "CVSSv3_base_score" AND 'Custom Attribute Value' RANGE (6, 10)

To create custom attributes for CVSS V3 Base Score, see Custom Attributes.

I want to filter vulnerabilities that have CVSS v2 temporal score ranging from 6.0 to 10.

'Object Type' = "vulnerability" AND 'Custom Attribute' = "CVSSv2_temp_score" AND 'Custom Attribute Value' RANGE (6, 10)

To create custom attributes for CVSS V2 Temporal Score, see Custom Attributes.

I want to filter vulnerabilities that have CVSS v3 temporal score ranging from 6.0 to 10.

'Object Type' = "vulnerability" AND 'Custom Attribute' = "CVSSv3_temp_score" AND 'Custom Attribute Value' RANGE (6, 10)

To create custom attributes for CVSS V3 Temporal Score, see Custom Attributes.

I want to filter vulnerabilities that have relationships with infrastructure and were created on March 21, 2023.

'Object Type' = "vulnerability" AND 'Related Object' = "Infrastructure" AND 'Relation Created Date' = "Mar 21, 2023, 12:00 AM"

I want to filter vulnerabilities that have relationships with infrastructure and were updated on March 21, 2023.

'Object Type' = "vulnerability" AND 'Related Object' = "Infrastructure" AND 'Relation Updated Date' = "Mar 21, 2023, 12:00 AM"