
Cyware Fusion and Threat Response

Filter using Cyware Query Language (CQL)

Cyware Query Language (CQL) lets security analysts write structured queries, with advanced logic, to retrieve relevant data from module listing pages. For example, to search for high-severity IP spoofing incidents that are in the open state, you can use the following CQL query:

"Status" = "Open" AND "Severity" = "High" AND "Incident Type" = "IP Spoofing"

You can use CQL to filter data on the following module listing pages:

  • Threat Briefings

  • Campaigns

  • Incidents

    Note

    CQL is unavailable in the map view of incidents.

  • Actions

  • Enhancements

  • PIRs

  • Threat Actors

  • Malware

  • Threat Intel

  • Vulnerabilities

  • Devices

  • Applications

  • Software

  • Users

  • All Custom Modules

To filter data on a module listing page using CQL, follow these steps:

  1. Go to Menu, and select a module.

  2. Click Filters on the left, and select CQL.

  3. Enter the CQL query.

  4. Click Search or press Enter.


The listing page shows the results that match your CQL query. You can also copy CQL queries and reuse them in other modules that support similar filters.

Note

In a CQL search, the parameter-value pairs are executed from right to left. As a best practice, place OR operators toward the end of the query.

Save CQL Query

You can save CQL queries as saved searches and reuse them without entering the query again.

Steps

To save a CQL query, follow these steps:

  1. Go to Menu and select a module.

  2. Click the Filters icon, and then select CQL.

  3. Enter the CQL query in the CQL text box, and then press Enter or click the Search icon.

  4. On the left, click Save Filter, and select Save As.

  5. Enter a unique title to save the query. You can enter up to 50 characters.

  6. In the Sharing Options, select one of the following:

    • Public: This option allows all users to view and use the CQL query.

    • Private: This option allows the CQL query to be only available to you.

    • Custom: This option allows sharing the CQL query only with selected users or user groups.

  7. Click Save.

The CQL query is saved and appears in Saved Search on the left under CQL.

Manage Saved CQL Searches

You can perform the following activities to manage saved CQL searches:

  • Mark as Default: To mark a saved search as default, hover over a saved search, and click Mark as Default. The default saved CQL search is automatically applied when you go to the listing page of a module.

  • Edit: To edit a saved search, hover over it, click the vertical ellipsis, and select Edit. You can update the title and sharing options of a saved CQL search. Only the creator of the query can edit the saved CQL search.

  • Delete: To delete a saved search, hover over it, click the vertical ellipsis, and select Delete. Only the creator of the query can delete the saved search.

  • Filter by: You can filter saved CQL searches using options such as All, Created by me, and Created by others.

  • Search: You can search for a saved CQL search.

Understand CQL Grammar

CQL grammar is a combination of the following elements:

  • Parameters: Parameters are the information types (fields) by which you filter a module.

  • Value: The value is the data you are looking for; the query matches it against the parameter to produce the result set.

  • Operators: Operators relate a parameter to its value. The available operators are =, >, <, >=, <=, !=, CONTAINS, NOT CONTAINS, IN, NOT IN, and RANGE.

  • Conditions: Conditions are the logical operators that combine multiple parameter-value pairs. You can use the AND and OR conditions in a CQL query.

CQL Parameters

You can use the respective modules' field names configured by your administrator as parameters in the query. For example, the parameters for incidents are incident type, severity, assigned user group, assigned user, created date, closed date, and more. The single-select and multi-select fields present in Filters are displayed as a list when you click the CQL text box, allowing you to choose from them.

Note

Respond displays the single-select and multi-select fields that are configured with the Show in Filters option enabled. For more information, see Add New Field in Forms.

The title and description parameters do not appear in the filters or in the CQL prompt. You can still use title and description as parameters with the CONTAINS and NOT CONTAINS operators to search for modules whose title or description includes a specific term or phrase.

CQL Values

The CQL prompt displays a list of allowed values for the selected parameter. Select a value from the list to apply it. For the title and description parameters, which are not displayed in the CQL prompt, enter the search text within quotation marks. For example, title CONTAINS "Ransomware".

CQL Conditions

  • AND: Returns items that match all clauses defined in the query.
    CQL Example: "Status" = "Open" AND "Severity" = "High"
    Expected Output: Returns all high severity incidents that are in the open state.

  • OR: Returns items that match any one of the clauses defined in the query.
    CQL Example: "Status" = "Closed" OR "Status" = "Open"
    Expected Output: Returns the incidents that are either in the open or the closed state.

CQL Operators

  • =: Exact match for numeric values and for the options of single-select and multi-select fields.
    CQL Example: "Assigned to Me" = "True"
    Expected Output: Returns the entries that are assigned to you.

  • !=: Numeric value, or single-select or multi-select option, that is not an exact match.
    CQL Example: "Assigned to Me" != "True"
    Expected Output: Returns the entries that are not assigned to you.

  • >: Date or numeric values greater than the given value.
    CQL Example: "Created Date" > "2022-09-01 12:00:00 AM"
    Expected Output: Returns the entries created after 01 September 2022, 12 AM.

  • <: Date or numeric values less than the given value.
    CQL Example: "Created Date" < "2022-09-01 12:00:00 AM"
    Expected Output: Returns the entries created before 01 September 2022, 12 AM.

  • <=: Date or numeric values less than or equal to the given value.
    CQL Example: "Created Date" <= "2022-09-01 12:00:00 AM"
    Expected Output: Returns the entries created on or before 01 September 2022, 12 AM.

  • >=: Date or numeric values greater than or equal to the given value.
    CQL Example: "Created Date" >= "2022-09-01 12:00:00 AM"
    Expected Output: Returns the entries created on or after 01 September 2022, 12 AM.

  • CONTAINS: Text or numeric values that exist in a text field, such as title and description.
    CQL Example: title CONTAINS "Ransomware"
    Expected Output: Returns the entries that include the term Ransomware in the title.

  • NOT CONTAINS: Text or numeric values that do not exist in a text field, such as title and description.
    CQL Example: title NOT CONTAINS "Ransomware"
    Expected Output: Returns the entries that do not include the term Ransomware in the title.

  • IN: Options or numeric values that exist in a result set, such as multi-select field values.
    CQL Example: "Business Unit(s) Impacted" IN ("IT", "Marketing")
    Expected Output: Returns the incidents that affect the IT and Marketing business units.

  • NOT IN: Options or numeric values that do not exist in a result set, such as multi-select field values.
    CQL Example: "Business Unit(s) Impacted" NOT IN ("IT", "Marketing")
    Expected Output: Returns the incidents that affect all other business units except IT and Marketing.

  • RANGE: A date range or a numeric range.
    CQL Example: "Created Date" RANGE ("2022-09-01 12:00:00 AM","2022-09-12 11:59:59 PM")
    Expected Output: Returns the entries created within the specified date range.
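To make the grammar, conditions and operators above concrete, the following added example (not Cyware's code) tokenises CQL queries in the form shown on this page and evaluates them against a few constructed incident records. Its right_to_left option is one model of the right-to-left note above (clauses folded from the right with no operator precedence), not the product's actual parser; the incident records and titles are constructed sample data.

```python
import re
from datetime import datetime
# Constructed sample incidents (not real data), keyed by the field names the page uses.
INCIDENTS = [
    {"Status": "Open", "Severity": "High", "Incident Type": "IP Spoofing",
     "Created Date": "2022-09-05 09:30:00 AM", "Business Unit(s) Impacted": ["IT"],
     "title": "Ransomware on finance host"},
    {"Status": "Closed", "Severity": "Low", "Incident Type": "Phishing",
     "Created Date": "2022-08-20 03:15:00 PM", "Business Unit(s) Impacted": ["Marketing"],
     "title": "Credential phishing email"},
    {"Status": "Open", "Severity": "High", "Incident Type": "Malware",
     "Created Date": "2022-09-15 11:00:00 PM", "Business Unit(s) Impacted": ["HR"],
     "title": "Suspicious DLL sideload"},
]
# Tokens: quoted names/values, parenthesised lists, operators and conditions, bare words.
TOKEN = re.compile(r'"[^"]*"|\([^)]*\)|NOT CONTAINS|NOT IN|CONTAINS|IN|RANGE|AND|OR|>=|<=|!=|[=<>]|\w+')

def coerce(v):  # page-format dates -> datetime, numbers -> float, otherwise the string
    try:
        return datetime.strptime(v, "%Y-%m-%d %I:%M:%S %p")
    except ValueError:
        return float(v) if v.replace(".", "", 1).isdigit() else v

def clause_matches(item, field, op, value):
    actual = item.get(field, "")
    if op in ("IN", "NOT IN", "RANGE"):
        values = [v.strip().strip('"') for v in value.strip("()").split(",")]
        if op == "RANGE":
            return coerce(values[0]) <= coerce(actual) <= coerce(values[1])
        hit = bool(set(actual if isinstance(actual, list) else [actual]) & set(values))
        return hit if op == "IN" else not hit
    value = value.strip('"')
    if op in ("CONTAINS", "NOT CONTAINS"):
        hit = value.lower() in str(actual).lower()
        return hit if op == "CONTAINS" else not hit
    a, b = coerce(str(actual)), coerce(value)
    return {"=": a == b, "!=": a != b, ">": a > b, "<": a < b, ">=": a >= b, "<=": a <= b}[op]

def evaluate(query, item, right_to_left=True):
    """Fold clauses with no operator precedence; right_to_left is our model of the page's note."""
    t = TOKEN.findall(query)  # field op value (AND|OR field op value)*
    res = [clause_matches(item, t[i].strip('"'), t[i + 1], t[i + 2]) for i in range(0, len(t), 4)]
    order = zip(reversed(res[:-1]), reversed(t[3::4])) if right_to_left else zip(res[1:], t[3::4])
    acc = res[-1] if right_to_left else res[0]
    for r, cond in order:
        acc = (r and acc) if cond == "AND" else (r or acc)
    return acc

def run(query, right_to_left=True):  # titles of the constructed incidents the query matches
    return [i["title"] for i in INCIDENTS if evaluate(query, i, right_to_left)]
```

Running the same mixed AND/OR query with right_to_left=False shows how the grouping, and therefore the result set, changes, which is why the note recommends keeping OR toward the end of the query.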