About
Overview
The Netography Query Language (NQL) is the basis for accomplishing many tasks.
- Searching for flows, events (alerts), audits, or block records
- Filtering statistics and aggregations
- Defining custom Detection Models (algorithms) to create an event (alert) on
Becoming familiar with the Netography Query Language will make the most out of the service. These generic rules apply regardless of where in the service you leverage the query language
Basics
Using the Netography Query Language is much like writing a programming conditional
inside an if ( ) statement. The statement should be constructed logically, from left to right, comparing fields to values.
Usage
In the Portal, NQL can be used on the Search pages, as part of the Global Filters, or defining Widgets inside custom dashboards.
For API requests, if the search parameter is provided, (its value being your NQL condition), then only records that match the search: "NQL string" condition will be returned.
Examples (flow context):
| IP Reputation Violators | srciprep.count > 0 OR dstiprep.count > 0 |
| Only Privileged Ports | dstport < 1024 |
| Not Broadcast IPs | dstip != 255.255.255.0/24 |
| TCP Ports Scan | tcpflags.syn == true and tcpflags.ack == true and srcport > 1024 |
For additional examples see NQL Examples, or watch the Video walkthroughs NQL video.
Rules and limitations
- Logic must be unambiguous. e.g.
A && B || Cwill fail. Use parens to prevent ambiguity. - NQL accepts nested parentheses. For example,
((this) || (that)) && otheris a valid NQL statement. However this can be considered hard to read, so it is suggested to reduce the use of parentheses when possible, e.g.(this || that) && other. - IP fields can be searched with CIDR notation if desired. For example,
10.0.0.0/24will match10.0.0.1 - Only integer fields can use numerical comparisons.
< <= > >= - Strings with spaces must be quoted with single quotes.
- Allowed Boolean operators are:
&& AND and,|| OR or, and! - Allowed numerical operators are:
== != < <= > >= - Operators must be surrounded by spaces e.g.
srcip == 10.0.0.1is valid, whilesrcip==10.0.0.1is not valid. - Whitespace is not optional in NQL. For example,
input==1is invalid, butinput == 1is valid, since the NQL parser will not parse the first example if the whitespace is missing.
Operators
| Boolean | Description | Example |
|---|---|---|
| &&, and, AND | a logical AND | this && that |
| ||, or, OR | a logical OR | this || that |
| ! | NOT. Must precede expressions in parenthesis | !(srcip == 10.0.0.1) |
| Comparison | Description |
|---|---|
| == | equals |
| != | not equals |
| <= | less than or equals to |
| <= | less than |
| >= | greater than or equals to |
| > | greater than |
Updated 7 months ago