NQL Quick Reference Guide
| Category | Field/Operator | Description | Example |
|---|---|---|---|
| General Format | `field operator value` | Every condition is a field, an operator and a value | `dstport < 1024` |
| Boolean Operators | `&&`, `AND` | Logical AND | `condition1 AND condition2` |
| | `\|\|`, `OR` | Logical OR | `condition1 OR condition2` |
| | `!` | Logical NOT | `!(condition)` |
| Comparison Operators | `==` | Equals | `field == value` |
| | `!=` | Not equals | `field != value` |
| | `<` | Less than | `field < value` |
| | `<=` | Less than or equal to | `field <= value` |
| | `>` | Greater than | `field > value` |
| | `>=` | Greater than or equal to | `field >= value` |
| Spacing & Parentheses | | Operators must have a space before and after them | `field == value` |
| | `()` | Use parentheses for grouping | `condition1 OR (condition2 AND condition3)` |
| | | Logic must be clear: make precedence explicit with parentheses | Valid: `A OR (B AND C)`; not valid: `A OR B AND C` |
| CIDR Notation | `/24` | IP fields can use CIDR notation | `10.0.0.0/24` |
| Pattern Matching | `=~` | Matches the pattern (wildcard, regex or fuzzy) | |
| | `!~` | Does not match the pattern | |
| Supported Fields (pattern matching) | Flow | `dstiprep.categories`, `srciprep.categories`, `tags` | |
| | DNS | `answers.rdata`, `query.domain`, `query.host`, `query.name`, `query.publicsuffix` | |
| | Events | `ipinfo.iprep.categories`, `summary`, `tags` | |
| | Audit | `description` | |
| Wildcards | `=~ *pattern` | Matches zero or more characters | `query.name =~ *at` |
| | `!~ *pattern` | Negative match for zero or more characters | `query.name !~ *at` |
| | `=~ ?pattern` | Matches any single character | `query.name =~ ?at` |
| | `!~ ?pattern` | Negative match for any single character | `query.name !~ ?at` |
| Regular Expressions (Regex) | `=~ /pattern/` | Matches using a regex pattern | `query.name =~ /pattern/` |
| | `!~ /pattern/` | Negative match using a regex pattern | `query.name !~ /pattern/` |
| Regex: Text Boundary Anchors | `^` | Beginning of a line or string: matches the start of a string | `^cat` matches "cat" at the beginning of a string |
| | `$` | End of a line or string: matches the end of a string | `cat$` matches "cat" at the end of a string |
| Regex: Choice and Grouping | `xy` | Matches "x" followed by "y" | `abc` matches "abc" |
| | `x\|y` | Matches "x" or "y" (alternation) | `ax\|ye` matches "axe" or "aye" |
| | `abc(def)?` | Grouping | `abc(def)?` matches "abc" and "abcdef" |
| Regex: Repetition | `x*` | Zero or more occurrences of "x" | `a*` matches "", "a", "aa" |
| | `x+` | One or more occurrences of "x" | `a+` matches "a", "aa" |
| | `x?` | Zero or one occurrence of "x" | `a?` matches "" or "a" |
| | `x{n,m}` | Between n and m occurrences of "x" | `a{2,4}` matches "aa", "aaa", "aaaa" |
| | `x{n,}` | n or more occurrences of "x" | `a{2,}` matches "aa", "aaa" |
| | `x{n}` | Exactly n occurrences of "x" | `a{3}` matches "aaa" |
| Regex: Character Classes | `.` | Matches any single character | `c.t` matches "cat" and "cot" |
| | `[abc]` | Matches any single character in the set | `[aeiou]` matches any vowel |
| | `[^abc]` | Matches any single character not in the set | `[^aeiou]` matches consonants |
| | `[a-z]` | Matches any single character in the range | `[a-z]` matches any lowercase letter |
| Regex: Numeric Ranges | `<0-10>` | Matches a numeric range | `<0-10>` matches any number from 0 to 10 |
| | `<00-010>` | Matches a numeric range with leading zeros | |
| Regex: Special Characters | `\` | Escapes special characters so they are treated as literals | `\.` matches a literal period |
| Regex: Reserved Characters | `. ? + * \| { } [ ] ( ) " \` | These characters have special meaning and must be escaped with `\` to match literally | |
| Fuzzy Matching | `=~ term~` | Matches using fuzzy logic | `query.name =~ cat~` |
| | `!~ term~` | Negative fuzzy match | `query.name !~ cat~` |
| | `=~ term~2` | Matches terms within a maximum distance of 2 changes | `query.name =~ cat~2` |
| | `!~ term~2` | Negative match within a maximum distance of 2 changes | `query.name !~ cat~2` |
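An added example, not code from this reference or from the NQL engine, that mirrors the three pattern forms above (wildcard, `/regex/`, `term~N`) in Python so a pattern can be tried against sample field values before it goes into a detection rule. Assumptions, since the page does not state them: wildcard patterns match the whole value (as `*at` implies), `/regex/` is unanchored unless `^`/`$` are used, and a bare `term~` allows 2 changes.

```python
import re
from typing import Callable

def wildcard_to_regex(pattern: str) -> str:
    """Translate an NQL wildcard pattern: '*' = zero or more chars, '?' = one char."""
    return "".join({"*": ".*", "?": "."}.get(ch, re.escape(ch)) for ch in pattern)

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), the 'changes' counted by term~N."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def compile_pattern(pattern: str) -> Callable[[str], bool]:
    """Build a predicate for the right-hand side of an NQL =~ / !~ expression."""
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        # /regex/: assumed unanchored, so ^ and $ behave as the anchor rows describe.
        rx = re.compile(pattern[1:-1])
        return lambda value: rx.search(value) is not None
    fuzzy = re.fullmatch(r"(.+?)~(\d*)", pattern)
    if fuzzy:
        # term~ or term~N; the default distance of 2 is an assumption, the page gives none.
        term, max_dist = fuzzy.group(1), int(fuzzy.group(2) or 2)
        return lambda value: levenshtein(value, term) <= max_dist
    # Plain wildcard pattern; assumed to match the whole value, as `*at` implies.
    rx = re.compile(wildcard_to_regex(pattern))
    return lambda value: rx.fullmatch(value) is not None

def evaluate(operator: str, pattern: str, value: str) -> bool:
    """Evaluate `field =~ pattern` or `field !~ pattern` against one field value."""
    if operator not in ("=~", "!~"):
        raise ValueError(f"unsupported operator: {operator}")
    matched = compile_pattern(pattern)(value)
    return matched if operator == "=~" else not matched

# Constructed sample query.name values (not real data) to exercise the table's patterns.
SAMPLE_NAMES = ["chat", "cat", "cast", "mail.example.com", "smtp.example.com"]

def matches(operator: str, pattern: str) -> list:
    """Names from SAMPLE_NAMES for which `query.name <operator> <pattern>` holds."""
    return [n for n in SAMPLE_NAMES if evaluate(operator, pattern, n)]

if __name__ == "__main__":
    for op, pat in [("=~", "*at"), ("=~", "?at"), ("!~", "/^mail/"), ("=~", "cat~2")]:
        print(f"query.name {op} {pat:<8} -> {matches(op, pat)}")
```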
See Using NQL for more detailed information.