NQL Quick Reference Guide
| Field/Operator | Description | Example | |
|---|---|---|---|
| General Format | field operator value | dstport < 1024 | |
| Boolean Operators | && AND | Logical AND | condition1 AND condition2 |
|| OR | Logical OR | condition1 OR condition2 | |
! | Logical NOT | !(condition) | |
| Comparison Operators | ==!=<<=>>= | Equals Not Equals Less than Less than or equals to Greater than Greater than or equals to | field == valuefield != valuefield <= valuefield > valuefield >= value |
| Spacing & Parentheses | Operators must have spaces before and after | field == value | |
() | Use parentheses for grouping | condition1 OR (condition2 AND condition3) | |
| Logic must be clear | Valid: A OR (B AND C)Not valid: A OR B AND C | ||
| CIDR Notation | /24 | IP fields can use CIDR notation | 10.0.0.0/24 |
| Pattern Matching | Wildcards, Regex, Fuzzy | ||
=~!~ | Match pattern Match NOT pattern | ||
| Supported Fields | Flow | dstiprep.categories srciprep.categories tags | |
| DNS | answers.rdata query.domain query.host query.name query.publicsuffix | ||
| Events | ipinfo.iprep.categories summary tags | ||
| Audit | description | ||
| Wildcards | =~ *pattern | Matches zero or more characters | query.name =~ *at |
!~ *pattern | Negative match for zero or more characters | query.name !~ *at | |
=~ ?pattern | Matches any single character | query.name =~ ?at | |
!~ ?pattern | Negative match for any single character | query.name !~ ?at | |
| Regular Expressions (Regex) | =~ /pattern/ | Matches using regex pattern | query.name =~ /pattern/ |
!~ /pattern/ | Negative match using regex pattern | query.name !~ /pattern/ | |
| Regex: Text Boundary Anchors | ^ | Beginning of a line or string: Matches the start of a string | ^cat matches "cat" at the beginning of a string |
$ | End of a line or string: Matches the end of a string | cat$ matches "cat" at the end of a string | |
| Regex: Choice and Grouping | xy | Matches "xy" | abc matches "abc" |
x OR y | Matches "x" or "y" | ax OR ye matches "axe" or "aye"` | |
abc(def)? | Grouping | abc(def)? matches 'abc' and 'abcdef' | |
| Regex: Repetition | x* | Zero or more occurrences of "x" | a* matches "", "a", "aa" |
x+ | One or more occurrences of "x" | a+ matches "a", "aa" | |
x? | Zero or one occurrence of "x" | a? matches "" or "a" | |
x{n,m} | Between n and m occurrences of "x" | a{2,4} matches "aa", "aaa", "aaaa" | |
x{n,} | n or more occurrences of "x" | a{2,} matches "aa", "aaa" | |
x{n} | Exactly n occurrences of "x" | a{3} matches "aaa" | |
| Regex: Character Classes | . | Matches any single character | c.t matches "cat" and "cot" |
[abc] | Matches any single character in the set | [aeiou] matches any vowel | |
[^abc] | Matches any single character not in the set | [^aeiou] matches consonants | |
[a-z] | Matches any single character in the range | [a-z] matches any lowercase letter | |
| Regex: Special Characters | \ | Escapes special characters to be treated as literals | \. matches a literal period |
| Regex: Reserved Characters | . ? + * OR { } [ ] ( ) " \\ | ||
| Fuzzy Matching | =~ term~ | Matches using fuzzy logic | query.name =~ cat~ |
!~ term~ | Negative fuzzy match | query.name !~ cat~ | |
=~ term~2 | Matches terms with a maximum distance of 2 changes | query.name =~ cat~2 | |
!~ term~2 | Negative match with a maximum distance of 2 changes | query.name !~ cat~2 |
See Using NQL for more detailed information.
Updated about 1 month ago