NQL System Presets
The data on most pages of the Fusion portal can be filtered via the portal's Global Filters (e.g. date and time). One field in the Global Filters is NQL Search, where you can use NQL to filter the data currently being presented. As you type an NQL expression, the editor offers suggestions for the available keys and, where applicable, the available values for those keys.
Additionally, some Threat Hunting pages allow records to be searched directly by date/time and NQL. The following system defaults work both in the Global Filters and in the Threat Hunting search pages.
Default NQL presets
Flow Records
IP Reputation Violators: srciprep.count > 0 OR dstiprep.count > 0
Only Privileged Ports: dstport < 1024
Not Broadcast IPs: dstip != 255.255.255.0/24
TCP Ports Scan: tcpflags.syn == true and tcpflags.ack == true and srcport > 1024

Alert Records (Events)
High & Medium Severities: severity == high || severity == medium
DDoS Category: categories == ddos

Audit Records
Login and Logout actions: class == authentication && (subclass == login || subclass == logout)
Deleted Objects: action == delete

Block Records
Active Blocks: active == true
Skipped Blocks: skipped == true
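To make explicit what each preset matches, the following is an added example (not code from the Fusion documentation or the Netography product) that re-expresses the presets above as plain Python predicates and runs them over constructed sample records. The field names mirror the NQL keys on the page; the record layout, the sample values, the reading of `dstip != 255.255.255.0/24` as "destination not inside that CIDR block", and the treatment of `categories` as a list are assumptions made for the illustration.

```python
"""Added example: NQL system presets as Python predicates over constructed records.
Not part of the Fusion docs; record layouts and sample values are assumptions."""
import ipaddress

# Constructed sample flow records (not real traffic). Keys mirror the NQL keys.
FLOWS = [
    {"srcip": "10.0.0.5", "dstip": "192.0.2.10", "srcport": 44321, "dstport": 443,
     "srciprep": {"count": 0}, "dstiprep": {"count": 0}, "tcpflags": {"syn": True, "ack": False}},
    {"srcip": "198.51.100.7", "dstip": "10.0.0.5", "srcport": 51000, "dstport": 22,
     "srciprep": {"count": 2}, "dstiprep": {"count": 0}, "tcpflags": {"syn": True, "ack": True}},
    {"srcip": "10.0.0.9", "dstip": "255.255.255.255", "srcport": 68, "dstport": 67,
     "srciprep": {"count": 0}, "dstiprep": {"count": 0}, "tcpflags": {"syn": False, "ack": False}},
    {"srcip": "10.0.0.5", "dstip": "203.0.113.4", "srcport": 3389, "dstport": 8080,
     "srciprep": {"count": 0}, "dstiprep": {"count": 1}, "tcpflags": {"syn": True, "ack": True}},
]

# Constructed alert, audit and block records (assumed shapes, not the product's schema).
ALERTS = [
    {"severity": "high", "categories": ["ddos"]},
    {"severity": "low", "categories": ["scan"]},
    {"severity": "medium", "categories": []},
]
AUDITS = [
    {"class": "authentication", "subclass": "login", "action": "create"},
    {"class": "config", "subclass": "policy", "action": "delete"},
    {"class": "authentication", "subclass": "logout", "action": "update"},
]
BLOCKS = [
    {"active": True, "skipped": False},
    {"active": False, "skipped": True},
]

BROADCAST_NET = ipaddress.ip_network("255.255.255.0/24")


# --- Flow Records presets ---
def ip_reputation_violators(f):
    # srciprep.count > 0 OR dstiprep.count > 0
    return f["srciprep"]["count"] > 0 or f["dstiprep"]["count"] > 0


def only_privileged_ports(f):
    # dstport < 1024
    return f["dstport"] < 1024


def not_broadcast_ips(f):
    # dstip != 255.255.255.0/24, read as "dstip is not inside that CIDR" (assumption)
    return ipaddress.ip_address(f["dstip"]) not in BROADCAST_NET


def tcp_ports_scan(f):
    # tcpflags.syn == true and tcpflags.ack == true and srcport > 1024
    return f["tcpflags"]["syn"] and f["tcpflags"]["ack"] and f["srcport"] > 1024


# --- Alert Records presets ---
def high_medium_severities(a):
    # severity == high || severity == medium
    return a["severity"] in ("high", "medium")


def ddos_category(a):
    # categories == ddos; categories treated as a multi-valued field (assumption)
    return "ddos" in a["categories"]


# --- Audit Records presets ---
def login_logout_actions(r):
    # class == authentication && (subclass == login || subclass == logout)
    return r["class"] == "authentication" and r["subclass"] in ("login", "logout")


def deleted_objects(r):
    # action == delete
    return r["action"] == "delete"


# --- Block Records presets ---
def active_blocks(b):
    # active == true
    return b["active"] is True


def skipped_blocks(b):
    # skipped == true
    return b["skipped"] is True


def apply_preset(predicate, records):
    """Return the indices of the records the preset would keep."""
    return [i for i, rec in enumerate(records) if predicate(rec)]


if __name__ == "__main__":
    for name, pred, recs in [
        ("IP Reputation Violators", ip_reputation_violators, FLOWS),
        ("Only Privileged Ports", only_privileged_ports, FLOWS),
        ("Not Broadcast IPs", not_broadcast_ips, FLOWS),
        ("TCP Ports Scan", tcp_ports_scan, FLOWS),
        ("High & Medium Severities", high_medium_severities, ALERTS),
        ("DDoS Category", ddos_category, ALERTS),
        ("Login and Logout actions", login_logout_actions, AUDITS),
        ("Deleted Objects", deleted_objects, AUDITS),
        ("Active Blocks", active_blocks, BLOCKS),
        ("Skipped Blocks", skipped_blocks, BLOCKS),
    ]:
        print(f"{name}: keeps records {apply_preset(pred, recs)}")
```

Note that in the sample flows the DHCP-style record to 255.255.255.255 is the only one dropped by "Not Broadcast IPs", and that the third flow passes "Only Privileged Ports" even though it is ordinary broadcast traffic: presets are starting points to combine with further NQL terms, not detections on their own.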