NQL System Presets

The data on most pages of the Fusion portal can be narrowed via the portal's Global Filters (e.g. date and time). One field in the Global Filters is NQL Search, where you can enter an NQL expression to filter the data currently being presented. As you type an expression, the editor suggests both the available keys and, where applicable, the valid values for those keys.

Additionally, some Threat Hunting pages allow searching records directly by date/time and NQL. The following system presets work both in the Global Filters and in the Threat Hunting search pages.

Default NQL presets

Flow Records

IP Reputation Violators

srciprep.count > 0 OR dstiprep.count > 0

Only Privileged Ports

dstport < 1024

Not Broadcast IPs

dstip != 255.255.255.0/24

TCP Ports Scan

tcpflags.syn == true and tcpflags.ack == true and srcport > 1024

Alert Records (Events)

High & Medium Severities

severity == high || severity == medium

DDoS Category

categories == ddos

Audit Records

Login and Logout actions

class == authentication && (subclass == login || subclass == logout)

Deleted Objects

action == delete

Block Records

Active Blocks

active == true

Skipped Blocks

skipped == true
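As an added illustration (not code from the Netography portal or its documentation), the following small Python evaluator accepts the subset of NQL syntax the presets above use and applies them to constructed flow, alert and audit records. The grammar, the CIDR and multi-valued-field semantics, and the flat dotted-key record layout are assumptions made for this example.

```python
import ipaddress
import re

# Subset of NQL syntax used by the presets above: dotted keys, ==/!=/</>, and/or
# (also &&/||) and parentheses.  Assumed grammar for illustration, not Netography's.

def parse(tokens):
    def binary(i, words, below):       # left-associative chain of one operator level
        left, i = below(i)
        while i < len(tokens) and tokens[i].lower() in words:
            right, i = below(i + 1)
            left = (words[0], left, right)
        return left, i
    def atom(i):
        if tokens[i] == "(":
            node, i = expr(i + 1)
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError("missing ')'")
            return node, i + 1
        key, op, raw = tokens[i:i + 3]  # key <op> literal
        return ("cmp", key, op, raw), i + 3
    term = lambda i: binary(i, ("and", "&&"), atom)   # 'and' binds tighter than 'or'
    expr = lambda i: binary(i, ("or", "||"), term)
    node, i = expr(0)
    if i != len(tokens):
        raise ValueError(f"unparsed tokens: {tokens[i:]}")
    return node

def compare(actual, op, raw):
    if "/" in raw:  # CIDR literal: membership test, so != means "not inside that network"
        return (ipaddress.ip_address(actual) in ipaddress.ip_network(raw, False)) == (op == "==")
    want = int(raw) if raw.isdigit() else {"true": True, "false": False}.get(raw.lower(), raw)
    if isinstance(actual, list):  # multi-valued field such as categories
        return (want in actual) == (op == "==")
    if op in ("==", "!="):
        return (actual == want) == (op == "==")
    return actual > want if op == ">" else actual < want

def evaluate(node, record):
    if node[0] == "and": return evaluate(node[1], record) and evaluate(node[2], record)
    if node[0] == "or": return evaluate(node[1], record) or evaluate(node[2], record)
    _, key, op, raw = node
    return key in record and compare(record[key], op, raw)

def matches(preset, record):  # record is flat, keyed like "tcpflags.syn"
    return evaluate(parse(re.findall(r"\(|\)|==|!=|<|>|&&|\|\||[\w.]+(?:/\d+)?", preset)), record)

SAMPLE_FLOW = {"dstip": "10.0.0.255", "dstport": 22, "srcport": 40000, "tcpflags.syn": True,
               "tcpflags.ack": False, "srciprep.count": 0, "dstiprep.count": 2}  # constructed
SAMPLE_ALERT = {"severity": "medium", "categories": ["ddos", "scanning"]}       # constructed
```

A record that lacks the key an expression tests never matches, so a preset such as "active == true" is silently false against records from another record type.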


What’s Next