NQL Quick Reference Guide

General Format

field operator value

dstport < 1024

Boolean Operators

&& AND

Logical AND

condition1 AND condition2

|| OR

Logical OR

condition1 OR condition2

!

Logical NOT

!(condition)

Comparison Operators

== != < <= > >=

Equals Not Equals Less than Less than or equals to Greater than Greater than or equals to

field == value field != value field <= value field > value field >= value

Spacing & Parentheses

Operators must have spaces before and after

field == value

()

Use parentheses for grouping

condition1 OR (condition2 AND condition3)

Logic must be clear

Valid: A OR (B AND C) Not valid: A OR B AND C

CIDR Notation

/24

IP fields can use CIDR notation

10.0.0.0/24

Pattern Matching

Wildcards, Regex, Fuzzy

= !

Match pattern Match NOT pattern

Supported Fields

Flow

dstiprep.categories srciprep.categories tags

DNS

answers.rdata query.domain query.host query.name query.publicsuffix

Events

ipinfo.iprep.categories summary tags

Audit

description

Wildcards

=~ *pattern

Matches zero or more characters

query.name =~ *at

!~ *pattern

Negative match for zero or more characters

query.name !~ *at

=~ ?pattern

Matches any single character

query.name =~ ?at

!~ ?pattern

Negative match for any single character

query.name !~ ?at

Regular Expressions (Regex)

=~ /pattern/

Matches using regex pattern

query.name =~ /pattern/

!~ /pattern/

Negative match using regex pattern

query.name !~ /pattern/

Regex: Text Boundary Anchors

^

Beginning of a line or string: Matches the start of a string

^cat matches "cat" at the beginning of a string

$

End of a line or string: Matches the end of a string

cat$ matches "cat" at the end of a string

Regex: Choice and Grouping

xy

Matches "xy"

abc matches "abc"

x OR y

Matches "x" or "y"

ax OR ye matches "axe" or "aye"`

abc(def)?

Grouping

abc(def)? matches 'abc' and 'abcdef'

Regex: Repetition

x*

Zero or more occurrences of "x"

a* matches "", "a", "aa"

x+

One or more occurrences of "x"

a+ matches "a", "aa"

x?

Zero or one occurrence of "x"

a? matches "" or "a"

x{n,m}

Between n and m occurrences of "x"

a{2,4} matches "aa", "aaa", "aaaa"

x{n,}

n or more occurrences of "x"

a{2,} matches "aa", "aaa"

x{n}

Exactly n occurrences of "x"

a{3} matches "aaa"

Regex: Character Classes

.

Matches any single character

c.t matches "cat" and "cot"

[abc]

Matches any single character in the set

[aeiou] matches any vowel

[^abc]

Matches any single character not in the set

[^aeiou] matches consonants

[a-z]

Matches any single character in the range

[a-z] matches any lowercase letter

Regex: Numeric Ranges

<0-10> <00-010>

Matches a numeric range Matches a numeric range with leading 0s

<0-10> matches any number from 0 to 10

Regex: Case Insensitive

/pattern/i

Matches the pattern without regard to case

/neto/i matches "neto","NETO",etc.

Regex: Special Characters

\

Escapes special characters to be treated as literals

\. matches a literal period

Regex: Reserved Characters

. ? + * OR { } [ ] ( ) " \\

Fuzzy Matching

=~ term~

Matches using fuzzy logic

query.name =~ cat~

!~ term~

Negative fuzzy match

query.name !~ cat~

=~ term~2

Matches terms with a maximum distance of 2 changes

query.name =~ cat~2

!~ term~2

Negative match with a maximum distance of 2 changes

query.name !~ cat~2