Parrot Querry Language PQL

Overview

PQL Queries are always executed in a context, e.g., the case or a new incident

Types

literals

• Strings (‘hello’, “foo bar”)
• Integers (1, 2, 5123)
• Floats (1.0, 0.009)
• Dates (now(), date(“yyyy-MM-dd’T’HH:mm:ss’Z'”))

• • Intervals (‘1d’, ’24h’, ‘1440m’)
    • can be negative (‘-7d’, ‘-1w)
    • valid modifiers: [w]eek, [d]ay, [h]our, [m]inute

Identifiers
reference a field in the context

• Simple (event_count)
• Dicts (malware.name)
• Lists (reporters[0])

logical expressions

• Operators: AND, OR
• Parenthesis a AND (b OR c)
• Negation a AND NOT b
• existence: a IS NULL, b is NOT NULL, c IS KEY, d IS NOT KEY

Relational operators

< > <= >= !=

Functions

• between(, , )
  • between(event_count, 0, 999)

• format(<format_string>, <object…> args)
  • format(‘client_id is %s, event_count is %d’, case.client_id, case.event_count)

• in_cidr(<hex_field>, <cidr_range>)
  • in_cidr(resources.ip.hex, “127.0.0.0/21”)

• nettag(<hex_field>, )
  • nettag(resources.ip[0].hex, “Dynamic”)

• infected(, ) – normalized malware name check
  • infected(malware.name, “Zeus”)

• contains(, )
  • contains([‘foo’, ‘bar’, ‘baz’], ‘bar’)
  • contains(‘foobarbaz’, ‘oob’)

• current_user() – returns the current user’s name

• now() – returns this instant as a date object

• date_diff(<date_from>, <date_to>) – returns an interval (from-to)
  • date_diff(now(), last_event_date)
  • date_diff(now(), yesterday) == interval(“-1d”)

• date_add(, <interval) – returns a date object
  • date_add(now(), ’24h’)
  • date_add(now(), ‘-1d’)

• interval()
  • interval(‘1d’)
  • interval(’24h’)
  • interval(’90m’)
  • interval(‘-4w’)

• date() – returns a date object
  • date(“yyyy-MM-dd’T’HH:mm:ss’Z'”)

• • date_format(, <format_string>) – returns a string in a format specified by format_string.
    • date(“yyyy-MM-dd’T’HH:mm:ss’Z'”)

Examples

type_counts[0].name == ‘copyright’
event_count < 2 AND date_diff(now() last_event_date) < interval(‘1h’)
current_user() == ‘superuser’
timeout_date < now()