Query Language Reference
The general syntax is a logical expression, optionally followed by an "order by" clause.
The logical expression specifies the search condition for the query's results.
There are 3 logical operators: not, and, or.
The precedence is 'not' > 'and' > 'or': 'not' is evaluated first and 'or' last.
Expressions can also be nested using parentheses.
For comparisons, the following operators are available: '==' (equal), '!=' (not equal), '<' (less than), '>' (greater than), '>=' (greater than or equal), '<=' (less than or equal).
The operator 'in' evaluates to true if the variable is equal to any of the elements in the list.
This will return all requests made by either "admin" or "example_user":
The 'contains' operator is used for variables that store lists. The following query returns all requests that matched both "rule_a" and "rule_b":
Order By syntax
The "order by" clause sorts the results by one or more fields.
The following fields can be used in place of "VARIABLE_NAME" in all expressions:
| Field | Type | Description |
|---|---|---|
| timestamp | DateTime | Date/time the request happened |
| instanceId | Text | ID of the shield instance that processed this request |
| apps | Text Array | List of apps that matched this rule |
| hostname | Text | Hostname of the HTTP server for this request |
| contentType | Text | Content type of the request |
| username | Text | User that made this request |
| userGroup | Text | Comma-separated list of user groups |
| ip | Ip | User IP address |
| ipLocation | Text | User country detected through the IP address |
| device | Text | User device description |
| rules | Text Array | List of rules matched to the request |
| detectedDataTypes | Text Array | List of data types detected in this request |
Each field has a type; the table above uses DateTime, Text, Text Array and Ip, and boolean fields also exist.
Text and bool fields are straightforward and can be compared using the comparison operators (like '>') and the 'in' operator. The other types are detailed as follows:
A DateTime can be compared using the same comparison operators as Text, but the value must follow a specific format.
The simplest way to write a specific date is YYYY-MM-DD, where YYYY is the year, MM the month and DD the day.
The following query returns all requests that happened after 2022-01-01 at 00:00:
Relative dates can also be used. The queries described below return requests that happened within a window relative to now:
- Request happened within the last 10 days
- Request happened within the last 10 hours
- Request happened within the last 10 minutes
- Request happened within the last 10 days and 5 hours
IP addresses should be written in IPv4 dotted-octet format (as in "126.96.36.199").
- Returns all requests made by "188.8.131.52"
- Returns all requests made from the subnet "192.168.x.x"
These types contain a list and can only be compared with the "contains" operator.
- All requests that both "rule_a" and "rule_b" matched.
- Request happened at or after '2021-01-01'
- Request happened at or after '2021-01-01' and was scanned
- Request happened at or after '2021-01-01' and was obfuscated or detected
- Request happened on '2021-01-01'
- Scanned requests, sorted by timestamp
- All requests in which credit cards and domains were detected, sorted by ascending timestamp
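As an added example that is not part of the original reference and not the product's own code, the following Python evaluator implements the language as described on this page: the 'not' > 'and' > 'or' precedence, parentheses, the comparison operators, 'in', 'contains' for Text Array fields, date literals in YYYY-MM-DD form, IPv4 addresses and subnets, and the "order by" clause, run over a few constructed requests that use the field names from the table. Everything the page leaves unspecified is an assumption made here: values are double-quoted, an 'in' list is written ["a", "b"], a subnet is written in CIDR notation (for example "192.168.0.0/16"), "order by" accepts an optional asc/desc, and relative dates are not implemented.

```python
# Added example, not the product's code; quoting, [a, b] lists, CIDR subnets and asc/desc are assumed.
import ipaddress
import operator
import re
from datetime import datetime

FIELD_TYPES = {  # from the field table on this page
    "timestamp": "datetime", "instanceId": "text", "apps": "array",
    "hostname": "text", "contentType": "text", "username": "text",
    "userGroup": "text", "ip": "ip", "ipLocation": "text", "device": "text",
    "rules": "array", "detectedDataTypes": "array"}
CMP = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}
TOKEN = r'\s*("(?:[^"\\]|\\.)*"|==|!=|<=|>=|[<>()\[\],]|[A-Za-z_]\w*)'

def tokenize(query):  # quoted strings, operators, brackets, keywords and field names
    if not re.fullmatch(f"(?:{TOKEN})*\\s*", query):
        raise SyntaxError(f"cannot tokenize {query!r}")
    return re.findall(TOKEN, query)

def literal(tok):  # values must be double-quoted; a date literal is "YYYY-MM-DD" (that day at 00:00)
    if not tok.startswith('"'):
        raise SyntaxError(f"expected a quoted value, got {tok!r}")
    return tok[1:-1]

def native(field, value):  # text as stored/written -> datetime or IPv4Address where the field needs it
    return {"datetime": datetime.fromisoformat, "ip": ipaddress.ip_address}.get(FIELD_TYPES[field], str)(value)
def compare(field, op, actual, wanted):
    if FIELD_TYPES[field] == "ip" and "/" in wanted:  # CIDR literal: subnet membership test
        if op not in ("==", "!="):
            raise SyntaxError("a subnet can only be compared with == or !=")
        inside = ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
        return inside if op == "==" else not inside
    return CMP[op](native(field, actual), native(field, wanted))

class Parser:
    def __init__(self, query):
        self.toks, self.pos = tokenize(query), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self, *allowed):  # consume one token; if 'allowed' is given it must be one of them
        tok = self.peek()
        if tok is None or (allowed and tok not in allowed):
            raise SyntaxError(f"expected {' or '.join(allowed) or 'more input'}, got {tok!r}")
        self.pos += 1
        return tok
    def query(self):  # expression ["order" "by" FIELD ["asc" | "desc"]]
        pred, order = self.expression(), None
        if self.peek() == "order":
            self.take(), self.take("by")
            order = (self.take(*FIELD_TYPES), self.take() if self.peek() in ("asc", "desc") else "asc")
        if self.peek() is not None:
            raise SyntaxError(f"trailing input: {self.peek()!r}")
        return pred, order
    def expression(self):  # precedence not > and > or: an 'or' chain of 'and' chains
        return self.chain("or", lambda: self.chain("and", self.negation))
    def chain(self, keyword, operand):  # left-to-right chain of one boolean operator
        combine = operator.or_ if keyword == "or" else operator.and_
        pred = operand()
        while self.peek() == keyword:
            self.take()
            pred = (lambda l, rt: lambda r: combine(l(r), rt(r)))(pred, operand())
        return pred
    def negation(self):  # 'not' binds to one comparison or one parenthesised group
        if self.peek() == "not":
            self.take()
            inner = self.negation()
            return lambda r: not inner(r)
        return self.comparison()
    def comparison(self):
        if self.peek() == "(":  # nested expression; the tuple just sequences the three steps
            return (self.take(), self.expression(), self.take(")"))[1]
        field, op = self.take(*FIELD_TYPES), self.take()
        if FIELD_TYPES[field] == "array":  # list-valued fields only support 'contains'
            if op != "contains":
                raise SyntaxError(f"{field!r} is a list: use 'contains'")
            wanted = literal(self.take())
            return lambda r: wanted in r[field]
        if op == "in":  # field in ["a", "b"]: true when the field equals any listed value
            self.take("[")
            values = [literal(t) for t in iter(self.take, "]") if t != ","]
            return lambda r: any(compare(field, "==", r[field], v) for v in values)
        if op not in CMP:
            raise SyntaxError(f"unknown operator {op!r}")
        wanted = literal(self.take())
        return lambda r: compare(field, op, r[field], wanted)

def run_query(query, requests):  # matching requests, sorted by the order-by clause if present
    pred, order = Parser(query).query()
    hits = [r for r in requests if pred(r)]
    if order:
        hits.sort(key=lambda r: native(order[0], r[order[0]]), reverse=order[1] == "desc")
    return hits

REQUESTS = [  # constructed sample requests, not data from the page
    {"timestamp": "2020-12-31T23:59:00", "username": "admin", "ip": "192.168.1.7", "rules": ["rule_a"], "detectedDataTypes": []},
    {"timestamp": "2021-01-01T00:00:00", "username": "example_user", "ip": "203.0.113.9", "rules": ["rule_a", "rule_b"], "detectedDataTypes": ["credit_card", "domain"]},
    {"timestamp": "2022-06-01T12:00:00", "username": "bob", "ip": "203.0.113.10", "rules": [], "detectedDataTypes": ["domain"]},
]
```

The precedence rule is the part worth checking by hand: `run_query('not username == "admin" and ip == "192.168.0.0/16" or username == "bob"', REQUESTS)` returns only bob, because 'not' applies to the single comparison `username == "admin"` and 'and' binds before 'or'; the parenthesised form `not (username == "admin" and ip == "192.168.0.0/16") or username == "bob"` also returns example_user. Comparing a Text Array field with '==' and using an unknown field name both raise SyntaxError at parse time rather than silently matching nothing.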