Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    2024.10.0
    2024.10.0
    2024.9.0
    2024.7.0

    IQL Quick Reference

    IQL Quick Reference

    The IQL Quick Reference contains information and examples for creating IQL queries:

    Network Security Posture Examples

    Cloud Storage Use Over Time

    http:host MATCHES '.*(dropbox.com|\.box.com).*' GROUP BY HOUR(timestamp), src.ip

    Back to top.

    Deprecated SSL Versions

    ssl:version MATCHES 'SSLv[2,3]|TLSv10' AND dst.internal = true AND src.internal = false GROUP BY dst.ip, src.ip

    Back to top.

    Outbound SSH Sessions

    src.internal = true AND dst.internal = false AND ssh:auth_success = true AND dst.asn.isp NOT IN ( 'Amazon', 'Amazon.com', 'GitHub, Inc.', 'GitHub') GROUP BY dst.geo.country, dst.asn.org

    Back to top.

    Hunt Examples

    Long DNS Requests

    query.domain MATCHES '.{150,}' GROUP BY query.domain

    Back to top.

    HTTP Post to IP Address

    http:host.ip != null AND method = 'POST' AND dst.internal = false GROUP BY http:host.ip

    Back to top.

    Possible Webshell Command Execution

    src.internal = false AND ((uri.uri LIKE '%whoami%') OR (uri.uri LIKE '%netstat%') OR (uri.uri LIKE '%ifconfig%') OR (uri.uri LIKE '%ipconfig%')) AND status_code = 200 GROUP BY uri.uri

    Back to top.

    Events and Properties

    Event Types

    • DCE-RPC
    • DHCP
    • DNS
    • Flow
    • FTP
    • HTTP
    • Kerberos
    • NTLM

    • Observation

    • PE
    • RDP
    • SMB_FILE
    • SMB_MAPPING
    • SMTP
    • Software
    • SSH
    • SSL
    • Suricata
    • TUNNEL
    • X509

    Field Primitives

    TYPE

    SYNTAX

    EXAMPLES

    IP

    8.8.8.8, '10.0.0.0/8',

    "192.168.1.1"

    ip, src.ip, answer.ip

    Timestamp

    t'2017-02-08T17:49:10.017Z'

    timestamp pe_compile_time

    String

    'www.google.com' "curl-agent"

    domain user_agent

    Integer

    1234

    total_pkts total_ip_bytes

    Float

    1.234

    duration geo_distance

    Boolean

    true false

    src.internal has_export_table

    Source and Destination

    PROPERTY

    DESCRIPTION

    src.ip dst.ip

    IP address associated with the traffic

    src.port dst.port

    Port associated with the traffic

    src.ip_bytes dst.ip_bytes

    Bytes transferred from the provided endpoint src.ip_bytes ==> uploaded

    src.pkts dst.pkts

    Packets transferred from the provided endpoint

    src.internal dst.internal

    Boolean value defining whether the provided endpoint belongs to the customer IP space

    src.asn dst.asn

    Registration information such as AS number and registered organization

    src.geo dst.geo

    Geolocation information such as city and country

    Back to top.

    Property Comparisons

    Equal or Not Equal: = == != <>

    Exact field match

    dst.port = 80

    event_type == "http"

    domain == "www.google.com"

    http:referrer = null (Records with no referrer)

    ftp:dst.geo.country != 'US'

    total_ip_bytes <> 0

    http:host.ip != null (HTTP records accessed by IP)

    Less/Greater than (or equal to): < > <= >=

    Filter on comparative size

    timestamp > t"2017-01-01T00:00:00Z"

    status_code < 500

    duration <= 3600

    duration <= 1 hour src.ip_bytes >= 1000000

    bytes >= 1gb

    Set: IN

    Exact match of multiple values

    dst.ip IN ('8.8.8.8', '8.8.4.4')

    http:method NOT IN ('GET', 'POST', 'CONNECT')

    Fuzzy: LIKE

    Wildcards using SQL-like notation

    % - 0 to many characters

    _ - One character

    rdp:cookie LIKE "_"

    http:user_agent NOT LIKE 'Mozilla%' ssh:cipher like '%RC4%' http:host.domain like '%paypal%.%.com

    Regex: MATCHES

    (Formerly Lucene Regex support)

    ssl:version MATCHES 'SSLv[2,3]|TLSv10'

    user_agent NOT MATCHES '.*Chrome\/6[0-9]\..*'

    query.domain matches '[a-zA-Z0-9]{16}\.onion((\.([a-zA-Z]+|([xX][nN]--[a-

    zA-Z0-9]+)))+)?'

    Back to top.

    Querying Array/Nested Fields

    Nested Field Queries

    QUERY

    DESCRIPTION

    intel.feed = 'Alexa Top Domains' AND intel.severity = 'high'

    Filters on aggregated values on all intel objects.

    intel {feed = 'Alexa Top Domains' AND severity = 'high'}

    Filter on individual objects of intel field.
    Note

    Scoped syntax, (i.e., using braces { }) only works for nested fields.

    List of Nested Fields

    answers

    files

    headers.proxied_client_ips

    intel

    path

    san_dns

    san_ip to

    uri.params

    Back to top.

    Building Complex Queries

    Structural Components

    • ( )

    • AND

    • OR

    server_name MATCHES 'www\..*\.com' AND subject MATCHES 'CN=www\..*\.net' AND issuer MATCHES 'CN=www\..*\.com'

    http:uri.uri LIKE '%.php?a=%&cd%&cr=%' OR uri.uri LIKE'%/?f=%&a=%&cd=%&cr=%&ir='

    (http:user_agent='hola_get' OR http:host='client.hola.org') AND src.internal = true

    src.internal = true and (user_agent LIKE '%Windows_XP%' OR user_agent LIKE '%Windows 2003%' OR user_agent LIKE '%Windows NT 5.%' OR user_agent LIKE '%Windows 2000%' OR user_agent LIKE'%Windows NT4.%')

    Bulk Indicator Parsing

    Quickly search across your environment for multiple indicators by pasting an unformatted text blob (or list of indicators) into the bulk indicator search feature. From the Actions menu, click Bulk Add Indicators:

    FortiNDR Cloud will parse the contents for IoCs (IPs, domains, hashes, etc.), remove common defanging techniques and generate a query to run in your environment.

    Back to top.

    Aggregations

    Aggregate up to two fields using GROUP BY. Returns top 100 aggregate values of $field1 and top 10 of $field2. Modify counts using limit. Maximum of 10,000 aggregates.

    Unique Value Counting

    src.internal = true AND dst.internal = false AND service = 'dns'
GROUP BY dst.ip

src.internal = true and http:host MATCHES '.*(gotomypc.com|logmein. com)' GROUP BY src.ip limit 20, http:host limit 4

src.internal = true AND dst.internal = false AND service = 'http' GROUP BY src.ip limit 10000

    Aggregate Functions

    Sum

    Sum of integer or float field

    Sum of integer or float field
src.internal = true AND src.ip_bytes > 1000000000 AND dst.ip_bytes
< 500000000 AND dst.internal = false GROUP BY dst.asn.org, SUM(src. ip_bytes)

src.internal = true AND dst.asn.asn_org = 'Amazon.com, Inc.' GROUP BY src.ip, SUM(total_ip_bytes)

    Min/Max

    Min/Max value of integer, float, timestamp field

    http:host.domain = 'lumtest.com' AND uri.uri = '/myip.json' AND referrer.host.domain = null GROUP BY src.ip, MIN(timestamp)

service = 'ssh' AND src.internal = true AND dst.internal = false GROUP BY src.ip, MAX(duration)

    Minute/Hour/Day

    X-duration buckets of events based on any timestamp field

    src.internal = true AND dst.internal = false AND flow:service != null GROUP BY HOUR(timestamp), service

dst.asn.asn_org = 'Dropbox, Inc.' GROUP BY DAY(timestamp), sum(total_ip_bytes)

intel.indicator != null and dst.asn.asn_org in ('Hosting Solution Ltd.','Digital Ocean, Inc.','Choopa, LLC') GROUP BY dst.ip, HOUR(timestamp)
    Previous
    Next

    On This Page

    Network Security Posture Examples
    Hunt Examples
    Events and Properties
    Property Comparisons
    Querying Array/Nested Fields
    Building Complex Queries
    Aggregations

    IQL Quick Reference

    IQL Quick Reference

    The IQL Quick Reference contains information and examples for creating IQL queries:

    Network Security Posture Examples

    Cloud Storage Use Over Time

    http:host MATCHES '.*(dropbox.com|\.box.com).*' GROUP BY HOUR(timestamp), src.ip

    Back to top.

    Deprecated SSL Versions

    ssl:version MATCHES 'SSLv[2,3]|TLSv10' AND dst.internal = true AND src.internal = false GROUP BY dst.ip, src.ip

    Back to top.

    Outbound SSH Sessions

    src.internal = true AND dst.internal = false AND ssh:auth_success = true AND dst.asn.isp NOT IN ( 'Amazon', 'Amazon.com', 'GitHub, Inc.', 'GitHub') GROUP BY dst.geo.country, dst.asn.org

    Back to top.

    Hunt Examples

    Long DNS Requests

    query.domain MATCHES '.{150,}' GROUP BY query.domain

    Back to top.

    HTTP Post to IP Address

    http:host.ip != null AND method = 'POST' AND dst.internal = false GROUP BY http:host.ip

    Back to top.

    Possible Webshell Command Execution

    src.internal = false AND ((uri.uri LIKE '%whoami%') OR (uri.uri LIKE '%netstat%') OR (uri.uri LIKE '%ifconfig%') OR (uri.uri LIKE '%ipconfig%')) AND status_code = 200 GROUP BY uri.uri

    Back to top.

    Events and Properties

    Event Types

    • DCE-RPC
    • DHCP
    • DNS
    • Flow
    • FTP
    • HTTP
    • Kerberos
    • NTLM

    • Observation

    • PE
    • RDP
    • SMB_FILE
    • SMB_MAPPING
    • SMTP
    • Software
    • SSH
    • SSL
    • Suricata
    • TUNNEL
    • X509

    Field Primitives

    TYPE

    SYNTAX

    EXAMPLES

    IP

    8.8.8.8, '10.0.0.0/8',

    "192.168.1.1"

    ip, src.ip, answer.ip

    Timestamp

    t'2017-02-08T17:49:10.017Z'

    timestamp pe_compile_time

    String

    'www.google.com' "curl-agent"

    domain user_agent

    Integer

    1234

    total_pkts total_ip_bytes

    Float

    1.234

    duration geo_distance

    Boolean

    true false

    src.internal has_export_table

    Source and Destination

    PROPERTY

    DESCRIPTION

    src.ip dst.ip

    IP address associated with the traffic

    src.port dst.port

    Port associated with the traffic

    src.ip_bytes dst.ip_bytes

    Bytes transferred from the provided endpoint src.ip_bytes ==> uploaded

    src.pkts dst.pkts

    Packets transferred from the provided endpoint

    src.internal dst.internal

    Boolean value defining whether the provided endpoint belongs to the customer IP space

    src.asn dst.asn

    Registration information such as AS number and registered organization

    src.geo dst.geo

    Geolocation information such as city and country

    Back to top.

    Property Comparisons

    Equal or Not Equal: = == != <>

    Exact field match

    dst.port = 80

    event_type == "http"

    domain == "www.google.com"

    http:referrer = null (Records with no referrer)

    ftp:dst.geo.country != 'US'

    total_ip_bytes <> 0

    http:host.ip != null (HTTP records accessed by IP)

    Less/Greater than (or equal to): < > <= >=

    Filter on comparative size

    timestamp > t"2017-01-01T00:00:00Z"

    status_code < 500

    duration <= 3600

    duration <= 1 hour src.ip_bytes >= 1000000

    bytes >= 1gb

    Set: IN

    Exact match of multiple values

    dst.ip IN ('8.8.8.8', '8.8.4.4')

    http:method NOT IN ('GET', 'POST', 'CONNECT')

    Fuzzy: LIKE

    Wildcards using SQL-like notation

    % - 0 to many characters

    _ - One character

    rdp:cookie LIKE "_"

    http:user_agent NOT LIKE 'Mozilla%' ssh:cipher like '%RC4%' http:host.domain like '%paypal%.%.com

    Regex: MATCHES

    (Formerly Lucene Regex support)

    ssl:version MATCHES 'SSLv[2,3]|TLSv10'

    user_agent NOT MATCHES '.*Chrome\/6[0-9]\..*'

    query.domain matches '[a-zA-Z0-9]{16}\.onion((\.([a-zA-Z]+|([xX][nN]--[a-

    zA-Z0-9]+)))+)?'

    Back to top.

    Querying Array/Nested Fields

    Nested Field Queries

    QUERY

    DESCRIPTION

    intel.feed = 'Alexa Top Domains' AND intel.severity = 'high'

    Filters on aggregated values on all intel objects.

    intel {feed = 'Alexa Top Domains' AND severity = 'high'}

    Filter on individual objects of intel field.
    Note

    Scoped syntax, (i.e., using braces { }) only works for nested fields.

    List of Nested Fields

    answers

    files

    headers.proxied_client_ips

    intel

    path

    san_dns

    san_ip to

    uri.params

    Back to top.

    Building Complex Queries

    Structural Components

    • ( )

    • AND

    • OR

    server_name MATCHES 'www\..*\.com' AND subject MATCHES 'CN=www\..*\.net' AND issuer MATCHES 'CN=www\..*\.com'

    http:uri.uri LIKE '%.php?a=%&cd%&cr=%' OR uri.uri LIKE'%/?f=%&a=%&cd=%&cr=%&ir='

    (http:user_agent='hola_get' OR http:host='client.hola.org') AND src.internal = true

    src.internal = true and (user_agent LIKE '%Windows_XP%' OR user_agent LIKE '%Windows 2003%' OR user_agent LIKE '%Windows NT 5.%' OR user_agent LIKE '%Windows 2000%' OR user_agent LIKE'%Windows NT4.%')

    Bulk Indicator Parsing

    Quickly search across your environment for multiple indicators by pasting an unformatted text blob (or list of indicators) into the bulk indicator search feature. From the Actions menu, click Bulk Add Indicators:

    FortiNDR Cloud will parse the contents for IoCs (IPs, domains, hashes, etc.), remove common defanging techniques and generate a query to run in your environment.

    Back to top.

    Aggregations

    Aggregate up to two fields using GROUP BY. Returns top 100 aggregate values of $field1 and top 10 of $field2. Modify counts using limit. Maximum of 10,000 aggregates.

    Unique Value Counting

    src.internal = true AND dst.internal = false AND service = 'dns'
GROUP BY dst.ip

src.internal = true and http:host MATCHES '.*(gotomypc.com|logmein. com)' GROUP BY src.ip limit 20, http:host limit 4

src.internal = true AND dst.internal = false AND service = 'http' GROUP BY src.ip limit 10000

    Aggregate Functions

    Sum

    Sum of integer or float field

    Sum of integer or float field
src.internal = true AND src.ip_bytes > 1000000000 AND dst.ip_bytes
< 500000000 AND dst.internal = false GROUP BY dst.asn.org, SUM(src. ip_bytes)

src.internal = true AND dst.asn.asn_org = 'Amazon.com, Inc.' GROUP BY src.ip, SUM(total_ip_bytes)

    Min/Max

    Min/Max value of integer, float, timestamp field

    http:host.domain = 'lumtest.com' AND uri.uri = '/myip.json' AND referrer.host.domain = null GROUP BY src.ip, MIN(timestamp)

service = 'ssh' AND src.internal = true AND dst.internal = false GROUP BY src.ip, MAX(duration)

    Minute/Hour/Day

    X-duration buckets of events based on any timestamp field

    src.internal = true AND dst.internal = false AND flow:service != null GROUP BY HOUR(timestamp), service

dst.asn.asn_org = 'Dropbox, Inc.' GROUP BY DAY(timestamp), sum(total_ip_bytes)

intel.indicator != null and dst.asn.asn_org in ('Hosting Solution Ltd.','Digital Ocean, Inc.','Choopa, LLC') GROUP BY dst.ip, HOUR(timestamp)
    Previous
    Next