IQL reference guide
Internal Query Language (IQL) is used in FortiNDR Cloud for identifying, querying, filtering, and analyzing various network events such as flow, HTTP, and SSL events. It supports detections, behavioral observations, guided queries, and investigations. The results of an IQL query include enriched events, which are enhanced with intelligence indicator matches from FortiNDR Cloud's threat intelligence database. Additionally, IP enrichments such as ASN, internal/external status, and geographical attributes are included to provide comprehensive insights into network activities.
Purpose of this reference guide
This reference guide is intended as an introduction to creating IQL queries in FortiNDR Cloud. Where possible, we have provided example queries and short exercises to help you get started.
Using guided queries
If this is your first time creating queries, we recommend running a few Guided Queries to start. These will help familiarize you with query strings and their results. You can also use the results as a starting point for new queries to experiment with.
Sample queries
The portal also offers a library of sample queries for common searches. To access these samples, log into the portal and navigate to Investigations > Private Search.