Fortinet black logo

User Guide

Home FortiNDR Cloud User Guide

IQL Quick Reference

IQL Quick Reference

The IQL Quick Reference contains information and examples for creating IQL queries:

Network Security Posture Examples

Cloud Storage Use Over Time

http:host MATCHES '.*(dropbox.com|\.box.com).*' GROUP BY HOUR(timestamp), src.ip

Back to top.

Deprecated SSL Versions

ssl:version MATCHES 'SSLv[2,3]|TLSv10' AND dst.internal = true AND src.internal = false GROUP BY dst.ip, src.ip

Back to top.

Outbound SSH Sessions

src.internal = true AND dst.internal = false AND ssh:auth_success = true AND dst.asn.isp NOT IN ( 'Amazon', 'Amazon.com', 'GitHub, Inc.', 'GitHub') GROUP BY dst.geo.country, dst.asn.org

Back to top.

Hunt Examples

Long DNS Requests

query.domain MATCHES '.{150,}' GROUP BY query.domain

Back to top.

HTTP Post to IP Address

http:host.ip != null AND method = 'POST' AND dst.internal = false GROUP BY http:host.ip

Back to top.

Possible Webshell Command Execution

src.internal = false AND ((uri.uri LIKE '%whoami%') OR (uri.uri LIKE '%netstat%') OR (uri.uri LIKE '%ifconfig%') OR (uri.uri LIKE '%ipconfig%')) AND status_code = 200 GROUP BY uri.uri

Back to top.

Events and Properties

Event Types

  • DCE-RPC
  • DHCP
  • DNS
  • Flow
  • FTP
  • HTTP
  • Kerberos
  • NTLM

  • Observation

  • PE
  • RDP
  • SMB_FILE
  • SMB_MAPPING
  • SMTP
  • Software
  • SSH
  • SSL
  • Suricata
  • TUNNEL
  • X509

Field Primitives

TYPE

SYNTAX

EXAMPLES

IP

8.8.8.8, '10.0.0.0/8',

"192.168.1.1"

ip, src.ip, answer.ip

Timestamp

t'2017-02-08T17:49:10.017Z'

timestamp pe_compile_time

String

'www.google.com' "curl-agent"

domain user_agent

Integer

1234

total_pkts total_ip_bytes

Float

1.234

duration geo_distance

Boolean

true false

src.internal has_export_table

Source and Destination

PROPERTY

DESCRIPTION

src.ip dst.ip

IP address associated with the traffic

src.port dst.port

Port associated with the traffic

src.ip_bytes dst.ip_bytes

Bytes transferred from the provided endpoint src.ip_bytes ==> uploaded

src.pkts dst.pkts

Packets transferred from the provided endpoint

src.internal dst.internal

Boolean value defining whether the provided endpoint belongs to the customer IP space

src.asn dst.asn

Registration information such as AS number and registered organization

src.geo dst.geo

Geolocation information such as city and country

Back to top.

Property Comparisons

Equal or Not Equal: = == != <>

Exact field match

dst.port = 80

event_type == "http"

domain == "www.google.com"

http:referrer = null (Records with no referrer)

ftp:dst.geo.country != 'US'

total_ip_bytes <> 0

http:host.ip != null (HTTP records accessed by IP)

Less/Greater than (or equal to): < > <= >=

Filter on comparative size

timestamp > t"2017-01-01T00:00:00Z"

status_code < 500

duration <= 3600

duration <= 1 hour src.ip_bytes >= 1000000

bytes >= 1gb

Set: IN

Exact match of multiple values

dst.ip IN ('8.8.8.8', '8.8.4.4')

http:method NOT IN ('GET', 'POST', 'CONNECT')

Fuzzy: LIKE

Wildcards using SQL-like notation

% - 0 to many characters

_ - One character

rdp:cookie LIKE "_"

http:user_agent NOT LIKE 'Mozilla%' ssh:cipher like '%RC4%' http:host.domain like '%paypal%.%.com

Regex: MATCHES

(Formerly Lucene Regex support)

ssl:version MATCHES 'SSLv[2,3]|TLSv10'

user_agent NOT MATCHES '.*Chrome\/6[0-9]\..*'

query.domain matches '[a-zA-Z0-9]{16}\.onion((\.([a-zA-Z]+|([xX][nN]--[a-

zA-Z0-9]+)))+)?'

Back to top.

Querying Array/Nested Fields

Nested Field Queries

QUERY

DESCRIPTION

intel.feed = 'Alexa Top Domains' AND intel.severity = 'high'

Filters on aggregated values on all intel objects.

intel {feed = 'Alexa Top Domains' AND severity = 'high'}

Filter on individual objects of intel field.
Note

Scoped syntax, (i.e., using braces { }) only works for nested fields.

List of Nested Fields

answers

files

headers.proxied_client_ips

intel

path

san_dns

san_ip to

uri.params

Back to top.

Building Complex Queries

Structural Components

  • ( )

  • AND

  • OR

server_name MATCHES 'www\..*\.com' AND subject MATCHES 'CN=www\..*\.net' AND issuer MATCHES 'CN=www\..*\.com'

http:uri.uri LIKE '%.php?a=%&cd%&cr=%' OR uri.uri LIKE'%/?f=%&a=%&cd=%&cr=%&ir='

(http:user_agent='hola_get' OR http:host='client.hola.org') AND src.internal = true

src.internal = true and (user_agent LIKE '%Windows_XP%' OR user_agent LIKE '%Windows 2003%' OR user_agent LIKE '%Windows NT 5.%' OR user_agent LIKE '%Windows 2000%' OR user_agent LIKE'%Windows NT4.%')

Bulk Indicator Parsing

Quickly search across your environment for multiple indicators by pasting an unformatted text blob (or list of indicators) into the bulk indicator search feature. From the Actions menu, click Bulk Add Indicators:

FortiNDR Cloud will parse the contents for IoCs (IPs, domains, hashes, etc.), remove common defanging techniques and generate a query to run in your environment.

Back to top.

Aggregations

Aggregate up to two fields using GROUP BY. Returns top 100 aggregate values of $field1 and top 10 of $field2. Modify counts using limit. Maximum of 10,000 aggregates.

Unique Value Counting

src.internal = true AND dst.internal = false AND service = 'dns'
GROUP BY dst.ip

src.internal = true and http:host MATCHES '.*(gotomypc.com|logmein. com)' GROUP BY src.ip limit 20, http:host limit 4

src.internal = true AND dst.internal = false AND service = 'http' GROUP BY src.ip limit 10000

Aggregate Functions

Sum

Sum of integer or float field

Sum of integer or float field
src.internal = true AND src.ip_bytes > 1000000000 AND dst.ip_bytes
< 500000000 AND dst.internal = false GROUP BY dst.asn.org, SUM(src. ip_bytes)

src.internal = true AND dst.asn.asn_org = 'Amazon.com, Inc.' GROUP BY src.ip, SUM(total_ip_bytes)

Min/Max

Min/Max value of integer, float, timestamp field

http:host.domain = 'lumtest.com' AND uri.uri = '/myip.json' AND referrer.host.domain = null GROUP BY src.ip, MIN(timestamp)

service = 'ssh' AND src.internal = true AND dst.internal = false GROUP BY src.ip, MAX(duration)

Minute/Hour/Day

X-duration buckets of events based on any timestamp field

src.internal = true AND dst.internal = false AND flow:service != null GROUP BY HOUR(timestamp), service

dst.asn.asn_org = 'Dropbox, Inc.' GROUP BY DAY(timestamp), sum(total_ip_bytes)

intel.indicator != null and dst.asn.asn_org in ('Hosting Solution Ltd.','Digital Ocean, Inc.','Choopa, LLC') GROUP BY dst.ip, HOUR(timestamp)
Previous
Next

On This Page

Network Security Posture Examples
Hunt Examples
Events and Properties
Property Comparisons
Querying Array/Nested Fields
Building Complex Queries
Aggregations

IQL Quick Reference

The IQL Quick Reference contains information and examples for creating IQL queries:

Network Security Posture Examples

Cloud Storage Use Over Time

http:host MATCHES '.*(dropbox.com|\.box.com).*' GROUP BY HOUR(timestamp), src.ip

Back to top.

Deprecated SSL Versions

ssl:version MATCHES 'SSLv[2,3]|TLSv10' AND dst.internal = true AND src.internal = false GROUP BY dst.ip, src.ip

Back to top.

Outbound SSH Sessions

src.internal = true AND dst.internal = false AND ssh:auth_success = true AND dst.asn.isp NOT IN ( 'Amazon', 'Amazon.com', 'GitHub, Inc.', 'GitHub') GROUP BY dst.geo.country, dst.asn.org

Back to top.

Hunt Examples

Long DNS Requests

query.domain MATCHES '.{150,}' GROUP BY query.domain

Back to top.

HTTP Post to IP Address

http:host.ip != null AND method = 'POST' AND dst.internal = false GROUP BY http:host.ip

Back to top.

Possible Webshell Command Execution

src.internal = false AND ((uri.uri LIKE '%whoami%') OR (uri.uri LIKE '%netstat%') OR (uri.uri LIKE '%ifconfig%') OR (uri.uri LIKE '%ipconfig%')) AND status_code = 200 GROUP BY uri.uri

Back to top.

Events and Properties

Event Types

  • DCE-RPC
  • DHCP
  • DNS
  • Flow
  • FTP
  • HTTP
  • Kerberos
  • NTLM

  • Observation

  • PE
  • RDP
  • SMB_FILE
  • SMB_MAPPING
  • SMTP
  • Software
  • SSH
  • SSL
  • Suricata
  • TUNNEL
  • X509

Field Primitives

TYPE

SYNTAX

EXAMPLES

IP

8.8.8.8, '10.0.0.0/8',

"192.168.1.1"

ip, src.ip, answer.ip

Timestamp

t'2017-02-08T17:49:10.017Z'

timestamp pe_compile_time

String

'www.google.com' "curl-agent"

domain user_agent

Integer

1234

total_pkts total_ip_bytes

Float

1.234

duration geo_distance

Boolean

true false

src.internal has_export_table

Source and Destination

PROPERTY

DESCRIPTION

src.ip dst.ip

IP address associated with the traffic

src.port dst.port

Port associated with the traffic

src.ip_bytes dst.ip_bytes

Bytes transferred from the provided endpoint src.ip_bytes ==> uploaded

src.pkts dst.pkts

Packets transferred from the provided endpoint

src.internal dst.internal

Boolean value defining whether the provided endpoint belongs to the customer IP space

src.asn dst.asn

Registration information such as AS number and registered organization

src.geo dst.geo

Geolocation information such as city and country

Back to top.

Property Comparisons

Equal or Not Equal: = == != <>

Exact field match

dst.port = 80

event_type == "http"

domain == "www.google.com"

http:referrer = null (Records with no referrer)

ftp:dst.geo.country != 'US'

total_ip_bytes <> 0

http:host.ip != null (HTTP records accessed by IP)

Less/Greater than (or equal to): < > <= >=

Filter on comparative size

timestamp > t"2017-01-01T00:00:00Z"

status_code < 500

duration <= 3600

duration <= 1 hour src.ip_bytes >= 1000000

bytes >= 1gb

Set: IN

Exact match of multiple values

dst.ip IN ('8.8.8.8', '8.8.4.4')

http:method NOT IN ('GET', 'POST', 'CONNECT')

Fuzzy: LIKE

Wildcards using SQL-like notation

% - 0 to many characters

_ - One character

rdp:cookie LIKE "_"

http:user_agent NOT LIKE 'Mozilla%' ssh:cipher like '%RC4%' http:host.domain like '%paypal%.%.com

Regex: MATCHES

(Formerly Lucene Regex support)

ssl:version MATCHES 'SSLv[2,3]|TLSv10'

user_agent NOT MATCHES '.*Chrome\/6[0-9]\..*'

query.domain matches '[a-zA-Z0-9]{16}\.onion((\.([a-zA-Z]+|([xX][nN]--[a-

zA-Z0-9]+)))+)?'

Back to top.

Querying Array/Nested Fields

Nested Field Queries

QUERY

DESCRIPTION

intel.feed = 'Alexa Top Domains' AND intel.severity = 'high'

Filters on aggregated values on all intel objects.

intel {feed = 'Alexa Top Domains' AND severity = 'high'}

Filter on individual objects of intel field.
Note

Scoped syntax, (i.e., using braces { }) only works for nested fields.

List of Nested Fields

answers

files

headers.proxied_client_ips

intel

path

san_dns

san_ip to

uri.params

Back to top.

Building Complex Queries

Structural Components

  • ( )

  • AND

  • OR

server_name MATCHES 'www\..*\.com' AND subject MATCHES 'CN=www\..*\.net' AND issuer MATCHES 'CN=www\..*\.com'

http:uri.uri LIKE '%.php?a=%&cd%&cr=%' OR uri.uri LIKE'%/?f=%&a=%&cd=%&cr=%&ir='

(http:user_agent='hola_get' OR http:host='client.hola.org') AND src.internal = true

src.internal = true and (user_agent LIKE '%Windows_XP%' OR user_agent LIKE '%Windows 2003%' OR user_agent LIKE '%Windows NT 5.%' OR user_agent LIKE '%Windows 2000%' OR user_agent LIKE'%Windows NT4.%')

Bulk Indicator Parsing

Quickly search across your environment for multiple indicators by pasting an unformatted text blob (or list of indicators) into the bulk indicator search feature. From the Actions menu, click Bulk Add Indicators:

FortiNDR Cloud will parse the contents for IoCs (IPs, domains, hashes, etc.), remove common defanging techniques and generate a query to run in your environment.

Back to top.

Aggregations

Aggregate up to two fields using GROUP BY. Returns top 100 aggregate values of $field1 and top 10 of $field2. Modify counts using limit. Maximum of 10,000 aggregates.

Unique Value Counting

src.internal = true AND dst.internal = false AND service = 'dns'
GROUP BY dst.ip

src.internal = true and http:host MATCHES '.*(gotomypc.com|logmein. com)' GROUP BY src.ip limit 20, http:host limit 4

src.internal = true AND dst.internal = false AND service = 'http' GROUP BY src.ip limit 10000

Aggregate Functions

Sum

Sum of integer or float field

Sum of integer or float field
src.internal = true AND src.ip_bytes > 1000000000 AND dst.ip_bytes
< 500000000 AND dst.internal = false GROUP BY dst.asn.org, SUM(src. ip_bytes)

src.internal = true AND dst.asn.asn_org = 'Amazon.com, Inc.' GROUP BY src.ip, SUM(total_ip_bytes)

Min/Max

Min/Max value of integer, float, timestamp field

http:host.domain = 'lumtest.com' AND uri.uri = '/myip.json' AND referrer.host.domain = null GROUP BY src.ip, MIN(timestamp)

service = 'ssh' AND src.internal = true AND dst.internal = false GROUP BY src.ip, MAX(duration)

Minute/Hour/Day

X-duration buckets of events based on any timestamp field

src.internal = true AND dst.internal = false AND flow:service != null GROUP BY HOUR(timestamp), service

dst.asn.asn_org = 'Dropbox, Inc.' GROUP BY DAY(timestamp), sum(total_ip_bytes)

intel.indicator != null and dst.asn.asn_org in ('Hosting Solution Ltd.','Digital Ocean, Inc.','Choopa, LLC') GROUP BY dst.ip, HOUR(timestamp)
Previous
Next