NQL syntax overview

Specifying table

Every NQL query starts with a short statement specifying the table to select data from. The syntax to specify the table is:

<namespace>.<table>

For example, listing all records in the events table from the execution namespace translates into the following statement:

execution.events

Syntax shortcuts

Instead of typing the namespace and the table, you can also use the predefined shortcuts. Type the table name only, without a namespace first to retrieve data from the following tables:

NamespaceTableShortcut

application

applications

applications

binary

binaries

binaries

campaign

campaigns

campaigns

device

devices

devices

user

user

users

For example, type devices instead of device.devices to list all the records within the devices table in the device namespace.

devices

You do not need to specify the table fields included in the results to query data from the table. The system includes default fields that are most relevant to identify the records. For more information about fields contained in specific table, refer to the NQL data model page. Use the NQL list keyword to access other fields in the specific table.

Specifying time frame

You have the option to filter your results over a specific period of time by putting a time frame selection right after the table name in your NQL statement. Depending on what you need, you can choose from various data selection formats and time precisions. For example you can specify the number of days back:

execution.crashes during past 7d

Or specific date:

execution.crashes on Feb 8, 2024

You can also use a time selection when querying the following inventory objects: devices, users, binaries. If you specify the time frame for the inventory objects, the system refers to the events behind the object's activity.

For example, the following queries refer to the same set of data.

devices during past 7
devices 
| with device_performance.events during past 7

For more information regarding the time selection formats refer to the NQL time selection

Customizing Query Results

After specifying the table and timeframe, you can further refine your query by providing additional instructions to the system using keywords, operators and functions. These refinements allow you to organize, filter or aggregate your results to gather more comprehensive insights.

For example:

  1. Filter the results using the where clause

    binaries during past 24h
    | where binary.name == "dllhost.exe"
  2. Select specific data to display using the list clause

    binaries during past 24h
    | where binary.name == "dllhost.exe"
    | list name, version, platform, architecture, size
  3. Order results using the sort ... desc clause

    binaries during past 24h
    | where binary.name == "dllhost.exe"
    | list name, version, platform, architecture, size
    | sort size desc
  4. Set a maximum number of results using the limit clause

    binaries during past 24h
    | where binary.name == "dllhost.exe"
    | list name, version, platform, architecture, size
    | sort size desc
    | limit 10

For more information about specific instructions, refer to the NQL keywords section.

Pattern matching

Use wildcard characters such as * and ? for text filters.

* replaces any number of characters

? replaces any single character

For example, listing all binaries with a name starting with dll and finishing with .exe translates into the following query:

binaries during past 24h
| where binary.name == "dll*.exe"
| list size,name,version 
| sort size desc 
| limit 100

Last updated