AbuseHQ

Parrot Query Language (PQL)

or: how to write "Precondition" queries

PQL queries are always evaluated in a context (e.g. the case or a new incident); identifiers refer to the fields of that context.

Types

literals:

  • Strings ('hello', "foo bar"), single- or double-quoted
  • Integers (1, 2, 5123)
  • Floats (1.0, 0.009)
  • Dates, obtained from a function call: now(), date("yyyy-MM-dd'T'HH:mm:ss'Z'")
  • Intervals ('1d', '24h', '1440m'), written as a quoted string
    • can be negative ('-7d', '-1w')
    • valid modifiers: [w]eek, [d]ay, [h]our, [m]inute

Identifiers

an identifier references a field in the context

  • Simple fields (event_count)
  • Dict members, dotted (malware.name)
  • List elements, indexed (reporters[0])

logical expressions

  • Operators: AND, OR
  • Parentheses: a AND (b OR c)
  • Negation: a AND NOT b
  • Existence: a IS NULL, b IS NOT NULL, c IS KEY, d IS NOT KEY

Relational operators

== != < > <= >=

Functions

  • between(<field>, <lowerbound>, <upperbound>)
    • between(event_count, 0, 999)
  • format(<format_string>, <args...>) - printf-style formatting of the arguments
    • format('client_id is %s, event_count is %d', case.client_id, case.event_count)
  • in_cidr(<hex_field>, <cidr_range>)
    • in_cidr(resources.ip.hex, "127.0.0.0/21")
  • nettag(<hex_field>, <network tag>)
    • nettag(resources.ip[0].hex, "Dynamic")
  • infected(<field>, <malware name>) - normalized malware name check
    • infected(malware.name, "Zeus")
  • contains(<haystack>, <needle>)
    • contains(['foo', 'bar', 'baz'], 'bar')
    • contains('foobarbaz', 'oob')
  • current_user() - returns the current user's name
  • now() - returns this instant as a date object
  • date_diff(<date_from>, <date_to>) - returns an interval (from-to)
    • date_diff(now(), last_event_date)
    • date_diff(now(), yesterday) == interval("-1d")
  • date_add(<date>, <interval>) - returns a date object
    • date_add(now(), '24h')
    • date_add(now(), '-1d')
  • interval(<expr>)
    • interval('1d')
    • interval('24h')
    • interval('90m')
    • interval('-4w')
  • date(<expr>) - returns a date object; parses a date string in the pattern yyyy-MM-dd'T'HH:mm:ss'Z'
    • date("yyyy-MM-dd'T'HH:mm:ss'Z'")
  • date_format(<date>, <format_string>) - returns a string in the format specified by format_string
    • date_format(now(), "yyyy-MM-dd'T'HH:mm:ss'Z'")

Examples:

type_counts[0].name == 'copyright'
event_count < 2 AND date_diff(now(), last_event_date) < interval('1h')
current_user() == 'superuser'
timeout_date < now()
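The following is an added worked example and is not part of the AbuseHQ documentation or product: a small Python evaluator for the PQL subset described on this page (string, integer, float and interval literals; dotted and indexed identifiers; AND, OR, NOT and parentheses; the relational operators; IS [NOT] NULL / IS [NOT] KEY; and the functions between, contains, in_cidr, interval, now, current_user, date_add and date_diff). It runs the page's example queries against a constructed case context. The context layout (field names, `resources.ip[0].hex` holding a hex-encoded IPv4 address), the `user` and `now` parameters injected for deterministic evaluation, the `MISSING` sentinel used to distinguish IS NULL from IS KEY, and the sign convention of date_diff (from minus to, as the definition above states) are all assumptions made for this example, not statements about how AbuseHQ implements PQL.

```python
import ipaddress, operator, re
from datetime import datetime, timedelta, timezone

MISSING = object()  # sentinel: identifier path absent from the context (drives IS KEY); an assumption of this example
OPS = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
TOKEN_RE = re.compile(r"""(?P<num>\d+\.\d+|\d+)|(?P<str>'[^']*'|"[^"]*")|(?P<op><=|>=|==|!=|<|>)"""
                      r"""|(?P<punct>[()\[\],.])|(?P<word>[A-Za-z_]\w*)|(?P<junk>\S)""")

def interval(spec):  # interval literal '1d', '24h', '1440m', '-4w' -> timedelta (sign optional)
    m = re.fullmatch(r"(-?\d+)([wdhm])", spec.strip())
    if not m: raise ValueError(f"bad interval literal {spec!r}")
    unit = {"w": timedelta(weeks=1), "d": timedelta(days=1), "h": timedelta(hours=1), "m": timedelta(minutes=1)}
    return int(m.group(1)) * unit[m.group(2)]

def tokenize(text):  # finditer skips whitespace; any other unrecognised character is rejected
    toks = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN_RE.finditer(text)]
    if any(kind == "junk" for kind, _ in toks): raise SyntaxError(f"unexpected character in {text!r}")
    return toks

FUNCS = {  # the documented functions that need nothing beyond the context itself
    "between": lambda p, f, lo, hi: f is not MISSING and lo <= f <= hi,
    "contains": lambda p, hay, needle: hay is not MISSING and needle in hay,
    "in_cidr": lambda p, hexip, cidr: ipaddress.ip_address(int(hexip, 16)) in ipaddress.ip_network(cidr, strict=False),
    "interval": lambda p, spec: interval(spec),
    "now": lambda p: p.now,
    "current_user": lambda p: p.user,
    "date_add": lambda p, d, i: d + (i if isinstance(i, timedelta) else interval(i)),
    "date_diff": lambda p, start, end: start - end,  # from - to, following the definition on this page
}

class PQL:  # one-pass parse-and-evaluate; precedence: OR < AND < NOT < comparison < value
    def __init__(self, query, ctx, user, now):
        self.toks, self.i, self.ctx, self.user, self.now = tokenize(query), 0, ctx, user, now
    def peek(self, kind=None, val=None):  # current token text if it matches kind/value, else falsy
        k, v = self.toks[self.i] if self.i < len(self.toks) else (None, "")
        return v if kind in (None, k) and val in (None, v.upper()) else None
    def take(self, kind=None, val=None):
        v = self.peek(kind, val)
        if not v: raise SyntaxError(f"expected {val or kind or 'a value'} at token {self.i}")
        self.i += 1; return v
    def or_expr(self):
        v = self.and_expr()
        while self.peek("word", "OR"):
            self.take(); v = bool(self.and_expr()) or bool(v)  # both sides evaluated, no short-circuit
        return v
    def and_expr(self):
        v = self.comparison()
        while self.peek("word", "AND"):
            self.take(); v = bool(self.comparison()) and bool(v)
        return v
    def comparison(self):
        if self.peek("word", "NOT"):
            self.take(); return not self.comparison()
        left = self.value()
        if self.peek("word", "IS"):  # a IS [NOT] NULL / KEY
            self.take(); negate = bool(self.peek("word", "NOT")) and bool(self.take())
            kind = self.take("word").upper()
            if kind not in ("NULL", "KEY"): raise SyntaxError(f"unknown predicate IS {kind}")
            return (left in (None, MISSING) if kind == "NULL" else left is not MISSING) != negate
        if self.peek("op"):
            op, right = self.take(), self.value()
            return MISSING not in (left, right) and OPS[op](left, right)  # an absent field never matches
        return left
    def value(self):
        if self.peek("punct", "("):
            self.take(); v = self.or_expr(); self.take("punct", ")"); return v
        if self.peek("num"):
            t = self.take(); return float(t) if "." in t else int(t)
        if self.peek("str"):
            return self.take()[1:-1]
        name = self.take("word")
        if self.peek("punct", "("):  # function call with comma-separated arguments
            self.take(); args = []
            while not self.peek("punct", ")"):
                args.append(self.or_expr()); self.peek("punct", ",") and self.take()
            self.take(); return FUNCS[name.lower()](self, *args)
        cur = self.ctx.get(name, MISSING)  # identifier: dotted keys and [index] steps
        while self.peek("punct", ".") or self.peek("punct", "["):
            if self.take() == ".":
                key = self.take("word"); cur = cur.get(key, MISSING) if isinstance(cur, dict) else MISSING
            else:
                idx = int(self.take("num")); self.take("punct", "]")
                cur = cur[idx] if isinstance(cur, list) and idx < len(cur) else MISSING
        return cur

def evaluate(query, ctx, user="analyst", now=None):  # evaluate a precondition against a context dict
    p = PQL(query, ctx, user, now or datetime.now(timezone.utc))
    result = p.or_expr()
    if p.i != len(p.toks): raise SyntaxError(f"unparsed input starting at token {p.i}")
    return result

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference instant
SAMPLE_CASE = {  # constructed case context; field names follow the examples on this page
    "event_count": 1, "reporters": ["spamhaus"], "malware": {"name": "zeus"},
    "last_event_date": NOW - timedelta(minutes=30), "timeout_date": NOW - timedelta(hours=2),
    "type_counts": [{"name": "copyright", "count": 3}],
    "resources": {"ip": [{"hex": "7f000005"}]},  # 127.0.0.5 stored as hex, the form in_cidr() takes
}
```

`evaluate("event_count < 2 AND date_diff(now(), last_event_date) < interval('1h')", SAMPLE_CASE, now=NOW)` returns True for the constructed case, because the last event is 30 minutes old; `evaluate("current_user() == 'superuser'", SAMPLE_CASE, user="superuser")` is how the user-dependent example is exercised. Two design points worth noting: an identifier whose path does not resolve yields the MISSING sentinel rather than raising, so `IS KEY` can be expressed and a comparison against an absent field simply fails instead of crashing the precondition; and AND/OR always evaluate both operands, so a malformed sub-expression is reported even when the other side already decides the result.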