TQL Operators and Parameters
- 10 Jan 2024
- 13 Minutes to read
-
Print
-
DarkLight
TQL Operators and Parameters
- Updated on 10 Jan 2024
- 13 Minutes to read
-
Print
-
DarkLight
Article Summary
Share feedback
Thanks for sharing your feedback!
Operators
Table 1 provides a list of all ThreatConnect Query Language (TQL) operators in all of their acceptable forms.
| Operators |
|---|
| =, ==, EQ, EQUALS |
| !=, NE |
| >, GT |
| <, LT |
| <=, LEQ |
| >=, GEQ |
| [NOT] IN |
| [NOT] LIKE |
| [NOT] CONTAINS |
| [NOT] STARTSWITH |
| [NOT] ENDSWITH |
General Parameters
Table 2 provides all of the general TQL parameters, including their corresponding ThreatConnect object type and data type.
Note
It is recommended to use ISO-8601-compliant formatting for TQL parameters with the Date data type.
| Object Type | Parameter | Data Type | Comments |
|---|---|---|---|
| Groups | associatedGroupSource | String | Accepted values:
|
| Groups | associatedIndicator | Integer | Deprecated by nested query; equivalent to hasIndicator(id=n) |
| Groups | associatedIndicatorSource | String | Accepted values:
|
| Groups | attributeNN | Dependent | See the “Query for Attributes” section of Constructing Query Expressions for more information. |
| Groups | createdBy | User | Any username in the user’s Organization (e.g., createdBy = "joeuser@gmail.com") |
| Groups | dateAdded | Date | |
| Groups | documentDateAdded | Date | |
| Groups | documentFilename | String | |
| Groups | documentFilesize | Long | |
| Groups | documentStatus | String | |
| Groups | documentType | String | |
| Groups | downvoteCount | Integer | |
| Groups | emailDate | Date | |
| Groups | emailFrom | String | |
| Groups | emailScore | Integer | |
| Groups | emailScoreIncludesBody | Boolean | |
| Groups | emailSubject | String | |
| Groups | eventDate | Date | |
| Groups | externalDateAdded | Date | The date that the Group was first created externally |
| Groups | externalDateExpires | Date | The date that the Group was last modified externally |
| Groups | externalLastModified | Date | The date that the Group expires externally |
| Groups | firstSeen | Date | The date that the Group was first seen |
| Groups | generatedReport | Boolean | Returns Report Groups that were created using the Publish Report feature in the Report Editor |
| Groups | hasAllTags() | Nested Query | A nested query that returns only Groups with all specified Tags applied to them. The query must be of the form hasAllTags(id=x) or hasAllTags(id IN (x,y)), where x and y represent Tag ID numbers. |
| Groups | hasArtifact() | Nested Query | |
| Groups | hasAttribute() | Nested Query | |
| Groups | hasCase() | Nested Query | |
| Groups | hasGroup() | Nested Query | |
| Groups | hasIndicator() | Nested Query | |
| Groups | hasIntelQuery() | Nested Query | |
| Groups | hasIntelRequirement() | Nested Query | |
| Groups | hasSecurityLabel() | Nested Query | |
| Groups | hasTag() | Nested Query | |
| Groups | hasVictim() | Nested Query | |
| Groups | hasVictimAsset() | Nested Query | |
| Groups | id | Integer | The ID number of a Group. This number can be found in the URL of the Group’s Details screen, between groups/ and /overview. |
| Groups | insights | String | The AI-generated summary of a Report Group Note As of ThreatConnect 7.4, AI-generated summaries are available only for Report Groups in the CAL™ Automated Threat Library (ATL) Source. |
| Groups | lastModified | Date | |
| Groups | lastSeen | Date | The date that the Group was last seen |
| Groups | owner | Integer | |
| Groups | ownerName | String | |
| Groups | securityLabel | String | |
| Groups | signatureDateAdded | Date | |
| Groups | signatureFilename | String | |
| Groups | signatureType | String | |
| Groups | status | String | |
| Groups | summary | String | |
| Groups | tag | String | Deprecated by nested query; equivalent to hasTag(summary="") |
| Groups | tagOwner | Integer | Deprecated by nested query; equivalent to hasTag(owner=n) |
| Groups | tagOwnerName | String | Deprecated by nested query; equivalent to hasTag(ownerName="") |
| Groups | taskAssignee | User | me is the only valid value |
| Groups | taskAssigneePseudo | User | |
| Groups | taskDateAdded | Date | |
| Groups | taskDueDate | Date | |
| Groups | taskEscalated | Boolean | |
| Groups | taskEscalationDate | Date | |
| Groups | taskLastModified | Date | |
| Groups | taskOverdue | Boolean | |
| Groups | taskReminded | Boolean | |
| Groups | taskReminderDate | Date | |
| Groups | taskStatus | String | |
| Groups | type | Integer | |
| Groups | typeName | String | |
| Groups | upvoteCount | Integer | |
| Groups | victimAsset | String | Deprecated by nested query; equivalent to hasVictimAsset(name="") |
| Indicators | activeLocked | Boolean | |
| Indicators | addressASN | Integer | |
| Indicators | addressCIDR | CIDR Expression | |
| Indicators | addressCity | String | |
| Indicators | addressCountryCode | String | |
| Indicators | addressCountryName | String | |
| Indicators | addressIpVal | BigInteger | |
| Indicators | addressIsIpv6 | Boolean | |
| Indicators | addressRegisteringOrg | String | |
| Indicators | addressState | String | |
| Indicators | addressTimezone | String | |
| Indicators | associatedGroup | Integer | Deprecated by nested query; equivalent to hasGroup(id=n) |
| Indicators | associatedGroupSource | String | Accepted values:
|
| Indicators | associatedIndicatorSource | String | Accepted values:
|
| Indicators | attributeNN | Dependent | See the “Query for Attributes” section of Constructing Query Expressions for more information. |
| Indicators | confidence | Integer | |
| Indicators | dateAdded | Date | Accepted formats: yyyy-MM-dd HH:mm yyyy-MM-dd MM-dd-yyyy |
| Indicators | description | String | |
| Indicators | dtLastUpdated | Date | The last date and time the Indicator was looked at with DomainTools® |
| Indicators | dtMalwareScore | Integer | The malware score for the Indicator in DomainTools |
| Indicators | dtOverallScore | Integer | The overall score for the Indicator in DomainTools |
| Indicators | dtPhishingScore | Integer | The phishing score for the Indicator in DomainTools |
| Indicators | dtSpamScore | Integer | The spam score for the Indicator in DomainTools |
| Indicators | dtStatus | Boolean | The domain status for the Indicator in DomainTools |
| Indicators | externalDateAdded | Date | The date and time that the Indicator was first created externally |
| Indicators | externalLastModified | Date | The date and time that the Indicator was last modified externally |
| Indicators | externalDateExpires | Date | The date and time the Indicator expires externally |
| Indicators | falsePositiveCount | String | |
| Indicators | fileName | String | |
| Indicators | filePath | String | |
| Indicators | fileSize | BigInteger | |
| Indicators | firstSeen | Date | The date and time that the Indicator was first seen |
| Indicators | hasAllTags() | Nested Query | A nested query that returns only Indicators with all specified Tags applied to them. The query must be of the form hasAllTags(id=x) or hasAllTags(id IN (x,y)), where x and y represent Tag ID numbers. |
| Indicators | hasArtifact() | Nested Query | |
| Indicators | hasAttribute() | Nested Query | |
| Indicators | hasCase() | Nested Query | |
| Indicators | hasCustomAssociation() | Nested Query | |
| Indicators | hasGroup() | Nested Query | |
| Indicators | hasIndicator() | Nested Query | |
| Indicators | hasIntelRequirement() | Nested Query | |
| Indicators | hasSecurityLabel() | Nested Query | |
| Indicators | hasTag() | Nested Query | |
| Indicators | hasVictim() | Nested Query | |
| Indicators | hasVictimAsset() | Nested Query | |
| Indicators | hostDnsActive | Boolean | |
| Indicators | hostWhoisActive | Boolean | |
| Indicators | id | Integer | The ID number of an Indicator. This number can be found in the URL of the Indicator’s Details screen, between indicators/ and /overview. |
| Indicators | indicatorActive | Boolean | |
| Indicators | lastFalsePositive | Date | |
| Indicators | lastModified | Date | |
| Indicators | lastObserved | Date | |
| Indicators | lastSeen | Date | The date and time that the Indicator was last seen |
| Indicators | observationCount | Integer | |
| Indicators | owner | Integer | |
| Indicators | ownerName | String | |
| Indicators | rating | Integer | |
| Indicators | riskIqClassification | String | The classification from the RiskIQ® enrichment data. |
| Indicators | riskIqReputationScore | Integer | The reputation score from the RiskIQ enrichment data. |
| Indicators | securityLabel | String | |
| Indicators | source | String | |
| Indicators | summary | String | |
| Indicators | tag | String | Deprecated by nested query; equivalent to hasTag(summary="") |
| Indicators | tagOwner | Integer | Deprecated by nested query; equivalent to hasTag(owner=n) |
| Indicators | tagOwnerName | String | Deprecated by nested query; equivalent to hasTag(ownerName="") |
| Indicators | threatAssessScore | Integer | |
| Indicators | type | Integer | |
| Indicators | typeName | String | |
| Indicators | value1 | String | Used to search for Indicators that include multiple fields (e.g., File Indicators, Registry Key Indicators) |
| Indicators | value2 | String | Used to search for Indicators that include multiple fields (e.g., File Indicators, Registry Key Indicators) |
| Indicators | value3 | String | Used to search for Indicators that include multiple fields (e.g., File Indicators, Registry Key Indicators) |
| Indicators | vtLastUpdated | Date | The last date and time the Indicator was looked at with VirusTotal™ |
| Indicators | vtMaliciousCount | Integer | The number of malicious reports for an Indicator from VirusTotal (i.e., the VirusTotal score) |
| Intelligence Requirements | category | String | The category of an Intelligence Requirement (IR) |
| Intelligence Requirements | dateAdded | Date | The date and time an IR was added to ThreatConnect |
| Intelligence Requirements | hasAllTags() | Nested Query | A nested query that returns only IRs with all specified Tags applied to them. The query must be of the form hasAllTags(id=x) or hasAllTags(id IN (x,y)), where x and y represent Tag ID numbers. |
| Intelligence Requirements | hasArtifact() | Nested Query | A nested query for association to Artifacts |
| Intelligence Requirements | hasCase() | Nested Query | A nested query for association to Cases |
| Intelligence Requirements | hasGroup() | Nested Query | A nested query for association to Groups |
| Intelligence Requirements | hasIndicator() | Nested Query | A nested query for association to Indicators |
| Intelligence Requirements | hasTag() | Nested Query | A nested query for association to Tags |
| Intelligence Requirements | hasVictim() | Nested Query | A nested query for association to Victims |
| Intelligence Requirements | hasVictimAsset() | Nested Query | A nested query for association to Victim Assets |
| Intelligence Requirements | id | Integer | The ID number of an IR. This number can be found in the URL of the IR’s Details screen, between intel-requirements/ and /overview. |
| Intelligence Requirements | lastModified | Date | The “last modified” date for an IR |
| Intelligence Requirements | owner | Integer | The ID of an IR’s owner |
| Intelligence Requirements | ownerName | String | The name of an IR's owner |
| Intelligence Requirements | requirement | String | The summary of an IR |
| Intelligence Requirements | subtype | String | The subtype of an IR |
| Intelligence Requirements | tag | String | The name of a Tag applied to an IR |
| Intelligence Requirements | uniqueId | String | The unique ID of an IR. This is the number that was entered in the ID field when the IR was created. It is found at the upper left of the header of the IR’s Details screen, both next to the Browse link and above the IR’s summary. |
| Intelligence Requirement Results | archivedDate | Date | The date and time an IR query result was archived |
| Intelligence Requirement Results | hasIntelRequirement() | Nested Query | |
| Intelligence Requirement Results | id | Integer | The ID number of an IR query result |
| Intelligence Requirement Results | intelId | Integer | The ID number of a ThreatConnect object matching an IR query result |
| Intelligence Requirement Results | intelReqId | Integer | The ID number of an IR query result’s IR |
| Intelligence Requirement Results | intelType | String | The object type of an IR query result (e.g., Address, Host, Adversary, Campaign) |
| Intelligence Requirement Results | isArchived | Boolean | A flag indicating whether an IR query result has been archived |
| Intelligence Requirement Results | isAssociated | Boolean | A flag indicating whether an IR query result has been associated to an IR |
| Intelligence Requirement Results | isFalsePositive | Boolean | A flag indicating whether an IR query result has been flagged as a false positive |
| Intelligence Requirement Results | isLocal | Boolean | A flag indicating whether an IR query result exists in the owners to which you have access on your ThreatConnect instance |
| Intelligence Requirement Results | lastMatchedDate | Date | The date and time that an IR query result last matched the IR’s keyword query |
| Intelligence Requirement Results | owner | Integer | The ID number of an IR query result’s owner |
| Intelligence Requirement Results | ownerName | String | The name of an IR query result’s owner |
| Intelligence Requirement Results | score | Decimal | A weighted score indicating the relevancy of an IR query result Note As of ThreatConnect version 7.3.1, the score for an IR query result is not available in the ThreatConnect UI. It can be accessed only via TQL queries and the v3 API. This parameter can be used to target IR query results that have the most relevancy out of all available IR query results. |
| Intelligence Requirement Results | summary | String | The summary of an IR query result |
| Tags | active | Boolean | Read-only field that can be false for certain ATT&CK® Tags that become deprecated over time and will be excluded from places such as the ATT&CK Visualizer. The value of this parameter is true in all other cases. |
| Tags | associatedCase | Integer | Deprecated by nested query; equivalent to hasCase(id=n) |
| Tags | associatedGroup | Integer | Deprecated by nested query; equivalent to hasGroup(id=n) |
| Tags | associatedIndicator | Integer | Deprecated by nested query; equivalent to hasIndicator(id=n) |
| Tags | associatedVictim | Integer | Deprecated by nested query; equivalent to hasVictim(id=n) |
| Tags | caseId | Integer | |
| Tags | description | String | |
| Tags | hasCase() | Nested Query | |
| Tags | hasGroup() | Nested Query | |
| Tags | hasIndicator() | Nested Query | |
| Tags | hasVictim() | Nested Query | |
| Tags | id | Integer | The ID number of a Tag. This number can be found in the URL of the Tag’s Details screen, after tag.xhtml?tag=. |
| Tags | lastUsed | Date | |
| Tags | name | String | The name of the Tag (case sensitive) |
| Tags | normalized | Boolean | Read-only field that indicates if a Tag is defined as a main Tag within a Tag normalization rule. |
| Tags | owner | Integer | |
| Tags | ownerName | String | |
| Tags | summary | String | The name of the Tag (case insensitive) |
| Tags | techniqueId | String | The standard ID for specific MITRE ATT&CK® techniques and sub-techniques (e.g., T1234, T1234.001). The value of this parameter is null for all non-ATT&CK Tags. |
| Tracks | active | Boolean | |
| Tracks | associatedIndicator | Integer | Not deprecated, because Tracks are not part of the nested-query feature |
| Tracks | contains | String | |
| Tracks | dateAdded | Date | |
| Tracks | description | String | |
| Tracks | lastUpdated | Date | |
| Tracks | notContains | String | |
| Tracks | owner | Integer | |
| Tracks | ownerName | String | |
| Tracks | result | String | |
| Tracks | resultCount | Integer | |
| Tracks | resultDate | Date | |
| Tracks | summary | String | |
| Victim Assets | asset | String | |
| Victim Assets | associatedGroup | Integer | Deprecated by nested query; equivalent to hasGroup(id=n) |
| Victim Assets | hasGroup() | Nested Query | |
| Victim Assets | hasIndicator() | Nested Query | |
| Victim Assets | hasVictim() | Nested Query | |
| Victim Assets | hasVictimAsset() | Nested Query | |
| Victim Assets | id | Integer | |
| Victim Assets | owner | Integer | |
| Victim Assets | ownerName | String | |
| Victim Assets | summary | String | |
| Victim Assets | type | Integer | |
| Victim Assets | typeName | String | |
| Victim Assets | victimId | Integer | |
| Victim Assets | victimName | String | |
| Victims | assetName | String | Deprecated by nested query; equivalent to hasVictimAsset(summary="") |
| Victims | assetType | Integer | Deprecated by nested query; equivalent to hasVictimAsset(type=n) |
| Victims | assetTypeName | String | Deprecated by nested query; equivalent to hasVictimAsset(typeName="") |
| Victims | attributeNN | Dependent | See the “Query for Attributes” section of Constructing Query Expressions for more information. |
| Victims | description | String | |
| Victims | hasAllTags() | Nested Query | A nested query that returns only Victims with all specified Tags applied to them. The query must be of the form hasAllTags(id=x) or hasAllTags(id IN (x,y)), where x and y represent Tag ID numbers. |
| Victims | hasAttribute() | Nested Query | |
| Victims | hasGroup() | Nested Query | |
| Victims | hasIndicator() | Nested Query | |
| Victims | hasSecurityLabel() | Nested Query | |
| Victims | hasTag() | Nested Query | |
| Victims | hasVictim() | Nested Query | |
| Victims | hasVictimAsset() | Nested Query | |
| Victims | id | Integer | The ID number of a Victim. This number can be found in the URL of the Victim’s Details screen, after victim.xhtml?victim=. |
| Victims | name | String | |
| Victims | nationality | String | |
| Victims | organization | String | |
| Victims | owner | Integer | |
| Victims | ownerName | String | |
| Victims | securityLabel | String | |
| Victims | subOrg | String | |
| Victims | summary | String | Equivalent to name |
| Victims | tag | String | Deprecated by nested query; equivalent to hasTag(summary="") |
| Victims | tagOwner | Integer | Deprecated by nested query; equivalent to hasTag(owner=n) |
| Victims | tagOwnerName | String | Deprecated by nested query; equivalent to hasTag(ownerName="") |
| Victims | workLocation | String |
Workflow Parameters
Table 3 provides all of the Workflow-related TQL parameters, including their corresponding ThreatConnect Workflow type, data type, and a description.
Important
Workflow-related TQL parameters are available only in dashboard Query cards and the ThreatConnect v3 API. They are not available in the Browse screen.
Note
It is recommended to use ISO-8601-compliant formatting for TQL parameters with the Date data type.
| Workflow Type | Parameter | Data Type | Description |
|---|---|---|---|
| Artifact | analyticsScore | Integer | The ThreatAssess assessment level of the Artifact |
| Artifact | caseId | Integer | The ID number of a Case associated with an Artifact |
| Artifact | dateAdded | Date | The date and time at which an Artifact was added to ThreatConnect |
| Artifact | hasCase() | Nested Query | A nested query for association to other Cases |
| Artifact | hasGroup() | Nested Query | A nested query for association to other Groups |
| Artifact | hasIndicator() | Nested Query | A nested query for association to other Indicators |
| Artifact | hasNote() | Nested Query | A nested query for association to other Notes |
| Artifact | hasTask() | Nested Query | A nested query for association to other Tasks |
| Artifact | id | Integer | The ID number of an Artifact |
| Artifact | indicatorActive | Boolean | A flag indicating whether the Artifact is active |
| Artifact | noteId | Integer | The ID number of a Note associated with an Artifact |
| Artifact | source | String | The source of an Artifact |
| Artifact | summary | String | The summary of an Artifact |
| Artifact | taskId | Integer | The ID number of a Task associated with an Artifact |
| Artifact | type | String | The type name of an Artifact |
| Artifact | typeName | String | The type name of an Artifact |
| ArtifactType | active | Boolean | The active status of an Artifact type |
| ArtifactType | dataType | Enum | The data type of an Artifact type |
| ArtifactType | description | String | The description of an Artifact type |
| ArtifactType | id | Integer | The ID number of an Artifact type |
| ArtifactType | intelType | String | The intel type of an Artifact type |
| ArtifactType | managed | Boolean | The managed status of an Artifact type |
| ArtifactType | name | String | The name of an Artifact type |
| AttributeType | associatedType | String | The data type(s) for which an Attribute Type can be used |
| AttributeType | description | String | The description of an Attribute Type |
| AttributeType | id | Integer | The ID number of an Attribute Type |
| AttributeType | maxsize | Integer | The maximum size, in characters, of an Attribute Type’s value. |
| AttributeType | name | String | The name of an Attribute Type |
| AttributeType | owner | Integer | The ID number for the owner of an Attribute Type |
| AttributeType | ownerName | String | The name of the owner of an Attribute Type |
| AttributeType | system | Boolean | A flag designating whether to show System-level Attributes (TRUE) or owner-specific Attributes only (FALSE) |
| Case | assignedToUserOrGroup | Enum | The type of Case assignee (either User or Group) |
| Case | assigneeName | String | The name of the user or user group assigned to the Case |
| Case | attribute | String | An Attribute corresponding to a Case |
| Case | calScore | Integer | The CAL score of the Case (i.e., the highest CAL score among the Case’s Artifacts with a CAL score and an active Indicator Status set by CAL) |
| Case | caseCloseDate | Date | The date and time a Case was closed |
| Case | caseCloseTime | Date | The date and time a Case was closed |
| Case | caseCloseUser | User | The username of the user who closed a Case |
| Case | caseDetectionTime | Date | The date and time a security incident or threat (i.e., the event that caused a Case to be opened) was detected (e.g., by the security team) |
| Case | caseDetectionUser | User | The username of the user who logged a Case’s detection time |
| Case | caseOccurrenceTime | Date | The date and time a security incident or threat (i.e., the event that caused a Case to be opened) occurred |
| Case | caseOccurrenceUser | User | The username of the user who logged a Case’s occurrence time |
| Case | caseOpenDate | Date | The date and time a Case was opened |
| Case | caseOpenTime | Date | The date and time a Case was opened |
| Case | caseOpenUser | User | The username of the user who opened a Case |
| Case | createdBy | User | The username of the user who created a Case |
| Case | createdById | Integer | The user ID number of the user who created a Case |
| Case | dateAdded | Date | The date on which a Case was added to ThreatConnect |
| Case | description | String | The description of a Case |
| Case | hasAllTags() | Nested Query | A nested query that returns only Cases with all specified Tags applied to them. The query must be of the form hasAllTags(id=x) or hasAllTags(id IN (x,y)), where x and y represent Tag ID numbers. |
| Case | hasArtifact() | Nested Query | A nested query for association to Artifacts |
| Case | hasCase() | Nested Query | A nested query for association to other Cases |
| Case | hasGroup() | Nested Query | A nested query for association to other Groups |
| Case | hasIndicator() | Nested Query | A nested query for association to other Indicators |
| Case | hasNote() | Nested Query | A nested query for association to Notes |
| Case | hasTag() | Nested Query | A nested query for association to labels |
| Case | hasTask() | Nested Query | A nested query for association to Tasks |
| Case | hasWorkflowTemplate() | Nested Query | A nested query for association to Workflow Templates |
| Case | id | Integer | The ID number of a Case |
| Case | idAsString | String | The ID number of a Case as a String |
| Case | lastUpdated | Date | The date a Case was last updated |
| Case | missingArtifactCount | Integer | The number of required Artifacts that have not been collected for a Case’s Tasks |
| Case | name | String | The name of a Case Note If querying for Cases with a name that contains a backslash character (\), use a double backslash (\\) in the query to escape the single backslash. For more information, see the “Workflow-Related Queries” section of Constructing Query Expressions. |
| Case | owner | Integer | The ID number for the owner of a Case |
| Case | ownerName | String | The name of the owner of a Case |
| Case | resolution | String | The resolution of a Case |
| Case | severity | Enum | The severity of a Case |
| Case | status | Enum | The status of a Case |
| Case | tag | String | The name of a Tag applied to a Case |
| Case | targetId | Integer | The user or user group ID number for a Case assignee |
| Case | targetType | Enum | The target type for a Case (either User or Group) |
| Case | threatAssessScore | Integer | The ThreatAssess score of a Case (i.e., the highest ThreatAssess score among the Case’s Artifacts with a ThreatAssess score) |
| Case | typeName | String | The name of a Case |
| Case | xid | String | The XID of a Case |
| CaseAttribute | caseId | Integer | The ID number of a Case to which the Attribute is added |
| CaseAttribute | dateAdded | Date | The date on which the Attribute was added to the system |
| CaseAttribute | dateVal | Date | The date value of an Attribute (applies only to certain Attribute Types) |
| CaseAttribute | displayed | Boolean | A flag indicating whether the Attribute is displayed in a Case |
| CaseAttribute | hasCase() | Nested Query | A nested query for association to other Cases |
| CaseAttribute | id | Integer | The ID number of an Attribute |
| CaseAttribute | intVal | Integer | The integer value of an Attribute (applies only to certain Attribute Types) |
| CaseAttribute | lastModified | Date | The date when an Attribute was last modified |
| CaseAttribute | maxSize | Integer | The maximum length of an Attribute’s text |
| CaseAttribute | owner | Integer | The ID of the owner in which an Attribute exists |
| CaseAttribute | ownerName | String | The name of the owner in which an Attribute exists |
| CaseAttribute | shortText | String | The short text of an Attribute (applies only to certain Attribute Types) |
| CaseAttribute | source | String | An Attribute’s source |
| CaseAttribute | text | String | The text of an Attribute (applies only to certain Attribute Types) |
| CaseAttribute | type | Integer | The ID number of an Attribute’s Type |
| CaseAttribute | typeName | String | The name of an Attribute’s Type |
| CaseAttribute | user | String | The username of the user who created an Attribute |
| Note | artifactId | Integer | The ID number of an Artifact with which a Note is associated |
| Note | author | User | The account login of a user who wrote a Note |
| Note | caseId | Integer | The ID number of a Case with which a Note is associated |
| Note | data | String | The contents of a Note |
| Note | dateAdded | Date | The date on which a Note was written |
| Note | hasArtifact() | Nested Query | A nested query for association to Artifacts |
| Note | hasCase() | Nested Query | A nested query for association to Cases |
| Note | hasTask() | Nested Query | A nested query for association to Tasks |
| Note | id | Integer | The ID number of a Case |
| Note | lastModified | Date | The date on which a Note was last modified |
| Note | summary | String | Text of the first 100 characters of a Note |
| Note | taskId | Integer | The ID number of a Task with which a Note is associated |
| Note | workflowEventId | Integer | The ID number of a Workflow Timeline event with which a Note is associated |
| Task | assignedToUserOrGroup | Enum | The type of Task assignee (either User or Group) |
| Task | assigneeName | String | The name of the user or user group assigned to the Task |
| Task | automated | Boolean | A flag indicating whether a Task is automated |
| Task | caseId | Integer | The ID number of a Case with which a Task is associated |
| Task | caseIdAsString | String | The ID number of a Case as a String |
| Task | caseSeverity | Enum | The severity of a Case associated with a Task |
| Task | completedBy | User | The username of a user who completed a Task |
| Task | completedDate | Date | The completion date of a Task |
| Task | description | String | The description of a Task |
| Task | dueDate | Date | The due date of a Task |
| Task | hasArtifact() | Nested Query | A nested query for association to other Artifacts |
| Task | hasCase() | Nested Query | A nested query for association to other Cases |
| Task | hasNote() | Nested Query | A nested query for association to other Notes |
| Task | id | Integer | The ID number of a Task |
| Task | missingArtifactCount | Integer | The number of required Artifacts that have not been collected for a Task |
| Task | name | String | The name of a Task |
| Task | owner | Integer | The ID of the owner in which a Task exists |
| Task | ownerName | String | The name of the owner in which a Task exists |
| Task | required | Boolean | A flag indicating whether a Task is required or not |
| Task | status | Enum | The status of a Task |
| Task | targetId | Long | The user or user group ID number for a Task assignee |
| Task | targetType | Enum | The target type for a Task (either User or Group) |
| Task | workflowPhase | Integer | The Workflow Phase of a Task |
| Task | workflowStep | Integer | The Workflow step of a Task |
| Task | xid | String | The XID of a Task |
| WorkflowEvent | caseId | Integer | The ID number of a Case with which a Timeline Event is associated |
| WorkflowEvent | dateAdded | Date | The date on which a Timeline Event was added |
| WorkflowEvent | deleted | Boolean | The deletion status of a Timeline Event |
| WorkflowEvent | deletedReason | String | The reason a Timeline Event was deleted |
| WorkflowEvent | eventDate | Date | The date on which a Timeline Event occurred |
| WorkflowEvent | id | Integer | The ID number of a Timeline Event |
| WorkflowEvent | link | StringUpper | The item to which a Timeline Event pertains, in format <type>:<id> |
| WorkflowEvent | summary | String | The text of a Timeline Event |
| WorkflowEvent | systemGenerated | Boolean | Flag determining whether a Timeline Event was created automatically by the system |
| WorkflowEvent | userName | String | The username associated with a Timeline Event |
| WorkflowTemplate | active | Boolean | The active status of a Workflow Template |
| WorkflowTemplate | description | String | The description of a Workflow Template |
| WorkflowTemplate | id | Integer | The ID number of a Workflow Template |
| WorkflowTemplate | name | String | The name of a Workflow Template |
| WorkflowTemplate | owner | Integer | The ID of the owner in which a Workflow Template exists |
| WorkflowTemplate | ownerName | String | The name of the owner in which a Workflow Template exists |
| WorkflowTemplate | targetId | Integer | The user or user group ID for the default assignee for a Workflow Template |
| WorkflowTemplate | targetType | Enum | The target type for a Workflow Template (either User or Group) |
| WorkflowTemplate | version | Integer | The version of a Workflow Template |
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
DomainTools® is a registered trademark of DomainTools, LLC.
VirusTotal™ is a trademark of Google, Inc.
RiskIQ® is a registered trademark of Microsoft Corporation.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
20052-04 v.22.A
Was this article helpful?
