TQL Operators and Parameters
  • 31 Aug 2022

Operators

Table 1 provides a list of all ThreatConnect Query Language (TQL) operators in all of their acceptable forms.

 

Operators
=, ==, EQ, EQUALS
!=, NE
>, GT
<, LT
<=, LEQ
>=, GEQ
[NOT] IN
[NOT] LIKE
[NOT] CONTAINS
[NOT] STARTSWITH
[NOT] ENDSWITH

General Parameters

Table 2 provides all of the general TQL parameters, including their corresponding ThreatConnect object type and data type.

 

| Object Type | Parameter | Data Type | Comments |
|---|---|---|---|
| Groups | associatedIndicator | Integer | Deprecated by nested query; equivalent to hasIndicator(id=n) |
| Groups | attributeNN | Dependent | See the “Query for Attributes” section for more information. |
| Groups | createdBy | User | Any username in the user’s Organization (e.g., createdBy = "joeuser@gmail.com") |
| Groups | dateAdded | Date | |
| Groups | documentDateAdded | Date | |
| Groups | documentFilename | String | |
| Groups | documentFilesize | Long | |
| Groups | documentStatus | String | |
| Groups | documentType | String | |
| Groups | downvoteCount | Integer | |
| Groups | emailDate | Date | |
| Groups | emailFrom | String | |
| Groups | emailScore | Integer | |
| Groups | emailScoreIncludesBody | Boolean | |
| Groups | emailSubject | String | |
| Groups | eventDate | Date | |
| Groups | hasArtifact() | Nested Query | |
| Groups | hasAttribute() | Nested Query | |
| Groups | hasCase() | Nested Query | |
| Groups | hasGroup() | Nested Query | |
| Groups | hasIndicator() | Nested Query | |
| Groups | hasSecurityLabel() | Nested Query | |
| Groups | hasTag() | Nested Query | |
| Groups | hasVictim() | Nested Query | |
| Groups | hasVictimAsset() | Nested Query | |
| Groups | id | Integer | |
| Groups | lastModified | DateTime | |
| Groups | owner | Integer | |
| Groups | ownerName | String | |
| Groups | securityLabel | String | |
| Groups | signatureDateAdded | Date | |
| Groups | signatureFilename | String | |
| Groups | signatureType | String | |
| Groups | status | String | |
| Groups | summary | String | |
| Groups | tag | String | Deprecated by nested query; equivalent to hasTag(summary="") |
| Groups | tagOwner | Integer | Deprecated by nested query; equivalent to hasTag(owner=n) |
| Groups | tagOwnerName | String | Deprecated by nested query; equivalent to hasTag(ownerName="") |
| Groups | taskAssignee | User | me is the only valid value |
| Groups | taskAssigneePseudo | User | |
| Groups | taskDateAdded | Date | |
| Groups | taskDueDate | Date | |
| Groups | taskEscalated | Boolean | |
| Groups | taskEscalationDate | Date | |
| Groups | taskLastModified | Date | |
| Groups | taskOverdue | Boolean | |
| Groups | taskReminded | Boolean | |
| Groups | taskReminderDate | Date | |
| Groups | taskStatus | String | |
| Groups | type | Integer | |
| Groups | typeName | String | |
| Groups | upvoteCount | Integer | |
| Groups | victimAsset | String | Deprecated by nested query; equivalent to hasVictimAsset(name="") |
| Indicators | activeLocked | Boolean | |
| Indicators | addressASN | Integer | |
| Indicators | addressCIDR | CIDR Expression | |
| Indicators | addressCity | String | |
| Indicators | addressCountryCode | String | |
| Indicators | addressCountryName | String | |
| Indicators | addressIpVal | BigInteger | |
| Indicators | addressIsIpv6 | Boolean | |
| Indicators | addressRegisteringOrg | String | |
| Indicators | addressState | String | |
| Indicators | addressTimezone | String | |
| Indicators | associatedGroup | Integer | Deprecated by nested query; equivalent to hasGroup(id=n) |
| Indicators | attributeNN | Dependent | See the “Query for Attributes” section for more information. |
| Indicators | confidence | Integer | |
| Indicators | dateAdded | DateTime | Accepted formats: yyyy-MM-dd HH:mm; yyyy-MM-dd; MM-dd-yyyy |
| Indicators | description | String | |
| Indicators | falsePositiveCount | String | |
| Indicators | fileSize | BigInteger | |
| Indicators | hasArtifact() | Nested Query | |
| Indicators | hasAttribute() | Nested Query | |
| Indicators | hasCase() | Nested Query | |
| Indicators | hasGroup() | Nested Query | |
| Indicators | hasIndicator() | Nested Query | |
| Indicators | hasSecurityLabel() | Nested Query | |
| Indicators | hasTag() | Nested Query | |
| Indicators | hasVictim() | Nested Query | |
| Indicators | hasVictimAsset() | Nested Query | |
| Indicators | hostDnsActive | Boolean | |
| Indicators | hostWhoisActive | Boolean | |
| Indicators | id | Integer | |
| Indicators | indicatorActive | Boolean | |
| Indicators | lastFalsePositive | Date | |
| Indicators | lastModified | DateTime | |
| Indicators | lastObserved | DateTime | |
| Indicators | observationCount | Integer | |
| Indicators | owner | Integer | |
| Indicators | ownerName | String | |
| Indicators | rating | Integer | |
| Indicators | securityLabel | String | |
| Indicators | source | String | |
| Indicators | summary | String | |
| Indicators | tag | String | Deprecated by nested query; equivalent to hasTag(summary="") |
| Indicators | tagOwner | Integer | Deprecated by nested query; equivalent to hasTag(owner=n) |
| Indicators | tagOwnerName | String | Deprecated by nested query; equivalent to hasTag(ownerName="") |
| Indicators | threatAssessScore | Integer | |
| Indicators | type | Integer | |
| Indicators | typeName | String | |
| Indicators | value1 | String | Used to search for Indicators that include multiple fields (e.g., File Indicators, Registry Key Indicators) |
| Indicators | value2 | String | Used to search for Indicators that include multiple fields (e.g., File Indicators, Registry Key Indicators) |
| Indicators | value3 | String | Used to search for Indicators that include multiple fields (e.g., File Indicators, Registry Key Indicators) |
| Tags | associatedCase | Integer | Deprecated by nested query; equivalent to hasCase(id=n) |
| Tags | associatedGroup | Integer | Deprecated by nested query; equivalent to hasGroup(id=n) |
| Tags | associatedIndicator | Integer | Deprecated by nested query; equivalent to hasIndicator(id=n) |
| Tags | associatedVictim | Integer | Deprecated by nested query; equivalent to hasVictim(id=n) |
| Tags | caseId | Integer | |
| Tags | description | String | |
| Tags | hasCase() | Nested Query | |
| Tags | hasGroup() | Nested Query | |
| Tags | hasIndicator() | Nested Query | |
| Tags | hasVictim() | Nested Query | |
| Tags | id | Integer | |
| Tags | lastUsed | Date | |
| Tags | name | String | |
| Tags | owner | Integer | |
| Tags | ownerName | String | |
| Tags | summary | String | |
| Tracks | active | Boolean | |
| Tracks | associatedIndicator | Integer | Not deprecated, because Tracks are not part of the nested-query feature |
| Tracks | contains | String | |
| Tracks | dateAdded | Date | |
| Tracks | description | String | |
| Tracks | lastUpdated | Date | |
| Tracks | notContains | String | |
| Tracks | owner | Integer | |
| Tracks | ownerName | String | |
| Tracks | result | String | |
| Tracks | resultCount | Integer | |
| Tracks | resultDate | Date | |
| Tracks | summary | String | |
| Victim Assets | asset | String | |
| Victim Assets | associatedGroup | Integer | Deprecated by nested query; equivalent to hasGroup(id=n) |
| Victim Assets | hasGroup() | Nested Query | |
| Victim Assets | hasIndicator() | Nested Query | |
| Victim Assets | hasVictim() | Nested Query | |
| Victim Assets | hasVictimAsset() | Nested Query | |
| Victim Assets | id | Integer | |
| Victim Assets | owner | Integer | |
| Victim Assets | ownerName | String | |
| Victim Assets | summary | String | |
| Victim Assets | type | Integer | |
| Victim Assets | typeName | String | |
| Victim Assets | victimId | Integer | |
| Victim Assets | victimName | String | |
| Victims | assetName | String | Deprecated by nested query; equivalent to hasVictimAsset(summary="") |
| Victims | assetType | Integer | Deprecated by nested query; equivalent to hasVictimAsset(type=n) |
| Victims | assetTypeName | String | Deprecated by nested query; equivalent to hasVictimAsset(typeName="") |
| Victims | attributeNN | Dependent | See the “Query for Attributes” section for more information. |
| Victims | description | String | |
| Victims | hasAttribute() | Nested Query | |
| Victims | hasGroup() | Nested Query | |
| Victims | hasIndicator() | Nested Query | |
| Victims | hasSecurityLabel() | Nested Query | |
| Victims | hasTag() | Nested Query | |
| Victims | hasVictim() | Nested Query | |
| Victims | hasVictimAsset() | Nested Query | |
| Victims | id | Integer | |
| Victims | name | String | |
| Victims | nationality | String | |
| Victims | organization | String | |
| Victims | owner | Integer | |
| Victims | ownerName | String | |
| Victims | securityLabel | String | |
| Victims | subOrg | String | |
| Victims | summary | String | Equivalent to name |
| Victims | tag | String | Deprecated by nested query; equivalent to hasTag(summary="") |
| Victims | tagOwner | Integer | Deprecated by nested query; equivalent to hasTag(owner=n) |
| Victims | tagOwnerName | String | Deprecated by nested query; equivalent to hasTag(ownerName="") |
| Victims | workLocation | String | |

Workflow Parameters

Table 3 provides all of the Workflow-related TQL parameters, including their corresponding ThreatConnect Workflow type, data type, and a description.

Important
Workflow-related TQL parameters are available only in dashboard Query cards and the ThreatConnect v3 API. They are not available in the Browse screen.

 

| Workflow Type | Parameter | Data Type | Description |
|---|---|---|---|
| Artifact | analyticsScore | Integer | The ThreatAssess assessment level of the Artifact |
| Artifact | caseId | Integer | The ID number of a Case associated with an Artifact |
| Artifact | dateAdded | DateTime | The date and time at which an Artifact was added to ThreatConnect |
| Artifact | hasCase() | Nested Query | A nested query for association to other Cases |
| Artifact | hasGroup() | Nested Query | A nested query for association to other Groups |
| Artifact | hasIndicator() | Nested Query | A nested query for association to other Indicators |
| Artifact | hasNote() | Nested Query | A nested query for association to other Notes |
| Artifact | hasTask() | Nested Query | A nested query for association to other Tasks |
| Artifact | id | Integer | The ID number of an Artifact |
| Artifact | indicatorActive | Boolean | A flag indicating whether the Artifact is active |
| Artifact | noteId | Integer | The ID number of a Note associated with an Artifact |
| Artifact | source | String | The source of an Artifact |
| Artifact | summary | String | The summary of an Artifact |
| Artifact | taskId | Integer | The ID number of a Task associated with an Artifact |
| Artifact | type | String | The type name of an Artifact |
| Artifact | typeName | String | The type name of an Artifact |
| ArtifactType | active | Boolean | The active status of an Artifact type |
| ArtifactType | dataType | Enum | The data type of an Artifact type |
| ArtifactType | description | String | The description of an Artifact type |
| ArtifactType | id | Integer | The ID number of an Artifact type |
| ArtifactType | intelType | String | The intel type of an Artifact type |
| ArtifactType | managed | Boolean | The managed status of an Artifact type |
| ArtifactType | name | String | The name of an Artifact type |
| AttributeType | associatedType | String | The data type(s) for which an Attribute Type can be used |
| AttributeType | description | String | The description of an Attribute Type |
| AttributeType | id | Integer | The ID number of an Attribute Type |
| AttributeType | maxsize | Integer | The maximum size, in characters, of an Attribute Type’s value. |
| AttributeType | name | String | The name of an Attribute Type |
| AttributeType | owner | Integer | The ID number for the owner of an Attribute Type |
| AttributeType | ownerName | String | The name of the owner of an Attribute Type |
| AttributeType | system | Boolean | A flag designating whether to show System-level Attributes (TRUE) or owner-specific Attributes only (FALSE) |
| Case | assignedToUserOrGroup | Enum | The type of Case assignee (either User or Group) |
| Case | assigneeName | String | The name of the user or user group assigned to the Case |
| Case | attribute | String | An Attribute corresponding to a Case |
| Case | caseCloseTime | DateTime | The date and time a Case was closed |
| Case | caseCloseUser | User | The username of the user who closed a Case |
| Case | caseDetectionTime | DateTime | The date and time a security incident or threat (i.e., the event that caused a Case to be opened) was detected (e.g., by the security team) |
| Case | caseDetectionUser | User | The username of the user who logged a Case’s detection time |
| Case | caseOccurrenceTime | DateTime | The date and time a security incident or threat (i.e., the event that caused a Case to be opened) occurred |
| Case | caseOccurrenceUser | User | The username of the user who logged a Case’s occurrence time |
| Case | caseOpenTime | DateTime | The date and time a Case was opened |
| Case | caseOpenUser | User | The username of the user who opened a Case |
| Case | createdBy | User | The username of the user who created a Case |
| Case | createdById | Integer | The user ID number of the user who created a Case |
| Case | dateAdded | DateTime | The date on which a Case was added to ThreatConnect |
| Case | description | String | The description of a Case |
| Case | hasArtifact | Nested Query | A nested query for association to Artifacts |
| Case | hasCase() | Nested Query | A nested query for association to other Cases |
| Case | hasGroup() | Nested Query | A nested query for association to other Groups |
| Case | hasIndicator() | Nested Query | A nested query for association to other Indicators |
| Case | hasNote() | Nested Query | A nested query for association to Notes |
| Case | hasTag() | Nested Query | A nested query for association to labels |
| Case | hasTask() | Nested Query | A nested query for association to Tasks |
| Case | hasWorkflowTemplate() | Nested Query | A nested query for association to Workflow Templates |
| Case | id | Integer | The ID number of a Case |
| Case | idAsString | String | The ID number of a Case as a String |
| Case | name | String | The name of a Case |
| Case | owner | Integer | The ID number for the owner of a Case |
| Case | ownerName | String | The name of the owner of a Case |
| Case | resolution | String | The resolution of a Case |
| Case | severity | Enum | The severity of a Case |
| Case | status | Enum | The status of a Case |
| Case | tag | String | The name of a Tag applied to a Case |
| Case | targetId | Integer | The user or user group ID number for a Case assignee |
| Case | targetType | Enum | The target type for a Case (either User or Group) |
| Case | typeName | String | The name of a Case |
| Case | xid | String | The XID of a Case |
| CaseAttribute | caseId | Integer | The ID number of a Case to which the Attribute is added |
| CaseAttribute | dateAdded | DateTime | The date on which the Attribute was added to the system |
| CaseAttribute | dateVal | DateTime | The date value of an Attribute (only applies to certain Attribute Types) |
| CaseAttribute | displayed | Boolean | A flag indicating whether the Attribute is displayed in a Case |
| CaseAttribute | hasCase() | Nested Query | A nested query for association to other Cases |
| CaseAttribute | id | Integer | The ID number of an Attribute |
| CaseAttribute | intVal | Integer | The integer value of an Attribute (only applies to certain Attribute Types) |
| CaseAttribute | lastModified | DateTime | The date when an Attribute was last modified |
| CaseAttribute | maxSize | Integer | The maximum length of an Attribute’s text |
| CaseAttribute | owner | Integer | The ID of the owner in which an Attribute exists |
| CaseAttribute | ownerName | String | The name of the owner in which an Attribute exists |
| CaseAttribute | source | String | An Attribute’s source |
| CaseAttribute | text | String | The text of an Attribute (only applies to certain Attribute Types) |
| CaseAttribute | type | Integer | The ID number of an Attribute’s Type |
| CaseAttribute | typeName | String | The name of an Attribute’s Type |
| CaseAttribute | user | String | The username of the user who created an Attribute |
| Note | artifactId | Integer | The ID number of an Artifact with which a Note is associated |
| Note | author | User | The account login of a user who wrote a Note |
| Note | caseId | Integer | The ID number of a Case with which a Note is associated |
| Note | dateAdded | DateTime | The date on which a Note was written |
| Note | hasArtifact() | Nested Query | A nested query for association to Artifacts |
| Note | hasCase() | Nested Query | A nested query for association to Cases |
| Note | hasTask() | Nested Query | A nested query for association to Tasks |
| Note | id | Integer | The ID number of a Case |
| Note | lastModified | DateTime | The date on which a Note was last modified |
| Note | summary | String | Text of the first 100 characters of a Note |
| Note | taskId | Integer | The ID number of a Task with which a Note is associated |
| Note | workflowEventId | Integer | The ID number of a Workflow Timeline event with which a Note is associated |
| Task | assignedToUserOrGroup | Enum | The type of Task assignee (either User or Group) |
| Task | assigneeName | String | The name of the user or user group assigned to the Task |
| Task | automated | Boolean | A flag indicating whether a Task is automated |
| Task | caseId | Integer | The ID number of a Case with which a Task is associated |
| Task | caseIdAsString | String | The ID number of a Case as a String |
| Task | caseSeverity | Enum | The severity of a Case associated with a Task |
| Task | completedBy | User | The username of a user who completed a Task |
| Task | completedDate | Date | The completion date of a Task |
| Task | description | String | The description of a Task |
| Task | dueDate | Date | The due date of a Task |
| Task | hasArtifact() | Nested Query | A nested query for association to other Artifacts |
| Task | hasCase() | Nested Query | A nested query for association to other Cases |
| Task | hasNote() | Nested Query | A nested query for association to other Notes |
| Task | id | Integer | The ID number of a Task |
| Task | name | String | The name of a Task |
| Task | owner | Integer | The ID of the owner in which a Task exists |
| Task | ownerName | String | The name of the owner in which a Task exists |
| Task | required | Boolean | A flag indicating whether a Task is required or not |
| Task | status | Enum | The status of a Task |
| Task | targetId | Long | The user or user group ID number for a Task assignee |
| Task | targetType | Enum | The target type for a Task (either User or Group) |
| Task | workflowPhase | Integer | The Workflow Phase of a Task |
| Task | workflowStep | Integer | The Workflow step of a Task |
| Task | xid | String | The XID of a Task |
| WorkflowEvent | caseId | Integer | The ID number of a Case with which a Timeline event is associated |
| WorkflowEvent | dateAdded | DateTime | The date on which a Timeline event was added |
| WorkflowEvent | deleted | Boolean | The deletion status of a Timeline event |
| WorkflowEvent | deletedReason | String | The reason a Timeline event was deleted |
| WorkflowEvent | eventDate | DateTime | The date on which a Timeline event occurred |
| WorkflowEvent | id | Integer | The ID number of a Timeline event |
| WorkflowEvent | link | StringUpper | The item to which a Timeline event pertains, in format <type>:<id> |
| WorkflowEvent | summary | String | Text of a Timeline event |
| WorkflowEvent | systemGenerated | Boolean | Flag determining whether a Timeline event was created automatically by the system |
| WorkflowEvent | userName | String | The username associated with a Timeline event |
| WorkflowTemplate | active | Boolean | The active status of a Workflow Template |
| WorkflowTemplate | description | String | The description of a Workflow Template |
| WorkflowTemplate | id | Integer | The ID number of a Workflow Template |
| WorkflowTemplate | name | String | The name of a Workflow Template |
| WorkflowTemplate | owner | Integer | The ID of the owner in which a Workflow Template exists |
| WorkflowTemplate | ownerName | String | The name of the owner in which a Workflow Template exists |
| WorkflowTemplate | targetId | Integer | The user or user group ID for the default assignee for a Workflow Template |
| WorkflowTemplate | targetType | Enum | The target type for a Workflow Template (either User or Group) |
| WorkflowTemplate | version | Integer | The version of a Workflow Template |

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20052-04 v.17.A

