TQL Operators and Parameters
- 01 Oct 2024
- 16 Minutes to read
-
Print
-
DarkLight
TQL Operators and Parameters
- Updated on 01 Oct 2024
- 16 Minutes to read
-
Print
-
DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback!
Overview
A ThreatConnect® Query Language (TQL) query expression includes a parameter name, an operator, and a value or list of values, and you can combine multiple query expressions using parentheses and AND/OR logic. This article provides a list of all TQL operators and parameters available in ThreatConnect.
Operators
Table 1 describes all of the ThreatConnect Query Language (TQL) operators in all of their acceptable forms.
Note
Operators are case insensitive.
| Operator(s) | Description | Example |
|---|---|---|
| =, ==, EQ, EQUALS | Returns objects that equal the specified value. | typeName = "Adversary" |
| !=, NE | Returns objects that do not equal the specified value. | typeName != "Adversary" |
| >, GT | Returns objects that are greater than the specified value. | dateAdded > "2023-12-31" |
| <, LT | Returns objects that are less than the specified value. | dateAdded < "2023-12-31" |
| <=, LEQ | Returns objects that are less than or equal to the specified value. | dateAdded <= "2023-12-31" |
| >=, GEQ | Returns objects that are greater than or equal to the specified value. | dateAdded >= "2023-12-31" |
| IN | Returns objects that match any value in a list of values. | typeName IN ("Host", "URL") |
| LIKE | Returns objects that match an exact term or a pattern. Use the percent symbol (%) as a wildcard to represent zero, one, or multiple characters in a pattern. | typeName LIKE ("Email%") |
| CONTAINS | Returns objects that contain the specified value. | summary CONTAINS "bad" |
| STARTSWITH | Returns objects that start with the specified value. | summary STARTSWITH "CVE-" |
| ENDSWITH | Returns objects that end with the specified value. | summary ENDSWITH ".com" |
| NOT | Negates the IN, LIKE, CONTAINS, STARTSWITH, or ENDSWITH operator or a nested query in an expression. Place NOT before the operator or nested query to be negated. | summary NOT CONTAINS "bad" |
| AND | Logical and that returns objects for which all conditions in the expression are true. | typeName = "Host" AND dateAdded >= "2023-12-31" |
| OR | Logical or that returns objects for which any condition in the expression is true. | typeName = "Host" OR dateAdded >= "2023-12-31" |
Parameters
Threat Intelligence Parameters
The following subsections describe all of the TQL parameters available for threat intelligence data objects in ThreatConnect.
Note
It is recommended to use ISO-8601-compliant formatting for TQL parameters with the Date data type.
Groups
Table 2 provides all of the TQL parameters available for Groups.
| Object Type | Parameter | Data Type | Comments |
|---|---|---|---|
| Groups | associatedGroupSource | String | Acceptable values:
|
| Groups | associatedIndicator | Integer | Deprecated by nested query; equivalent to hasIndicator(id=n) |
| Groups | associatedIndicatorSource | String | Acceptable values:
|
| Groups | attributeNN | Dependent | See the “Query for Attributes” section of Constructing Query Expressions for more information. |
| Groups | createdBy | User | Any username in the user’s Organization (e.g., createdBy = "joeuser@gmail.com") |
| Groups | dateAdded | Date | |
| Groups | documentDateAdded | Date | |
| Groups | documentFilename | String | |
| Groups | documentFilesize | Long | |
| Groups | documentStatus | String | |
| Groups | documentType | String | |
| Groups | downvoteCount | Integer | |
| Groups | emailDate | Date | |
| Groups | emailFrom | String | |
| Groups | emailScore | Integer | |
| Groups | emailScoreIncludesBody | Boolean | |
| Groups | emailSubject | String | |
| Groups | eventDate | Date | |
| Groups | eventType | Enum | The type of event that an Event Group represents. Acceptable values:
|
| Groups | externalDateAdded | Date | The date that the Group was first created externally |
| Groups | externalDateExpires | Date | The date that the Group was last modified externally |
| Groups | externalLastModified | Date | The date that the Group expires externally |
| Groups | firstSeen | Date | The date that the Group was first seen |
| Groups | generatedReport | Boolean | Returns Report Groups that were created using the Publish Report feature in the Report Editor |
| Groups | hasAllTags() | Nested Query | A nested query that returns only Groups with all specified Tags applied to them. The query must be of the form hasAllTags(id=x) or hasAllTags(id IN (x,y)), where x and y represent Tag ID numbers. |
| Groups | hasArtifact() | Nested Query | |
| Groups | hasAttribute() | Nested Query | |
| Groups | hasCase() | Nested Query | |
| Groups | hasGroup() | Nested Query | |
| Groups | hasIndicator() | Nested Query | |
| Groups | hasIntelQuery() | Nested Query | |
| Groups | hasIntelRequirement() | Nested Query | |
| Groups | hasSecurityLabel() | Nested Query | |
| Groups | hasTag() | Nested Query | |
| Groups | hasVictim() | Nested Query | |
| Groups | hasVictimAsset() | Nested Query | |
| Groups | id | Integer | The ID number of a Group. This number can be found in the URL of the Group’s Details screen, between groups/ and /overview. |
| Groups | insights | String | The AI-generated summary of a Report Group Note As of ThreatConnect 7.4, AI-generated summaries are available only for Report Groups in CAL™ Automated Threat Library (ATL). |
| Groups | lastModified | Date | |
| Groups | lastSeen | Date | The date that the Group was last seen |
| Groups | owner | Integer | |
| Groups | ownerName | String | |
| Groups | securityLabel | String | |
| Groups | signatureDateAdded | Date | |
| Groups | signatureFilename | String | |
| Groups | signatureType | String | |
| Groups | status | String | |
| Groups | summary | String | |
| Groups | tag | String | Deprecated by nested query; equivalent to hasTag(summary="") |
| Groups | tagOwner | Integer | Deprecated by nested query; equivalent to hasTag(owner=n) |
| Groups | tagOwnerName | String | Deprecated by nested query; equivalent to hasTag(ownerName="") |
| Groups | taskAssignee | User | me is the only valid value |
| Groups | taskAssigneePseudo | User | |
| Groups | taskDateAdded | Date | |
| Groups | taskDueDate | Date | |
| Groups | taskEscalated | Boolean | |
| Groups | taskEscalationDate | Date | |
| Groups | taskLastModified | Date | |
| Groups | taskOverdue | Boolean | |
| Groups | taskReminded | Boolean | |
| Groups | taskReminderDate | Date | |
| Groups | taskStatus | String | |
| Groups | type | Integer | |
| Groups | typeName | String | |
| Groups | upvoteCount | Integer | |
| Groups | victimAsset | String | Deprecated by nested query; equivalent to hasVictimAsset(name="") |
Indicators
Table 3 provides all of the TQL parameters available for Indicators.
| Object Type | Parameter | Data Type | Comments |
|---|---|---|---|
| Indicators | activeLocked | Boolean | |
| Indicators | addressASN | Integer | |
| Indicators | addressCIDR | CIDR Expression | |
| Indicators | addressCity | String | |
| Indicators | addressCountryCode | String | |
| Indicators | addressCountryName | String | |
| Indicators | addressIpVal | BigInteger | |
| Indicators | addressIsIpv6 | Boolean | |
| Indicators | addressRegisteringOrg | String | |
| Indicators | addressState | String | |
| Indicators | addressTimezone | String | |
| Indicators | associatedGroup | Integer | Deprecated by nested query; equivalent to hasGroup(id=n) |
| Indicators | associatedGroupSource | String | Acceptable values:
|
| Indicators | associatedIndicatorSource | String | Acceptable values:
|
| Indicators | attributeNN | Dependent | See the “Query for Attributes” section of Constructing Query Expressions for more information. |
| Indicators | confidence | Integer | |
| Indicators | dateAdded | Date | Acceptable formats:
|
| Indicators | description | String | |
| Indicators | dtLastUpdated | Date | The last date and time the Indicator was looked at with DomainTools® |
| Indicators | dtMalwareScore | Integer | The malware score for the Indicator in DomainTools |
| Indicators | dtOverallScore | Integer | The overall score for the Indicator in DomainTools |
| Indicators | dtPhishingScore | Integer | The phishing score for the Indicator in DomainTools |
| Indicators | dtSpamScore | Integer | The spam score for the Indicator in DomainTools |
| Indicators | dtStatus | Boolean | The domain status for the Indicator in DomainTools |
| Indicators | externalDateAdded | Date | The date and time that the Indicator was first created externally |
| Indicators | externalDateExpires | Date | The date and time the Indicator expires externally |
| Indicators | externalLastModified | Date | The date and time that the Indicator was last modified externally |
| Indicators | falsePositiveCount | String | |
| Indicators | fileName | String | |
| Indicators | filePath | String | |
| Indicators | fileSize | BigInteger | |
| Indicators | firstSeen | Date | The date and time that the Indicator was first seen |
| Indicators | hasAllTags() | Nested Query | A nested query that returns only Indicators with all specified Tags applied to them. The query must be of the form hasAllTags(id=x) or hasAllTags(id IN (x,y)), where x and y represent Tag ID numbers. |
| Indicators | hasArtifact() | Nested Query | |
| Indicators | hasAttribute() | Nested Query | |
| Indicators | hasCase() | Nested Query | |
| Indicators | hasCustomAssociation() | Nested Query | |
| Indicators | hasGroup() | Nested Query | |
| Indicators | hasIndicator() | Nested Query | |
| Indicators | hasIntelRequirement() | Nested Query | |
| Indicators | hasSecurityLabel() | Nested Query | |
| Indicators | hasTag() | Nested Query | |
| Indicators | hasVictim() | Nested Query | |
| Indicators | hasVictimAsset() | Nested Query | |
| Indicators | hostDnsActive | Boolean | |
| Indicators | hostWhoisActive | Boolean | |
| Indicators | id | Integer | The ID number of an Indicator. This number can be found in the URL of the Indicator’s Details screen, between indicators/ and /overview. |
| Indicators | indicatorActive | Boolean | |
| Indicators | lastFalsePositive | Date | |
| Indicators | lastModified | Date | |
| Indicators | lastObserved | Date | |
| Indicators | lastSeen | Date | The date and time that the Indicator was last seen |
| Indicators | observationCount | Integer | |
| Indicators | owner | Integer | |
| Indicators | ownerName | String | |
| Indicators | rating | Integer | |
| Indicators | riskIqClassification | String | The classification from the RiskIQ® enrichment data. |
| Indicators | riskIqReputationScore | Integer | The reputation score from the RiskIQ enrichment data. |
| Indicators | securityLabel | String | |
| Indicators | source | String | |
| Indicators | summary | String | |
| Indicators | tag | String | Deprecated by nested query; equivalent to hasTag(summary="") |
| Indicators | tagOwner | Integer | Deprecated by nested query; equivalent to hasTag(owner=n) |
| Indicators | tagOwnerName | String | Deprecated by nested query; equivalent to hasTag(ownerName="") |
| Indicators | threatAssessScore | Integer | |
| Indicators | type | Integer | |
| Indicators | typeName | String | |
| Indicators | value1 | String | Used to search for Indicators that include multiple fields (e.g., File Indicators, Registry Key Indicators) |
| Indicators | value2 | String | Used to search for Indicators that include multiple fields (e.g., File Indicators, Registry Key Indicators) |
| Indicators | value3 | String | Used to search for Indicators that include multiple fields (e.g., File Indicators, Registry Key Indicators) |
| Indicators | vtLastUpdated | Date | The last date and time the Indicator was looked at with VirusTotal™ |
| Indicators | vtMaliciousCount | Integer | The number of malicious reports for an Indicator from VirusTotal (i.e., the VirusTotal score) |
Intelligence Requirements
Table 4 provides all of the TQL parameters available for Intelligence Requirements (IRs).
| Object Type | Parameter | Data Type | Comments |
|---|---|---|---|
| Intelligence Requirements | category | String | The category of an IR |
| Intelligence Requirements | dateAdded | Date | The date and time an IR was added to ThreatConnect |
| Intelligence Requirements | hasArtifact() | Nested Query | A nested query for association to Artifacts |
| Intelligence Requirements | hasCase() | Nested Query | A nested query for association to Cases |
| Intelligence Requirements | hasGroup() | Nested Query | A nested query for association to Groups |
| Intelligence Requirements | hasIndicator() | Nested Query | A nested query for association to Indicators |
| Intelligence Requirements | hasTag() | Nested Query | A nested query for association to Tags |
| Intelligence Requirements | hasVictim() | Nested Query | A nested query for association to Victims |
| Intelligence Requirements | hasVictimAsset() | Nested Query | A nested query for association to Victim Assets |
| Intelligence Requirements | id | Integer | The ID number of an IR. This number can be found in the URL of the IR’s Details screen, between intel-requirements/ and /overview. |
| Intelligence Requirements | lastModified | Date | The last modified date for an IR |
| Intelligence Requirements | owner | Integer | The ID of an IR’s owner |
| Intelligence Requirements | ownerName | String | The name of an IR's owner |
| Intelligence Requirements | requirement | String | The summary of an IR |
| Intelligence Requirements | subtype | String | The subtype of an IR |
| Intelligence Requirements | tag | String | The name of a Tag applied to an IR |
| Intelligence Requirements | uniqueId | String | The unique ID of an IR. This is the number that was entered in the ID field when the IR was created. It is found at the upper left of the header of the IR’s Details screen, both next to the Browse link and above the IR’s summary. |
Intelligence Requirement Results
Table 5 provides all of the TQL parameters available for Intelligence Requirement (IR) results.
| Object Type | Parameter | Data Type | Comments |
|---|---|---|---|
| Intelligence Requirement Results | archivedDate | Date | The date and time an IR query result was archived |
| Intelligence Requirement Results | dateAdded | Date | The date and time the ThreatConnect object to which an IR query result corresponds was created |
| Intelligence Requirement Results | hasIntelRequirement() | Nested Query | |
| Intelligence Requirement Results | id | Integer | The ID number of an IR query result |
| Intelligence Requirement Results | intelId | Integer | The ID number of the ThreatConnect object to which an IR query result corresponds |
| Intelligence Requirement Results | intelReqId | Integer | The ID number of the IR to which an IR query result corresponds |
| Intelligence Requirement Results | intelType | String | The type of ThreatConnect object to which an IR query result corresponds (e.g., Address, Host, Adversary, Campaign) |
| Intelligence Requirement Results | isArchived | Boolean | A flag indicating whether an IR query result has been archived |
| Intelligence Requirement Results | isAssociated | Boolean | A flag indicating whether an IR query result has been associated to an IR |
| Intelligence Requirement Results | isFalsePositive | Boolean | A flag indicating whether an IR query result has been flagged as a false positive |
| Intelligence Requirement Results | isLocal | Boolean | A flag indicating whether an IR query result exists in the owners to which you have access on your ThreatConnect instance |
| Intelligence Requirement Results | lastMatchedDate | Date | The date and time that an IR query result last matched the IR’s keyword query |
| Intelligence Requirement Results | lastModified | Date | The date and time the ThreatConnect object to which an IR query result corresponds was last modified |
| Intelligence Requirement Results | owner | Integer | The ID number of the owner of the ThreatConnect object to which an IR query result corresponds |
| Intelligence Requirement Results | ownerName | String | The name of the owner of the ThreatConnect object to which an IR query result corresponds |
| Intelligence Requirement Results | score | Decimal | A weighted score indicating the relevancy of an IR query result Note As of ThreatConnect 7.3.1, the score for an IR query result is not available in the ThreatConnect UI. It can be accessed only via TQL queries and the v3 API. This parameter can be used to target IR query results that have the most relevancy out of all available IR query results. |
| Intelligence Requirement Results | summary | String | The summary of the ThreatConnect object to which an IR query result corresponds |
Tags
Table 6 provides all of the TQL parameters available for Tags.
| Object Type | Parameter | Data Type | Comments |
|---|---|---|---|
| Tags | active | Boolean | Read-only field that can be false for certain ATT&CK® Tags that become deprecated over time and will be excluded from places such as the ATT&CK Visualizer. The value of this parameter is true in all other cases. |
| Tags | associatedCase | Integer | Deprecated by nested query; equivalent to hasCase(id=n) |
| Tags | associatedGroup | Integer | Deprecated by nested query; equivalent to hasGroup(id=n) |
| Tags | associatedIndicator | Integer | Deprecated by nested query; equivalent to hasIndicator(id=n) |
| Tags | associatedVictim | Integer | Deprecated by nested query; equivalent to hasVictim(id=n) |
| Tags | caseId | Integer | |
| Tags | description | String | |
| Tags | hasCase() | Nested Query | |
| Tags | hasGroup() | Nested Query | |
| Tags | hasIndicator() | Nested Query | |
| Tags | hasVictim() | Nested Query | |
| Tags | id | Integer | The ID number of a Tag. This number can be found in the URL of the Tag’s Details screen, after tag.xhtml?tag=. |
| Tags | lastUsed | Date | |
| Tags | name | String | The name of the Tag (case sensitive) |
| Tags | normalized | Boolean | Read-only field that indicates if a Tag is defined as a main Tag within a Tag normalization rule. |
| Tags | owner | Integer | |
| Tags | ownerName | String | |
| Tags | securityCoverage | Enum | The security coverage level assigned to an ATT&CK Tag in your Organization. Acceptable values:
|
| Tags | summary | String | The name of the Tag (case insensitive) |
| Tags | techniqueId | String | The standard ID for specific MITRE ATT&CK® techniques and sub-techniques (e.g., T1234, T1234.001). The value of this parameter is null for all non-ATT&CK Tags. |
Tracks
Table 7 provides all of the TQL parameters available for Tracks.
| Object Type | Parameter | Data Type | Comments |
|---|---|---|---|
| Tracks | active | Boolean | |
| Tracks | associatedIndicator | Integer | Not deprecated, because Tracks are not part of the nested-query feature |
| Tracks | contains | String | |
| Tracks | dateAdded | Date | |
| Tracks | description | String | |
| Tracks | lastUpdated | Date | |
| Tracks | notContains | String | |
| Tracks | owner | Integer | |
| Tracks | ownerName | String | |
| Tracks | result | String | |
| Tracks | resultCount | Integer | |
| Tracks | resultDate | Date | |
| Tracks | summary | String |
Victim Assets
Table 8 provides all of the TQL parameters available for Victim Assets.
| Object Type | Parameter | Data Type | Comments |
|---|---|---|---|
| Victim Assets | asset | String | |
| Victim Assets | associatedGroup | Integer | Deprecated by nested query; equivalent to hasGroup(id=n) |
| Victim Assets | hasGroup() | Nested Query | |
| Victim Assets | hasIndicator() | Nested Query | |
| Victim Assets | hasVictim() | Nested Query | |
| Victim Assets | hasVictimAsset() | Nested Query | |
| Victim Assets | id | Integer | |
| Victim Assets | owner | Integer | |
| Victim Assets | ownerName | String | |
| Victim Assets | summary | String | |
| Victim Assets | type | Integer | |
| Victim Assets | typeName | String | |
| Victim Assets | victimId | Integer | |
| Victim Assets | victimName | String |
Victims
Table 9 provides all of the TQL parameters available for Victims.
| Object Type | Parameter | Data Type | Comments |
|---|---|---|---|
| Victims | assetName | String | Deprecated by nested query; equivalent to hasVictimAsset(summary="") |
| Victims | assetType | Integer | Deprecated by nested query; equivalent to hasVictimAsset(type=n) |
| Victims | assetTypeName | String | Deprecated by nested query; equivalent to hasVictimAsset(typeName="") |
| Victims | attributeNN | Dependent | See the “Query for Attributes” section of Constructing Query Expressions for more information. |
| Victims | description | String | |
| Victims | hasAllTags() | Nested Query | A nested query that returns only Victims with all specified Tags applied to them. The query must be of the form hasAllTags(id=x) or hasAllTags(id IN (x,y)), where x and y represent Tag ID numbers. |
| Victims | hasAttribute() | Nested Query | |
| Victims | hasGroup() | Nested Query | |
| Victims | hasIndicator() | Nested Query | |
| Victims | hasSecurityLabel() | Nested Query | |
| Victims | hasTag() | Nested Query | |
| Victims | hasVictim() | Nested Query | |
| Victims | hasVictimAsset() | Nested Query | |
| Victims | id | Integer | The ID number of a Victim. This number can be found in the URL of the Victim’s Details screen, after victim.xhtml?victim=. |
| Victims | name | String | |
| Victims | nationality | String | |
| Victims | organization | String | |
| Victims | owner | Integer | |
| Victims | ownerName | String | |
| Victims | securityLabel | String | |
| Victims | subOrg | String | |
| Victims | summary | String | Equivalent to name |
| Victims | tag | String | Deprecated by nested query; equivalent to hasTag(summary="") |
| Victims | tagOwner | Integer | Deprecated by nested query; equivalent to hasTag(owner=n) |
| Victims | tagOwnerName | String | Deprecated by nested query; equivalent to hasTag(ownerName="") |
| Victims | workLocation | String |
Workflow Parameters
The following subsections describe all of the TQL parameters available for Workflow objects in ThreatConnect.
Important
Workflow-related TQL parameters are available only in dashboard Query cards and the ThreatConnect v3 API. They are not available on the Browse screen.
Note
It is recommended to use ISO-8601-compliant formatting for TQL parameters with the Date data type.
Artifacts
Table 10 provides all of the TQL parameters available for Artifacts.
| Workflow Type | Parameter | Data Type | Description |
|---|---|---|---|
| Artifact | analyticsScore | Integer | The ThreatAssess assessment level of the Artifact |
| Artifact | caseId | Integer | The ID number of a Case associated with an Artifact |
| Artifact | dateAdded | Date | The date and time at which an Artifact was added to ThreatConnect |
| Artifact | hasCase() | Nested Query | A nested query for association to other Cases |
| Artifact | hasGroup() | Nested Query | A nested query for association to other Groups |
| Artifact | hasIndicator() | Nested Query | A nested query for association to other Indicators |
| Artifact | hasNote() | Nested Query | A nested query for association to other Notes |
| Artifact | hasTask() | Nested Query | A nested query for association to other Tasks |
| Artifact | id | Integer | The ID number of an Artifact |
| Artifact | indicatorActive | Boolean | A flag indicating whether the Artifact is active |
| Artifact | noteId | Integer | The ID number of a Note associated with an Artifact |
| Artifact | source | String | The source of an Artifact |
| Artifact | summary | String | The summary of an Artifact |
| Artifact | taskId | Integer | The ID number of a Task associated with an Artifact |
| Artifact | type | String | The type name of an Artifact |
| Artifact | typeName | String | The type name of an Artifact |
Artifact Types
Table 11 provides all of the TQL parameters available for Artifact types.
| Workflow Type | Parameter | Data Type | Description |
|---|---|---|---|
| ArtifactType | active | Boolean | The active status of an Artifact type |
| ArtifactType | dataType | Enum | The data type of an Artifact type |
| ArtifactType | description | String | The description of an Artifact type |
| ArtifactType | id | Integer | The ID number of an Artifact type |
| ArtifactType | intelType | String | The intel type of an Artifact type |
| ArtifactType | managed | Boolean | The managed status of an Artifact type |
| ArtifactType | name | String | The name of an Artifact type |
Cases
Table 12 provides all of the TQL parameters available for Cases.
| Workflow Type | Parameter | Data Type | Description |
|---|---|---|---|
| Case | assignedToUserOrGroup | Enum | The type of Case assignee (either User or Group) |
| Case | assigneeName | String | The name of the user or user group assigned to the Case |
| Case | attribute | String | An Attribute corresponding to a Case |
| Case | calScore | Integer | The CAL score of the Case (i.e., the highest CAL score among the Case’s Artifacts with a CAL score and an active Indicator Status set by CAL) |
| Case | caseCloseDate | Date | The date and time a Case was closed |
| Case | caseCloseTime | Date | The date and time a Case was closed |
| Case | caseCloseUser | User | The username of the user who closed a Case |
| Case | caseDetectionTime | Date | The date and time a security incident or threat (i.e., the event that caused a Case to be opened) was detected (e.g., by the security team) |
| Case | caseDetectionUser | User | The username of the user who logged a Case’s detection time |
| Case | caseOccurrenceTime | Date | The date and time a security incident or threat (i.e., the event that caused a Case to be opened) occurred |
| Case | caseOccurrenceUser | User | The username of the user who logged a Case’s occurrence time |
| Case | caseOpenDate | Date | The date and time a Case was opened |
| Case | caseOpenTime | Date | The date and time a Case was opened |
| Case | caseOpenUser | User | The username of the user who opened a Case |
| Case | createdBy | User | The username of the user who created a Case |
| Case | createdById | Integer | The user ID number of the user who created a Case |
| Case | dateAdded | Date | The date on which a Case was added to ThreatConnect |
| Case | description | String | The description of a Case |
| Case | hasAllTags() | Nested Query | A nested query that returns only Cases with all specified Tags applied to them. The query must be of the form hasAllTags(id=x) or hasAllTags(id IN (x,y)), where x and y represent Tag ID numbers. |
| Case | hasArtifact() | Nested Query | A nested query for association to Artifacts |
| Case | hasCase() | Nested Query | A nested query for association to other Cases |
| Case | hasGroup() | Nested Query | A nested query for association to other Groups |
| Case | hasIndicator() | Nested Query | A nested query for association to other Indicators |
| Case | hasNote() | Nested Query | A nested query for association to Notes |
| Case | hasTag() | Nested Query | A nested query for association to labels |
| Case | hasTask() | Nested Query | A nested query for association to Tasks |
| Case | hasWorkflowTemplate() | Nested Query | A nested query for association to Workflow Templates |
| Case | id | Integer | The ID number of a Case |
| Case | idAsString | String | The ID number of a Case as a String |
| Case | lastUpdated | Date | The date a Case was last updated |
| Case | missingArtifactCount | Integer | The number of required Artifacts that have not been collected for a Case’s Tasks |
| Case | name | String | The name of a Case Note If querying for Cases with a name that contains a backslash character (\), use a double backslash (\\) in the query to escape the single backslash. For more information, see the “Workflow-Related Queries” section of Constructing Query Expressions. |
| Case | owner | Integer | The ID number for the owner of a Case |
| Case | ownerName | String | The name of the owner of a Case |
| Case | resolution | String | The resolution of a Case |
| Case | severity | Enum | The severity of a Case |
| Case | status | Enum | The status of a Case |
| Case | tag | String | The name of a Tag applied to a Case |
| Case | targetId | Integer | The user or user group ID number for a Case assignee |
| Case | targetType | Enum | The target type for a Case (either User or Group) |
| Case | threatAssessScore | Integer | The ThreatAssess score of a Case (i.e., the highest ThreatAssess score among the Case’s Artifacts with a ThreatAssess score) |
| Case | typeName | String | The name of a Case |
| Case | xid | String | The XID of a Case |
Case Attributes
Table 13 provides all of the TQL parameters available for Case Attributes.
| Workflow Type | Parameter | Data Type | Description |
|---|---|---|---|
| CaseAttribute | caseId | Integer | The ID number of a Case to which the Attribute is added |
| CaseAttribute | dateAdded | Date | The date on which the Attribute was added to the system |
| CaseAttribute | dateVal | Date | The date value of an Attribute (applies only to certain Attribute Types) |
| CaseAttribute | displayed | Boolean | A flag indicating whether the Attribute is displayed in a Case |
| CaseAttribute | hasCase() | Nested Query | A nested query for association to other Cases |
| CaseAttribute | id | Integer | The ID number of an Attribute |
| CaseAttribute | intVal | Integer | The integer value of an Attribute (applies only to certain Attribute Types) |
| CaseAttribute | lastModified | Date | The date when an Attribute was last modified |
| CaseAttribute | maxSize | Integer | The maximum length of an Attribute’s text |
| CaseAttribute | owner | Integer | The ID of the owner in which an Attribute exists |
| CaseAttribute | ownerName | String | The name of the owner in which an Attribute exists |
| CaseAttribute | shortText | String | The short text of an Attribute (applies only to certain Attribute Types) |
| CaseAttribute | source | String | An Attribute’s source |
| CaseAttribute | text | String | The text of an Attribute (applies only to certain Attribute Types) |
| CaseAttribute | type | Integer | The ID number of an Attribute’s Type |
| CaseAttribute | typeName | String | The name of an Attribute’s Type |
| CaseAttribute | user | String | The username of the user who created an Attribute |
Notes
Table 14 provides all of the TQL parameters available for Notes.
| Workflow Type | Parameter | Data Type | Description |
|---|---|---|---|
| Note | artifactId | Integer | The ID number of an Artifact with which a Note is associated |
| Note | author | User | The account login of a user who wrote a Note |
| Note | caseId | Integer | The ID number of a Case with which a Note is associated |
| Note | data | String | The contents of a Note |
| Note | dateAdded | Date | The date on which a Note was written |
| Note | hasArtifact() | Nested Query | A nested query for association to Artifacts |
| Note | hasCase() | Nested Query | A nested query for association to Cases |
| Note | hasTask() | Nested Query | A nested query for association to Tasks |
| Note | id | Integer | The ID number of a Case |
| Note | lastModified | Date | The date on which a Note was last modified |
| Note | summary | String | Text of the first 100 characters of a Note |
| Note | taskId | Integer | The ID number of a Task with which a Note is associated |
| Note | workflowEventId | Integer | The ID number of a Workflow Timeline event with which a Note is associated |
Tasks
Table 15 provides all of the TQL parameters available for Tasks.
| Workflow Type | Parameter | Data Type | Description |
|---|---|---|---|
| Task | assignedToUserOrGroup | Enum | The type of Task assignee (either User or Group) |
| Task | assigneeName | String | The name of the user or user group assigned to the Task |
| Task | automated | Boolean | A flag indicating whether a Task is automated |
| Task | caseId | Integer | The ID number of a Case with which a Task is associated |
| Task | caseIdAsString | String | The ID number of a Case as a String |
| Task | caseSeverity | Enum | The severity of a Case associated with a Task |
| Task | completedBy | User | The username of a user who completed a Task |
| Task | completedDate | Date | The completion date of a Task |
| Task | description | String | The description of a Task |
| Task | dueDate | Date | The due date of a Task |
| Task | hasArtifact() | Nested Query | A nested query for association to other Artifacts |
| Task | hasCase() | Nested Query | A nested query for association to other Cases |
| Task | hasNote() | Nested Query | A nested query for association to other Notes |
| Task | id | Integer | The ID number of a Task |
| Task | missingArtifactCount | Integer | The number of required Artifacts that have not been collected for a Task |
| Task | name | String | The name of a Task |
| Task | owner | Integer | The ID of the owner in which a Task exists |
| Task | ownerName | String | The name of the owner in which a Task exists |
| Task | required | Boolean | A flag indicating whether a Task is required or not |
| Task | status | Enum | The status of a Task |
| Task | targetId | Long | The user or user group ID number for a Task assignee |
| Task | targetType | Enum | The target type for a Task (either User or Group) |
| Task | workflowPhase | Integer | The Workflow Phase of a Task |
| Task | workflowStep | Integer | The Workflow step of a Task |
| Task | xid | String | The XID of a Task |
Workflow Events
Table 16 provides all of the TQL parameters available for Workflow Events (i.e., Timeline Events).
| Workflow Type | Parameter | Data Type | Description |
|---|---|---|---|
| WorkflowEvent | caseId | Integer | The ID number of a Case with which a Timeline Event is associated |
| WorkflowEvent | dateAdded | Date | The date on which a Timeline Event was added |
| WorkflowEvent | deleted | Boolean | The deletion status of a Timeline Event |
| WorkflowEvent | deletedReason | String | The reason a Timeline Event was deleted |
| WorkflowEvent | eventDate | Date | The date on which a Timeline Event occurred |
| WorkflowEvent | id | Integer | The ID number of a Timeline Event |
| WorkflowEvent | link | StringUpper | The item to which a Timeline Event pertains, in format <type>:<id> |
| WorkflowEvent | summary | String | The text of a Timeline Event |
| WorkflowEvent | systemGenerated | Boolean | Flag determining whether a Timeline Event was created automatically by the system |
| WorkflowEvent | userName | String | The username associated with a Timeline Event |
Workflow Templates
Table 17 provides all of the TQL parameters available for Workflow Templates.
| Workflow Type | Parameter | Data Type | Description |
|---|---|---|---|
| WorkflowTemplate | active | Boolean | The active status of a Workflow Template |
| WorkflowTemplate | description | String | The description of a Workflow Template |
| WorkflowTemplate | id | Integer | The ID number of a Workflow Template |
| WorkflowTemplate | name | String | The name of a Workflow Template |
| WorkflowTemplate | owner | Integer | The ID of the owner in which a Workflow Template exists |
| WorkflowTemplate | ownerName | String | The name of the owner in which a Workflow Template exists |
| WorkflowTemplate | targetId | Integer | The user or user group ID for the default assignee for a Workflow Template |
| WorkflowTemplate | targetType | Enum | The target type for a Workflow Template (either User or Group) |
| WorkflowTemplate | version | Integer | The version of a Workflow Template |
General Parameters
The following subsections describe all of the general TQL parameters available in ThreatConnect.
Attribute Types
Table 18 provides all of the TQL parameters available for Attribute Types.
| Object Type | Parameter | Data Type | Description |
|---|---|---|---|
| AttributeType | associatedType | String | The data type(s) for which an Attribute Type can be used |
| AttributeType | default | Boolean | A flag designating whether the Attribute Type is a default Attribute Type |
| AttributeType | defaultOwnerId | Integer | The ID number of the owner in which an Attribute Preference is configured for the Attribute Type |
| AttributeType | description | String | The description of an Attribute Type |
| AttributeType | id | Integer | The ID number of an Attribute Type |
| AttributeType | maxsize | Integer | The maximum size, in characters, of an Attribute Type’s value. |
| AttributeType | name | String | The name of an Attribute Type |
| AttributeType | owner | Integer | The ID number for the owner of an Attribute Type |
| AttributeType | ownerName | String | The name of the owner of an Attribute Type |
| AttributeType | system | Boolean | A flag designating whether to show System-level Attributes (TRUE) or owner-specific Attributes only (FALSE) |
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
DomainTools® is a registered trademark of DomainTools, LLC.
VirusTotal™ is a trademark of Google, Inc.
RiskIQ® is a registered trademark of Microsoft Corporation.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
20052-04 v.24.A
Was this article helpful?
