knowledge.threatconnect.com
Open in
urlscan Pro
2606:4700::6812:79f
Public Scan
Submitted URL: https://training.threatconnect.com/learn/article/using-threatconnect-query-language-tql-kb-article
Effective URL: https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql
Submission: On May 21 via api from US — Scanned from DE
Effective URL: https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql
Submission: On May 21 via api from US — Scanned from DE
Form analysis
0 forms found in the DOMText Content
MENU * Training Courses * Apps & Integrations Docs * Developer Docs * About * Contact * Training Courses * Apps & Integrations Docs * Developer Docs * About * Contact 🎉 ThreatConnect® 7.5 is now available! Check out our articles covering the new report templates and Details screen Custom View tab features. * * * Training Courses * Apps & Integrations Docs * Developer Docs * About * Contact Contents x No matching results found * Getting Started * Getting Started With the ThreatConnect Knowledge Base * Release Notes * ThreatConnect Platform Release Notes * 6.7 Release Notes * 7.0 Release Notes * 7.1 Release Notes * 7.2 Release Notes * 7.3 Release Notes * 7.4 Release Notes * 7.5 Release Notes Updated * ThreatConnect Risk Quantifier Release Notes * RQ 7.7 Release Notes * RQ 7.6 Release Notes * RQ 7.0 Release Notes * ThreatConnect Risk Quantifier * Getting Started With ThreatConnect Risk Quantifier * ThreatConnect Risk Quantifier FAQ * Release Notes * RQ 7.6 Release Notes * RQ 7.0 Release Notes * RQ 7.7 Release Notes * Administration and Configuration * Configuration * ThreatConnect Risk Quantifier Administration and Configuration Guide * Glossaries * FAIR - Primary Loss Magnitude Values Definitions * Loss Variables Definitions * ThreatConnect Risk Quantifier User Roles and Permissions * Analyzing and Visualizing Your Data * Cases Metrics * Cases Metrics Overview * Adding a Cases Metric Card to a Dashboard * Active Cases * Analyst Workload * False Positives * MTTD * MTTD Average * MTTR * MTTR Average * Top 10 Case Closing Analyst * Unassigned Cases * Custom Metrics * Dashboard * Dashboard Overview * Cloud Built-In Dashboards * Custom Dashboards * Adding Content to a Dashboard * Editing Dashboard Layout * Editing Dashboard Cards * Dashboard Administration * Exporting and Importing Dashboards * Generating a Report PDF for a Group * Reports * Reports Overview * Creating a Report * Adding Content to a Report * Adding Intelligence Data to a Report * Adding Group Data to a Report * Adding Case Data to a Report * Adding Basic Elements to a Report * Adding Layout Elements to a Report * Organizing a Report's Contents * Editing, Saving, and Exporting a Report * Report Templates * Viewing and Managing All Saved Reports and Templates * Search and Analyze * Search and Analyze Overview * Searching in ThreatConnect * Search Filters * Search Results * API * API Documentation * App Builder * App Builder Overview Updated * Apps Screen * The Apps Screen * Administrative Functions for Projects and Apps * App Builder Screen * The App Builder Screen * Tabs * Summary Tab * Metadata Tab * Contents Tab * Code Editor * Snippets Tab * Inputs Tab * Outputs Tab * Retry Tab * Source Control Tab * Validations Tab * App Builder Settings * Building an App * Debugging and Testing an App Updated * Releasing an App Updated * Apps and Integrations * Data Enrichment Integrations * Cisco Umbrella Investigate Spaces User Guide * Malformity Labs Maltego Integration * Silent Push Integration Installation and Configuration Guide New * ThreatConnect App for ServiceNow Security Operations User Guide * ThreatConnect VirusTotal Spaces App User Guide * Endpoint Detection & Response Integrations * BlackBerry Protect Integration Installation and Configuration Guide * CrowdStrike Falcon Insight Extract Integration Configuration Guide * Microsoft Defender for Endpoint Integration User Guide * Tanium * Tanium Connect Reputation Blacklist Integration Configuration Guide * Tanium Threat Response - Indicators Integration Configuration Guide * Tanium Threat Response - Signatures Integration Configuration Guide * Incident Response & Tracking Integrations * FireEye Helix Log Analytics Integration Configuration Guide * IT Infrastructure Integrations * Microsoft Graph Security Threat Indicators Integration User Guide * Network Security Integrations * Cisco Umbrella Integration Configuration Guide * Palo Alto Networks NGFW Integration Installation and Configuration Guide * Zscaler Internet Access Integration User Guide * MITRE ATT&CK App * MITRE ATT&CK App Overview * Deploying and Configuring the MITRE ATT&CK Source Feed * MITRE ATT&CK Deployment and Configuration Overview * Installing the MITRE ATT&CK App * Deploying the MITRE ATT&CK Source Feed * MITRE ATT&CK Manual Job Configuration (Advanced Users Only) * Adding the MITRE ATT&CK Source to Multiple Organizations * MITRE ATT&CK App Data Mappings * Viewing MITRE ATT&CK App Data * Enriching Data With Tags From the MITRE ATT&CK Source Deprecated * Orchestration Integrations * ThreatConnect Activity Pack for ServiceNow Orchestration User Guide * Premium Threat Intelligence Feed Integrations * Accenture * Accenture DeepSight Intelligence Integration Installation and Configuration Guide * Accenture iDefense Intelligence Engine Integration User Guide * Accenture iDefense IntelGraph Intelligence Engine Integration User Guide Deprecated * BAE Systems Threat Intelligence Integration Configuration Guide * Booz Allen Hamilton Cyber4Sight ThreatBase Installation Guide * CrowdStrike Falcon Intelligence Engine Integration User Guide * Digital Shadows SearchLight Integration Configuration Guide * Dragos WorldView Integration Configuration Guide * Fidelis Network Extract Integration Configuration Guide * Flashpoint * Flashpoint Intelligence Engine Integration User Guide * Flashpoint Intelligence Reports Integration Installation and Configuration Guide * Flashpoint Risk Intelligence Observables Integration Configuration Guide * FS-ISAC Integration Installation and Configuration Guide * Intel 471 * Intel 471 Intelligence Engine Integration User Guide * Intel 471 Adversary Intelligence Integration Configuration Guide * Intel 471 Malware Intelligence Integration Configuration Guide * Intel 471 Vulnerability Intelligence Integration Configuration Guide * Mandiant Advantage Threat Intelligence Engine Integration Configuration Guide * MISP Import Integration Configuration Guide * PhishMe Intelligence Integration * Proofpoint * Proofpoint ET Intelligence Reputation List Integration User Guide * Proofpoint ET Pro Signatures Integration Configuration Guide * Recorded Future * Recorded Future Intelligence Engine Integration User Guide Updated * Recorded Future Risk List Integration Installation and Configuration Guide * RH-ISAC Integration Installation and Configuration Guide * Secureworks Attacker Database Integration Configuration Guide * SIEM & Analytic Integrations * Amazon GuardDuty Integration Configuration Guide * IBM QRadar * IBM QRadar App for ThreatConnect User Guide * ThreatConnect App for IBM QRadar User Guide * Micro Focus * Micro Focus ArcSight ESM - API Integration Installation and Configuration Guide * Micro Focus ArcSight ESM - CEF Integration Installation and Configuration Guide * Micro Focus ArcSight Integration Package User Guide * Microsoft Sentinel Integration User Guide * RSA Netwitness Intel Feeds Implementation Guide * ThreatConnect Application for Splunk User Guide * ThreatConnect SmartResponse Plugin for LogRhythm User Guide * Spaces * Spaces Overview Updated * Central Spaces Updated * Contextually Aware Spaces Updated * Menu Spaces Updated * ThreatConnect Spaces Apps * Batch Import Spaces User Guide * Bulk Victim Create Configuration User Guide * Domain-Spinning Workbench Spaces App * Domain-Spinning Workbench * ThreatConnect Domain-Spinning Workbench Installation and Configuration Guide * File Post App * TC Exchange * TC Exchange App Development - Install Configuration File User Guide * ThreatConnect Runtime Apps * Indicator Migration App Configuration Guide * ThreatConnect AutoEnrich App Configuration Guide * ThreatConnect Indicator CSV Integration Installation and Configuration Guide * Vulnerability Management Integrations * Qualys Vulnerability Management Integration Configuration Guide * Tenable.sc Integration Configuration Guide * Collaboration * Contributing to a Community or Source * Contributing to a Community or Source Overview * Contributing a Group to a Community or Source * Group Hierarchy and Association Directionality * Copying a Group From a Community or Source * Posts * The Cross-Intel Sharing App: Sharing Data Across ThreatConnect Instances * The Publish Feature * Content Packs * Getting Started With Content Packs * Content Packs Overview * Creating Content Packs * Installing and Configuring Content Packs * Publishing Content Packs * Updating Content Packs * Content Packs FAQ and Known Issues * Microsoft Sentinel Content Pack * Microsoft Sentinel Content Pack Overview * Installing and Configuring the Microsoft Sentinel Content Pack * Microsoft Sentinel Content Pack Use Cases * Microsoft Sentinel Content Pack Data Mappings * ReversingLabs A1000 Content Pack * ReversingLabs A1000 Content Pack Overview * Installing and Configuring the ReversingLabs A1000 Content Pack * ReversingLabs A1000 Content Pack Use Cases * Zscaler Internet Access Content Pack * Zscaler Internet Access Content Pack Overview * Installing and Configuring the Zscaler Internet Access Content Pack * Zscaler Internet Access Content Pack Use Cases * Playbooks * The Playbooks Screen * The Playbook Designer * The Playbook Designer Overview * The Playbook Designer Screen * The Playbook Designer Screen Overview * Mode * Administration and Settings * Administration and Settings Overview * Administration Options * Settings * Tabbed Layout * Side Navigation Bar * Side Navigation Bar Overview * Summary * Validations * Triggers * Apps * Operators * Executions * Run Profiles * Metadata (Global Variables) * Versions * Components * DataStore * Audit Log * Designing a Playbook * Adding and Configuring Playbook Elements * Adding and Configuring Playbook Elements Overview * Adding a Trigger * Adding an App * Adding an Operator * Connecting Playbook Elements * Formatting a Playbook * Activating a Playbook * Interactive Playbooks * Interactive Playbooks Overview * Design Pane (Interactive Mode) * Variable Explorer * Execution Details * Notes * The Playbook Designer Keyboard Shortcuts * Parts of a Playbook * Triggers * The Mailbox Trigger * The Timer Trigger * The UserAction Trigger * The WebHook Trigger * Apps and Operators * Playbooks Iterator Operator * HTTP Client - Configuring HTTP Requests in cURL Format * Playbook Components * Playbook Components Overview * Creating a Component * Editing a Component * Administrating a Component * Using a Component in a Playbook * Cloning a Playbook as a Component * Executing a Playbook * Playbook Executions * Playbooks: Run Profiles * Playbook Versions * Playbook Templates * Playbooks: Return on Investment * Multi-Environment Orchestration: Executing Playbook Apps Through a Firewall * Playbook Environments * Playbook Environments Overview * Viewing, Activating, and Managing Playbook Environments * Configuring an Environment to an Environment Server * Administrating an Environment * Playbook Activity * Playbook Services * Playbooks Glossary * Settings and Administration * Adding App Profiles Updated * Configuring Indicator Confidence Deprecation * Creating a Phishing Mailbox * Creating an HTTP Feed * Creating Custom Attribute Types * Creating Indicator Exclusion Lists * Creating Jobs Using TC Exchange Apps * Creating Security Labels * Creating User Accounts * Environment Server * ThreatConnect Environment Server System Requirements Updated * ThreatConnect Environment Server Installation Guide Updated * Feed API Services * Feed Metrics and Report Card * Handling Incoming Emails * My Profile Updated * Notifications and Following * The Feed Deployer * TAXII * STIX 2.1 Parser Job App Data Mappings * STIX and CybOX Parser Data Mappings * TAXII Exchange Feeds * Creating an Inbound TAXII Exchange Feed * Creating an Outbound TAXII Exchange Feed * TAXII Servers * Using the ThreatConnect TAXII 2.1 Server * TAXII 2.1 Server Overview * Installing and Configuring the TAXII 2.1 Server Service * Creating a TAXII User for the TAXII 2.1 Server * Retrieving Data from the TAXII 2.1 Server * Using the ThreatConnect TAXII Server * Threat Intelligence * Adding Data to ThreatConnect * Assigning Tasks * Creating Threat Intelligence Data Updated * Doc Analysis Import * Email Import * Signature Import * Structured Indicator Import * Unstructured Indicator Import * Uploading Malware * Using Automated Email Ingest * Adding Metadata to ThreatConnect Objects * Adding Adversary Assets * Applying Security Labels * Applying Tags * Attributes * Pinned Association Attributes * The Description Attribute * The Source Attribute * Threat and Confidence Ratings * Best Practices: Indicator Threat and Confidence Ratings * Setting Indicator Threat and Confidence Ratings * Associations * Associations Overview * The Associations Card * The Associations Card: Graph View * Graph View Overview * Graph View: Object Menu * Graph View: Settings * The Associations Card: Table View * Table View Overview * Table View: Associated Groups * Table View: Associated Indicators * Table View: Associated Victim Assets * Table View: Associated Artifacts * Table View: Associated Cases * Table View: Potential Associations * The Associations Tab * Best Practices: Cross-Owner Associations * ATT&CK Visualizer * ATT&CK Visualizer Overview * ATT&CK Tags * Accessing the ATT&CK Visualizer * ATT&CK Views * Standard ATT&CK Views * Imported ATT&CK Views * ATT&CK Security Coverage * Visualizing ATT&CK Tactics, Techniques, and Sub-Techniques * Viewing All Saved ATT&CK Views * Automated Data Services * Automated Data Services Overview * DNS Resolutions * IP Geolocation Data * WHOIS Registration Information * Browse * Browse Overview * The Browse Screen * The Details Drawer * CAL * CAL Automated Threat Library (ATL) Updated * CAL Automated Threat Library (ATL) Supported Blogs Updated * CAL ATL Industry Classification New * CAL Classifiers Glossary * ThreatAssess and CAL * What Can CAL Do For You? * Enrichment * Enrichment Overview * The Enrichment Tab * VirusTotal Enrichment * Shodan Enrichment * urlscan.io Enrichment * Farsight Security Passive DNS Enrichment * DomainTools Enrichment * RiskIQ Enrichment * Explore In Graph * Explore In Graph Overview * Viewing an Object in Threat Graph * Exploring Associations * Pivoting in ThreatConnect * Pivoting with CAL * Pivoting on Enrichment Services * Running Playbooks in Threat Graph * Alias Information for Groups * Viewing Details in Threat Graph * Adjusting the Graph View * Saving and Exporting Graphs * Viewing All Saved Graphs * Exporting Data From ThreatConnect * Exporting Groups * Exporting Indicators * False Positives * False Positives Overview * Viewing and Reporting False Positives * Including False Positives Reported by API Users * Setting an Event Status to False Positive * Group Intel Rating * Indicator Status * Intelligence Requirements * Intelligence Requirements Overview * Best Practices: Intelligence Requirements * Best Practices: Keywords for Intelligence Requirements * Intelligence Requirement Categories * Creating Intelligence Requirements * Viewing Intelligence Requirement Details * Managing File Hashes and Known File Occurrences * Modeling File Behavior * OSINT and CAL Feeds * Pivoting on Data * Private Indicators * Tag Normalization * The Details Screen * The Details Screen: Custom View * The Details Screen (Legacy) Updated * The Feed Explorer * The "Last Modified" Date * ThreatConnect Intelligence Anywhere * ThreatConnect Intelligence Anywhere Overview * Installing and Logging Into ThreatConnect Intelligence Anywhere * Configuring ThreatConnect Intelligence Anywhere * Scanning Online Resources With ThreatConnect Intelligence Anywhere * Reviewing ThreatConnect Intelligence Anywhere Scan Results * Importing Potential Indicators Found With ThreatConnect Intelligence Anywhere * ThreatConnect Query Language (TQL) * ThreatConnect Query Language (TQL) Overview * Using the Advanced-Query Filter * Constructing Query Expressions * TQL Operators and Parameters * Tracking Adversary Activity * ThreatConnect Basics * My Intel Sources New * Ownership in ThreatConnect * The Diamond Model * The ThreatConnect Data Model Updated * ThreatConnect Glossary * ThreatConnect Owner Roles and Permissions * ThreatConnect Owner Roles and Permissions Overview * Viewing Owner Roles * Organization Roles * Community Roles * Creating Custom Owner Roles * Owner Role Permissions Definitions * ThreatConnect Super User Guide * ThreatConnect Super User Overview * Managing Data in All Organizations as a Super User * Managing Data in All Organizations: Dashboard * Managing Data in All Organizations: Posts * Managing Data in All Organizations: Threat Intelligence * Managing Data in All Organizations: Workflow * Managing Data in All Organizations: Playbooks * Managing Data in All Organizations: Reports and Report Templates * Administration and Configuration of All Organizations * ThreatConnect System Roles and Permissions * ThreatConnect Versioning * Viewing Owner ID Numbers * Workflow * Workflow Overview * Workflow Cases * Parts of a Case * The Cases Screen * The Cases Screen Overview * Viewing, Managing, and Filtering Cases * Creating Cases * Artifacts * Artifacts Overview * Artifacts Card * Adding Artifacts to a Case * Artifact Administrative Options * Viewing Artifact Details * Case Attributes * Case Associations * Case Associations Overview * Associations Card for Cases Updated * Potential Associations Card for Cases * Case Details * Case Notes * Phases and Tasks * Phases and Tasks Overview * Phases and Tasks Section * Adding Tasks to a Case * Viewing and Filtering Tasks in a Case * Task Administrative Options * Timeline Events * Workflow Playbooks * Workflow Playbooks Overview * Creating a Workflow Playbook * Cloning a Playbook as a Workflow Playbook * Workflow Tasks * Workflows and Workflow Templates * Workflows and Workflow Templates Overview * The Workflows Screen * The Templates Screen * Building and Activating a Workflow -------------------------------------------------------------------------------- ThreatConnect Query Language (TQL) 4 Articles  in this category * Print * Dark Light Contents THREATCONNECT QUERY LANGUAGE (TQL) Contains articles describing how to use TQL to view and filter objects and how to construct TQL query expressions. 4 Articles in this category * Dark Light -------------------------------------------------------------------------------- THREATCONNECT QUERY LANGUAGE (TQL) OVERVIEW The article provides an overview of ThreatConnect Query Language (TQL) and the corresponding minimum roles and prerequisites for this feature. Updated on : 05 Oct 2023 USING THE ADVANCED-QUERY FILTER This article describes how to access and use the advanced-query filter on the Browse screen in ThreatConnect. Updated on : 24 Oct 2023 CONSTRUCTING QUERY EXPRESSIONS This article describes how to create ThreatConnect Query Language (TQL) query expressions and provides several sample TQL queries. Updated on : 10 Jan 2024 TQL OPERATORS AND PARAMETERS This article provides a list of all ThreatConnect Query Language (TQL) operators, general parameters, and Workflow parameters. Updated on : 10 Jan 2024 Company * About Us * Blog * Contact Us Sales and Support * Sales: sales@threatconnect.com * Support: support@threatconnect.com Follow Us * * * * © 2012–2023 ThreatConnect, Inc. All Rights Reserved. * Terms of Services * Privacy Policy