knowledge.threatconnect.com
2606:4700::6812:79f  Public Scan

Submitted URL: https://training.threatconnect.com/learn/article/using-threatconnect-query-language-tql-kb-article
Effective URL: https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql
Submission: On May 21 via api from US — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content


THREATCONNECT QUERY LANGUAGE (TQL)

Contains articles describing how to use TQL to view and filter objects and how
to construct TQL query expressions.
4 Articles in this category

--------------------------------------------------------------------------------


THREATCONNECT QUERY LANGUAGE (TQL) OVERVIEW

This article provides an overview of ThreatConnect Query Language (TQL) and the
corresponding minimum roles and prerequisites for this feature.
Updated on: 05 Oct 2023


USING THE ADVANCED-QUERY FILTER

This article describes how to access and use the advanced-query filter on the
Browse screen in ThreatConnect.
Updated on: 24 Oct 2023


CONSTRUCTING QUERY EXPRESSIONS

This article describes how to create ThreatConnect Query Language (TQL) query
expressions and provides several sample TQL queries.
Updated on: 10 Jan 2024


TQL OPERATORS AND PARAMETERS

This article provides a list of all ThreatConnect Query Language (TQL)
operators, general parameters, and Workflow parameters.
Updated on: 10 Jan 2024



