Guides

Cheat Sheet

Single-page FSQL quick reference

Query Structure

QUERY [SHOW] <fields>
[WITH <filters>]
[SINCE <start time>] [UNTIL <end time>]
[FROM <connectors>]
[ORDER BY <attribute> [ASC|DESC] [, ...]]
[LIMIT <max results>]

Connector References (FROM)

ReferenceSyntaxExample
Display nameQuoted stringFROM 'Active Directory', 'Okta'
Numeric ID / UUIDUnquotedFROM 1940, 2015
AliasUnquotedFROM okta-logins
Tag (expands to all tagged connectors)#-prefixedFROM #siem, #env/prod

Reference types can be mixed: FROM okta-logins, #aws, 'Active Directory'. In FROM, # means a connector tag; in field selection it means an event category (#network.**).

Attribute Selectors

SelectorMeaningExample
.Direct pathauthentication.user.username
*All fields (one level)authentication.*
**All fields (full depth)authentication.**
#Category#network.**
%Entity (observable)%ip, %hash, %username
@Type filter@ip_t, @user
+Union(authentication + process_activity).user.name
-Differenceauthentication.(* - (start_time + end_time))
&IntersectionA & B
//Deep expansion modifier#network//*

Filter Operators

OperatorDescriptionExample
=Equalsstatus_id = FAILURE
==Equals (case-insensitive)user.username == 'ADMIN'
!=Not equalsstatus_id != SUCCESS
!==Not equals (case-insensitive)user.username !== 'admin'
~, CONTAINSContains substringcmd_line ~ 'powershell'
~~, ICONTAINSContains (case-insensitive)cmd_line ~~ 'powershell'
^=, STARTSWITHStarts withfilename ^= 'mal'
^==, ISTARTSWITHStarts with (case-insensitive)filename ^== 'Mal'
$=, ENDSWITHEnds withfilename $= '.exe'
$==, IENDSWITHEnds with (case-insensitive)filename $== '.EXE'
INIn liststatus_id IN SUCCESS, FAILURE
IINIn list (case-insensitive)user.name IIN 'admin', 'root'
<, >, <=, >=Numeric comparisoncount > 5
EMPTYField is null/emptyuser.email EMPTY
MATCHESRegex matchcmd_line MATCHES '.*\.ps1$'
IMATCHESRegex (case-insensitive)cmd_line IMATCHES '.*\.ps1$'
CIDRIP in CIDR rangesrc_endpoint.ip CIDR '10.0.0.0/8'
NOTNegate a filterNOT status_id = SUCCESS

Combining Filters

WITH (A OR B) AND C AND NOT D

Array Quantifiers

WITH ANY field.list CONTAINS 'value'
WITH ALL field.list IN 'a', 'b'

Entity Shortcuts

EntityNamesSearches
IP Address%ip, %ip_addressAll IP fields
Hostname%hostnameAll hostname fields
Username%username, %user_nameAll username fields
Email%email, %email_addressAll email fields
Hash%hash, %file_hashAll hash fields
File Name%filename, %file_nameAll file name fields
Process Name%processname, %process_nameAll process name fields
URL%url, %url_stringAll URL fields
MAC Address%mac, %mac_addressAll MAC address fields
Port%portAll port fields
Command Line%command_lineAll command line fields
CVE%cveAll CVE ID fields

Time Syntax

SINCE = how far back to start. UNTIL = where to stop.

Relative

SINCE 48hrs UNTIL 24hrs      -- between 48 and 24 hours ago
SINCE 7d                     -- last 7 days
UNTIL 2 weeks 3 days         -- no older than 2 weeks 3 days

Units: m/min/minutes, h/hr/hrs/hours, d/day/days, w/wk/weeks, mo/month/months

Absolute

SINCE '2025-03-17'
UNTIL '2025-04-01 17:30:00'
SINCE '2025-04-01 17:30-05:00'

Epoch

UNTIL 1746109163

SUMMARIZE (Analytics)

SUMMARIZE <operation> <fields>
[WITH <filters>]
[GROUP BY <fields>]
[SINCE <time>] [UNTIL <time>]
[FROM <connectors>]
OperationDescription
COUNTCount events
COUNT DISTINCTCount unique values
MINMinimum value
MAXMaximum value
AVGAverage value
SUMTotal value
SUMMARIZE COUNT authentication
WITH authentication.status_id = FAILURE
GROUP BY authentication.user.username
SINCE 24hrs

STATS is an alias for SUMMARIZE.

Common OCSF Event Classes

Event ClassWhat It Covers
authenticationLogins, MFA, SSO
process_activityProcess creation/termination
network_activityNetwork connections/flows
dns_activityDNS queries/responses
http_activityHTTP requests/responses
file_activityFile CRUD operations
email_activityEmail send/receive/scan
detection_findingSecurity alerts/detections
account_changeAccount create/modify/delete
api_activityAPI calls (cloud, SaaS)
ssh_activitySSH sessions

Categories: #network, #iam, #findings, #application

EXPLAIN Commands

EXPLAIN VERSION                           -- FSQL and QDM versions
EXPLAIN ATTRIBUTES <selector>             -- Expand a selector to field list
EXPLAIN SCHEMA <selector>                 -- Schema definitions for fields
EXPLAIN CONNECTORS                        -- Available connectors and events
EXPLAIN QUERY <query>                     -- How FSQL interprets your query
EXPLAIN GRAPHQL QUERY <query>             -- Translate to GraphQL
VALIDATE QUERY <query>                    -- Check query validity

Updated about 5 hours ago