Query Syntax Reference

QUERY Command Structure

QUERY
[SHOW <fields to return>]
[WITH <filter conditions>]
[SINCE <start time>]
[UNTIL <end time>]
[FROM <connector list>]
[ORDER BY <attribute> [ASC|DESC] [, ...]]
[LIMIT <record limit>]

All clauses except QUERY are optional. QUERY starts the search; SHOW specifies which fields to return. The SHOW keyword itself is optional — field names can be placed directly after QUERY. If no SHOW clause is present, the fields used in the WITH clause are shown.

Field Selection (SHOW)

Specific fields

List fields by their full OCSF path in the SHOW clause:

QUERY
SHOW authentication.time, authentication.user.username, authentication.src_endpoint.ip

Results are hierarchical JSON objects following the OCSF schema. Selecting specific fields returns the full event, but the selected fields are the ones surfaced in the Query UI's results grid:

{
  "time": "2026-03-30T08:41:17.000000+00:00",
  "user": {"username": "admin"},
  "src_endpoint": {"ip": "10.100.1.16"}
}

Wildcards and depth expansion

Excluding fields

Use set operations to remove fields from the selection:

QUERY
SHOW authentication.(* - (start_time + end_time))

Multiple event types

Combine event types with +:

QUERY
SHOW (authentication + process_activity).user.name

Category selector

Use # to select all events in a category:

QUERY
SHOW #network.**

For the full attribute selector syntax — path expansions, modifiers, filters, transformers, and set operations — see Attribute Selectors.

Filtering with WITH

The WITH clause filters results using predicates of the form <attribute> <operator> <value>.

QUERY
SHOW authentication.**
WITH authentication.status_id = FAILURE

Combining filters

Use AND, OR, NOT, and parentheses:

QUERY
SHOW process_activity.**
WITH (process_activity.process.name IN 'powershell.exe', 'cmd.exe')
AND (process_activity.process.cmd_line CONTAINS 'hidden' OR process_activity.process.cmd_line CONTAINS 'encode')

List filters with ANY and ALL

For array fields, use quantifiers:

QUERY
SHOW api_activity.**
WITH ANY web_resources_activity.web_resources.name CONTAINS 'aws'

QUERY
SHOW api_activity.**
WITH ALL api_activity.actor.authorizations.policy.name IN 'Global Administrator', 'Security Administrator'

For the complete operator reference and data type compatibility, see Search Filter Operators.

Finding Valid Enum Values

When filtering enum fields (for example status_id, activity_id, type_id), use documented enum tokens such as FAILURE, SUCCESS, LOGON, or MACOS.

If you are unsure which values are valid for a field, look up the field in Query Data Model Reference (event/object docs), and use Data Model Primer for the full lookup workflow.

Start here: [About the Query Data Model](../Query Data Model Reference/about-the-query-data-model), then browse [Events](../Query Data Model Reference/events), [Objects](../Query Data Model Reference/objects), and [Types](../Query Data Model Reference/types).

Entity Searches

The % selector searches across all fields mapped to a given entity (observable) — no need to know exact field paths. Many connectors have optimizations for entity searches, making them the preferred way to search by indicator type.

For the complete entity list, see Entities.

Because entity searches match across all event types, results may contain a mix of authentication, network, process, and other events. The __event field identifies the event class:

[
  {
    "time": "2026-03-30T14:22:01.000000+00:00",
    "activity_id": "LOGON",
    "status_id": "FAILURE",
    "user": {"name": "jsmith"},
    "src_endpoint": {"ip": "10.0.0.1", "hostname": "WORKSTATION07"},
    "__event": "authentication"
  },
  {
    "time": "2026-03-30T14:22:03.000000+00:00",
    "activity_id": "OPEN",
    "src_endpoint": {"ip": "10.0.0.1"},
    "dst_endpoint": {"ip": "10.200.5.12", "port": 445},
    "__event": "network_activity"
  }
]

Time Ranges

Time ranges are set with SINCE (how far back to search) and UNTIL (where to stop):

QUERY
SHOW authentication.**
WITH authentication.status_id = FAILURE
SINCE 48hrs UNTIL 24hrs

This reads naturally: "since 48 hours ago, until 24 hours ago."

Times can be relative, absolute (ISO 8601), or epoch timestamps:

QUERY ... SINCE 7d
QUERY ... SINCE 1 month
QUERY ... SINCE '2025-03-17'
QUERY ... UNTIL '2025-04-01 17:30:00'
QUERY ... UNTIL 1746109163

FSQL passes resolved absolute time values through to source systems; it does not normalize all query times to UTC before execution.

For full details on time formats, see Dates and Times.

Data Sources (FROM)

Limit your search to specific connectors. The FROM clause accepts a comma-separated list, and you can mix reference types freely within it.

If FROM is omitted, all enabled connectors are searched. In practice, Query can quickly eliminate connectors that cannot satisfy the requested event classes, so FROM is most useful when you intentionally want to focus on specific connectors.

Reference types

A connector can be referenced four ways:

-- By display name
QUERY
SHOW authentication.**
WITH authentication.status_id = FAILURE
FROM 'Active Directory', 'Okta'

-- By numeric ID
QUERY
SHOW authentication.**
WITH authentication.status_id = FAILURE
FROM 1940, 2015

-- By alias (unquoted)
QUERY
SHOW authentication.**
WITH authentication.status_id = FAILURE
FROM okta-logins

-- Mixing reference types in one query
QUERY
SHOW detection_finding.**
FROM 'Active Directory', crowdstrike-idp, 5678

Aliases are the recommended reference for saved and automated queries: unlike display names they cannot be renamed out from under you, and unlike numeric IDs they survive the migration to UUIDs.

Tags

A tag is a label applied to any number of connectors — for example siem, aws, or env/prod. Reference a tag in FROM with a # prefix, and the query engine expands it to every connector carrying that tag, federating the search across them and unioning the results.

-- All connectors tagged 'siem'
QUERY
SHOW detection_finding.**
WITH detection_finding.severity_id IN HIGH, CRITICAL
SINCE 24hrs
FROM #siem

-- Tags may be namespaced with a slash
QUERY
SHOW authentication.**
FROM #env/prod

-- Multiple tags union their connector sets (deduplicated)
QUERY
SHOW detection_finding.**
FROM #siem, #aws

-- Mix an individual connector alias with a tag
QUERY
SHOW authentication.**
FROM okta-logins, #aws

If a query references both a tag and a connector that also carries that tag, the connector is queried once, not twice.

📘

# in FROM vs. # in field selection

The # prefix means different things in different clauses. In FROM, #siem references a connector tag. In field selection, #network.** references an OCSF event category (see Field Selection). The two never collide because they appear in different clauses.

Discovering connectors, aliases, and tags

Use EXPLAIN CONNECTORS to list all available connectors along with their IDs, aliases, and tags. See Other Commands.

Resolution order

When resolving a FROM reference, FSQL checks, in order:

1. Numeric ID or UUID — exact match against the connector ID.
2. Tag — a #-prefixed token matching a known tag.
3. Alias — an unquoted token (or quoted string) matching a known alias.
4. Display name — a quoted string, matched case-insensitively.

Error cases

All existing FROM syntax continues to work unchanged — aliases and tags are purely additive.

Ordering Results (ORDER BY)

Use ORDER BY to sort results by one or more attributes. Each attribute can be sorted in ascending (ASC) or descending (DESC) order. If neither is specified, ASC is the default.

QUERY
SHOW authentication.time, authentication.user.username, authentication.src_endpoint.ip
WITH authentication.status_id = FAILURE
ORDER BY authentication.time DESC
SINCE 24hrs

Multiple sort keys are separated by commas. Results are sorted by the first key, then ties are broken by the second key, and so on:

QUERY
SHOW network_activity.src_endpoint.ip, network_activity.dst_endpoint.port, network_activity.traffic.bytes
WITH network_activity.dst_endpoint.port IN 4444, 8080
ORDER BY network_activity.dst_endpoint.port ASC, network_activity.traffic.bytes DESC
SINCE 7d

📘

ORDER BY delays streaming results

Without ORDER BY, FSQL streams records from each data source as they arrive. With ORDER BY, FSQL cannot deliver any results until every data source has started sending records, because it needs at least one record from each source to determine the correct global ordering. The slowest-responding source effectively gates the first result. If time-to-first-result matters, consider omitting ORDER BY or pairing it with LIMIT so the query can terminate early once enough ordered results are available.

Limiting Results (LIMIT)

By default, FSQL returns all matching results. Use LIMIT to cap the result count — once the limit is reached, FSQL stops returning results and terminates any outstanding connector queries.

QUERY
SHOW authentication.**
LIMIT 1000