Learn About Queries
The query area displays the query associated with the selected node. Queries are based on the LogicHub Query Language (LQL), which is an extension of SQL with some powerful operations that are available as operators.
LogicHub Query Language (LQL)
LogicHub Query Language (LQL) is the language for all queries used to develop a playbook. An LQL query can be either of the following:
- A custom LogicHub operator. Click Available operators to view the list of operators and make a selection. For more information, see Select operators.
- A standard SQL query, with the SQL enclosed in backtick (`) marks. You can use any Spark SQL functions listed on the Apache Spark website. A list of the available SQL functions can be found on this page.
Example:
SELECT src_ip, dest_ip, count(*) as conn_count FROM PsData group by src_ip, dest_ip
Select Operators
Operators can include integrations that interact with other systems or tools (such as VirusTotal, Damballa) to bring in external information about threats.
To see the list of available operators, select a node and click Available Operators. A panel containing the list of operators opens on the left.
You can scroll through the list and click More to view additional details for any particular operator.
Click an operator to add it to the query area. You can then modify the query as needed, and click Update Table.
Keep in mind that the node type depends on the function that is applied. For example, if you add a computation node (green header) and then select a score function from the available functions list, the node changes to a scorer node (purple header).
Tabs
The node name is listed at the top of the query area, followed by the associated query. A new tab opens for each node you select. To close a node, hover over the tab and click X. If you close all of the tabs, only the graphical view is displayed.
Results Table
The results table below the query area lists the events that match the query for the selected period.
To save any changes you make to a query and redisplay the table, click Update Table.
To filter the results table, click Filter Table and enter filter criteria. A filter criterion is a SQL where condition. For example: action='allowed'
Note: For event types, the query area is read-only. See [Event type details ](../Export as CSV)for instructions on editing event type queries.
Identifying Nodes by Tagging and Starring
Tagging and starring allow you to identify nodes that you would like to consider together or find easily in searches.
Tagging
You can define one or more tags per node. Enter text to the right of the tag icon and press Return to save and display the tag. Tags cannot contain any spaces or special characters.
For example, suppose you want to ask some colleagues for an opinion on the computations in your playbook. If you add their names as tags on the nodes and then share the playbook, the colleagues will be able to search on the tags and quickly identify the nodes that you would like to have them review.
Starring
Starring a node makes it a favorite. Click the star icon in the query area to star a node.
The icon turns yellow, and the node is shown with a start on the graphical map. To unstar a node, click the icon again.
Updated about 1 year ago