Overview
Mandiant Query Language (MQL) is a data analysis language used in queries to retrieve events for further analysis. MQL queries are used in searches and rules in Helix, and other FireEye products.
Syntax
MQL has a unique syntax, which can be used to search for alerts/events. MQL is the only way to use the Helix 'index search' in the dashboard (see below)
Examples
Here are a few examples of the syntax:
1.class=test | groupby class
2.!class=*.com
3.srcport > 8999 and srcport < 9301
The use of pips (|), wildcards (*), and operators (see below):
The order of precedence for AND, OR, and NOT is:
1. NOT, which binds to what immediately follows it
2. AND (explicit)
3. AND (implicit, or no AND is entered, but a space exists between two terms)
4. OR
The valid symbols for AND are:
AND/and/&&/(single empty space)
The valid symbols for OR are:
OR/or/||
The valid symbols for NOT are:
NOT/Not/! (exclamation point with no space before next search term)
Comparions operators use/symobles:
> rcvdpackets > 20
< rcvdpackets < 20
=< rcvdpackets <= 20
>= rcvdpackets >= 20
Just like operators in Regular Expressions (RegEx) these operators can be used together and combined to make the most use out of creating your MQL search query.
Additional Documentation
Learn more about Helix's MQL syntax and design Here.