Macros
The [Management->Favorites->Macros] menu can be used to configure custom NQL language macros in the form of various variables.
A Macro is used to substitute a string of characters into an NQL expression using a variable.
Note that it does not add any additional set of logic, but only inserts the stored part of the expression in place of the variable. You have to make sure that the NQL syntax after inserting the macro is correct by maintaining proper spacing, punctuation marks and control expressions.
Syntax:
$MACRO_NAME$
In order to use a macro, remember to precede and end its name with a $
sign.
Example 1:
Having an NQL with a macro called MACRO1 to which the value MACRO1=sometext is assigned,
src stream="alerts" | set fullName=concat("alertName", "$MACRO1$", "alertSeverity") | limit 1000
during its execution, the character string "MACRO1" will be substituted with the MACRO1 value, so the produced NQL will read as follows:
src stream="alerts" | set fullName=concat("alertName", "sometext", "alertSeverity") | limit 1000
Example 2:
Macro: MACRO2 = src stream="alerts"
NQL: $MACRO2$ | where serverBytes>100 | sort serverBytes | limit 1000
Result: src stream="alerts" | where serverBytes>100 | sort serverBytes | limit 1000
Example 3:
Macro:
MACRO31 = aggr clientIpCount = count(clientIpCount)
MACRO32 = aggr maxTimeStamp = max(timestamp)
NQL: src stream="netflow" | fork ($MACRO31$), ($MACRO32$)
Result: src stream="netflow" | fork (aggr clientIpCount = count(clientIpCount)), (aggr maxTimeStamp = max(timestamp))
Macro definition in the Sycope
In order to define a new macro or edit an existing one, you must select the "Macros" tab in the [Management->Favorites->Macros].
The New Macro
button is used for adding a new macro.
Parameters:
- Name - Name of the macro
- Description - Description of the macro
- Query - Text of the macro
- Tags - Tags assigned to the macro object.
You can use a macro added in this manner, for example, in the Playground, in the Query field: $MACRO2$ | sort id | limit 1000
Built-in Macros
Macros that have been built into the System are shown in the table below.
Name | Description | Tags | Query |
---|---|---|---|
INT_EXT | Traffic between private client and public server IP Addresses. | Visibility | lookupKeyExists("groups-private", {"cidr": clientIp } ) AND not lookupKeyExists("groups-private", {"cidr": serverIp }) |
EXT_ | Traffic between public client and any (public/private) server IP Addresses. | Visibility | not(lookupKeyExists("groups-private", {"cidr": clientIp } )) |
_EXT | Traffic between any (public/private) client and public server IP Addresses. | Visibility | not(lookupKeyExists("groups-private", {"cidr": serverIp } )) |
INT_ | Traffic between private client and any (public/private) server IP Addresses. | Visibility | lookupKeyExists("groups-private", {"cidr": clientIp } ) |
_INT | Traffic between any (private/public) client and private server IP Addresses. | Visibility | lookupKeyExists("groups-private", {"cidr": serverIp } ) |
LDAP | LDAP Traffic | Visibility | (serverPort = 636 AND protocol = 6) OR serverPort = 389 or applicationNameNtop = "LDAP" |
DHCP | DHCP Traffic | Visibility | in(serverPort, [67,68]) or applicationNameNtop = "DHCP" |
EXT_INT | Traffic between public client and private server IP Addresses. | Visibility | not(lookupKeyExists("groups-private", {"cidr": clientIp } )) AND lookupKeyExists("groups-private", {"cidr": serverIp }) |
EXT_EXT | Traffic between public IP Addresses. | Visibility | not(lookupKeyExists("groups-private", {"cidr": clientIp } )) AND not (lookupKeyExists("groups-private", {"cidr": serverIp })) |
INT_INT | Traffic between private IP addresses. | Visibility | (lookupKeyExists("groups-private", {"cidr": clientIp } )) and (lookupKeyExists("groups-private", {"cidr": serverIp } )) |
RDP | RDP traffic | Visibility | serverPort=3389 or applicationNameNtop = "RDP" |
DNS | DNS traffic | Visibility | serverPort=53 or applicationNameNtop = "DNS" |
Workstations | Traffic to server belonging to the Workstations group. | Visibility | any(serverGroups, ["Workstations"]) |
Public | Traffic to server belonging to the Public group. | Visibility | any(serverGroups, ["Public"]) |