Event, Flow, and Simarc Fields for AQL Queries


Use the Ariel Query Language (AQL) to retrieve specific fields from the events, flows, and simarc tables in the Ariel database.

Supported Event Fields for AQL Queries

The event fields that you can query are listed in the following table.

Table 1: Supported Event Fields for AQL Queries

| Field name | Description |
|---|---|
| adekey | ADE key |
| adevalue | ADE value |
| category | Low-level category |
| creEventList | Matched custom rule |
| credibility | Credibility |
| destinationMAC | Destination MAC |
| destinationPort | Destination port |
| destinationv6 | IPv6 destination |
| destinationaddress | Destination address |
| destinationip | Destination IP |
| sourceaddress | Source address |
| deviceTime | Log source time |
| deviceType | Log source type |
| devicegrouplist | Device group list |
| domainID | Domain ID |
| duration | Duration |
| endTime | End time |
| eventCount | Event count |
| eventDirection | Event direction: local-to-local (L2L), local-to-remote (L2R), remote-to-local (R2L), or remote-to-remote (R2R) |
| geographiclocation | Geographic location |
| sourcegeographiclocation | Source geographic location |
| destinationgeographiclocation | Destination geographic location |
| hasIdentity | Has identity |
| hasOffense | Associated with offense |
| highLevelCategory | High-level category |
| identityhostname | Identity host name |
| identityip | Identity IP address |
| isduplicate | Is duplicate |
| isCREEvent | Is custom rule event |
| logsourceid | Log source ID |
| magnitude | Magnitude |
| pcappacket | PCAP packet |
| partialMatchList | Partial match list |
| payload | Payload |
| postNatDestinationIP | Destination IP after NAT |
| postNatDestinationPort | Destination port after NAT |
| postNatSourceIP | Source IP after NAT |
| postNatSourcePort | Source port after NAT |
| preNatDestinationIP | Destination IP before NAT |
| preNatDestinationPort | Destination port before NAT |
| preNatSourceIP | Source IP before NAT |
| preNatSourcePort | Source port before NAT |
| protocolid | Protocol |
| processorId | Event Processor ID |
| qid | Event name ID |
| relevance | Relevance |
| severity | Severity |
| sourceIP | Source IP |
| sourceMAC | Source MAC |
| sourcePort | Source port |
| sourcev6 | IPv6 source |
| startTime | Start time |
| isunparsed | Event is unparsed |
| userName | User name |

Supported Flow Fields for AQL Queries

The flow fields that you can query are listed in the following table.

Table 2: Supported Flow Fields for AQL Queries

| Field name | Description |
|---|---|
| applicationId | Application ID |
| category | Category |
| credibility | Credibility |
| destinationASN | Destination ASN |
| destinationBytes | Destination bytes |
| destinationDSCP | Destination DSCP |
| destinationFlags | Destination flags |
| destinationIP | Destination IP |
| destinationIfIndex | Destination interface index (ifIndex) |
| destinationPackets | Destination packets |
| destinationPayload | Destination payload |
| destinationPort | Destination port |
| destinationPrecedence | Destination precedence |
| destinationv6 | IPv6 destination |
| domainID | Domain ID |
| fullMatchList | Full match list |
| firstPacketTime | First packet time |
| flowBias | Flow bias |
| flowDirection | Flow direction: local-to-local (L2L), local-to-remote (L2R), remote-to-local (R2L), or remote-to-remote (R2R) |
| flowInterfaceID | Flow interface ID |
| flowSource | Flow source |
| flowType | Flow type |
| geographic | Matches geographic location |
| hasDestinationPayload | Has destination payload |
| hasOffense | Has offense payload |
| hasSourcePayload | Has source payload |
| icmpCode | ICMP code |
| icmpType | ICMP type or code |
| flowInterface | Flow interface |
| intervalId | Interval ID |
| isDuplicate | Duplicate event |
| lastPacketTime | Last packet time |
| partialMatchList | Partial match list |
| protocolId | Protocol ID |
| qid | QID |
| processorID | Event processor ID |
| relevance | Relevance |
| retentionBucket | Retention bucket dummy |
| severity | Severity |
| sourceASN | Source ASN |
| sourceBytes | Source bytes |
| sourceDSCP | Source DSCP |
| sourceFlags | Source flags |
| sourceIP | Source IP |
| sourceIfIndex | Source interface index (ifIndex) |
| sourcePackets | Source packets |
| sourcePayload | Source payload |
| sourcePort | Source port |
| sourcePrecedence | Source precedence |
| sourcev6 | IPv6 source |
| startTime | Start time |
| viewObjectPair | View object pair |

Supported Simarc Fields for AQL Queries

The simarc fields that you can query are listed in the following table.

Table 3: Supported Simarc Fields for AQL Queries

| Field name | Description |
|---|---|
| destinationPort | Destination port key creator |
| destinationType | Destination type key creator |
| deviceId | Device key creator |
| direction | Direction key creator |
| eventCount | Event count key creator |
| eventFlag | Flag key creator |
| applicationId | Application ID key creator |
| flowCount | Flow count key creator |
| destinationBytes | Destination bytes key creator |
| flowSource | Flow source key creator |
| sourceBytes | Source bytes key creator |
| lastPacketTime | Time key creator |
| protocolId | Protocol key creator |
| source | Source key creator |
| sourceType | Source type key creator |
| sourceRemoteNetwork | Source remote network key creator |
| destinationRemoteNetwork | Destination remote network key creator |
| sourceCountry | Source geographic key creator |
| destinationCountry | Destination geographic key creator |
| destination | Destination key creator |