Event, flow, and simarc fields for AQL queries
Use the Ariel Query Language (AQL) to retrieve specific fields from the events, flows,
and simarc tables in the Ariel database.
Supported event fields for AQL queries
The event fields that you can query are listed in the following table.
| Field name | Description |
|---|---|
| adekey | Ade key |
| adevalue | Ade value |
| category | Low-level category |
| creEventList | Matched custom rule |
| credibility | Credibility |
| destinationMAC | Destination MAC |
| destinationPort | Destination port |
| destinationv6 | IPv6 destination |
| destinationaddress | Destination address |
| destinationip | Destination IP |
| sourceaddress | Source address |
| deviceTime | Log source time |
| deviceType | Log source type |
| devicegrouplist | Device group list |
| domainID |
Domain ID |
| duration | Duration |
| endTime | Storage time |
| eventCount | Event count |
| eventDirection | Event direction: local-to-Local (L2L) local-to-remote (L2R) remote-to-local (R2L) remote-to-remote (R2R) |
| geographiclocation | geographic location |
| sourcegeographiclocation | Source geographic location |
| destinationgeographiclocation | Destination geographic location |
| hasIdentity | Has identity |
| hasOffense | Associated with offense |
| highLevelCategory | High-level category |
| identityhostname | Identity host name |
| identityip | Identity IP address |
| isduplicate | Is duplicate |
| isCREEvent | Is custom rule event |
| logsourceid | Log source ID |
| magnitude | Magnitude |
| pcappacket | PCAP packet |
| partialMatchList | Partial match list |
| partialorMatchList | Partial or match list |
| payload | Payload |
| postNatDestinationIP | Destination IP after NAT |
| postNatDestinationPort | Destination port after NAT |
| postNatSourceIP | Source IP after NAT |
| postNatSourcePort | Source port after NAT |
| preNatDestinationIP | Destination IP before NAT |
| preNatDestinationPort | Destination port before NAT |
| preNatSourceIP | Source IP before NAT |
| preNatSourcePort | Source port before NAT |
| protocolid | Protocol |
| processorId | Event Processor ID |
| qid | Event name ID |
| qideventid | Event ID |
| relevance | Relevance |
| severity | Severity |
| sourceIP | Source IP |
| sourceMAC | Source MAC |
| sourcePort | Source port |
| sourcev6 | IPv6 source |
| startTime | Start time |
| isunparsed | Event is unparsed |
| userName | User name |
Supported flow fields for AQL queries
The flow fields that you can query are listed in the following table.
| Field name | Description |
|---|---|
| applicationId | Application ID |
| category | Category |
| credibility | Credibility |
| destinationASN | Destination ASN |
| destinationBytes | Destination bytes |
| destinationDSCP | Destination DSCP |
| destinationFlags | Destination flags |
| destinationIP | Destination IP |
| destinationIfIndex | Destination if index |
| destinationPackets | Destination packets |
| destinationPayload | Destination payload |
| destinationPort | Destination port |
| destinationPrecedence | Destination precedence |
| destinationv6 | IPv6 destination |
| domainID |
Domain ID |
| fullMatchList | Full match list |
| firstPacketTime | First packet time |
| flowBias | Flow bias |
| flowDirection | Flow direction local-to-local (L2L) local-to-remote (L2R) remote-to-local (R2L) remote-to-remote (R2R) |
| flowInterfaceID | Flow interface ID |
| flowSource | Flow Source |
| flowType | Flow type |
| geographic | Matches geographic location |
| hasDestinationPayload | Has destination payload |
| hasOffense | Has offense payload |
| hasSourcePayload | Has source payload |
| icmpCode | Icmp code |
| icmpType | ICMP type or code |
| flowInterface | Flow interface |
| intervalId | Interval ID |
| isDuplicate | Duplicate event |
| lastPacketTime | Last packet time |
| partialMatchList | Partial match list |
| protocolId | Protocol ID |
| qid | Qid |
| processorID | Event processor ID |
| relevance | Relevance |
| retentionBucket | Retention bucket dummy |
| severity | Severity |
| sourceASN | Source ASN |
| sourceBytes | Source bytes |
| sourceDSCP | Source DSCP |
| sourceFlags | Source flags |
| sourceIP | Source IP |
| sourceIfIndex | Source if index |
| sourcePackets | Source packets |
| sourcePayload | Source payload |
| sourcePort | Source port |
| sourcePrecedence | Source precedence |
| sourcev6 | IPv6 source |
| startTime | Start time |
| viewObjectPair | View object pair |
Supported simarc fields for AQL queries
The simarc fields that you can query are listed in the following table.
| Field name | Description |
|---|---|
| destinationPort | Destination port key creator |
| destinationType | Destination type key creator |
| deviceId | Device key creator |
| direction | Direction key creator |
| eventCount | Event count key creator |
| eventFlag | Flag key creator |
| applicationId | Application ID key creator |
| flowCount | Flow count key creator |
| destinationBytes | Destination bytes key creator |
| flowSource | Flow source key creator |
| sourceBytes | Source bytes key creator |
| lastPacketTime | Time key creator |
| protocolId | Protocol key creator |
| source | Source key creator |
| sourceType | Source type key creator |
| sourceRemoteNetwork | Source remote network key creator |
| destinationRemoteNetwork | Destination remote network key creator |
| sourceCountry | Source geographic key creator |
| destinationCountry | Destination geographic key creator |
| destination | Destination key creator |