Common Expression Language (CEL)

About queries and Common Expression Language

Stairwell allows you to query data and relationships in your environments using Common Expression Language (CEL).

A basic query in Stairwell includes an entity, a property, and a value, with a structure similar to this:

entity.property == "value"

You can query any of the top-level entities in Stairwell based on their CEL identifier:

  • rule
  • object
  • net (network entity)

Each one of the top-level entities has unique properties that can be evaluated along with a specific value you wish to express.

For example, an object has hash-type properties (MD5, SHA-1, and SHA-256). You can create a query with the object as your top-level entity, hash type as your property, and then include the specific value you are looking for. An example query with this structure would look like this:

object.md5 == "6f5902ac237024bdd0c176cb93063dc4"

Note that each entity has unique properties. A hash-type property would not work with a rule top-level entity, for example. You must craft your query to match an expression that works with the top-level entity you are using.

CEL queries can be performed on any view within Stairwell; however, they will not always show results unless you are in the correct view. For example, if you query rule.name == "example_rule" while you are in the Objects view, no results will show even if that rule exists, because the view is only for Objects. Make sure that you are in the correct view to see the output of your query.

What can be queried with CEL

The following are examples of top-level entities and properties you can use to create a CEL query for specific values within your environments.

  • rule

rule.name

rule.name == "<NAME>"

rule.status (INACTIVE, ACTIVE, ANCESTOR)

rule.version (<, <=, >, >=, ==, !=)

  • object

object.sha256 == "<SHA256>"

object.sha1 == "<SHA1>"

object.md5 == "<MD5>"

object.authenticode_verification_result (VALID, INVALID, UNSUPPORTED)

object.imphash == "<IMPHASH>"

  • net

net.hostname == "sub.domain.com"

net.ip == "1.2.3.4"

  • mal_eval

mal_eval.malicious == true

mal_eval.label.contains("trojan")

mal_eval.probability_bucket > r"PROBABILITY_VERY_HIGH"

Querying multiple entities

To query multiple entities, you can compose complex queries using the logical AND (&&) and IN (in) operators. You can do this to specify a list of things you wish to query or make selections based on the intersections of entities and their respective properties.

To query a simple list of objects, you would navigate to the Objects view and then specify multiple objects, like so:

object.sha256 in ["hash1", "hash2", "hash3"]

Querying with regular expression

A regular expression (regex) is a sequence of characters that specifies a matching search pattern. Regex CEL queries do not use ==; instead, .matches() is appended to the property and the pattern goes inside the parentheses as a string.

The following properties support regex matching:

  • rule.name

rule.name.matches("[Aa]pt")
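The following helper, added here as an example and not part of Stairwell's documentation or product, builds the kinds of queries shown in the "Querying multiple entities" and "Querying with regular expression" sections: it validates hash digests before placing them in an object.<hash> in [...] list, checks a pattern is valid regex before wrapping it in .matches(), and joins clauses with &&. The function names, the lower-casing of digests, and the sample digests are assumptions and constructed inputs.

```python
import hashlib
import re

# Hash-type properties of the `object` entity and the hex digest length each expects.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
_HEX = re.compile(r"^[0-9a-f]+$")


def cel_string(value: str) -> str:
    """Quote a value as a CEL string literal, escaping backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def object_hash_filter(hash_type: str, hashes: list[str]) -> str:
    """Build `object.<hash_type> == "..."` for one digest, or `object.<hash_type> in [...]`
    for several. Digests are lower-cased (assumption: Stairwell stores hex digests in
    lower case) and rejected when their length or alphabet does not fit the hash type,
    so a truncated or mistyped hash fails loudly instead of quietly matching nothing."""
    if hash_type not in HASH_LENGTHS:
        raise ValueError(f"unsupported object hash property: {hash_type}")
    clean = []
    for h in hashes:
        h = h.strip().lower()
        if len(h) != HASH_LENGTHS[hash_type] or not _HEX.match(h):
            raise ValueError(f"{h!r} is not a valid {hash_type} hex digest")
        clean.append(h)
    if not clean:
        raise ValueError("at least one hash is required")
    if len(clean) == 1:
        return f"object.{hash_type} == {cel_string(clean[0])}"
    return f"object.{hash_type} in [{', '.join(cel_string(h) for h in clean)}]"


def rule_name_matches(pattern: str) -> str:
    """Build a regex query on rule.name; re.compile raises re.error on a malformed pattern
    (a rough check only, since Python's regex dialect is not identical to CEL's)."""
    re.compile(pattern)
    return f"rule.name.matches({cel_string(pattern)})"


def all_of(*clauses: str) -> str:
    """Join clauses with logical AND, parenthesising each so precedence is explicit."""
    return " && ".join(f"({c})" for c in clauses)


if __name__ == "__main__":
    # Constructed sample digests: hashes of throwaway strings, not real samples.
    digests = [hashlib.sha256(s).hexdigest() for s in (b"sample-1", b"sample-2")]
    print(all_of(object_hash_filter("sha256", digests), "mal_eval.malicious == true"))
```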

Common environment IDs you'll query

In addition to your own environment IDs, there are a few malware and YARA rule feeds provided by Stairwell that may be helpful in your CEL queries.

The following is a list of IDs you may need to use the most, listed here for your reference:

Malware Feeds               Environment ID
VirusShare                  6HP5R3-ZM7DAN-RB4732-X6QPCJ36
Malshare                    D7W6M6-BA9BS4-BQ23Z4-NKCNWQ96
Malware Bazaar              D4447Q-WJJL6P-W7ME89-WHXJK8TW
Jotti                       VR9Z98-4KU7ZC-PCNFEG-FURQ66FW
vxintel                     TV6WCV-7Y79LE-BK79EY-C8GUEY46
Threat Report Feeds         MKYSAR-3XN9MB-3VAK3R-888ZJUTJ
Stairwell Public Verdicts   TT9GM5-JUMD8H-9828FL-GAW5NNX

Rule Feeds                  Environment ID
Stairwell OSINT             EB3DXY-3ZYFVH-6HNKJQ-GAPKHESS
Stairwell Methodology       GEG6FU-MRARGF-TLTM6X-H6MGDT5E
Stairwell Research          NQNJM6-5LSCAF-3MC5FJ-W8EKGW6N
Florian's Open Rules        NCS2SM-YHB2KT-SAFUDX-JC7F6WYA
Pro Rules                   XAKLND-DKWP3Z-56RL88-6XJ5NH46