CEL Query Language
Overview
Stairwell allows you to query data and relationships in your environments using Common Expression Language (CEL).
CEL provides a powerful syntax for filtering and searching entities across the Stairwell platform. Analysts use CEL queries to locate malware indicators, hunt for suspicious files, filter YARA rules, and explore network indicators.
A typical CEL query consists of three parts:
entity.property == "value"
Example:
object.md5 == "6f5902ac237024bdd0c176cb93063dc4"
| Component | Meaning |
|---|---|
| entity | Data type being queried |
| property | Attribute of that entity |
| value | Value you are matching |
Entities
CEL queries operate on top-level entities within Stairwell.
| Entity | Description |
|---|---|
| object | Files and binaries ingested into Stairwell |
| rule | YARA rules |
| net | Network indicators such as IP addresses or hostnames |
| mal_eval | Machine learning malware evaluation results |
Each entity supports different properties.
Example:
object.sha256 == "HASH"
Query Structure
General CEL query format:
entity.property OPERATOR value
Example:
rule.name == "example_rule"
⚠️ Queries only return results if the current Stairwell view matches the entity.
Example:
| Query | Correct View |
|---|---|
| rule.name == "example" | Rules view |
| object.sha256 == "hash" | Objects view |
Supported Properties
rule
rule.name == "<NAME>"
rule.status == ACTIVE
rule.status != INACTIVE
rule.version > 5
rule.tag == "MALWARE"
object
object.sha256 == "<SHA256>"
object.sha1 == "<SHA1>"
object.md5 == "<MD5>"
object.imphash == "<IMPHASH>"
object.authenticode_verification_result == VALID
object.tag == "<TAG>"
object.tag in ["TAG1","TAG2"]
Note
object.tag queries cannot be combined with other logical operators.
net
net.hostname == "sub.domain.com"
net.ip == "1.2.3.4"
mal_eval
mal_eval.malicious == true
mal_eval.label.contains("trojan")
mal_eval.probability_bucket > r"PROBABILITY_VERY_HIGH"
Operators
| Operator | Meaning | Example |
|---|---|---|
| == | Equal | object.sha256 == "hash" |
| != | Not equal | rule.status != ACTIVE |
| < | Less than | rule.version < 5 |
| > | Greater than | rule.version > 2 |
| <= | Less than or equal | rule.version <= 3 |
| >= | Greater than or equal | rule.version >= 10 |
| in | Value in list | object.sha256 in ["h1","h2"] |
| && | Logical AND | Combine queries |
Querying Multiple Values
Example:
object.sha256 in ["hash1","hash2","hash3"]
Example with AND:
object.imphash == "abcd1234" && mal_eval.malicious == true
Regex Queries
Regular expression queries use .matches().
Example:
rule.name.matches("[Aa]pt")
This matches:
apt
APT
Apt
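To make the operator, list-membership, AND and regex semantics above concrete, here is an added evaluator for the CEL subset this page shows. It is example code written for this page, not Stairwell's implementation: the real platform evaluates CEL server-side, and the record layout (one dict key per entity, with the sample hashes, tags and labels constructed as placeholders) is an assumption made so the snippet runs offline. It also enforces the note above that object.tag cannot be combined with other logical operators.

```python
"""Evaluator for the CEL subset shown on this page (added example, not Stairwell code).

The query is split into &&-joined clauses; each clause is parsed with a
regular expression and evaluated against a plain dict that stands in for one
record.  The record layout (one key per entity: object, rule, net, mal_eval)
is an assumption made for this example; Stairwell evaluates CEL server-side.
"""
import re
from typing import Any

# entity.property OPERATOR value
CLAUSE_RE = re.compile(
    r'^\s*(?P<entity>\w+)\.(?P<prop>[\w.]+)\s*'
    r'(?P<op>==|!=|<=|>=|<|>|\bin\b)\s*(?P<value>.+?)\s*$'
)
# entity.property.matches("regex") or entity.property.contains("text")
METHOD_RE = re.compile(
    r'^\s*(?P<entity>\w+)\.(?P<prop>[\w.]+)\.(?P<method>matches|contains)'
    r'\(\s*r?"(?P<arg>[^"]*)"\s*\)\s*$'
)

OPS = {
    '==': lambda a, b: a == b,
    '!=': lambda a, b: a != b,
    '<': lambda a, b: a < b,
    '>': lambda a, b: a > b,
    '<=': lambda a, b: a <= b,
    '>=': lambda a, b: a >= b,
    'in': lambda a, b: a in b,
}


def parse_value(text: str) -> Any:
    """Turn the right-hand side of a clause into a Python value."""
    text = text.strip()
    if text.startswith('r"'):                # raw string literal r"..."
        return text[2:-1]
    if text.startswith('"'):                 # string literal
        return text[1:-1]
    if text.startswith('['):                 # list of literals (no commas inside items)
        return [parse_value(v) for v in text[1:-1].split(',') if v.strip()]
    if text in ('true', 'false'):
        return text == 'true'
    if re.fullmatch(r'-?\d+', text):
        return int(text)
    return text                              # bare enum such as ACTIVE or VALID


def lookup(record: dict, entity: str, prop: str) -> Any:
    """Resolve a dotted entity.property path; None when any step is missing."""
    node = record.get(entity)
    for part in prop.split('.'):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def eval_clause(clause: str, record: dict) -> bool:
    """Evaluate one clause (no && inside) against the record."""
    m = METHOD_RE.match(clause)
    if m:
        actual = lookup(record, m['entity'], m['prop'])
        if not isinstance(actual, str):
            return False
        if m['method'] == 'matches':         # unanchored regex search, as in CEL
            return re.search(m['arg'], actual) is not None
        return m['arg'] in actual            # contains() is a substring test
    m = CLAUSE_RE.match(clause)
    if not m:
        raise ValueError(f'unsupported clause: {clause!r}')
    actual = lookup(record, m['entity'], m['prop'])
    if actual is None:                       # a missing property never matches
        return False
    return OPS[m['op']](actual, parse_value(m['value']))


def split_clauses(query: str) -> list:
    """Split on logical AND; the subset on this page has no || or parentheses."""
    return query.split('&&')


def tag_rule_violation(query: str) -> bool:
    """True when object.tag is combined with another clause, which the page forbids."""
    clauses = split_clauses(query)
    return len(clauses) > 1 and any('object.tag' in c for c in clauses)


def evaluate(query: str, record: dict) -> bool:
    """Return whether the record satisfies every clause of the query."""
    if tag_rule_violation(query):
        raise ValueError('object.tag queries cannot be combined with other operators')
    return all(eval_clause(c, record) for c in split_clauses(query))


# Constructed sample records; hashes, tags and labels are placeholders, not real IoCs.
SAMPLE_OBJECT = {
    'object': {'sha256': 'a' * 64, 'imphash': 'abcd1234', 'tag': 'SUSPICIOUS'},
    'mal_eval': {'malicious': True, 'label': 'trojan.generic'},
}
SAMPLE_RULE = {'rule': {'name': 'apt_loader_v2', 'status': 'ACTIVE', 'version': 7}}

if __name__ == '__main__':
    for q in ('object.imphash == "abcd1234" && mal_eval.malicious == true',
              'mal_eval.label.contains("trojan")'):
        print(q, '->', evaluate(q, SAMPLE_OBJECT))
    print('rule.name.matches("[Aa]pt") ->', evaluate('rule.name.matches("[Aa]pt")', SAMPLE_RULE))
```

Two behaviours worth noting when reading the results: matches() is an unanchored search, so a pattern only needs to occur somewhere in the property, and a property absent from the record makes an equality clause false rather than raising an error, which mirrors how a hunt query simply returns no rows for entities that lack the attribute.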
Example Threat Hunting Queries
Search by hash:
object.sha256 == "HASH"
Search by import hash:
object.imphash == "IMPHASH"
Search by YARA rule:
rule.name == "example_rule"
Search by hostname:
net.hostname == "malicious.domain.com"
Search for malicious files:
mal_eval.malicious == true
Search for trojan-labeled files:
mal_eval.label.contains("trojan")
Common Environment IDs
Malware Feeds
| Feed | Environment ID |
|---|---|
| VirusShare | 6HP5R3-ZM7DAN-RB4732-X6QPCJ36 |
| Malshare | D7W6M6-BA9BS4-BQ23Z4-NKCNWQ96 |
| Malware Bazaar | D4447Q-WJJL6P-W7ME89-WHXJK8TW |
| Jotti | VR9Z98-4KU7ZC-PCNFEG-FURQ66FW |
| vxintel | TV6WCV-7Y79LE-BK79EY-C8GUEY46 |
| Threat Report Feeds | MKYSAR-3XN9MB-3VAK3R-888ZJUTJ |
| Stairwell Public Verdicts | TT9GM5-JUMD8H-9828FL-GAW5NNX |
Rule Feeds
| Feed | Environment ID |
|---|---|
| Stairwell OSINT | EB3DXY-3ZYFVH-6HNKJQ-GAPKHESS |
| Stairwell Methodology | GEG6FU-MRARGF-TLTM6X-H6MGDT5E |
| Stairwell Research | NQNJM6-5LSCAF-3MC5FJ-W8EKGW6N |
| Florian's Open Rules | NCS2SM-YHB2KT-SAFUDX-JC7F6WYA |
| Pro Rules | XAKLND-DKWP3Z-56RL88-6XJ5NH46 |