Stanza Attributes

The stanza identifies what kind of data you want and where to find it in the database. Think of stanzas as tables within the database.

Stanzas are the first part of every filter, and must be placed before the curly brackets. They are not case sensitive.

There are thirteen stanzas to query from. If you use multiple filters, you must enter filters hierarchically as shown in the following list.

  • domain{}
  • devicegroup{}
  • device{}
  • policy{}
  • rule{}
  • natrule{}
  • control{}
  • assessment{}
  • asset{}
  • networkObj{} - Only allowed when querying for network objects
  • serviceObj{} - Only allowed when querying for service objects
  • userObj{} - Only allowed when querying for user objects
  • appObj{} - Only allowed when querying for application objects
  • profileObj{} - Only allowed when querying for security profiles
  • ticket{}
  • review{}

 

Each of the above stanzas supports different attributes that are relevant to it. A SIQL query only supports a logical AND of the stanzas.

That means you can only do:

domain{id = 2} and devicegroup{id = 1}

You cannot use an OR operator between the stanzas. In the example above the domain criteria is ANDed with the device group criteria.

Each type of stanza has well defined search criteria that it can accept. These are defined in the document further below.

For example, if you have a filter for device and another filter for rule, you must enter the device filter first.

device{managementIp='192.168.20.1'} and rule{name='Access to Accounting'}
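
The ordering and AND-only rules above can be checked before a query is submitted. The following is an added example, not Security Manager code: the function names are hypothetical, the stanza order is taken from the list above, and it assumes the `and` keyword is matched case-insensitively and that a stanza body ends at the first unquoted `}`.

```python
import re

# Stanza names in the hierarchical order listed above, lower-cased because
# stanza names are not case sensitive.
STANZA_ORDER = [
    "domain", "devicegroup", "device", "policy", "rule", "natrule",
    "control", "assessment", "asset", "networkobj", "serviceobj",
    "userobj", "appobj", "profileobj", "ticket", "review",
]
RANK = {name: i for i, name in enumerate(STANZA_ORDER)}

_STANZA = re.compile(r"\s*([A-Za-z]+)\s*\{")
_JOINER = re.compile(r"\s*([A-Za-z]+)\b")


def _find_close(query, start):
    """Return the index of the '}' that ends a stanza body, ignoring quoted text."""
    quote = None
    for i in range(start, len(query)):
        ch = query[i]
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "}":
            return i
    raise ValueError("stanza body is missing its closing '}'")


def parse_stanzas(query):
    """Split a query into [(stanza_name, body), ...], enforcing AND-only joins."""
    stanzas, pos = [], 0
    while True:
        m = _STANZA.match(query, pos)
        if not m:
            raise ValueError(f"expected a stanza at offset {pos}")
        if m.group(1).lower() not in RANK:
            raise ValueError(f"unknown stanza {m.group(1)!r}")
        close = _find_close(query, m.end())
        stanzas.append((m.group(1), query[m.end():close].strip()))
        if not query[close + 1:].strip():
            return stanzas
        j = _JOINER.match(query, close + 1)
        word = j.group(1).lower() if j else ""
        if word == "or":
            raise ValueError("OR is not allowed between stanzas; only AND")
        if word != "and":
            raise ValueError(f"expected 'and' after offset {close}")
        pos = j.end()


def order_problems(query):
    """List each adjacent pair of stanzas that breaks the hierarchical order."""
    names = [name for name, _ in parse_stanzas(query)]
    return [
        f"{cur}{{}} must come before {prev}{{}}"
        for prev, cur in zip(names, names[1:])
        if RANK[cur.lower()] < RANK[prev.lower()]
    ]


def normalize(query):
    """Rewrite a query with its stanzas in hierarchical order, joined by 'and'."""
    ordered = sorted(parse_stanzas(query), key=lambda s: RANK[s[0].lower()])
    return " and ".join(f"{name}{{{body}}}" for name, body in ordered)
```

`order_problems` returns an empty list for a correctly ordered query, and `normalize` can reorder stanzas that a script assembled in the wrong order.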

 

Assessment Stanza

The assessment stanza supports the following attributes.

Attribute Name Attribute Type Description
description String The description of the assessment, set either by Security Manager, or the user.
id UUID The 128-bit unique identifier for the control.
lastRunDate Date The date the assessment was last run.
name String The name of the assessment.
sci Double The SCI score of the assessment.

 

Connection Stanza

The connection stanza supports the following attributes.

Attribute Name Attribute Type Description
ID Integer The system-generated ID for the device.
name String The name of the connection.
description String The description of the connection.

 

Connection Custom Properties

The following table defines the custom properties that you can populate for a rule query.

Connection Property Name SIQL Property Name
Application Name p.application_name
Business Justification p.business_justification
Business Unit p.business_unit
Owner p.owner

 

Control Stanza

The control stanza supports the following attributes.

Attribute Name Attribute Type Description
code String The value of the control code.
description String The description of the control, set either by Security Manager or the user.
id UUID The 128-bit unique identifier for the control.
name String The name of the control.
severity Integer The severity of a control failure.
status String The status of the control result.
tag String The user-defined grouping of the control and identifier.
allowlist Boolean Whether the control is allowlisted or not.

 

Device Stanza

The device stanza supports the following attributes. A search will only return the specific device in the query, not nested devices.

Attribute Name Attribute Type Description
changeStatus String The status of a device configuration change.
complexity Double The complexity of the device.
description String The description of the domain, set either by Security Manager, or by the user.
id Integer The system-generated ID for the device.
lastUpdated Date The last date the device was edited.
lastRevision Date The last date a new configuration was retrieved and sent to Security Manager.
lastSciComputeDate Date The last date the SCI value was computed.
licensed String The product name code for which the device is licensed.
logStatus String The ability of a device to receive and record syslog messages.
managementStationId Integer The Management Station ID. When included in a device stanza in a SIQL query, this attribute returns the children devices of the Management Station ID.
managementIp String The management IP address of the device, typically the IP that Data Collector uses to connect to the device for retrievals.

The managementIp attribute supports set operations. For example:

device{managementIp EQUALS '192.168.20.12'}

device{managementIp IS SUBSET OF '192.168.20.0/24'}

device{managementIp INTERSECTS '192.168.20.0/24'}

device{managementIp IS DISJOINT FROM '193.168.20.12/32'}

name String The unique name for the device.
p.* String A device property. When using in a SIQL query, enter a property name in place of the asterisk.
retrievalStatus String The status of a configuration retrieval.
sci Double The device SCI.
type String The device type for the device, such as FIREWALL, EDGE, or LOG.
totalSecRules Integer The number of rules in the device.
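
The set operators shown for managementIp above (and used with source, destination and addressSpace elsewhere in this reference) are illustrated below in an added example that is not Security Manager code. It assumes the operators carry their usual set meaning over the IPv4 addresses each side represents, and it goes beyond the single-address case by letting a value hold several networks; the device names, rule names and function names are constructed for illustration.

```python
import ipaddress


def address_set(*cidrs):
    """Collapse IPv4 addresses/CIDR blocks into a minimal sorted list of networks."""
    # strict=False accepts operands with host bits set, such as '8.8.8.0/16'.
    nets = [ipaddress.IPv4Network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def _subset(a, b):
    # After collapsing, a block covered by b always sits inside one block of b.
    return all(any(x.subnet_of(y) for y in b) for x in a)


def _intersects(a, b):
    return any(x.overlaps(y) for x in a for y in b)


# Assumed semantics: ordinary set relations over the represented addresses.
OPERATORS = {
    "EQUALS": lambda a, b: a == b,
    "IS SUBSET OF": _subset,
    "IS SUPERSET OF": lambda a, b: _subset(b, a),
    "INTERSECTS": _intersects,
    "IS DISJOINT FROM": lambda a, b: not _intersects(a, b),
}


def evaluate(value, operator, operand):
    """Apply one set operator; value is a list of CIDRs, operand a single CIDR."""
    key = " ".join(operator.upper().split())
    if key not in OPERATORS:
        raise ValueError(f"unsupported set operator {operator!r}")
    return OPERATORS[key](address_set(*value), address_set(operand))


def matching(inventory, operator, operand):
    """Names of the inventory entries whose address set satisfies the operator."""
    return sorted(n for n, v in inventory.items() if evaluate(v, operator, operand))


# Constructed sample data (not from the product or this page).
DEVICES = {
    "fw-core": ["192.168.20.12"],
    "fw-branch": ["192.168.20.200"],
    "fw-dmz": ["192.168.21.5"],
}
RULE_SOURCES = {
    "allow-accounting": ["192.168.20.0/25", "192.168.20.128/25"],
    "allow-any-internal": ["192.168.0.0/16"],
    "allow-partner": ["192.168.20.240/28", "10.9.0.0/24"],
}

if __name__ == "__main__":
    for op in OPERATORS:
        print(op, matching(RULE_SOURCES, op, "192.168.20.0/24"))
```

For a single management IP, IS SUBSET OF and INTERSECTS select the same devices; they differ once a value spans several networks, as the rule sources show.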

 

Device Group Stanza

The device group stanza supports the following attributes. A search will only return the specific device group in the query, not nested devices.

Attribute Name Attribute Type Description
avgDeviceComplexity Double The average complexity of the devices in the device group (not including nested device groups).
avgDeviceSci Double The average SCI of a device in the device group (not including nested device groups).
description String The description of the domain, set either by Security Manager, or by the user.
id Integer The system-generated ID for the device.
name String The unique name for the device.
lastUpdated Date The last date the device was edited.
lastSciComputeDate Date The last date the SCI value was computed.
sci Double The device SCI.
totalDevices Integer The number of devices in the device groups (not including nested device groups).
totalSecRules Integer The number of rules in the device.

 

Domain Stanza

The domain stanza supports the following attributes.

Attribute Name Attribute Type Description
id Integer The system-generated domain ID.
name String The unique name for the domain.
description String The description of the domain, set either by Security Manager, or by the user.
lastSciComputeDate Date The last date the SCI was computed.

 

License Values

These are the codes for the products for which a device can be licensed.

Product Code Product Name
SM Security Manager
PP Policy Planner
PO Policy Optimizer
RA Risk Analyzer

 

Configuration Change Status Values

The following table lists the possible status values for a device configuration change.

Value Name Description
Active The configuration change is currently in progress.
Disabled The user stopped the configuration change.
Down The change status is currently unavailable. Data Collector cannot connect to the log server.
Unknown The configuration change failed.

 

Retrieval Status Values

The following table lists the possible status values for a configuration change retrieval.

Value Name Description
Retrieving Data Collector is in the process of retrieving the updated configuration.
Failure Data Collector failed to retrieve the updated configuration.
Success Data Collector successfully retrieved the updated configuration.

 

Log Status Values

The following table lists the possible status values for a device's syslog recording.

Value Name Description
ACTIVE The device is able to retrieve and record syslog messages.
DISABLED The device is unable to retrieve and record syslog messages.
DOWN The device cannot connect to the syslog server.
LEA_DOWN The device cannot connect to a Check Point log server.
NOT_APPLICABLE The device doesn't have the plugin needed for logging syslog messages.
NO_CONFIGURATION The device doesn't have a regex defined for syslog monitoring.
NO_LOG_RECORD The device isn't retrieving syslog messages.
RETRIEVING The device is in the process of retrieving syslog messages.
SUCCESS The device has successfully retrieved syslog messages.
UNKNOWN The device has not yet retrieved any syslog messages.

 

Policy Stanza

The policy stanza supports the following attribute.

Attribute Name Attribute Type Description
name String The name of the policy.

 

NAT Rule Stanza

The NAT rule stanza supports the following attributes.

Attribute Name Attribute Type Description
comment String The free-form comment text a user can add to a rule.
created Date The date the rule was created.
destination Address A set operation for the rule destination.

Examples:

Destination IS SUBSET OF 192.168.1.20

Destination INTERSECTS 192.168.1.20

Destination IS SUPERSET OF 192.168.1.20

Destination IS DISJOINT FROM 192.168.1.20

Destination EQUALS 192.168.1.20

destinationTranslated Address A set operation for the translated rule destination column.
destination.any, destination.name, destination.id, destination.type, destination.zone Boolean, String, UUID, String The value in the "Destination" column of the rule.
destination.addressSpace, destinationTranslated.addressSpace Integer The count of all the addresses represented in the "Destination" column.
destination.expandedObjectCount, destinationTranslated.expandedObjectCount Integer The count of all the objects in the expanded "Destination" column.
destination.objectCount, destinationTranslated.objectCount Integer The number of all the objects in the "Destination" column.
disabled Boolean Whether a setting is enabled or disabled.
id UUID The unique NAT rule ID for the specific revision.
log Boolean Whether logging is enabled or disabled.
name String The GUID for a rule.
number Integer The policy-defined rule number.
p.* Varies A rule property or custom property. Each property has a defined key value that takes the place of the wildcard character. String, boolean, date, integer, and string array key values are supported.
service Service A set operation for the rule service.

Examples:

Service IS SUBSET OF 192.168.1.20

Service INTERSECTS 192.168.1.20

Service IS SUPERSET OF 192.168.1.20

Service IS DISJOINT FROM 192.168.1.20

Service EQUALS 192.168.1.20

serviceTranslated Service A set operation on the translated service column.
service.port, service.portRange, service.protocol, service.any, service.name, service.id, service.type Number, Boolean, String, Boolean, String, UUID, String The value in the "Service" column for the rule.
service.anyport, serviceTranslated.anyport Boolean Whether any destination port is allowed.
service.expandedObjectCount, serviceTranslated.expandedObjectCount Integer The number of objects in the expanded "Service" column.
service.icmpPortCount, serviceTranslated.icmpPortCount Integer The number of ICMP type and code values in the "Service" column.
service.objectCount, serviceTranslated.objectCount Integer The number of objects in the expanded "Service" column.
service.portCount, serviceTranslated.portCount Integer The number of destination ports in the "Service" column.
service.tcpPortCount Integer The number of destination TCP ports in the "Service" column.
service.udpPortCount Integer The number of destination UDP ports in the "Service" column.
severity Double The cumulative severity of a rule as defined by its assessments.
source Address A set operation for the rule source.

Examples:

Source IS SUBSET OF 192.168.1.20

Source INTERSECTS 192.168.1.20

Source IS SUPERSET OF 192.168.1.20

Source IS DISJOINT FROM 192.168.1.20

Source EQUALS 192.168.1.20

sourceTranslated Address A set operation for the translated rule source column.
source.any, source.name, source.id, source.type, source.zone Boolean, String, UUID, String The value in the "Source" column of the rule.
source.addressspace, sourceTranslated.addressSpace Integer The number of the addresses represented in the "Source" column of the NAT rule.
source.objectCount Integer The number of objects in the "Source" column.
source.expandedObjectCount, sourceTranslated.expandedObjectCount Integer The number of all the objects in the "Source" column.
source.portCount Integer The number of destination ports in the "Source" column.
user.any, user.name, user.id, user.type Boolean, String, UUID, String The value in the "User" column for the rule.
uid UUID The unique rule ID across all revisions.
user.expandedObjectCount Integer The number of all objects in the expanded "Application" column.
user.objectCount Integer The number of all objects in the "Application" column.

 

Rule Stanza

The rule stanza supports the following attributes.

Attribute Name Attribute Type Description
action String The action of the rule. See the Action Values table below for a list of valid values.

application.any, application.name, application.id, application.type Boolean, String, UUID, String The value in the "Application" column of the rule.
application.objectCount Integer The number of all objects in the "Application" column.
application.expandedObjectCount Integer The number of all objects in the expanded "Application" column.
bidirectional Boolean Whether the rule source is the same as its destination.
comment String The free-form comment text a user can add to a rule.
complexity Integer The complexity of the rule. The complexity is found by multiplying the number of sources, destinations, services, users, and applications.
created Date The date the rule was created.
destination Address A set operation for the rule destination.

Examples:

Destination IS SUBSET OF 192.168.1.20

Destination INTERSECTS 192.168.1.20

Destination IS SUPERSET OF 192.168.1.20

Destination IS DISJOINT FROM 192.168.1.20

Destination EQUALS 192.168.1.20

destination.any, destination.name, destination.id, destination.type, destination.zone Boolean, String, UUID, String The value in the "Destination" column of the rule.
destination.addressSpace Integer The count of all the addresses represented in this column of the rule.
destination.objectCount Integer The number of all the objects in the "Destination" column.
destination.expandedObjectCount Integer The count of all the objects in the expanded "Destination" column.
disabled Boolean Whether a setting is enabled or disabled.
expiration Date Rule expiration date.
id UUID The unique rule ID for the specific revision.
lastUseDate Date The date the rule was last used. The value will be null if the rule has never been used.

You can use lastUseDate to find unused rules by using the query "rule{lastUseDate is null}".

lastChanged Date The date the rule was last changed. The default value is the date the rule was created.
lastUpdated Date The date the rule properties were last updated. The default value is the date the rule was created.
lastRuleSeverityComputeDate Date The date when the cumulative rule severity value was computed.
log Boolean Whether logging is enabled or disabled.
name String The GUID for a rule.
number Integer The policy-defined rule number.
position String/Integer The rule's order in the policy. The query can include the strings FIRST and LAST. Otherwise, the value is assumed to be an integer.

Examples:

{position EQUALS first}

{position EQUALS last}

{position 3}

p.* Varies A rule property or custom property. Each property has a defined key value that takes the place of the wildcard character. String, boolean, date, integer, and string array key values are supported.
redundant Boolean Whether there is already a rule that performs the same action in the policy.
removable Boolean Whether the rule is redundant or shadowed and thus can be removed from the policy.
ruleName String The unique string name.
shadowed Boolean Whether there is a rule in the policy that performs the opposite action.
service Service A set operation for the rule service.

Examples:

Service IS SUBSET OF 192.168.1.20

Service INTERSECTS 192.168.1.20

Service IS SUPERSET OF 192.168.1.20

Service IS DISJOINT FROM 192.168.1.20

Service EQUALS 192.168.1.20

service.port, service.portrange, service.protocol, service.any, service.name, service.id, service.type Number, Boolean, String, Boolean, String, UUID, String The value in the "Service" column for the rule.
service.anyport Boolean Whether any destination port is allowed.
service.icmpPortCount Integer The number of ICMP type and code values in the "Service" column.
service.objectCount Integer The number of objects in the expanded "Service" column.
service.expandedObjectCount Integer The number of objects in the expanded "Service" column.
service.portCount Integer The number of destination ports in the "Service" column.
service.tcpPortCount Integer The number of destination TCP ports in the "Service" column.
service.udpPortCount Integer The number of destination UDP ports in the "Service" column.
severity Double The cumulative severity of a rule as defined by its assessments.
source Address A set operation for the rule source.

Examples:

Source IS SUBSET OF 192.168.1.20

Source INTERSECTS 192.168.1.20

Source IS SUPERSET OF 192.168.1.20

Source IS DISJOINT FROM 192.168.1.20

Source EQUALS 192.168.1.20

source.any, source.name, source.id, source.type, source.zone Boolean, String, UUID, String The value in the "Source" column of the rule.
source.addressspace Integer The number of the addresses represented in the "Source" column of the rule.
source.expandedObjectCount Integer The number of all the objects in the "Source" column.
source.objectCount Integer The number of objects in the "Source" column.
source.portCount Integer The number of destination ports in the "Source" column.
user.any, user.name, user.id, user.type Boolean, String, UUID, String The value in the "User" column for the rule.
uid UUID The unique rule ID across all revisions.
user.objectCount Integer The number of all objects in the "Application" column.
user.expandedObjectCount Integer The number of all objects in the expanded "Application" column.

 

Action Values

The following table defines the possible values for a rule action.

Action Value Name Description
ACCEPT This action allows traffic that matches the specified rule.
AUTHENTICATE The action
DROP This action drops packets that match the specified rule. The action will not notify you before dropping packets.
ENCRYPT This action encrypts outgoing packets and decrypts outgoing packets.
FROM_TUNNEL This action drops a packet and sends a notification to the source that the packet has been dropped.

 

Rule Custom Properties

The following table defines the custom properties that you can populate for a rule query.

Rule Custom Property Name SIQL Property Name
Alert On Change p.alert_on_change
Approver p.approver
Business Justification p.business_justification
Business Unit p.business_unit
Change Control Number p.change_control_number
Customer p.customer
Disaster Recovery p.disaster_recovery
Next Review Date p.next_review_date
Owner p.owner
Requestor p.requestor
Review Comment p.review_comment
Review Date p.review_date
Review Decision p.review_decision
Review User p.review_user
Verifier p.verifier

 

Status Values

The control status attribute supports the following values.

Value Name Description
PASS The control passed.
FAIL The control failed.
SKIPPED Security Manager did not execute the control and moved to the next control.
INFO The control requires more information.
ERROR An error occurred during the control run.

 

NetworkObj Stanza

The networkObj can only be used when querying for network objects, and is only applicable when querying the REST endpoint /siql/networkObj/paged-search.

Attribute Name Attribute Type Description
addressSpace Address A SET operation on the network address space represented by the given network object.

id UUID The unique network object ID for a revision.
uid UUID The unique network object ID across all revisions.
name String The name of the network object.
empty Boolean Whether the network object is empty or not. A network object is considered empty if it is of the GROUP type and it has no members.
referenced Boolean Whether the network object is referenced by a rule.
type String The type of network object.
ndProblem Boolean Whether a network object was flagged for having a problem during normalization. Objects that have problems are typically created as empty objects in the system.

 

ServiceObj Stanza

The serviceObj can only be used when querying for service objects, and is only applicable when querying the REST endpoint /siql/serviceObj/paged-search.

Attribute Name Attribute Type Description
addressSpace Address A SET operation on the network address space that is represented by this network object.

Examples:

networkobj{addressspace equals '8.8.8.0/24'}

networkobj{addressspace is subset of '8.8.8.0/16'}

networkobj{addressspace intersects '8.8.8.0/24'}

id UUID The unique service object ID for a revision.
uid UUID The unique service object ID across all revisions.
name String The name of the service object.
empty Boolean Whether the service object is empty or not. A service object is considered empty if it is of the GROUP type and it has no members.
referenced Boolean Whether the service object is referenced by a rule.
type String The type of service object.
ndProblem Boolean Whether a service object was flagged for having a problem during normalization. Objects that have problems are typically created as empty objects in the system.

 

UserObj Stanza

The userObj can only be used when querying for user objects, and is only applicable when querying the REST endpoint /siql/userObj/paged-search.

Attribute Name Attribute Type Description
id UUID The unique user object ID for a revision.
uid UUID The unique user object ID across all revisions.
name String The name of the user object.
empty Boolean Whether the user object is empty or not. A user object is considered empty if it is of the GROUP type and it has no members.
referenced Boolean Whether the user object is referenced by a rule.
type String The type of user object.
ndProblem Boolean Whether a user object was flagged for having a problem during normalization. Objects that have problems are typically created as empty objects in the system.

 

AppObj Stanza

The AppObj can only be used when querying for application objects, and is only applicable when querying the REST endpoint /siql/applicationObj/paged-search.

Attribute Name Attribute Type Description
id UUID The unique application object ID for a revision.
uid UUID The unique application object ID across all revisions.
name String The name of the application object.
empty Boolean Whether the application object is empty or not. An application object is considered empty if it is of the GROUP type and it has no members.
referenced Boolean Whether the application object is referenced by a rule.
type String The type of application object.
ndProblem Boolean Whether an application object was flagged for having a problem during normalization. Objects that have problems are typically created as empty objects in the system.

 

Object Type Values

The type attribute of network, service, user, and application objects supports the following values.

Value Name Description
ANY The object represents any address space.
SINGLE The object represents a specific address space, such as 192.168.20.0/24.
GROUP The object is a container for other objects.
SINGLE_GROUP The object contains an address and other nested member objects.

 

Ticket Stanza

The ticket stanza supports the following attributes. You can use the ticket stanza to query Policy Planner tickets. For more information, see the Policy Planner User's Guide.

Attribute Name Attribute Type Description
assignee.username Integer The username assigned to the ticket.
assignee.id Integer The ID of the user assigned to the ticket.
assignee.firstname String The first name of the user assigned to the ticket.
assignee.lastname String The last name of the user assigned to the ticket.
businessKey String This key can be used as a substitute for the process instance ID.
created Date The date the ticket was created.
creator.username String The username of the user who created the ticket.
creator.id Integer The ID of the user who created the ticket.
creator.firstname String The first name of the user who created the ticket.
creator.lastname String The last name of the user who created the ticket.
completed Date The date the ticket was closed.
completer.username String The username of the user who completed the ticket.
completer.id Integer The ID of the user who completed the ticket.
completer.firstname String The first name of the user who completed the ticket.
completer.lastname   The last name of the user who completed the ticket.
editable Boolean If TRUE, returns tickets that are currently in a task the user has WRITE permissions for, where the task is not completed and is either assigned to the user or unassigned. If FALSE, returns tickets that are in a task the user does not have WRITE permissions for.
id Long The ticket ID.
lastUpdated Date The date the ticket was last modified.
p.* Varies A rule property or custom property. Each property has a defined key value that takes the place of the wildcard character. String, boolean, date, integer, and string array key values are supported.
processInstanceId String The ID of the workflow process instance.
status String The status of the ticket.
task Integer The current workflow stage of the ticket.
task.completed Date The date the task was completed. If the task has not been completed, this value is null.
task.name String The display name of the task.
task.started Date The date a task was started.
user String A user in Policy Planner.
version Integer The workflow version for the ticket.
workflow Integer The workflow for the ticket.
workflow.name String The display name for the workflow.

 

Review Stanza

The review stanza supports the following attributes. You can use the review stanza to query Policy Optimizer reviews. For more information, see the Policy Optimizer User's Guide.

Attribute Name Attribute Type Description
businessKey String This key can be used as a substitute for the process instance ID.
created Date The date the review was created.
creator.username String The username of the user who created the review.
creator.id Integer The ID of the user who created the review.
creator.firstname String The first name of the user who created the review.
creator.lastname String The last name of the user who created the review.
completed Date The date the review was closed.
completer.username String The username of the user who completed the review.
completer.id Integer The ID of the user who completed the review.
completer.firstname String The first name of the user who completed the review.
completer.lastname   The last name of the user who completed the review.
id Long The review ID.
editable Boolean If TRUE, returns reviews that are currently in a task the user has WRITE permissions for, where the task is not completed and is either assigned to the user or unassigned. If FALSE, returns reviews that are in a task the user does not have WRITE permissions for.
lastUpdated Date The date the review was last modified.
p.* Varies A rule property or custom property. Each property has a defined key value that takes the place of the wildcard character. String, boolean, date, integer, and string array key values are supported.
processInstanceId String The ID of the workflow process instance.
status String The status of the review.
task Integer The current workflow stage of the review.
task.completed Date The date the task was completed. If the task has not been completed, this value is null.
task.name String The display name of the task.
task.started Date The date a task was started.
user String A user in Policy Planner.
version Integer The workflow version for the review.
workflow Integer The workflow for the review.
workflow.name String The display name for the workflow.