Using Axonshell's Built-In Wizard

What is a wizard?

A wizard is of course someone skilled in magic. And while the Axonius platform itself is not magical, what it can do may seem that way, especially when it comes to our wizard.

Our wizard was created to give our users a graphical way to build very complex AQL statements in a form that is organized and easy to understand. An example of the wizard building AQL in the GUI looks like this:

On the right is the actual wizard and on the left is the generated AQL statement. The wizard can create very complex queries with complicated logic and can even embed other full queries inside that logic.

So this is great for the GUI, but what about the Python library and Axonshell? Are we stuck writing very complex AQL statements by hand with these? Not at all! We have a query wizard in these as well. Let's take a look at using the query wizard built into Axonshell.

How do I use the query wizard inside of Axonshell?

If you have already read our previous article, Using AQL with Axonshell, you already know two options for using AQL with axonshell: `--query` and `--query-file`. However, there is a third option available, which is to use the built-in query wizard:

 -wz, --wiz TYPE "EXPRESSION"    Build a query using an expression
                                  (multiples, will override --query)  [env
                                  var: AX_WIZARD_CONTENT]

This parameter needs two key pieces of information. The first is what type of field we are working with, which is either `simple` or `complex`. An example of a simple field is `name`, whose value is something simple like a string. A `complex` field is something like `installed_software`, which has a main object with many children that in turn have their own children.

The second is the wizard expression that the wizard will use to generate the AQL. Let's take a look at a simple example.

axonshell devices get --wiz simple "hostname contains test"

In this example we are targeting the simple field `hostname`, using the operator `contains` and looking for the value `test`. Not only is this easier than writing the AQL directly, it is also more human readable and less error prone.

Let's look at a complex example:

axonshell devices get --wiz complex "installed_software // name contains chrome // version earlier_than 82"

In this example, you will notice it is quite a bit different. Firstly, we are using `complex` instead of `simple` for the field type. Secondly, the expression contains `//`. This is the separator that splits the expression into entries for the sub-fields of a complex object. In this example we are looking for:

  • devices where `installed_software` exists
  • where the software `name` `contains` chrome
  • and where the software `version` is `earlier_than` 82

If you would like to see more examples of how to use the wizard, including what flags you can use as part of your expressions, you can run the following command:

❯ axonshell devices get --help-detailed wizard

# Example:
simple   ( hostname contains test
simple   ! hostname contains internal )
simple   ( os.type equals windows
simple   | os.type equals os x )
complex  installed_software // name contains chrome // version earlier_than 82

# Format -- [] represents optional items:
simple   [& | ! ( )] FIELD OPERATOR VALUE [)]
# Description: Filter entry for simple fields
complex  [& | ! ( )] COMPLEX-FIELD // SUB-FIELD OPERATOR VALUE[ //  ...] [)]
# Description: Filter entry for complex fields and their sub-fields

# Flags:
# &  Use and instead of or (default)
# |  Use or instead of and (overrides &)
# !  Use not
# (  Open a parentheses
# )  Close a parentheses (can also be at end of entry)
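To make the expression format above concrete (the `simple` and `complex` examples as well as the flag characters `& | ! ( )` from the format section), here is an added Python example that parses wizard entries into a small structure and renders them as a readable boolean expression. It is an illustration written for this article, not the parser inside axonshell or the axonius_api_client library, and it produces a human-readable string rather than real AQL. The class and function names (`Entry`, `parse_entry`, `parse_lines`, `render`) and the bracket notation used for complex fields are assumptions of this example.

```python
"""Parser for the axonshell --wiz expression format shown in the help text.

Added illustration only: this is NOT the axonius_api_client parser and the
output of render() is a readable boolean string, not real AQL.
"""
from dataclasses import dataclass
from typing import List, Optional

FLAG_CHARS = "&|!()"   # flags documented by --help-detailed wizard


@dataclass
class Condition:
    field: str
    operator: str
    value: str


@dataclass
class Entry:
    kind: str                            # "simple" or "complex"
    conditions: List[Condition]          # simple: one; complex: one per "// sub-field" segment
    complex_field: Optional[str] = None  # only set for complex entries
    logic: str = "and"                   # "&" is the default, "|" overrides it
    negate: bool = False                 # "!"
    open_paren: bool = False             # "("
    close_paren: bool = False            # ")" leading or at the end of the entry


def _strip_flags(text):
    """Consume leading flag characters [& | ! ( )] and an optional trailing ')'."""
    text = text.strip()
    logic, negate, open_p, close_p = "and", False, False, False
    while text and text[0] in FLAG_CHARS:
        ch, text = text[0], text[1:].lstrip()
        if ch == "|":
            logic = "or"          # '|' wins over '&' no matter the order given
        elif ch == "!":
            negate = True
        elif ch == "(":
            open_p = True
        elif ch == ")":
            close_p = True
    if text.endswith(")"):        # ')' is also allowed at the end of an entry
        close_p, text = True, text[:-1].rstrip()
    return text, logic, negate, open_p, close_p


def _parse_condition(text):
    """FIELD OPERATOR VALUE: the value is everything after the operator, so a
    multi-word value such as 'os x' is kept whole."""
    parts = text.split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"expected 'FIELD OPERATOR VALUE', got {text!r}")
    return Condition(*parts)


def parse_entry(kind, expr):
    """Parse one TYPE "EXPRESSION" pair as passed to --wiz."""
    if kind not in ("simple", "complex"):
        raise ValueError(f"unknown wizard type {kind!r}")
    body, logic, negate, open_p, close_p = _strip_flags(expr)
    if kind == "simple":
        return Entry("simple", [_parse_condition(body)], None, logic, negate, open_p, close_p)
    # complex: COMPLEX-FIELD // SUB-FIELD OPERATOR VALUE [// ...]
    segments = [s.strip() for s in body.split("//")]
    if len(segments) < 2 or not segments[0] or " " in segments[0]:
        raise ValueError(f"complex entry needs 'COMPLEX-FIELD // SUB-FIELD OPERATOR VALUE', got {expr!r}")
    conds = [_parse_condition(s) for s in segments[1:]]
    return Entry("complex", conds, segments[0], logic, negate, open_p, close_p)


def parse_lines(text):
    """Parse the multi-line 'TYPE   EXPRESSION' layout used in the help example."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, expr = line.split(None, 1)
        entries.append(parse_entry(kind, expr))
    return entries


def render(entries):
    """Join entries into a readable boolean expression and check the parentheses.
    The and/or flag of the first entry is dropped because nothing precedes it."""
    out, depth = [], 0
    for i, e in enumerate(entries):
        cond = lambda c: f'{c.field} {c.operator} "{c.value}"'
        if e.kind == "simple":
            clause = cond(e.conditions[0])
        else:  # complex field with all of its sub-field conditions
            clause = f"{e.complex_field}[" + " and ".join(cond(c) for c in e.conditions) + "]"
        if e.negate:
            clause = "not " + clause
        if e.open_paren:
            clause, depth = "( " + clause, depth + 1
        if e.close_paren:
            clause, depth = clause + " )", depth - 1
        if depth < 0:
            raise ValueError(f"')' without matching '(' at entry {i + 1}")
        if i:
            out.append(e.logic)
        out.append(clause)
    if depth:
        raise ValueError(f"{depth} unclosed '(' in wizard entries")
    return " ".join(out)


# Constructed input: the exact example printed by --help-detailed wizard.
HELP_EXAMPLE = """
simple   ( hostname contains test
simple   ! hostname contains internal )
simple   ( os.type equals windows
simple   | os.type equals os x )
complex  installed_software // name contains chrome // version earlier_than 82
"""

if __name__ == "__main__":
    print(render(parse_lines(HELP_EXAMPLE)))
```

Running the block prints `( hostname contains "test" and not hostname contains "internal" ) and ( os.type equals "windows" or os.type equals "os x" ) and installed_software[name contains "chrome" and version earlier_than "82"]`, which is the grouping the help example describes. The parenthesis counter in `render` is the kind of check worth having before a query is sent: an unbalanced `(` in a long multi-entry wizard is easy to miss by eye.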
