The WMI Query Language (WQL) is a subset of the American National Standards Institute Structured Query Language (ANSI SQL) with minor semantic changes. The following table lists the WQL keywords.
WQL keyword | Meaning |
---|---|
AND | Combines two Boolean expressions, and returns TRUE when both expressions are TRUE. |
ASSOCIATORS OF | Retrieves all instances that are associated with a source instance. Use this statement with schema queries and data queries. |
__CLASS | References the class of the object in a query. |
FROM | Specifies the class that contains the properties listed in a SELECT statement. Windows Management Instrumentation (WMI) supports data queries from only one class at a time. |
GROUP Clause | Causes WMI to generate one notification to represent a group of events. Use this clause with event queries. |
HAVING | Filters the events that are received during the grouping interval that is specified in the WITHIN clause. |
IS | Comparison operator used with NOT and NULL. The syntax for this statement is the following: IS [NOT] NULL (where NOT is optional) |
ISA | Operator that applies a query to the subclasses of a specified class. For more information, see ISA Operator for Event Queries, ISA Operator for Data Queries, and ISA Operator for Schema Queries. |
KEYSONLY | Used in REFERENCES OF and ASSOCIATORS OF queries to ensure that the resulting instances are only populated with the keys of the instances, which reduces the overhead of the call. |
LIKE | Operator that determines whether or not a given character string matches a specified pattern. |
NOT | Comparison operator used in a WQL SELECT query, for example: |
NULL | Indicates an object does not have an explicitly assigned value. NULL is not equivalent to zero (0) or blank. |
OR | Combines two conditions. When more than one logical operator is used in a statement, the OR operators are evaluated after the AND operators. |
REFERENCES OF | Retrieves all association instances that refer to a specific source instance. Use this statement with schema and data queries. The REFERENCES OF statement is similar to the ASSOCIATORS OF statement. However, it does not retrieve endpoint instances; it retrieves the association instances. |
SELECT | Specifies the properties that are used in a query. For more information, see SELECT Statement for Data Queries, SELECT Statement for Event Queries, or SELECT Statement for Schema Queries. |
TRUE | Boolean operator that evaluates to -1 (minus one). |
WHERE | Narrows the scope of a data, event, or schema query. |
WITHIN | Specifies a polling or grouping interval. Use this clause with event queries. |
FALSE | Boolean operator that evaluates to 0 (zero). |

Note
Using a WQL keyword as an object name can result in a query that cannot be parsed even when the query compiles without error.
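
Several of the keywords above combined in one data query and two event queries for process monitoring, as an added example that is not part of the original page. The classes `Win32_Process` and `__InstanceCreationEvent`, the `WqlDemo.*` source identifiers, and the interval and threshold values are assumptions chosen for illustration.

```powershell
# Added example (not from the original page). Class names, source identifiers,
# intervals and thresholds are illustrative assumptions.

# Data query: SELECT / FROM / WHERE with IS NOT NULL, LIKE, AND and OR.
# OR is evaluated after AND, so the parentheses make the intended grouping explicit.
$dataQuery = "SELECT Name, ProcessId, ExecutablePath FROM Win32_Process " +
             "WHERE ExecutablePath IS NOT NULL " +
             "AND (Name LIKE 'power%' OR Name = 'cmd.exe')"
Get-CimInstance -Query $dataQuery |
    Select-Object Name, ProcessId, ExecutablePath

# Event query: WITHIN sets the polling interval in seconds, and ISA also
# matches subclasses of the named class.
$eventQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
              "WHERE TargetInstance ISA 'Win32_Process'"
Register-CimIndicationEvent -Query $eventQuery `
    -SourceIdentifier 'WqlDemo.ProcessStart' -Action {
        $p = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Host ("{0} started (PID {1})" -f $p.Name, $p.ProcessId)
    } | Out-Null

# Grouped event query: GROUP WITHIN 60 collapses the events of each 60-second
# window into one notification; HAVING delivers it only above the threshold.
$burstQuery = $eventQuery + " GROUP WITHIN 60 HAVING NumberOfEvents > 20"
Register-CimIndicationEvent -Query $burstQuery `
    -SourceIdentifier 'WqlDemo.ProcessBurst' -Action {
        $n = $Event.SourceEventArgs.NewEvent.NumberOfEvents
        Write-Host "Process-creation burst: $n events in 60 seconds"
    } | Out-Null

# Remove both subscriptions when finished.
Get-EventSubscriber |
    Where-Object SourceIdentifier -like 'WqlDemo.*' |
    Unregister-Event
```

The subscriptions exist only for the lifetime of the PowerShell session that registered them.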