nano SIEM

Notebook @ Commands Reference

This reference covers all available @ commands for investigation notebooks, including syntax, examples, and AI-powered features.

Command Categories

Search & Analysis Commands

@search

Purpose: AI generates search queries from natural language descriptions

Syntax: @search <natural language description>

Examples:

@search find all failed logins in the last hour
@search show network connections from suspicious IP 192.168.1.100  
@search lateral movement activity involving domain admin accounts
@search data exfiltration attempts over 100MB
@search powershell execution with encoded commands

AI Output:

  • Generated nPL query
  • Natural language explanation
  • Reasoning steps taken
  • Fields used in the query
  • Query ready to run immediately

@pivot

Purpose: AI suggests related queries based on investigation context

Syntax: @pivot (no arguments)

AI Analysis:

  • Reviews recent notebook entries
  • Identifies investigation patterns
  • Suggests 2-4 follow-up queries
  • Provides rationale for each suggestion

Example Output:

Context: Investigating failed login attempts from 192.168.1.100

Suggested Pivots:
1. "Check for successful logins from same IP"
   → src_ip="192.168.1.100" AND event_type="login" AND result="success"
   
2. "Look for other IPs from same subnet"  
   → src_ip="192.168.1.*" | stats count by src_ip
   
3. "Find user accounts targeted by this IP"
   → src_ip="192.168.1.100" | stats count by target_user

@summarize

Purpose: Generate comprehensive AI summary of investigation

Syntax: @summarize (no arguments)

AI Summary Includes:

  • Investigation overview (2-3 sentences)
  • Key findings (3-5 bullet points)
  • Entities investigated (IPs, users, hosts, hashes)
  • Activity statistics (queries run, alerts reviewed)
  • Suggested next steps
  • Recommended disposition

Entity Reference Commands

@entity

Purpose: Reference any entity type with explicit typing

Syntax: @entity <type>:<value>

Supported Types:

  • ip - IP addresses (IPv4/IPv6)
  • user - Usernames, account names
  • host - Hostnames, computer names
  • hash - File hashes (MD5, SHA1, SHA256)
  • email - Email addresses
  • domain - Domain names
  • url - Full URLs
  • file - File paths
  • process - Process names

Examples:

@entity ip:192.168.1.100
@entity user:john.doe
@entity host:workstation-01
@entity hash:a1b2c3d4e5f67890abcdef1234567890
@entity email:suspicious@malicious.com
@entity domain:evil.com
@entity url:https://malicious.com/payload.exe
@entity file:/tmp/suspicious.exe
@entity process:powershell.exe

Entity Shortcuts

Purpose: Quick entity references without explicit typing

Syntax: @<type>:<value>

Available Shortcuts:

@ip:192.168.1.100           # IP address
@user:john.doe              # User account  
@host:workstation-01        # Hostname
@hash:a1b2c3d4e5f6...       # File hash
@email:user@company.com     # Email address
@domain:malicious.com       # Domain name
@url:https://evil.com       # URL
@file:/tmp/malware.exe      # File path
@process:powershell.exe     # Process name

Auto-Detection: If you use @ioc <value>, the system automatically detects the entity type:

  • 192.168.1.1 → IP
  • user@domain.com → Email
  • malicious.com → Domain
  • a1b2c3d4e5f6... → Hash (by length: 32, 40 or 64 hex characters for MD5, SHA1 or SHA256)
  • /path/to/file → File
  • process.exe → Process

Threat Intelligence Commands

@ioc

Purpose: Mark entities as Indicators of Compromise

Syntax: @ioc <value>

Features:

  • Automatic entity type detection
  • Confidence level recorded as analyst_confirmed (mark only indicators you have verified)
  • Visual IOC markers in timeline
  • Integration with threat intel feeds

Examples:

@ioc 192.168.1.100          # Malicious IP
@ioc malicious.com          # C2 domain
@ioc user@phishing.com      # Phishing email
@ioc a1b2c3d4e5f67890...    # Malware hash

IOC Display:

[IOC] Indicator of Compromise
   IP: 192.168.1.100
   Confidence: Analyst Confirmed

@timeline

Purpose: Add timeline markers for key investigation events

Syntax: @timeline <event description>

Use Cases:

  • Mark when attacks occurred
  • Note investigation milestones
  • Document decision points
  • Highlight critical findings

Examples:

@timeline Initial compromise detected via phishing email
@timeline Lateral movement to domain controller observed  
@timeline Malware payload downloaded from C2 server
@timeline Incident response team notified
@timeline Systems isolated and forensic imaging started

Timeline Display:

2024-01-03 14:23:45
   Initial compromise detected via phishing email

Linking Commands

@alert

Purpose: Link specific alerts to the investigation

Syntax: @alert (opens searchable dropdown)

Features:

  • Search alerts by rule name
  • Filter by severity, status, assignment
  • Show "My Alerts" toggle
  • Full alert context capture

Captured Information:

  • Alert ID and rule name
  • Severity and current status
  • Rule query and matched events
  • Risk score and sample events
  • Creation timestamp

Auto-Pivot: Linking an alert automatically triggers AI to suggest related queries based on the alert's context.

@detection

Purpose: Link detection rules to the investigation

Syntax: @detection (opens searchable dropdown)

Features:

  • Search rules by name
  • Filter by severity and mode
  • Show rule status (enabled/disabled)
  • Capture rule configuration

Captured Information:

  • Rule ID and name
  • Severity and detection mode
  • Complete rule query
  • Rule configuration details

AI Integration

All @ commands integrate with the AI system:

Context Awareness

  • AI learns from your @ command usage
  • Builds investigation context over time
  • Improves suggestions based on patterns
  • Remembers entity relationships

Auto-Suggestions

Commands that trigger automatic AI analysis:

  1. @alert → Generates pivot queries based on alert context
  2. @search → Provides query explanation and field analysis
  3. @pivot → Analyzes recent context for suggestions
  4. @summarize → Reviews entire investigation timeline

Smart Linking

  • Entities referenced via @ commands become searchable
  • Click any entity to generate contextual searches
  • AI suggests related entities based on investigation flow
  • Automatic IOC correlation across investigations

Command Syntax Rules

General Format

@<command> [arguments]

Argument Types

  • No arguments: @pivot, @summarize
  • Required text: @search <description>, @timeline <event>
  • Structured data: @entity <type>:<value>, @ip:<address>
  • Interactive selection: @alert, @detection

Special Characters

  • Colon (:) - Separates entity type from value
  • Spaces - Separate command from arguments
  • No quotes needed - Arguments can contain spaces naturally
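The auto-detection rules for @ioc and the command syntax rules above can be checked mechanically. The following Python is an added example, not nano SIEM's own code: it parses an @ command line into its parts, enforces the argument shape of each documented command, expands @<type>:<value> shortcuts, and classifies a bare @ioc value in the documented order. The regular expressions, the executable-extension list used to recognise process names, and the treatment of http(s):// prefixes as URLs are this example's assumptions, not behaviour documented on this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Entity types listed under @entity and the @<type>:<value> shortcuts.
ENTITY_TYPES = {"ip", "user", "host", "hash", "email", "domain", "url", "file", "process"}

# Argument shapes from "Command Syntax Rules"; the grouping is this example's.
NO_ARGS = {"pivot", "summarize"}
TEXT_ARGS = {"search", "timeline"}
INTERACTIVE = {"alert", "detection"}

# Hash detection is by length only (MD5/SHA1/SHA256 hex digests), so any other
# 32/40/64-character hex string, e.g. a dashless GUID, is also classed as a hash.
HASH_LENGTHS = {32, 40, 64}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
# Executable extensions treated as process names (assumed list, not from the page).
PROCESS_RE = re.compile(r"^[\w.-]+\.(exe|dll|ps1|bat|cmd|sh|py)$", re.I)


def detect_entity_type(value: str) -> str:
    """Classify a bare @ioc value, most specific check first, so that
    'process.exe' is not taken for a domain and a URL is not taken for a path."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)          # IPv4 or IPv6
        return "ip"
    except ValueError:
        pass
    if v.lower().startswith(("http://", "https://")):
        return "url"
    if EMAIL_RE.match(v):
        return "email"
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return "hash"
    if "/" in v or "\\" in v:           # POSIX or Windows path
        return "file"
    if PROCESS_RE.match(v):
        return "process"
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


@dataclass
class Command:
    name: str
    arg: str = ""
    entity_type: Optional[str] = None
    value: Optional[str] = None
    confidence: Optional[str] = None


# @<name>, an optional :<value> glued to the name (shortcut form), then optional
# free text. Only the first colon after the name splits, so IPv6 addresses and
# URLs keep their own colons; free text needs no quoting.
COMMAND_RE = re.compile(r"^@(?P<name>[a-z]+)(?::(?P<value>\S+))?(?:\s+(?P<arg>.+?))?\s*$", re.I)


def parse_command(line: str) -> Command:
    m = COMMAND_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an @ command: {line!r}")
    name, value, arg = m["name"].lower(), m["value"], m["arg"] or ""
    if name in NO_ARGS:
        if value or arg:
            raise ValueError(f"@{name} takes no arguments")
        return Command(name)
    if name in INTERACTIVE:
        return Command(name, arg)        # arg, if present, is the label picked in the dropdown
    if name in TEXT_ARGS:
        if not arg:
            raise ValueError(f"@{name} requires a description")
        return Command(name, arg)
    if name == "entity":                 # @entity <type>:<value>
        etype, sep, val = arg.partition(":")
        if not sep or etype.lower() not in ENTITY_TYPES or not val:
            raise ValueError("@entity requires <type>:<value>")
        return Command(name, arg, etype.lower(), val)
    if name == "ioc":                    # type is auto-detected, confidence fixed
        if not arg:
            raise ValueError("@ioc requires a value")
        return Command(name, arg, detect_entity_type(arg), arg, "analyst_confirmed")
    if name in ENTITY_TYPES:             # shortcut: @ip:..., @user:..., ...
        if not value:
            raise ValueError(f"@{name}: requires a value after the colon")
        return Command("entity", f"{name}:{value}", name, value)
    raise ValueError(f"unknown command @{name}")


def is_valid_command(line: str) -> bool:
    try:
        parse_command(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample lines taken from the examples on this page.
    for line in ["@ip:192.168.1.100", "@entity hash:a1b2c3d4e5f67890abcdef1234567890",
                 "@ioc malicious.com", "@ioc 2001:db8::1",
                 "@search find all failed logins in the last hour", "@pivot"]:
        print(parse_command(line))
```

Feeding the parser a shortcut written with a space instead of a colon (`@ip 192.168.1.100`) or `@pivot` followed by text raises, which is the behaviour you want from a front end that must not silently turn a typo into an entity reference.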

Auto-Completion

  • Type @ to see available commands
  • Commands show descriptions and examples
  • Entity types show in submenu for @entity
  • Alert/detection dropdowns show live search results

Integration Examples

Complete Investigation Flow

# Start with natural language search
@search suspicious powershell activity in last 24 hours

# Reference key entities found
@ip:192.168.1.100
@user:compromised.user
@process:powershell.exe

# Mark confirmed threats
@ioc 192.168.1.100
@ioc malicious.com

# Add timeline context
@timeline Initial access via spear phishing email
@timeline Powershell payload execution detected

# Link related alerts
@alert [Select: "Suspicious PowerShell Execution"]

# Get AI suggestions for next steps  
@pivot

# Generate final summary
@summarize

Collaborative Investigation

# Analyst 1 starts investigation
@search failed login attempts from external IPs
@ip:203.0.113.100
@timeline Brute force attack detected

# Analyst 2 adds context
@user:targeted.account
@timeline Account lockout triggered after 10 failed attempts

# Team lead reviews and summarizes
@summarize

Best Practices

Command Usage

  1. Start broad, get specific - Use @search for initial queries, then @pivot for focused analysis
  2. Mark threats immediately - Use @ioc as soon as you confirm malicious indicators
  3. Document timeline - Use @timeline for key events, not every action
  4. Link related items - Use @alert and @detection to build investigation context

AI Optimization

  1. Be descriptive with @search - "Find lateral movement using WMI" vs "show WMI events"
  2. Use @pivot regularly - AI learns your investigation patterns
  3. Provide context in @timeline - Help AI understand investigation flow
  4. Review AI suggestions before running them - Generated queries may use field names or logic that need refinement for your environment

Collaboration

  1. Use consistent entity formats - Helps team members find related work
  2. Add timeline context - Other analysts can follow your reasoning
  3. Link shared alerts - Creates bidirectional references
  4. Generate summaries - Share findings with @summarize before handoffs

@ Commands provide structured ways to enhance your investigations with AI assistance while maintaining detailed audit trails of your analysis workflow.
