Flow search using NQL Intersections

Suggest Edits

Multiple NQL statements can be intersected on a field (or multiple fields). 

Constraints

  • Only supported flow context searches
  • Max of 5 NQL search queries
  • Max of 5 intersected fields

In the portal, new parameters have been added to support intersecting queries.

FieldDescriptionNotes
intersectAn array of flow fields to intersect the multiple queries on.Max of five fields to intersect with. Required when length of search array is > 1
searchan array of NQL search strings$Max of 5 search strings
rollupperiodThe time bucket the intersection is valid.Only valid when search array is > 1. If not provided then no time bucketing will happen outside of the start/end search period.

Example Request

Current basic search request

POST https://api.netography.com/api/v1/search/flow
{
    "start": -3600,
    "end": 0,
    "size": 10,
    "search": "protocol == tcp"
}

New basic search request

POST https://api.netography.com/api/v1/search/flow
{
    "start": -3600,
    "end": 0,
    "intersect": \["srcip"\],
    "rollupperiod": 300,
    "size": 10,
    "search": \[
        "srcip == 10.0.0.0/8 && protocol == udp && dstport == 53",
        "protocol == tcp && srcport == 80"
    \]
}

Example Response

Current response

{
    "code": 200,
    "meta": {
        "count": 2,
        "tid": "673d8a71-a7b7-470b-8b7b-be8941cf4d8d",
        "timems": 17.937822,
        "totalcount": 10000
    },
    "data": \[
        {
            "dstip": "54.175.191.203",
            "protocol": "tcp",
            "srcip": "10.0.98.60"
        },
        {
            "dstip": "52.44.223.164",
            "protocol": "tcp",
            "srcip": "10.0.98.60"
        }
    \]
}

New response

New response with intersection on dstip, dstport. The intersection array will be the unique intersections found in the result set (data array). If rollupperiod is provided the starting timestamp will be included for each intersection.

{
    "code": 200,
    "meta": {
        "count": 4,
        "tid": "6d85deb5-36a2-4844-a00b-ebf2eeb70160",
        "timems": 23.291099,
        "totalcount": 10000
    },
    "data": \[
        {
            "dstip": "10.0.99.222",
            "dstport": 41000,
            "protocol": "tcp",
            "setid": 1,
            "srcip": "10.0.98.60",
            "timestamp": 1643395900
        },
        {
            "dstip": "10.0.99.222",
            "dstport": 41000,
            "protocol": "tcp",
            "setid": 1,
            "srcip": "10.0.98.60",
            "timestamp": 1643396200
        },
        {
            "dstip": "54.92.199.186",
            "dstport": 50000,
            "protocol": "tcp",
            "setid": 2,
            "srcip": "10.0.98.60",
            "timestamp": 1643396200
        },
        {
            "dstip": "54.92.199.186",
            "dstport": 50000,
            "protocol": "tcp",
            "setid": 2,
            "srcip": "10.0.98.60",
            "timestamp": 1643396500
        }
    \],
    "intersection": \[
        {"dstip": "10.0.99.222", "dstport": 41000, "setid": 1, "start": 1643395900, "end": 1643396200},
        {"dstip": "54.92.199.186", "dstport": 50000, "setid": 2, "start": 1643396200, "end": 1643396500}
    \]
}

Updated 7 months ago