NQL Examples
We have categorized these examples and provided a base query that you can customize to your own infrastructure and network topography:
Search for and alert on specific traffic
For example, East/West or North-South or compliance requirements or in a forensics investigation.
Outbound traffic
srcinternal == true && dstinternal == false
Inbound traffic
srcinternal == true && dstinternal == true
Search for and alert on geographic-based activity
Discover compromised devices via traffic from countries of concern, or for responding to threats or proactively threat hunting.
Outbound traffic to T1 CoC
dstgeo.countrycode == MM OR dstgeo.countrycode == CN OR dstgeo.countrycode == ER OR dstgeo.countrycode == IN OR dstgeo. countrycode == IR OR dstgeo.countrycode == NG OR dstgeo. countrycode == KP OR dstgeo.countrycode == PK OR dstgeo. countrycode == RU OR dstgeo.countrycode == SA OR dstgeo. countrycode == SY OR dstgeo.countrycode == TJ OR dstgeo. countrycode == TM OR dstgeo.countrycode == VM
Bad Actors
Such as finding IP reputation-based traffic, botnets, or phishing/spammers.
IPs that matched an IP reputation list
dstiprep.count >= 1 or srciprep.count >= 1
Outbound traffic to non-approved geographies
srcipname == PointOfSaleSystem AND (dstgeo.countrycode != US OR dstgeo.countrycode != CA)
Configuration validation or misconfiguration
Finding traffic that should not exist between applications and systems or drift between deployments.
Web application database
(srcipname == websvr && dstipname != appSvr) or (srcipname != websvr && dstipname != appSvr)
Compliance
Enforce compliance for specific applications or regions or make your reporting or compliance audits easier with audit-ready proof of enforcement.
Detect network activity on specific ports
srcinternal == true && protocol == udp && (dstport == 137 OR dstport == 138 OR dstport == 139)
Search for traffic between production environments and dev or test
tags == Production && (tags == dev or tags == test)
Show (presumed) successful flows from the Internet to the internal network, of SSH protocol
srcinternal == false && dstinternal == true && bits > 300 && packets > 3 && dstport:22
FTP and Telnet usage
protocol == tcp && tcpflags.ack == true && (dstport == 21 || dstport == 23)
Discovery by port and protocol usage
Discover devices using SSH outbound
protocol == tcp && dstport == 22 && tcpflags.ack == true && dstinternal != true
Discover devices sending > 100MB of data outbound
srcinternal == true AND dstinternal == false track by srcip, dstip threshold sum(bits) > x
x11 Discovery
protocol == tcp and (dstport >= 6000 and dstport \<= 6002)
BitTorrent traffic discovery
protocol == tcp and (dstport >= 6881 and dstport \<= 6889)
Outbound SSH Traffic
srcinternal == true && dstinternal == false && dstport == 22
Outbound Unencrypted Web traffic
srcinternal == true && dstinternal == false && dstport == 80 || dstport == 8080
Outbound Unencrypted FTP traffic
srcinternal == true && dstinternal == false && dstport == 20 || port == 21
Outbound Unencrypted Telnet traffic
srcinternal == true && dstinternal == false && dstport == 23
Netbios outbound ports
srcinternal == true && dstinternal == false && dstport == 445 || dstport == 139 || dstport == 137
Dynamic port to dynamic port
(srcinternal == true && dstinternal == false && srcport > 49151 && dstport > 49151) && srcinternal == true && protocol == TCP
Outbound encrypted DOT(853)
srcinternal == true AND dstinternal == false dstport == 853
Updated 3 months ago