NQL Examples
Netography Query Language (NQL) is a compact but expressive query language that lets security teams search enriched flow records and create, save and reuse custom searches to analyze, investigate, and respond to suspicious traffic or incidents.
For example, you can isolate and analyze specific traffic, geo activity, bad-actor traffic, misconfigurations, and more. The sample queries below are easy to adapt and cover common security and network use cases. With NQL you can:
- Search for flows, alerts, or interfaces
- Filter statistics and aggregations
- Define custom algorithms to alert on
We have categorized these examples and provided a base query that you can customize to your own infrastructure and network topography:
Search for and alert on specific traffic
For example, East/West or North/South traffic, compliance requirements, or a forensic investigation.
Outbound traffic
srcinternal == true && dstinternal == false
Inbound traffic
srcinternal == false && dstinternal == true
Internal (East/West) traffic
srcinternal == true && dstinternal == true
Search for and alert on geo-activity
Discover compromised devices via traffic to or from countries of concern, respond to threats, or proactively threat hunt.
Outbound traffic to Tier 1 countries of concern (T1 CoC); adjust the ISO 3166 country-code list to your own policy
srcinternal == true && (dstgeo.countrycode == MM OR dstgeo.countrycode == CN OR dstgeo.countrycode == ER OR dstgeo.countrycode == IN OR dstgeo.countrycode == IR OR dstgeo.countrycode == NG OR dstgeo.countrycode == KP OR dstgeo.countrycode == PK OR dstgeo.countrycode == RU OR dstgeo.countrycode == SA OR dstgeo.countrycode == SY OR dstgeo.countrycode == TJ OR dstgeo.countrycode == TM OR dstgeo.countrycode == VN)
Bad actors
For example, finding traffic based on IP reputation, or traffic to and from botnets, phishing sites or spammers.
Find, alert on and block connections to known bad-reputation IPs
dstiprep.count >= 1 or srciprep.count >= 1
Outbound traffic to a non-approved geo (both conditions must hold; written with OR, the parenthesized clause is true for every destination)
srcipname == PointOfSaleSystem AND (dstgeo.countrycode != US AND dstgeo.countrycode != CA)
Configuration validation or misconfiguration
Finding traffic that should not exist between applications and systems or drift between deployments.
Web application tiers: web server traffic not going to the app server, or app server traffic not coming from the web server
(srcipname == websvr && dstipname != appSvr) or (srcipname != websvr && dstipname == appSvr)
Compliance
Enforce compliance for specific applications or regions, and simplify reporting and compliance audits with audit-ready proof of enforcement.
Detect misconfiguration or compromise through legacy NetBIOS services (UDP 137/138/139)
srcinternal == true && protocol == udp && (dstport == 137 OR dstport == 138 OR dstport == 139)
Search for traffic between production environments and dev or test
tags == Production && (tags == dev or tags == test)
Show (presumed) successful SSH flows from the Internet to the internal network; the byte and packet minimums exclude flows with only a handful of small packets (scans, refused connections), so only likely sessions remain
srcinternal == false && dstinternal == true && dstport == 22 && bits > 300 && packets > 3
FTP and Telnet usage
protocol == tcp && tcpflags.ack == true && (dstport == 21 || dstport == 23)
Discovery by port and protocol usage
Discover devices using SSH outbound
protocol == tcp && dstport == 22 && tcpflags.ack == true && dstinternal != true
Discover devices sending more than 100 MB of data outbound (set x to the threshold in bits; 100 MB is 800000000 bits)
srcinternal == true AND dstinternal == false track by srcip, dstip threshold sum(bits) > x
x11 Discovery
protocol == tcp and (dstport >= 6000 and dstport <= 6002)
BitTorrent traffic discovery
protocol == tcp and (dstport >= 6881 and dstport <= 6889)
Outbound SSH Traffic
srcinternal == true && dstinternal == false && dstport == 22
Outbound Un-encrypted Web traffic
srcinternal == true && dstinternal == false && (dstport == 80 || dstport == 8080)
Outbound Un-encrypted FTP traffic
srcinternal == true && dstinternal == false && (dstport == 20 || dstport == 21)
Outbound Un-encrypted Telnet traffic
srcinternal == true && dstinternal == false && dstport == 23
NetBIOS/SMB outbound ports
srcinternal == true && dstinternal == false && (dstport == 445 || dstport == 139 || dstport == 137)
Dynamic port to dynamic port
srcinternal == true && dstinternal == false && protocol == tcp && srcport > 49151 && dstport > 49151
Outbound encrypted DNS over TLS (DoT, port 853)
srcinternal == true AND dstinternal == false AND dstport == 853
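The filters on this page are boolean expressions over flow fields, and the mistakes that are easiest to make in them (writing `... && dstport == 80 || dstport == 8080` without parentheses, or `countrycode != US OR countrycode != CA` when you mean AND) only show up once the filter is run against records. The following is an added example, not Netography's code and not NQL's real parser: a small Python evaluator for the subset of syntax used on this page (comparison operators, `&&`/`AND`, `||`/`OR`, parentheses, with AND binding tighter than OR), plus a model of the `... track by srcip, dstip threshold sum(bits) > x` form from the 100 MB query, run over constructed sample flows. Field names mirror the page (`srcinternal`, `dstgeo.countrycode`, `tcpflags.ack`); the `flow()` helper, the "10/8 means internal" rule and the sample records are assumptions made for the demo.

```python
"""NQL-style flow filter evaluator (added example, not Netography's code).
Subset only: ==, !=, <, <=, >, >=, && / AND, || / OR, parentheses; AND binds
tighter than OR, and an absent field matches nothing."""
import operator
import re
from collections import defaultdict

TOKEN = re.compile(r"\s*(\(|\)|==|!=|<=|>=|<|>|&&|\|\||AND\b|OR\b|and\b|or\b|[A-Za-z_][\w.]*|\d+)")
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def tokenize(text):
    pos, out, text = 0, [], text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize {text[pos:pos + 12]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out

class Parser:
    """Recursive descent over the token list: or_expr -> and_expr -> atom."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok
    def or_expr(self):
        node = self.and_expr()
        while self.peek() in ("||", "OR", "or"):
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.atom()
        while self.peek() in ("&&", "AND", "and"):
            self.take()
            node = ("and", node, self.atom())
        return node
    def atom(self):
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, lit = self.take(), self.take(), self.take()
        if field is None or op not in OPS or lit is None:
            raise ValueError(f"expected 'field op value' near {field!r}")
        # Right-hand side is an integer, a boolean, or a bare string such as US or tcp.
        lit = int(lit) if lit.isdigit() else {"true": True, "false": False}.get(lit.lower(), lit)
        return ("cmp", field, op, lit)

def compile_nql(text):
    parser = Parser(tokenize(text))
    node = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return node

def evaluate(node, flow):
    if node[0] == "and":
        return evaluate(node[1], flow) and evaluate(node[2], flow)
    if node[0] == "or":
        return evaluate(node[1], flow) or evaluate(node[2], flow)
    _, field, op, lit = node
    value = flow.get(field)
    return value is not None and OPS[op](value, lit)

def search(text, flows):
    """Flows matching an NQL-style filter."""
    node = compile_nql(text)
    return [f for f in flows if evaluate(node, f)]

def track_threshold(text, flows, keys, field, limit):
    """Model `<filter> track by k1, k2 threshold sum(field) > limit`."""
    totals = defaultdict(int)
    for f in search(text, flows):
        totals[tuple(f[k] for k in keys)] += f[field]
    return {k: v for k, v in totals.items() if v > limit}

def flow(srcip, dstip, dstport, bits, packets, country=None, protocol="tcp"):
    """Constructed sample record; 10/8 stands in for 'internal' in this demo."""
    rec = {"srcip": srcip, "dstip": dstip, "srcinternal": srcip.startswith("10."),
           "dstinternal": dstip.startswith("10."), "protocol": protocol,
           "srcport": 51000, "dstport": dstport, "bits": bits, "packets": packets}
    if country:
        rec["dstgeo.countrycode"] = country
    return rec

FLOWS = [  # constructed sample flows, not real traffic
    flow("10.0.0.5", "203.0.113.9", 80, 4000, 6, "US"),
    flow("198.51.100.7", "10.0.0.8", 8080, 9000, 12),
    flow("10.0.0.5", "198.51.100.20", 443, 500_000_000, 40000, "DE"),
    flow("10.0.0.5", "198.51.100.20", 443, 400_000_000, 30000, "DE"),
    flow("10.0.0.9", "10.0.0.8", 137, 800, 1, protocol="udp"),
]
```

Against these records, `search("srcinternal == true && dstinternal == false && dstport == 80 || dstport == 8080", FLOWS)` returns both the outbound port-80 flow and the inbound port-8080 flow, because `||` binds last; the parenthesized form returns only the outbound flow. Likewise `dstgeo.countrycode != US OR dstgeo.countrycode != CA` matches every outbound flow with a country code, while the AND form matches only the two German destinations. `track_threshold("srcinternal == true && dstinternal == false", FLOWS, ("srcip", "dstip"), "bits", 800_000_000)` flags only the 10.0.0.5 to 198.51.100.20 pair, whose two flows sum to 900000000 bits, which is how a per-pair threshold differs from a per-flow filter on `bits`.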