NQL Examples

We have categorized these examples and provided a base query for each that you can customize to your own infrastructure and network topology:

Search for and alert on specific traffic

For example, East/West or North/South traffic, compliance requirements, or a forensics investigation.

Outbound traffic

srcinternal == true && dstinternal == false

Inbound traffic

srcinternal == false && dstinternal == true

Internal (East/West) traffic

srcinternal == true && dstinternal == true

Search for and alert on geographic-based activity

Discover compromised devices by their traffic to or from countries of concern, whether responding to a threat or proactively threat hunting.

Outbound traffic to Tier 1 countries of concern (T1 CoC)

srcinternal == true && dstinternal == false && (dstgeo.countrycode == MM OR dstgeo.countrycode == CN OR dstgeo.countrycode == ER OR dstgeo.countrycode == IN OR dstgeo.countrycode == IR OR dstgeo.countrycode == NG OR dstgeo.countrycode == KP OR dstgeo.countrycode == PK OR dstgeo.countrycode == RU OR dstgeo.countrycode == SA OR dstgeo.countrycode == SY OR dstgeo.countrycode == TJ OR dstgeo.countrycode == TM OR dstgeo.countrycode == VN)

Country codes are ISO 3166 two-letter codes (VN is Vietnam). Adjust the list to your own organization's country-of-concern policy.

Bad Actors

Such as finding traffic to or from IPs on reputation lists, botnets, or phishing and spam sources.

IPs that matched an IP reputation list

dstiprep.count >= 1 or srciprep.count >= 1

Outbound traffic to non-approved geographies

srcipname == PointOfSaleSystem AND dstgeo.countrycode != US AND dstgeo.countrycode != CA

Note that the approved countries must be excluded with AND, not OR: `dstgeo.countrycode != US OR dstgeo.countrycode != CA` is true for every destination (a US destination satisfies the second test, a Canadian one the first), so it matches all traffic from the point-of-sale system.
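The following is an added example, not part of the NQL documentation or Netography's code: it re-implements two of the predicates from this page in Python and runs them over constructed flow records, so the effect of two boolean pitfalls (negating an allow-list with OR instead of AND, and leaving port alternatives unparenthesised next to &&) is visible. The dictionary keys mirror the NQL field names used on this page; every IP, hostname and country value is invented sample data.

```python
"""Added example: evaluate NQL-style predicates over constructed flow records.

Not Netography code.  Field names mirror the NQL fields on this page
(srcipname, srcinternal, dstinternal, dstgeo.countrycode, dstport);
all values are constructed sample data.
"""

SAMPLE_FLOWS = [
    {"srcipname": "PointOfSaleSystem", "srcinternal": True,  "dstinternal": False,
     "dstgeo.countrycode": "US", "dstport": 443,  "dstip": "203.0.113.10"},
    {"srcipname": "PointOfSaleSystem", "srcinternal": True,  "dstinternal": False,
     "dstgeo.countrycode": "CA", "dstport": 443,  "dstip": "203.0.113.20"},
    {"srcipname": "PointOfSaleSystem", "srcinternal": True,  "dstinternal": False,
     "dstgeo.countrycode": "RU", "dstport": 80,   "dstip": "198.51.100.5"},
    # internal web server talking to an internal host on 8080 (East/West)
    {"srcipname": "websvr",            "srcinternal": True,  "dstinternal": True,
     "dstgeo.countrycode": "US", "dstport": 8080, "dstip": "10.0.0.7"},
    # Internet client reaching an internal host on 8080 (inbound)
    {"srcipname": "inetclient",        "srcinternal": False, "dstinternal": True,
     "dstgeo.countrycode": "US", "dstport": 8080, "dstip": "10.0.0.8"},
]

APPROVED_COUNTRIES = {"US", "CA"}


def non_approved_geo_wrong(flow):
    """`!= US OR != CA`: every country passes at least one side, so the
    geography test is always true and this reduces to the srcipname test."""
    cc = flow["dstgeo.countrycode"]
    return flow["srcipname"] == "PointOfSaleSystem" and (cc != "US" or cc != "CA")


def non_approved_geo(flow):
    """Correct form: the destination must be outside every approved country."""
    return (flow["srcipname"] == "PointOfSaleSystem"
            and flow["dstgeo.countrycode"] not in APPROVED_COUNTRIES)


def outbound_web_wrong(flow):
    """`a && b && dstport == 80 || dstport == 8080` with no parentheses:
    AND binds tighter than OR, so any flow to 8080 matches, inbound and
    East/West flows included.  The parentheses here show that grouping."""
    return ((flow["srcinternal"] and not flow["dstinternal"] and flow["dstport"] == 80)
            or flow["dstport"] == 8080)


def outbound_web(flow):
    """Correct form: group the port alternatives before combining with the
    direction tests."""
    return (flow["srcinternal"] and not flow["dstinternal"]
            and flow["dstport"] in (80, 8080))


def matching_destinations(predicate, flows=SAMPLE_FLOWS):
    """Return the destination IPs of the flows a predicate selects, in order."""
    return [f["dstip"] for f in flows if predicate(f)]


if __name__ == "__main__":
    for label, pred in [("geo (wrong)", non_approved_geo_wrong),
                        ("geo", non_approved_geo),
                        ("web (wrong)", outbound_web_wrong),
                        ("web", outbound_web)]:
        print(f"{label:12s} -> {matching_destinations(pred)}")
```

Running it shows the wrong geography predicate selecting all three point-of-sale flows and the wrong web predicate selecting the two non-outbound 8080 flows; the corrected forms each select only the Russian destination.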

Configuration validation or misconfiguration

Finding traffic that should not exist between applications and systems, or drift between deployments.

Web tier to application tier

(srcipname == websvr && dstipname != appSvr) or (srcipname != websvr && dstipname == appSvr)

This matches the web server talking to anything other than the application server, and anything other than the web server talking to the application server. Both indicate a flow the tier design does not allow.

Compliance

Enforce compliance for specific applications or regions, or make reporting and compliance audits easier with audit-ready proof of enforcement.

Detect network activity on specific ports (NetBIOS)

srcinternal == true && ((protocol == udp && (dstport == 137 OR dstport == 138)) OR (protocol == tcp && dstport == 139))

NetBIOS name service (137) and datagram service (138) run over UDP; the session service (139) runs over TCP, so a single `protocol == udp` clause would never match it.

Search for traffic between production environments and dev or test

tags == Production && (tags == dev or tags == test)

Show (presumed) successful SSH flows from the Internet to the internal network

srcinternal == false && dstinternal == true && protocol == tcp && dstport == 22 && bits > 300 && packets > 3

A completed TCP handshake followed by any payload produces more than three packets and a few hundred bits, so the size filters drop single-packet scans and rejected connections. This is a heuristic for a completed connection, not proof of a successful login.

FTP and Telnet usage

protocol == tcp && tcpflags.ack == true && (dstport == 21 || dstport == 23)

Discovery by port and protocol usage

Discover devices using SSH outbound

protocol == tcp && dstport == 22 && tcpflags.ack == true && dstinternal == false

Discover devices sending > 100 MB of data outbound

srcinternal == true AND dstinternal == false track by srcip, dstip threshold sum(bits) > 800000000

The threshold is expressed in bits because `bits` is the field being summed: 100 MB is 100 x 8 x 1,000,000 = 800,000,000 bits (decimal megabytes; use 838,860,800 for 100 MiB). Change the value to suit your own baseline.
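The following is an added example, not part of the NQL documentation or Netography's code: it performs the same per-(srcip, dstip) aggregation and threshold test in Python over a constructed batch of flow records, so the bits-versus-megabytes arithmetic and the effect of the direction filter are explicit. It assumes a flow record carries srcip, dstip, srcinternal, dstinternal and bits, as the NQL fields on this page do; NQL's `track by` operates over the platform's own time window, whereas this script aggregates whatever batch it is given.

```python
"""Added example: 'track by srcip, dstip threshold sum(bits)' in Python.

Not Netography code.  Flow tuples are constructed sample data with the
same field meanings as the NQL fields on this page.
"""
from collections import defaultdict

MEGABYTE_BITS = 8 * 1_000_000          # one decimal megabyte expressed in bits
THRESHOLD_BITS = 100 * MEGABYTE_BITS   # the page's 100 MB threshold: 800,000,000 bits

# (srcip, dstip, srcinternal, dstinternal, bits)
SAMPLE_FLOWS = [
    ("10.0.0.5",    "203.0.113.9",  True,  False,  60 * MEGABYTE_BITS),
    ("10.0.0.5",    "203.0.113.9",  True,  False,  50 * MEGABYTE_BITS),  # same pair: 110 MB total
    ("10.0.0.6",    "198.51.100.2", True,  False,  70 * MEGABYTE_BITS),
    ("10.0.0.6",    "203.0.113.9",  True,  False,  40 * MEGABYTE_BITS),  # different pair
    ("10.0.0.7",    "10.0.0.8",     True,  True,  900 * MEGABYTE_BITS),  # East/West: filtered out
    ("203.0.113.9", "10.0.0.5",     False, True,  200 * MEGABYTE_BITS),  # inbound: filtered out
]


def outbound_bits_by_pair(flows):
    """Apply the filter, then 'track by srcip, dstip' summing bits per pair."""
    totals = defaultdict(int)
    for srcip, dstip, src_internal, dst_internal, bits in flows:
        if src_internal and not dst_internal:      # srcinternal == true AND dstinternal == false
            totals[(srcip, dstip)] += bits         # sum(bits) per tracked key
    return dict(totals)


def over_threshold(flows, threshold_bits=THRESHOLD_BITS):
    """Return the (srcip, dstip) pairs whose outbound total exceeds the threshold."""
    return sorted((pair, total) for pair, total in outbound_bits_by_pair(flows).items()
                  if total > threshold_bits)


if __name__ == "__main__":
    for (srcip, dstip), total in over_threshold(SAMPLE_FLOWS):
        print(f"{srcip} -> {dstip}: {total / MEGABYTE_BITS:.0f} MB outbound")
```

Only 10.0.0.5 -> 203.0.113.9 is reported: two 60 MB and 50 MB flows to the same destination sum past the threshold, while 10.0.0.6 stays under it because its traffic is split across two destinations, and the large internal and inbound flows never enter the sum.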

X11 discovery

protocol == tcp and (dstport >= 6000 and dstport <= 6002)

BitTorrent traffic discovery

protocol == tcp and (dstport >= 6881 and dstport <= 6889)

Outbound SSH Traffic

srcinternal == true && dstinternal == false && dstport == 22

Outbound Unencrypted Web traffic

srcinternal == true && dstinternal == false && (dstport == 80 || dstport == 8080)

Outbound Unencrypted FTP traffic

srcinternal == true && dstinternal == false && (dstport == 20 || dstport == 21)

Outbound Unencrypted Telnet traffic

srcinternal == true && dstinternal == false && dstport == 23

NetBIOS/SMB outbound ports

srcinternal == true && dstinternal == false && (dstport == 445 || dstport == 139 || dstport == 137)

Dynamic port to dynamic port

srcinternal == true && dstinternal == false && protocol == tcp && srcport > 49151 && dstport > 49151

Outbound DNS over TLS (DoT, port 853)

srcinternal == true AND dstinternal == false AND protocol == tcp AND dstport == 853