Search with NQL Intersections
The Search page, found in the Investigate section of the left-hand menu, enables you to perform advanced searches using NQL Intersections. Intersections allow you to combine multiple NQL queries based on shared fields.
What is an Intersection?
An NQL Intersection allows for the logical combination of multiple independent NQL queries, focusing on the commonality between their results based on specified fields. This approach differs fundamentally from writing a single NQL query that combines conditions using logical operators like AND.
When you write a single long NQL query, all specified conditions are applied simultaneously within the same query scope. This means a record must satisfy every condition at once to be included in the results.
Intersections take a little effort to understand, but once you do, you can conduct complex NQL searches very quickly.
Using intersections is a powerful tool for network forensics.
You're monitoring network traffic and want to see if any device on your network is acting suspiciously.
Specifically, you want to find out if any device:
- Talked to a lot of different internal servers (which might mean it’s scanning the network).
- Sent data to an external IP (which could mean data is leaving the company).
Problem with a Single Search
You can construct a search for the first condition or the second, but if you tried a logical AND of the two, no single flow can satisfy both, and if you tried a logical OR of the two, you wouldn't know whether a device did both or just one of them.
Using an Intersection
Instead, you can run two separate searches:
- Find devices that talked to many different servers.
- Find devices that sent data to external IPs.
- Then, check whether the same device shows up in both searches by intersecting the two separate queries on the srcip field. If it does, the device is doing both network activities, even if not at the same time.
Intersections help you catch patterns of suspicious behavior that happen in different flows. By looking at these activities separately and then combining the results, you can see if a device is up to something that might be missed if you only looked for everything at once.
Limitations of Intersections
- Multiple NQL Queries: You can intersect up to 5 different NQL queries in a search
- Field Intersections: Up to 5 fields can be selected for intersecting the NQL queries
- Flow Only: Intersections are currently supported only for flow traffic searches
- Not Available in Global Filter: Intersections are only available on the Search page
Using intersections via API
You can search using Intersections in the Search Records API endpoint.
Using Intersections in the Portal
To create an intersection in the portal, navigate to the Search page under the Investigate section. Here’s how you can set up intersections:
- Add Multiple NQL Queries:
  - Start by entering your first NQL query in the input box.
  - Click the plus sign (+) next to the NQL input box to add up to 4 more queries (for a total of 5).
- Select Fields for Intersection:
  - For each query, select the fields on which you want to intersect the results. This defines how the results from each query will be combined, focusing on the overlap in these specific fields.
- Run the Search:
  - Once all queries and intersecting fields are set, run the search to see the combined results based on the intersections.
How intersections work
NQL Intersection allows you to run multiple NQL queries independently and then combine the results by intersecting them on specific fields. This means each query operates in isolation, and only the overlapping data points that meet the criteria across all intersected queries are included in the final result set.
- Independent Execution: Each query is executed independently, generating its own result set.
- Intersection: The intersection process identifies records that appear in all result sets based on the intersect-by fields.
- Only records whose intersected field values are found in all of the separate searches are included in the result set. This approach is more flexible than a combination of logical AND and OR conditions, as it allows independent conditions to be correlated afterwards through specific fields.
Key Points:
- Independent Evaluation: Each NQL query is evaluated independently, unlike a single long query where all conditions are evaluated in a single logical step.
- Field-Specific Intersection: The intersection occurs on specified fields (up to 5), ensuring that only data points that match across these fields in all queries are included.
- Result Set Correlation: The final result set is the intersection of the individual result sets, meaning it only includes common data points across all the queries based on the intersected fields.
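The following is an added example that models the intersection semantics above on the scanning-plus-egress scenario from earlier on this page. It is not Netography's code or the Search Records API: the flow records are constructed, the two "queries" are Python functions standing in for NQL queries, and the "10." prefix is assumed to mean internal.

```python
# Added example (not Netography's code): run each query independently over the
# same flows, then intersect the result sets on the chosen fields.
# Constructed flow records; "10." destinations are assumed to be internal.
FLOWS = [
    {"srcip": "10.0.0.5", "dstip": "10.0.1.10", "dstport": 445, "bytes": 120},
    {"srcip": "10.0.0.5", "dstip": "10.0.1.11", "dstport": 445, "bytes": 120},
    {"srcip": "10.0.0.5", "dstip": "10.0.1.12", "dstport": 445, "bytes": 120},
    {"srcip": "10.0.0.5", "dstip": "203.0.113.9", "dstport": 443, "bytes": 900000},
    {"srcip": "10.0.0.7", "dstip": "10.0.1.10", "dstport": 80, "bytes": 500},
    {"srcip": "10.0.0.7", "dstip": "10.0.1.11", "dstport": 80, "bytes": 500},
    {"srcip": "10.0.0.7", "dstip": "10.0.1.12", "dstport": 80, "bytes": 500},
    {"srcip": "10.0.0.9", "dstip": "198.51.100.4", "dstport": 443, "bytes": 50000},
]
MAX_QUERIES = 5  # limits stated on this page
MAX_FIELDS = 5

def is_internal(ip):
    return ip.startswith("10.")

def many_internal_servers(flows, threshold=3):
    """Query 1 (stand-in for NQL): flows from sources that contacted at least
    `threshold` distinct internal servers, i.e. scan-like behaviour."""
    seen = {}
    for f in flows:
        if is_internal(f["dstip"]):
            seen.setdefault(f["srcip"], set()).add(f["dstip"])
    noisy = {s for s, dsts in seen.items() if len(dsts) >= threshold}
    return [f for f in flows if f["srcip"] in noisy and is_internal(f["dstip"])]

def external_egress(flows):
    """Query 2 (stand-in for NQL): flows whose destination is external."""
    return [f for f in flows if not is_internal(f["dstip"])]

def single_query_and(flows):
    """One query demanding both conditions on the same flow: a destination can
    never be internal AND external, so this is the 'always empty' case."""
    return [f for f in flows if is_internal(f["dstip"]) and not is_internal(f["dstip"])]

def intersect(flows, queries, fields):
    """Evaluate every query in isolation, key each record by `fields`, and keep
    only keys present in all result sets (the page's intersection rule)."""
    if not 1 <= len(queries) <= MAX_QUERIES or not 1 <= len(fields) <= MAX_FIELDS:
        raise ValueError("up to 5 queries and up to 5 intersect fields")
    result_sets = [q(flows) for q in queries]
    key = lambda f: tuple(f[name] for name in fields)
    common = set.intersection(*(set(map(key, rs)) for rs in result_sets))
    return sorted(common)

if __name__ == "__main__":
    print(single_query_and(FLOWS))                                        # []
    print(intersect(FLOWS, [many_internal_servers, external_egress], ["srcip"]))
```

Intersecting on srcip alone finds 10.0.0.5; adding dstport to the fields yields nothing, because the scan flows and the egress flow use different ports, so choose intersect fields that the correlated behaviours actually share.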
Use Cases:
- Complex Filtering: When you need to filter data across multiple dimensions that don’t necessarily fit into a single query string
- Correlation of Data: When you want to correlate different aspects of data, such as matching IPs across different conditions (e.g., ports, protocols) without enforcing all conditions simultaneously.