NQL Examples

We have categorized these examples and provided a base query that you can customize to your own infrastructure and network topography:

Search for and alert on specific traffic

For example, East/West or North-South or compliance requirements or in a forensics investigation.

Outbound traffic

srcinternal == true && dstinternal == false

Inbound traffic

srcinternal == true && dstinternal == true

Search for and alert on geographic-based activity

Discover compromised devices via traffic from countries of concern, or for responding to threats or proactively threat hunting.

Outbound traffic to T1 CoC

dstgeo.countrycode == MM OR dstgeo.countrycode == CN OR dstgeo.countrycode == ER OR dstgeo.countrycode == IN OR dstgeo. countrycode == IR OR dstgeo.countrycode == NG OR dstgeo. countrycode == KP OR dstgeo.countrycode == PK OR dstgeo. countrycode == RU OR dstgeo.countrycode == SA OR dstgeo. countrycode == SY OR dstgeo.countrycode == TJ OR dstgeo. countrycode == TM OR dstgeo.countrycode == VM

Bad Actors

Such as finding IP reputation-based traffic, botnets, or phishing/spammers.

IPs that matched an IP reputation list

dstiprep.count >= 1 or srciprep.count >= 1

Outbound traffic to non-approved geographies

srcipname == PointOfSaleSystem AND (dstgeo.countrycode != US OR dstgeo.countrycode != CA)

Configuration validation or misconfiguration

Finding traffic that should not exist between applications and systems or drift between deployments.

Web application database

(srcipname == websvr && dstipname != appSvr) or (srcipname != websvr && dstipname != appSvr)

Compliance

Enforce compliance for specific applications or regions or make your reporting or compliance audits easier with audit-ready proof of enforcement.

Detect network activity on specific ports

srcinternal == true && protocol == udp && (dstport == 137 OR dstport == 138 OR dstport == 139)

Search for traffic between production environments and dev or test

tags == Production && (tags == dev or tags == test)

Show (presumed) successful flows from the Internet to the internal network, of SSH protocol

srcinternal == false && dstinternal == true && bits > 300 && packets > 3 && dstport:22

FTP and Telnet usage

protocol == tcp && tcpflags.ack == true && (dstport == 21 || dstport == 23)

Discovery by port and protocol usage

Discover devices using SSH outbound

protocol == tcp && dstport == 22 && tcpflags.ack == true && dstinternal != true

Discover devices sending > 100MB of data outbound

srcinternal == true AND dstinternal == false track by srcip, dstip threshold sum(bits) > x

x11 Discovery

protocol == tcp and (dstport >= 6000 and dstport \<= 6002)

BitTorrent traffic discovery

protocol == tcp and (dstport >= 6881 and dstport \<= 6889)

Outbound SSH Traffic

srcinternal == true && dstinternal == false && dstport == 22

Outbound Unencrypted Web traffic

srcinternal == true && dstinternal == false && dstport == 80 || dstport == 8080

Outbound Unencrypted FTP traffic

srcinternal == true && dstinternal == false && dstport == 20 || port == 21

Outbound Unencrypted Telnet traffic

srcinternal == true && dstinternal == false && dstport == 23

Netbios outbound ports

srcinternal == true && dstinternal == false && dstport == 445 || dstport == 139 || dstport == 137

Dynamic port to dynamic port

(srcinternal == true && dstinternal == false && srcport > 49151 && dstport > 49151) && srcinternal == true && protocol == TCP

Outbound encrypted DOT(853)

srcinternal == true AND dstinternal == false dstport == 853

PreviousNQL Presets NextHow to find available NQL fields

Last updated 1 month ago

Good morning

hashtagSearch for and alert on specific traffic

hashtagOutbound traffic

hashtagInbound traffic

hashtagSearch for and alert on geographic-based activity

hashtagOutbound traffic to T1 CoC

hashtagBad Actors

hashtagIPs that matched an IP reputation list

hashtagOutbound traffic to non-approved geographies

hashtagConfiguration validation or misconfiguration

hashtagWeb application database

hashtagCompliance

hashtagDetect network activity on specific ports

hashtagSearch for traffic between production environments and dev or test

hashtagShow (presumed) successful flows from the Internet to the internal network, of SSH protocol

hashtagFTP and Telnet usage

hashtagDiscovery by port and protocol usage

hashtagDiscover devices using SSH outbound

hashtagDiscover devices sending > 100MB of data outbound

hashtagx11 Discovery

hashtagBitTorrent traffic discovery

hashtagOutbound SSH Traffic

hashtagOutbound Unencrypted Web traffic

hashtagOutbound Unencrypted FTP traffic

hashtagOutbound Unencrypted Telnet traffic

hashtagNetbios outbound ports

hashtagDynamic port to dynamic port

hashtagOutbound encrypted DOT(853)