Network Flow Log Query Attributes

Learn about Network Query attributes in RQL using VPC flow log records.
When you configure Prisma Cloud to retrieve information from VPC flow logs in your cloud deployments, you can run queries that begin with
network from vpc.flow_record where
on the Investigate page of the Prisma Cloud administrative console to view results based on the metadata included in these logs.
Each attribute narrows your search criteria. As you type an attribute, the auto-suggestion capability shows the available values and the operators that apply to that attribute.
  • cloud.account
    Use the cloud.account attribute to search for network activity in one or more cloud accounts that you connected to Prisma Cloud.
    For example, you can view network activity in a cloud account with more than 1 MB (1048576 bytes) of traffic:
    network from vpc.flow_record where cloud.account = 'Developer Sandbox' AND bytes > 1048576
  • cloud.region
    Use the cloud.region attribute to search for network activity in specific cloud regions.
    For example, you can view network activity in the Developer Sandbox account in the AWS Oregon region:
    network from vpc.flow_record where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Oregon' AND bytes > 0
  • cloud.account.group
    Use the cloud.account.group attribute to search for network activity within a group of cloud accounts that you have connected to Prisma Cloud.
    For example, you can view network activity across the AWS accounts in the group, restricted to the AWS Oregon region, where more than 100000 packets were transmitted:
    network from vpc.flow_record where cloud.account.group = 'All my AWS accounts' AND cloud.region = 'AWS Oregon' AND packets > 100000
  • dest.ip, source.ip
    Use the dest.ip and source.ip attributes to filter your network traffic by receiving or originating IP address. You can enter one or more IP addresses as a comma-separated list or in CIDR format:
    A single IP address: 172.31.60.74
    A list of IP addresses: 172.31.60.74, 10.0.0.5
    A single CIDR block: 172.31.60.0/24
    A list of CIDR blocks: 172.31.60.0/24, 13.233.0.0/16, 10.3.2.2/32
    • You can provide a single IP address or a list of IP addresses from the public or RFC 1918 address space. The CIDR format is supported only for the RFC 1918 address space. You can mix CIDR and non-CIDR entries within one list.
    • The value 0.0.0.0 does not mean any IP address; it matches any public (non-RFC 1918) IP address. To match an RFC 1918 range, list it explicitly in CIDR form.
    For example, you can view network traffic to public IP addresses to which more than 1000000 bytes were transmitted:
    network from vpc.flow_record where dest.ip = 0.0.0.0 AND bytes > 1000000
    or traffic originating from specific IP subnets:
    network from vpc.flow_record where source.ip IN (10.2.1.0/24, 10.3.1.0/24) AND bytes > 10000
    For example, you can view SSH traffic from any public IP address on the internet:
    network from vpc.flow_record where source.ip = 0.0.0.0 AND dest.port = 22
  • dest.port
    Use the dest.port attribute to filter your network activity by destination port.
    For example, you can view traffic from any public IP address where the destination port is 27017 (the default MongoDB port):
    network from vpc.flow_record where dest.port = 27017 AND source.ip = 0.0.0.0
  • dest.outboundpeers, source.outboundpeers
    Use the dest.outboundpeers and source.outboundpeers attributes to filter on the count of distinct IP addresses to which an asset establishes connections. These attributes aggregate connection counts for both ingress and egress traffic, which helps detect account compromise or identify hosts that are receiving multiple SSH connections from one or more external IP addresses.
  • dest.outboundports, source.outboundports
    Use the dest.outboundports and source.outboundports attributes to filter on the count of distinct destination ports to which an asset establishes connections. These attributes aggregate connection counts for both ingress and egress traffic. For example, you can detect an attempted port scan or port sweep, or an attempt to open many egress connections on ports used by cryptocurrency mining.
  • dest.publicnetwork, source.publicnetwork
    Use the source.publicnetwork and dest.publicnetwork attributes to query for traffic from and to predefined networks. For example, Internet IPs represents all public IPs and Suspicious IPs represents all IPs flagged as suspicious.
    You can also define your own network as a set of IP addresses/CIDRs to see traffic from/to your internal public (non-RFC 1918) networks and use it in a network RQL query. If you belong to the System Admin permission group, you can set this up under Settings > Trusted IP Addresses; for details, refer to trusted IP addresses.
    For example, you can view traffic to destination port 3389 whose destination is classified as an internet IP or a suspicious IP:
    network from vpc.flow_record where dest.port IN (3389) and dest.publicnetwork IN ('Internet IPs' , 'Suspicious IPs' ) and bytes > 0
  • dest.resource, source.resource
    Use the dest.resource and source.resource attributes to filter the network traffic by destination or source resource, so that you can find traffic involving resources with host-based findings, roles, security groups, tags, or virtual networks.
    Typing dest.resource IN or source.resource IN displays the nested resource filter options, for example the finding, role, securitygroup.name, tag, and virtualnetwork.name attributes used in the examples below.
  • finding.severity, finding.type, finding.source
    Use the finding attributes to query for traffic to or from resources that have one or more host-related security findings. Prisma Cloud ingests host vulnerability data from Prisma Cloud Defenders deployed in your cloud environments and from external sources such as Qualys, Tenable.io, and AWS Inspector, as well as host and IAM security-related alerts from Amazon GuardDuty.
    To leverage the finding attributes, you must either enable the integration with the host vulnerability providers or deploy Prisma Cloud Defenders on hosts and containers.
    For example, you can list traffic to destination resources that have a critical-severity Amazon GuardDuty host finding:
    network from vpc.flow_record where dest.resource IN ( resource where finding.type = 'AWS GuardDuty Host' AND finding.severity = 'critical' ) AND bytes > 0
    For example, you can list traffic to destination resources that have host vulnerability findings:
    network from vpc.flow_record where dest.resource IN ( resource where finding.type IN ('Host Vulnerability' ) ) and bytes > 0
  • securitygroup.name
    Use the securitygroup.name attribute to filter the network traffic by security group name.
    For example, you can view traffic from public IP addresses to resources in the security groups named AWS-OpsWorks-Java-App-Server and AWS-OpsWorks-Blank-Server:
    network from vpc.flow_record where source.ip = 0.0.0.0 and dest.resource IN ( resource where securitygroup.name IN ( 'AWS-OpsWorks-Java-App-Server' , 'AWS-OpsWorks-Blank-Server' ))
  • virtualnetwork.name
    Use the virtualnetwork.name attribute to filter the network traffic by virtual network name.
    For example, you can view traffic to resources in the virtual network named ICHS_FLORENCE:
    network from vpc.flow_record where dest.resource IN ( resource where virtualnetwork.name IN ( 'ICHS_FLORENCE' ))
  • dest.state, source.state
    Use the dest.state or source.state attribute to view traffic destined to or originating from a specific state within a country. Combine it with the matching dest.country or source.country attribute.
    For example, you can view network traffic to Karnataka, India:
    network from vpc.flow_record where cloud.account = 'Developer Sandbox' AND dest.country = 'India' AND dest.state = 'Karnataka'
    For example, you can view network traffic from Karnataka, India:
    network from vpc.flow_record where cloud.account = 'Developer Sandbox' AND source.country = 'India' AND source.state = 'Karnataka'
  • dest.country, source.country
    Use the dest.country and source.country attributes to filter your network traffic by the country the traffic originates from or the country where it is received.
    For example, you can view network activity where the destination of the traffic is in China or Russia:
    network from vpc.flow_record where dest.country IN ( 'China' , 'Russia' ) and bytes > 0
    To view network activity where the source of the traffic is in China:
    network from vpc.flow_record where source.country = 'China' AND bytes > 0
  • bytes
    Use the bytes attribute to search for network flows by the aggregate number of bytes transferred over the duration of the flow.
    For example, you can search for traffic from internet IPs or suspicious IPs that carried any bytes:
    network from vpc.flow_record where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and bytes > 0
  • response.bytes
    Use the response.bytes attribute to search for network flows by the aggregate number of response bytes.
    For example, you can search for network traffic with more than 100,000 response bytes:
    network from vpc.flow_record where response.bytes > 100000 AND cloud.account = 'Sandbox Account'
  • accepted.bytes
    Use the accepted.bytes attribute to search for network flows by the aggregate number of accepted bytes.
    For example, you can search for network traffic with more than 100,000 accepted bytes:
    network from vpc.flow_record where accepted.bytes > 100000 AND cloud.account = 'Sandbox Account'
  • packets
    Use the packets attribute to search for network flows by the aggregate number of packets transferred over the duration of the flow.
    For example, you can identify traffic from internal workloads to internet IPs on ports 8545 and 30303, which are associated with Ethereum nodes and mining:
    network from vpc.flow_record where dest.port IN (8545,30303) and dest.publicnetwork IN ('Internet IPs' , 'Suspicious IPs' ) and packets > 0
  • protocol
    Use the protocol attribute to search for network flows by network protocol.
    For example, you can search for TCP traffic from public IP addresses where the destination port is 21 (FTP):
    network from vpc.flow_record where source.ip = 0.0.0.0 AND protocol = 'TCP' AND dest.port IN (21)
  • role
    Use the role attribute to filter the network traffic by resource role.
    For example, you can view all traffic from public IP addresses in the RedLock account where the destination resource role is neither AWS NAT Gateway nor AWS ELB:
    network from vpc.flow_record where cloud.account = 'RedLock' AND source.ip = 0.0.0.0 AND dest.resource IN ( resource where role NOT IN ( 'AWS NAT Gateway' , 'AWS ELB' ))
    For example, you can view traffic originating from suspicious IPs and internet IPs that reaches resources with the roles AWS RDS and Database:
    network from vpc.flow_record where source.publicnetwork IN ( 'Suspicious IPs' , 'Internet IPs' ) and dest.resource IN ( resource where role IN ( 'AWS RDS' , 'Database' ))
  • tag
    Use the tag attribute to filter the network traffic by resource tag.
    For example, you can view traffic to resources that have a tag with key name and value NISP:
    network from vpc.flow_record where dest.resource IN ( resource where tag ('name') = 'NISP')
  • threat.source
    Use the threat.source attribute to filter by the supported threat intelligence feeds: AutoFocus or Opensource. The supported operators are =, !=, IN, and NOT IN.
    For example:
    network from vpc.flow_record where bytes > 10000 AND threat.source IN ('AutoFocus')
  • threat.tag.group
    Use the threat.tag.group attribute, when the threat.source is AutoFocus, to query for specific tag groups. Tag groups are genres of malware families as categorized by the Unit 42 threat research team.
    For example:
    network from vpc.flow_record where bytes > 100 AND threat.source = 'AutoFocus' AND threat.tag.group IN ( 'BankingTrojan', 'LinuxMalware', 'Worm', 'Downloader', 'HackingTool', 'PotentiallyUnwantedProgram', 'InfoStealer', 'Ransomware', 'InternetofThingsMalware', 'ATMMalware')
  • traffic.type
    Use the traffic.type attribute, with the IN operator, to filter on whether a flow was accepted or rejected by the entities in your cloud environment.
    For example, the following query finds rejected traffic from Suspicious IPs or Internet IPs to 172.31.12.172 in the virtual network vpc-323cda49:
    network from vpc.flow_record where source.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN (resource WHERE virtualnetwork.name IN ( 'vpc-323cda49' )) AND dest.ip IN (172.31.12.172 ) AND traffic.type IN ('REJECTED')
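To make the rules in the dest.ip/source.ip, dest.port, outboundpeers/outboundports, and traffic.type sections concrete, the following is an added Python example, not Prisma Cloud code or a Prisma Cloud API. It applies the same semantics offline to a handful of constructed AWS VPC flow log version 2 lines: 0.0.0.0 matches only public (non-RFC 1918) addresses, CIDR notation is accepted only inside RFC 1918 space, and per-source counts of distinct peers and distinct destination ports expose a port sweep. The record layout is the AWS default v2 field order; the aggregation window (the whole sample, per source address) and the mapping of the flow log ACCEPT/REJECT action to traffic.type are assumptions of this example.

```python
"""Added example: emulate this page's source.ip/dest.ip matching rules and the
outboundpeers/outboundports counts over constructed AWS VPC flow log v2 lines.
Not Prisma Cloud code; the per-address aggregation window is an assumption."""
import ipaddress
from collections import defaultdict

# Constructed sample lines, AWS VPC flow log v2 default order: version account-id
# interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end
# action log-status. 203.0.113.x / 198.51.100.x are documentation ranges standing
# in for public addresses; 198.51.100.7 sweeps five ports and is rejected.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 172.31.60.74 51234 22 6 20 1200 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.60.74 40001 22 6 3 180 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.60.74 40002 80 6 3 180 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.60.74 40003 443 6 3 180 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.60.74 40004 3389 6 3 180 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.60.74 40005 8080 6 3 180 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.2.1.15 172.31.60.74 33000 3306 6 100 1048577 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.60.74 10.2.1.15 3306 33000 6 90 900000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.60.74 203.0.113.99 45000 8545 6 50 5000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.60.74 203.0.113.99 45001 30303 6 50 5000 1620000000 1620000060 ACCEPT OK
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flow_log(text):
    """Parse v2 lines into dicts, converting the numeric fields to int."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def ip_matches(ip, specs):
    """Page rules: 0.0.0.0 = any public (non-RFC 1918) address; CIDR only
    inside RFC 1918 space; anything else is an exact address."""
    addr = ipaddress.ip_address(ip)
    for spec in specs:
        spec = spec.strip()
        if spec == "0.0.0.0":
            if not is_rfc1918(ip):
                return True
        elif "/" in spec:
            net = ipaddress.ip_network(spec, strict=False)
            if not any(net.subnet_of(private) for private in RFC1918):
                raise ValueError(f"CIDR {spec} is outside RFC 1918; list public IPs individually")
            if addr in net:
                return True
        elif addr == ipaddress.ip_address(spec):
            return True
    return False

def query(records, source_ip=None, dest_ip=None, dest_port=None, bytes_gt=0, action=None):
    """AND the given filters together like a where clause: source_ip/dest_ip are
    spec lists, dest_port a set of ints, bytes_gt is 'bytes > N', action is the
    flow log action ('ACCEPT'/'REJECT'), the field behind traffic.type."""
    matched = []
    for rec in records:
        if source_ip is not None and not ip_matches(rec["srcaddr"], source_ip):
            continue
        if dest_ip is not None and not ip_matches(rec["dstaddr"], dest_ip):
            continue
        if dest_port is not None and rec["dstport"] not in dest_port:
            continue
        if rec["bytes"] <= bytes_gt or (action is not None and rec["action"] != action):
            continue
        matched.append(rec)
    return matched

def outbound_counts(records):
    """Per source address: distinct peers and distinct destination ports reached,
    the counts behind source.outboundpeers / source.outboundports."""
    peers, ports = defaultdict(set), defaultdict(set)
    for rec in records:
        peers[rec["srcaddr"]].add(rec["dstaddr"])
        ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: {"outboundpeers": len(peers[src]), "outboundports": len(ports[src])}
            for src in peers}

def port_sweep_candidates(records, min_ports=5):
    """Sources that touched at least min_ports distinct destination ports."""
    return sorted(s for s, c in outbound_counts(records).items() if c["outboundports"] >= min_ports)

RECORDS = parse_flow_log(SAMPLE_FLOW_LOG)

if __name__ == "__main__":
    # source.ip = 0.0.0.0 AND dest.port = 22: SSH from public addresses
    for rec in query(RECORDS, source_ip=["0.0.0.0"], dest_port={22}):
        print(rec["srcaddr"], "->", rec["dstaddr"], rec["dstport"], rec["action"])
    print("port sweep candidates:", port_sweep_candidates(RECORDS))
```

Note that the check in ip_matches rejects a public CIDR outright, which is the strict reading of the statement that CIDR is supported only for RFC 1918 space; the internal host 10.2.1.15 is never matched by 0.0.0.0 even though it is the biggest talker in the sample, which is exactly why the page warns that 0.0.0.0 is not a wildcard. The REJECT rows from 198.51.100.7 are what traffic.type IN ('REJECTED') would surface, and the same source is the only one crossing the five-port sweep threshold.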
