1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Resource Query Language (RQL) Reference
    5. Prisma Cloud RQL Reference
    6. Network Query
    7. Network Flow Log Query Examples

    Network Flow Log Query Examples

    Some examples for Network Flow Log Queries.
    This section lists some examples that show you how to use Network Flow Log Query Attributes in RQL for investigating network flow log issues.
    USE CASE
    RQL
    View traffic originating from the Internet & suspicious IPs to resource with Database role.
    network from vpc.flow_record where source.publicnetwork IN ( 'Suspicious IPs' , 'Internet IPs' ) and dest.resource IN ( resource where role IN ( 'AWS RDS' , 'Database' ) )
    Find instances that are accessible over the Internet using insecure ports.
    network from vpc.flow_record where source.publicnetwork IN ( 'Internet IPs' ) and protocol = 'TCP' AND dest.port IN ( 21,23,80)
    Find hosts with Meltdown and Spectre vulnerabilities receiving network traffic.
    network from vpc.flow_record where dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.name IN ( 'CVE-2017-5754', 'CVE-2017-5753', 'CVE-2017-5715' ) )  and bytes > 0
    Check for traffic categorized as malware of type DDoS, HackingTool, or Worm, originating from the Internet & suspicious IPs that are destined to your cloud assets that are not directly accessible over the Internet.
    network from vpc.flow_record where src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' ) AND threat.source = 'AF' AND threat.tag.group IN ( 'DDoS', 'HackingTool', 'Worm' )
    Look for traffic from Internet to any instance outside of Web servers, NAT Gateways or ELBs.
    network from vpc.flow_record where src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' )
    Look for source entities which are AWS ELBs with connections to more than 10 unique peer IP addresses, but those peer IPs are not endpoints that function as Databases.
    network from vpc.flow_record where src.resource IN (RESOURCE WHERE role = ('AWS ELB') AND source.outboundpeers > 10) AND dest.resource IN (RESOURCE WHERE role != ('Database'))
    Identify any instances with a private IP address (specified in the CIDR format) that are sending traffic to the Internet.
    network from vpc.flow_record where cloud.account=account_name AND source.ip IN(172.31.0.0/12,10.0.0.0/8) AND dest.publicnetwork IN 'Internet IPs' AND bytes > 0
    Public IP addresses in the CIDR format cannot be set as a source or destination IP address, or a comma seperated value list.
    View whether a list of specified IP addresses are sending traffic to the Internet.
    network from vpc.flow_record where cloud.account=account_name AND source.ip IN(52.31.0.0,10.0.8.0) AND dest.publicnetwork IN 'Internet IPs' AND bytes > 0

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo