Network Query Attributes
Learn about Network Query attributes in RQL.
Review your options when using network where on the Investigate tab of the RedLock administrative console.
Each attribute allows you to narrow your search criteria. As you use these attributes, the auto-suggestion capability shows the available expressions and the operators that are applicable for each attribute.
- cloud.account: Use the cloud.account attribute to search for network activity in one or more cloud accounts that you connected to the RedLock service. For example, you can view network activity in a cloud account with more than 1 MB of traffic:
  network where cloud.account = 'Developer Sandbox' AND bytes > 1048576
- cloud.region: Use the cloud.region attribute to search for network activity in your cloud regions. For example, you can view network activity in the Developer Sandbox account for the AWS Oregon region:
  network where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Oregon' AND bytes > 0
- cloud.account.group: Use the cloud.account.group attribute to search for network activity within a group of cloud accounts that you have connected to the RedLock service. For example, you can view network activity across your AWS accounts that belong to the Oregon region where more than 100000 packets were transmitted:
  network where cloud.account.group = 'All my AWS accounts' AND cloud.region = 'AWS Oregon' AND packets > 100000
- dest.ip, source.ip: Use the dest.ip and source.ip attributes to filter your network to view traffic from an originating or a receiving IP address. You can enter one or more IP addresses in a comma-separated list or in CIDR format.
  A single IP address: 172.31.60.74
  A list of IP addresses: 172.31.60.74, 10.0.0.5
  A single CIDR address: 172.31.60.0/24
  A list of CIDR addresses: 172.31.60.0/24, 184.108.40.206/16, 10.3.2.2/32
  - You can provide a single IP address or a list of IP addresses from the public or RFC 1918 address space. The CIDR format is supported only for the RFC 1918 address space. You can mix CIDR and non-CIDR entries within one list.
  - The value 0.0.0.0 does not mean any IP address; it means any public IP address.
  For example, you can view network traffic to a public IP address to which more than 1000000 bytes were transmitted:
  network where dest.ip = 0.0.0.0 AND bytes > 1000000
  or traffic originating from a specific IP subnet:
  network where source.ip IN (10.2.1.0/24,10.3.1.0/24) AND bytes > 10000
  For example, you can view SSH traffic from any public IP address on the internet:
  network where source.ip = 0.0.0.0 and dest.port = 22
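The dest.ip and source.ip rules above (a single value or a comma-separated list, CIDR only inside RFC 1918 space, and 0.0.0.0 meaning any public address) are easy to get wrong when queries are generated by scripts. The following Python helper is an added example, not RedLock code: it validates each entry against those rules, rejects CIDR entries outside RFC 1918 space, and renders the clause as RQL text. The function names and the sample addresses are assumptions made for this example.

```python
import ipaddress

# RFC 1918 private ranges; the note above states CIDR notation is accepted only inside these.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# In these queries 0.0.0.0 is a wildcard for "any public IP address", not "any address".
ANY_PUBLIC = "0.0.0.0"
IP_ATTRIBUTES = {"dest.ip", "source.ip"}  # the two attributes this example renders


def classify_ip_term(term):
    """Classify one entry of a dest.ip / source.ip list; raise on entries the rules reject."""
    term = term.strip()
    if term == ANY_PUBLIC:
        return "any-public"
    if "/" in term:
        net = ipaddress.ip_network(term, strict=False)
        if not any(net.subnet_of(r) for r in RFC1918):
            raise ValueError(f"{term}: CIDR notation is supported only for RFC 1918 address space")
        return "rfc1918-cidr"
    addr = ipaddress.ip_address(term)  # raises ValueError on malformed input
    return "rfc1918-ip" if any(addr in r for r in RFC1918) else "public-ip"


def parse_ip_list(text):
    """Split the comma-separated form the console accepts into individual entries."""
    return [t.strip() for t in text.split(",") if t.strip()]


def build_ip_filter(attribute, terms):
    """Render an IP clause: '=' for a single value, 'IN (...)' for a list."""
    if attribute not in IP_ATTRIBUTES:
        raise ValueError(f"unsupported attribute {attribute!r}")
    cleaned = [t.strip() for t in terms]
    for t in cleaned:
        classify_ip_term(t)  # validate every entry before emitting the clause
    if len(cleaned) == 1:
        return f"{attribute} = {cleaned[0]}"
    return f"{attribute} IN ({', '.join(cleaned)})"


def network_query(*clauses):
    """Join validated clauses into a network query."""
    return "network where " + " AND ".join(clauses)


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    print(network_query(build_ip_filter("dest.ip", ["0.0.0.0"]), "bytes > 1000000"))
    print(network_query(build_ip_filter("source.ip", parse_ip_list("10.2.1.0/24, 10.3.1.0/24")), "bytes > 10000"))
    try:
        build_ip_filter("dest.ip", ["203.0.113.0/24"])  # public CIDR: rejected by the RFC 1918 rule
    except ValueError as err:
        print("rejected:", err)
```

The validator fails closed: a public CIDR such as 203.0.113.0/24 is rejected before any query text is produced, which is safer than emitting a clause the console would not interpret as intended.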
- dest.port: Use the dest.port attribute to filter your network activity to view traffic to a destination port. For example, you can view network traffic from any public IP address where the destination port is 27017:
  network where dest.port = 27017 AND source.ip = 0.0.0.0
- dest.outboundpeers, source.outboundpeers: Use the dest.outboundpeers and source.outboundpeers attributes for a count of distinct IP addresses to which this asset establishes a connection. These network attributes enable you to aggregate connection counts for both ingress and egress traffic to help detect account compromise or identify hosts that are establishing multiple SSH connections from one or more external IP addresses.
- dest.outboundports, source.outboundports: Use the dest.outboundports and source.outboundports attributes for a count of distinct destination ports to which this asset establishes a connection. These network attributes enable you to aggregate connection counts for both ingress and egress traffic. For example, you can detect an attempt to perform a port scan or port sweep, or detect an attempt to set up a number of egress connections on the crypto ports.
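To make concrete what the outboundpeers and outboundports counts aggregate, here is an added Python example (not RedLock code) that computes the same two counts per asset from constructed flow records and flags assets whose distinct-peer or distinct-port count crosses a threshold, in the egress direction (keyed by source) or the ingress direction (keyed by destination). The record layout, the thresholds and the sample addresses are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample flow records, not taken from the page:
# (source_ip, dest_ip, dest_port, traffic_type)
FLOWS = [
    ("10.0.1.5", "10.0.2.10", 22, "ACCEPTED"),    # one host reaching SSH on several peers
    ("10.0.1.5", "10.0.2.11", 22, "ACCEPTED"),
    ("10.0.1.5", "10.0.2.12", 22, "ACCEPTED"),
    ("10.0.1.7", "10.0.2.10", 80, "ACCEPTED"),    # one host touching many ports on one peer
    ("10.0.1.7", "10.0.2.10", 443, "ACCEPTED"),
    ("10.0.1.7", "10.0.2.10", 8080, "REJECTED"),
    ("10.0.1.7", "10.0.2.10", 3306, "REJECTED"),
    ("10.0.1.7", "10.0.2.10", 5432, "REJECTED"),
    ("10.0.1.7", "10.0.2.10", 6379, "REJECTED"),
    ("10.0.1.9", "10.0.2.20", 443, "ACCEPTED"),   # ordinary single connection
]


def outbound_counts(flows, direction="egress"):
    """Per asset, count distinct peer IPs and distinct destination ports.

    direction="egress": asset is the source; peers are the destinations it reached.
    direction="ingress": asset is the destination; peers are the sources that reached it.
    Both accepted and rejected flows are counted, matching the aggregate nature of the attributes.
    """
    if direction not in ("egress", "ingress"):
        raise ValueError("direction must be 'egress' or 'ingress'")
    peers = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, port, _traffic_type in flows:
        asset, peer = (src, dst) if direction == "egress" else (dst, src)
        peers[asset].add(peer)
        ports[asset].add(port)
    return {
        asset: {"outboundpeers": len(peers[asset]), "outboundports": len(ports[asset])}
        for asset in peers
    }


def flag_assets(counts, peer_threshold=3, port_threshold=5):
    """Return assets whose counts look like a sweep (many peers) or a scan (many ports)."""
    findings = {}
    for asset, c in counts.items():
        reasons = []
        if c["outboundpeers"] >= peer_threshold:
            reasons.append("many-distinct-peers")
        if c["outboundports"] >= port_threshold:
            reasons.append("many-distinct-ports")
        if reasons:
            findings[asset] = reasons
    return findings


if __name__ == "__main__":
    egress = outbound_counts(FLOWS, "egress")
    for asset, reasons in flag_assets(egress).items():
        print(asset, egress[asset], reasons)
```

The thresholds are deliberately low so the constructed sample trips them; in practice they are tuned per environment, and a query such as the ones on this page would express the same idea with the outboundpeers and outboundports attributes directly.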
- dest.publicnetwork, source.publicnetwork: Use the source.publicnetwork and dest.publicnetwork attributes to query for traffic from and to predefined networks. For example, Internet IPs represents all public IPs and Suspicious IPs represents all suspicious IPs. You can also define your own network with a set of IP addresses/CIDRs to see traffic from/to your internal public (non-RFC 1918) networks and use them in a network RQL query. If you belong to the System Admin permission group, you can set it up in Settings > IP Whitelisting. For example, you can view traffic on destination port 3389 that is classified as Internet IPs or Suspicious IPs:
  network where dest.port IN (3389) and dest.publicnetwork IN ('Internet IPs' , 'Suspicious IPs' ) and bytes > 0
- dest.resource, source.resource: Use the dest.resource and source.resource attributes to search and filter the network by a destination or a source resource for host findings, roles, security groups, tags, and virtual networks. Typing dest.resource IN or source.resource IN displays more options:
- hostfinding.severity, hostfinding.type, hostfinding.source: Use the hostfinding attributes to query for vulnerabilities on destination or source resources that have one or more host-related security findings. RedLock ingests host vulnerability data from external sources such as Qualys, Tenable.io, and AWS Inspector, and host security related alerts from AWS GuardDuty. To leverage the hostfinding attributes, first enable the integration with the host vulnerability providers. For example, you can list host finding events from AWS GuardDuty on the destination resource that have critical severity:
  network where dest.resource IN ( resource where hostfinding.type = 'AWS GuardDuty Host' AND hostfinding.severity = 'critical' ) AND bytes > 0
  For example, you can list host vulnerability events on the destination resource:
  network where dest.resource IN ( resource where hostfinding.type IN ('Host Vulnerability' ) ) and bytes > 0
- securitygroup.name: Use the securitygroup.name attribute to filter the network traffic by security group name. For example, you can view the network traffic that is hitting the security groups named AWS-OpsWorks-Java-App-Server and AWS-OpsWorks-Blank-Server:
  network where source.ip = 0.0.0.0 and dest.resource IN ( resource where securitygroup.name IN ( 'AWS-OpsWorks-Java-App-Server' , 'AWS-OpsWorks-Blank-Server' ))
- virtualnetwork.name: Use the virtualnetwork.name attribute to filter the network traffic by virtual network name. For example, you can view the network traffic that is hitting the virtual network ICHS_FLORENCE:
  network where dest.resource IN ( resource where virtualnetwork.name IN ( 'ICHS_FLORENCE' ))
- dest.state, source.state: Use the dest.state or source.state attributes to view traffic originating from or destined to a specific state within a country. For example, you can view network traffic to Karnataka in India:
  network where cloud.account = 'Developer Sandbox' AND dest.country = 'India' AND dest.state = 'Karnataka'
  For example, you can view network traffic from Karnataka in India:
  network where cloud.account = 'Developer Sandbox' AND source.country = 'India' AND source.state = 'Karnataka'
- dest.country, source.country: Use the dest.country and source.country attributes to filter your network to view traffic by the country of its origin or the country where the traffic is received. For example, you can view network activity where the destination of the traffic is in China or Russia:
  network where dest.country IN ( 'China' , 'Russia' ) and bytes > 0
  To view network activity where the source of the traffic is in China:
  network where source.country = 'China' AND bytes > 0
- bytes: Use the bytes attribute to search for network-related information by the aggregate byte volume while the transmission lasts. For example, you can search for network traffic by Internet IPs, Suspicious IPs, and bytes:
  network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and bytes > 0
- response.bytes: Use the response.bytes attribute to search for network-related information by the aggregate response byte volume. For example, you can search for network traffic with more than 100,000 response bytes:
  network where response.bytes > 100000 AND cloud.account = 'Sandbox Account'
- accepted.bytes: Use the accepted.bytes attribute to search for network-related information by the aggregate accepted byte volume. For example, you can search for network traffic with more than 100,000 accepted bytes:
  network where accepted.bytes > 100000 AND cloud.account = 'Sandbox Account'
- packets: Use the packets attribute to search for network-related information by the aggregate packet volume while the transmission lasts. For example, you can identify traffic from internal workloads to internet IPs on ports 8545 and 30303, which are known to be used to mine Ethereum:
  network where dest.port IN (8545,30303) and dest.publicnetwork IN ('Internet IPs' , 'Suspicious IPs' ) and packets > 0
- protocol: Use the protocol attribute to search for network-related information in relation to network protocols. For example, you can search for network information by the TCP protocol where the destination port is 21:
  network where src.ip=0.0.0.0 AND protocol='TCP' AND dest.port IN (21)
- role: Use the role attribute to filter the network traffic by roles. For example, you can view all network traffic in the RedLock account where the destination resource role is neither AWS NAT Gateway nor AWS ELB:
  network where cloud.account = 'RedLock' AND source.ip = 0.0.0.0 AND dest.resource IN ( resource where role NOT IN ( 'AWS NAT Gateway' , 'AWS ELB' ))
  For example, you can view traffic originating from Suspicious IPs and Internet IPs that is hitting the resource roles AWS RDS and Database:
  network where source.publicnetwork IN ( 'Suspicious IPs' , 'Internet IPs' ) and dest.resource IN ( resource where role IN ( 'AWS RDS' , 'Database' ))
- tag: Use the tag attribute to filter the network traffic by tags. For example, you can view network traffic that is hitting the resources tagged as NISP:
  network where dest.resource IN ( resource where tag ('name') = 'NISP')
- threat.source: Use the threat.source attribute to filter by the supported threat intelligence feed sources, AutoFocus or Facebook ThreatExchange. The supported operators are !=, =, IN (, and NOT IN (. For example:
  network where bytes > 10000 AND threat.source IN ('FB')
- threat.tag.group: For example:
  network where bytes > 100 AND threat.source = 'AutoFocus' AND threat.tag.group IN ( 'BankingTrojan', 'LinuxMalware', 'Worm', 'Downloader', 'HackingTool', 'PotentiallyUnwantedProgram', 'InfoStealer', 'Ransomware', 'InternetofThingsMalware', 'ATMMalware')
- traffic.type IN: Use the traffic.type IN attribute to view how entities within your cloud environment have accepted and rejected traffic. For example, supplying values for traffic.type IN inside the parentheses enables you to find rejected traffic from Suspicious IPs or Internet IPs:
  NETWORK WHERE src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN (resource WHERE virtualnetwork.name IN ( 'vpc-323cda49' )) AND dest.ip IN (172.31.12.172 ) AND traffic.type IN ('REJECTED')