Network Query Attributes

Learn about Network Query attributes in RQL.
Review your options when using Network where on the Investigate tab of the RedLock administrative console:
[Figure: network-where-options-query.png]
Each attribute narrows your search criteria. As you type an attribute, the auto-suggestion capability shows the available expressions and the operators that apply to that attribute.
  • cloud.account
    Use the cloud.account attribute to search for network activity in one or more cloud accounts that you connected to the RedLock service.
    For example, you can view network activity in a cloud account with more than 1 MB (1048576 bytes) of traffic:
    network where cloud.account = 'Developer Sandbox' AND bytes > 1048576
  • cloud.region
    Use the cloud.region attribute to search for network activity in specific cloud regions.
    For example, you can view network activity in the Developer Sandbox account for the AWS Oregon region:
    network where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Oregon' AND bytes > 0
  • cloud.account.group
    Use the cloud.account.group attribute to search for network activity within a group of cloud accounts that you have connected to the RedLock service.
    For example, you can view network activity across the accounts in the group All my AWS accounts, in the AWS Oregon region, where more than 100000 packets were transmitted:
    network where cloud.account.group = 'All my AWS accounts' AND cloud.region = 'AWS Oregon' AND packets > 100000
  • dest.ip, source.ip
    Use the dest.ip and source.ip attributes to filter your network traffic by the receiving or the originating IP address. You can enter one or more IP addresses as a comma-separated list, in plain or CIDR format:
    • A single IP address: 172.31.60.74
    • A list of IP addresses: 172.31.60.74, 10.0.0.5
    • A single CIDR: 172.31.60.0/24
    • A list of CIDRs: 172.31.60.0/24, 13.233.0.0/16, 10.3.2.2/32
    • You can provide a single IP address or a list of IP addresses from the public or RFC 1918 address space. The CIDR format is supported only for the RFC 1918 address space. You can mix CIDR and non-CIDR values within one list.
    • The value 0.0.0.0 does not mean any IP address; it means any public IP address.
    For example, you can view network traffic to a public IP address to which more than 1000000 bytes were transmitted:
    network where dest.ip = 0.0.0.0 AND bytes > 1000000
    or traffic originating from specific subnets:
    network where source.ip IN (10.2.1.0/24,10.3.1.0/24) AND bytes > 10000
    For example, you can view SSH traffic from any public IP address on the internet:
    network where source.ip = 0.0.0.0 and dest.port = 22
  • dest.port
    Use the dest.port attribute to filter your network activity to traffic sent to a specific destination port.
    For example, you can view network traffic from any public IP address where the destination port is 27017 (the MongoDB default port):
    network where dest.port = 27017 AND source.ip = 0.0.0.0
  • dest.outboundpeers, source.outboundpeers
    Use the dest.outboundpeers and source.outboundpeers attributes for a count of the distinct IP addresses with which an asset establishes connections. These attributes aggregate connection counts for both ingress and egress traffic, which helps you detect account compromise or identify hosts that receive SSH connections from many external IP addresses.
  • dest.outboundports, source.outboundports
    Use the dest.outboundports and source.outboundports attributes for a count of the distinct destination ports to which an asset establishes connections. These attributes aggregate connection counts for both ingress and egress traffic. For example, you can detect an attempt to perform a port scan or port sweep, or detect a host that sets up a number of egress connections on ports commonly used for cryptocurrency mining.
  • dest.publicnetwork, source.publicnetwork
    Use the source.publicnetwork and dest.publicnetwork attributes to query for traffic from and to predefined networks. For example, Internet IPs represents all public IP addresses, and Suspicious IPs represents the IP addresses that RedLock classifies as suspicious.
    You can also define your own network as a set of IP addresses or CIDRs, for instance your own public (non-RFC 1918) ranges, and use it in a network RQL query to see traffic from or to those addresses. If you belong to the System Admin permission group, you can set this up under Settings > IP Whitelisting.
    For example, you can view traffic to destination port 3389 (RDP) where the destination is classified as Internet IPs or Suspicious IPs:
    network where dest.port IN (3389) and dest.publicnetwork IN ('Internet IPs' , 'Suspicious IPs' ) and bytes > 0
  • dest.resource, source.resource
    Use the dest.resource and source.resource attributes to search and filter the network by a destination or a source resource. The nested resource where clause can filter on host findings, roles, security groups, tags, and virtual networks. Typing dest.resource IN or source.resource IN displays more options:
    [Figure: dest-resource-in-resource-query-example.png]
  • hostfinding.severity, hostfinding.type, hostfinding.source
    Use hostfinding attributes to query for vulnerabilities on destination or source resources that have one or more host related security findings. RedLock ingests host vulnerability data from external sources such as Qualys, Tenable.io, AWS Inspector, and host security related alerts from AWS GuardDuty.
    To use the hostfinding attributes, first enable the integration with the host vulnerability providers.
    For example, you can list hostfinding events from AWS GuardDuty on destination resources with critical severity:
    network where dest.resource IN ( resource where hostfinding.type = 'AWS GuardDuty Host' AND hostfinding.severity = 'critical' ) AND bytes > 0
    For example, you can list host vulnerability events on the destination resource:
    network where dest.resource IN ( resource where hostfinding.type IN ('Host Vulnerability' ) ) and bytes > 0
  • securitygroup.name
    Use the securitygroup.name attribute to filter the network traffic by security group name.
    For example, you can view traffic from public IP addresses to resources in the security groups named AWS-OpsWorks-Java-App-Server and AWS-OpsWorks-Blank-Server:
    network where source.ip = 0.0.0.0 and dest.resource IN ( resource where securitygroup.name IN ( 'AWS-OpsWorks-Java-App-Server' , 'AWS-OpsWorks-Blank-Server' ))
  • virtualnetwork.name
    Use the virtualnetwork.name attribute to filter the network traffic by virtual network name.
    For example, you can view the network traffic destined to resources in the virtual network ICHS_FLORENCE:
    network where dest.resource IN ( resource where virtualnetwork.name IN ( 'ICHS_FLORENCE' ))
  • dest.state, source.state
    Use the dest.state or source.state attributes to view traffic originating from or destined to a specific state within a country.
    For example, you can view network traffic to Karnataka in India:
    network where cloud.account = 'Developer Sandbox' AND dest.country = 'India' AND dest.state = 'Karnataka'
    For example, you can view network traffic from Karnataka in India:
    network where cloud.account = 'Developer Sandbox' AND source.country = 'India' AND source.state = 'Karnataka'
  • dest.country, source.country
    Use the dest.country and source.country attributes to filter your network traffic by the country where the traffic originates or the country where it is received.
    For example, you can view network activity where the destination of the traffic is in China or Russia:
    network where dest.country IN ( 'China' , 'Russia' ) and bytes > 0
    To view network activity where the source of the traffic is in China:
    network where source.country = 'China' AND bytes > 0
  • bytes
    Use the bytes attribute to search for network activity by the aggregate number of bytes transferred over the flow.
    For example, you can search for network traffic from Internet IPs or Suspicious IPs with any byte volume:
    network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and bytes > 0
  • response.bytes
    Use the response.bytes attribute to search for network activity by the aggregate response byte volume.
    For example, you can search for network traffic with more than 100,000 response bytes:
    network where response.bytes > 100000 AND cloud.account = 'Sandbox Account'
  • accepted.bytes
    Use the accepted.bytes attribute to search for network activity by the aggregate accepted byte volume.
    For example, you can search for network traffic with more than 100,000 accepted bytes:
    network where accepted.bytes > 100000 AND cloud.account = 'Sandbox Account'
  • packets
    Use the packets attribute to search for network activity by the aggregate number of packets transferred over the flow.
    For example, you can identify traffic from internal workloads to Internet IPs on ports 8545 and 30303, the default JSON-RPC and peer-to-peer ports of Ethereum nodes:
    network where dest.port IN (8545,30303) and dest.publicnetwork IN ('Internet IPs' , 'Suspicious IPs' ) and packets> 0
  • protocol
    Use the protocol attribute to search for network activity by network protocol.
    For example, you can search for TCP traffic from any public IP address to destination port 21 (FTP):
    network where src.ip=0.0.0.0 AND protocol='TCP' AND dest.port IN (21)
  • role
    Use the role attribute to filter the network traffic by resource role.
    For example, you can view all network traffic from public IP addresses in the RedLock account where the destination resource role is neither AWS NAT Gateway nor AWS ELB:
    network where cloud.account = 'RedLock' AND source.ip = 0.0.0.0 AND dest.resource IN ( resource where role NOT IN ( 'AWS NAT Gateway' , 'AWS ELB' ))
    For example, you can view traffic originating from Suspicious IPs or Internet IPs that is destined to resources with the role AWS RDS or Database:
    network where source.publicnetwork IN ( 'Suspicious IPs' , 'Internet IPs' ) and dest.resource IN ( resource where role IN ( 'AWS RDS' , 'Database' ))
  • tag
    Use the tag attribute to filter the network traffic by resource tags.
    For example, you can view network traffic destined to resources whose name tag is NISP:
    network where dest.resource IN ( resource where tag ('name') = 'NISP')
  • threat.source
    Use the threat.source attribute to filter by the supported threat intelligence feeds: AutoFocus or Facebook ThreatExchange. The supported operators are =, !=, IN (...), and NOT IN (...).
    For example, to view traffic that matches Facebook ThreatExchange indicators (the value FB):
    network where bytes > 10000 AND threat.source IN ('FB')
  • threat.tag.group
    Use the threat.tag.group attribute, when the threat.source is AutoFocus, to query for specific tag groups. Tag groups are genres of malware families as categorized by the Unit 42 threat research team.
    For example, to view traffic that matches AutoFocus indicators in the listed tag groups:
    network where bytes > 100 AND threat.source = 'AutoFocus' AND threat.tag.group IN ( 'BankingTrojan', 'LinuxMalware', 'Worm', 'Downloader', 'HackingTool', 'PotentiallyUnwantedProgram', 'InfoStealer', 'Ransomware', 'InternetofThingsMalware', 'ATMMalware')
  • traffic.type IN
    Use the traffic.type attribute with the IN operator to filter flows by whether entities in your cloud environment accepted or rejected the traffic. The values go in the parentheses after IN.
    For example, the following query finds rejected traffic from Suspicious IPs or Internet IPs to the address 172.31.12.172 in the virtual network vpc-323cda49:
    NETWORK WHERE src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN (resource WHERE virtualnetwork.name IN ( 'vpc-323cda49' )) AND dest.ip IN (172.31.12.172 ) AND traffic.type IN ('REJECTED')
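The following is an added example, not RedLock code, that reproduces over constructed flow records what the outboundpeers/outboundports aggregates and the "any public IP" filters (source.ip = 0.0.0.0, the Internet IPs network) described above compute. It assumes flows are summarised as (source_ip, dest_ip, dest_port, protocol) tuples and that "public" means any IPv4 address outside RFC 1918 space; the mapping of the egress side to source.outboundpeers/source.outboundports and of the ingress side to the dest.* variants is my reading of the page, and the thresholds are illustrative.

```python
"""Added example, not RedLock code: distinct-peer / distinct-port aggregates and
'any public IP' filtering over constructed flow records.

Assumptions (not stated on this page): flows are (source_ip, dest_ip, dest_port,
protocol) tuples, and 'public' means any IPv4 address outside RFC 1918 space.
Thresholds are illustrative.
"""
from collections import defaultdict
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public(ip: str) -> bool:
    """True for an address outside RFC 1918 space (what 0.0.0.0 / 'Internet IPs' select)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


# Constructed sample flows: (source_ip, dest_ip, dest_port, protocol)
FLOWS = [
    # one internal host touching 25 ports on a single peer: a port sweep
    *[("10.0.1.5", "10.0.2.9", port, "TCP") for port in range(20, 45)],
    # twelve public sources opening SSH to one bastion host
    *[(f"203.0.113.{i}", "10.0.0.22", 22, "TCP") for i in range(1, 13)],
    # ordinary flows, including one egress flow on the Ethereum JSON-RPC port
    ("10.0.3.3", "10.0.3.4", 443, "TCP"),
    ("10.0.3.3", "198.51.100.7", 443, "TCP"),
    ("10.0.3.3", "198.51.100.7", 8545, "TCP"),
]


def aggregate(flows):
    """Per host: distinct peers and ports seen as source (egress) and as destination (ingress).

    Egress counts are my analogue of source.outboundpeers / source.outboundports,
    ingress counts of dest.outboundpeers / dest.outboundports (assumption).
    """
    egress_peers, egress_ports = defaultdict(set), defaultdict(set)
    ingress_peers, ingress_ports = defaultdict(set), defaultdict(set)
    for src, dst, port, _proto in flows:
        egress_peers[src].add(dst)
        egress_ports[src].add(port)
        ingress_peers[dst].add(src)
        ingress_ports[dst].add(port)
    hosts = set(egress_peers) | set(ingress_peers)
    return {
        host: {
            "egress_peers": len(egress_peers.get(host, ())),
            "egress_ports": len(egress_ports.get(host, ())),
            "ingress_peers": len(ingress_peers.get(host, ())),
            "ingress_ports": len(ingress_ports.get(host, ())),
        }
        for host in hosts
    }


def port_sweeps(stats, min_ports=20):
    """Hosts whose distinct egress port count suggests a port scan or sweep."""
    return sorted(h for h, s in stats.items() if s["egress_ports"] >= min_ports)


def ssh_from_many_public_sources(flows, min_sources=10):
    """Like 'source.ip = 0.0.0.0 and dest.port = 22', then counting distinct public peers per destination."""
    by_dest = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto == "TCP" and port == 22 and is_public(src):
            by_dest[dst].add(src)
    return {dst: len(srcs) for dst, srcs in by_dest.items() if len(srcs) >= min_sources}


def internal_to_internet_on_ports(flows, ports):
    """Like dest.port IN (...) and dest.publicnetwork IN ('Internet IPs') for RFC 1918 sources."""
    return sorted(
        (src, dst, port)
        for src, dst, port, _proto in flows
        if port in ports and not is_public(src) and is_public(dst)
    )


if __name__ == "__main__":
    stats = aggregate(FLOWS)
    print("port sweeps:", port_sweeps(stats))
    print("hosts with SSH from many public sources:", ssh_from_many_public_sources(FLOWS))
    print("egress to Ethereum ports:", internal_to_internet_on_ports(FLOWS, {8545, 30303}))
```

Note that is_public deliberately tests only the three RFC 1918 ranges rather than Python's ipaddress.is_private, which also treats ranges such as 100.64.0.0/10 and 192.0.0.0/24 as private; the page's rule is stated in terms of RFC 1918, so the check is kept to exactly that.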
