Network Query Examples

Some examples for Network Queries.
Use this section for some examples that show you how to use Network Query Attributes in RQL for investigating Network issues:
DESCRIPTION
RQL
View traffic originating from the Internet & suspicious IPs to resource with Database role.
network from vpc.flow_record where source.publicnetwork IN ( 'Suspicious IPs' , 'Internet IPs' ) and dest.resource IN ( resource where role IN ( 'AWS RDS' , 'Database' ) )
Find instances that are accessible over the internet using insecure ports.
network from vpc.flow_record where source.publicnetwork IN ( 'Internet IPs' ) and protocol = 'TCP' AND dest.port IN ( 21,23,80)
Find hosts with Meltdown and Spectre vulnerabilities receiving network traffic.
network from vpc.flow_record where dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.name IN ( 'CVE-2017-5754', 'CVE-2017-5753', 'CVE-2017-5715' ) ) and bytes > 0
Check for traffic categorized as malware of type DDoS, HackingTool, or Worm, originating from the Internet & suspicious IPs that are destined to your cloud assets that are not directly accessible over the internet.
network from vpc.flow_record where src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' ) AND threat.source = 'AF' AND threat.tag.group IN ( 'DDoS', 'HackingTool', 'Worm' )
Look for traffic from internet to any instance outside of Web servers, NAT Gateways or ELBs.
network from vpc.flow_record where src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' )
Look for source entities which are AWS ELBs with connections to more than 10 unique peer IP addresses, but those peer IPs are not endpoints that function as Databases.
network from vpc.flow_record where src.resource IN (RESOURCE WHERE role = ('AWS ELB') AND source.outboundpeers > 10) AND dest.resource IN (RESOURCE WHERE role != ('Database'))
Identify any instances with a private IP address (specified in the CIDR format) that are sending traffic to the internet.
You cannot include a public IP address in the CIDR format as a source or destination IP address. Also, do not include an IP address and an IP address in a CIDR format as a comma separated list.
network from vpc.flow_record where cloud.account=account_name AND source.ip IN(172.31.0.0/12,10.0.0.0/8) AND dest.publicnetwork IN 'Internet IPs' AND bytes > 0
View whether a list of specified IP addresses are sending traffic to the internet.
network from vpc.flow_record where cloud.account=account_name AND source.ip IN(52.31.0.0,10.0.8.0) AND dest.publicnetwork IN 'Internet IPs' AND bytes > 0

Recommended For You