# NQL Examples

We have categorized these examples and provided a base query that you can customize to your own infrastructure and network topography:

### Search for and alert on specific traffic <a href="#search-for-and-alert-on-specific-traffic" id="search-for-and-alert-on-specific-traffic"></a>

For example, to separate East/West from North/South traffic, to meet compliance requirements, or to scope a forensics investigation.

#### Outbound traffic <a href="#outbound-traffic" id="outbound-traffic"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcinternal == true && dstinternal == false
```

{% endtab %}
{% endtabs %}

#### Inbound traffic <a href="#inbound-traffic" id="inbound-traffic"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcinternal == false && dstinternal == true
```

{% endtab %}
{% endtabs %}

### Search for and alert on geographic-based activity <a href="#search-for-and-alert-on-geographic-based-activity" id="search-for-and-alert-on-geographic-based-activity"></a>

Discover compromised devices via traffic to or from countries of concern, whether responding to a threat or proactively threat hunting.

#### Outbound traffic to T1 CoC <a href="#outbound-traffic-to-t1-coc" id="outbound-traffic-to-t1-coc"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
dstgeo.countrycode == MM OR dstgeo.countrycode == CN OR dstgeo.countrycode == ER OR dstgeo.countrycode == IN OR dstgeo.countrycode == IR OR dstgeo.countrycode == NG OR dstgeo.countrycode == KP OR dstgeo.countrycode == PK OR dstgeo.countrycode == RU OR dstgeo.countrycode == SA OR dstgeo.countrycode == SY OR dstgeo.countrycode == TJ OR dstgeo.countrycode == TM OR dstgeo.countrycode == VN
```

{% endtab %}
{% endtabs %}

### Bad Actors <a href="#bad-actors" id="bad-actors"></a>

For example, traffic to or from IP addresses with a poor reputation, botnet infrastructure, or phishing and spam senders.

#### IPs that matched an IP reputation list <a href="#ips-that-matched-an-ip-reputation-list" id="ips-that-matched-an-ip-reputation-list"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
dstiprep.count >= 1 or srciprep.count >= 1
```

{% endtab %}
{% endtabs %}

#### Outbound traffic to non-approved geographies <a href="#outbound-traffic-to-non-approved-geographies" id="outbound-traffic-to-non-approved-geographies"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcipname == PointOfSaleSystem AND (dstgeo.countrycode != US AND dstgeo.countrycode != CA)
```

{% endtab %}
{% endtabs %}

### Configuration validation or misconfiguration <a href="#configuration-validation-or-misconfiguration" id="configuration-validation-or-misconfiguration"></a>

Find traffic that should not exist between applications and systems, or drift between deployments.

#### Web application database <a href="#web-application-database" id="web-application-database"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
(srcipname == websvr && dstipname != appSvr) or (srcipname != websvr && dstipname == appSvr)
```

{% endtab %}
{% endtabs %}

### Compliance <a href="#compliance" id="compliance"></a>

Enforce compliance for specific applications or regions, or make your reporting and compliance audits easier with audit-ready proof of enforcement.

#### Detect network activity on specific ports <a href="#detect-network-activity-on-specific-ports" id="detect-network-activity-on-specific-ports"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcinternal == true && protocol == udp && (dstport == 137 OR dstport == 138 OR dstport == 139)
```

{% endtab %}
{% endtabs %}

#### Search for traffic between production environments and dev or test <a href="#search-for-traffic-between-production-environments-and-dev-or-test" id="search-for-traffic-between-production-environments-and-dev-or-test"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
tags == Production && (tags == dev or tags == test)
```

{% endtab %}
{% endtabs %}

#### Show (presumed) successful flows from the Internet to the internal network, of SSH protocol <a href="#show-presumed-successful-flows-from-the-internet-to-the-internal-network-of-ssh-protocol" id="show-presumed-successful-flows-from-the-internet-to-the-internal-network-of-ssh-protocol"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcinternal == false && dstinternal == true && bits > 300 && packets > 3 && dstport == 22
```

{% endtab %}
{% endtabs %}

#### FTP and Telnet usage <a href="#ftp-and-telnet-usage" id="ftp-and-telnet-usage"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
protocol == tcp && tcpflags.ack == true && (dstport == 21 || dstport == 23)
```

{% endtab %}
{% endtabs %}

### Discovery by port and protocol usage <a href="#discovery-by-port-and-protocol-usage" id="discovery-by-port-and-protocol-usage"></a>

#### Discover devices using SSH outbound <a href="#discover-devices-using-ssh-outbound" id="discover-devices-using-ssh-outbound"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
protocol == tcp && dstport == 22 && tcpflags.ack == true && dstinternal != true
```

{% endtab %}
{% endtabs %}

#### Discover devices sending > 100MB of data outbound <a href="#discover-devices-sending--100mb-of-data-outbound" id="discover-devices-sending--100mb-of-data-outbound"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcinternal == true AND dstinternal == false track by srcip, dstip threshold sum(bits) > x
```

{% endtab %}
{% endtabs %}

#### x11 Discovery <a href="#x11-discovery" id="x11-discovery"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
protocol == tcp and (dstport >= 6000 and dstport <= 6002)
```

{% endtab %}
{% endtabs %}

#### BitTorrent traffic discovery <a href="#bittorrent-traffic-discovery" id="bittorrent-traffic-discovery"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
protocol == tcp and (dstport >= 6881 and dstport <= 6889)
```

{% endtab %}
{% endtabs %}

#### Outbound SSH Traffic <a href="#outbound-ssh-traffic" id="outbound-ssh-traffic"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcinternal == true && dstinternal == false && dstport == 22
```

{% endtab %}
{% endtabs %}

#### Outbound Unencrypted Web traffic <a href="#outbound-unencrypted-web-traffic" id="outbound-unencrypted-web-traffic"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcinternal == true && dstinternal == false && (dstport == 80 || dstport == 8080)
```

{% endtab %}
{% endtabs %}

#### Outbound Unencrypted FTP traffic <a href="#outbound-unencrypted-ftp-traffic" id="outbound-unencrypted-ftp-traffic"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcinternal == true && dstinternal == false && (dstport == 20 || dstport == 21)
```

{% endtab %}
{% endtabs %}

#### Outbound Unencrypted Telnet traffic <a href="#outbound-unencrypted-telnet-traffic" id="outbound-unencrypted-telnet-traffic"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcinternal == true && dstinternal == false && dstport == 23
```

{% endtab %}
{% endtabs %}

#### Netbios outbound ports <a href="#netbios-outbound-ports" id="netbios-outbound-ports"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcinternal == true && dstinternal == false && (dstport == 445 || dstport == 139 || dstport == 137)
```

{% endtab %}
{% endtabs %}
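Several queries above combine `&&` with `||` to list alternative ports, and the geography query combines `!=` tests with `OR`. The following Python check, added here and not part of the Netography documentation or product, evaluates both shapes of filter over constructed flow records to show which flows each form actually selects; field names mirror the NQL fields, and the addresses and country codes are made up.

```python
# Added example (not Netography's code): evaluate flow filters over constructed
# flow records to show why port alternatives need their own parentheses and why
# "!= US OR != CA" cannot express "outside US and CA".
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    srcip: str
    dstip: str
    srcinternal: bool
    dstinternal: bool
    dstport: int
    dst_cc: str  # destination geo country code


# Constructed sample flows (RFC 5737 documentation ranges, no real observations)
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", True, False, 80, "US"),   # outbound HTTP
    Flow("10.0.0.5", "10.0.0.9", True, True, 8080, "US"),      # internal-only 8080
    Flow("203.0.113.7", "10.0.0.9", False, True, 8080, "US"),  # inbound 8080
    Flow("10.0.0.5", "198.51.100.4", True, False, 443, "CA"),  # outbound HTTPS
    Flow("10.0.0.8", "192.0.2.20", True, False, 443, "DE"),    # outbound, non-approved geo
]


def unencrypted_web_unparenthesised(f: Flow) -> bool:
    # Mirrors "srcinternal == true && dstinternal == false && dstport == 80 || dstport == 8080".
    # Under C-style precedence or plain left-to-right evaluation the final
    # "dstport == 8080" stands alone, so any 8080 flow matches regardless of direction.
    return (f.srcinternal and not f.dstinternal and f.dstport == 80) or f.dstport == 8080


def unencrypted_web_parenthesised(f: Flow) -> bool:
    # Mirrors "... && (dstport == 80 || dstport == 8080)": direction applies to both ports.
    return f.srcinternal and not f.dstinternal and f.dstport in (80, 8080)


def non_approved_geo_or(f: Flow) -> bool:
    # "dstgeo.countrycode != US OR dstgeo.countrycode != CA" is true for every flow,
    # because no single value can equal both US and CA at once.
    return f.dst_cc != "US" or f.dst_cc != "CA"


def non_approved_geo_and(f: Flow) -> bool:
    # "dstgeo.countrycode != US AND dstgeo.countrycode != CA": only non-US/CA destinations.
    return f.dst_cc not in ("US", "CA")


def matches(pred, flows=FLOWS) -> list:
    """Return the destination IPs of the flows the predicate selects, in input order."""
    return [f.dstip for f in flows if pred(f)]
```

Running `matches` with each predicate shows the unparenthesised web filter pulling in internal and inbound 8080 flows, and the `OR` geography filter selecting every flow, including those to US and CA.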

#### Dynamic port to dynamic port <a href="#dynamic-port-to-dynamic-port" id="dynamic-port-to-dynamic-port"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcinternal == true && dstinternal == false && protocol == tcp && srcport > 49151 && dstport > 49151
```

{% endtab %}
{% endtabs %}

#### Outbound encrypted DOT(853) <a href="#outbound-encrypted-dot853" id="outbound-encrypted-dot853"></a>

{% tabs %}
{% tab title="NQL" %}

```sql
srcinternal == true AND dstinternal == false AND dstport == 853
```

{% endtab %}
{% endtabs %}
