IQL query examples
Insight Query Language Basics
| Query | IQL |
|---|---|
| Filter by event type | <event-type>:<field> <operator> <value>: dns:dst.ip = 8.8.8.8 |
| Add a clause | <clause> <structural operator> <clause>: dns:dst.ip = 8.8.8.8 and dst.port = 53 |
| Add an aggregation | <clause> group by <aggregation field>: dns:dst.ip = 8.8.8.8 and dst.port = 53 group by query.domain |
DCE-RPC Examples
| Query | IQL |
|---|---|
| Search for RPC service creation (SVCCTL CreateServiceA/W, as used for remote service execution) | dce_rpc:dce_rpc_operation like '%CreateService%' |
| Search for RPC scheduled task registration | dce_rpc:dce_rpc_operation = 'SchRpcRegisterTask' |
DNS Examples
| Query | IQL |
|---|---|
| Search for long DNS queries (external resolver only) | dst.internal = false and dns:query.domain matches '[0-9a-zA-Z\.\-]{75,}' group by query.domain |
| Search for long DNS TXT records | dns:qtype_name = 'TXT' and dns:query.domain matches '.{100,}' and dns:answers matches '.{100,}' |
HTTP Examples
| Query | IQL |
|---|---|
| Search for direct-to-IP HTTP POST (Host header is an IP, external destination) | http:host.ip != null and method = 'POST' and dst.internal = false |
| Search for deprecated Windows versions by User-Agent | src.internal = true and http:user_agent matches '.*Windows (XP\|2000\|2003\|NT [45]).*' |
Flow Examples
| Query | IQL |
|---|---|
| Search for top outbound services by data sent | src.internal = true and dst.internal = false and flow:service != null group by service, sum(total_ip_bytes) |
| Search for outbound connections using administrative protocols | src.internal = true and dst.internal = false and flow:service in ("ftp","ssh","rdp") group by service, dst.asn.asn_org |
FTP Examples
| Query | IQL |
|---|---|
| Search for executable files over FTP | ftp_arg matches '.*[Ee][Xx][Ee]' |
Kerberos Examples
| Query | IQL |
|---|---|
| Search for Kerberos login attempts on revoked (disabled or locked-out) accounts | kerberos:error_msg = 'KDC_ERR_CLIENT_REVOKED' |
NTLM Examples
| Query | IQL |
|---|---|
| Search for NTLM authentication by admin-named accounts | ntlm:username matches '.*[Aa]dmin.*' group by username, src.ip |
| Search for NTLM authentication failing on disabled, expired, locked-out, restricted or non-existent accounts | ntlm_status in ('ACCOUNT_DISABLED', 'ACCOUNT_EXPIRED', 'ACCOUNT_LOCKED_OUT', 'ACCOUNT_RESTRICTION', 'INVALID_WORKSTATION', 'NO_SUCH_USER') |
PE Examples
| Query | IQL |
|---|---|
| Search for recently compiled, non-GUI executable files | pe:compile_timestamp > t'2020-01-01T00:00:00.000Z' and subsystem != 'WINDOWS_GUI' group by file.name |
RDP Examples
| Query | IQL |
|---|---|
| Search for unencrypted RDP traffic | rdp:src.internal = true and result != 'Success' and result != 'encrypted' group by dst.ip |
SMB Examples
| Query | IQL |
|---|---|
| Search for SMB access to temporary paths | smb_file:files.smb_path.path matches '.*[Tt][Ee][Mm][Pp].*' |
| Search for SMB access to filenames containing "password" | smb_file:files.name matches ".*\\[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd][^\\]+\.[a-zA-Z]{2,4}" group by files.name |
| Search for hosts with accessible C$ shares | smb_mapping:smb_path.share = 'C$' group by smb_path.system |
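The "password" filename regex from the SMB example, applied to constructed file names as an added example (not from the original page or from Rapid7) to show what it does and does not match: as written it requires a backslash immediately before "password" and at least one character between "password" and the extension, so a file named exactly password.txt is not caught. The relaxed pattern at the end is a hypothetical alternative, not from the page. Assumptions: the pattern reaches the regex engine as written (\\ is one literal backslash) and IQL matches anchors the regex to the whole value.

```python
import re

# The regex from the SMB "password" filename example, as a Python raw string.
# Assumption: IQL hands the pattern to the regex engine as written, so '\\' is a
# literal backslash and '[^\\]+' is one or more non-backslash characters.
PASSWORD_FILE = re.compile(r".*\\[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd][^\\]+\.[a-zA-Z]{2,4}")

# Hypothetical relaxed variant (not from the page): no separator required before
# 'password', zero or more characters allowed before the extension, case-insensitive.
PASSWORD_FILE_RELAXED = re.compile(r"(?i).*(^|\\)password[^\\]*\.[a-z]{2,4}")

# Constructed sample file names (not from any real share).
SAMPLE_FILE_NAMES = [
    r"\\fs01\it\passwords.xlsx",
    r"\\fs01\it\password-list.txt",
    r"C:\Users\bob\Desktop\Passwords_2020.docx",
    r"\\fs01\it\password.txt",       # nothing between 'password' and the dot: page regex misses it
    r"passwords.txt",                # no backslash before 'password': page regex misses it
    r"\\fs01\it\passwords.backup",   # extension longer than four letters: neither pattern matches
]


def password_files(names, pattern=PASSWORD_FILE):
    """Return the names the pattern matches, assuming IQL 'matches' anchors the
    regex to the whole value (which is why the page's pattern starts with '.*')."""
    return [n for n in names if pattern.fullmatch(n)]


if __name__ == "__main__":
    print("page regex   :", password_files(SAMPLE_FILE_NAMES))
    print("relaxed regex:", password_files(SAMPLE_FILE_NAMES, PASSWORD_FILE_RELAXED))
```

Run it and the first three names match the page's pattern while password.txt and a bare passwords.txt do not; the relaxed variant picks those two up as well. Whether the bare-filename case matters depends on whether files.name carries the path within the share or only the leaf name, which is worth checking against your own data before relying on the stricter pattern.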
SMTP Examples
| Query | IQL |
|---|---|
| Search for internal hosts sending SMTP directly to external addresses (expected only from mail servers) | smtp:src.internal = true and dst.internal = false group by src.ip |
SSH Examples
| Query | IQL |
|---|---|
| Search for successful outbound SSH sessions by server version (to spot rare or unknown servers) | ssh:auth_success = true and dst.internal = false and src.internal = true group by server |
SSL Examples
| Query | IQL |
|---|---|
| Search for deprecated SSL/TLS versions | ssl:version in ('SSLv2', 'SSLv3', 'TLSv10', 'TLSv11') |
| Search for certificates issued by "localhost" (a common default in self-signed certificates) | ssl:issuer matches '.*[Ll][Oo][Cc][Aa][Ll][Hh][Oo][Ss][Tt].*' |
X509 Examples
| Query | IQL |
|---|---|
| Search for expired X.509 certificates (replace the timestamp with the current date) | x509:valid_end < t'2020-03-03T00:00:00.000Z' |