Network Flow Queries

Overview

Ariel Query Language (AQL) queries for analyzing network flows in QRadar. Each query reads from the flows table and is scoped to the last 24 hours.

Top Talkers

Hosts ranked by the total bytes they moved, with sent and received bytes and the number of flows shown separately.

SELECT
    sourceip AS "Source",
    SUM(sourcebytes) AS "Bytes Sent",
    SUM(destinationbytes) AS "Bytes Received",
    SUM(flowbytes) AS "Total Bytes",
    COUNT(*) AS "Flows"
FROM flows
GROUP BY sourceip
ORDER BY "Total Bytes" DESC
LIMIT 50
LAST 24 HOURS

External Traffic

Flows whose destination lies outside the RFC 1918 private ranges, grouped by source, destination and port and ranked by volume. The query does not restrict the source address, so the "Internal Source" column shows whatever source the flow collector recorded, including external sources if flows are collected at a perimeter interface.

SELECT
    sourceip AS "Internal Source",
    destinationip AS "External Dest",
    destinationport AS "Port",
    SUM(flowbytes) AS "Total Bytes"
FROM flows
WHERE NOT INCIDR('10.0.0.0/8', destinationip)
  AND NOT INCIDR('172.16.0.0/12', destinationip)
  AND NOT INCIDR('192.168.0.0/16', destinationip)
GROUP BY sourceip, destinationip, destinationport
ORDER BY "Total Bytes" DESC
LIMIT 100
LAST 24 HOURS
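As an added example that is not part of the original page, a variant of the External Traffic query that restricts sources to the RFC 1918 ranges, also excludes loopback, link-local and multicast destinations, and ranks each internal host by outbound bytes and the number of distinct external destinations it contacted. It assumes the flows fields used above plus the AQL UNIQUECOUNT function and HAVING clause; the 1 GB threshold is an arbitrary constructed value to tune per environment.

```sql
SELECT
    sourceip AS "Internal Source",
    SUM(sourcebytes) AS "Bytes Out",
    UNIQUECOUNT(destinationip) AS "External Destinations",
    COUNT(*) AS "Flows"
FROM flows
WHERE (INCIDR('10.0.0.0/8', sourceip)
    OR INCIDR('172.16.0.0/12', sourceip)
    OR INCIDR('192.168.0.0/16', sourceip))
  AND NOT INCIDR('10.0.0.0/8', destinationip)
  AND NOT INCIDR('172.16.0.0/12', destinationip)
  AND NOT INCIDR('192.168.0.0/16', destinationip)
  AND NOT INCIDR('127.0.0.0/8', destinationip)
  AND NOT INCIDR('169.254.0.0/16', destinationip)
  AND NOT INCIDR('224.0.0.0/4', destinationip)
GROUP BY sourceip
HAVING SUM(sourcebytes) > 1000000000
ORDER BY "Bytes Out" DESC
LIMIT 50
LAST 24 HOURS
```

A host with a large "Bytes Out" and few "External Destinations" is worth a closer look than one spreading the same volume across many destinations, which is the usual shape of normal browsing or update traffic.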