Threat Detection Queries

Overview

Reusable IBM QRadar AQL (Ariel Query Language) queries for common threat detection scenarios. Each query reads the flows table and is scoped to the last 24 hours; adjust the time window and port lists to your environment.

Lateral Movement

SMB Traffic (Port 445)

SELECT
    sourceip AS "Source",
    destinationip AS "Destination",
    COUNT(*) AS "Connections"
FROM flows
WHERE destinationport = 445
GROUP BY sourceip, destinationip
ORDER BY "Connections" DESC
LAST 24 HOURS

RDP Traffic

SELECT
    sourceip AS "Source",
    destinationip AS "Destination",
    COUNT(*) AS "Connections"
FROM flows
WHERE destinationport = 3389
GROUP BY sourceip, destinationip
ORDER BY "Connections" DESC
LAST 24 HOURS

WinRM/PSRemoting

SELECT
    sourceip AS "Source",
    destinationip AS "Destination",
    destinationport AS "Port",
    COUNT(*) AS "Connections"
FROM flows
WHERE destinationport IN (5985, 5986)
GROUP BY sourceip, destinationip, destinationport
ORDER BY "Connections" DESC
LAST 24 HOURS
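The three queries above each rank source/destination pairs by connection count for one port. The following Python, added here as an example and not part of the original query collection, models the same flows table as constructed records and adds the check a practitioner usually wants next: how many distinct destinations one source reaches across all of the lateral-movement ports, since a single host touching many peers on 445/3389/5985/5986 is a stronger signal than one busy pair. The flow records, thresholds and function names are assumptions for the example.

```python
"""Lateral-movement fan-out check over constructed flow records.

Added example, not part of the original query collection. It models the
flows table the AQL queries above read from as a list of tuples and adds a
per-source distinct-destination count on top of the per-pair count.
"""
from collections import defaultdict

# Ports the Lateral Movement section queries for, keyed by service name.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}

# Constructed sample flows: (sourceip, destinationip, destinationport).
# 10.1.1.5 touches five different hosts; 10.1.1.9 talks to one host a lot.
FLOWS = [
    ("10.1.1.5", "10.1.1.20", 445),
    ("10.1.1.5", "10.1.1.21", 445),
    ("10.1.1.5", "10.1.1.22", 445),
    ("10.1.1.5", "10.1.1.23", 3389),
    ("10.1.1.5", "10.1.1.24", 5985),
    ("10.1.1.9", "10.1.1.20", 445),
    ("10.1.1.9", "10.1.1.20", 445),
    ("10.1.1.9", "10.1.1.20", 445),
    ("10.1.1.9", "10.1.1.20", 445),
    ("10.1.1.9", "10.1.1.20", 445),
    ("10.1.1.9", "10.1.1.20", 445),
    ("10.1.1.7", "10.1.1.50", 443),  # not a lateral-movement port, ignored
]


def pair_counts(flows, port):
    """Equivalent of the page's per-port query: connections per (src, dst), descending."""
    counts = defaultdict(int)
    for src, dst, dport in flows:
        if dport == port:
            counts[(src, dst)] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def fanout(flows, ports=LATERAL_PORTS):
    """Distinct destinations reached per source across all lateral-movement ports."""
    dests = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ports:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def suspicious_sources(flows, min_distinct=3, ports=LATERAL_PORTS):
    """Sources whose fan-out meets the (assumed) review threshold."""
    return sorted(src for src, n in fanout(flows, ports).items() if n >= min_distinct)


if __name__ == "__main__":
    print("Top SMB pair:", pair_counts(FLOWS, 445)[0])
    print("Fan-out per source:", fanout(FLOWS))
    print("Review:", suspicious_sources(FLOWS))
```

On this sample the per-pair ranking puts 10.1.1.9 first (six connections to one file-server-like peer), while the fan-out view surfaces 10.1.1.5, which reached five different hosts with a single connection each. The AQL equivalent of the fan-out view groups by sourceip only and aggregates with UNIQUECOUNT(destinationip) over a destinationport IN (445, 3389, 5985, 5986) filter.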

Data Exfiltration

Large Outbound Transfers

SELECT
    sourceip AS "Internal",
    destinationip AS "External",
    destinationport AS "Port",
    APPLICATIONNAME(applicationid) AS "Application",
    SUM(sourceBytes) AS "Bytes Out"
FROM flows
WHERE NOT INCIDR('10.0.0.0/8', destinationip)
GROUP BY sourceip, destinationip, destinationport, applicationid
HAVING SUM(sourceBytes) > 100000000
ORDER BY "Bytes Out" DESC
LAST 24 HOURS
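The query above treats every destination outside 10.0.0.0/8 as external, so transfers to peers in 172.16.0.0/12 or 192.168.0.0/16, and flows whose source is itself external, would be summed as exfiltration. The following Python, added here as an example and not part of the original query collection, reproduces the query's aggregation over constructed flow records and shows the difference between that single-CIDR filter and an internal-to-external classification over all RFC 1918 ranges. The flow records, the RFC 1918 definition of "internal" and the function names are assumptions for the example; the 100000000-byte threshold is the one from the HAVING clause.

```python
"""Large-outbound-transfer check over constructed flow records.

Added example, not part of the original query collection. Compares the
page's 'NOT INCIDR(10.0.0.0/8, destinationip)' filter with a stricter
internal-source, external-destination classification.
"""
import ipaddress
from collections import defaultdict

THRESHOLD_BYTES = 100_000_000  # same threshold as the AQL HAVING clause

# Assumed definition of "internal": all RFC 1918 ranges, not only 10/8.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TEN_SLASH_8 = ipaddress.ip_network("10.0.0.0/8")

# Constructed flows: (sourceip, destinationip, destinationport, application, sourcebytes)
FLOWS = [
    ("10.2.3.4", "203.0.113.10", 443, "HTTPS", 60_000_000),
    ("10.2.3.4", "203.0.113.10", 443, "HTTPS", 70_000_000),       # sums to 130 MB
    ("10.2.3.4", "192.168.50.5", 445, "SMB", 500_000_000),        # internal backup peer
    ("198.51.100.7", "203.0.113.10", 443, "HTTPS", 900_000_000),  # external -> external
    ("10.9.9.9", "198.51.100.20", 22, "SSH", 10_000_000),         # below threshold
]


def is_internal(ip):
    """True if ip falls in any of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_totals(flows, naive=False):
    """Sum sourcebytes per (src, dst, port, app), like the AQL GROUP BY.

    naive=True mimics the page's filter exactly: destination not in 10/8.
    naive=False requires an internal source and a non-internal destination.
    """
    totals = defaultdict(int)
    for src, dst, port, app, sbytes in flows:
        if naive:
            selected = ipaddress.ip_address(dst) not in TEN_SLASH_8
        else:
            selected = is_internal(src) and not is_internal(dst)
        if selected:
            totals[(src, dst, port, app)] += sbytes
    return totals


def large_transfers(flows, threshold=THRESHOLD_BYTES, naive=False):
    """Groups whose byte total exceeds the threshold, largest first (the HAVING/ORDER BY)."""
    return sorted(((key, total) for key, total in outbound_totals(flows, naive).items()
                   if total > threshold),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("Page filter (naive):")
    for key, total in large_transfers(FLOWS, naive=True):
        print("  ", key, total)
    print("Internal -> external only:")
    for key, total in large_transfers(FLOWS):
        print("  ", key, total)
```

With the page's filter the result lists three groups, two of which are an internal backup to a 192.168.0.0/16 host and an external-to-external flow; the stricter classification keeps only the 130 MB HTTPS transfer from 10.2.3.4. In AQL the same tightening is an added INCIDR('10.0.0.0/8', sourceip) condition plus NOT INCIDR(...) terms for each other internal range in the WHERE clause.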