Skip to main content

Sample Network VPC Flows RQL Queries

note

The following guide will walk you through Network based on VPC Flows RQL Examples

Map all suspicious and internet traffic to resources that have discovered vulnerabilities

This query excludes resources that are expected to intercept internet and suspicious traffic from all sources

network from vpc.flow_record where source.publicnetwork IN ( 'Internet IPs', 'Suspicious IPs' )
AND dest.resource IN ( resource where role NOT IN ( 'AWS ELB', 'AWS NAT Gateway', 'AZURE ELB', 'GCP ELB' )
AND finding.type IN ( 'Host Vulnerability', 'Prisma Cloud Alert', 'Serverless Vulnerability' ) ) AND bytes > 0

Network activity with an AutoFocus Cryptomining Event

Alert triggered by Autofocus Tags being associated with network traffic

network from vpc.flow_record where bytes > 0 AND threat.source = 'AutoFocus'
AND threat.tag.group = 'Cryptominer'

Network activity with an AutoFocus Ransomware Event

Alert triggered by Autofocus Tags being associated with network traffic

network from vpc.flow_record where bytes > 0 AND threat.source = 'AutoFocus'
AND threat.tag.group = 'Ransomware'

Public traffic to workloads classified as private

Alert triggered by Autofocus Tags being associated with network traffic

network from vpc.flow_record where source.publicnetwork IN ( 'Internet IPs', 'Suspicious IPs' )
AND dest.resource IN ( resource where tag ( 'DataClassification' ) IN ( 'private' ,'Private'))