Intelligence Queries
Build Queries in Intelligence to hunt out specific threats from log files.
Queries
Intelligence uses sophisticated queries to filter the information from cloud logs, to search for information or events of interest. These queries are built with the Governance Specification Language (GSL), equivalent to queries for Running an Assessment. You can use these queries 'out-of-the-box' to quickly visualize traffic on your cloud environments. For example,
- Inbound traffic - Shows all inbound traffic
- Rejected traffic - Shows all rejected traffic to or from your VPC
- Malicious accepted traffic - Shows traffic that was accepted by your network, that originated from malicious IP addresses (as determined by threat intelligence sources)
In addition, you can configure custom queries, to filter for specific information not covered by built-in queries.
Build Custom Queries
To create custom queries for Intelligence Traffic and Activity Explorer views, use a graphic query builder, or enter the query directly as text.
The examples below illustrate how to create queries with these methods.
This example creates a query in the Traffic Explorer view using the graphic query builder.
Rules are built up in the Rule GSL box, based on entities and operators that appear below the box. The set of entities and operators that are shown varies incrementally based on the context of the query as you develop it.
- In the query box at the top of the page, click open editor. This opens the GSL editor. The rule is built in the Rule GSL box, on the left. You build the rule incrementally: at each stage, the entities that you can select are shown below the box (based on the context of the rule as it is being built).
  On the right is a dictionary of all the entities and properties that you can select, and the data type for each (use this when you create a rule with Free Text).
- Select the cloud provider.
- Select the source (vpcfl or cloudtrail, for AWS). This is the source of the log information. For AWS accounts, vpcfl (VPC Flow Log) records are used for network queries and cloudtrail logs for account activity queries.
- Next, select a condition (where). This is the only option at this stage. After this, you can select the left parenthesis, to open a clause, or a property (of the source entity).
- Select a property from those shown (status/protocol/action/src etc.). In this example, select src. You can then select more properties, to qualify the src property.
- Select a different property to qualify src. In this example, select address, giving src.address.
- Select an operator (=, like, regexMatch) and an argument. In this example, select the function isPublicCIDR(), for which no operator is necessary. This gives the query vpcfl where src.address isPublicCIDR().
- Click OK to close the editor. The query is placed in the query box, ready to run. Select an account and a time frame for the query, and then click Run. The results show all traffic that originates from a public IP address, and appear in the Network Log Explorer view.
You can also enter the text for a query directly in the Free Text box, instead of building it from the entity lists. The steps are the same as in the earlier example:
- In the query box at the top of the page, click open editor. This opens the GSL editor.
- Enter the text of your query in the text box. For example, enter
  vpcfl where src.geolocation.countryname='China' and action='ACCEPT' or protocol isPrivateCIDR() or packets isEmpty()
  When a query mixes and and or, as this one does, group the clauses with the parentheses offered in the editor so that the intended precedence is explicit.
- Click OK to close the editor and go back to the Traffic or Events activity page. Click Run to run the query.
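To make concrete what the queries in both procedures above return, here is an added example (not Check Point code) that applies the same filters to raw AWS VPC flow log records in Python. The GSL functions isPublicCIDR() and isEmpty(), and the GSL behind the built-in Rejected traffic query, are modelled as plain predicates whose exact product definitions are assumed rather than documented on the page; the flow log lines are constructed sample data in the default (version 2) VPC flow log format.

```python
"""Re-implementation of the Intelligence queries above over raw AWS VPC flow
log records, so that the reader can see which records each query returns.

Added example, not Check Point code. isPublicCIDR(), isEmpty() and the
'Rejected traffic' built-in are modelled as Python predicates; their exact
definitions inside the product are assumed. The log lines are constructed.
"""
import ipaddress

# Field order of the default VPC flow log record format (AWS version 2).
FLOW_LOG_FIELDS = (
    "version account_id interface_id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log_status"
).split()

# Constructed sample records. The Internet-side addresses are taken from the
# RFC 5737 documentation ranges and stand in for real public sources.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.45 10.0.1.23 40123 22 6 8 640 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 10.0.2.44 51234 443 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.23 55555 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

# Assumed definition of "not public": RFC 1918, loopback, link-local and
# shared address space (CGNAT). ipaddress.is_private is deliberately not
# used because it also treats the RFC 5737 documentation ranges as private,
# which would hide the sample sources above.
NON_PUBLIC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]


def parse_flow_log(text):
    """Parse flow log lines into dicts; a '-' field becomes None (GSL isEmpty())."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split()
        if len(values) != len(FLOW_LOG_FIELDS):
            raise ValueError(f"unexpected field count {len(values)}: {line!r}")
        records.append({name: (None if v == "-" else v)
                        for name, v in zip(FLOW_LOG_FIELDS, values)})
    return records


def is_public_cidr(address):
    """Model of GSL isPublicCIDR(): an address outside NON_PUBLIC_NETWORKS."""
    if address is None:
        return False
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in NON_PUBLIC_NETWORKS)


def is_empty(value):
    """Model of GSL isEmpty(): the field was absent ('-') in the record."""
    return value is None


def run_query(records, predicate):
    """Apply one 'where' predicate, the way the explorer filters the log."""
    return [r for r in records if predicate(r)]


# vpcfl where src.address isPublicCIDR()  (the query built step by step above)
def public_source_traffic(records):
    return run_query(records, lambda r: is_public_cidr(r["srcaddr"]))


# Assumed GSL for the built-in 'Rejected traffic' query: vpcfl where action='REJECT'
def rejected_traffic(records):
    return run_query(records, lambda r: r["action"] == "REJECT")


# vpcfl where src.address isPublicCIDR() and action='ACCEPT': accepted traffic from the Internet
def accepted_from_public(records):
    return run_query(records, lambda r: is_public_cidr(r["srcaddr"]) and r["action"] == "ACCEPT")


# vpcfl where packets isEmpty(): NODATA/SKIPDATA records that carry no packet count
def empty_packet_records(records):
    return run_query(records, lambda r: is_empty(r["packets"]))


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for name, fn in [("public source", public_source_traffic),
                     ("rejected", rejected_traffic),
                     ("accepted from public", accepted_from_public),
                     ("empty packets", empty_packet_records)]:
        print(f"{name}: {[r['srcaddr'] for r in fn(recs)]}")
```

The NODATA record is the case worth noticing: every address and counter field is "-", so it matches packets isEmpty() but never isPublicCIDR(), and a query that only filters on src.address silently drops it. If you need to know that an interface produced no records in a window, query for the empty fields explicitly rather than relying on an address filter.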