Version: 2.3

Built-in filters

Filters that have been built into the System are shown in the table below.

| Name | Description | Source | Query |
|---|---|---|---|
| Abnormal activity | The search allows for analyzing network traffic in 3-hour time periods in the context of countries, which may help to detect abnormal activity. | netflowByCountryAggr | `set sumClientBytesAndServerBytes = add(clientBytes, serverBytes) \| timeAggr dcCountry=dc(country), avgSumClientBytesAndServerBytes=avg(sumClientBytesAndServerBytes),sum1 = sum(sumClientBytesAndServerBytes), countries=join(country), mintimestamp=min(timestamp),maxtimestamp=max(timestamp) on timestamp interval="3h" \| set timestampStr=tsToStr(_bucket),mintimestampStr=tsToStr(mintimestamp),maxtimestampStr=tsToStr(maxtimestamp) \| project +avgSumClientBytesAndServerBytes as clientBytes, +countries as country, +timestampStr as timestamp, +mintimestampStr as activeTime, +maxtimestampStr as tenantId` |
| Activity on non-standard ports | The search allows for detecting suspicious ports (e.g. based on the MITRE non-standard ports list). | netflow | `lookupKeyExists("ports-suspicious", {"Port": serverPort} )` |
| Bottom Client IPs | The search displays the least common client IP addresses, which helps to identify potential bad hosts. | netflow | `aggr countClientIp=count(clientIp) by clientIp unwind=true \| sort countClientIp asc \| limit 10 \| project +clientIp, +countClientIp as flows` |
| Brute Force - SSH | The search allows for detecting a brute force attack against SSH services. | netflow | `(serverPort=22 or applicationNameNtop="SSH") \| aggr _countSessions=count(timestamp), _sumBytes=sum(add(clientBytes,serverBytes)), _sumPackets=sum(add(clientPackets,serverPackets)) by clientIp, serverIp, serverPort unwind=true \| sort _countSessions desc \| _countSessions > 50 and _sumBytes > 1000 \| project +clientIp,+serverIp,+_sumBytes as clientBytes,+_countSessions as flows,+_sumPackets as clientPackets,+serverPort` |
| Chat | The search allows for detecting chat traffic such as Signal, QQ, IRC, WhatsApp, Telegram, KakaoTalk or WeChat. | netflow | `applicationNameNtop in ["Signal","QQ","IRC","WhatsApp","Telegram","KakaoTalk","WeChat"]` |
| Cloud | The search allows for monitoring cloud traffic. | netflow | `applicationNameNtop in ["NestLogSin","Dropbox","UbuntuONE","Microsoft","GoogleDrive","MS_OneDrive","LISP","ApplePush","AmazonVideo","AmazonAWS","Salesforce","Azure","GoogleCloud","Edgecast","Cachefly"]` |
| Collaborative | The search allows for monitoring collaborative applications, such as Discord or Slack. | netflow | `applicationNameNtop in ["Discord","Slack","LotusNotes","Github","Microsoft365","Git","GoogleDocs","Teams","GitLab","GoogleClassroom"]` |
| CTI Alerts | The search allows displaying alerts detected by Sycope CTI. | alerts | `any(["CTI"], alertTags)` |
| Dangerous system | The search allows for detecting dangerous applications, such as SMBv1. | netflow | `applicationNameNtop in ["SMBv1"]` |
| Dangerous VPN | The search allows for detecting network traffic of dangerous VPNs such as Tor or HotspotShield. | netflow | `applicationNameNtop in ["Tor","HotspotShield"]` |
| Data Transfer | The search allows for monitoring applications from the Data Transfer category. | netflow | `applicationNameNtop in ["NFS","TFTP","AFP","CHECKMK","RSYNC","Crashlytics"]` |
| Database | The search allows for monitoring DB traffic. | netflow | `applicationNameNtop in ["MySQL","MongoDB","MsSQL-TDS","Oracle","Redis","DRDA","Cassandra"]` |
| DoS | The search allows for detecting denial of service attacks. | netflow | `aggr countSessions=count(timestamp), uniqueClientIPs=dc(clientIp), clientBytes=sum(clientBytes) by serverIp unwind=true \| sort countSessions desc \| project +serverIp,+countSessions as flows, +uniqueClientIPs as clientPackets, +clientBytes \| clientPackets > 200 and flows > 10000 and clientBytes >10000` |
| Exfiltration over Web Service (Cloud Storages) | The search allows for detecting data exfiltration via cloud storage services. | netflow | `httpHost in ["dropbox.com","box.com","drive.google.com","mega.io","mediafire.com"]` |
| Exfiltration over Web Service (Code Repositories) | The search allows for detecting data exfiltration via web code repositories and paste sites. | netflow | `httpHost in ["github.com","justpaste.it","pastebin.com","onpaste.com","transfernow.net","codepad.org"]` |
| External Threats | The search allows displaying external threats, that is, alerts where either the client or the server has a public address. | alerts | `(isIpPrivate(clientIp) and not isIpPrivate(serverIp)) or(not isIpPrivate(clientIp) and isIpPrivate(serverIp))` |
| Game | The search allows for monitoring traffic from the Game category. | netflow | `applicationNameNtop in ["Xbox","AmongUs","Steam","HalfLife2","WorldOfWarcraft","Armagetron","Dofus","Fiesta", "Florensia","Guildwars","MapleStory","Warcraft3","WorldOfKungFu","Nintendo","Starcraft","Playstation","CSGO","GenshinImpact","Activision","RakNet"]` |
| Horizontal Scan | The search allows for detecting many connections/flows from one host to many hosts on the same port. Such activity may indicate a horizontal scan. | netflow | `$_INT$ \| aggr _uniqueServerIps=dc(serverIp), _countSessions=count(timestamp) by clientIp, serverPort unwind=true \| sort _uniqueServerIps desc \| where _countSessions > 100 and _uniqueServerIps > 30 \| project +clientIp,+serverPort,+_countSessions as flows,+_uniqueServerIps as clientPort` |
| Internal Threats | The search allows displaying internal threats, that is, alerts where both the client and the server IP addresses are private. | alerts | `isIpPrivate(clientIp) and isIpPrivate(serverIp)` |
| IoT-Scada | The search allows for monitoring IoT/OT traffic, such as Modbus, DNP3 or IEC60870. | netflow | `applicationNameNtop in ["Modbus","DNP3","IEC60870"]` |
| Large Google Cloud Upload | This search detects large Google Drive upload traffic. Such activity may indicate a policy violation or an exfiltration attempt. | netflow | `serverAsNumber = 15169 \| aggr sumBytes=sum(add(clientBytes,serverBytes)) by serverIp, clientIp unwind=true \| sort sumBytes desc \| sumBytes > 1000000 \| project +clientIp,+serverIp,+sumBytes as clientBytes` |
| Malicious IoC | The search detects communication with malicious IoCs (IPs and domains) exceeding 20 kB. | netflow | `lookupKeyExists("sec-cti-ip-malware", {"ip": clientIp} ) OR lookupKeyExists("sec-cti-ip-malware", {"ip": serverIp}) OR lookupKeyExists("sec-cti-domain-malware-db", {"domain": dnsQuery}) \| set bytes=add(clientBytes, serverBytes) \| aggr bytes=sum(bytes) by clientIp,serverIp unwind=true \| sort bytes desc \| bytes > 20000 \| project +clientIp,+serverIp,+bytes as clientBytes` |
| Malicious IP/Host | The search allows for detecting communication to/from malicious IP addresses and domains. | netflow | `lookupKeyExists("sec-cti-ip-malware", {"ip": clientIp} ) OR lookupKeyExists("sec-cti-ip-malware", {"ip": serverIp}) OR lookupKeyExists("sec-cti-domain-malware-db", {"domain": dnsQuery})` |
| Monitor unauthorized dynDNS services | The search allows for detecting dynamic DNS services, which can be used to host malicious payloads or C2 nodes in order to bypass firewalls and other threat detection systems. There are many common dynamic DNS services, e.g. 123DDNS, AFRAID.ORG, CHANGEIP, ClouDNS, DNS Max, DNSEXIT, DNSMADEEASY, DUCKDNS, DVRLISTS, DYIP, DYN, DYNDNSS, DYNS, DYNU, DYNV6, EASTERNDNS, EASYDNS, EuroDynDNS, FREEDNS, LAVIEW, NO-IP, SECUREPOINT, SWANN, THATIP, ULTRADNS, YDNS, ZONEEDIT. The query below is an example that searches for only a few of them. | netflow | `regex(dnsQuery,".cloud.dns") or regex(dnsQuery,".dynu.net") or regex(dnsQuery,".*mywire.org")` |
| Multi-host threats | The search allows displaying multi-host threats, that is, alerts where multiple hosts could participate as either client or server. | alerts | `clientIp = null or serverIp = null` |
| Potentially Dangerous Download | The search allows for monitoring potentially dangerous download applications. | netflow | `applicationNameNtop in ["Pastebin"]` |
| Potentially Dangerous Network | The search allows for detecting potentially dangerous network traffic. | netflow | `applicationNameNtop in ["RemoteScan"]` |
| Remote Access Software | The search allows for detecting unauthorized usage of Remote Monitoring and Management software. Cybercriminals may use such software for C2 activities, so as part of threat hunting, consider analyzing anomalies related to services such as: 5938/tcp - TeamViewer; 15000/udp - Go2Assist; 5631/tcp - PCAnywhere; 5632/udp - PCAnywhere; 5650/tcp - Remote Utilities; 5655/tcp - Remote Utilities; remoteutilities.com - Remote Utilities; 6568/tcp - AnyDesk. | netflow | `(protocol ="6" and serverPort in [5938, 6568, 5650, 5655, 5631] ) or (protocol = "17" and serverPort in [15000, 5632]) or httpHost = "remoteutilities.com"` |
| Resource Hijacking | The search detects crypto-mining activity based on characteristic ports (3333, 3334, 3335, 4444, 5555, 5556, 6633, 6666, 7777, 8788, 8888, 8899, 9980, 9999, 13333, 14433, 14444, 16633, 16666). | netflow | `lookupKeyExists("sec-port-cryptomining", {"Port": serverPort }) or lookupKeyExists("sec-port-cryptomining", {"Port": clientPort })` |
| Reverse Proxy - Ngrok | The search allows for detecting connections to the reverse proxy tool Ngrok. The tool can create a secure tunnel to servers behind firewalls or on local computers that don't have a public IP address. Ngrok has been used by cybercrime groups in several campaigns, including for lateral movement and data exfiltration. | netflow | `regex(httpSite,".ngrok.")` |
| Social Networks | The search allows for monitoring social network applications. | netflow | `applicationNameNtop in ["TikTok","GooglePlus","Tumblr","Facebook","Twitter","Pinterest","Snapchat","Sina(Weibo)","Reddit","Instagram","LinkedIn","Likee","Badoo","Tencent"]` |
| Streaming | The search allows for monitoring streaming applications. | netflow | `applicationNameNtop in ["PPStream","DisneyPlus","Hulu","AppleiTunes","Pandora","Vimeo","Dazn","1kxun"]` |
| Suspicious ASN | Analyzing communication to/from suspicious ASNs should be part of the threat hunting process. A list of suspicious ASNs can be found, e.g., on the https://www.spamhaus.org/ website. | netflow | `clientAsNumber in [4134,4837,45609,36947,7713,14618, 24560, 23969 ,17557] or serverAsNumber in [4134,4837,45609,36947,7713,14618, 24560, 23969 ,17557]` |
| Suspicious Country | Analyzing communication to/from suspicious countries should be part of the threat hunting process. A list of suspicious countries can be found, e.g., on the https://www.spamhaus.org/statistics/botnet-cc/ website. | netflow | `clientCountry = "CN" or clientCountry="ID" or clientCountry="TH"` |
| Suspicious LDAP Activity | Cybercriminals may use the LDAP protocol for malicious activities, as for example in the Log4j vulnerability, so as a threat hunter consider analyzing anomalies related to this protocol, e.g. connections to/from external LDAP servers. | netflow | `($INT_EXT$ or $EXT_INT$) AND (serverPort = 636 AND protocol = 6) OR (serverPort = 389 AND protocol = 17) \| not any(serverFunction,["LDAP"])` |
| Suspicious host | The search allows for detecting suspicious hosts based on unusual network traffic characteristics (packets per flow). | netflow | `aggr _countSessions=count(timestamp), _sumPackets=sum(add(clientPackets,serverPackets)) by clientIp,serverIp unwind=true \| set _ppf=div(_sumPackets,_countSessions) \| sort _ppf,_countSessions desc \| _ppf >50 and _countSessions>100 \| project +clientIp,+serverIp,+_ppf as clientPackets,+_countSessions as flows` |
| Top Client IPs | The search displays the most common client IP addresses, which helps to identify potential abuse. | netflow | `aggr countClientIp=count(clientIp) by clientIp unwind=true \| sort countClientIp desc \| limit 10 \| project +clientIp, +countClientIp as flows` |
| Unauthorized SSH Activity (External -> Internal) | The search allows for detecting unauthorized SSH traffic from external to internal hosts. | netflow | `$EXT_INT$ and serverPort = 22 AND not any(serverFunction,["SSH"]) \| aggr _sumBytes=sum(add(clientBytes,serverBytes)) by clientIp, serverIp, serverPort unwind=true \| sort _sumBytes desc \| _sumBytes > 1000 \| project +clientIp, +serverIp, +_sumBytes as clientBytes, +serverPort` |
| Unauthorized SSH Activity (Internal -> External) | The search allows for detecting unauthorized SSH traffic from internal to external hosts. | netflow | `serverPort = 443 AND not any(serverFunction,["SSH"]) \| aggr _sumBytes=sum(add(clientBytes,serverBytes)) by clientIp, serverIp, serverPort unwind=true \| sort _sumBytes desc \| _sumBytes > 1000 \| project +clientIp, +serverIp, +_sumBytes as clientBytes, +serverPort` |
| Unauthorized SSH activity on non-standard port | The search allows for detecting SSH traffic on non-standard ports. | netflow | `applicationNameNtop = "SSH" and serverPort != 22 and not any(serverFunction,["SSH"])` |
| Vertical Scan | The search allows for detecting many connections/flows between two hosts on many ports. Such activity may indicate a vertical scan. | netflow | `$_INT$ \| aggr _countUniqueServerPorts=dc(serverPort), _countSessions=count(timestamp) by clientIp, serverIp unwind=true \| sort _countSessions desc, _countUniqueServerPorts desc \| where _countUniqueServerPorts > 30 and _countSessions > 200 \| project +clientIp,+serverIp,+_countSessions as flows,+_countUniqueServerPorts as serverPort` |
| Video | The search allows for monitoring video traffic. | netflow | `applicationNameNtop in ["Zattoo","Sopcast","TVUplayer","QQLive","PS_VUE","NetFlix","Zoom","Twitch","IFLIX"]` |
| VirtAssistant | The search allows for detecting virtual assistants. | netflow | `applicationNameNtop in ["AmazonAlexa","AppleSiri"]` |
| VoIP | The search allows for monitoring VoIP applications. | netflow | `applicationNameNtop in ["SkypeCall","WhatsAppCall","MGCP","IAX","SIP","TruPhone","Skype_Teams","Webex","Viber","Tuenti","H323","NOE","TeamSpeak","CiscoSkinny","RTCP","Megaco","KakaoTalk_Voice","IMO","SnapchatCall","FacebookVoip","SignalVoip","Fuze","GoTo"]` |
| VPN | The search allows for monitoring VPN traffic. | netflow | `applicationNameNtop in ["PTTP","OpenVPN","CiscoVPN","WireGuard","TINC","FortiClient","iCloudPrivateRelay","Softether"]` |