NDR Queries

View each row of an NDR FLOW based detection -- NAME: NDR - Detection Details (FLOW BASED) -- CATEGORY: NDR -- DESCRIPTION: Examine the detection context for flow based detections and provide context and investigation actions -- VARIABLE $$Message...

-- NAME: NDR - Top 100 most trafficked hostnames -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying the top 100 most trafficked hostnames by traffic volume -- SOURCE: Data Lake -- VARIABLE $$Destination IP Address$$ IP ADDRESS -- VARIABLE $...

-- QUERY NAME: NDR Report with last execution time -- CATEGORY: All queries, NDR -- DESCRIPTION: List the available NDR reports and the most current report execution time -- SOURCE: Data Lake -- VARIABLE $$Report Name$$ STRING SELECT DISTINCT...

-- NAME: NDR - Protocol Report (BARS) -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying protocols used and how often -- NOTE: avg_pcr is the Producer Consumer Ratio (PCR) (-1 Pure Push to +1 Pure Pull) -- NOTE: mac_addresses is a list of...

-- NAME: NDR - Devices generating most network traffic (BARS) -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying the top 100 talkers on a network. -- Fields are ip: the private IP address of the machine, total_bytes: the total number of bytes...

This query provides a human readable description of an NDR FLOW based detection. You can use a wild card % to see all detections in a time range or pivot directly to the query from the 'message_id' field of the flow detection record. -- NAME: NDR...

-- NAME: NDR - Top Clusters (BARS) -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying the clusters with the most traffic in bytes. -- A cluster is a group of flows defined by their shared values for src_ip, dest_ip, dest_port, protocol, app_protocol...

-- NAME: NDR - Top 10 hosts for each protocol seen -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying all used application protocols on the network and the top five hosts using each -- SOURCE: Data Lake -- VARIABLE $$Application Protocol...

-- NAME: NDR - MAC IP correlation -- DESCRIPTION: Detection for identifying all the IP addresses associated with a given MAC address -- Excludes :: and 0.0.0.0 -- The query also checks for the MAC Address in the data lakes XDR Data to determine if...

-- NAME: NDR - Number of Monitored Hosts -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying the number of private, public, and unknown hosts being monitored by -- SOURCE: Data Lake -- VARIABLE $$Category$$ STRING WITH NDR_Data AS ( ...