User and Network Monitoring Query Examples

27-Mar-21

Use these query examples to help you create your own user and network monitoring AQL queries.

Use the following examples to monitor your users and network, or you can edit the queries to suit your requirements.

Find Users Who Used the VPN to Access the Network from Three or More IP Addresses in a 24-hour Period

SELECT username,
UNIQUECOUNT(sourceip)
AS 'Source IP count'
FROM events
WHERE LOGSOURCENAME(logsourceid)
ILIKE '%VPN%'
AND username IS NOT NULL
GROUP BY username
HAVING "Source IP count" >= 3
ORDER BY "Source IP count"
DESC
LAST 24 HOURS

This query outputs the username and Source IP count columns.

The username column returns the names of users who used the VPN to access the network from three or more IP addresses in the last 24 hours.

Find Users Who Used the VPN from More Than One Geographic Location in 24 Hours

SELECT username, UNIQUECOUNT(geographiclocation)
AS 'Count of locations'
FROM events
WHERE LOGSOURCENAME(logsourceid)
ILIKE '%VPN%'
AND geographiclocation <> 'other location'
AND username
IS NOT NULL
GROUP BY username
HAVING "Count of locations" > 1
ORDER BY "Count of locations"
DESC
LAST 3 DAYS

This query outputs the username and Count of locations columns.

The username column returns the names of users who used the VPN from more than one location that is not called 'other location' in the last 24 hours.
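To check what the two VPN queries above actually flag before deploying them, the following added Python example (not part of the AQL Guide) reproduces their filtering, grouping, UNIQUECOUNT and HAVING logic over a small constructed set of events; the log source names, usernames, IP addresses and locations are all made up, and a username of None stands in for an AQL NULL.

```python
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "logsource username sourceip geo hours_ago")

# Constructed sample events (not real data); hours_ago is relative to "now".
EVENTS = [
    Event("Corporate VPN", "alice", "203.0.113.10", "London", 1),
    Event("Corporate VPN", "alice", "203.0.113.11", "London", 2),
    Event("Corporate VPN", "alice", "198.51.100.7", "Paris", 5),
    Event("Corporate VPN", "bob", "203.0.113.20", "Berlin", 3),
    Event("Corporate VPN", "bob", "203.0.113.21", "Hamburg", 4),
    Event("Corporate VPN", "bob", "203.0.113.21", "other location", 6),
    Event("Corporate VPN", None, "203.0.113.30", "Madrid", 1),      # NULL username
    Event("Perimeter Firewall", "dave", "203.0.113.50", "Oslo", 1),  # not a VPN log source
    Event("Corporate VPN", "eve", "203.0.113.40", "Rome", 1),
    Event("Corporate VPN", "eve", "203.0.113.41", "Rome", 2),
    Event("Corporate VPN", "eve", "203.0.113.42", "Rome", 26),       # outside LAST 24 HOURS
]

def vpn_events(events, window_hours=24):
    """WHERE LOGSOURCENAME(logsourceid) ILIKE '%VPN%' AND username IS NOT NULL ... LAST 24 HOURS."""
    return [e for e in events
            if "vpn" in e.logsource.lower()      # ILIKE matches case-insensitively
            and e.username is not None
            and e.hours_ago <= window_hours]

def unique_count_by_user(events, field, exclude=()):
    """GROUP BY username with UNIQUECOUNT(field); exclude mimics field <> 'other location'."""
    seen = defaultdict(set)
    for e in events:
        value = getattr(e, field)
        if value not in exclude:
            seen[e.username].add(value)
    return {user: len(values) for user, values in seen.items()}

def over_threshold(counts, minimum):
    """HAVING count >= minimum ORDER BY count DESC (username breaks ties deterministically)."""
    hits = [(user, count) for user, count in counts.items() if count >= minimum]
    return sorted(hits, key=lambda uc: (-uc[1], uc[0]))

def vpn_multi_ip_users(events=EVENTS, min_ips=3):
    """First query: VPN users seen from three or more source IPs in the window."""
    return over_threshold(unique_count_by_user(vpn_events(events), "sourceip"), min_ips)

def vpn_multi_location_users(events=EVENTS, min_locations=2):
    """Second query: VPN users seen from more than one location ('other location' ignored)."""
    counts = unique_count_by_user(vpn_events(events), "geo", exclude=("other location",))
    return over_threshold(counts, min_locations)
```

Note that bob is reported by the location check but not by the IP check, which is why the two queries are worth running side by side rather than treating either one as a substitute for the other.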

Monitoring Local to Remote Flow Traffic by Network

SELECT sourceip,
LONG(SUM(sourcebytes+destinationbytes))
AS TotalBytes
FROM flows
WHERE flowdirection= 'L2R'
AND NETWORKNAME(sourceip)
ILIKE 'servers'
GROUP BY sourceip
ORDER BY TotalBytes

This query outputs the sourceip and TotalBytes columns.

The TotalBytes column returns the sum of the source and destination bytes that cross from local to remote.

Monitoring Remote to Local Flow Traffic by Network

SELECT sourceip,
LONG(SUM(sourcebytes+destinationbytes))
AS TotalBytes
FROM flows
WHERE flowdirection= 'R2L'
AND NETWORKNAME(sourceip)
ILIKE 'servers'
GROUP BY sourceip
ORDER BY TotalBytes

This query outputs the sourceip and TotalBytes columns.

The TotalBytes column returns the sum of the source and destination bytes from remote to local.

Application Usage by Application Name, Users, and Flows Traffic

SELECT sourceip
AS Source_IP,
FIRST(destinationip)
AS Destination_IP,
APPLICATIONNAME(applicationid)
AS Application,
DATEFORMAT(lastpackettime, 'dd-MM-yyyy hh:m:ss')
AS 'Start Time',
FIRST(sourcebytes)
AS Source_Bytes,
ASSETUSER(sourceip, NOW()) AS Src_Asset_User
FROM flows
GROUP BY Source_IP
ORDER BY Source_Bytes DESC

This query outputs data about your asset users, application names, and flow data. Use this query to report specific user activity or application usage, or to build a variation of this query to achieve your desired results.

Location Of Assets

SELECT ASSETPROPERTY('Location',sourceip)
AS asset_location,
COUNT(*)
FROM events
GROUP BY asset_location
LAST 1 days

This query outputs the asset_location and count columns.

The asset_location column returns the location recorded for each asset, and the count column returns the number of events seen from that location in the last day.

Copying Query Examples from the AQL Guide

If you copy and paste a query example that contains single or double quotation marks from the AQL Guide, you must retype the quotation marks to be sure that the query parses.
