Share your LEQL query tips and tricks!

Within InsightIDR, you can use LEQL queries to search through your logs, create custom alerts, and power your dashboards. With so many different uses for LEQL, the Rapid7 team is looking into how we can make LEQL easier to use all around and we want to hear about the different ways that you use LEQL.

  • What are some LEQL queries that you have been using frequently?
  • What does querying help you to accomplish?
  • What types of LEQL queries would you like to see included in InsightIDR?
  • Is there anything that has tripped you up while using LEQL?
  • Do you have any tips for new LEQL users?
1 Like

Here’s a handy query I’ve used for identifying Private IPs:
where(source_ip = IP(192.168.0.0/16) OR source_ip = IP(172.16.0.0/12) OR source_ip = IP(10.0.0.0/8) OR source_ip = IP(169.254.0.0/16))

Reverse the logic above to get public IPs.

One cool improvement (just brainstorming here) to LEQL and the log search experience would be the ability to create and save user-defined functions that could be used elsewhere in the app. Something like:
define_function(is_private_ip(ip_address) where(ip_address = IP(192.168.0.0/16) OR ip_address = IP(172.16.0.0/12) OR ip_address = IP(10.0.0.0/8) OR ip_address = IP(169.254.0.0/16)))

Then you could write the query above like:
where(is_private_ip(source_ip))

Micah

3 Likes
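As an added example (not part of Micah's post or of InsightIDR), the Python below applies the same four CIDR ranges as the where() clause above to constructed newline-delimited JSON events, using the standard ipaddress module for the IP() style match. It also shows what "reverse the logic" yields: anything outside the four ranges, including a loopback address and an address just past the 172.16.0.0/12 boundary, lands in the public bucket, and an unparseable source_ip matches neither side.

```python
import ipaddress
import json

# The same four CIDR ranges Micah's LEQL where() clause matches with IP().
PRIVATE_RANGES = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed sample events (not real InsightIDR log data), one JSON object per line.
SAMPLE_LOG = """\
{"source_ip": "10.20.30.40", "user": "alice"}
{"source_ip": "172.31.255.1", "user": "bob"}
{"source_ip": "172.32.0.1", "user": "carol"}
{"source_ip": "203.0.113.9", "user": "dave"}
{"source_ip": "127.0.0.1", "user": "svc"}
{"source_ip": "not-an-ip", "user": "erin"}
"""

def is_private_ip(ip_text):
    """True/False for the four-range predicate; None if ip_text is not an IP address."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # an IP() comparison would simply not match such a value
    return any(addr in net for net in PRIVATE_RANGES)

def split_by_scope(log_text):
    """Return (private_events, public_events); 'public' is the reversed predicate."""
    private, public = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = is_private_ip(event.get("source_ip", ""))
        if verdict is True:
            private.append(event)
        elif verdict is False:
            public.append(event)  # includes 127.0.0.1: loopback is not in the four ranges
    return private, public

if __name__ == "__main__":
    priv, pub = split_by_scope(SAMPLE_LOG)
    print("private:", [e["source_ip"] for e in priv])
    print("public:", [e["source_ip"] for e in pub])
```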