Which RQL string returns all traffic destined for internet or Suspicious IPs that exceeds 1GB?

• A. Show traffic where destination.network = { 'Internet IPs', 'Suspicious IPs' } AND bytes > 1000000000
• B. Network where dest.public network IN { 'Internet IPs', 'Suspicious IPs' } AND bytes > 1000000000
• C. Network where publicnetwork = { 'Internet IPs', 'Suspicious IPs' } AND bytes > 1000000000
• D. Network where bytes > 1GB and destination = 'Internet IPs' OR 'Suspicious IPs'

Answer: (B)

The selected RQL string accurately captures the requirement to filter traffic based on two distinct criteria: the destination network and the traffic size. The phrase "dest.public network IN { 'Internet IPs', 'Suspicious IPs' }" identifies traffic targeting either 'Internet IPs' or 'Suspicious IPs', ensuring that both sets of IPs are included in the query results. Moreover, the inclusion of "AND bytes > 1000000000" ensures that only traffic exceeding 1GB is returned, precisely aligning with the requirement.

This RQL string effectively utilizes the correct syntax for defining a condition for public networks and allows for an accurate logical conjunction of the criteria: it specifies the destination networks and the required traffic volume simultaneously. The use of the "IN" operator here is also particularly effective for filtering against multiple values within a single condition.