Multiple Malware Detections on a Single Host

This is a simple enough query for detecting a host with multiple infections/detections. The reason for the bucket and for searching over a longer time span (say 60m) is that I found it to provide better results and fewer false negatives if the infrastructure isn't set up to ingest data in near real time.


Baselining Dashboard

This is a better and more flexible option than timewrap in my opinion. Performance ain't too shabby either.


IPS Traffic Increase

You can use this for any type of baselining alert built around a predefined standard deviation. I used the IDS data model, but the same logic can be applied to any random index.

You should be able to do something similar on a single sourcetype as such
