Multiple Malware Detections on a Single Host

This is a simple enough query for detecting a host with multiple infections/detections. The reason for the bucket and for searching over a longer time span (say 60m) is that I found it gives better results and fewer false negatives when the infrastructure isn't set up to ingest data in near real time.


List all fields for an index

A few different queries / methods to list all fields for indexes.

