| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
    where Filesystem.action=deleted Filesystem.file_path = "/etc/ssl/certs/*" Filesystem.file_path IN ("*.pem", "*.crt")
    by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action
| `drop_dm_object_name(Filesystem)`
| rename process_guid as proc_guid
| join proc_guid, _time
    [| tstats `summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name != unknown
        by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid
    | `drop_dm_object_name(Processes)`
    | rename process_guid as proc_guid
    | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data registry_key_name action]
| table process_name process proc_guid file_name file_path action _time parent_process_name parent_process process_path dest user
Investigate by MAC, IP all VPN authentications through CISCO_ISE
Helps investigate authentications through a CISCO_ISE device. It identifies who logged in, along with the MAC address and IP, for use in any investigation.
index=<your cisco index> "<your IP>"
| rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)"
| rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)"
| rex field=_raw "(?<IP><IP regex>)"
| iplocation IP
| stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type
| rename _time as Time RequestLatency as LoadTime Acct_Status_Type as Status IP as <your choice>
| convert ctime(Time)
| fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In
Investigate an IP through Palo Alto Logs
index=<your palo alto index> <IP you want to investigate>
| stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"
| fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"
| rename client_ip as SourceIP
| fields - user session_end_reason "app:prone_to_misuse" "app:used_by_malware" "app:evasive" dest_ip
Multiple Malware Detections on a Single Host
This is a simple query for detecting a host with multiple infections/detections. The reason for the bucket and for searching over a longer time span (say 60m) is that I found it to provide better results and fewer false negatives if the infrastructure isn't set up to ingest data in near real time.
index=malware category="something_high_fidelity"
| bucket _time span=15m
| stats count by dest
| where count>=3
Malware Detection
I'm reposting this query I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article; it's a decent read.
search.goes.here
| convert mktime(_time) as epoch
| sort 0 uri_host,client_ip,epoch
| delta epoch as epoch_delta
| search epoch_delta>0 epoch_delta<30
| chart count over epoch_delta by uri_host
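The logic of that query, reproduced as an added Python example (not from the linked article or the original page) over constructed proxy events; the host names and client IPs are made up. It pairs events only within the same (uri_host, client_ip) group, which the SPL `delta` command does not do on its own, so the SPL version can also emit one stray delta at each group boundary.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy events for illustration: (timestamp, uri_host, client_ip).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00Z", "beacon.example.test", "10.0.0.5"),
    ("2024-01-01T10:00:10Z", "beacon.example.test", "10.0.0.5"),
    ("2024-01-01T10:00:20Z", "beacon.example.test", "10.0.0.5"),
    ("2024-01-01T10:00:30Z", "beacon.example.test", "10.0.0.5"),
    ("2024-01-01T10:00:40Z", "beacon.example.test", "10.0.0.5"),
    ("2024-01-01T10:05:00Z", "beacon.example.test", "10.0.0.7"),
    ("2024-01-01T10:05:12Z", "beacon.example.test", "10.0.0.7"),
    ("2024-01-01T10:00:05Z", "cdn.example.test", "10.0.0.5"),
    ("2024-01-01T10:00:05Z", "cdn.example.test", "10.0.0.5"),  # duplicate: delta 0, dropped
    ("2024-01-01T10:01:00Z", "cdn.example.test", "10.0.0.5"),  # delta 55: too slow, dropped
    ("2024-01-01T10:00:00Z", "mail.example.test", "10.0.0.9"),
    ("2024-01-01T10:00:25Z", "mail.example.test", "10.0.0.9"),
]

def to_epoch(ts):
    """Equivalent of `convert mktime(_time)`: ISO-8601 UTC string to epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())

def delta_chart(events, max_delta=30):
    """Return {uri_host: {epoch_delta: count}} for 0 < epoch_delta < max_delta.

    Mirrors: sort 0 uri_host,client_ip,epoch | delta epoch as epoch_delta
             | search epoch_delta>0 epoch_delta<30 | chart count over epoch_delta by uri_host
    but only takes deltas between consecutive events of the same (uri_host, client_ip).
    """
    rows = sorted((host, ip, to_epoch(ts)) for ts, host, ip in events)
    chart = defaultdict(lambda: defaultdict(int))
    prev = None
    for host, ip, epoch in rows:
        if prev is not None and prev[:2] == (host, ip):
            delta = epoch - prev[2]
            if 0 < delta < max_delta:
                chart[host][delta] += 1
        prev = (host, ip, epoch)
    return {h: dict(d) for h, d in chart.items()}

def beaconing_hosts(chart, min_count=3):
    """Hosts contacted at one short, repeating interval at least min_count times."""
    return sorted(h for h, d in chart.items() if max(d.values()) >= min_count)

if __name__ == "__main__":
    chart = delta_chart(SAMPLE_EVENTS)
    print(chart)            # {'beacon.example.test': {10: 4, 12: 1}, 'mail.example.test': {25: 1}}
    print(beaconing_hosts(chart))  # ['beacon.example.test']
```

A regular short interval that repeats many times (here 10 s, four times) is the signal; the single 25 s gap to the mail host is the kind of one-off the chart lets you discount.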
Microsoft Antimalware Virus Remediation Details
This query will return detailed results on malware/virus remediation.
sourcetype="WinEventLog:System" SourceName="Microsoft Antimalware" EventCode=1117
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by host, Category, Name, Severity, Date, Action_Status
Microsoft Antimalware Malware Detection Details
This query will return results if malware is detected, and return detailed information on the Malware detected.
sourcetype="WinEventLog:System" SourceName="Microsoft Antimalware" EventCode=1116
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by host, Category, Name, Path, Severity, Date