malware Archives -

Investigate by MAC, IP all VPN authentications through CISCO_ISE

Helps to investigate authentications through CISCO_ISE device. This identifies who logs in, the MAC address and IP for any use cases

index=<your cisco index> "<your IP>"
|rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)" |rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)" 
|rex field=_raw "(?<IP><IP regex>)" 
|iplocation IP
|stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type
|rename _time as Time RequestLatency as LoadTime Acct_Status_Type as Status IP as <your choice> |convert ctime(Time)
|fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In

index=<your cisco index> "<your IP>"

|rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)" |rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)"

|rex field=_raw "(?<IP><IP regex>)"

|iplocation IP

|stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type

|rename _time as Time RequestLatency as LoadTime Acct_Status_Type as Status IP as <your choice> |convert ctime(Time)

|fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In

Continue Reading →

Investigate an IP through Palo Alto Logs

index=
<strong><your palo alto index> <IP you want to investigate></strong>
|stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"
|rename client_ip as SourceIP |fields - user session_end_reason "app:prone_to_misuse" "app:used_by_malware" "app:evasive" dest_ip

index=

|stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"

|rename client_ip as SourceIP |fields - user session_end_reason "app:prone_to_misuse" "app:used_by_malware" "app:evasive" dest_ip

Continue Reading →

Multiple Malware Detections on a Single Host

This is a simple enough query for detecting a host with multiple infections/detections. The reason for the bucket and incorporating a search over a longer time span (say 60m) is I found it to provide better results and less false negatives if the infrastructure isn’t setup to ingest data in near real-time.

index=malware category="something_high_fidelity" | bucket _time span=15m | stats count by dest | where count>=3

1	index=malware category="something_high_fidelity" \| bucket _time span=15m \| stats count by dest \| where count>=3

Continue Reading →

Malware Detection

I’m reposting this query I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article it’s a decent read.

search.goes.here | convert mktime(_time) as epoch | sort 0 uri_host,client_ip,epoch | delta epoch as epoch_delta | search epoch_delta>0 epoch_delta<30 | chart count over epoch_delta by uri_host

1	search.goes.here \| convert mktime(_time) as epoch \| sort 0 uri_host,client_ip,epoch \| delta epoch as epoch_delta \| search epoch_delta>0 epoch_delta<30 \| chart count over epoch_delta by uri_host

Continue Reading →

Microsoft Antimalware Virus Remediation Details

This query will return detailed results on malware/virus remediation.

sourcetype="WinEventLog:System" SourceName="Microsoft Antimalware" EventCode=1117 |eval Date=strftime(_time, "%Y/%m/%d")| stats count by host, Category, Name, Severity, Date, Action_Status

1	sourcetype="WinEventLog:System" SourceName="Microsoft Antimalware" EventCode=1117 \|eval Date=strftime(_time, "%Y/%m/%d")\| stats count by host, Category, Name, Severity, Date, Action_Status

Continue Reading →

Microsoft Antimalware Malware Detection Details

This query will return results if malware is detected, and return detailed information on the Malware detected.

sourcetype="WinEventLog:System" SourceName="Microsoft Antimalware"  EventCode=1116 |eval Date=strftime(_time, "%Y/%m/%d")| stats count by host, Category, Name, Path, Severity, Date

1	sourcetype="WinEventLog:System" SourceName="Microsoft Antimalware" EventCode=1116 \|eval Date=strftime(_time, "%Y/%m/%d")\| stats count by host, Category, Name, Path, Severity, Date

Continue Reading →

Tag: malware

Investigate by MAC, IP all VPN authentications through CISCO_ISE

Investigate an IP through Palo Alto Logs

Multiple Malware Detections on a Single Host

Malware Detection

Microsoft Antimalware Virus Remediation Details

Microsoft Antimalware Malware Detection Details