This is a simple enough query for detecting a host with multiple infections/detections. The reason for the bucket and incorporating a search over a longer time span (say 60m) is I found it to provide better results and less false negatives if the infrastructure isn’t setup to ingest data in near real-time.
|
1 |
index=malware category="something_high_fidelity" | bucket _time span=15m | stats count by dest | where count>=3 |
I’m reposting this query I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article it’s a decent read.
|
1 |
search.goes.here | convert mktime(_time) as epoch | sort 0 uri_host,client_ip,epoch | delta epoch as epoch_delta | search epoch_delta>0 epoch_delta<30 | chart count over epoch_delta by uri_host |
This query will return detailed results on malware/virus remediation.
|
1 |
sourcetype="WinEventLog:System" SourceName="Microsoft Antimalware" EventCode=1117 |eval Date=strftime(_time, "%Y/%m/%d")| stats count by host, Category, Name, Severity, Date, Action_Status |
This query will return results if malware is detected, and return detailed information on the Malware detected.
|
1 |
sourcetype="WinEventLog:System" SourceName="Microsoft Antimalware" EventCode=1116 |eval Date=strftime(_time, "%Y/%m/%d")| stats count by host, Category, Name, Path, Severity, Date |
