I’m reposting this query I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article it’s a decent read.
|
1 |
search.goes.here | convert mktime(_time) as epoch | sort 0 uri_host,client_ip,epoch | delta epoch as epoch_delta | search epoch_delta>0 epoch_delta<30 | chart count over epoch_delta by uri_host |
This query will return detailed results on malware/virus remediation.
|
1 |
sourcetype="WinEventLog:System" SourceName="Microsoft Antimalware" EventCode=1117 |eval Date=strftime(_time, "%Y/%m/%d")| stats count by host, Category, Name, Severity, Date, Action_Status |
This query will return results if malware is detected, and return detailed information on the Malware detected.
|
1 |
sourcetype="WinEventLog:System" SourceName="Microsoft Antimalware" EventCode=1116 |eval Date=strftime(_time, "%Y/%m/%d")| stats count by host, Category, Name, Path, Severity, Date |
