a guest
Jan 25th, 2020

---------------------------------
WINDOWS USECASES
------------------------------

Duration of login and logout (same user on the same system: time between login and logout)

index=* sourcetype="WMI:WinEventLog:Security" (EventCode=4624 OR EventCode=4634) (Logon_Type=2 OR Logon_Type=10)
| eval Date=strftime(_time, "%Y/%m/%d")
| eval "Start&End"=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop")
| transaction host user session_id startswith="EventCode=4624" endswith="EventCode=4634" maxevents=2
| eval Duration=round(duration/60, 2)
| dedup host, user, "Start&End"
| table src_ip, host, user, LogonType, Duration, Date, "Start&End"
| rename Duration as "Session in Minutes"
| sort Date

More than 10 successful logins on one system from different user accounts (time span of 60 minutes)

index=* sourcetype="WMI:WinEventLog:Security" EventCode=4624 (Logon_Type=2 OR Logon_Type=10) | bucket _time span=60m | stats values(user) AS UserName dc(user) AS User_Count by _time, host | where User_Count>10 | table _time UserName host User_Count

Single user logged in to more than 5 systems at the same time (30 minutes)

index=* sourcetype="WMI:WinEventLog:Security" EventCode=4624 (Logon_Type=2 OR Logon_Type=10) | bucket _time span=30m | stats values(host) AS HostName dc(host) AS Host_Count by _time, user | where Host_Count>5 | table _time user HostName Host_Count

Successful logins on hosts in a 1 day time period

index=* EventCode=4624 | stats values(Workstation_Name) AS Source count by host | table Source host count | rename host AS Destination | sort -count

Failed logins on hosts in a 1 day time period

index=* EventCode=4625 | stats values(Workstation_Name) AS Source count by host | table Source host count | rename host AS Destination | sort -count

Brute force attempt (the threshold of 7 is for visualization purposes only)

index=* EventCode=4625 | stats count by Account_Name Failure_Reason Logon_Type | where count > 7

More than 2 login failures from the same user in 1 day

index=* EventCode=4625 | stats count by Account_Name Failure_Reason Logon_Type | where count > 2

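The two building blocks of the Windows searches above are the 4624/4634 pairing (the transaction command) and the time-bucketed distinct count (bucket plus stats dc(...) by _time, host). The Python below is an added example, not part of the paste, that reimplements both over constructed sample events; the field names mirror the Splunk ones (EventCode, Logon_Type, host, user, session_id, src_ip) and the records are made up.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample Security events (made up for this example, not real logs).
# Field names mirror the Splunk fields the searches use.
EVENTS = [
    {"_time": "2020-01-25 08:00:00", "EventCode": 4624, "Logon_Type": 2,
     "host": "WS01", "user": "alice", "session_id": "0x1A", "src_ip": "10.0.0.5"},
    {"_time": "2020-01-25 08:20:00", "EventCode": 4624, "Logon_Type": 10,
     "host": "WS01", "user": "bob", "session_id": "0x2B", "src_ip": "10.0.0.9"},
    {"_time": "2020-01-25 08:25:00", "EventCode": 4624, "Logon_Type": 3,
     "host": "WS01", "user": "svc", "session_id": "0x3C", "src_ip": "10.0.0.2"},
    {"_time": "2020-01-25 08:45:30", "EventCode": 4634, "Logon_Type": 2,
     "host": "WS01", "user": "alice", "session_id": "0x1A"},
    {"_time": "2020-01-25 09:05:00", "EventCode": 4634, "Logon_Type": 2,
     "host": "WS02", "user": "carol", "session_id": "0x4D"},
]

# Logon_Type=2 OR Logon_Type=10, with the labels the eval case() assigns
INTERACTIVE = {2: "Local Console Access", 10: "Remote Desktop"}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def session_durations(events):
    """Pair each 4624 with the following 4634 for the same (host, user, session_id),
    like `transaction host user session_id startswith=... endswith=... maxevents=2`.
    A logon with no logoff (bob) and a logoff with no logon (carol) produce no row."""
    open_sessions = {}
    rows = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["Logon_Type"] not in INTERACTIVE:  # drop network/service logons
            continue
        key = (ev["host"], ev["user"], ev["session_id"])
        if ev["EventCode"] == 4624:
            open_sessions[key] = ev
        elif ev["EventCode"] == 4634 and key in open_sessions:
            start = open_sessions.pop(key)
            minutes = (parse_time(ev["_time"]) - parse_time(start["_time"])).total_seconds() / 60
            rows.append({
                "src_ip": start.get("src_ip"),
                "host": ev["host"],
                "user": ev["user"],
                "LogonType": INTERACTIVE[start["Logon_Type"]],
                "Session in Minutes": round(minutes, 2),  # eval Duration=round(duration/60, 2)
                "Start": start["_time"],
                "End": ev["_time"],
            })
    return rows


def bucket(ts, span_minutes):
    """Floor a timestamp to a span boundary, like `bucket _time span=<N>m`."""
    epoch = int(parse_time(ts).timestamp())
    return epoch - epoch % (span_minutes * 60)


def distinct_users_per_host(events, span_minutes=60, threshold=10):
    """`bucket _time span=60m | stats dc(user) AS User_Count by _time, host | where User_Count>threshold`.
    Grouping by the bucket as well as the host is what gives the span any effect; grouping
    by host alone would count distinct users over the whole search window instead."""
    users = defaultdict(set)
    for ev in events:
        if ev["EventCode"] == 4624 and ev["Logon_Type"] in INTERACTIVE:
            users[(bucket(ev["_time"], span_minutes), ev["host"])].add(ev["user"])
    return {k: sorted(v) for k, v in users.items() if len(v) > threshold}


if __name__ == "__main__":
    for row in session_durations(EVENTS):
        print(row)
    # threshold lowered to 1 so the tiny sample produces a hit
    print(distinct_users_per_host(EVENTS, span_minutes=60, threshold=1))
```

With the sample data only alice's session closes (45.5 minutes); bob's open session and carol's orphan logoff are dropped, which is also what maxevents=2 with both startswith and endswith does in Splunk.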
------------------------------------------------------------------------------------
FIREWALL/NETWORK USECASES
--------------------------------------------------------------------------------------
MS networking worm
index=* sourcetype=firewall | bucket _time span=1m | where match(dest_port, "^(445|139|137|135)$") | stats dc(dest_ip) values(dest_ip) by src_ip, _time
SMTP mass mailer
index=* sourcetype=firewall | search dest_port=25 | stats dc(dest_ip) AS destination values(dest_port) values(dest_ip) by src_ip | where destination > 5
IRC connections
index=* sourcetype=firewall | where match(dest_port, "^(6667|6668|6669|6697)$") | stats count by action, src_ip dest_ip src_port dest_port | sort -count
DNS flood
index=* sourcetype=firewall | bucket _time span=1m | search dest_port=53 | stats sum(bytes_in) sum(packets_in) count by src_ip dest_ip dest_port src_port, _time | sort -count
Large DNS response
index=* sourcetype=firewall | search dest_port=53 | where bytes_in>512 | stats sum(packets_in) count by bytes_in src_ip dest_ip dest_port src_port | sort -count
DNS requests to external network
index=* sourcetype=firewall | search dest_port=53 | stats count by src_ip dest_ip action src_port | sort -count
P2P traffic
index=* sourcetype=firewall | bucket _time span=1m | where match(dest_port, "^(4662|4672|6257|6346|6347|6699|688[1-9]|6969)$") | stats dc(dest_ip) values(dest_port) values(dest_ip) by src_ip, _time
Production IPs communicating to external IPs
index=* sourcetype=firewall NOT (dest_ip=192.168.* OR dest_ip=10.*) | stats dc(dest_ip) AS dest_count values(dest_port) values(dest_ip) by src_ip | sort -dest_count
Backdoor communication on well known proxy port
index=* sourcetype=FIREWALL | search dest_port=3128 | stats dc(dest_ip) AS dest_count values(dest_port) values(dest_ip) by src_ip | sort -dest_count

Check for suspicious ICMP traffic

index=* sourcetype=firewall (proto=icmp OR protoid=1) | eval size=bytes_in/packets_in | where size > 200 | stats values(packets_in) values(size) AS sizeofpacket by src_ip src_hostname dest_ip dest_hostname src_port dest_port | sort -sizeofpacket

Identify unusual protocol occurrences or volumes

index=* sourcetype=firewall NOT (protoid=6 OR protoid=17 OR protoid=1 OR protoid=89 OR protoid=41) | stats values(src_ip) values(dest_ip) sum(bytes_in) as Bytes by protoid

Ping sweep
index=* (proto=icmp OR protoid=1) | bucket _time span=1m | stats values(dest_ip) AS dstip dc(dest_ip) AS ipscan by src_ip, _time | where ipscan>20

Large DNS response

index=* sourcetype=firewall src_port=53 | where bytes_in>512 | stats sum(packets_in) by bytes_in src_ip src_hostname dest_ip dest_hostname | sort -bytes_in

Database ping sweep detection
index=* sourcetype=firewall | where match(dest_port, "^(1433|1521|3306)$") | bucket _time span=1m | stats dc(dest_ip) AS connections values(dest_port) values(dest_ip) by src_ip, _time | sort -connections | where connections > 50

Port scan
index=* | bucket _time span=1m | stats dc(dest_port) AS PortsScanned by src_ip, dest_ip, _time | where PortsScanned>300 | dedup src_ip, PortsScanned

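The worm, P2P, ping sweep and port scan searches above all have the same shape: bucket time into one-minute slots, then count distinct destinations (or destination ports) per source and compare against a threshold. The Python below is an added example, not part of the paste, that runs that logic over constructed key=value firewall lines (field names src_ip, dest_ip, dest_port, protoid and action are assumed to match the searches). It also shows why a port range such as 6881-6889 cannot be written literally inside the match() regex: the range has to be expanded into an alternation.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in key=value form (made up for this example, not real traffic).
FIREWALL_LOG = """\
time=2020-01-25T10:00:01 src_ip=10.0.0.7 dest_ip=10.0.1.1 dest_port=445 protoid=6 action=allowed
time=2020-01-25T10:00:02 src_ip=10.0.0.7 dest_ip=10.0.1.2 dest_port=445 protoid=6 action=allowed
time=2020-01-25T10:00:03 src_ip=10.0.0.7 dest_ip=10.0.1.3 dest_port=139 protoid=6 action=blocked
time=2020-01-25T10:00:04 src_ip=10.0.0.7 dest_ip=10.0.1.4 dest_port=6885 protoid=6 action=allowed
time=2020-01-25T10:00:30 src_ip=10.0.0.9 dest_ip=10.0.1.10 dest_port=22 protoid=6 action=allowed
time=2020-01-25T10:00:31 src_ip=10.0.0.9 dest_ip=10.0.1.10 dest_port=23 protoid=6 action=blocked
time=2020-01-25T10:00:32 src_ip=10.0.0.9 dest_ip=10.0.1.10 dest_port=80 protoid=6 action=allowed
time=2020-01-25T10:01:05 src_ip=10.0.0.9 dest_ip=10.0.1.10 dest_port=443 protoid=6 action=allowed
"""


def parse_events(text):
    """Turn key=value lines into dicts; the destination port becomes an int."""
    events = []
    for line in text.splitlines():
        ev = dict(kv.split("=", 1) for kv in line.split())
        ev["dest_port"] = int(ev["dest_port"])
        events.append(ev)
    return events


def minute_bucket(ts):
    """`bucket _time span=1m` on an ISO timestamp: keep YYYY-MM-DDTHH:MM."""
    return ts[:16]


def port_set(spec):
    """Expand a spec like '6346-6347,6881-6889' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def port_regex(ports):
    """Build the alternation that `match(dest_port, ...)` needs, one entry per port."""
    return re.compile("^(" + "|".join(str(p) for p in sorted(ports)) + ")$")


def literal_range_matches(port):
    """The pitfall: a range written as a regex literal matches only the text '6881-6889'."""
    return re.match(r"^(6881-6889)$", str(port)) is not None


def sweep(events, threshold):
    """dc(dest_ip) by src_ip, _time | where > threshold (ping sweep / worm-spread shape)."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["src_ip"], minute_bucket(ev["time"]))].add(ev["dest_ip"])
    return {k: len(v) for k, v in seen.items() if len(v) > threshold}


def port_scan(events, threshold):
    """dc(dest_port) by src_ip, dest_ip, _time | where > threshold. Because the bucket is part
    of the key, the 10:01 connection does not add to the 10:00 count."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["src_ip"], ev["dest_ip"], minute_bucket(ev["time"]))].add(ev["dest_port"])
    return {k: len(v) for k, v in seen.items() if len(v) > threshold}


def port_hits(events, ports):
    """dc(dest_ip) by src_ip for connections to a watched port set (worm / P2P / IRC lists)."""
    seen = defaultdict(set)
    for ev in events:
        if ev["dest_port"] in ports:
            seen[ev["src_ip"]].add(ev["dest_ip"])
    return {k: len(v) for k, v in seen.items()}


WORM_PORTS = port_set("445,139,137,135")
P2P_PORTS = port_set("4662,4672,6257,6346-6347,6699,6881-6889,6969")

if __name__ == "__main__":
    evs = parse_events(FIREWALL_LOG)
    print("sweep:", sweep(evs, 2))            # thresholds lowered for the small sample
    print("port scan:", port_scan(evs, 2))
    print("worm ports:", port_hits(evs, WORM_PORTS))
    print("p2p regex:", port_regex(P2P_PORTS).pattern)
```

The thresholds in the paste (20 hosts, 300 ports) are per one-minute bucket, which is what the grouping by _time enforces; without it, a slow scan spread over hours would be counted as one large number and a burst would be indistinguishable from steady background traffic.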
Check responses or downloads
index=* sourcetype=firewall | where src_port < 1024 AND dest_port > 1023 | stats sum(bytes_in) as Bytes by src_port, dest_port | eval MB=Bytes/(1024*1024) | rename src_port as Source, dest_port as Destination | table Source, Destination, MB | sort -MB

Check requests or uploads

index=* sourcetype=firewall | where dest_port < 1024 AND src_port > 1023 | stats sum(bytes_in) as Bytes by src_port, dest_port | eval MB=Bytes/(1024*1024) | rename src_port as Source, dest_port as Destination | table Source, Destination, MB | sort -MB

Check responses or downloads with specific well-known ports, top 25
index=* sourcetype=firewall | where match(src_port, "^(20|21|23|69|512|513|514)$") AND dest_port > 1023 | stats sum(bytes_in) as Bytes by src_ip, dest_ip src_port | eval MB=Bytes/(1024*1024) | sort 25 -MB

Check response downloads apart from port 445
index=* sourcetype=firewall NOT src_port=445 AND dest_port>1023 | bucket _time span=1s | stats sum(packets_in) as Packets sum(bytes_in) as Bytes by _time src_ip, dest_ip | lookup dnslookup clientip as dest_ip OUTPUT clienthost as dest_hostname | lookup dnslookup clientip as src_ip OUTPUT clienthost as src_hostname | eval MB=Bytes/(1024*1024) | sort 10 -MB

Rogue DHCP server detection (replace the DHCPSERVER_IP placeholders with the legitimate DHCP servers)
index=* sourcetype=firewall protoid=17 NOT (src_ip=DHCPSERVER_IP_1 OR src_ip=DHCPSERVER_IP_2) src_port=67 | stats dc(dest_ip) values(src_port) values(dest_port) values(dest_ip) by src_ip

Botnet activity
index=* sourcetype=FIREWALL NOT dest_ip=10.0.0.0/8 NOT dest_ip=172.16.0.0/12 NOT dest_ip=192.168.0.0/16 NOT dest_ip=169.254.0.0/16 action=allowed NOT dest_ip=255.255.255.255 | bucket _time span=10m | stats dc(src_ip) as botnet_ip by _time dest_ip | where botnet_ip>=5

Blacklisted IP communication
index=* | lookup blacklist.csv destip as dest_ip OUTPUT type as ioc_type | where isnotnull(ioc_type) | stats count by src_ip dest_ip dest_port action ioc_type

Check for packets with a size above the Ethernet MTU
index=* sourcetype=firewall (protoid=6 OR protoid=17) | eval size=bytes_in/packets_in | where size > 1518 | stats values(packets_in) values(size) AS sizeofpacket by src_ip dest_ip src_port dest_port protoid | sort -sizeofpacket

UDP bandwidth exhaustion attacks
index=* sourcetype=firewall protoid=17 | bucket _time span=1m | stats sum(bytes_in) as Bytes by src_ip, dest_ip, _time | eval MB=Bytes/(1024*1024) | rename src_ip as Source, dest_ip as Destination | table _time Source, Destination, MB | where MB>1024 | sort 5 -MB

ICMP bandwidth exhaustion attacks
index=* sourcetype=firewall protoid=1 | bucket _time span=1m | stats sum(bytes_in) as Bytes by src_ip, dest_ip, _time | eval MB=Bytes/(1024*1024) | rename src_ip as Source, dest_ip as Destination | table _time Source, Destination, MB | sort 5 -MB

DNS flood, excluding the organisation's own resolvers (replace the DNS_SERVER placeholders)
index=* sourcetype=firewall NOT (src_ip=DNS_SERVER_1 OR src_ip=DNS_SERVER_2) | bucket _time span=1m | search dest_port=53 | stats sum(bytes_in) sum(packets_in) count by src_ip dest_ip dest_port src_port, _time | sort -count

Data dumping activity / probable SQL injection
index=* sourcetype=firewall | where match(src_port, "^(1433|1521|3306)$") | stats sum(bytes_in) as Bytes by src_ip, dest_ip src_port | eval MB=Bytes/(1024*1024) | where Bytes>1200 | sort -MB

Top 10 internal hosts or sources performing a large amount of data transfer that require investigation
index=* sourcetype=firewall | stats sum(bytes_in) as Bytes by src_ip, dest_ip, protoid | eval MB=Bytes/(1024*1024) | rename src_ip as Source, dest_ip as Destination | sort 10 -MB

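The volume-based searches (packets above the Ethernet MTU, UDP/ICMP bandwidth exhaustion per minute, and the top-10 data transfer list) reduce to three operations: an average packet size per flow, a per-minute byte sum with a threshold, and a ranked total. The Python below is an added example, not part of the paste, that runs them over constructed firewall lines with byte and packet counters (field names bytes_in, packets_in and protoid are assumed to match the searches). It also handles the edge case the SPL hides: with packets_in=0 the division yields null and `where size > 1518` silently drops the event.

```python
from collections import defaultdict

# Constructed firewall log lines with byte and packet counters (made up for this example).
FIREWALL_LOG = """\
time=2020-01-25T11:00:05 src_ip=10.0.0.7 dest_ip=198.51.100.20 src_port=40000 dest_port=53 protoid=17 bytes_in=4000 packets_in=2
time=2020-01-25T11:00:06 src_ip=10.0.0.7 dest_ip=198.51.100.20 src_port=40001 dest_port=53 protoid=17 bytes_in=1200 packets_in=1
time=2020-01-25T11:00:09 src_ip=10.0.0.8 dest_ip=198.51.100.21 src_port=50000 dest_port=123 protoid=17 bytes_in=0 packets_in=0
time=2020-01-25T11:00:10 src_ip=10.0.0.9 dest_ip=198.51.100.22 src_port=1024 dest_port=514 protoid=17 bytes_in=1200000000 packets_in=800000
time=2020-01-25T11:01:10 src_ip=10.0.0.9 dest_ip=198.51.100.22 src_port=1024 dest_port=514 protoid=17 bytes_in=500000000 packets_in=350000
time=2020-01-25T11:00:11 src_ip=10.0.0.3 dest_ip=198.51.100.23 src_port=0 dest_port=0 protoid=1 bytes_in=64 packets_in=1
"""

MB = 1024 * 1024
ETHERNET_MTU = 1518  # the frame-size threshold the paste uses


def parse_events(text):
    """Turn key=value lines into dicts; counters become ints."""
    events = []
    for line in text.splitlines():
        ev = dict(kv.split("=", 1) for kv in line.split())
        for k in ("protoid", "bytes_in", "packets_in"):
            ev[k] = int(ev[k])
        events.append(ev)
    return events


def avg_packet_size(ev):
    """`eval size=bytes_in/packets_in`; None stands in for Splunk's null when packets_in is 0."""
    return ev["bytes_in"] / ev["packets_in"] if ev["packets_in"] else None


def oversized(events, mtu=ETHERNET_MTU, protos=(6, 17)):
    """Flows whose average packet exceeds the MTU, as (src_ip, dest_ip, protoid, size)."""
    hits = []
    for ev in events:
        size = avg_packet_size(ev)
        if ev["protoid"] in protos and size is not None and size > mtu:
            hits.append((ev["src_ip"], ev["dest_ip"], ev["protoid"], size))
    return hits


def bandwidth_per_minute(events, protoid=17, threshold_mb=1024):
    """`bucket _time span=1m | stats sum(bytes_in) by src_ip, dest_ip, _time | where MB>threshold`."""
    total = defaultdict(int)
    for ev in events:
        if ev["protoid"] == protoid:
            total[(ev["src_ip"], ev["dest_ip"], ev["time"][:16])] += ev["bytes_in"]
    return {k: round(b / MB, 2) for k, b in total.items() if b / MB > threshold_mb}


def top_transfers(events, n=10):
    """`stats sum(bytes_in) by src_ip, dest_ip, protoid | sort n -MB`."""
    total = defaultdict(int)
    for ev in events:
        total[(ev["src_ip"], ev["dest_ip"], ev["protoid"])] += ev["bytes_in"]
    ranked = sorted(total.items(), key=lambda kv: kv[1], reverse=True)
    return [(k, round(b / MB, 2)) for k, b in ranked[:n]]


if __name__ == "__main__":
    evs = parse_events(FIREWALL_LOG)
    print("oversized:", oversized(evs))
    print("udp > 1024 MB/min:", bandwidth_per_minute(evs))
    print("top transfers:", top_transfers(evs, 3))
```

In the sample, the 1.2 GB sent in the 11:00 bucket trips the 1024 MB/min UDP threshold while the 500 MB in the next minute does not, and the zero-packet flow is skipped rather than raising a division error.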
Top denied inbound by ports
index=* sourcetype=FIREWALL NOT src_ip=10.0.0.0/8 NOT src_ip=172.16.0.0/12 NOT src_ip=192.168.0.0/16 (action=dropped OR action=blocked) | top 10 dest_port

Denied outbound connections (address)
index=* sourcetype=FIREWALL NOT dest_ip=10.0.0.0/8 NOT dest_ip=172.16.0.0/12 NOT dest_ip=192.168.0.0/16 NOT dest_ip=169.254.0.0/16 (action=dropped OR action=blocked) | top 10 src_ip

Denied outbound connections (ports apart from 80, 443) - internal host
index=* sourcetype=FIREWALL NOT dest_ip=10.0.0.0/8 NOT dest_ip=172.16.0.0/12 NOT dest_ip=192.168.0.0/16 (action=dropped OR action=blocked) NOT (dest_port=80 OR dest_port=443) | top 10 src_ip

Top 10 accepted ports (inbound)
index=* sourcetype=FIREWALL NOT src_ip=10.0.0.0/8 NOT src_ip=172.16.0.0/12 NOT src_ip=192.168.0.0/16 NOT src_ip=169.254.0.0/16 action=allowed | top 10 dest_port

Top 10 accepted ports (outbound)
index=* sourcetype=FIREWALL NOT dest_ip=10.0.0.0/8 NOT dest_ip=172.16.0.0/12 NOT dest_ip=192.168.0.0/16 NOT dest_ip=169.254.0.0/16 NOT dest_ip=255.255.255.255 action=allowed | top 10 dest_port

Top connection drops - 10 events
index=* sourcetype=FIREWALL (action=dropped OR action=blocked) | stats count by src_ip dest_ip dest_port | sort 10 -count