Dashboards & Queries

Hello there R7 Community, I have recently started the journey of trying to make really meaningful dashboards or alerts to help my team threat hunt more efficiently. I wanted to throw this post out here and see if anyone has any useful queries or ideas they would be willing to share. I have some ideas floating around in my head, but was just curious what the community may be doing to fight the good fight!

5 Likes

Hey Patrick, I would be more than happy to share some of the queries I’ve made for dashboards! Did you have any specific log sets you were looking at in particular?

Hi Stephen,

We are monitoring PAN firewall logs, newly added R7 EET & endpoint data, Azure SSO, O365, and other Windows events that are forwarded to be ingested.

Hey Patrick,

Sorry for the delayed response. I will share some queries that might help give you some ideas; please keep in mind that results will depend on whether you are actually logging these events on your side and sending them to IDR:

EET:

  • where(process.name=/psexecsvc.exe/i OR parent_process.name=/psexecsvc.exe/i)groupby(hostname)calculate(unique:hostname)

  • where(process.name=/mstsc.exe/i)groupby(hostname, process.cmd_line)

  • where(process.name=/mmc.exe/i AND process.cmd_line=/.*dsa.msc/i)groupby(hostname, parent_process.username)

  • where(process.name="msiexec.exe" AND process.cmd_line=/.*\/i.*/i)groupby(process.cmd_line)

O365: Cloud Service Activity

  • where(source_user=/.*#EXT#.*/i)groupby(source_json.Workload)
  • where(source_user=/.*#EXT#.*/i AND source_json.Workload=SharePoint)groupby(action)
  • where(source_user=/.*#EXT#.*/i AND source_json.Workload=AzureActiveDirectory)groupby(action)
  • groupby(source_json.Workload)
  • where(source_json.Workload=Exchange AND action=DlpRuleMatch)groupby(source_json.PolicyDetails.0.PolicyName)
  • where(source_json.Workload=SharePoint)groupby(action)
  • where(source_json.Workload=SharePoint AND action=FileDownloaded)groupby(source_user)
  • where(source_json.Workload=AzureActiveDirectory)groupby(action)
  • where(source_json.Workload=AzureActiveDirectory AND action="Add member to group." AND source_json.ResultStatus=Success)groupby(source_json.ModifiedProperties.1.NewValue)

Firewall:

  • groupby(connection_status, direction)
  • where(direction=OUTBOUND AND connection_status!=DENY AND destination_port=/21|22|23|25|53|80|110|111|135|139|143|443|445|993|995|1723|3306|3389|5900|8080/)groupby(geoip_organization)
  • where(connection_status!="DENY" AND direction="OUTBOUND")groupby(destination_port)calculate(sum:outgoing_bytes)
  • where(asset=/vpn asset.*/i AND direction=OUTBOUND)groupby(user, geoip_organization, destination_port)calculate(sum:outgoing_bytes)limit(100)
  • where(direction=OUTBOUND AND connection_status=DENY)calculate(count)
  • where(direction=INBOUND AND connection_status=DENY)calculate(count)
  • where(direction=OUTBOUND AND connection_status=ACCEPT)calculate(count)
  • where(direction=INBOUND AND connection_status=ACCEPT)calculate(count)
6 Likes
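Two of the queries above rely on regular expressions that are easy to get subtly wrong before they reach a dashboard: the O365 guest-account filter on source_user and the firewall destination_port list. The following is an added example, not code from the thread or from Rapid7: it re-implements those two where() filters as plain Python over constructed sample events so the patterns can be checked offline. It assumes, as the leading and trailing .* in the author's patterns suggest, that a key=/regex/ match in LEQL must cover the whole field value (modelled here with re.fullmatch); under that assumption a guest pattern without the .* wrappers silently matches nothing, while the bare port alternation is safe because 2222 cannot full-match 22.

```python
"""Offline check of the guest-user and outbound-port regex filters.

Added example (not from the original post or from Rapid7). Event records
and organisation names below are constructed for illustration.
Assumption: LEQL key=/regex/ requires the whole value to match,
modelled with re.fullmatch.
"""
import re

# Constructed O365 "Cloud Service Activity" style events.
O365_EVENTS = [
    {"source_user": "bob_partner.com#EXT#@contoso.onmicrosoft.com",
     "source_json": {"Workload": "SharePoint"}, "action": "FileDownloaded"},
    {"source_user": "alice@contoso.com",
     "source_json": {"Workload": "SharePoint"}, "action": "FileDownloaded"},
    {"source_user": "carol_gmail.com#ext#@contoso.onmicrosoft.com",
     "source_json": {"Workload": "AzureActiveDirectory"}, "action": "UserLoggedIn"},
]

# Constructed firewall events.
FIREWALL_EVENTS = [
    {"direction": "OUTBOUND", "connection_status": "ACCEPT", "destination_port": 22,   "geoip_organization": "ExampleHost"},
    {"direction": "OUTBOUND", "connection_status": "ACCEPT", "destination_port": 2222, "geoip_organization": "ExampleHost"},
    {"direction": "OUTBOUND", "connection_status": "ACCEPT", "destination_port": 4433, "geoip_organization": "ExampleCDN"},
    {"direction": "OUTBOUND", "connection_status": "DENY",   "destination_port": 445,  "geoip_organization": "ExampleHost"},
    {"direction": "INBOUND",  "connection_status": "ACCEPT", "destination_port": 443,  "geoip_organization": "ExampleCDN"},
]

# Guest-account pattern as intended: wrappers allow any prefix/suffix around #EXT#.
GUEST_RE = re.compile(r".*#EXT#.*", re.IGNORECASE)
# The same pattern with the .* wrappers lost (what a markdown renderer turns it into):
# "." allows exactly one character on each side, so realistic guest UPNs never match.
GUEST_RE_BROKEN = re.compile(r".#EXT#.", re.IGNORECASE)

# Port alternation copied from the firewall query; under full-value matching it is
# already exact, so 2222 or 4433 cannot slip in via a partial match of 22 or 443.
PORT_RE = re.compile(
    r"21|22|23|25|53|80|110|111|135|139|143|443|445|993|995|1723|3306|3389|5900|8080"
)


def guest_user_workloads(events, pattern=GUEST_RE):
    """where(source_user=/pattern/)groupby(source_json.Workload) -> {workload: count}."""
    counts = {}
    for ev in events:
        if pattern.fullmatch(ev["source_user"]):
            workload = ev["source_json"]["Workload"]
            counts[workload] = counts.get(workload, 0) + 1
    return counts


def outbound_allowed_by_org(events, port_re=PORT_RE):
    """where(direction=OUTBOUND AND connection_status!=DENY AND destination_port=/ports/)
    groupby(geoip_organization) -> {organisation: count}."""
    counts = {}
    for ev in events:
        if ev["direction"] != "OUTBOUND" or ev["connection_status"] == "DENY":
            continue
        if not port_re.fullmatch(str(ev["destination_port"])):
            continue
        org = ev["geoip_organization"]
        counts[org] = counts.get(org, 0) + 1
    return counts


if __name__ == "__main__":
    print("guest workloads (intended pattern):", guest_user_workloads(O365_EVENTS))
    print("guest workloads (broken pattern):  ", guest_user_workloads(O365_EVENTS, GUEST_RE_BROKEN))
    print("outbound allowed by org:           ", outbound_allowed_by_org(FIREWALL_EVENTS))
```

Running it shows the intended guest pattern grouping one SharePoint and one AzureActiveDirectory event (the lower-case #ext# is caught by the i flag), the broken pattern returning nothing at all, and only the port-22 connection surviving the firewall filter. If your LEQL deployment turns out to use partial matching instead, the guest pattern still works but the port list should be anchored, so a quick check like this against known events is worth doing before trusting a widget.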

Thank you so much for sharing these Stephen! These look awesome and give me some ideas. =)

Yeah, thanks @SDavis, those are really nice queries! :wink:

My pleasure and glad to hear it!

Thank you, and you’re very welcome!

I started a post similar to this once (Custom Alert Collection). The idea was to create a spot in the library that we can all contribute to and pull from. As mentioned, they will all depend on what pieces and parts we all have. Log names may need to be changed to match environments and so forth, but I bet that there is enough similarity that the library would be great to have and useful.

1 Like

That is a great idea!