Dashboards & Queries

Hello there R7 Community, I have recently started the journey of trying to make really meaningful dashboards or alerts to help my team threat hunt more efficiently. I wanted to throw this post out here and see if anyone has any useful queries or ideas they would be willing to share. I have some ideas floating around in my head, but was just curious what the community may be doing to fight the good fight!

4 Likes

Hey Patrick, I would be more than happy to share some of the queries I’ve made for dashboards! Did you have any specific log sets you were looking at in particular?

Hi Stephen,

We are monitoring PAN firewall logs, newly added R7 ETT & endpoint data, azure sso, o365, other windows events that are forwarded to be ingested.

Hey Patrick,

Sorry for the delayed response, so I will share some queries that might help give you some ideas, please keep in mind results will depend on whether you are actually logging these events on your side and sending them to IDR:

EET:

  • where(process.name=/psexecsvc.exe/i OR parent_process.name=/psexecsvc.exe/i)groupby(hostname)calculate(unique:hostname)

  • where(process.name=/mstsc.exe/i)groupby(hostname, process.cmd_line)

  • where(process.name=/mmc.exe/i AND process.cmd_line=/.*dsa.msc/i)groupby(hostname, parent_process.username)

  • where(process.name=“msiexec.exe” AND process.cmd_line=/./i./i)groupby(process.cmd_line)

O365: Cloud Service Activity

  • where(source_user=/.#EXT#./i)groupby(source_json.Workload)
  • where(source_user=/.#EXT#./i AND source_json.Workload=SharePoint)groupby(action)
  • where(source_user=/.#EXT#./i AND source_json.Workload=AzureActiveDirectory)groupby(action)
  • groupby(source_json.Workload)
  • where(source_json.Workload=Exchange AND action=DlpRuleMatch)groupby(source_json.PolicyDetails.0.PolicyName)
  • where(source_json.Workload=SharePoint)groupby(action)
  • where(source_json.Workload=SharePoint AND action=FileDownloaded)groupby(source_user)
  • where(source_json.Workload=AzureActiveDirectory)groupby(action)
  • where(source_json.Workload=AzureActiveDirectory AND action=“Add member to group.” AND source_json.ResultStatus=Success)groupby(source_json.ModifiedProperties.1.NewValue)

Firewall:

  • groupby(connection_status, direction)
  • where(direction=OUTBOUND AND connection_status!=DENY AND destination_port=/21|22|23|25|53|80|110|111|135|139|143|443|445|993|995|1723|3306|3389|5900|8080/)groupby(geoip_organization)
  • where(connection_status!=“DENY” AND direction=“OUTBOUND”)groupby(destination_port)calculate(sum:outgoing_bytes)
  • where(asset=/vpn asset.*/i AND direction=OUTBOUND)groupby(user, geoip_organization, destination_port)calculate(sum:outgoing_bytes)limit(100)
  • where(direction=OUTBOUND AND connection_status=DENY)calculate(count)
  • where(direction=INBOUND AND connection_status=DENY)calculate(count)
  • where(direction=OUTBOUND AND connection_status=ACCEPT)calculate(count)
  • where(direction=INBOUND AND connection_status=ACCEPT)calculate(count)
4 Likes

Thank you so much for sharing these Stephen! These look awesome and give me some ideas. =)

Yeah, thanks @stephen_davis, those are really nice querys! :wink:

My pleasure and glad to hear it!

Thank you, and you’re very welcome!