QUERIES > BRIM > ACTIVITY OVERVIEW
 count() by _path | sort -r

QUERIES > BRIM > WINDOWS NETWORKING ACTIVITY
 _path matches smb* OR _path=="dce_rpc" | sort -r _path

#start w/ unique network connections
QUERIES > BRIM > UNIQUE NETWORK CONNECTIONS
 _path=="conn" | cut id.orig_h, id.resp_p, id.resp_h | sort|uniq
 
 * uniq list provides a clear list of unique connections that help identify anomalies
 
#correlate output w/ connection received data
QUERIES > BRIM > CONNECTION RECEIVED DATA
 _path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes
 
 * data list summarises the data transfer rate that supports the anomaly investigation hypothesis

#start w/ the dns
QUERIES > BRIM > UNIQUE DNS QUERIES
 _path=="dns" | count() by query | sort -r
 
#correlate output w/ http requests
QUERIES > BRIM > HTTP REQUESTS
 _path=="http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c

QUERIES > BRIM > FILE ACTIVITY
 filename!=null | cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1

 * this specific query provides info on the detected file MIME and file name and hash values (MD5, SHA1).

QUERIES > BRIM > SHOW IP SUBNETS
 _path=="conn" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r

#
QUERIES > BRIM > SURICATA ALERTS BY CATEGORY
 event_type=="alert" | count() by alert.severity, alert.category | sort count
 
#
QUERIES > BRIM > SURICATA ALERTS BY SOURCE & DESTINATION
 event_type=="alert" | alerts := union(alert.category) by src_ip, dest_ip
 
#
QUERIES > BRIM > SURICATA ALERTS BY SUBNET
 event_type=="alert" | alerts := union(alert.category) by network_of(dest_ip)