QUERIES

ACTIVITY OVERVIEW

this query provides general information on the pcap file

QUERIES > BRIM > ACTIVITY OVERVIEW
 count() by _path | sort -r

WINDOWS NETWORKING ACTIVITY

this query focuses on Windows networking activity and details the source and destination addresses and named pipe, endpoint and operation detection. the output of this specific query may assist analysts in understanding specific Windows events such as SMB enumeration, logins and service exploitation

QUERIES > BRIM > WINDOWS NETWORKING ACTIVITY
 _path matches smb* OR _path=="dce_rpc" | sort -r _path

UNIQUE NETWORK CONNECTIONS & CONNECTION RECEIVED DATA

these two queries provide information on unique connections and connection-data correlation. these two when combined can assist analysts in detecting weird & malicious connections along with suspicious and beaconing activities

#start w/ unique network connections
QUERIES > BRIM > UNIQUE NETWORK CONNECTIONS
 _path=="conn" | cut id.orig_h, id.resp_p, id.resp_h | sort|uniq
 
 * uniq list provides a clear list of unique connections that help identify anomalies
 
#correlate output w/ connection received data
QUERIES > BRIM > CONNECTION RECEIVED DATA
 _path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes
 
 * data list summarises the data transfer rate that supports the anomaly investigation hypothesis

UNIQUE DNS QUERIES & HTTP REQUESTS

these two queries when combined can help analysts detect anomalous DNS and HTTP traffic

#start w/ the dns
QUERIES > BRIM > UNIQUE DNS QUERIES
 _path=="dns" | count() by query | sort -r
 
#correlate output w/ http requests
QUERIES > BRIM > HTTP REQUESTS
 _path=="http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c

FILE ACTIVITY

this query helps analysts in detecting possible data leakage attempts and suspicious file activity.

QUERIES > BRIM > FILE ACTIVITY
 filename!=null | cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1

 * this specific query provides info on the detected file MIME and file name and hash values (MD5, SHA1).

IP SUBNET STATISTICS

this query helps analysts in detecting possible communications outside the scope

QUERIES > BRIM > SHOW IP SUBNETS
 _path=="conn" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r

SURICATA ALERTS

these queries provide information based on Suricata rule results

#
QUERIES > BRIM > SURICATA ALERTS BY CATEGORY
 event_type=="alert" | count() by alert.severity, alert.category | sort count
 
#
QUERIES > BRIM > SURICATA ALERTS BY SOURCE & DESTINATION
 event_type=="alert" | alerts := union(alert.category) by src_ip, dest_ip
 
#
QUERIES > BRIM > SURICATA ALERTS BY SUBNET
 event_type=="alert" | alerts := union(alert.category) by network_of(dest_ip)

PreviousBRIM NextQUERY REFERENCE

Last updated 10 months ago