This query focuses on Windows networking activity and details the source and destination addresses as well as the named pipe, endpoint and operation detected. The output of this query may assist analysts in understanding specific Windows events such as SMB enumeration, logins and service exploitation.
QUERIES > BRIM > WINDOWS NETWORKING ACTIVITY
_path matches smb* OR _path=="dce_rpc" | sort -r _path
UNIQUE NETWORK CONNECTIONS & CONNECTION RECEIVED DATA
These two queries provide information on unique connections and connection-data correlation. Combined, they can assist analysts in detecting unusual and malicious connections along with suspicious and beaconing activity.
#start w/ unique network connections
QUERIES > BRIM > UNIQUE NETWORK CONNECTIONS
_path=="conn" | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq
* the uniq list provides a clear list of unique connections that helps identify anomalies
#correlate output w/ connection received data
QUERIES > BRIM > CONNECTION RECEIVED DATA
_path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes
* the data list summarises the volume of data transferred per connection, which supports the anomaly investigation hypothesis
UNIQUE DNS QUERIES & HTTP REQUESTS
These two queries, when combined, can help analysts detect anomalous DNS and HTTP traffic.
#start w/ the dns
QUERIES > BRIM > UNIQUE DNS QUERIES
_path=="dns" | count() by query | sort -r
#correlate output w/ http requests
QUERIES > BRIM > HTTP REQUESTS
_path=="http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c
FILE ACTIVITY
This query helps analysts detect possible data leakage attempts and suspicious file activity.
QUERIES > BRIM > FILE ACTIVITY
filename!=null | cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1
* this query provides info on each detected file's MIME type, file name and hash values (MD5, SHA1).
IP SUBNET STATISTICS
This query helps analysts detect possible communications outside the expected scope.
QUERIES > BRIM > SHOW IP SUBNETS
_path=="conn" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r
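The connection queries above (unique connections, connection received data and IP subnet statistics) can be reproduced outside Brim for cross-checking. The script below is an added example, not part of the original notes or of Brim/Zed; it runs over a constructed Zeek conn.log sample in JSON form, treats a null byte count as 0 (an assumption; Zed would yield null for the sum), and approximates the one-argument network_of() with classful boundaries, returning /32 for addresses above class C (also an assumption).

```python
import ipaddress
import json
from collections import Counter

# Constructed sample of Zeek JSON records (not taken from any real capture).
SAMPLE_LOG = """
{"_path":"conn","uid":"CAbc1","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"172.16.4.20","id.resp_p":445,"orig_bytes":1200,"resp_bytes":800}
{"_path":"conn","uid":"CAbc2","id.orig_h":"10.0.0.5","id.orig_p":51235,"id.resp_h":"172.16.4.20","id.resp_p":445,"orig_bytes":500,"resp_bytes":300}
{"_path":"conn","uid":"CAbc3","id.orig_h":"10.0.0.7","id.orig_p":40000,"id.resp_h":"203.0.113.9","id.resp_p":443,"orig_bytes":90000,"resp_bytes":2000}
{"_path":"dns","uid":"CAbc4","id.orig_h":"10.0.0.7","id.orig_p":53001,"id.resp_h":"10.0.0.1","id.resp_p":53,"query":"example.com"}
{"_path":"conn","uid":"CAbc5","id.orig_h":"10.0.0.7","id.orig_p":40001,"id.resp_h":"198.51.100.2","id.resp_p":8080,"orig_bytes":100,"resp_bytes":null}
"""

def load_conn_records(text):
    # Equivalent of the _path=="conn" filter: keep only conn records.
    records = (json.loads(line) for line in text.strip().splitlines())
    return [r for r in records if r["_path"] == "conn"]

def unique_connections(records):
    # cut id.orig_h, id.resp_p, id.resp_h | sort | uniq
    return sorted({(r["id.orig_h"], r["id.resp_p"], r["id.resp_h"]) for r in records})

def connection_data(records):
    # put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut ...
    rows = []
    for r in records:
        total = (r.get("orig_bytes") or 0) + (r.get("resp_bytes") or 0)  # null -> 0 (assumption)
        rows.append({"uid": r["uid"], "orig_bytes": r.get("orig_bytes"),
                     "resp_bytes": r.get("resp_bytes"), "total_bytes": total})
    return sorted(rows, key=lambda x: x["total_bytes"], reverse=True)

def classnet(ip):
    # Classful network: /8 for class A, /16 for class B, /24 for class C, /32 otherwise.
    first = int(ip.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24 if first < 224 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def subnet_stats(records):
    # put classnet := network_of(id.resp_h) | count() by classnet | sort -r
    return Counter(classnet(r["id.resp_h"]) for r in records).most_common()

if __name__ == "__main__":
    conns = load_conn_records(SAMPLE_LOG)
    print(unique_connections(conns))
    print(connection_data(conns))
    print(subnet_stats(conns))
```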
SURICATA ALERTS
These queries provide information based on Suricata rule results.
#
QUERIES > BRIM > SURICATA ALERTS BY CATEGORY
event_type=="alert" | count() by alert.severity, alert.category | sort count
#
QUERIES > BRIM > SURICATA ALERTS BY SOURCE & DESTINATION
event_type=="alert" | alerts := union(alert.category) by src_ip, dest_ip
#
QUERIES > BRIM > SURICATA ALERTS BY SUBNET
event_type=="alert" | alerts := union(alert.category) by network_of(dest_ip)