LOGS

Last updated 3 months ago

THREAT HUNTING: ANOMALY DETECTION & LOG CORRELATION

the table below can be used during threat hunting and describes a sample investigation procedure

OVERALL INFO: the first step of the investigation is to review the overall connections, shared files, loaded scripts & indicators

PROTOCOL BASED: conduct a more in-depth investigation by focusing on a specific protocol

DETECTION: use the prebuilt/custom detection scripts & signature outcomes to support findings

OBSERVATION: use the logs in this category to discover possible missing points

#identify relevant fields
root@dco:~$ cat conn.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 1488571051.943250	CTMFXm1AcIsSnq2Ric	192.168.121.2	51153	192.168.120.22	53	udp	dns	0.001263	36	106	SF	-	-0	Dd	1	64	1	134	-
 1488571038.380901	CLsSsA3HLB2N6uJwW	192.168.121.10	50080	192.168.120.10	514	udp	-	

#only retrieve the 5-tuples during investigation as those are the most important
root@dco:~$ cat conn.log | zeek-cut uid proto id.orig_h id.orig_p id.resp_h id.resp_p 
 CTMFXm1AcIsSnq2Ric	udp	192.168.121.2	51153	192.168.120.22	53
 CLsSsA3HLB2N6uJwW	udp	192.168.121.10	50080	192.168.120.10	514
 
 * zeekcut is an auxiliary program used for extracting columns from zeek log files
    - it is specifically used against zeeks' log field names and NOT against the log's type section

LOGS

LOGS

LOG CATEGORIES

COMMON LOGS

THREAT HUNTING: ANOMALY DETECTION & LOG CORRELATION

LOG CATEGORIES

COMMON LOGS

THREAT HUNTING: ANOMALY DETECTION & LOG CORRELATION