IPS High-Risk Alert Not Blocked. Below is an example using the Palo Alto Networks (PAN) IPS.
```Hourly roll-up of high/critical PAN threat events whose action was neither blocked nor dropped. The bare terms ",threat," critical high are presumably an index-term prefilter; the severity= comparisons are what actually select the rows.```
index=pan sourcetype="pan:threat" ",threat," (critical OR high)
    (severity=critical OR severity=high)
    action!="blocked" action!="dropped"
| bucket span=1h _time
| stats values(signature) as signature
        mode(dest) as dest
        values(dest_port) as dest_port
        values(file_name) as file_name
        values(file_hash) as file_hash
        count
        by _time, src, severity, action
```Flatten each multivalue list into one comma-separated string so the row can be read as a single alert.```
| eval signature=mvjoin(signature," , "),
       dest_port=mvjoin(dest_port," , "),
       file_name=mvjoin(file_name," , "),
       file_hash=mvjoin(file_hash," , ")
DoS - Firewall: Large Number of Denied Connections by Firewall
```Hourly count of blocked connections per firewall device from the Network_Traffic data model; when the model reports dvc as "unknown", the forwarding host is used as the device name instead.```
| tstats summariesonly=1 allow_old_summaries=1 count
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.action="blocked" sourcetype=* AND host=*
    by _time span=1h All_Traffic.dvc host
| rename All_Traffic.dvc as dvc
| eval dvc=if(dvc="unknown", host, dvc)
| timechart span=1h sum(count) by dvc
Detect Many Unauthorized Access Attempts
```Sample-data walkthrough: keeps logon events that carry a failure reason and the NT status 0xC000015B (logon type not granted to the account).```
| `Load_Sample_Log_Data(Windows Logons with Failure Codes)`
| search Status=0xC000015B Failure_Reason=*
Data Exfiltration - Suspicious Destinations
```Hourly byte totals per destination from the Network_Traffic data model, scored so that destinations seen in few hours by few sources rank highest; only the top 250 are geolocated.```
| tstats summariesonly=1 allow_old_summaries=1
    sum(All_Traffic.bytes) as bytes
    dc(All_Traffic.src) as "Unique Sources"
    from datamodel=Network_Traffic.All_Traffic
    where host=*
    by _time span=1h All_Traffic.dest
| rename All_Traffic.* as *
| eval MBytes=round(bytes/1024/1024, 2)
```Frequency = number of distinct hours in which this destination appeared in the window.```
| eventstats dc(_time) as Frequency by dest
```pow(Frequency,Frequency) penalises recurring destinations very steeply: a destination seen in many hours has an enormous denominator and rounds to Risk 0.```
| eval Risk=round(MBytes/(pow(Frequency,Frequency))/'Unique Sources')
| sort - Risk
| head 250
| iplocation dest
| fillnull value="" Country
| table _time, Risk, dest, "Unique Sources", MBytes, Country
Detects when the number of successful Windows logon events is more than the daily average for a user account
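```Per-user daily count of successful logons (4624), compared with that user's own mean daily count over the search window.```
index=windows EventCode=4624
```NOTE(review): Account_Name is commonly multivalued on 4624 (subject and target) — confirm lower() yields the intended value.```
| eval user=lower(Account_Name)
| bucket span=1d _time
| stats count by _time, user
```The original compared a count field that timechart does not emit (it pivots users into columns); eventstats keeps one row per user-day and attaches the user's mean.```
| eventstats avg(count) as daily_avg by user
```Any day above the user's own mean is flagged; by construction many days will exceed it, so tune the multiplier or the baseline window before alerting.```
| where count > daily_avg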
Unusual Traffic by Volume
```Hourly outbound-byte sum per source; a bucket is an outlier when it exceeds the running mean by four running standard deviations (streamstats includes the current bucket in its window, and the first bucket per source has no stdev).```
index=firewall sourcetype=access_combined
| bucket span=1h _time
| stats sum(bytes_out) as sum_bytes by _time, src_ip
| streamstats avg(sum_bytes) as avg stdev(sum_bytes) as stdev by src_ip
| eval isOutlier=if(sum_bytes > avg + 4*stdev, 1, 0)
| search isOutlier=1
Suspiciously High Process Creation
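```Hourly process-creation (4688) count per host versus twice the host's mean hourly count over the search window.```
index=os_logs sourcetype=WinEventLog:Security EventCode=4688
| bucket span=1h _time
| stats count as process_start by _time, host
```where cannot evaluate aggregate functions such as avg(), and timechart ... by host would have pivoted hosts into columns; eventstats supplies the per-host baseline on each row instead.```
| eventstats avg(process_start) as avg_process_start by host
| where process_start > avg_process_start * 2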
Network Traffic from Rare Countries
```Source countries that account for less than 1% of firewall events in the window. Events whose src_ip cannot be geolocated have no Country and are dropped by the stats by-clause.```
index=firewall
| iplocation src_ip
| stats count by Country
| eventstats sum(count) as total
| eval percentage=(count/total)*100
| where percentage < 1
```Hourly connection count per destination on the Cisco ASA feed; a bucket is an outlier above mean + 4 stdev for that destination, with the baseline computed over the whole window (including the outlier hour).```
index=network sourcetype=cisco:asa dest_ip=*
| bucket _time span=1h
| stats count by _time, dest_ip
| eventstats avg(count) as avg stdev(count) as stdev by dest_ip
| eval isOutlier=if(count > avg + 4*stdev, 1, 0)
| search isOutlier=1
Unique Domains Requested by Host
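```Distinct DNS query names per source versus the population mean + 4 stdev. Fixes the trailing "stdevspl" typo that left the where clause referencing a non-existent field.```
index=dns_logs
| stats dc(query) as unique_domains by src_ip
| eventstats avg(unique_domains) as avg stdev(unique_domains) as stdev
```With a single source in the window stdev is null and nothing matches.```
| where unique_domains > avg + 4*stdev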
Suspicious Executables Downloaded
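```Downloads whose file name ends in an executable or script extension. The extension is lower-cased before the comparison because the regex capture keeps the original case and where-comparisons are case-sensitive, so ".EXE" was previously missed.```
index=proxy_logs action=download status=200
| rex field=file_path "\.(?<file_extension>\w+)$"
| eval file_extension=lower(file_extension)
| where file_extension IN ("exe", "dll", "bat", "ps1")
| stats count by src_ip, file_path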
Unusual Increase in Network Traffic
```Hourly total bytes across the whole feed; an hour is an outlier when it exceeds the running mean by four running standard deviations (streamstats includes the current hour).```
index=network_logs
| bucket _time span=1h
| stats sum(bytes) as sum_bytes by _time
| streamstats avg(sum_bytes) as avg stdev(sum_bytes) as stdev
| eval isOutlier=if(sum_bytes > avg + 4*stdev, 1, 0)
| search isOutlier=1
Unexpected System Changes
```Per host/user list of observed change values, keeping rows whose list is not the expected value. expected_value looks like a placeholder token to replace with the approved value.```
index=syslog_changes sourcetype=syslog
| stats values(change) as changes by host, user
| search changes=* changes!=expected_value
Unknown Processes Running on Critical Servers
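```Processes not on the known list, grouped per user on critical servers. The original filtered on process_name after stats had already renamed it to process_list (so the filter could not match) and carried a stray "spl" suffix; the filter now runs before aggregation.```
index=server_logs server=critical_server
```list_of_known_processes is a placeholder for the approved process names; a lookup-based allowlist would be easier to maintain than an inline list.```
| search NOT process_name IN (list_of_known_processes)
| stats values(process_name) as process_list by user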
Unusual Database Activities
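```Hourly insert/delete counts per action versus twice the action's mean hourly count. where cannot call avg(), and timechart ... by action would have pivoted actions into columns, so the baseline comes from eventstats.```
index=db_logs (action=insert OR action=delete)
| bucket span=1h _time
| stats count by _time, action
| eventstats avg(count) as avg_count by action
| where count > avg_count * 2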
```Total bytes per port, excluding the common service ports 80/443/21/22, highest first. Events without a port pass the filter but are dropped by the stats by-clause.```
index=network_logs
| search NOT (port IN (80, 443, 21, 22))
| stats sum(bytes) as total_bytes by port
| sort - total_bytes
Connections to Blacklisted IPs
```Firewall events whose destination appears in the IP blocklist lookup; threat_type is populated only on a lookup match, so the null check is the filter.```
index=firewall_logs
| lookup ip_blacklist.csv ip AS dest_ip OUTPUT description AS threat_type
| where isnotnull(threat_type)
Multiple VPN Logins from Same User but Different Locations
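```Users whose VPN logins geolocate to more than one country in the window. The original counted logins per (user, Country) pair, so two logins from one country matched while one login each from two countries did not.```
index=vpn_logs
| iplocation src_ip
| stats dc(Country) as countries values(Country) as country_list by user
| where countries > 1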
File Access Patterns
```Access count per user/file versus the mean for that file across users (+4 stdev); a file accessed by only one user has no stdev and never matches.```
index=filesystem_logs action=accessed
| stats count by user, file_path
| eventstats avg(count) as avg stdev(count) as stdev by file_path
| where count > avg + 4*stdev
Attempts to Access Unusual URLs
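```Ten most frequent URIs returning 404. top discards _time, so the original table's _time column was always empty; top's percent column is shown instead.```
index=web_logs sourcetype=access_combined status=404
| top limit=10 uri
| table uri, count, percent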
Outgoing Traffic To Blacklisted Domains
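```Proxy events whose requested domain is in the blocklist lookup, then the 20 sources with the most such requests. The original NOT excluded blocklisted domains (the opposite of the title), and top drops _time so that column was always empty.```
```The subsearch expands to an OR of the lookup's rows, so the lookup's column name must equal the event field that holds the requested domain — confirm against the CSV header.```
index=proxy_logs [ inputlookup domain_blacklist.csv ]
| top limit=20 src_ip
| table src_ip, count, percent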
Unique Connections by Non-Standard Ports
```Sources that reached more than 20 distinct destinations on a single non-standard port (80/443/21/22 excluded).```
index=network_logs NOT (port IN (80, 443, 21, 22))
| stats dc(dest_ip) as unique_connections by src_ip, port
| search unique_connections > 20
Spike in Error Logs
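```Hourly error count versus the window's mean + 4 stdev. where cannot call avg()/stdev(), so eventstats attaches the baseline to every row first.```
index=system_logs level=error
| timechart span=1h count as error_count
| eventstats avg(error_count) as avg stdev(error_count) as stdev
| where error_count > avg + 4*stdev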
Longest Running User Sessions
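```NOTE(review): this query is a copy of the "Spike in Error Logs" search and does not measure session length at all; it is kept with the same baseline fix until a session-duration search is written.```
```Hourly error count versus the window's mean + 4 stdev; where cannot call avg()/stdev(), so eventstats supplies the baseline.```
index=system_logs level=error
| timechart span=1h count as error_count
| eventstats avg(error_count) as avg stdev(error_count) as stdev
| where error_count > avg + 4*stdev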
Suspicious Database Transactions
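```Per-user transaction amount total versus the mean across users + 4 stdev. where cannot call avg()/stdev(), so eventstats computes them over all users first.```
index=db_logs action=transaction
| stats sum(amount) as total_amount by user
| eventstats avg(total_amount) as avg stdev(total_amount) as stdev
| where total_amount > avg + 4*stdev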
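```User/file pairs changed more than five times. stats drops _time, so the original table's _time column was empty; latest(_time) keeps the most recent change time.```
index=file_change_logs
| stats count latest(_time) as _time by user, file_path
| where count > 5
| table _time, user, file_path, count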
Inbound Connections from TOR Network
```Inbound firewall events whose source is a known Tor exit node per the lookup; threat_type exists only on a match.```
index=firewall_logs direction=inbound
| lookup tor_exit_nodes.csv src_ip OUTPUT description AS threat_type
| where isnotnull(threat_type)
Unusual Print Activities
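```Print-job count per user/printer versus the population mean + 4 stdev. Fixes: where cannot call avg()/stdev() (eventstats now supplies them); the "countlu" typo; and the empty _time column after stats.```
index=printer_logs
| stats count latest(_time) as _time by user, printer_name
| eventstats avg(count) as avg stdev(count) as stdev
| where count > avg + 4*stdev
| table _time, user, printer_name, count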
User Account Anomalies
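```Per-user authentication event count versus the mean across users + 3 stdev. The original's eventstats ... by user ran over one row per user, so avg equalled count and stdev was 0 and nothing could match; the baseline is now computed across users. latest(_time) fills the _time column that stats had dropped.```
index=authentication_logs
| stats count latest(_time) as _time by user
| eventstats avg(count) as avg stdev(count) as stdev
| where count > avg + 3*stdev
| table _time, user, count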
Unusual Command Execution
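```User/command pairs executed more than ten times; latest(_time) fills the _time column that stats had dropped (it was always empty in the original).```
index=command_logs
| stats count latest(_time) as _time by user, command
| where count > 10
| table _time, user, command, count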
Outbound Traffic to High-Risk Countries
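```Outbound connection count per destination country. iplocation writes the country to Country (or <prefix>Country); the original grouped by dest_country, a field iplocation never produces, so it returned nothing. latest(_time) fills the _time column that stats drops.```
```NOTE(review): the >100 threshold measures volume, not risk — matching the title needs a high-risk-country lookup after iplocation.```
index=network_logs direction=outbound
| iplocation prefix=dest_ dest_ip
| stats count latest(_time) as _time by dest_Country
| rename dest_Country as dest_country
| where count > 100
| table _time, dest_country, count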
Large Number of Failed Database Queries
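```User/query pairs that failed more than 50 times; latest(_time) fills the _time column that stats had dropped. Grouping by the full query text keeps parameterised variants apart — normalise first if that is too fine.```
index=database_logs status=failed
| stats count latest(_time) as _time by user, query
| where count > 50
| table _time, user, query, count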
Unusual System Service Behavior
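```Services with more than 100 log events in the window; latest(_time) fills the _time column that stats had dropped.```
index=system_logs sourcetype=service_logs
| stats count latest(_time) as _time by service_name
| where count > 100
| table _time, service_name, count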
Uncommon Firewall Rule Modifications
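```User/rule pairs modified more than five times; latest(_time) fills the _time column that stats had dropped.```
index=firewall_logs eventtype=rule_change
| stats count latest(_time) as _time by user, rule_name
| where count > 5
| table _time, user, rule_name, count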
Large Number of Login Failures from Single IP
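```Sources with more than 20 authentication events; latest(_time) fills the _time column that stats had dropped.```
```NOTE(review): there is no failure filter, so every authentication event counts — add the feed's failure predicate before stats to match the title.```
index=authentication_logs
| stats count latest(_time) as _time by src_ip
| where count > 20
| table _time, src_ip, count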
Suspicious File Access Patterns
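```User/file pairs accessed more than ten times; latest(_time) fills the _time column that stats had dropped.```
index=file_access_logs
| stats count latest(_time) as _time by user, file_path
| where count > 10
| table _time, user, file_path, count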
Abnormal Process Behavior
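```Process names seen more than 100 times in the window; latest(_time) fills the _time column that stats had dropped.```
index=process_logs
| stats count latest(_time) as _time by process_name
| where count > 100
| table _time, process_name, count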
Outliers in Network Bandwidth Usage
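```Hourly bytes per source versus that source's mean + 3 stdev. timechart ... by src_ip pivots sources into columns, so total_bytes and src_ip did not exist for the commands that followed; bucket + stats keeps them as rows.```
index=network_logs
| bucket span=1h _time
| stats sum(bytes) as total_bytes by _time, src_ip
| eventstats avg(total_bytes) as avg stdev(total_bytes) as stdev by src_ip
| eval isOutlier=if(total_bytes > avg + 3*stdev, 1, 0)
| search isOutlier=1
| table _time, src_ip, total_bytes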