Wazuh: Log Analysis Queries with Use Cases for Effective Network Security Monitoring | Part-9

Here are some queries tailored for analyzing logs from Network Intrusion Prevention System (NIPS) appliances. They are written as generic SQL against a placeholder table named nips_logs, with placeholder column names; Wazuh itself does not keep alerts in such a table. Wazuh stores alerts in its indexer (OpenSearch) under the wazuh-alerts-* indices, so map the placeholder columns to the fields your decoder produces (source_ip and dest_port usually correspond to data.srcip and data.dstport in a Wazuh alert, and the rule level is in rule.level) and express the same filter in the dashboard query bar or, if the SQL plugin is available on your indexer, through its SQL endpoint.

  1. Search for Detected Intrusion Attempts:

    • Query: Identify logs indicating the detection of intrusion attempts.
    sql
    SELECT * FROM nips_logs WHERE event_type = 'intrusion_detected';
  2. Search for Blocked Intrusion Attempts:

    • Query: Look for logs indicating the blocking of intrusion attempts.
    sql
    SELECT * FROM nips_logs WHERE event_type = 'intrusion_blocked';
  3. Search for Top Intrusion Signatures:

    • Query: Identify the top intrusion signatures detected by the NIPS appliance.
    sql
    SELECT intrusion_signature, COUNT(*) AS signature_count FROM nips_logs WHERE event_type = 'intrusion_detected' GROUP BY intrusion_signature ORDER BY signature_count DESC LIMIT 10;
  4. Search for Intrusion Attempts by Source IP:

    • Query: Look for logs indicating intrusion attempts originating from a specific source IP address.
    sql
    SELECT * FROM nips_logs WHERE event_type = 'intrusion_detected' AND source_ip = 'xxx.xxx.xxx.xxx';
  5. Search for Intrusion Attempts Targeting Specific Ports:

    • Query: Identify intrusion attempts targeting specific destination ports.
    sql
    SELECT * FROM nips_logs WHERE event_type = 'intrusion_detected' AND dest_port = <port_number>;
  6. Search for Intrusion Attempts by Severity Level:

    • Query: Look for logs indicating intrusion attempts with a specific severity level. Most appliances use a numeric or ordinal scale, so in practice a >= threshold ("everything at or above high") is more useful than the equality shown here.
    sql
    SELECT * FROM nips_logs WHERE event_type = 'intrusion_detected' AND severity = <severity_level>;
  7. Search for Intrusion Attempts by Protocol:

    • Query: Identify intrusion attempts targeting a specific protocol.
    sql
    SELECT * FROM nips_logs WHERE event_type = 'intrusion_detected' AND protocol = 'tcp';
  8. Search for Intrusion Attempts Triggering Mitigation Actions:

    • Query: Look for intrusion attempts that triggered mitigation actions. When the appliance records only a single "blocked" event type this is the same filter as query 2; if it also logs the specific countermeasure (drop, reset, quarantine), extend the WHERE clause with that column to separate the actions.
    sql
    SELECT * FROM nips_logs WHERE event_type = 'intrusion_blocked';
  9. Search for Intrusion Attempts Related to Specific Attack Types:

    • Query: Identify intrusion attempts related to specific attack types, such as SQL injection or cross-site scripting (XSS). The category labels are vendor-specific, so check the exact strings your appliance emits before filtering on them.
    sql
    SELECT * FROM nips_logs WHERE event_type = 'intrusion_detected' AND attack_type IN ('SQL Injection', 'XSS');
  10. Search for Intrusion Attempts Triggering Alarm Thresholds:

    • Query: Look for intrusion attempts that triggered alarm thresholds.
    sql
    SELECT * FROM nips_logs WHERE event_type = 'intrusion_detected' AND alarm_triggered = true;

These queries can assist you in analyzing logs from NIPS appliances, allowing you to monitor and detect intrusion attempts on your network infrastructure. Compare the detected and blocked views side by side: a signature that appears under intrusion_detected but never under intrusion_blocked is either running in detect-only mode or not being enforced, and that gap is the first thing to review. Adjust the parameters and conditions in each query as needed to match your specific use cases and requirements.
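The following is an added example, not code from the original post or from Wazuh: it builds the placeholder nips_logs table in an in-memory SQLite database, loads constructed sample events (RFC 5737 documentation addresses and invented signature names), and runs queries 3, 4, 6 and 9 from the list above as parameterised SQL. It also goes beyond the page with one extra query, detected_but_never_blocked, which lists signatures that fired but were never enforced; the table name, column names and severity scale are assumptions carried over from the placeholder schema.

```python
"""Added example: the NIPS queries above run over a constructed nips_logs table.

Not from the original post or from Wazuh. Table and column names follow the
placeholder schema of the queries on this page; every row is made up."""
import sqlite3

SCHEMA = """
CREATE TABLE nips_logs (
    ts                  TEXT    NOT NULL,
    event_type          TEXT    NOT NULL,   -- 'intrusion_detected' | 'intrusion_blocked'
    intrusion_signature TEXT    NOT NULL,
    attack_type         TEXT,
    source_ip           TEXT    NOT NULL,
    dest_ip             TEXT    NOT NULL,
    dest_port           INTEGER NOT NULL,
    protocol            TEXT    NOT NULL,
    severity            INTEGER NOT NULL,   -- assumed scale: 1 (low) .. 5 (critical)
    alarm_triggered     INTEGER NOT NULL DEFAULT 0
)
"""

SQLI = "SQLi: UNION SELECT in URI"
XSS = "XSS: script tag in parameter"
SMB = "SMB: remote code execution attempt"
DNS = "DNS: oversized TXT response"

# Constructed sample events (RFC 5737 addresses, invented signatures). Each
# enforced detection is followed by a matching intrusion_blocked row; the XSS
# and DNS signatures are detect-only on purpose.
SAMPLE_ROWS = [
    ("2024-05-01T10:00:01Z", "intrusion_detected", SQLI, "SQL Injection", "203.0.113.10", "10.0.0.5", 443, "tcp", 4, 1),
    ("2024-05-01T10:00:02Z", "intrusion_blocked", SQLI, "SQL Injection", "203.0.113.10", "10.0.0.5", 443, "tcp", 4, 1),
    ("2024-05-01T10:05:00Z", "intrusion_detected", SQLI, "SQL Injection", "203.0.113.11", "10.0.0.5", 443, "tcp", 4, 0),
    ("2024-05-01T10:05:01Z", "intrusion_blocked", SQLI, "SQL Injection", "203.0.113.11", "10.0.0.5", 443, "tcp", 4, 0),
    ("2024-05-01T10:07:00Z", "intrusion_detected", SQLI, "SQL Injection", "203.0.113.10", "10.0.0.5", 8443, "tcp", 4, 0),
    ("2024-05-01T10:07:01Z", "intrusion_blocked", SQLI, "SQL Injection", "203.0.113.10", "10.0.0.5", 8443, "tcp", 4, 0),
    ("2024-05-01T10:10:00Z", "intrusion_detected", XSS, "XSS", "203.0.113.10", "10.0.0.5", 80, "tcp", 3, 0),
    ("2024-05-01T10:15:00Z", "intrusion_detected", XSS, "XSS", "198.51.100.7", "10.0.0.5", 80, "tcp", 3, 0),
    ("2024-05-01T10:20:00Z", "intrusion_detected", SMB, "Remote Code Execution", "198.51.100.7", "10.0.0.20", 445, "tcp", 5, 1),
    ("2024-05-01T10:20:01Z", "intrusion_blocked", SMB, "Remote Code Execution", "198.51.100.7", "10.0.0.20", 445, "tcp", 5, 1),
    ("2024-05-01T10:30:00Z", "intrusion_detected", DNS, "Tunneling", "192.0.2.3", "10.0.0.53", 53, "udp", 2, 0),
]


def build_db():
    """Create an in-memory nips_logs table loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO nips_logs VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def top_signatures(conn, limit=10):
    """Query 3 above, with a name tiebreak so the ranking is deterministic."""
    return conn.execute(
        "SELECT intrusion_signature, COUNT(*) AS signature_count FROM nips_logs "
        "WHERE event_type = 'intrusion_detected' GROUP BY intrusion_signature "
        "ORDER BY signature_count DESC, intrusion_signature LIMIT ?",
        (limit,),
    ).fetchall()


def detected_by_attack_type(conn, attack_types):
    """Query 9 above, parameterised: the category labels come from the analyst,
    so they are bound as placeholders instead of being formatted into the SQL."""
    placeholders = ", ".join("?" for _ in attack_types)
    return conn.execute(
        "SELECT ts, source_ip, dest_port, intrusion_signature FROM nips_logs "
        "WHERE event_type = 'intrusion_detected' "
        f"AND attack_type IN ({placeholders}) ORDER BY ts",
        tuple(attack_types),
    ).fetchall()


def sources_at_or_above_severity(conn, min_severity):
    """Queries 4 and 6 combined: sources with detections at or above a severity
    threshold (a >= cut rather than the equality shown in query 6)."""
    return conn.execute(
        "SELECT source_ip, COUNT(*) AS hits FROM nips_logs "
        "WHERE event_type = 'intrusion_detected' AND severity >= ? "
        "GROUP BY source_ip ORDER BY hits DESC, source_ip",
        (min_severity,),
    ).fetchall()


def detected_but_never_blocked(conn):
    """Beyond the page's list: signatures seen under intrusion_detected that have
    no intrusion_blocked row at all, i.e. detect-only or unenforced rules."""
    return conn.execute(
        "SELECT d.intrusion_signature, COUNT(*) AS detections FROM nips_logs d "
        "WHERE d.event_type = 'intrusion_detected' AND NOT EXISTS ("
        "  SELECT 1 FROM nips_logs b WHERE b.event_type = 'intrusion_blocked' "
        "  AND b.intrusion_signature = d.intrusion_signature) "
        "GROUP BY d.intrusion_signature ORDER BY detections DESC, d.intrusion_signature"
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("Top signatures:", top_signatures(db))
    print("SQLi/XSS detections:", detected_by_attack_type(db, ["SQL Injection", "XSS"]))
    print("Sources with severity >= 4:", sources_at_or_above_severity(db, 4))
    print("Detect-only signatures:", detected_but_never_blocked(db))
```

Against the constructed rows, detected_but_never_blocked returns the XSS and DNS signatures, which is exactly the enforcement gap the closing paragraph above tells you to look for; on a real dataset, point the same functions at a connection to your own store and replace the placeholder column names with the fields your decoder produces.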
