Wazuh: Log Analysis Queries with Use Cases for Effective Network Security Monitoring | Part-6

Here are more queries for your Wazuh SIEM log analysis. They are written as generic SQL against a hypothetical alerts table with illustrative field names (source.ip, rule.category and so on); Wazuh itself stores alerts in the wazuh-alerts-* indices of the Wazuh indexer (OpenSearch), where the category lives in rule.groups (for example authentication_failed, authentication_success, web, attack, syscheck, rootcheck), the client address in data.srcip, the user in data.srcuser, monitored file paths in syscheck.path and PCI DSS tags in rule.pci_dss. Map the fields below onto those names before running them through the OpenSearch SQL plugin or rewriting them for the Discover query bar.

  1. Use Case: Brute Force Attack Detection

    • Query: Identify source IP addresses that generate many failed login attempts within a short time frame.
    sql
    SELECT source.ip, COUNT(*) AS failed_login_attempts FROM alerts WHERE rule.category = 'authentication_failed' GROUP BY source.ip HAVING COUNT(*) > <threshold> AND TIMESTAMP_DIFF(MAX(timestamp), MIN(timestamp), SECOND) < <time_threshold>;
    Note: the HAVING clause must repeat the aggregate, since most engines do not accept the column alias there, and TIMESTAMP_DIFF is BigQuery syntax, so substitute your engine's equivalent. The span check covers each source's entire history, so a source with one stray failure hours earlier slips past it; either restrict the WHERE clause to a recent window or add a truncated time bucket to the GROUP BY.
  2. Use Case: Web Application Security

    • Query: Look for HTTP requests whose URI contains SQL injection keywords.
    sql
    SELECT * FROM alerts WHERE rule.category = 'http' AND (LOWER(source.http.uri) LIKE '%union%' OR LOWER(source.http.uri) LIKE '%sql%');
    Note: the parentheses matter; without them AND binds tighter than OR and the second LIKE matches alerts of every category. Bare keywords are noisy (any path containing "union" matches) and attackers usually URL-encode payloads, so treat this as a triage query and decode the URI before matching.
  3. Use Case: Insider Threat Detection

    • Query: Identify users accessing sensitive files or directories they typically don't access.
    sql
    SELECT user.name, destination.file FROM alerts WHERE rule.category = 'file_access' AND user.name NOT IN ('authorized_user1', 'authorized_user2', ...) AND destination.file IN ('sensitive_file1', 'sensitive_file2', ...);
  4. Use Case: Malware Detection

    • Query: Look for alerts related to the detection of malware or suspicious file activity.
    sql
    SELECT * FROM alerts WHERE rule.category = 'malware_detection';
  5. Use Case: Data Exfiltration

    • Query: Identify destinations that receive a large total volume of outbound data.
    sql
    SELECT destination.ip, SUM(destination.bytes) AS total_bytes_transferred FROM alerts WHERE rule.category = 'network_traffic' GROUP BY destination.ip HAVING SUM(destination.bytes) > <threshold> ORDER BY total_bytes_transferred DESC;
    Note: the threshold belongs in HAVING so that many small transfers to one destination add up; filtering destination.bytes in WHERE would only count individual large flows. Exclude your own address space from destination.ip so that internal backups do not top the list.
  6. Use Case: Compliance Monitoring

    • Query: Look for violations of regulatory compliance policies, such as failed PCI DSS compliance checks.
    sql
    SELECT * FROM alerts WHERE rule.category = 'compliance_failure' AND rule.description LIKE '%PCI%';
  7. Use Case: Anomaly Detection

    • Query: Identify anomalies in user login patterns, such as a user logging in from a source address they rarely use or outside business hours.
    sql
    SELECT user.name, source.ip, COUNT(*) AS login_attempts, MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen FROM alerts WHERE rule.category = 'authentication_successful' AND EXTRACT(HOUR FROM timestamp) NOT BETWEEN <start_hour> AND <end_hour> GROUP BY user.name, source.ip HAVING COUNT(*) < <threshold>;
    Note: aggregates such as MAX(timestamp) are not allowed in WHERE, only in HAVING. A low count for a user/source pair indicates a location that user seldom logs in from, and the hour filter isolates off-hours activity; baseline the pairs over a longer period (30 days or more) before treating a low count as anomalous.
  8. Use Case: Network Intrusion Detection

    • Query: Look for alerts related to potential network intrusion attempts, such as port scanning or exploit attempts.
    sql
    SELECT * FROM alerts WHERE rule.category = 'network_intrusion';
  9. Use Case: Suspicious Process Execution

    • Query: Identify suspicious processes executed on endpoints, such as known malware executables.
    sql
    SELECT * FROM alerts WHERE rule.category = 'process_execution' AND rule.description LIKE '%malware%';
  10. Use Case: Privilege Escalation Attempt

    • Query: Identify attempts to escalate privileges by users.
    sql
    SELECT * FROM alerts WHERE rule.category = 'privilege_escalation';

These queries are tailored to specific security use cases, enabling you to effectively monitor and respond to various security incidents within your environment. Adjust the thresholds and conditions in each query to match your organization's specific requirements and risk tolerance.
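The brute-force query in use case 1 is easiest to get wrong around the time window, so here is the same detection carried out in Python over alerts in the shape Wazuh writes to alerts.json and the wazuh-alerts-* index (timestamp, rule.groups, data.srcip). This is an added example, not code from the original post or from the Wazuh project: the alert records are constructed for the example, the rule IDs are only illustrative, and the sliding-window approach is the one I would use in place of comparing MAX(timestamp) and MIN(timestamp) across a source's whole history. A second function reproduces that whole-history check so the difference is visible on the same data.

```python
"""Sliding-window brute-force detection over Wazuh-style alerts (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime


def _alert(ts, srcip, group="authentication_failed", rule_id="5760", user="root"):
    """Build one alert in the Wazuh alerts.json shape. Constructed data."""
    return {
        "timestamp": ts,
        "rule": {"id": rule_id, "level": 5, "groups": ["syslog", "sshd", group]},
        "agent": {"name": "web-01"},
        "data": {"srcip": srcip, "srcuser": user},
    }


# Constructed sample: one obvious burst, one burst preceded by a stray failure
# hours earlier, one slow trickle, and one successful login that must be ignored.
SAMPLE_ALERTS = (
    [_alert(f"2024-05-01T10:00:{s:02d}.000+0000", "203.0.113.10") for s in (0, 5, 10, 15, 20, 25)]
    + [_alert("2024-05-01T09:00:00.000+0000", "192.0.2.55")]
    + [_alert(f"2024-05-01T10:30:{s:02d}.000+0000", "192.0.2.55") for s in (0, 10, 20, 30, 40)]
    + [_alert(f"2024-05-01T10:{m:02d}:00.000+0000", "198.51.100.7") for m in (5, 15, 25)]
    + [_alert("2024-05-01T10:00:30.000+0000", "203.0.113.10",
              group="authentication_success", rule_id="5715")]
)


def parse_ts(ts):
    """Wazuh timestamps look like 2024-05-01T10:00:00.000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def is_failed_auth(alert):
    """Category comes from rule.groups, not a rule.category field."""
    return "authentication_failed" in alert.get("rule", {}).get("groups", [])


def detect_bruteforce(alerts, threshold=5, window_seconds=60):
    """Return {srcip: {"count", "first", "last"}} for every source that produced at
    least `threshold` authentication_failed alerts inside any sliding window of
    `window_seconds`. A per-source deque holds recent timestamps; entries older
    than the window are dropped as time advances, so an old stray failure cannot
    hide a later burst."""
    recent = defaultdict(deque)
    hits = {}
    for alert in sorted(filter(is_failed_auth, alerts), key=lambda a: parse_ts(a["timestamp"])):
        src = alert.get("data", {}).get("srcip")
        if not src:
            continue
        now = parse_ts(alert["timestamp"])
        q = recent[src]
        q.append(now)
        while (now - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            prev = hits.get(src)
            if prev is None or len(q) > prev["count"]:
                hits[src] = {"count": len(q), "first": q[0].isoformat(), "last": now.isoformat()}
    return hits


def whole_history_check(alerts, threshold=5, window_seconds=60):
    """The COUNT(*) >= threshold AND MAX - MIN < window logic, for comparison:
    it spans each source's entire history, so one old failure masks a burst."""
    per_src = defaultdict(list)
    for alert in filter(is_failed_auth, alerts):
        src = alert.get("data", {}).get("srcip")
        if src:
            per_src[src].append(parse_ts(alert["timestamp"]))
    return {
        src for src, ts in per_src.items()
        if len(ts) >= threshold and (max(ts) - min(ts)).total_seconds() < window_seconds
    }


if __name__ == "__main__":
    print(json.dumps(detect_bruteforce(SAMPLE_ALERTS), indent=2))
    print("whole-history check flags:", sorted(whole_history_check(SAMPLE_ALERTS)))
```

On the sample data the sliding window flags both 203.0.113.10 (6 failures in 25 seconds) and 192.0.2.55 (5 failures in 40 seconds, preceded by one failure at 09:00), while the whole-history check flags only the first, because the stray 09:00 entry stretches the second source's span to 90 minutes. To run this against real data, feed it the JSON lines from /var/ossec/logs/alerts/alerts.json on the manager, or the hits returned by a query on wazuh-alerts-* that filters rule.groups for authentication_failed.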
