Wazuh: Log Analysis Queries with Use Cases for Effective Network Security Monitoring | Part-4


Here are some more queries you can use with Wazuh SIEM to search and analyze logs:

  1. Search for Suspicious HTTP Requests:

    • Identify alerts related to potentially malicious HTTP requests, such as SQL injection attempts or cross-site scripting (XSS) attacks.

    ```sql
    SELECT * FROM alerts WHERE rule.category = 'http' AND source.http.method = 'GET' AND (source.http.uri LIKE '%sql%' OR source.http.uri LIKE '%xss%');
    ```

  2. Search for Authentication Failures by Source IP:

    • Look for authentication failures from specific source IP addresses.

    ```sql
    SELECT * FROM alerts WHERE rule.category = 'authentication_failed' AND source.ip = 'xxx.xxx.xxx.xxx';
    ```

  3. Search for Outbound Traffic to Known Botnet IPs:

    • Identify alerts related to outbound network traffic to known botnet IP addresses.

    ```sql
    SELECT * FROM alerts WHERE rule.category = 'network_traffic' AND destination.ip IN ('botnet_ip1', 'botnet_ip2', ...);
    ```

  4. Search for Suspicious Registry Modifications:

    • Look for alerts related to suspicious modifications to the Windows registry.

    ```sql
    SELECT * FROM alerts WHERE rule.category = 'registry_modification';
    ```

  5. Search for Failed Authentication Attempts by User:

    • Identify failed authentication attempts for a specific user or username.

    ```sql
    SELECT * FROM alerts WHERE rule.category = 'authentication_failed' AND user.name = 'username';
    ```

  6. Search for Access Denied Events:

    • Look for alerts related to access denied events or unauthorized access attempts.

    ```sql
    SELECT * FROM alerts WHERE rule.category = 'access_denied';
    ```

  7. Search for Suspicious Process Execution:

    • Identify alerts related to the execution of suspicious processes or binaries.

    ```sql
    SELECT * FROM alerts WHERE rule.category = 'process_execution' AND (rule.description LIKE '%suspicious%' OR rule.description LIKE '%malicious%');
    ```

  8. Search for Large File Transfers:

    • Identify alerts related to large file transfers or data uploads.

    ```sql
    SELECT * FROM alerts WHERE rule.category = 'file_transfer' AND source.bytes > <threshold>;
    ```

  9. Search for Expired Passwords:

    • Look for alerts related to expired user passwords.

    ```sql
    SELECT * FROM alerts WHERE rule.category = 'password_expired';
    ```

  10. Search for SQL Injection Attempts:

    • Identify alerts related to potential SQL injection attacks in web application logs.

    ```sql
    SELECT * FROM alerts WHERE rule.category = 'web' AND source.http.uri LIKE '%sql%';
    ```

These queries offer additional options for analyzing various types of security events and anomalies within your environment. Customize them based on your specific use cases and security monitoring requirements to effectively detect and respond to potential security threats.
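The queries above are schematic: Wazuh actually writes alerts as JSON lines (alerts.json) and indexes them in its OpenSearch-based indexer, and the real field names differ (for example `data.srcip` and `rule.groups` rather than `source.ip` and `rule.category`). To make the list runnable and tunable, the following added example (my code, not part of the original post or of the Wazuh project) loads constructed sample alerts into an in-memory SQLite table whose quoted column names mirror the page's dotted fields, and runs items 1, 2, 3, 8 and 10 with bound parameters instead of pasted-in literals. It goes one step beyond item 2 by ranking every source address by failure count, so the analyst does not have to know the IP in advance. All column and category names, the table layout, and the sample records are assumptions taken from the page, not a Wazuh schema.

```python
"""Run the page's Wazuh alert queries over constructed sample alerts (added example)."""
import sqlite3
from typing import Sequence

# Column names copied from the page's queries; quoted because of the dots.
COLUMNS = (
    "timestamp", "rule.category", "rule.description", "source.ip",
    "destination.ip", "user.name", "source.http.method", "source.http.uri",
    "source.bytes",
)

# Constructed sample alerts: RFC 5737 documentation addresses, made-up users.
SAMPLE_ALERTS = [
    ("2024-05-01T10:00:01Z", "authentication_failed", "sshd: authentication failed",
     "203.0.113.10", None, "root", None, None, None),
    ("2024-05-01T10:00:03Z", "authentication_failed", "sshd: authentication failed",
     "203.0.113.10", None, "admin", None, None, None),
    ("2024-05-01T10:00:05Z", "authentication_failed", "sshd: authentication failed",
     "203.0.113.10", None, "oracle", None, None, None),
    ("2024-05-01T10:02:00Z", "authentication_failed", "sshd: authentication failed",
     "198.51.100.7", None, "alice", None, None, None),
    ("2024-05-01T10:05:00Z", "network_traffic", "outbound connection",
     "10.0.0.5", "192.0.2.44", None, None, None, None),
    ("2024-05-01T10:06:00Z", "network_traffic", "outbound connection",
     "10.0.0.6", "192.0.2.99", None, None, None, None),
    ("2024-05-01T10:07:00Z", "http", "web request",
     "198.51.100.9", "10.0.0.8", None, "GET", "/index.php?id=1%20union%20select", None),
    ("2024-05-01T10:07:30Z", "http", "web request",
     "198.51.100.9", "10.0.0.8", None, "GET", "/docs/mysql-tuning.html", None),
    ("2024-05-01T10:09:00Z", "file_transfer", "scp upload",
     "10.0.0.5", "198.51.100.20", "alice", None, None, 734003200),
    ("2024-05-01T10:10:00Z", "file_transfer", "scp upload",
     "10.0.0.7", "10.0.0.9", "bob", None, None, 4096),
]


def load_alerts(rows=SAMPLE_ALERTS) -> sqlite3.Connection:
    """Create the assumed 'alerts' table in memory and bulk-insert the rows."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f'"{c}"' for c in COLUMNS)
    marks = ", ".join("?" * len(COLUMNS))
    conn.execute(f"CREATE TABLE alerts ({cols})")
    conn.executemany(f"INSERT INTO alerts VALUES ({marks})", rows)
    return conn


def auth_failures_from(conn, ip: str) -> list:
    """Item 2: the IP is bound as a parameter, never spliced into the SQL text."""
    return conn.execute(
        'SELECT "timestamp", "user.name" FROM alerts '
        'WHERE "rule.category" = ? AND "source.ip" = ? ORDER BY "timestamp"',
        ("authentication_failed", ip),
    ).fetchall()


def brute_force_sources(conn, min_failures: int) -> list:
    """Generalises item 2: rank every source IP by number of failures."""
    return conn.execute(
        'SELECT "source.ip", COUNT(*) FROM alerts WHERE "rule.category" = ? '
        'GROUP BY "source.ip" HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC',
        ("authentication_failed", min_failures),
    ).fetchall()


def outbound_to_blocklist(conn, blocklist: Sequence[str]) -> list:
    """Item 3: IN (...) built from one placeholder per blocklisted address."""
    if not blocklist:
        return []
    marks = ", ".join("?" * len(blocklist))
    rows = conn.execute(
        f'SELECT "source.ip" FROM alerts WHERE "rule.category" = ? '
        f'AND "destination.ip" IN ({marks})',
        ("network_traffic", *blocklist),
    ).fetchall()
    return [r[0] for r in rows]


def large_transfers(conn, threshold_bytes: int) -> list:
    """Item 8: the page's <threshold> placeholder supplied as a parameter."""
    return conn.execute(
        'SELECT "user.name", "source.bytes" FROM alerts '
        'WHERE "rule.category" = ? AND "source.bytes" > ?',
        ("file_transfer", threshold_bytes),
    ).fetchall()


def keyword_http_hits(conn, keyword: str) -> list:
    """Items 1 and 10: plain substring match on the URI, to show its limits."""
    rows = conn.execute(
        'SELECT "source.http.uri" FROM alerts WHERE "rule.category" = ? '
        'AND "source.http.uri" LIKE ?',
        ("http", f"%{keyword}%"),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = load_alerts()
    print("failures from 203.0.113.10:", auth_failures_from(db, "203.0.113.10"))
    print("sources with >= 3 failures:", brute_force_sources(db, 3))
    print("hosts talking to blocklist:", outbound_to_blocklist(db, ["192.0.2.44"]))
    print("transfers over 100 MiB:", large_transfers(db, 100 * 1024 * 1024))
    print("URIs containing 'sql':", keyword_http_hits(db, "sql"))
```

Two things the run makes visible. First, the page's `source.ip = 'xxx.xxx.xxx.xxx'` and `source.bytes > <threshold>` slots are filled here by parameter binding; building the query string by concatenation from an analyst-supplied value would turn the SIEM query itself into an injection sink. Second, the substring filter of items 1 and 10 flags the benign `/docs/mysql-tuning.html` and misses the request that carries `union select` without ever spelling "sql", so a keyword LIKE is a coarse triage filter, not a detection rule; in a real deployment the web-attack rules in Wazuh's ruleset, matched on the decoded request, are the better starting point.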
