Wazuh: Log Analysis Queries with Use Cases for Effective Network Security Monitoring | Part-8

Here are some queries tailored for analyzing logs from Distributed Denial of Service (DDoS) protection appliances:

1. Search for Detected DDoS Attacks:

   • Query: Identify logs indicating the detection of DDoS attacks.

   ```sql
   SELECT * FROM ddos_logs WHERE event_type = 'attack_detected';
   ```

2. Search for Mitigated DDoS Attacks:

   • Query: Look for logs indicating the mitigation of DDoS attacks.

   ```sql
   SELECT * FROM ddos_logs WHERE event_type = 'attack_mitigated';
   ```

3. Search for DDoS Attack Traffic Volume:

   • Query: Calculate the total volume of DDoS attack traffic.

   ```sql
   SELECT SUM(attack_traffic_volume) AS total_attack_traffic FROM ddos_logs WHERE event_type = 'attack_detected';
   ```

4. Search for Top DDoS Attack Sources:

   • Query: Identify the top sources of DDoS attacks based on the number of attack events.

   ```sql
   SELECT source_ip, COUNT(*) AS attack_count FROM ddos_logs WHERE event_type = 'attack_detected' GROUP BY source_ip ORDER BY attack_count DESC LIMIT 10;
   ```

5. Search for DDoS Attack Types:

   • Query: Identify different types of DDoS attacks detected.

   ```sql
   SELECT attack_type, COUNT(*) AS attack_count FROM ddos_logs WHERE event_type = 'attack_detected' GROUP BY attack_type;
   ```

6. Search for DDoS Attack Duration:

   • Query: Calculate the average duration of DDoS attacks.

   ```sql
   SELECT AVG(attack_duration) AS average_attack_duration FROM ddos_logs WHERE event_type = 'attack_detected';
   ```

7. Search for DDoS Attack Trend Over Time:

   • Query: Analyze the trend of DDoS attacks over a specific time period.

   ```sql
   SELECT DATE_TRUNC('hour', event_timestamp) AS hour_bucket, COUNT(*) AS attack_count FROM ddos_logs WHERE event_type = 'attack_detected' GROUP BY hour_bucket ORDER BY hour_bucket;
   ```

8. Search for DDoS Attack Events Triggering Mitigation Actions:

   • Query: Look for DDoS attack events that triggered mitigation actions.

   ```sql
   SELECT * FROM ddos_logs WHERE event_type = 'attack_mitigated';
   ```

9. Search for DDoS Attack Traffic Patterns:

   • Query: Identify patterns in DDoS attack traffic, such as high-volume bursts.

   ```sql
   SELECT event_timestamp, attack_traffic_volume FROM ddos_logs WHERE event_type = 'attack_detected' ORDER BY attack_traffic_volume DESC LIMIT 100;
   ```

10. Search for DDoS Attack Events Reaching Thresholds:

    • Query: Look for DDoS attack events that exceeded predefined thresholds.

    ```sql
    SELECT * FROM ddos_logs WHERE attack_traffic_volume > <threshold>;
    ```

These queries can help you effectively analyze logs from DDoS protection appliances, allowing you to monitor, detect, and mitigate DDoS attacks on your network infrastructure. Adjust the parameters and conditions in each query as needed to match your specific use cases and requirements.
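To show the queries above running end to end, here is an added example (not code from the original post) that loads a constructed `ddos_logs` table into an in-memory SQLite database and runs queries 4, 7 and 10 against it, then goes one step beyond the list by pairing each `attack_detected` event with its first later `attack_mitigated` event to measure time to mitigation and to surface detections that were never mitigated. The table schema, column units and every sample row are assumptions. Two practical caveats are built in: `DATE_TRUNC` is PostgreSQL syntax, so the hourly bucket is rewritten with SQLite's `strftime`; and the threshold query filters on `event_type`, because an appliance that logs the same `attack_traffic_volume` on both the detection and the mitigation record would otherwise report every breach twice.

```python
"""Run the DDoS-appliance log queries from the post against a constructed
sample table (SQLite in memory).  Added example, not code from the original
post; the ddos_logs schema and every row below are assumed."""
import sqlite3
from datetime import datetime

# Constructed sample events (not real appliance data).  Columns:
# event_timestamp, event_type, source_ip, attack_type,
# attack_traffic_volume (Mbps, assumed unit), attack_duration (seconds, assumed unit)
SAMPLE_ROWS = [
    ("2024-05-01 10:05:00", "attack_detected",  "198.51.100.7", "udp_flood",          850, 300),
    ("2024-05-01 10:09:00", "attack_mitigated", "198.51.100.7", "udp_flood",          850, 300),
    ("2024-05-01 10:40:00", "attack_detected",  "203.0.113.9",  "syn_flood",         1200, 600),
    ("2024-05-01 10:42:00", "attack_mitigated", "203.0.113.9",  "syn_flood",         1200, 600),
    ("2024-05-01 11:15:00", "attack_detected",  "198.51.100.7", "dns_amplification", 2400, 900),
    ("2024-05-01 11:50:00", "attack_detected",  "192.0.2.33",   "http_flood",         150, 120),
    ("2024-05-01 12:03:00", "attack_detected",  "198.51.100.7", "udp_flood",          700, 200),
]


def load_sample_db():
    """Create the assumed ddos_logs table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ddos_logs ("
        "event_timestamp TEXT, event_type TEXT, source_ip TEXT, attack_type TEXT,"
        "attack_traffic_volume INTEGER, attack_duration INTEGER)"
    )
    conn.executemany("INSERT INTO ddos_logs VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def top_sources(conn, limit=10):
    """Query 4: sources ranked by number of detected attacks (ties broken by IP)."""
    return conn.execute(
        "SELECT source_ip, COUNT(*) AS attack_count FROM ddos_logs "
        "WHERE event_type = 'attack_detected' "
        "GROUP BY source_ip ORDER BY attack_count DESC, source_ip LIMIT ?",
        (limit,),
    ).fetchall()


def hourly_trend(conn):
    """Query 7 in SQLite: DATE_TRUNC('hour', ...) is PostgreSQL, so bucket with strftime."""
    return conn.execute(
        "SELECT strftime('%Y-%m-%d %H:00:00', event_timestamp) AS hour_bucket, COUNT(*) "
        "FROM ddos_logs WHERE event_type = 'attack_detected' "
        "GROUP BY hour_bucket ORDER BY hour_bucket"
    ).fetchall()


def threshold_breaches(conn, threshold):
    """Query 10 with an event_type filter added, so a detection and its
    mitigation record (same volume) are not both counted as breaches."""
    return conn.execute(
        "SELECT event_timestamp, source_ip, attack_type, attack_traffic_volume "
        "FROM ddos_logs WHERE event_type = 'attack_detected' "
        "AND attack_traffic_volume > ? ORDER BY attack_traffic_volume DESC",
        (threshold,),
    ).fetchall()


def time_to_mitigation(conn):
    """Pair each detection with the first later mitigation for the same source
    and attack type.  Returns (detected_at, source_ip, attack_type, seconds);
    seconds is None when no mitigation was logged, which is worth alerting on.
    Simplification: matches on source and type only, not on an attack id."""
    rows = conn.execute(
        "SELECT d.event_timestamp, d.source_ip, d.attack_type, "
        "  (SELECT MIN(m.event_timestamp) FROM ddos_logs m "
        "   WHERE m.event_type = 'attack_mitigated' AND m.source_ip = d.source_ip "
        "   AND m.attack_type = d.attack_type AND m.event_timestamp >= d.event_timestamp) "
        "FROM ddos_logs d WHERE d.event_type = 'attack_detected' ORDER BY d.event_timestamp"
    ).fetchall()
    result = []
    for detected_at, source_ip, attack_type, mitigated_at in rows:
        seconds = None
        if mitigated_at is not None:
            delta = datetime.fromisoformat(mitigated_at) - datetime.fromisoformat(detected_at)
            seconds = int(delta.total_seconds())
        result.append((detected_at, source_ip, attack_type, seconds))
    return result


if __name__ == "__main__":
    db = load_sample_db()
    print("top sources:", top_sources(db))
    print("hourly trend:", hourly_trend(db))
    print("above 1000 Mbps:", threshold_breaches(db, 1000))
    for row in time_to_mitigation(db):
        print("mitigation:", row)
```

On the sample data the script reports one source responsible for three of five detections, an hourly curve of 2, 2, 1 detections, two detections above the 1000 Mbps threshold, and three detections with no matching mitigation record. The `time_to_mitigation` pairing is the one worth adapting first for a real appliance: if its logs carry an attack or incident identifier, join on that instead of on source and attack type.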
