Wazuh: Log Analysis Queries with Use Cases for Effective Network Security Monitoring | Part-7

  1. Search for Blocked Traffic by Source IP:

    • Query: Identify traffic that the firewall denied from a specific source IP address.

    ```sql
    SELECT * FROM firewall_logs WHERE action = 'deny' AND src_ip = 'xxx.xxx.xxx.xxx';
    ```

  2. Search for Allowed Traffic to a Specific Destination Port:

    • Query: Find traffic the firewall accepted toward a specific destination port.

    ```sql
    SELECT * FROM firewall_logs WHERE action = 'accept' AND dst_port = <port_number>;
    ```

  3. Search for Denied Traffic from a Specific Country:

    • Query: Identify denied traffic whose source address geolocates to a specific country.

    ```sql
    SELECT * FROM firewall_logs WHERE action = 'deny' AND src_country = 'CountryCode';
    ```

  4. Search for Traffic Blocked by Intrusion Prevention System (IPS):

    • Query: Find traffic blocked by the intrusion prevention (IPS) module.

    ```sql
    SELECT * FROM firewall_logs WHERE action = 'deny' AND log_subtype = 'intrusion prevention';
    ```

  5. Search for Traffic Blocked by Web Filter:

    • Query: Identify traffic blocked by the web filter module.

    ```sql
    SELECT * FROM firewall_logs WHERE action = 'deny' AND log_subtype = 'webfilter';
    ```

  6. Search for Denied Traffic due to Antivirus Detection:

    • Query: Find traffic blocked because the antivirus module detected malware in it.

    ```sql
    SELECT * FROM firewall_logs WHERE action = 'deny' AND log_subtype = 'av';
    ```

  7. Search for VPN Connection Establishment Logs:

    • Query: Identify events that record IPsec VPN tunnel establishment.

    ```sql
    SELECT * FROM firewall_logs WHERE log_subtype = 'vpn' AND event_type = 'ipsec';
    ```

  8. Search for Traffic Matching a Specific Firewall Policy:

    • Query: Find traffic matched by a specific firewall policy, identified by its policy ID.

    ```sql
    SELECT * FROM firewall_logs WHERE policy_id = '<policy_id>';
    ```

  9. Search for Traffic with a High Risk Rating:

    • Query: Identify traffic whose FortiGuard risk rating meets or exceeds a chosen threshold.

    ```sql
    SELECT * FROM firewall_logs WHERE risk_rating >= <threshold>;
    ```

  10. Search for Traffic Matching a Specific Application Control Rule:

    • Query: Find traffic matched by a specific application control rule.

    ```sql
    SELECT * FROM firewall_logs WHERE app_control_rule = '<rule_name>';
    ```

These queries show how to pull common security events and traffic patterns out of FortiGate firewall logs for monitoring, threat detection and troubleshooting. Two practical caveats apply before reusing them. First, firewall_logs and its column names are an illustrative schema: Wazuh does not expose logs as a SQL table. Its FortiGate decoder splits the device's key=value records into fields that typically keep FortiGate's own key names (srcip, dstport, srccountry, subtype, policyid, app and so on), and in the Wazuh dashboard you filter them with a KQL or Lucene expression over the decoded fields, for example data.action:"deny" and data.srcip:"xxx.xxx.xxx.xxx". Second, FortiGate's UTM modules (IPS, web filter, antivirus) record blocks with action values such as dropped or blocked rather than deny, and antivirus events carry the subtype virus, so check the values your device actually emits before copying the predicates above. Adjust the parameters and conditions in each query to match your own environment and use cases.
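The following is an added worked example, not code from the original post or from Wazuh or Fortinet. It parses a few constructed FortiGate-style key=value log lines, loads them into an in-memory SQLite table that follows the post's illustrative firewall_logs schema, and runs several of the queries above (1, 2, 3, 4 to 6 and 8) plus a GROUP BY variant for the top denied sources. The column mapping, the folding of FortiGate's "blocked"/"dropped" actions into 'deny' and the renaming of the ips and virus subtypes to the post's labels are assumptions made here so the post's SQL runs unchanged; the sample lines are constructed, not captured from a device.

```python
"""Run the post's firewall_logs queries against FortiGate-style log lines.

Added example: table and column names (firewall_logs, src_ip, dst_port,
log_subtype, ...) follow the post's illustrative schema, not a real Wazuh
index. SQLite is used only so the SQL can execute offline.
"""
import re
import sqlite3

# FortiGate writes space-separated key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (not captured from a real device). Keys are
# FortiGate's native log keys; addresses come from documentation ranges.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=203.0.113.10 '
    'srcport=51515 dstip=192.0.2.5 dstport=22 action="deny" policyid=7 srccountry="United States"',
    'date=2024-05-01 time=10:00:02 type="traffic" subtype="forward" srcip=10.0.0.5 '
    'srcport=40000 dstip=192.0.2.9 dstport=443 action="accept" policyid=3 srccountry="Reserved"',
    'date=2024-05-01 time=10:00:03 type="traffic" subtype="forward" srcip=198.51.100.7 '
    'srcport=6000 dstip=192.0.2.5 dstport=3389 action="deny" policyid=7 srccountry="Germany"',
    'date=2024-05-01 time=10:00:04 type="utm" subtype="ips" srcip=203.0.113.10 '
    'srcport=51600 dstip=192.0.2.5 dstport=80 action="dropped" policyid=3 attack="Generic.Attack"',
    'date=2024-05-01 time=10:00:05 type="utm" subtype="webfilter" srcip=10.0.0.8 '
    'srcport=40100 dstip=192.0.2.20 dstport=443 action="blocked" policyid=3 catdesc="Malicious Websites"',
    'date=2024-05-01 time=10:00:06 type="utm" subtype="virus" srcip=10.0.0.8 '
    'srcport=40200 dstip=192.0.2.21 dstport=80 action="blocked" policyid=3 virus="EICAR_TEST_FILE"',
]

# Assumed mapping from FortiGate keys to the post's column names.
COLUMNS = {
    "type": "log_type", "subtype": "log_subtype", "action": "action",
    "srcip": "src_ip", "dstip": "dst_ip", "dstport": "dst_port",
    "srccountry": "src_country", "policyid": "policy_id",
}
# UTM modules log blocks as "blocked"/"dropped" rather than "deny"; fold them
# into 'deny' so the post's action = 'deny' predicate covers them. The subtype
# renames match the post's labels. Both are normalisations chosen here.
BLOCK_ACTIONS = {"deny", "blocked", "dropped"}
SUBTYPES = {"ips": "intrusion prevention", "virus": "av"}


def parse_line(line):
    """Parse one key=value log line into a row keyed by the post's column names."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(line)}
    row = {col: fields.get(key) for key, col in COLUMNS.items()}
    if row["action"] in BLOCK_ACTIONS:
        row["action"] = "deny"
    row["log_subtype"] = SUBTYPES.get(row["log_subtype"], row["log_subtype"])
    for col in ("dst_port", "policy_id"):
        row[col] = int(row[col]) if row[col] is not None else None
    return row


def load_logs(lines):
    """Create the firewall_logs table in memory and insert the parsed rows."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute("""CREATE TABLE firewall_logs (
        log_type TEXT, log_subtype TEXT, action TEXT, src_ip TEXT, dst_ip TEXT,
        dst_port INTEGER, src_country TEXT, policy_id INTEGER)""")
    con.executemany(
        "INSERT INTO firewall_logs VALUES (:log_type, :log_subtype, :action, "
        ":src_ip, :dst_ip, :dst_port, :src_country, :policy_id)",
        [parse_line(line) for line in lines])
    return con


def _rows(cursor):
    return [dict(r) for r in cursor]


def blocked_from_ip(con, ip):  # query 1
    return _rows(con.execute(
        "SELECT * FROM firewall_logs WHERE action = 'deny' AND src_ip = ?", (ip,)))


def allowed_to_port(con, port):  # query 2
    return _rows(con.execute(
        "SELECT * FROM firewall_logs WHERE action = 'accept' AND dst_port = ?", (port,)))


def denied_from_country(con, country):  # query 3
    return _rows(con.execute(
        "SELECT * FROM firewall_logs WHERE action = 'deny' AND src_country = ?", (country,)))


def blocked_by_module(con, subtype):  # queries 4, 5 and 6 share one shape
    return _rows(con.execute(
        "SELECT * FROM firewall_logs WHERE action = 'deny' AND log_subtype = ?", (subtype,)))


def traffic_for_policy(con, policy_id):  # query 8
    return _rows(con.execute(
        "SELECT * FROM firewall_logs WHERE policy_id = ?", (policy_id,)))


def top_denied_sources(con, limit=5):
    """Aggregation the post does not show: denied hits per source, busiest first."""
    return [tuple(r) for r in con.execute(
        "SELECT src_ip, COUNT(*) AS hits FROM firewall_logs WHERE action = 'deny' "
        "GROUP BY src_ip ORDER BY hits DESC, src_ip LIMIT ?", (limit,))]


if __name__ == "__main__":
    db = load_logs(SAMPLE_LOGS)
    print("denied from 203.0.113.10:", len(blocked_from_ip(db, "203.0.113.10")))
    print("accepted to 443:", len(allowed_to_port(db, 443)))
    print("IPS blocks:", len(blocked_by_module(db, "intrusion prevention")))
    print("policy 7 hits:", len(traffic_for_policy(db, 7)))
    print("top denied sources:", top_denied_sources(db))
```

Because the sample's IPS event uses action="dropped", the post's query 1 only matches it after the normalisation step in parse_line; drop that step and the IPS block disappears from the per-source results, which is exactly the gap to watch for when porting the predicates to real Wazuh data.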
