Wazuh: Log Analysis Queries with Use Cases for Effective Network Security Monitoring | Part-5

Here are more queries for your Wazuh SIEM log analysis:

1. Search for Excessive Failed Login Attempts by User:
   • Identify users with a high number of failed login attempts.
```sql
SELECT user.name, COUNT(*) AS failed_login_attempts FROM alerts WHERE rule.category = 'authentication_failed' GROUP BY user.name HAVING failed_login_attempts > <threshold>;
```
2. Search for Outbound Traffic to Unusual Destinations:
   • Identify outbound network traffic to uncommon or suspicious destinations.
```sql
SELECT destination.ip, COUNT(*) AS event_count FROM alerts WHERE rule.category = 'network_traffic' AND destination.ip NOT IN ('trusted_ip1', 'trusted_ip2', ...) GROUP BY destination.ip ORDER BY event_count DESC;
```
3. Search for Unusual User-Agent Strings:
   • Look for HTTP requests with unusual or suspicious user-agent strings.
```sql
SELECT source.ip, source.http.useragent FROM alerts WHERE rule.category = 'http' AND source.http.useragent NOT LIKE '%common_useragent%';
```
4. Search for Expired SSL Certificates:
   • Identify SSL certificates that have expired.
```sql
SELECT * FROM alerts WHERE rule.category = 'ssl_certificate_expired';
```
5. Search for Suspicious Activity in System Logs:
   • Look for suspicious activity in system logs such as the syslog or Windows Event Logs.
```sql
SELECT * FROM alerts WHERE rule.category = 'ossec';
```
6. Search for Failed SSH Logins by User:
   • Identify failed SSH login attempts for a specific user.
```sql
SELECT * FROM alerts WHERE rule.category = 'authentication_failed' AND source.user = 'username';
```
7. Search for Privilege Escalation Attempts by User:
   • Look for attempts to escalate privileges by users.
```sql
SELECT * FROM alerts WHERE rule.category = 'privilege_escalation';
```
8. Search for Webshell Activity:
   • Identify alerts related to the detection of webshells on web servers.
```sql
SELECT * FROM alerts WHERE rule.category = 'webshell_detection';
```
9. Search for Successful sudo Access:
   • Look for successful sudo access by users.
```sql
SELECT * FROM alerts WHERE rule.category = 'sudo_success';
```
10. Search for Suspicious DNS Queries:
   • Identify DNS queries for suspicious or blacklisted domains.
```sql
SELECT * FROM alerts WHERE rule.category = 'dns' AND destination.domain IN ('suspicious_domain1', 'suspicious_domain2', ...);
```
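Queries 1, 2 and 10 above share one pattern: count alerts per key, then keep only the keys that cross a threshold or fall outside an allow list (or inside a block list). The script below is an added example, not code from the original post or from the Wazuh project. It loads a handful of constructed alert rows into an in-memory SQLite table that uses the same dotted field names as the queries (quoted, because SQLite would otherwise read the dot as a table qualifier), then runs parameterised versions of those three queries so the threshold and the IP/domain lists are bound values rather than strings pasted into the SQL. The table layout, sample rows, trusted-IP list and blocked-domain list are all assumptions made for the demo.

```python
import sqlite3

# Constructed sample alerts for the demo; not real Wazuh output.
# Columns: rule.category, user.name, destination.ip, destination.domain
SAMPLE_ALERTS = [
    ("authentication_failed", "alice", None, None),
    ("authentication_failed", "alice", None, None),
    ("authentication_failed", "alice", None, None),
    ("authentication_failed", "alice", None, None),
    ("authentication_failed", "bob", None, None),
    ("authentication_failed", "bob", None, None),
    ("authentication_failed", "carol", None, None),
    ("network_traffic", None, "10.0.0.5", None),
    ("network_traffic", None, "10.0.0.5", None),
    ("network_traffic", None, "10.0.0.5", None),
    ("network_traffic", None, "203.0.113.7", None),
    ("network_traffic", None, "203.0.113.7", None),
    ("network_traffic", None, "198.51.100.9", None),
    ("dns", None, None, "example.net"),
    ("dns", None, None, "bad.example"),
    ("dns", None, None, "bad.example"),
]

# Assumed allow list, block list and threshold; replace with your own values.
TRUSTED_IPS = ("10.0.0.5", "10.0.0.6")
BLOCKED_DOMAINS = ("bad.example", "worse.example")
FAILED_LOGIN_THRESHOLD = 3


def build_alerts_db(rows=SAMPLE_ALERTS):
    """Create an in-memory alerts table with the dotted field names the queries use."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE alerts ('
        '"rule.category" TEXT, "user.name" TEXT, '
        '"destination.ip" TEXT, "destination.domain" TEXT)'
    )
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def excessive_failed_logins(conn, threshold=FAILED_LOGIN_THRESHOLD):
    """Users with more than `threshold` authentication_failed alerts (query 1)."""
    # COUNT(*) is repeated in HAVING because not every engine accepts the alias there.
    sql = """
        SELECT "user.name", COUNT(*) AS failed_login_attempts
        FROM alerts
        WHERE "rule.category" = 'authentication_failed'
        GROUP BY "user.name"
        HAVING COUNT(*) > ?
        ORDER BY failed_login_attempts DESC
    """
    return conn.execute(sql, (threshold,)).fetchall()


def unusual_outbound(conn, trusted_ips=TRUSTED_IPS):
    """Outbound destinations not on the allow list, busiest first (query 2)."""
    # One placeholder per trusted IP, so the list is bound rather than string-formatted.
    placeholders = ", ".join("?" for _ in trusted_ips)
    sql = f"""
        SELECT "destination.ip", COUNT(*) AS event_count
        FROM alerts
        WHERE "rule.category" = 'network_traffic'
          AND "destination.ip" NOT IN ({placeholders})
        GROUP BY "destination.ip"
        ORDER BY event_count DESC
    """
    return conn.execute(sql, tuple(trusted_ips)).fetchall()


def suspicious_dns(conn, blocked_domains=BLOCKED_DOMAINS):
    """DNS alerts whose queried domain is on the block list, grouped by domain (query 10)."""
    placeholders = ", ".join("?" for _ in blocked_domains)
    sql = f"""
        SELECT "destination.domain", COUNT(*) AS query_count
        FROM alerts
        WHERE "rule.category" = 'dns'
          AND "destination.domain" IN ({placeholders})
        GROUP BY "destination.domain"
        ORDER BY query_count DESC
    """
    return conn.execute(sql, tuple(blocked_domains)).fetchall()


if __name__ == "__main__":
    db = build_alerts_db()
    print("excessive failed logins:", excessive_failed_logins(db))
    print("unusual outbound:", unusual_outbound(db))
    print("blocked-domain DNS:", suspicious_dns(db))
```

With the sample rows, only `alice` (4 failures) crosses the threshold of 3, the three hits to the trusted `10.0.0.5` drop out of the outbound list, and the single benign DNS lookup is ignored. Lowering the threshold to 1 also surfaces `bob`; that is the knob to tune per environment, since a threshold that is too low floods the queue with ordinary typos.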

These queries provide additional options for analyzing various security events and threats within your environment. Customize them according to your specific use cases and monitoring requirements to effectively detect and respond to potential security incidents.
