Wazuh: Log Analysis Queries with Use Cases for Effective Network Security Monitoring | Part-5
Here are more queries for your Wazuh SIEM log analysis:
- Search for Excessive Failed Login Attempts by User:
  - Identify users with a high number of failed login attempts.

```sql
SELECT user.name, COUNT(*) AS failed_login_attempts
FROM alerts
WHERE rule.category = 'authentication_failed'
GROUP BY user.name
HAVING failed_login_attempts > <threshold>;
```
- Search for Outbound Traffic to Unusual Destinations:
  - Identify outbound network traffic to uncommon or suspicious destinations.

```sql
SELECT destination.ip, COUNT(*) AS event_count
FROM alerts
WHERE rule.category = 'network_traffic' AND destination.ip NOT IN ('trusted_ip1', 'trusted_ip2', ...)
GROUP BY destination.ip
ORDER BY event_count DESC;
```
- Search for Unusual User-Agent Strings:
  - Look for HTTP requests with unusual or suspicious user-agent strings.

```sql
SELECT source.ip, source.http.useragent
FROM alerts
WHERE rule.category = 'http' AND source.http.useragent NOT LIKE '%common_useragent%';
```
- Search for Expired SSL Certificates:
  - Identify SSL certificates that have expired.

```sql
SELECT *
FROM alerts
WHERE rule.category = 'ssl_certificate_expired';
```
- Search for Suspicious Activity in System Logs:
  - Look for suspicious activity in system logs such as syslog or the Windows Event Logs.

```sql
SELECT *
FROM alerts
WHERE rule.category = 'ossec';
```
- Search for Failed SSH Logins by User:
  - Identify failed SSH login attempts for a specific user.

```sql
SELECT *
FROM alerts
WHERE rule.category = 'authentication_failed' AND source.user = 'username';
```
- Search for Privilege Escalation Attempts by User:
  - Look for attempts by users to escalate their privileges.

```sql
SELECT *
FROM alerts
WHERE rule.category = 'privilege_escalation';
```
- Search for Webshell Activity:
  - Identify alerts related to the detection of webshells on web servers.

```sql
SELECT *
FROM alerts
WHERE rule.category = 'webshell_detection';
```
- Search for Successful sudo Access:
  - Look for successful sudo access by users.

```sql
SELECT *
FROM alerts
WHERE rule.category = 'sudo_success';
```
- Search for Suspicious DNS Queries:
  - Identify DNS queries for suspicious or blacklisted domains.

```sql
SELECT *
FROM alerts
WHERE rule.category = 'dns' AND destination.domain IN ('suspicious_domain1', 'suspicious_domain2', ...);
```
These queries provide additional options for analyzing various security events and threats within your environment. Customize them according to your specific use cases and monitoring requirements to effectively detect and respond to potential security incidents.
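The two aggregation queries at the top of the list (excessive failed logins per user, and outbound traffic to destinations outside an allow-list) are the ones most worth testing before they go into a dashboard, because a wrong threshold or an incomplete allow-list is easy to miss. The script below is an added example, not code from the original post or from the Wazuh project: it takes constructed alerts.json-style lines (not real Wazuh output), flattens the dotted fields used in the queries into an in-memory SQLite table named `alerts` (the schema, the `TRUSTED_IPS` allow-list and the `FAILED_LOGIN_THRESHOLD` value are all assumptions made for the example), and runs the two queries exactly as written above, with the placeholders filled in as bound parameters.

```python
"""Run the failed-login and unusual-destination queries over constructed alerts.

Added example. The alert lines, table schema, allow-list and threshold below are
all constructed for illustration; Wazuh normally keeps alerts in its indexer, so
the SQLite table simply mirrors the dotted field names the queries refer to.
"""
import json
import sqlite3

# Columns the two queries need, kept as the dotted names used in the post.
COLUMNS = ("user.name", "rule.category", "destination.ip", "source.ip")

TRUSTED_IPS = ("10.0.0.1", "10.0.0.2")  # assumed allow-list (placeholder values)
FAILED_LOGIN_THRESHOLD = 3                # assumed threshold for the HAVING clause

# Constructed sample alerts in the shape of Wazuh alerts.json lines (not real data):
# alice fails 4 times, bob 2 times, carol logs in once successfully; network events
# go 3x to 203.0.113.7, 2x to a trusted IP, 1x to 198.51.100.9.
SAMPLE_ALERT_LINES = (
    [json.dumps({"rule": {"category": "authentication_failed"},
                 "user": {"name": "alice"}, "source": {"ip": "10.0.0.5"}}) for _ in range(4)]
    + [json.dumps({"rule": {"category": "authentication_failed"},
                   "user": {"name": "bob"}, "source": {"ip": "10.0.0.6"}}) for _ in range(2)]
    + [json.dumps({"rule": {"category": "authentication_success"}, "user": {"name": "carol"}})]
    + [json.dumps({"rule": {"category": "network_traffic"}, "source": {"ip": "10.0.0.5"},
                   "destination": {"ip": "203.0.113.7"}}) for _ in range(3)]
    + [json.dumps({"rule": {"category": "network_traffic"}, "source": {"ip": "10.0.0.5"},
                   "destination": {"ip": "10.0.0.1"}}) for _ in range(2)]
    + [json.dumps({"rule": {"category": "network_traffic"}, "source": {"ip": "10.0.0.6"},
                   "destination": {"ip": "198.51.100.9"}})]
)

FAILED_LOGIN_SQL = """
SELECT "user.name", COUNT(*) AS failed_login_attempts
FROM alerts
WHERE "rule.category" = 'authentication_failed'
GROUP BY "user.name"
HAVING failed_login_attempts > ?
"""


def _get(event, dotted):
    """Resolve a dotted field name such as 'user.name' against a nested alert dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def load_alerts(lines):
    """Flatten JSON alert lines into an in-memory SQLite table named alerts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alerts (%s)" % ", ".join('"%s" TEXT' % c for c in COLUMNS))
    insert = "INSERT INTO alerts (%s) VALUES (%s)" % (
        ", ".join('"%s"' % c for c in COLUMNS), ", ".join("?" for _ in COLUMNS))
    for line in lines:
        event = json.loads(line)
        conn.execute(insert, [_get(event, c) for c in COLUMNS])
    conn.commit()
    return conn


def excessive_failed_logins(conn, threshold):
    """Users whose failed-login count exceeds the threshold, as (user, count) rows."""
    return conn.execute(FAILED_LOGIN_SQL, (threshold,)).fetchall()


def unusual_outbound_destinations(conn, trusted_ips):
    """Destinations outside the allow-list with event counts, most frequent first."""
    placeholders = ", ".join("?" for _ in trusted_ips)
    sql = f"""
SELECT "destination.ip", COUNT(*) AS event_count
FROM alerts
WHERE "rule.category" = 'network_traffic'
  AND "destination.ip" NOT IN ({placeholders})
GROUP BY "destination.ip"
ORDER BY event_count DESC
"""
    return conn.execute(sql, tuple(trusted_ips)).fetchall()


if __name__ == "__main__":
    db = load_alerts(SAMPLE_ALERT_LINES)
    print(excessive_failed_logins(db, FAILED_LOGIN_THRESHOLD))   # [('alice', 4)]
    print(unusual_outbound_destinations(db, TRUSTED_IPS))        # [('203.0.113.7', 3), ('198.51.100.9', 1)]
```

Two things the run makes visible that the raw queries do not: bob's two failures fall below the threshold and never appear, so the threshold is the whole detection and should be tuned against real failure rates rather than guessed; and an alert whose `destination.ip` is missing becomes NULL, which `NOT IN` silently drops, so events with a malformed or absent destination field need their own query if they matter to you.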