Sniffa Network Security Solutions

Example Splunk® Searches

Intrusion Detection Systems and Clear Network Evidence for the Ultimate in Threat Visibility

Suspicious Outbound 1

This search hunts for frequently recurring outbound connections from your internal network to non-standard destination ports (anything other than 80 and 443) over a 30 day period, grouped by source IP, destination port, transport and the exact Bytes Sent and Bytes Received. Connection records are de-duplicated by UID first, and only combinations seen more than five times are returned, most frequent first. Repeated connections with identical byte counts in each direction are a typical beaconing pattern, which is what this grouping is meant to surface.

index=sniffa sourcetype="connections" ts!="#*" host="*" src_ip="*" src_port="*" (dest_port!=443 AND dest_port!=80) service="*" transport="*" conn_state="*" history="*" uid="*" earliest=-30d latest=now
| dedup uid
| eval Direction=case(local_orig="T" AND local_resp="T", "Internal", local_orig="T" AND local_resp="F", "Outbound", local_orig="F" AND local_resp="F", "External", local_orig="F" AND local_resp="T", "Inbound", 1=1, "-")
| search Direction="Outbound"
| stats count by src_ip, dest_port, transport, orig_bytes, resp_bytes
| where count > 5
| sort -count
| rename src_ip AS "Src IP", dest_port AS "Dest Port", transport AS Transport, orig_bytes AS "Bytes Out", resp_bytes AS "Bytes In", count AS Count

Suspicious Outbound 2

This search hunts for frequently recurring outbound connections from your internal network to non-standard destination ports (anything other than 80 and 443) over a 30 day period, grouped by source IP, destination port, transport, Connection State and History. Records are de-duplicated by UID and only combinations seen more than five times are returned. Because the grouping key is coarser than the byte counts used in the first search, this variant will also surface benign periodic traffic that happens to complete the same way every time, so treat it as a companion to the first search rather than a replacement for it.

index=sniffa sourcetype="connections" ts!="#*" host="*" src_ip="*" src_port="*" (dest_port!=443 AND dest_port!=80) service="*" transport="*" conn_state="*" history="*" uid="*" earliest=-30d latest=now
| dedup uid
| eval Direction=case(local_orig="T" AND local_resp="T", "Internal", local_orig="T" AND local_resp="F", "Outbound", local_orig="F" AND local_resp="F", "External", local_orig="F" AND local_resp="T", "Inbound", 1=1, "-")
| search Direction="Outbound"
| stats count by src_ip, dest_port, transport, conn_state, history
| where count > 5
| sort -count
| rename src_ip AS "Src IP", dest_port AS "Dest Port", transport AS Transport, conn_state AS "Connection State", history AS History, count AS Count

Suspicious HTTPS

This search hunts for frequently recurring outbound HTTPS connections from your internal network over a 14 day period. It works in two stages. The bracketed subsearch runs over the connection records, keeps outbound connections with service ssl and non-zero byte counts in both directions, and collects the UIDs of every combination of source IP, transport, Bytes Sent and Bytes Received seen more than ten times; format turns those UIDs into a uid= filter for the outer search. The outer search then takes the matching SSL records whose SSL history begins "cs" and counts them by Server Name and SSL History, again keeping only groups seen more than ten times. Note that a subsearch is subject to Splunk's subsearch limits (10,000 results and 60 seconds by default, set in limits.conf), so on a busy network shorten the time range or raise the threshold if the subsearch is being truncated.

index=sniffa sourcetype="https" ssl_history="cs*" earliest=-14d latest=now
[
search index=sniffa sourcetype="connections" ts!="#*" host="*" src_ip="*" src_port="*" resp_bytes!="0" orig_bytes!="0" resp_bytes!="-" orig_bytes!="-"  dest_port="*" service="ssl" transport="*" conn_state="*" history="*" uid="*" earliest=-14d latest=now
| dedup uid
| eval Direction=case(local_orig="T" AND local_resp="T", "Internal", local_orig="T" AND local_resp="F", "Outbound", local_orig="F" AND local_resp="F", "External", local_orig="F" AND local_resp="T", "Inbound", 1=1, "-")
| search Direction="Outbound"
| stats count values(uid) AS uid by src_ip, transport, orig_bytes, resp_bytes
| where count > 10
| fields uid
| format
]
| stats count by server_name, ssl_history
| where count > 10
| sort -count
| rename count AS Count, server_name AS "Server Name", ssl_history AS "SSL History"

Suspicious HTTP

This search hunts for frequently recurring outbound HTTP connections from your internal network over a 14 day period. As with the HTTPS search, the bracketed subsearch selects outbound connections with service http and non-zero byte counts, collects the UIDs of every combination of source IP, transport, Bytes Sent and Bytes Received seen more than ten times, and feeds them to the outer search as a uid= filter. The outer search then counts the matching HTTP records that returned status 200 by HTTP Host, Request Body Length and Response Body Length, keeping only groups seen more than ten times. The subsearch is capped by Splunk's default subsearch limits (10,000 results, 60 seconds), so narrow the time range or raise the threshold if it is truncated.

index=sniffa sourcetype="http" http_status_code="200" earliest=-14d latest=now
[
search index=sniffa sourcetype="connections" ts!="#*" host="*" src_ip="*" src_port="*" resp_bytes!="0" orig_bytes!="0" resp_bytes!="-" orig_bytes!="-" dest_port="*" service="http" transport="*" conn_state="*" history="*" uid="*" earliest=-14d latest=now
| dedup uid
| eval Direction=case(local_orig="T" AND local_resp="T", "Internal", local_orig="T" AND local_resp="F", "Outbound", local_orig="F" AND local_resp="F", "External", local_orig="F" AND local_resp="T", "Inbound", 1=1, "-")
| search Direction="Outbound"
| stats count values(uid) AS uid by src_ip, transport, orig_bytes, resp_bytes
| where count > 10
| fields uid
| format
]
| stats count by http_host, request_body_len, response_body_len
| where count > 10
| sort -count
| rename count AS Count, http_host AS "Host", request_body_len AS "Request Length", response_body_len AS "Response Length"
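The four searches above share one pattern: derive a traffic direction from local_orig and local_resp, de-duplicate on UID, group on a handful of fields and keep the groups above a threshold, with the HTTPS and HTTP variants feeding the UIDs selected from the connection records into a second log. The Python below is an added example, not Sniffa's code or part of the original page, that reproduces that logic offline so the grouping keys and thresholds can be tried against a few constructed Zeek-style records before a search is run in Splunk. The record layout, the sample connections (a beacon on port 4444, a TLS beacon on port 443, a duplicated UID and some noise) and the ssl_history value are assumptions made up for the example; the port exclusions and the count > 5 and count > 10 thresholds are taken from the searches.

```python
from collections import Counter, defaultdict

# Field layout assumed for a Zeek-style conn record (only the fields the SPL searches use).
CONN_FIELDS = ("uid", "src_ip", "dest_ip", "dest_port", "transport", "service",
               "orig_bytes", "resp_bytes", "local_orig", "local_resp", "conn_state", "history")


def _conn(uid, src_ip, dest_ip, dest_port, transport, service, orig_bytes, resp_bytes,
          local_orig, local_resp, conn_state="SF", history="ShADadFf"):
    """Build one conn record. Constructed sample data for this example, not real traffic."""
    return dict(zip(CONN_FIELDS, (uid, src_ip, dest_ip, dest_port, transport, service,
                                  orig_bytes, resp_bytes, local_orig, local_resp, conn_state, history)))


CONN_LOG = (
    # 8 identical-size connections to a non-standard port: what "Suspicious Outbound 1" keys on.
    [_conn(f"CBeacon{i}", "10.0.0.5", "203.0.113.7", 4444, "tcp", "-", 312, 1024, "T", "F") for i in range(8)]
    # The same record indexed twice; "dedup uid" must count it once.
    + [_conn("CBeacon0", "10.0.0.5", "203.0.113.7", 4444, "tcp", "-", 312, 1024, "T", "F")]
    # 12 identical-size TLS sessions on 443: excluded by Outbound 1, caught by "Suspicious HTTPS".
    + [_conn(f"CTls{i}", "10.0.0.9", "198.51.100.4", 443, "tcp", "ssl", 1540, 4096, "T", "F") for i in range(12)]
    # Noise: one inbound, one internal, and six outbound connections of varying size.
    + [_conn("CIn1", "203.0.113.9", "10.0.0.5", 22, "tcp", "ssh", 3000, 5000, "F", "T"),
       _conn("CInt1", "10.0.0.5", "10.0.0.20", 445, "tcp", "smb", 700, 900, "T", "T")]
    + [_conn(f"CVar{i}", "10.0.0.5", "203.0.113.8", 8080, "tcp", "http", 100 + i, 2000 + i, "T", "F") for i in range(6)]
)

# Constructed ssl records for the TLS sessions (the outer "Suspicious HTTPS" search reads these).
SSL_LOG = [{"uid": f"CTls{i}", "server_name": "update.example.net", "ssl_history": "CsiI"} for i in range(12)]


def direction(rec):
    """Mirror of the SPL case(): local_orig/local_resp flags map to a traffic direction."""
    table = {("T", "T"): "Internal", ("T", "F"): "Outbound", ("F", "F"): "External", ("F", "T"): "Inbound"}
    return table.get((rec["local_orig"], rec["local_resp"]), "-")


def dedup_uid(records):
    """Equivalent of '| dedup uid': keep the first record seen for each UID."""
    seen, out = set(), []
    for r in records:
        if r["uid"] not in seen:
            seen.add(r["uid"])
            out.append(r)
    return out


def suspicious_outbound(conn, exclude_ports=(80, 443), min_count=5,
                        key=("dest_port", "transport", "orig_bytes", "resp_bytes")):
    """Suspicious Outbound 1 (default key) and 2 (key=('dest_port','transport','conn_state','history')):
    count outbound connections to non-standard ports by (src_ip, *key), keep groups with count > min_count,
    most frequent first."""
    groups = Counter()
    for r in dedup_uid(conn):
        if direction(r) != "Outbound" or int(r["dest_port"]) in exclude_ports:
            continue
        groups[(r["src_ip"],) + tuple(r[k] for k in key)] += 1
    return sorted(((k, c) for k, c in groups.items() if c > min_count), key=lambda kc: -kc[1])


def suspicious_tls(conn, ssl, min_count=10, history_prefix="cs"):
    """Suspicious HTTPS. Stage 1 (the subsearch): UIDs of outbound ssl connections with non-zero bytes whose
    (src_ip, transport, orig_bytes, resp_bytes) tuple repeats more than min_count times. Stage 2 (the outer
    search): count those sessions' ssl records by (server_name, ssl_history), keeping groups above min_count."""
    by_size = defaultdict(list)
    for r in dedup_uid(conn):
        if direction(r) != "Outbound" or r["service"] != "ssl":
            continue
        if r["orig_bytes"] in (0, "0", "-") or r["resp_bytes"] in (0, "0", "-"):
            continue
        by_size[(r["src_ip"], r["transport"], r["orig_bytes"], r["resp_bytes"])].append(r["uid"])
    wanted = {uid for uids in by_size.values() if len(uids) > min_count for uid in uids}
    groups = Counter()
    for s in ssl:
        # Splunk field-value matching is case-insensitive, so ssl_history="cs*" also matches "Cs...".
        if s["uid"] in wanted and s["ssl_history"].lower().startswith(history_prefix):
            groups[(s["server_name"], s["ssl_history"])] += 1
    return sorted(((k, c) for k, c in groups.items() if c > min_count), key=lambda kc: -kc[1])


if __name__ == "__main__":
    print("Outbound 1:", suspicious_outbound(CONN_LOG))
    print("Outbound 2:", suspicious_outbound(CONN_LOG, key=("dest_port", "transport", "conn_state", "history")))
    print("HTTPS:", suspicious_tls(CONN_LOG, SSL_LOG))
```

Running the script shows the trade-off between the first two searches on the same data: the byte-count key reports only the port 4444 beacon, while the state/history key also reports the six varied-size connections to port 8080 because they all completed the same way, and the TLS beacon on 443 is invisible to both and only appears through the two-stage HTTPS logic. The HTTP search can be reproduced by pointing the second stage at http records and grouping on host and body lengths instead.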

Important Note:

The searches shown on this page are free to copy and use without licence, copyright or limitation.

However, Sniffa Network Security Solutions Ltd make no representations or warranties of any kind, express or implied, about the reliability of the searches on this page. Therefore, you will be running any searches copied from this page strictly at your own risk. In no event will Sniffa Network Security Solutions Ltd be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of any searches copied from this page.
