need query with threatIntel and Apache logs

Comments


  • Official comment
    Graham

    Hey Dungar,

    I recommend installing our Threat Intel Quick Analysis App and pointing it at your Apache data so you can use all of the pre-built dashboards and searches without having to manually create them.

    An example of a search from this app applied to your apache data is:

    _sourceCategory=*apache*
    // Extract the first IPv4 address in each message (the client IP in Apache's default log formats)
    | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
    | count as ip_count by ip_address
    // Join each IP against the threat feed; the looked-up fields are null when there is no match
    | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
    | json field=raw "labels[*].name" as label_name
    | replace(label_name, "\\/","->") as label_name
    | replace(label_name, "\""," ") as label_name
    // Keep only IPs that resolved in the feed
    | where type="ip_address" and !isNull(malicious_confidence)
    | if (isEmpty(actor), "Unassigned", actor) as Actor
    | sum(ip_count) as threat_count

  • Dungar Rathod

    Thanks Graham.

    Just wanted to know if there is a way to see the status code along with the destination IP for POST requests.

  • Graham Watts

    Hey Dungar,

    Can you paste the query you have built so I can add on to it here?

  • Dungar Rathod

    Hi Graham,

    Thanks for your suggestion.

    Find the query below and let me know if it is possible to apply a threat intel rule to check the destination IP.

    If the destination IP is found in the threat intel database then we should see that destination IP along with the status code.


    _sourceCategory=Apache/Access POST
    // Anchor the parse on the POST request line so it agrees with the POST keyword filter
    | parse "POST * HTTP/1.1\" * * \"*\"" as url, status_code, size, referrer
    | timeslice 1m
    | count by status_code, _timeslice
    | sort by _timeslice, status_code asc
    | transpose row _timeslice column status_code

  • Graham

    Hey Dungar,

    Can you provide a query that has the dest_ip parsed out?

    This might be what you're looking for, which I used our Threat Intel App queries to create:

    _sourceCategory=Apache/Access
    // First IPv4 address in the message; in Apache's default log formats this is the client IP
    | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    // Parse the request line for any method so POST requests are included alongside GET
    | parse "\"* * HTTP/1.1\" * * \"*\"" as method, url, status_code, size, referrer
    | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
    | timeslice 5m
    | count as ip_count by ip_address, _source, method, status_code
    // Join against the threat feed; looked-up fields are null when the IP is not in it
    | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
    | json field=raw "labels[*].name" as label_name
    | replace(label_name, "\\/","->") as label_name
    | replace(label_name, "\""," ") as label_name
    | where type="ip_address" and !isNull(malicious_confidence) //and malicious_confidence in ("Low","Medium","High")
    | if (isEmpty(actor), "Unassigned", actor) as Actor
    | sum(ip_count) as threat_count by ip_address, malicious_confidence, method, status_code, Actor, _source, label_name
    | sort by threat_count

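The pipeline in Graham's query above, replayed offline in Python as an added example (not Sumo Logic code and not from the original thread). It runs over a handful of constructed Apache combined-format log lines and a constructed `THREAT_FEED` dict that stands in for the sumo://threat/cs lookup; the IPs, actor name and labels are made up. It shows which address the thread's `parse regex` step actually extracts (the first dotted quad, i.e. the client IP in Apache's default formats, not a destination), the 0.0.0.0/127.0.0.1 exclusion, the POST filter, the actor and label clean-up, and the per-IP, per-status counts.

```python
"""Offline replay of the thread's threat-intel join over Apache access logs.

Added example, not Sumo Logic code: the log lines and the THREAT_FEED dict
below are constructed; the feed stands in for the sumo://threat/cs lookup.
"""
import re
from collections import Counter

# Apache "combined" format:
# client_ip ident user [time] "METHOD url HTTP/x.y" status size "referrer" "user-agent"
APACHE_RE = re.compile(
    r'^(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Same pattern as the thread's `parse regex` step: first dotted quad in the message.
SUMO_IP_RE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

# Constructed sample log (RFC 5737 documentation addresses).
LOGS = """\
198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 401 187 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://10.0.0.5/" "curl/7.88"
127.0.0.1 - - [10/Oct/2023:13:56:05 +0000] "POST /api HTTP/1.1" 500 0 "-" "probe"
192.0.2.44 - - [10/Oct/2023:13:56:09 +0000] "POST /xmlrpc.php HTTP/1.1" 403 99 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 403 99 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:56:11 +0000] "GET /xmlrpc.php HTTP/1.1" 405 99 "-" "python-requests/2.31"
"""

# Constructed threat feed keyed by indicator; mirrors the fields the query
# pulls back from the lookup (type, actor, threatlevel, raw labels).
THREAT_FEED = {
    "198.51.100.23": {"type": "ip_address", "actor": "", "malicious_confidence": "High",
                      "labels": ["Malware/Downloader"]},
    "192.0.2.44": {"type": "ip_address", "actor": "FAKE ACTOR", "malicious_confidence": "Medium",
                   "labels": ["Scanner", "Brute\"Force"]},
    # Present in the feed but excluded up front by the where clause.
    "127.0.0.1": {"type": "ip_address", "actor": "", "malicious_confidence": "Low", "labels": []},
}

EXCLUDED_IPS = {"0.0.0.0", "127.0.0.1"}


def first_ipv4(line):
    """What the thread's `parse regex` extracts: the first dotted quad, which in
    Apache's default log formats is the client IP, not the destination."""
    m = SUMO_IP_RE.search(line)
    return m.group(0) if m else None


def parse_apache(line):
    """Parse one combined-format line; None for lines that do not match
    (Sumo's `parse` without `nodrop` drops those messages the same way)."""
    m = APACHE_RE.match(line)
    return m.groupdict() if m else None


def clean_labels(labels):
    """The two replace() steps in the query: "/" -> "->", quotes -> space."""
    return [label.replace("/", "->").replace('"', " ") for label in labels]


def threat_hits(log_text, feed, method=None):
    """Count requests per (ip, method, status), join against the feed and keep
    only indicators that resolved; method="POST" answers the thread's question."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_apache(line)
        if rec is None or rec["client_ip"] in EXCLUDED_IPS:
            continue
        if method is not None and rec["method"] != method:
            continue
        counts[(rec["client_ip"], rec["method"], rec["status"])] += 1

    hits = []
    for (ip, meth, status), n in counts.items():
        intel = feed.get(ip)
        # Equivalent of: where type="ip_address" and !isNull(malicious_confidence)
        if intel is None or intel["type"] != "ip_address" or intel["malicious_confidence"] is None:
            continue
        hits.append({
            "ip_address": ip,
            "method": meth,
            "status_code": status,
            "malicious_confidence": intel["malicious_confidence"],
            "actor": intel["actor"] or "Unassigned",  # if(isEmpty(actor), "Unassigned", actor)
            "label_name": ", ".join(clean_labels(intel["labels"])),
            "threat_count": n,
        })
    # sort by threat_count (descending, as Sumo's sort does), then a deterministic tie-break
    hits.sort(key=lambda h: (-h["threat_count"], h["ip_address"], h["status_code"]))
    return hits


if __name__ == "__main__":
    for hit in threat_hits(LOGS, THREAT_FEED, method="POST"):
        print(hit)
```

Run it as-is to see the three POST hits; drop the `method` argument to get GET and POST together, which is what the query does once the request line is parsed for any method. The referrer on the 203.0.113.7 line contains a second IP on purpose: `first_ipv4` still returns the client address because the regex stops at the first match.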
  • Dungar Rathod

    Hi Graham,

    Thanks for your help.
    This query will work for me.

    -Dungar
