MSSP Elastic Security Query

by | Mar 3, 2023 | Blog

MSSP Elastic Security Query – it can be used to detect for known exploitable vulnerabilities and or malicious behavior. Check out the two examples below.

MSSP Elastic Security Query to Detect Log4j

Assuming that the network logs are being stored in an Elasticsearch index named “network-logs”, you could use the following query:

GET /network-logs/_search { "query": { "bool": { "must": [ { "match": { "message": "log4j exploit" } } ], "filter": [ { "range": { "@timestamp": { "gte": "now-24h" } } } ] } } }
See more blog posts

MSSP Elastic Security Query to Detect C2

Detecting command and control (C2) activity within a network can be a complex task that requires a combination of network analysis, machine learning, and threat intelligence. Elastic search can be used as part of this process to index, search, and analyze network data to identify potential C2 activity.

Here is an example of a query that you can use in Elastic search to search for potential C2 activity: 

GET network-data/_search { "query": { "bool": { "must": [ {"match": {"protocol": "tcp"}}, {"match": {"destination_ip": "C2_server_ip"}}, {"range": {"destination_port": {"gte": 1024}}} ], "must_not": [ {"match": {"source_ip": "trusted_ip"}}, {"match": {"destination_ip": "trusted_ip"}} ] } } }

 In this example, we are searching for TCP traffic to a known C2 server IP address on any destination port greater than or equal to 1024. We are also excluding any traffic from or to a trusted IP address to filter out legitimate traffic.

This is just one example of a query that can be used to detect C2 activity. The exact query and approach will depend on the specific network and threat landscape. It’s important to work with experienced security professionals to design and implement an effective C2 detection strategy.

 

See more blog posts