Last active
November 26, 2018 16:52
-
-
Save MHaggis/f08ba5d6cab4e39182fd17fa59ad3266 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Stats | |
| | metadata type=sourcetypes index=carbonblack | |
| `cb` | stats values(computer_name) | |
| `cb` type=alert | stats values(docs{}.endpoint) by watchlist_name | |
| `cb` notification_type="watchlist.hit.*" | stats values(watchlist_name) | |
| `cb` | stats values(feed_name) | |
| `cb` | stats count by feed_name | |
| `cb` notification_type=feed.*| stats values(feed_name) count by computer_name | |
| `cb` | stats values(type) | |
| ### Critical Process Check by process | |
| `cb` process="powershell.exe" OR process="msbuild.exe" OR process="psexec.exe" OR process="at.exe" OR process="schtasks.exe" OR process="net.exe" OR process="vssadmin.exe" OR process="utilman.exe" OR process="wmic.exe" OR process="mshta.exe" OR process="wscript.exe" OR process="cscript.exe" OR process="cmd.exe" OR process="whoami.exe" OR process="mmc.exe" OR process="systeminfo.exe" OR process="csvde.exe" OR process="certutil.exe" | stats values(command_line) by process | |
| ### Critical Process Check by computer | |
| `cb` process="powershell.exe" OR process="msbuild.exe" OR process="psexec.exe" OR process="at.exe" OR process="schtasks.exe" OR process="net.exe" OR process="vssadmin.exe" OR process="utilman.exe" OR process="wmic.exe" OR process="mshta.exe" OR process="wscript.exe" OR process="cscript.exe" OR process="cmd.exe" OR process="whoami.exe" OR process="mmc.exe" OR process="systeminfo.exe" OR process="csvde.exe" OR process="certutil.exe" | stats values(command_line) by computer_name | |
| ### Endpoint Deep Dive | |
| `cb` computer_name=collider01 type="ingress.event.procstart" | stats values(command_line) by process | |
| `cb` process=net.exe | stats values(computer_name) by date_hour | |
| `cb` process=net.exe | stats values(command_line) by date_hour | |
| ### Feeds, Watchlist Alerts | |
| `cb` feed_name=bit9endpointvisibility | stats values(ioc_query_string) by docs{}.cmdline | |
| ### Username Analysis | |
| `cb` | stats values(username) count by computer_name | |
| `cb` | stats values(computer_name) count by username | |
| `cb` [ inputlookup adminaccounts ]| stats values(username) count | |
| `cb` | stats dc(username) count by computer_name | |
| `cb` | stats dc(computer_name) count by username | |
| `cb` username!=SYSTEM username!="LOCAL SERVICE" username!="NETWORK SERVICE" | stats dc(computer_name) count by username | |
| ### Network Analysis | |
| `cb` computer_name=collider01 type="ingress.event.netconn" direction="outbound" | stats count by remote_port | |
| `cb` type="ingress.event.netconn" direction="outbound" | stats count by remote_port | |
| `cb` type="ingress.event.netconn" direction="outbound" | stats dc(remote_port) by local_port | |
| `cb` type="ingress.event.netconn" direction="outbound" | stats dc(local_port) by remote_port | |
| `cb` type="ingress.event.netconn" | iplocation remote_ip AS geoip | stats values(City) by computer_name | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment