Created
March 8, 2023 08:28
-
-
Save luca-m/7d0a83d1b6e56257fbca5ddf3a9bad4e to your computer and use it in GitHub Desktop.
Sentinel1 hunting queries
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Query for Outbound SMTP, SMTPS, STARTLS and SSH communications | |
| dst.port.number in (587,465,25,2525,22) | |
| | let rfc1918 = not ($dst.ip.address matches "((127\\..*)|(192\\.168\..*)|(10\\..*)|(172\\.1[6-9]\\..*)|(172\\.2[0-9]\\..*)|(172\\.3[0-1]\\..*)).*") | |
| | filter rfc1918 = true | |
| | group hits = count(src.process.name), endpoints = hacklist(endpoint.name) by dst.ip.address, dst.port.number | |
| | sort -endpoints |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment