...
Interesting Insights: These are built-in queries that serve as a useful starting point for an advanced investigation. They often point to weaknesses in the security environment, such as use of weak ciphers, potentially unauthorized recursive DNS servers, or unusual SMB/RPC activity. Insights can be run on newly ingested data as well as retroactively over historical data, to hunt for past attacks and support root cause analysis (RCA).
Queries: Queries are written in the Kibana query bar. Kibana accepts either the Kibana Query Language (KQL) or the older Lucene query-string syntax; the example below uses the Lucene form, in which _exists_:field matches documents that carry the field and a leading minus sign negates a term (the KQL equivalents are field:* and NOT). Queries range from very simple to complex expressions that expose very specific threat scenarios. For example, consider a query like:
_exists_:dns_server_country AND dns_server_country:"United States" AND orig_h:10.70.120.10 AND -orig_h:10.150.120.10 AND -dns_server_ip:10.255.8.8 AND -dns_server_ip:10.150.120.10 AND -dns_server_ip:10.150.117.100 AND -dns_server_ip:10.30.223.10
As written, this query lists every DNS server located in the United States that the host 10.70.120.10 is talking to, excluding the enterprise's four authorized resolvers (the -dns_server_ip: terms). Negating the country term (-dns_server_country:"United States") and dropping the orig_h: restriction gives the more common hunting variant: every enterprise host connecting to a DNS server that is neither in the United States nor in the set of authorized resolvers. Note that _exists_:dns_server_country silently drops records for which no GeoIP country was resolved, so unauthorized resolvers with no country attribution must be checked separately. Additional threat use cases are shown in the table below.
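The resolver-hunting query above, worked through as an added example (this is not code from the original page or from the product it describes): a small Python script that generates the Lucene query-string form from an authorized-resolver list, and then applies the same filter over constructed Zeek-style DNS records so the result of both the literal query (resolvers inside the United States) and the inverted variant (resolvers outside it) can be seen. The field names orig_h, dns_server_ip and dns_server_country come from the page; the sample records, the authorized-resolver set and the function names are assumptions made here. It also surfaces the records that _exists_:dns_server_country would silently drop.

```python
"""Added example, not from the original page: the DNS-resolver hunt as a
generated Kibana/Lucene query string and as the same filter run over
constructed DNS records (field names from the page; data constructed here)."""

from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed assumption: the enterprise's authorized recursive resolvers.
AUTHORIZED_RESOLVERS: Set[str] = {
    "10.255.8.8", "10.150.120.10", "10.150.117.100", "10.30.223.10",
}
HOME_COUNTRY = "United States"


@dataclass(frozen=True)
class DnsRecord:
    orig_h: str                        # client that sent the DNS query
    dns_server_ip: str                 # resolver it talked to
    dns_server_country: Optional[str]  # GeoIP country; None if lookup failed


# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE_RECORDS: List[DnsRecord] = [
    DnsRecord("10.70.120.10", "10.255.8.8", HOME_COUNTRY),      # authorized
    DnsRecord("10.70.120.10", "203.0.113.53", HOME_COUNTRY),    # US, unauthorized
    DnsRecord("10.70.120.10", "198.51.100.53", "Netherlands"),  # foreign, unauthorized
    DnsRecord("10.70.121.7", "203.0.113.9", "Brazil"),          # foreign, other host
    DnsRecord("10.70.121.7", "10.150.117.100", None),           # authorized, no GeoIP
    DnsRecord("10.70.122.3", "192.0.2.1", None),                # unauthorized, no GeoIP
]


def build_query(authorized: Iterable[str], country: str,
                outside_country: bool = True,
                orig_h: Optional[str] = None) -> str:
    """Generate the Lucene query-string form Kibana accepts.

    outside_country=True negates the country term (the common hunt);
    False reproduces the page's literal query, which keeps in-country servers.
    """
    terms = ["_exists_:dns_server_country",
             f'{"-" if outside_country else ""}dns_server_country:"{country}"']
    if orig_h:
        terms.append(f"orig_h:{orig_h}")
    # One prohibited clause per authorized resolver, as in the page's query.
    terms.extend(f"-dns_server_ip:{ip}" for ip in sorted(authorized))
    return " AND ".join(terms)


def suspicious_resolvers(records: Iterable[DnsRecord], authorized: Set[str],
                         country: str, outside_country: bool = True
                         ) -> List[Tuple[str, str, str]]:
    """Apply the same filter in code; returns unique (orig_h, server, country)."""
    hits = set()
    for r in records:
        if r.dns_server_country is None:      # the _exists_ clause drops these
            continue
        if r.dns_server_ip in authorized:      # the -dns_server_ip: clauses
            continue
        in_country = r.dns_server_country == country
        if in_country == outside_country:      # wrong side of the country filter
            continue
        hits.add((r.orig_h, r.dns_server_ip, r.dns_server_country))
    return sorted(hits)


def missing_geoip(records: Iterable[DnsRecord], authorized: Set[str]
                  ) -> List[Tuple[str, str]]:
    """Unauthorized resolvers the query never shows because GeoIP failed."""
    return sorted({(r.orig_h, r.dns_server_ip) for r in records
                   if r.dns_server_country is None
                   and r.dns_server_ip not in authorized})


if __name__ == "__main__":
    print(build_query(AUTHORIZED_RESOLVERS, HOME_COUNTRY))
    print("outside US :", suspicious_resolvers(SAMPLE_RECORDS, AUTHORIZED_RESOLVERS, HOME_COUNTRY))
    print("inside  US :", suspicious_resolvers(SAMPLE_RECORDS, AUTHORIZED_RESOLVERS, HOME_COUNTRY, False))
    print("no GeoIP   :", missing_geoip(SAMPLE_RECORDS, AUTHORIZED_RESOLVERS))
```

The generated string can be pasted into the Kibana query bar with KQL switched off; the Python filter is only there to make the semantics of each clause explicit. The third function is the check a practitioner wants beside this query: records whose GeoIP lookup failed are exactly where an unexpected resolver can hide, and the _exists_ clause excludes them by design.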
...