Vous êtes sur la page 1sur 6

Threat Hunting:

A Quick Reference Guide

WWW.LOGRHYTHM.COM Page 1
Threat Hunting Reference: Threat Lifecycle Management
Detect indicators of compromise across your environment

Description Importance How To Perform LogRhythm Filter Criteria Important Metadata Fields Recommended Log Sources AIE Tips

Top Common Event Data Identifies repeated operation From the Executive Impacted Host Origin, All Log Sources N/A
or security events. Dashboard, double-click Host Impacted,
each of the top 10 Common User Origin,
Events to drill-down. Use User Impacted
LogRhythm Analyzer to
perform the initial analytics
pass of events by double-
click filtering interesting
data as well as using the
log table.
Search on Classification LogRhythm's use of Search in Web Console for Classification is Attack, Varies All Log Sources N/A
Classification Metadata can general activity. Compromise, Denial
give insight into log source of Service, Malware,
events. Grouping all Security Suspicious, Reconnaissance,
classifications together Vulnerability.
or selecting a specific
classification can point you
in a new direction.

LOGRHYTHM.COM/SOLUTIONS/SECURITY/THREAT-MANAGEMENT/ Page 2
Threat Hunting Reference: User
Leveraging LogRhythm’s User and Entity Behavior Analytics

Description Importance How To Perform Filter Criteria Important Metadata Recommended Log AIE Tips
LogRhythm Fields Sources
Interactive Logins on Service accounts are often Search in Web Console MPE Rule Name is: MPE Rule Name, Windows Security Create a Log Observed
Service Accounts targeted by attackers, because for Windows Type 2, 7, 10 Host (Origin), Event Logs Ruleblock in AIE grouped
EVID 4624 : Administrator Logon Type 2
their password hashes are stored events. Host (Impacted), by metadata fields.
EVID 4624 : Administrator Logon Type 7
on large numbers of systems. User (Origin)
EVID 4624 : Anonymous Logon Type 2
These accounts are typically not EVID 4624 : Anonymous Logon Type 2
used for interactive RDP but are EVID 4624 : Anonymous Logon Type 7
rarely locked down. Attackers take EVID 4624 : Anonymous Logon Type 7
advantage of this and use them for EVID 4624 : System Logon Type 2
pivoting around the network. EVID 4624 : System Logon Type 7
EVID 4624 : User Logon Type 10
EVID 4624 : User Logon Type 2
EVID 4624 : User Logon Type 7
EVID 528 : Administrator Logon Type 10
EVID 528 : Anonymous Logon Type 10
EVID 528 : Anonymous Logon Type 10
EVID 528 : System Logon Type 10
EVID 528 : User Logon Type 10
Privileged Account Identifies all activity from users with Search in Web Console for User (Origin) is ‘list: Privileged Users’ Host (Origin), Windows Security Event Create a Behavioral
Activity the highest access and subject to privileged user account Host (Impacted), logs, *NIX Syslog Ruleblock in AIE grouped
the highest risk. activity. User (Origin or Impacted) by metadata fields.
Recommendation: Review
the LogRhythm Privileged
Users list in LogRhythm
Console.
Domain Admin Identifies all activity from users with Search in Web Console for User by Active Directory Group is Host (Origin), Windows Security N/A
Activity the highest access and subject to all activity from Domain ‘Domain Admins’ Host (Impacted), Event logs
the highest risk. Admin users. User (Origin),
User (Impacted)
Account Lockouts Locked accounts can indicate Search in Web Console Common Event is Account Locked or Host (Origin), Windows Security Event Create a Log Observed
potential malicious issues within an for account lock events. Account Unlocked Host (Impacted), logs Ruleblock in AIE grouped
environment dependent upon the Use the pivot feature to User (Impacted) by metadata fields.
frequency and the actions leading identify related activity.
up to the account lock. Multiple
account locks within a short period
of time is indicative of account
sweeping or brute-force operations,
while administrator locks attacks
could highlight a targeted account.

LOGRHYTHM.COM/SOLUTIONS/SECURITY/USER-BEHAVIOR-ANALYTICS/ Page 3
Threat Hunting Reference: Host
Leveraging LogRhythm’s Endpoint Monitoring

Description Importance How To Perform LogRhythm Filter Criteria Important Metadata Fields Recommended Log Sources AIE Tips

Operational Errors Error and critical messages Search in Web Console for Classification is Host (Impacted), All log sources Create a Threshold Observed
reflect operational errors, and critical events. ‘Error’,’Critical’ Common Event Ruleblock in AIE grouped
challenges that could result by Host (Impacted). Set Log
in platform compromise and Count to 10 in 10 minutes.
availability issues.
Anti-Malware Activity Anti-malware activity Search in Web Console for Search for Classification is Host (Impacted), Antivirus, Endpoint Enable the ‘Malware:
indicates a possible Antivirus activity. Use the ‘Malware’, ‘Failed Malware’ Object Monitoring, IDS/IPS, Malware Event’ rule from the
compromise of a system. pivot feature to identify Windows, Application Logs LogRhythm Knowledge Base.
Pivot on Host (Origin) and
Anti-malware systems related activity. then Host (Impacted) to
attempt to clean files. identify other components
This does not necessarily where the malware may
indicate the compromise has have touched.
been remediated. Toolkits
often have one or two
detections and may leave
behind undetected code.
Remote Access PSExec is a powerful Search in Web Console for Log message contains Process Name, Windows Security Logs, Create a Log Observed
with PSExec tool allowing the user any execution of PSExec. psexec or Process Name Host (Impacted) LogRhythm Process Monitor Ruleblock in AIE grouped
to execute processes on contains psexec by metadata fields.
remote systems, including
interactive command-
prompt commands. For this
reason, it is favored among
attacks when pivoting
around the network.
Application Crashes Application crashed often Search in Web Console Classification is ‘Error’ Common Event, Windows Application Logs Create a Threshold Observed
occur when exploited by for application faults. Host (Impacted), Ruleblock in AIE grouped
Log Source Type is ‘MS Event
attackers. Any application Frequency of crashes and Object by Host (Impacted). Set Log
Log for Win7/Win8/2008/2012
crash should be investigated users of the application Count to 5 in 10 minutes.
- Application’
as a possible exploit. can be identified using the
timeline and the widgets.

LOGRHYTHM.COM/SOLUTIONS/SECURITY/ENDPOINT-THREAT-DETECTION/ Page 4
Threat Hunting Reference: Network
Leveraging LogRhythm’s Network Behavioral Analytics

Description Importance How To Perform LogRhythm Filter Criteria Important Metadata Fields Recommended Log Sources AIE Tips

Outbound Web Traffic Communication from Search in Web Console for Host (origin) is ServerA, Host(Origin), Firewall Create a Log Observed
from Servers non-Web Server systems host activity. ServerB Host(Impacted), IDS/IPS Ruleblock in AIE grouped
is suspicious and could Application, Proxy by Metadata fields.
Recommendation: Create Direction is Outbound
indicate compromise. Direction Network Monitor
a list of web servers in Application is HTTP, HTTP
LogRhythm Console and Alternate , HTTP RPC Endpoint
use the list for Host (Origin) Mapper, http_tunnel, http2,
search criteria. http-mgmt, HTTPS
Outbound Traffic Traffic from internal critical Search in Web Console for Host (origin) is ServerA, Host(Origin), Firewall Create a Log Observed
from Servers servers to the outside world host activity. ServerB Host(Impacted), IDS/IPS Ruleblock in AIE grouped
could reflect an IOC. Direction Proxy by metadata fields.
Recommendation: Create a Direction is Outbound
Network Monitor
list of servers in LogRhythm
Console and use the list for
Host (Origin) search criteria.
Outbound Traffic Any non-web, DNS, and Search in Web Console for Host (origin) is ServerA, Host(Origin), Firewall Create a Log Observed
from Servers common port connection host activity. ServerB Host(Impacted), IDS/IPS Ruleblock in AIE grouped
(to Unknown Ports) to the outside world from a Direction Proxy by metadata fields.
Recommendation: Create a Direction is Outbound
production server Network Monitor
list of servers in LogRhythm TCP/UDP Port Range
Console and use the list for (Impacted) is not 1 - 1024.
Host (Origin) search criteria.
Communication to Communication with Search in Web Console for Direction is 'Outbound' and Host (Origin), LogRhythm Network Monitor, Create a Log Observed
Non-Friendly/ Non-Business countries/zones where activity going to locations Location (Impacted) is NOT Host (Impacted), Firewalls, Netflow Ruleblock in AIE grouped
Geographical Points we don't have business where business is not 'United States', 'blank' TCP/UDP Port (Impacted), by metadata fields.
relationships are common typically conducted. Country (Impacted)
indicators of compromise.
Search for Non-Common Deep Packet Inspection Search in Web Console for Search for Application List Host (Origin), LogRhythm Network Monitor Create a Log Observed
Corporate Applications can provide better insight network traffic classified by for each of the following: Host (Impacted), Ruleblock in AIE grouped
to network activity related network monitor using lists Application by metadata fields.
‘Network: Functional: Adult/
topolicy violations or provided by LogRhythm. Mature Content’, ‘Network:
compromise. Functional: Online Storage’,
‘Network: Functional:
P2P’, ‘Network: Functional:
Remote Access’, ‘Network:
Functional:Tunneling’

LOGRHYTHM.COM/SOLUTIONS/SECURITY/NETWORK-THREAT-DETECTION/ Page 5
Threat Hunting:
A Quick Reference Guide

Gartner SIEM Magic Quadrant Leader

COMMERCIAL-GRADE NETWORK
FORENSICS FOR FREE!!
• Automatic identification of over 2,700 applications
• Full or selectrive packet capture
• File reconstruction
• Customizable dashboard

DOWNLOAD TODAY!
Get Gartner’s Complete Analysis LogRhythm.com/NetMonFreemium
in the SIEM 2016 Magic Quadrant
A 2016 LEADER
SIEM Magic Quadrant
LogRhythm.com/Gartner-MQ