Use cases

Prefer field names and filtering options over the blind/irregular search function. Brim indexes log sources well, but it does not perform well on irregular search queries. The best practice is always to use field filters to search for the event of interest.

Identifying the list of communicating hosts is the first step of the investigation.
Security analysts need to know which hosts are actively communicating on the
network before they can detect suspicious or abnormal activity.
This approach helps analysts detect possible access violations, exploitation
attempts and malware infections.

Query: _path=="conn" | cut id.orig_h, id.resp_h | sort | uniq

Once the list of communicating hosts is available, it is important to identify which hosts
communicate with each other most frequently. This helps security analysts
detect possible data exfiltration, exploitation and backdooring activities.

Query: _path=="conn" | cut id.orig_h, id.resp_h | sort | uniq -c | sort -r

Suspicious activities are not always detectable at first glance. Attackers use multiple
hiding and bypassing methods to avoid detection. However, since the data is
evidence, the packet traces cannot be hidden. Investigating the most active ports
helps analysts detect silent and well-hidden anomalies by focusing on the data
bus and the services in use.

Query: _path=="conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
Query: _path=="conn" | cut id.orig_h, id.resp_h, id.resp_p, service | sort id.resp_p | uniq -c | sort -r

For security analysts, long connections could be the first anomaly indicator.
If the client is not designed to serve a continuous service, investigating the connection
duration between two IP addresses can reveal possible anomalies like backdoors.

Query: _path=="conn" | cut id.orig_h, id.resp_p, id.resp_h, duration | sort -r duration

Another essential point is calculating the transferred data size. If the client is not
designed to serve and receive files and act as a file server, it is important to
investigate the total bytes for each connection. Thus, analysts can distinguish
possible data exfiltration or suspicious file actions like malware downloading and

Query: _path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes
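
The connection hunts above (frequent host pairs, long connections, total bytes) can be reproduced offline to see what each query computes. This is an added Python example, not part of the original page or of Brim; it assumes Zeek's TSV conn.log layout, uses constructed sample rows and hypothetical function names, and treats Zeek's unset marker `-` as 0, which is a choice made for this example.

```python
from collections import Counter

# Constructed sample rows in Zeek's TSV conn.log layout (not data from the page).
FIELDS = ["uid", "id.orig_h", "id.resp_h", "id.resp_p", "service",
          "duration", "orig_bytes", "resp_bytes"]
ROWS = [
    ["C1", "10.0.0.5", "10.0.0.1", "53", "dns", "0.02", "60", "120"],
    ["C2", "10.0.0.5", "10.0.0.1", "53", "dns", "0.03", "62", "130"],
    ["C3", "10.0.0.5", "203.0.113.7", "443", "ssl", "86400.5", "5000", "900000"],
    ["C4", "10.0.0.9", "203.0.113.7", "443", "-", "-", "-", "-"],  # no payload seen
    ["C5", "10.0.0.9", "10.0.0.1", "53", "dns", "0.01", "58", "-"],
]
SAMPLE = ("#fields\t" + "\t".join(FIELDS) + "\n"
          + "\n".join("\t".join(r) for r in ROWS) + "\n#close\t2024-01-01-00-00-00\n")

def parse_conn(text):
    """Read column names from the '#fields' line and skip other '#' metadata lines."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def num(value):
    """Zeek writes '-' for unset fields; count it as 0 so sorting and sums do not fail."""
    return 0.0 if value == "-" else float(value)

def top_pairs(records):
    """Same idea as: cut id.orig_h, id.resp_h | sort | uniq -c | sort -r"""
    return Counter((r["id.orig_h"], r["id.resp_h"]) for r in records).most_common()

def longest(records):
    """Same idea as: sort -r duration"""
    return sorted(records, key=lambda r: num(r["duration"]), reverse=True)

def by_total_bytes(records):
    """Same idea as: put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes"""
    rows = [dict(r, total_bytes=int(num(r["orig_bytes"]) + num(r["resp_bytes"]))) for r in records]
    return sorted(rows, key=lambda r: r["total_bytes"], reverse=True)

if __name__ == "__main__":
    recs = parse_conn(SAMPLE)
    print(top_pairs(recs)[0])
    print(longest(recs)[0]["uid"])
    print([(r["uid"], r["total_bytes"]) for r in by_total_bytes(recs)])
```
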
DNS and
Identifying suspicious and out-of-the-ordinary domain connections and requests is another
significant point for a security analyst. Abnormal connections can help detect C2
communications and possibly compromised/infected hosts. Identifying suspicious
DNS queries and HTTP requests helps security analysts detect malware C2 channels
and supports the investigation hypothesis.

Query: _path=="dns" | count () by query | sort -r
Query: _path=="http" | count () by uri | sort -r

Identifying suspicious and out-of-the-ordinary hostnames helps analysts detect rogue
hosts. Investigating the DHCP logs provides the hostname and domain information.

Query: _path=="dhcp" | cut host_name, domain

IP Addresses

For security analysts, identifying suspicious and out-of-the-ordinary IP addresses is as
essential as identifying unusual domain addresses. Since the connection logs are stored in a
single log file (conn), filtering IP addresses is more manageable and provides more
reliable results.

Query: _path=="conn" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r

Investigating transferred files is another important point of traffic investigation.
Performing this hunt helps security analysts detect the transfer of malware or
infected files by correlating the hash values. It is also valuable for detecting
the transfer of sensitive files.

Query: filename!=null

Another significant point is investigating the SMB activity. This will help analysts
to detect possible malicious activities like exploitation, lateral movement and
malicious file sharing. When running an investigation, it is suggested to ask,
"What is going on in SMB?"

Query: _path=="dce_rpc" OR _path=="smb_mapping" OR _path=="smb_files"

Known patterns represent alerts generated by security solutions. These alerts are
generated against common attack/threat/malware patterns that are known to
endpoint security products, firewalls and IDS/IPS solutions. This data source relies
heavily on available signatures, attacks and anomaly patterns. Investigating available
log sources containing alerts is vital for a security analyst.

Brim supports Zeek and Suricata logs, so any anomaly detected by these products
will create a log file. Investigating these log files can provide a clue about where the analyst
should focus.

Query: event_type=="alert" or _path=="notice" or _path=="signatures"