Built-in filters
Filters that have been built into the System are shown in the table below.
| Name | Description | Source | Query |
|---|---|---|---|
| Abnormal activity | The search analyzes network traffic in 3-hour periods per country, which may help detect abnormal activity. | netflowByCountryAggr | `set sumClientBytesAndServerBytes = add(clientBytes, serverBytes) \| timeAggr dcCountry=dc(country), avgSumClientBytesAndServerBytes=avg(sumClientBytesAndServerBytes),sum1 = sum(sumClientBytesAndServerBytes), countries=join(country), mintimestamp=min(timestamp),maxtimestamp=max(timestamp) on timestamp interval="3h" \| set timestampStr=tsToStr(_bucket),mintimestampStr=tsToStr(mintimestamp),maxtimestampStr=tsToStr(maxtimestamp) \| project +avgSumClientBytesAndServerBytes as clientBytes, +countries as country, +timestampStr as timestamp, +mintimestampStr as activeTime, +maxtimestampStr as tenantId` |
| Activity on non-standard ports | The search detects suspicious ports (e.g. based on the MITRE non-standard ports list). | netflow | `lookupKeyExists("ports-suspicious", {"Port": serverPort} )` |
| Bottom Client IPs | The search displays the least common client IP addresses, which can help identify potentially bad hosts. | netflow | `aggr countClientIp=count(clientIp) by clientIp unwind=true \| sort countClientIp asc \| limit 10 \| project +clientIp, +countClientIp as flows` |
| Brute Force - SSH | The search detects brute-force attacks against SSH services. | netflow | `(serverPort=22 or applicationNameNtop="SSH") \| aggr _countSessions=count(timestamp), _sumBytes=sum(add(clientBytes,serverBytes)), _sumPackets=sum(add(clientPackets,serverPackets)) by clientIp, serverIp, serverPort unwind=true \| sort _countSessions desc \| _countSessions > 50 and _sumBytes > 1000 \| project +clientIp,+serverIp,+_sumBytes as clientBytes,+_countSessions as flows,+_sumPackets as clientPackets,+serverPort` |
| Chat | The search detects chat traffic, for example Signal, QQ, IRC, WhatsApp, Telegram, KakaoTalk or WeChat. | netflow | `applicationNameNtop in ["Signal","QQ","IRC","WhatsApp","Telegram","KakaoTalk","WeChat"]` |
| Cloud | The search monitors cloud traffic. | netflow | `applicationNameNtop in ["NestLogSin","Dropbox","UbuntuONE","Microsoft","GoogleDrive","MS_OneDrive","LISP","ApplePush","AmazonVideo","AmazonAWS","Salesforce","Azure","GoogleCloud","Edgecast","Cachefly"]` |
| Collaborative | The search monitors collaborative applications, for example Discord or Slack. | netflow | `applicationNameNtop in ["Discord","Slack","LotusNotes","Github","Microsoft365","Git","GoogleDocs","Teams","GitLab","GoogleClassroom"]` |
| CTI Alerts | The search displays alerts detected by Sycope CTI. | alerts | `any(["CTI"], alertTags)` |
| Dangerous system | The search detects dangerous applications, for example SMBv1. | netflow | `applicationNameNtop in ["SMBv1"]` |
| Dangerous VPN | The search detects network traffic of dangerous VPN tools such as Tor or HotspotShield. | netflow | `applicationNameNtop in ["Tor","HotspotShield"]` |
| Data Transfer | The search monitors applications from the Data Transfer category. | netflow | `applicationNameNtop in ["NFS","TFTP","AFP","CHECKMK","RSYNC","Crashlytics"]` |
| Database | The search monitors database traffic. | netflow | `applicationNameNtop in ["MySQL","MongoDB","MsSQL-TDS","Oracle","Redis","DRDA","Cassandra"]` |
| DoS | The search detects denial-of-service attacks. | netflow | `aggr countSessions=count(timestamp), uniqueClientIPs=dc(clientIp), clientBytes=sum(clientBytes) by serverIp unwind=true \| sort countSessions desc \| project +serverIp,+countSessions as flows, +uniqueClientIPs as clientPackets, +clientBytes \| clientPackets > 200 and flows > 10000 and clientBytes >10000` |
| Exfiltration over Web Service (Cloud Storages) | The search detects data exfiltration via cloud storage services. | netflow | `httpHost in ["dropbox.com","box.com","drive.google.com","mega.io","mediafire.com"]` |
| Exfiltration over Web Service (Code Repositories) | The search detects data exfiltration via web code repositories and paste sites. | netflow | `httpHost in ["github.com","justpaste.it","pastebin.com","onpaste.com","transfernow.net","codepad.org"]` |
| External Threats | The search displays external threats, that is, alerts where either the client or the server has a public address. | alerts | `(isIpPrivate(clientIp) and not isIpPrivate(serverIp)) or (not isIpPrivate(clientIp) and isIpPrivate(serverIp))` |
| Game | The search monitors traffic from the Game category. | netflow | `applicationNameNtop in ["Xbox","AmongUs","Steam","HalfLife2","WorldOfWarcraft","Armagetron","Dofus","Fiesta", "Florensia","Guildwars","MapleStory","Warcraft3","WorldOfKungFu","Nintendo","Starcraft","Playstation","CSGO","GenshinImpact","Activision","RakNet"]` |
| Horizontal Scan | The search detects many connections/flows from one host to many hosts on the same port. Such activity may indicate a horizontal scan. | netflow | `$_INT$ \| aggr _uniqueServerIps=dc(serverIp), _countSessions=count(timestamp) by clientIp, serverPort unwind=true \| sort _uniqueServerIps desc \| where _countSessions > 100 and _uniqueServerIps > 30 \| project +clientIp,+serverPort,+_countSessions as flows,+_uniqueServerIps as clientPort` |
| Internal Threats | The search displays internal threats, that is, alerts where both the client and server IP addresses are private. | alerts | `isIpPrivate(clientIp) and isIpPrivate(serverIp)` |
| IoT-Scada | The search monitors IoT/OT traffic such as Modbus, DNP3 or IEC60870. | netflow | `applicationNameNtop in ["Modbus","DNP3","IEC60870"]` |
| Large Google Cloud Upload | The search detects large Google Drive upload traffic, which may indicate a policy violation or an exfiltration attempt. | netflow | `serverAsNumber = 15169 \| aggr sumBytes=sum(add(clientBytes,serverBytes)) by serverIp, clientIp unwind=true \| sort sumBytes desc \| sumBytes > 1000000 \| project +clientIp,+serverIp,+sumBytes as clientBytes` |
| Malicious IoC | The search detects communication with malicious IoCs (IPs and domains) exceeding 20 kB. | netflow | `lookupKeyExists("sec-cti-ip-malware", {"ip": clientIp} ) OR lookupKeyExists("sec-cti-ip-malware", {"ip": serverIp}) OR lookupKeyExists("sec-cti-domain-malware-db", {"domain": dnsQuery}) \| set bytes=add(clientBytes, serverBytes) \| aggr bytes=sum(bytes) by clientIp,serverIp unwind=true \| sort bytes desc \| bytes > 20000 \| project +clientIp,+serverIp,+bytes as clientBytes` |
| Malicious IP/Host | The search detects communication to/from malicious IP addresses and domains. | netflow | `lookupKeyExists("sec-cti-ip-malware", {"ip": clientIp} ) OR lookupKeyExists("sec-cti-ip-malware", {"ip": serverIp}) OR lookupKeyExists("sec-cti-domain-malware-db", {"domain": dnsQuery})` |
| Monitor unauthorized dynDNS services | The search detects dynamic DNS services, which can be used to host malicious payloads or C2 nodes and to bypass firewalls and other threat detection systems. There are many common dynamic DNS services, e.g. 123DDNS, AFRAID.ORG, CHANGEIP, ClouDNS, DNS Max, DNSEXIT, DNSMADEEASY, DUCKDNS, DVRLISTS, DYIP, DYN, DYNDNSS, DYNS, DYNU, DYNV6, EASTERNDNS, EASYDNS, EuroDynDNS, FREEDNS, LAVIEW, NO-IP, SECUREPOINT, SWANN, THATIP, ULTRADNS, YDNS, ZONEEDIT. The query below is an example that searches for only a few of them. | netflow | `regex(dnsQuery,".cloud.dns") or regex(dnsQuery,".dynu.net") or regex(dnsQuery,".*mywire.org")` |
| Multi-host threats | The search displays multi-host threats, that is, alerts where multiple hosts could participate as either client or server. | alerts | `clientIp = null or serverIp = null` |
| Potentially Dangerous Download | The search monitors potentially dangerous download applications. | netflow | `applicationNameNtop in ["Pastebin"]` |
| Potentially Dangerous Network | The search detects potentially dangerous network traffic. | netflow | `applicationNameNtop in ["RemoteScan"]` |
| Remote Access Software | The search detects unauthorized usage of Remote Monitoring and Management software. Cybercriminals may use such software for C2 activity, so as part of threat hunting consider analyzing anomalies related to services such as: 5938/tcp (TeamViewer), 15000/udp (Go2Assist), 5631/tcp and 5632/udp (PCAnywhere), 5650/tcp, 5655/tcp and remoteutilities.com (Remote Utilities), 6568/tcp (AnyDesk). | netflow | `(protocol ="6" and serverPort in [5938, 6568, 5650, 5655, 5631] ) or (protocol = "17" and serverPort in [15000, 5632]) or httpHost = "remoteutilities.com"` |
| Resource Hijacking | The search detects crypto-mining activity based on characteristic ports (3333, 3334, 3335, 4444, 5555, 5556, 6633, 6666, 7777, 8788, 8888, 8899, 9980, 9999, 13333, 14433, 14444, 16633, 16666). | netflow | `lookupKeyExists("sec-port-cryptomining", {"Port": serverPort }) or lookupKeyExists("sec-port-cryptomining", {"Port": clientPort })` |
| Reverse Proxy - Ngrok | The search detects connections to the reverse proxy tool Ngrok. The tool can create a secure tunnel to servers behind firewalls or on local computers that do not have a public IP address. Ngrok has been used by cybercrime groups in several campaigns, including for lateral movement and data exfiltration. | netflow | `regex(httpSite,".ngrok.")` |
| Social Networks | The search monitors social network applications. | netflow | `applicationNameNtop in ["TikTok","GooglePlus","Tumblr","Facebook","Twitter","Pinterest","Snapchat","Sina(Weibo)","Reddit","Instagram","LinkedIn","Likee","Badoo","Tencent"]` |
| Streaming | The search monitors streaming applications. | netflow | `applicationNameNtop in ["PPStream","DisneyPlus","Hulu","AppleiTunes","Pandora","Vimeo","Dazn","1kxun"]` |
| Suspicious ASN | Analyzing communication to/from suspicious ASNs should be part of the threat hunting process. A list of suspicious ASNs can be found, for example, on the https://www.spamhaus.org/ website. | netflow | `clientAsNumber in [4134,4837,45609,36947,7713,14618, 24560, 23969 ,17557] or serverAsNumber in [4134,4837,45609,36947,7713,14618, 24560, 23969 ,17557]` |
| Suspicious Country | Analyzing communication to/from suspicious countries should be part of the threat hunting process. A list of suspicious countries can be found, for example, on the https://www.spamhaus.org/statistics/botnet-cc/ website. | netflow | `clientCountry = "CN" or clientCountry="ID" or clientCountry="TH"` |
| Suspicious LDAP Activity | Cybercriminals may use the LDAP protocol for malicious activity, as in the Log4j vulnerability, so as a threat hunter consider analyzing anomalies related to this protocol, e.g. connections to/from external LDAP servers. | netflow | `($INT_EXT$ or $EXT_INT$) AND (serverPort = 636 AND protocol = 6) OR (serverPort = 389 AND protocol = 17) \| not any(serverFunction,["LDAP"])` |
| Suspicious host | The search detects suspicious hosts based on unusual network traffic characteristics (packets per flow). | netflow | `aggr _countSessions=count(timestamp), _sumPackets=sum(add(clientPackets,serverPackets)) by clientIp,serverIp unwind=true \| set _ppf=div(_sumPackets,_countSessions) \| sort _ppf,_countSessions desc \| _ppf >50 and _countSessions>100 \| project +clientIp,+serverIp,+_ppf as clientPackets,+_countSessions as flows` |
| Top Client IPs | The search displays the most common client IP addresses, which can help identify potential abuse. | netflow | `aggr countClientIp=count(clientIp) by clientIp unwind=true \| sort countClientIp desc \| limit 10 \| project +clientIp, +countClientIp as flows` |
| Unauthorized SSH Activity (External -> Internal) | The search detects unauthorized SSH traffic from external to internal hosts. | netflow | `$EXT_INT$ and serverPort = 22 AND not any(serverFunction,["SSH"]) \| aggr _sumBytes=sum(add(clientBytes,serverBytes)) by clientIp, serverIp, serverPort unwind=true \| sort _sumBytes desc \| _sumBytes > 1000 \| project +clientIp, +serverIp, +_sumBytes as clientBytes, +serverPort` |
| Unauthorized SSH Activity (Internal -> External) | The search detects unauthorized SSH traffic from internal to external hosts. | netflow | `serverPort = 443 AND not any(serverFunction,["SSH"]) \| aggr _sumBytes=sum(add(clientBytes,serverBytes)) by clientIp, serverIp, serverPort unwind=true \| sort _sumBytes desc \| _sumBytes > 1000 \| project +clientIp, +serverIp, +_sumBytes as clientBytes, +serverPort` |
| Unauthorized SSH activity on non-standard port | The search detects SSH traffic on non-standard ports. | netflow | `applicationNameNtop = "SSH" and serverPort != 22 and not any(serverFunction,["SSH"])` |
| Vertical Scan | The search detects many connections/flows between two hosts on many ports. Such activity may indicate a vertical scan. | netflow | `$_INT$ \| aggr _countUniqueServerPorts=dc(serverPort), _countSessions=count(timestamp) by clientIp, serverIp unwind=true \| sort _countSessions desc, _countUniqueServerPorts desc \| where _countUniqueServerPorts > 30 and _countSessions > 200 \| project +clientIp,+serverIp,+_countSessions as flows,+_countUniqueServerPorts as serverPort` |
| Video | The search monitors video traffic. | netflow | `applicationNameNtop in ["Zattoo","Sopcast","TVUplayer","QQLive","PS_VUE","NetFlix","Zoom","Twitch","IFLIX"]` |
| VirtAssistant | The search detects virtual assistant traffic. | netflow | `applicationNameNtop in ["AmazonAlexa","AppleSiri"]` |
| VoIP | The search monitors VoIP applications. | netflow | `applicationNameNtop in ["SkypeCall","WhatsAppCall","MGCP","IAX","SIP","TruPhone","Skype_Teams","Webex","Viber","Tuenti","H323","NOE","TeamSpeak","CiscoSkinny","RTCP","Megaco","KakaoTalk_Voice","IMO","SnapchatCall","FacebookVoip","SignalVoip","Fuze","GoTo"]` |
| VPN | The search monitors VPN traffic. | netflow | `applicationNameNtop in ["PTTP","OpenVPN","CiscoVPN","WireGuard","TINC","FortiClient","iCloudPrivateRelay","Softether"]` |
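As an added illustration (not part of the Sycope documentation or product code), the following Python re-implements the aggregation and threshold logic of the "Brute Force - SSH" and "Horizontal Scan" filters from the table and runs it over constructed flow records. Field names follow the table; the `$_INT$` internal-traffic macro is assumed to have been applied already (all sample addresses are private), and the sample flows are made up for the demonstration.

```python
from collections import defaultdict

def flow(client, server, port, **extra):
    """One constructed netflow record using the field names from the table."""
    rec = dict(clientIp=client, serverIp=server, serverPort=port, clientBytes=120,
               serverBytes=40, clientPackets=3, serverPackets=2, applicationNameNtop="")
    rec.update(extra)
    return rec

# Constructed sample traffic (not captured data): an SSH password guesser,
# a host sweeping port 445 across a /24, and some ordinary flows.
FLOWS = [flow("10.0.0.5", "10.0.1.9", 22) for _ in range(60)]
FLOWS += [flow("10.0.0.7", f"10.0.2.{h}", 445) for h in range(1, 36) for _ in range(4)]
FLOWS += [flow("10.0.0.8", "10.0.1.9", 22, clientBytes=500) for _ in range(3)]
FLOWS += [flow("10.0.0.9", "10.0.1.10", 443) for _ in range(20)]

def brute_force_ssh(flows, min_sessions=50, min_bytes=1000):
    """'Brute Force - SSH': keep flows with serverPort 22 or app SSH, aggregate per
    (clientIp, serverIp, serverPort), keep groups above both thresholds, sort desc."""
    groups = defaultdict(lambda: {"flows": 0, "bytes": 0, "packets": 0})
    for f in flows:
        if f["serverPort"] == 22 or f["applicationNameNtop"] == "SSH":
            g = groups[(f["clientIp"], f["serverIp"], f["serverPort"])]
            g["flows"] += 1
            g["bytes"] += f["clientBytes"] + f["serverBytes"]
            g["packets"] += f["clientPackets"] + f["serverPackets"]
    hits = [(k, g) for k, g in groups.items()
            if g["flows"] > min_sessions and g["bytes"] > min_bytes]
    return sorted(hits, key=lambda kg: kg[1]["flows"], reverse=True)

def horizontal_scan(flows, min_sessions=100, min_servers=30):
    """'Horizontal Scan': per (clientIp, serverPort) count flows and distinct
    serverIps; flag sources talking to many hosts on one port."""
    groups = defaultdict(lambda: {"flows": 0, "servers": set()})
    for f in flows:
        g = groups[(f["clientIp"], f["serverPort"])]
        g["flows"] += 1
        g["servers"].add(f["serverIp"])
    return [(k, g["flows"], len(g["servers"])) for k, g in groups.items()
            if g["flows"] > min_sessions and len(g["servers"]) > min_servers]

if __name__ == "__main__":
    for key, g in brute_force_ssh(FLOWS):
        print("SSH brute-force candidate:", key, g)
    for key, n, hosts in horizontal_scan(FLOWS):
        print("Horizontal scan candidate:", key, n, "flows to", hosts, "hosts")
```

The three-flow client on port 22 stays below the session threshold, which shows why the filter combines a flow count with a byte volume rather than matching on the port alone.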