isPublish: No
Date: 20220311 Friday
date: 2022/03/11 200391
Category:
tag:
related:
告警类
外网暴力破解
内网暴力破解
内网暴力破解 - error
内网暴力破解 - critical
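异常登录 Linux & Windows
index=hids event_type=bruteforce_ext
``` 外网暴力破解: brute-force events per external source IP. The original eval'd a formatted time field that stats then discarded, so it is omitted; count(detail_uname) counts events carrying a username, not distinct accounts, so adding dc(detail_uname) would surface one IP spraying many accounts ```
| stats count(detail_uname) as bruteforce_times by detail_src_ip
| rename detail_src_ip as " 来源 IP", bruteforce_times as " 爆破次数 "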
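index=hids event_type=bruteforce_inter
``` 内网暴力破解 - error: internal brute-force sources below the critical threshold. The formatted time field of the original was dropped by stats and is omitted; the count is over the alert's scheduled search window, so the threshold is only meaningful with a fixed earliest/latest ```
| stats count(detail_uname) as bruteforce_times by detail_src_ip
| where bruteforce_times < 10
| rename detail_src_ip as " 来源 IP", bruteforce_times as " 爆破次数 "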
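index=hids event_type=bruteforce_inter
``` 内网暴力破解 - critical: internal brute-force sources at or above the critical threshold. The original used > 10 while the error tier uses < 10, so a source with exactly 10 attempts appeared in neither alert; >= 10 closes that gap. The formatted time field of the original was dropped by stats and is omitted ```
| stats count(detail_uname) as bruteforce_times by detail_src_ip
| where bruteforce_times >= 10
| rename detail_src_ip as " 来源 IP", bruteforce_times as " 爆破次数 "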
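index=hids event_type=excep_login
| eval time=strftime(_time, "%Y-%m-%d %H:%M:%S")
``` The subsearch had no pipe before FIELDS, so "FIELDS detail_src_ip" was searched as raw terms; it also filters on datatype= where every other search here uses event_type= — NOTE(review): confirm the field name against the HIDS schema. Appended rows carry only detail_src_ip; any IP not present in the main results survives the dedup below as a row with empty time/content — confirm the append is intended ```
| append
    [ search index=hids datatype=excep_login
    | fields detail_src_ip
    | dedup detail_src_ip ]
``` one row per source IP: repeated anomalous logins from the same IP within the window collapse to the first one ```
| dedup detail_src_ip
| table time, event_content, detail_uname, group_name
| rename time as " 时间 ", event_content as " 内容 ", detail_uname as " 登录用户名 ", group_name as " 机房位置"
反弹shell - critical
Linux本地提权 - critical
后门检测 - critical
Web后门 - critical
Linux可疑操作
Linux可疑操作 - critical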
index=hids event_type=bounce_shell OR event_type=win_bounce_shell
``` 反弹shell - critical: Linux and Windows reverse-shell events. This search formats _time, whereas the searches below format datatime; only time and content are shown, no user or group_name unlike the other alerts ```
| eval time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table time ,event_content
| rename time as " 时间 ", event_content as " 内容 "
index=hids event_type=privilege_escalation
``` Linux本地提权 - critical: local privilege-escalation events; the time shown is the formatted datatime field, not _time. detail_process_tree is listed but not renamed, so it appears under its raw field name ```
| eval time=strftime(datatime, "%Y-%m-%d %H:%M:%S")
| table time, event_content, detail_uname, detail_process_tree, group_name
| rename time as " 时间 ", event_content as " 内容 ", detail_uname as " 登录用户名 ", group_name as " 机房位置 "
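index=hids event_type=backdoor_diagnose OR event_type=backdoor_diagnose_win
``` 后门检测 - critical: Linux and Windows backdoor findings. The strftime format string and the "路径" alias were broken across lines in the original and are rejoined here; detail_ctime is overwritten in place with its formatted form. detail_sha256/detail_md5 stay under their field names so the hashes can be pivoted on across hosts ```
| eval time=strftime(datatime, "%Y-%m-%d %H:%M:%S"), detail_ctime=strftime(detail_ctime, "%Y-%m-%d %H:%M:%S")
| table time, detail_ctime, event_content, detail_uname, detail_path, detail_sha256, detail_md5, group_name
| rename time as " 事件时间 ", event_content as " 内容 ", detail_ctime as " 文件创建时间 ", detail_path as " 路径", detail_uname as " 登录用户名 ", group_name as " 机房位置 "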
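index=hids event_type=webshell
``` Web后门 - critical: webshell findings; same pipeline as the backdoor search. The strftime format string and the "路径" alias were broken across lines in the original and are rejoined here; detail_ctime is overwritten in place with its formatted form. detail_sha256/detail_md5 stay under their field names so the hashes can be pivoted on across hosts ```
| eval time=strftime(datatime, "%Y-%m-%d %H:%M:%S"), detail_ctime=strftime(detail_ctime, "%Y-%m-%d %H:%M:%S")
| table time, detail_ctime, event_content, detail_uname, detail_path, detail_sha256, detail_md5, group_name
| rename time as " 事件时间 ", event_content as " 内容 ", detail_ctime as " 文件创建时间 ", detail_path as " 路径", detail_uname as " 登录用户名 ", group_name as " 机房位置 "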
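index=hids event_type="malic_opera" detail_hit_rule_names!="dubbo 高危命令 " AND detail_hit_rule_names!=" 高危命令告警 " AND detail_hit_rule_names!=" 信息收集 . 查看或修改 host key"
``` Linux可疑操作: suspicious operations that did not hit one of the three critical rule names. The rule-name literals had mis-encoded characters (Kangxi radicals) in the original and are repaired here — NOTE(review): verify the exact strings, including spacing, against the HIDS rule list, since an inexact literal silently matches nothing. field!=value also drops events that have no detail_hit_rule_names at all; if such events exist they fire in neither this alert nor the critical one — NOT (field=value) would keep them. The rename list was missing the comma before group_name ```
| eval time=strftime(datatime, "%Y-%m-%d %H:%M:%S")
| table time, event_content, detail_uname, detail_hit_rule_names, group_name
| rename time as " 事件时间 ", event_content as " 内容 ", detail_uname as " 登录用户名", detail_hit_rule_names as " 匹配规则 ", group_name as " 机房位置 "
Linux可疑操作 - error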
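动态蜜罐
动态蜜罐告警 - error
动态蜜罐告警 - critical
单扫描IP,每分钟访问蜜罐端口大于十次打电话
Web命令执行 – Linux & Windows
docker本地提权 - critical
docker暴力破解
Docker暴力破解 - error
index=hids event_type="malic_opera" (detail_hit_rule_names="dubbo 高危命令 " OR detail_hit_rule_names=" 高危命令告警 " OR detail_hit_rule_names=" 信息收集 . 查看或修改 host key")
``` Linux可疑操作 - critical: operations that hit one of the three critical rule names. Splunk evaluates OR before the implicit AND, so the original already meant event_type AND (rule1 OR rule2 OR rule3); the parentheses state that instead of relying on precedence. The rule-name literals had mis-encoded characters (Kangxi radicals) in the original and are repaired here — NOTE(review): verify the exact strings, including spacing, against the HIDS rule list. The rename list was missing the comma before group_name ```
| eval time=strftime(datatime, "%Y-%m-%d %H:%M:%S")
| table time, event_content, detail_uname, detail_hit_rule_names, group_name
| rename time as " 事件时间 ", event_content as " 内容 ", detail_uname as " 登录用户名", detail_hit_rule_names as " 匹配规则 ", group_name as " 机房位置 "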
index="HIDS" event_type=honeypot
| eval time=strftime(_time, "%
青藤云HIDS Splunk syslog