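``` Source front-matter as extracted from the PDF: isPublish: No ; Date: 2022-03-11 Friday ; date: 2022/03/11 (trailing digits garbled in extraction: "2 0 03  9 1") ; Category: ; tag: ; related: ```
``` 青藤云 HIDS alert searches for Splunk (syslog ingest). Each search below corresponds to one alert heading in the source document and is meant to be saved as its own alert or dashboard panel; they are listed one after another, not piped together. ```
``` Comments use SPL triple-backtick syntax; remove them if the target Splunk release does not accept inline comments. ```
``` Display labels inside rename/search strings are kept exactly as extracted, including leading/trailing spaces and what appear to be Kangxi-radical code points (e.g. ⽤ instead of 用) — confirm them against the original dashboard before matching on column names. ```

``` 告警类 / 外网暴力破解 — external brute force: bruteforce_ext events per source IP. count(detail_uname) counts events that carry a detail_uname value. ```
``` The original computed eval time=strftime(_time, ...) before stats; stats drops every field that is neither aggregated nor in its by-clause, so that eval was dead and is omitted here (same in the two internal brute-force searches). ```
index=hids event_type=bruteforce_ext
| stats count(detail_uname) as bruteforce_times by detail_src_ip
| rename detail_src_ip as " 来源 IP", bruteforce_times as " 爆破次数 "

``` 内网暴力破解 - error: internal brute force, fewer than 10 events from one source IP. ```
``` NOTE(review): this tier uses < 10 and the critical tier below uses > 10, so a source IP with exactly 10 events matches neither alert; move one bound to 10 (e.g. >= 10 for critical) once the threshold is confirmed with the alert owner. ```
index=hids event_type=bruteforce_inter
| stats count(detail_uname) as bruteforce_times by detail_src_ip
| where bruteforce_times < 10
| rename detail_src_ip as " 来源 IP", bruteforce_times as " 爆破次数 "

``` 内网暴力破解 - critical: internal brute force, more than 10 events from one source IP. ```
index=hids event_type=bruteforce_inter
| stats count(detail_uname) as bruteforce_times by detail_src_ip
| where bruteforce_times > 10
| rename detail_src_ip as " 来源 IP", bruteforce_times as " 爆破次数 "

``` 异常登录 - Linux & Windows: abnormal logins, reduced to one row per source IP. ```
``` Fixed: the original subsearch read "SEARCH index=hids datatype=excep_login FIELDS detail_src_ip" with no pipe before FIELDS, so FIELDS and detail_src_ip were keyword terms searched in the raw event rather than a fields command; the pipe is restored here. ```
``` NOTE(review): the subsearch filters on datatype=excep_login while the outer search uses event_type=excep_login — confirm datatype is a real field and not a typo. The appended rows carry only detail_src_ip; dedup keeps the first row per IP, so they survive only for IPs absent from the outer results. ```
index=hids event_type=excep_login
| eval time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| append [search index=hids datatype=excep_login | fields detail_src_ip | dedup detail_src_ip]
| dedup detail_src_ip
| table time, event_content, detail_uname, group_name
| rename time as " 时间 ", event_content as " 内容 ", detail_uname as " 登录⽤户名 ", group_name as " 机房位 置"

``` 反弹shell - critical: reverse-shell events, Linux and Windows. ```
``` Fixed: without parentheses the implicit AND binds tighter than OR, so index=hids applied only to event_type=bounce_shell and event_type=win_bounce_shell was searched in the default indexes; the same fix is applied to the backdoor_diagnose and malic_opera critical searches below. ```
index=hids (event_type=bounce_shell OR event_type=win_bounce_shell)
| eval time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table time, event_content
| rename time as " 时间 ", event_content as " 内容 "

``` Linux 本地提权 - critical: local privilege escalation, with the process tree for triage. ```
``` NOTE(review): this and the following searches format the field datatime instead of _time; confirm datatime is an extracted field of the HIDS syslog (if it is absent, the time column would be empty). ```
index=hids event_type=privilege_escalation
| eval time=strftime(datatime, "%Y-%m-%d %H:%M:%S")
| table time, event_content, detail_uname, detail_process_tree, group_name
| rename time as " 时间 ", event_content as " 内容 ", detail_uname as " 登录⽤户名 ", group_name as " 机房位置 "

``` 后门检测 - critical: backdoor detection, Linux and Windows; detail_ctime is overwritten with its formatted form, and file path plus sha256/md5 are kept for triage. ```
index=hids (event_type=backdoor_diagnose OR event_type=backdoor_diagnose_win)
| eval time=strftime(datatime, "%Y-%m-%d %H:%M:%S"), detail_ctime=strftime(detail_ctime, "%Y-%m-%d %H:%M:%S")
| table time, detail_ctime, event_content, detail_uname, detail_path, detail_sha256, detail_md5, group_name
| rename time as " 事件时间 ", event_content as " 内容 ", detail_ctime as " ⽂件创建时间 ", detail_path as " 路 径", detail_uname as " 登录⽤户名 ", group_name as " 机房位置 "

``` Web后门 - critical: webshell detection; same columns as the backdoor search. ```
index=hids event_type=webshell
| eval time=strftime(datatime, "%Y-%m-%d %H:%M:%S"), detail_ctime=strftime(detail_ctime, "%Y-%m-%d %H:%M:%S")
| table time, detail_ctime, event_content, detail_uname, detail_path, detail_sha256, detail_md5, group_name
| rename time as " 事件时间 ", event_content as " 内容 ", detail_ctime as " ⽂件创建时间 ", detail_path as " 路 径", detail_uname as " 登录⽤户名 ", group_name as " 机房位置 "

``` Linux 可疑操作 (presumably the "- error" tier): malic_opera events except the three high-risk rule names handled by the critical search below. ```
``` Fixed: the original rename was missing the comma before group_name (also in the critical search below). ```
``` NOTE(review): field!=value does not match events in which the field is absent; if a malic_opera event can lack detail_hit_rule_names it is dropped here — NOT detail_hit_rule_names="..." would keep it. ```
index=hids event_type="malic_opera" detail_hit_rule_names!="dubbo ⾼危命令 " AND detail_hit_rule_names!=" ⾼危命令告警 " AND detail_hit_rule_names!=" 信息收集 . 查看或修改 host key"
| eval time=strftime(datatime, "%Y-%m-%d %H:%M:%S")
| table time, event_content, detail_uname, detail_hit_rule_names, group_name
| rename time as " 事件时间 ", event_content as " 内容 ", detail_uname as " 登录⽤户 名", detail_hit_rule_names as " 匹配规则 ", group_name as " 机房位置 "

``` Linux 可疑操作 - critical: malic_opera events that hit one of the three high-risk rule names. ```
index=hids event_type="malic_opera" (detail_hit_rule_names="dubbo ⾼危命令 " OR detail_hit_rule_names=" ⾼危命令告警 " OR detail_hit_rule_names=" 信息收集 . 查看或修改 host key")
| eval time=strftime(datatime, "%Y-%m-%d %H:%M:%S")
| table time, event_content, detail_uname, detail_hit_rule_names, group_name
| rename time as " 事件时间 ", event_content as " 内容 ", detail_uname as " 登录⽤户 名", detail_hit_rule_names as " 匹配规则 ", group_name as " 机房位置 "

``` Remaining alert headings listed in the source; their searches are not in this extract: 动态蜜罐 / 动态蜜罐告警 - error / 动态蜜罐告警 - critical (单扫描IP,每分钟访问蜜罐端口大于十次打电话) / Web命令执行 – Linux & Windows / docker本地提权 - critical / docker暴力破解 / Docker暴力破解 - error. ```
``` 动态蜜罐告警: honeypot events. The extract is truncated mid-eval here; the fragment is kept as found. ```
``` NOTE(review): index="HIDS" differs in case from index=hids used by every other search; confirm it resolves to the same index. ```
index="HIDS" event_type=honeypot | eval time=strftime(_time, "%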

pdf文档 青藤云HIDS Splunk syslog
