Introduction
This article explains how to use different queries to speed up event analysis while investigating an event in the incident management panel.
Logsign Response Query
When a case is created in the event management panel, the findings related to the event are collected and processed automatically. In some cases the analysis needs data beyond the existing findings; there, log analysis can be carried out with Logsign Response's ready-made or custom queries.
The ready-made queries are as follows:

| Query | Description |
| --- | --- |
| Network Connection | Retrieves logs of network activity. |
| Process Termination Activities | Retrieves process actions (cmd.exe, powershell.exe, findstr.exe, etc.). |
| Dns Activities | Retrieves logs containing the domain names requested via DNS. |
| Registry Object Changes | Retrieves logs of registry changes. |
| Kerberos Authentication Requests | Retrieves Kerberos session logs. |
| Failed Logon Activities | Retrieves failed session logs. |
| Successful Logon Activities | Retrieves successful session logs. |
| Scheduler Task Activities | Retrieves logs of scheduled task activities. |
| Loaded Images Activities | Retrieves logs about injected or loaded DLL files (access or modification events). |
| Process Creations Activities | Retrieves logs about service activities. |
| File Creation Activities | Retrieves file creation logs. |
| File Deletion Activities | Retrieves file deletion logs. |
| Custom Query | Returns logs matching a query you write yourself. |
Let's explain this with an example case. In the case below, the MITRE ATT&CK T1059 scenario was observed to have been executed on a server, and traffic was directed towards the internet. When the alarm triggered, the traffic was blocked on the firewall, the associated user was disabled, and the user was removed from high-privilege groups via Logsign Security Automation.
When we check the findings, we see that the adminlgs user, the detected MITRE source, and the domain address it was trying to reach are all available.
Let's investigate the event more deeply with Logsign response queries.
Let's examine the network activities between the server and the external source it accessed with the following query.
From the returned logs we examined the start time of the first network activity, the ports used, and the destination IP addresses.
We can also check for a reverse (peer-to-server) connection.
We observed that there was no such connection within the 24-hour event window.
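The steps above (pull the server's network connections for the event window, read off the first activity time, ports and destinations, then check for a reverse connection from the external peer) can be reproduced offline. The following is an added example, not Logsign's own code or query syntax: it parses a few constructed key=value log lines and runs the same two checks over them. The hostnames, IP addresses, field names and timestamps are all invented for the illustration.

```python
"""
Added example (not Logsign's code): an offline stand-in for the
"Network Connection" ready-made query and the reverse-connection check.
The log format, field names and values are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample logs in a simple key=value format (assumption: this is
# not Logsign's real log schema). 10.0.5.21 is the server under
# investigation, 203.0.113.7 the external peer it reached.
SAMPLE_LOGS = """\
ts=2024-03-10T09:12:03 type=network_connection src=10.0.5.21 dst=203.0.113.7 dport=443 proto=tcp host=srv-app01 user=adminlgs
ts=2024-03-10T09:12:05 type=process_create host=srv-app01 user=adminlgs image=powershell.exe
ts=2024-03-10T09:13:40 type=network_connection src=10.0.5.21 dst=203.0.113.7 dport=8443 proto=tcp host=srv-app01 user=adminlgs
ts=2024-03-10T11:02:11 type=network_connection src=10.0.5.21 dst=198.51.100.4 dport=53 proto=udp host=srv-app01 user=SYSTEM
ts=2024-03-10T15:45:00 type=network_connection src=10.0.5.21 dst=203.0.113.7 dport=443 proto=tcp host=srv-app01 user=adminlgs
ts=2024-03-11T02:30:00 type=network_connection src=203.0.113.7 dst=10.0.5.21 dport=4444 proto=tcp host=srv-app01 user=adminlgs
"""


def parse_logs(text):
    """Parse key=value lines into dicts; 'ts' becomes a datetime, 'dport' an int."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        if "dport" in fields:
            fields["dport"] = int(fields["dport"])
        events.append(fields)
    return events


def in_window(ev, since, until):
    """True if the event falls inside the investigation window (inclusive)."""
    return since <= ev["ts"] <= until


def network_connections(events, src_ip, since, until):
    """Stand-in for the 'Network Connection' query, narrowed to connections
    initiated by src_ip inside the window."""
    return [ev for ev in events
            if ev["type"] == "network_connection"
            and ev["src"] == src_ip
            and in_window(ev, since, until)]


def summarize_outbound(conns):
    """The three things read off the result in the article: first activity
    time, ports used and destination IPs."""
    if not conns:
        return {"first_seen": None, "ports": [], "destinations": []}
    first = min(conns, key=lambda ev: ev["ts"])
    return {
        "first_seen": first["ts"].isoformat(),
        "ports": sorted({ev["dport"] for ev in conns}),
        "destinations": sorted({ev["dst"] for ev in conns}),
    }


def reverse_connections(events, server_ip, peer_ip, since, until):
    """Reverse-connection check: connections where the external peer is the
    initiator and the server is the destination, inside the window."""
    return [ev for ev in events
            if ev["type"] == "network_connection"
            and ev["src"] == peer_ip and ev["dst"] == server_ip
            and in_window(ev, since, until)]


def investigate(log_text, server_ip, peer_ip, start_iso, hours=24):
    """Run both checks for a window of `hours` starting at `start_iso`."""
    events = parse_logs(log_text)
    since = datetime.fromisoformat(start_iso)
    until = since + timedelta(hours=hours)
    outbound = network_connections(events, server_ip, since, until)
    reverse = reverse_connections(events, server_ip, peer_ip, since, until)
    return {
        "outbound": summarize_outbound(outbound),
        "reverse": [ev["ts"].isoformat() for ev in reverse],
    }


if __name__ == "__main__":
    result = investigate(SAMPLE_LOGS, "10.0.5.21", "203.0.113.7",
                         "2024-03-10T09:00:00")
    print("outbound summary:", result["outbound"])
    # In the article's case this list was empty; the constructed data
    # deliberately contains one peer-to-server connection so the check
    # has something to surface.
    print("reverse connections:", result["reverse"])
```

The window is passed explicitly so the same check can be re-run with the 24-hour event time the article uses or a narrower one; the reverse-connection match is on the peer being the initiator rather than on any traffic involving it, which is the distinction that makes it a separate check from the outbound query.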