Creating and Triggering New Respond Queries

Introduction

This article explains how to use the different Respond queries to speed up event analysis while investigating an event in the incident management panel.

Logsign Response Query

When a case is created in the event management panel, the findings related to the event are collected and processed automatically. In some cases the analysis needs data beyond the existing findings; for those cases you can run log analysis with Logsign Response's ready-made or custom queries.

The ready-made queries are as follows:

[Image: 1.png]

[Image: 2.png]

Network Connection

Retrieves logs of network activity.

Process Termination Activities

Retrieves process actions (cmd.exe, powershell.exe, findstr.exe, etc.).

Dns Activities

Retrieves logs containing the domain names requested over DNS.

Registry Object Changes

Retrieves logs of registry changes.

Kerberos Authentication Requests

Retrieves Kerberos session logs.

Failed Logon Activities

Retrieves failed session logs.

Successful Logon Activities

Retrieves successful session logs.

Scheduler Task Activities

Retrieves logs of scheduled task activities.

Loaded Images Activities

Retrieves logs about access to, or modification of, injected or loaded DLL files.

Process Creations Activities

Retrieves logs about service activities.

File Creation Activities

Retrieves the file creation logs.

File Deletion Activities

Retrieves file deletion logs.

Custom Query

Returns the logs matching a query you write yourself.


Let's illustrate this with an example case. In the case below, the T1059 MITRE scenario was observed running on a server, with traffic directed towards the internet. When the alarm was triggered, Logsign Security Automation blocked the traffic on the firewall, disabled the associated user, and removed that user from high-privilege groups.

[Image: 3.png]

[Image: 4.png]

When we check the findings, we see the adminlgs user, the detected MITRE technique, and the domain address the server was trying to reach.

[Image: 5.png]

Let's investigate the event more deeply with Logsign Response queries.

[Image: 6.png]

Let's examine the network activities between the server and the external source it accessed with the following query.

[Image: 7.png]

In the returned logs we examined the start time of the first network activity, the ports used, and the destination IP address.

[Image: 8.png]

[Image: 9.png]

We can also check for a reverse P2P connection.

[Image: 10.png]

We observed that there was no P2P connection within the 24-hour window around the event.

[Image: 11.png]
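The checks carried out above (first network activity time, ports used, destination IP, and the reverse P2P check over a 24-hour window) expressed in Python as an added example; this is not Logsign's own code, the record shape and field names are assumptions, and the log records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape a "Network Connection" respond query
# might return; the field names are assumptions, not Logsign's actual schema.
SAMPLE_LOGS = [
    {"time": "2024-01-10T09:15:02", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"time": "2024-01-10T09:14:55", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 8080},
    {"time": "2024-01-10T09:20:11", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.9", "dst_port": 53},
    {"time": "2024-01-10T10:02:30", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 443},
    # A later connection initiated by the external host, outside the 24-hour window.
    {"time": "2024-01-12T08:00:00", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "dst_port": 50505},
]


def _ts(record):
    """Parse the record's ISO-8601 timestamp."""
    return datetime.fromisoformat(record["time"])


def summarize_outbound(logs, server_ip, external_ip):
    """First-seen time, destination ports and record count for server -> external traffic."""
    matches = [r for r in logs if r["src_ip"] == server_ip and r["dst_ip"] == external_ip]
    if not matches:
        return None
    return {
        "first_seen": min(matches, key=_ts)["time"],
        "dst_ports": sorted({r["dst_port"] for r in matches}),
        "count": len(matches),
    }


def has_reverse_connection(logs, server_ip, external_ip, event_time, hours=24):
    """True if the external host opened a connection back to the server within
    `hours` after event_time (the reverse P2P check from the walkthrough)."""
    start = datetime.fromisoformat(event_time)
    end = start + timedelta(hours=hours)
    return any(
        r["src_ip"] == external_ip and r["dst_ip"] == server_ip and start <= _ts(r) <= end
        for r in logs
    )


if __name__ == "__main__":
    print(summarize_outbound(SAMPLE_LOGS, "10.0.0.5", "203.0.113.7"))
    print(has_reverse_connection(SAMPLE_LOGS, "10.0.0.5", "203.0.113.7", "2024-01-10T09:14:55"))
```

Widening the window (for example hours=72) picks up the later inbound record, which is why the time bound matters when reading the result.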
