Summary: This guide goes over searching the Huntress SIEM Logs
Please note it's not currently possible to use a NOT operator with a wildcard.
Basic Search Syntax
We leverage ES|QL for Huntress SIEM, and documentation is linked in the Huntress Portal. This documentation is not meant to be exhaustive, but is meant to provide some examples that may inspire your searches without becoming an expert in the ES|QL language.
The basic structure is as follows:
from logs | where [column_name] == [value]
Let’s look specifically for Event ID 4624, which is a successful account logon:
from logs | where event.code==4624
The default return time range is the previous hour, and you can expand that timeframe by modifying the “Time Range” field:
or by clicking the “Load logs older than {}” button at the bottom of the search results:
“Keep”
Keep is a command in ES|QL that allows you to specify the columns returned in your search results. Let’s say you want to find events for a specific user. This command will allow you to return that TargetUserName field from the Event Logs in your search, as shown below:
from logs | where winlog.event_data.TargetUserName == "john.doe" | keep event.code, winlog.event_data.TargetUserName
Since Huntress already knows the Agent hostname, you don’t necessarily need to include that field in your KEEP statement, because we’ll show the host where the event was collected from.
All fields from the <EventData> tag in the XML from the Event Logs are being extracted and placed under the winlog.event_data scope. This means, depending on the EventID, you can pull a variety of fields and have them returned in your results.
In the example below, we’re including the logon type to help identify any interactive logins that may have occurred by this particular user:
from logs | where winlog.event_data.TargetUserName == "john.doe"| keep event.code, winlog.event_data.TargetUserName, winlog.event_data.LogonType
Here we can see there was an interactive logon at 08:39 AM Eastern Time (as noted by the -04:00 at the end of the timestamp).
“Where”
This is the most basic of search commands. You can “chain” multiple where statements in order to do filtering with multiple criteria. Let’s take the above example, but instead of returning all the logs with John.Doe as the user, let’s “filter” for successful logons instead of just showing all the events containing his name:
from logs | where winlog.event_data.TargetUserName == "john.doe" | where event.code == 4624| keep event.code, winlog.event_data.TargetUserName, winlog.event_data.LogonType
Notice the second | where statement, which indicates we’re adding an additional field. Huntress takes these multiple where statements and combines them (similar to how you would use AND in other tools), filtering results to see just the ones that match all the criteria:
Let’s go one step further, because John Doe seems to log on a lot. Let’s find just interactive sessions, because that means they are directly logging into a machine which is more relevant for our search:
from logs | where winlog.event_data.TargetUserName == "john.doe" | where event.code == 4624 | where winlog.event_data.LogonType == "2" | keep event.code, winlog.event_data.TargetUserName, winlog.event_data.LogonType
That’s more like it:
Available Fields
Due to Event Logs providing different data based on the type, the field may vary. However, you can click on “View” for any event and see what fields are available as ECS fields as well as the raw data. This can help you determine which fields you want to have visible as well as provide you with the raw data should you need it. See below for an example:
Note: make sure for any where statements in your search that you use double-quotes for values you are searching for. This is especially important in the winlog.event_data scope, as the values are converted to strings in the ECS data that you are querying.
Syslog Events
Huntress is currently building parsers for a variety of firewall devices, which is required due to the lack of a standard message format. Once those have been built, you will see the event.provider available for those messages and have fields available for searching.
Example Queries
To show only syslog messages, you can use the following query:
from logs | where event.capability == "syslog"
Comments
0 comments
Article is closed for comments.