Skip to content

Commit

Permalink
FIX: Hunt query for HTTP EXE downloads should work for both Zeek and …
Browse files Browse the repository at this point in the history 
…Suricata #3753
  • Loading branch information
@dougburks
dougburks committed Apr 5, 2021
1 parent 5898939 commit 8ca0626
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion salt/soc/files/soc/hunt.queries.json
View file
Expand Up @@ -34,7 +34,7 @@
{ "name": "HTTP", "description": "HTTP grouped by status code and message", "query": "event.dataset:http | groupby http.status_code http.status_message"},
{ "name": "HTTP", "description": "HTTP grouped by method and user agent", "query": "event.dataset:http | groupby http.method http.useragent"},
{ "name": "HTTP", "description": "HTTP grouped by virtual host", "query": "event.dataset:http | groupby http.virtual_host"},
{ "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.dataset:http AND file.resp_mime_types:dosexec | groupby http.virtual_host"},
{ "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host"},
{ "name": "Intel", "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator.keyword"},
{ "name": "IRC", "description": "IRC grouped by command", "query": "event.dataset:irc | groupby irc.command.type"},
{ "name": "KERBEROS", "description": "KERBEROS grouped by service", "query": "event.dataset:kerberos | groupby kerberos.service"},
Expand Down

0 comments on commit 8ca0626

Please sign in to comment.