Analysis and Source Tracing
After the exercise, perform source-tracing analysis of the important attack or defense outcomes of the offense-defense process, sort out the problems it exposed (security capability risks, gaps in the emergency response procedure, weak security awareness, and so on), and produce a review report.
The security analysis capability provides query and statistics functions over raw log data, so source-tracing analysis can be performed directly on the raw data.
Analysis and Source Tracing
Common query statements
Requirement | Pipeline | Query statement
---|---|---
Access from a given IP | sec-waf-access | `(x_forwarded_for='x.x.x.x' or remote_ip='x.x.x.x') and response_code='200' \| select x_forwarded_for,remote_ip,http_host,url,response_code`
Access to URLs matching a keyword | sec-waf-access | `url like '*actuator*' and response_code='200' \| select *,count(x_forwarded_for) as num group by x_forwarded_for,remote_ip,http_host,url`
Top source IPs for a given domain | sec-waf-attack | `http_host=MATCH_QUERY('www.xx.com') \| select *,count(remote_ip) as num group by http_host,remote_ip`
Attacks from a given IP | sec-waf-attack | `sip='x.x.x.x' and not attack='custom_whiteblackip' and not attack='custom_custom' \| select attack,sip,http_host,uri,hit_data,status`
Attacks against a given domain | sec-waf-attack | `http_host='www.aa.com' and not attack='custom_whiteblackip' and not attack='custom_custom' and not attack='robot' \| select attack,sip,http_host,uri,hit_data,status`
Commands executed on a given host | sec-hss-log | `(dest_asset.name='aa' or ipList='x.x.x.x') and alarmKey='proc_report_2' \| select dest_asset.name,ipList,appendInfo.cmdline,appendInfo.path`
Logins to a given host | sec-hss-log | `alarmKey like 'login_check_*' and ipList='x.x.x.x' \| select ipList,appendInfo.service_type,appendInfo.service_port,appendInfo.login_ip,hostIp`
Alarms for a given host | sec-hss-alarm | `(dest_asset.name='hostname' or ipList='x.x.x.x') \| select dest_asset.name,ipList,appendInfo.event_name,appendInfo.file_info,appendInfo.process_info`
Logins to a given host | sec-hss-alarm | `appendInfo.event_type=4007 and (ipList='x.x.x.x' or appendInfo.forensic_info.login_ip='x.x.x.x') \| select appendInfo.forensic_info.login_ip,appendInfo.forensic_info.service_type,appendInfo.forensic_info.user_name,appendInfo.event_name,ipList`
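To make the filter / select / group-by semantics of the two WAF access-log queries checkable offline, here is an added Python example (not SecMaster's own code) that replays them over constructed sample records. It also shows why the `or`/`and` condition in the IP access query needs explicit parentheses: without them, `a or b and c` is evaluated as `a or (b and c)`, so the `response_code='200'` restriction silently stops applying to the `x_forwarded_for` branch.

```python
from collections import Counter
from fnmatch import fnmatch

# Constructed sample of sec-waf-access records (not real traffic).
RECORDS = [
    {"x_forwarded_for": "203.0.113.7", "remote_ip": "10.0.0.1",
     "http_host": "www.aa.com", "url": "/actuator/env", "response_code": "200"},
    {"x_forwarded_for": "203.0.113.7", "remote_ip": "10.0.0.1",
     "http_host": "www.aa.com", "url": "/actuator/env", "response_code": "200"},
    {"x_forwarded_for": "203.0.113.7", "remote_ip": "10.0.0.1",
     "http_host": "www.aa.com", "url": "/actuator/health", "response_code": "404"},
    {"x_forwarded_for": "198.51.100.9", "remote_ip": "10.0.0.2",
     "http_host": "www.aa.com", "url": "/actuator/env", "response_code": "200"},
    {"x_forwarded_for": "", "remote_ip": "203.0.113.7",
     "http_host": "www.bb.com", "url": "/index.html", "response_code": "200"},
]


def ip_access(records, ip):
    """Access-from-IP query with explicit parentheses: the IP may appear in
    either header, and the response must be 200 in both cases."""
    return [r for r in records
            if (r["x_forwarded_for"] == ip or r["remote_ip"] == ip)
            and r["response_code"] == "200"]


def ip_access_unparenthesised(records, ip):
    """Same condition without parentheses: AND binds tighter than OR, so a
    matching x_forwarded_for is returned regardless of response_code."""
    return [r for r in records
            if r["x_forwarded_for"] == ip
            or (r["remote_ip"] == ip and r["response_code"] == "200")]


def url_keyword_hits(records, pattern="*actuator*"):
    """URL-keyword query: count 200 responses per
    (x_forwarded_for, remote_ip, http_host, url) group, like the
    count(...) ... group by clause."""
    counts = Counter()
    for r in records:
        if fnmatch(r["url"], pattern) and r["response_code"] == "200":
            key = (r["x_forwarded_for"], r["remote_ip"], r["http_host"], r["url"])
            counts[key] += 1
    return counts
```

Running `ip_access` and `ip_access_unparenthesised` against the same IP returns 3 and 4 records respectively; the extra one is the 404 hit that the unparenthesised form lets through.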