{ "name": "Brimcap", "items": [ { "name": "Activity Overview", "value": "count() by _path | sort -r", "description": "Shows a list of all Zeek streams in the data set, with a count of associated records" }, { "name": "Unique DNS Queries", "value": "_path==\"dns\" | count() by query | sort -r", "description": "Shows all unique DNS queries in the data set with count" }, { "name": "Top Domains", "value": "_path==\"dns\" | count() by domain:=join(split(query,\".\")[-2:],\".\") | sort -r", "description": "Displays the domains appearing most frequently in DNS queries" }, { "name": "Windows Networking Activity", "value": "grep(smb*,_path) OR _path==\"dce_rpc\"", "description": "Filters and displays smb_files, smb_mapping and DCE_RPC activity" }, { "name": "HTTP Requests", "value": "_path==\"http\" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c", "description": "Displays a list of the count of unique HTTP requests including source and destination" }, { "name": "Unique Network Connections", "value": "_path==\"conn\" | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq", "description": "Displays a table showing all unique source:port:destination connections pairings" }, { "name": "Connection Received Data", "value": "_path==\"conn\" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes", "description": "Shows the connections between hosts, sorted by data received" }, { "name": "File Activity", "value": "filename!=null | cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1", "description": "Displays a curated view of file data including md5 and sha1 for complete file transfers" }, { "name": "HTTP Post Requests", "value": "method==\"POST\" | cut ts, uid, id, method, uri, status_code", "description": "Displays all HTTP Post requests including the URI and HTTP status code" }, { "name": "Show IP Subnets", "value": "_path==\"conn\" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r", "description": "Enumerates the classful networks for all destination IP addresses including count of connections" }, { "name": "Suricata Alerts by Severity and Category", "value": "event_type==\"alert\" | count() by alert.severity,alert.category | sort count", "description": "Shows all Suricata alert counts, grouped by category and severity" }, { "name": "Suricata Alerts by Signature", "value": "event_type==\"alert\" | count() by alert.signature | sort count", "description": "Shows all Suricata alert counts, grouped by signature" }, { "name": "Suricata Alert Categories by Source and Destination", "value": "event_type==\"alert\" | alerts := union(alert.category) by src_ip, dest_ip", "description": "Shows a list of Suricata alert categories, grouped by unique source and destination IP addresses" }, { "name": "Suricata Alert Signatures by Source and Destination", "value": "event_type==\"alert\" | alerts := union(alert.signature) by src_ip, dest_ip", "description": "Shows a list of Suricata alert signatures, grouped by unique source and destination IP addresses" }, { "name": "Suricata Alert Categories by Subnet", "value": "event_type==\"alert\" | alerts := union(alert.category) by network_of(dest_ip)", "description": "Shows a list of Suricata alert categories, grouped by CIDR network" }, { "name": "Suricata Alert Signatures by Subnet", "value": "event_type==\"alert\" | alerts := union(alert.signature) by network_of(dest_ip)", "description": "Shows a list of Suricata alert signatures, grouped by CIDR network" } ] }