APT

Suricata signatures

earliest=0 index=botsv1 imreallynotbatman.com src=40.80.148.42 sourcetype=suricata
| stats count by signature
| eventstats sum(count) as total | eval percent=round(count*100/total,2)
| sort -count
# or just | top signature

Source IPs

earliest=0 index=botsv1 imreallynotbatman.com sourcetype=stream*
| stats count by src_ip
| sort -count

Scanner (user agent)

earliest=0 index=botsv1 src=40.80.148.42 sourcetype=stream:http 
| stats count by http_user_agent
| sort -count

Scanner (headers)

earliest=0 index=botsv1 src=40.80.148.42 sourcetype=stream:http 
| stats count by src_headers
| sort -count

Target

earliest=0 index=botsv1 src=40.80.148.42 sourcetype=stream:http
| stats count by dest_ip

CMS

earliest=0 index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70"
| top limit=5 uri
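The six queries above are one chained triage: find the loudest source, look at which Suricata signatures it triggered, which user agents and headers it sent, which host it hit, and which URIs on that host reveal the CMS. The block below is an added example (not from the original notes or the BOTS dataset) that re-implements that chain in plain Python over constructed sample events, so the `stats count by ... | eventstats sum(count) | eval percent` arithmetic and the `top` behaviour can be seen outside Splunk. All IPs, user agents, URIs and signature names in it are made up; only the field names follow the SPL queries.

```python
"""Plain-Python re-implementation of the SPL triage chain in the notes above.
All events here are constructed stand-ins for index=botsv1, not real data."""
from collections import Counter

# Constructed stream:http-style records (fields: src_ip, dest_ip, http_user_agent, uri).
SCANNER, CLIENT, OTHER = "40.80.148.42", "192.168.2.50", "10.0.0.9"   # constructed roles
TARGET = "192.168.250.70"                                              # constructed target
HTTP_EVENTS = [
    {"src_ip": SCANNER, "dest_ip": TARGET, "http_user_agent": "CONSTRUCTED-scanner/1.0", "uri": "/"},
    {"src_ip": SCANNER, "dest_ip": TARGET, "http_user_agent": "CONSTRUCTED-scanner/1.0", "uri": "/admin/"},
    {"src_ip": SCANNER, "dest_ip": TARGET, "http_user_agent": "CONSTRUCTED-scanner/1.0", "uri": "/robots.txt"},
    {"src_ip": SCANNER, "dest_ip": TARGET, "http_user_agent": "CONSTRUCTED-scanner/1.0", "uri": "/login.php"},
    {"src_ip": SCANNER, "dest_ip": TARGET, "http_user_agent": "CONSTRUCTED-scanner/1.0", "uri": "/login.php"},
    {"src_ip": SCANNER, "dest_ip": TARGET, "http_user_agent": "Mozilla/5.0 (constructed)", "uri": "/login.php"},
    {"src_ip": CLIENT,  "dest_ip": TARGET, "http_user_agent": "Mozilla/5.0 (constructed)", "uri": "/"},
    {"src_ip": CLIENT,  "dest_ip": TARGET, "http_user_agent": "Mozilla/5.0 (constructed)", "uri": "/about"},
    {"src_ip": OTHER,   "dest_ip": "192.168.250.40", "http_user_agent": "curl (constructed)", "uri": "/"},
]

# Constructed suricata-style alert records (fields: src, signature).
SURICATA_ALERTS = [
    {"src": SCANNER, "signature": "CONSTRUCTED-sig-A"},
    {"src": SCANNER, "signature": "CONSTRUCTED-sig-A"},
    {"src": SCANNER, "signature": "CONSTRUCTED-sig-A"},
    {"src": SCANNER, "signature": "CONSTRUCTED-sig-B"},
    {"src": OTHER,   "signature": "CONSTRUCTED-sig-C"},
]


def count_by(events, field, **where):
    """Equivalent of `<where filters> | stats count by <field> | sort -count`.

    Returns [(value, count), ...] sorted by count descending; ties keep
    first-seen order, like Counter.most_common."""
    matching = (e for e in events if all(e.get(k) == v for k, v in where.items()))
    return Counter(e[field] for e in matching).most_common()


def signature_breakdown(alerts, src):
    """'Suricata signatures' query: count by signature plus each signature's share
    of the total (eventstats sum(count) as total | eval percent=round(...,2))."""
    rows = count_by(alerts, "signature", src=src)
    total = sum(n for _, n in rows)
    if total == 0:                      # no alerts for this source: avoid dividing by zero
        return []
    return [(sig, n, round(n * 100 / total, 2)) for sig, n in rows]


def top_source_ips(http):
    """'Source IPs' query: who sent the most requests."""
    return count_by(http, "src_ip")


def scanner_user_agents(http, src):
    """'Scanner (user agent)' query for one source address."""
    return count_by(http, "http_user_agent", src_ip=src)


def scanner_targets(http, src):
    """'Target' query: which dest_ip the source was hitting."""
    return count_by(http, "dest_ip", src_ip=src)


def top_uris(http, dest, limit=5):
    """'CMS' query: `| top limit=5 uri` for requests to one destination."""
    return count_by(http, "uri", dest_ip=dest)[:limit]


def triage(http, alerts):
    """Chain the steps the way the notes do: loudest source -> its signatures,
    user agents and target -> the target's most requested URIs."""
    src, _ = top_source_ips(http)[0]
    dest, _ = scanner_targets(http, src)[0]
    return {
        "src": src,
        "signatures": signature_breakdown(alerts, src),
        "user_agents": scanner_user_agents(http, src),
        "dest": dest,
        "uris": top_uris(http, dest),
    }


if __name__ == "__main__":
    for key, value in triage(HTTP_EVENTS, SURICATA_ALERTS).items():
        print(f"{key}: {value}")
```

The SPL `eventstats sum(count)` step is what turns per-signature counts into a share of the total; the Python keeps the same two-step shape (count, then divide by the sum) and adds the one guard the SPL does not need, a source with no alerts, which would otherwise divide by zero.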
