Blue Team Field Notes · DFIR · SOC · Vulnerability Management
Elastic Security

KQL and ES|QL

ECS ingestion, KQL/ES|QL queries, detection rules, and investigations in Kibana.

KQL

# PowerShell process
process.name : "powershell.exe"

# Encoded command
# Caveat: powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -en, ...),
# which *-enc* does not match, and *-enc* also matches the benign -Encoding switch.
# ECS maps process.command_line as a wildcard field, so check whether the match is
# case-sensitive on your mapping before relying on this in a rule.
process.name : "powershell.exe" and process.command_line : (*-enc* or *EncodedCommand*)

# Outbound connections leaving private address space
# destination.ip must be mapped as type ip for the CIDR terms to work; loopback and
# link-local ranges are not excluded here.
network.direction : outbound and not destination.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)

# Windows event ID (failed logon, Security channel)
event.code : "4625" and winlog.channel : "Security"

ES|QL

Authentication failures

// Security channel events shipped by the Elastic Agent System integration land in
// logs-system.security-*; add that pattern if that is how 4625 reaches the cluster.
FROM logs-windows.*
| WHERE event.code == "4625"
| STATS failures = COUNT(*), hosts = COUNT_DISTINCT(host.name)
  BY user.name, source.ip
| WHERE failures >= 10
| SORT failures DESC
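Grouping by `user.name, source.ip` catches a brute force against one account but not a password spray, where one source tries each of many accounts once and never reaches ten failures per pair; the ES|QL for that case is the same query with `STATS users = COUNT_DISTINCT(user.name) BY source.ip | WHERE users >= 10`. The Python below is an added example, not code from this page or from Elastic: it reproduces both aggregations over a constructed set of ECS-style 4625/4624 events so the difference is visible on data. The events, IPs, user names and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict


def _failure(user, src):
    """Constructed ECS-style 4625 event (not real telemetry)."""
    return {"event": {"code": "4625"}, "host": {"name": "dc01"},
            "user": {"name": user}, "source": {"ip": src}}


# Constructed sample: 12 failures on one account from one IP (brute force),
# one failure each on 15 accounts from another IP (spray), plus a success.
SAMPLE_EVENTS = (
    [_failure("j.doe", "10.10.5.23") for _ in range(12)]
    + [_failure(f"user{i:02d}", "203.0.113.7") for i in range(15)]
    + [{"event": {"code": "4624"}, "host": {"name": "dc01"},
        "user": {"name": "j.doe"}, "source": {"ip": "10.10.5.23"}}]
)


def brute_force(events, threshold=10):
    """Same grouping as the ES|QL query: failures per (user.name, source.ip)."""
    failures = Counter()
    hosts = defaultdict(set)
    for ev in events:
        if ev["event"]["code"] != "4625":
            continue
        key = (ev["user"]["name"], ev["source"]["ip"])
        failures[key] += 1
        hosts[key].add(ev["host"]["name"])
    rows = [{"user.name": u, "source.ip": s, "failures": n, "hosts": len(hosts[(u, s)])}
            for (u, s), n in failures.items() if n >= threshold]
    return sorted(rows, key=lambda r: r["failures"], reverse=True)


def password_spray(events, min_users=10):
    """Complementary grouping: distinct failed user names per source.ip."""
    users = defaultdict(set)
    for ev in events:
        if ev["event"]["code"] == "4625":
            users[ev["source"]["ip"]].add(ev["user"]["name"])
    rows = [{"source.ip": ip, "users": len(u)} for ip, u in users.items() if len(u) >= min_users]
    return sorted(rows, key=lambda r: r["users"], reverse=True)


if __name__ == "__main__":
    print("brute force:", brute_force(SAMPLE_EVENTS))
    print("spray:", password_spray(SAMPLE_EVENTS))
```

On the sample, `brute_force` returns only the `j.doe`/`10.10.5.23` pair and `password_spray` returns only `203.0.113.7`; neither query alone covers both patterns, so a rule set needs one of each.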

Rare processes

// Bound the window with the Kibana time picker or a WHERE on @timestamp; rarity over
// an unbounded history says little. Elastic Defend writes a single value to event.type;
// if your source writes an array, insert "| MV_EXPAND event.type" before the WHERE,
// since an ES|QL comparison against a multi-valued field returns null.
FROM logs-endpoint.events.process-*
| WHERE event.category == "process" and event.type == "start"
| STATS executions = COUNT(*), host_count = COUNT_DISTINCT(host.name)
  BY process.executable
| WHERE executions < 5 and host_count <= 2
| SORT executions ASC

Network volume

FROM logs-network_traffic.*
| STATS bytes_out = SUM(source.bytes), events = COUNT(*)
  BY source.ip, destination.domain
| SORT bytes_out DESC
| LIMIT 50

Best practices

Official references