Community Feedback - Searches


(Taylor) #1

What are the top 5 searches you have automated or would like to automate in Graylog?

Please share your thoughts below :slight_smile:


#2

What do you mean by “automating searches”?


(Jan Doberstein) #3

@jtkarvo that could be every “saved search” or search that you do at least once a day. Like you search for the browser agents in your web server log files and build quick values from that.


#4
  • Security-focused searches, like looking for people trying to send tags, or SQL queries. Then if I find anything, I then look for all the traffic from that person.
  • 200’s/404’s over time
  • java exceptions
  • PHP fatal errors
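
The two-step workflow in post #4 (first search for requests carrying HTML tags or SQL fragments, then pivot to all traffic from the matching source IP) and the 200s/404s count can be expressed as a small scripted check. The following is an added example written for this thread, not code from any poster or from Graylog; the log lines are constructed in Apache combined format, and the tag and SQL patterns are deliberately simple illustrations, not a complete detection rule set.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:56:01 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /login.php?user=admin'%20OR%20'1'='1 HTTP/1.1" 200 734 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:57:12 +0000] "GET /missing HTTP/1.1" 404 210 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative indicators only: an HTML tag in the request, or a few common SQL fragments.
TAG_RE = re.compile(r'<\s*/?\s*[a-zA-Z][^>]*>')
SQLI_RE = re.compile(r"(\'\s*(or|and)\s*\')|union\s+select|;\s*drop\s+table|--\s*$", re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode percent-encoding so an encoded payload is visible to the pattern checks.
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def classify(rec):
    """Label a parsed record as 'tag', 'sqli', or None when nothing matched."""
    p = rec["decoded_path"]
    if TAG_RE.search(p):
        return "tag"
    if SQLI_RE.search(p):
        return "sqli"
    return None


def find_suspicious_ips(log_text):
    """First search: which source IPs sent requests that look like tag or SQL injection?"""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits[rec["ip"]].append((label, rec["decoded_path"]))
    return dict(hits)


def pivot_by_ip(log_text, ip):
    """Second search: every request from one source IP, in log order."""
    return [rec for rec in map(parse_line, log_text.splitlines()) if rec and rec["ip"] == ip]


def status_counts(log_text):
    """Count of each HTTP status code, the 200s/404s view from the post."""
    counts = defaultdict(int)
    for rec in map(parse_line, log_text.splitlines()):
        if rec:
            counts[rec["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, hits in find_suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {len(hits)} suspicious request(s)")
        for label, path in hits:
            print(f"  [{label}] {path}")
        print(f"  all traffic from {ip}:")
        for rec in pivot_by_ip(SAMPLE_LOG, ip):
            print(f"    {rec['ts']} {rec['method']} {rec['decoded_path']} -> {rec['status']}")
    print("status counts:", status_counts(SAMPLE_LOG))
```

Decoding the path before matching is the part worth keeping: the tag payload in the sample arrives percent-encoded, and a pattern run on the raw line would miss it. In Graylog the equivalent would be a saved search on the request field feeding a second search filtered on the source address.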

(Sachin) #5
  1. WebServer
    Top IPs with # of hits

  2. OS
    Top IPs/users with failed login attempts
    Top ports accessed

  3. Network Device
    Top SNMP Traps received


(Nick Siakotos) #6
  1. Failed logins by IP, Computer, User from AD and Exchange, ADFS
  2. VDI Session Usage
  3. Web Browser type, codes
  4. Source IP Maps
  5. Exchange Message Tracking top senders, recipients

(Johan THOMAS) #7
  1. WebServer and proxy (apache & Squid, top web sites, denied, httpd_status, duration_usec, …)
  2. Mail infrastructure (Postfix, Cyrus)
  3. Identity: openldap & AD & workflow rules (users, groups, workstations, audit, etc)
  4. Freeradius (Top users, etc)
  5. Network Device & DHCP/DNS servers

I would really like to automate a way to correlate all IPs that are involved in an access denied, or too much access in the last day/week with common threat intelligence DB (hopefully can do this soon with the threat intelligence plugin)
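
The correlation described in post #7 (source IPs seen in access-denied or failed-login events over the last day or week, matched against a threat-intelligence list) can be sketched in a few functions. This is an added example for the thread, not code from the poster or from the Graylog threat-intelligence plugin; the sshd-style auth lines, the reference time, and the feed contents are all constructed, and a real deployment would replace the feed dictionary with the plugin's lookup table.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sshd-style auth lines with ISO timestamps (not from any real host).
SAMPLE_AUTH = """\
2023-10-10T08:01:02Z host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.50 port 50122 ssh2
2023-10-10T08:01:05Z host1 sshd[2102]: Failed password for root from 203.0.113.50 port 50130 ssh2
2023-10-10T08:02:10Z host1 sshd[2110]: Accepted publickey for alice from 192.0.2.10 port 41000 ssh2
2023-10-10T09:15:00Z host2 sshd[3300]: Failed password for bob from 198.51.100.9 port 52000 ssh2
2023-10-05T07:00:00Z host2 sshd[1200]: Failed password for root from 192.0.2.77 port 40000 ssh2
"""

# Constructed threat-intelligence feed: IP -> source tag. Stands in for the plugin's lookup table.
THREAT_FEED = {
    "203.0.113.50": "constructed-feed:bruteforcer",
    "192.0.2.77": "constructed-feed:scanner",
}

# Fixed "now" so the day/week windows in the example are reproducible.
NOW = datetime(2023, 10, 10, 12, 0, 0)

AUTH_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port'
)


def parse_auth_line(line):
    """Return a dict with ts, host, outcome, user, ip for one auth line, or None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def denied_ips_in_window(log_text, now, days):
    """Count failed logins per source IP within the last `days` days ending at `now`."""
    start = now - timedelta(days=days)
    counts = Counter()
    for rec in map(parse_auth_line, log_text.splitlines()):
        if rec and rec["outcome"] == "Failed" and start <= rec["ts"] <= now:
            counts[rec["ip"]] += 1
    return counts


def correlate(counts, feed, min_failures=1):
    """IPs with at least `min_failures` failed logins that also appear in the feed."""
    return {ip: (n, feed[ip]) for ip, n in counts.items() if n >= min_failures and ip in feed}


def report(log_text, feed, now, days):
    """Top offenders in the window, each annotated with its feed tag when present."""
    counts = denied_ips_in_window(log_text, now, days)
    return [(ip, n, feed.get(ip)) for ip, n in counts.most_common()]


if __name__ == "__main__":
    for days in (1, 7):
        print(f"--- last {days} day(s) ---")
        for ip, n, tag in report(SAMPLE_AUTH, THREAT_FEED, NOW, days):
            print(f"{ip}: {n} failed login(s)" + (f"  [{tag}]" if tag else ""))
        print("matches:", correlate(denied_ips_in_window(SAMPLE_AUTH, NOW, days), THREAT_FEED))
```

The day and week windows give different answers on the sample: the older scanner entry only surfaces in the weekly view, which is the reason the post asks for both ranges.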