How To: ArcSight Recon Threat Hunting Searches


November 12, 2021

Below are threat hunting searches that can be used in ArcSight Recon. The MITRE ATT&CK searches are Logger searches taken from the MITRE ATTACK Package for ArcSight Logger on the ArcSight Marketplace. They run in ArcSight Recon against base events from SmartConnectors and do not rely on correlation events from ArcSight ESM. For environments that feed ESM correlation events into Recon, the last search shows all MITRE ATT&CK activity that the ESM real-time engine has detected. All of these can be used in Recon searches, saved searches, and reporting.

MITRE ATT&CK-T1083-File and Directory Discovery
categoryTechnique="/Information Leak/Directory Traversal"

MITRE ATT&CK-T1046-Network Service Scanning
categoryTechnique startswith "/Scan" and Source Hostname is not null

MITRE ATT&CK-T1498-Network Denial of Service
categoryBehavior startswith "/Communicate" and ( name contains "DoS" or categoryTechnique="/DoS" or categoryObject="/Host/Application/Malware/DoS Client" )

MITRE ATT&CK-T1571-Non-Standard Port
destinationPort is not null and ( categoryBehavior startswith "/Communicate" or categoryBehavior="/Execute/Query" ) and destinationPort > 1023

MITRE ATT&CK-T1059-Command and Scripting Interpreter
categoryTechnique="/Code/Shell Command" or ( (categoryTechnique in "/scanner/device/vulnerability" , "/Code/Application Command" or deviceProduct=Snort) and (name contains "shell" or name contains "Shell" )) or (deviceProduct=UnityOne and name contains "Command Shell") or (deviceProduct=Qualys and name contains "Shell Command Execution")

MITRE ATT&CK-T1543.003-Create or Modify System Process: Windows Service
deviceProduct="Microsoft Windows" and ( deviceEventClassId = "Microsoft-Windows-Security-Auditing:4697" or deviceEventClassId = "Service Control Manager:7045" )

MITRE ATT&CK-T1074-Data Staged
filePath is not null and ( filePath contains "AppData\\Local\\" or filePath contains "\\AppData\\Roaming" or filePath contains "\\Temp\\" ) and ( deviceEventClassId = "Microsoft-Windows-Sysmon:11" or deviceEventClassId = "Microsoft-Windows-Sysmon:15" )
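
The two Windows searches above (T1543.003 and T1074) expressed as predicates over raw CEF lines, so the logic can be checked offline before it is saved in Recon. This is an added example, not code from the page or from the Logger package; the CEF events and the parse_cef helper are constructed here, and string matching is treated as case-sensitive.

```python
import re

# Constructed sample CEF events, in the shape a Windows SmartConnector emits (not real data).
# Backslashes inside CEF extension values are escaped as "\\", hence the doubled backslashes.
SAMPLE_EVENTS = [
    r"CEF:0|Microsoft|Microsoft Windows|1.0|Microsoft-Windows-Security-Auditing:4697|A service was installed in the system|5|dhost=ws01 duser=alice",
    r"CEF:0|Microsoft|Microsoft Windows|1.0|Service Control Manager:7045|A service was installed|5|dhost=ws02",
    r"CEF:0|Microsoft|Microsoft Windows|1.0|Microsoft-Windows-Sysmon:11|FileCreate|3|filePath=C:\\Users\\bob\\AppData\\Local\\stage.zip",
    r"CEF:0|Microsoft|Microsoft Windows|1.0|Microsoft-Windows-Sysmon:1|Process Create|3|filePath=C:\\Windows\\notepad.exe",
]

HEADER_FIELDS = ("deviceVendor", "deviceProduct", "deviceVersion", "deviceEventClassId", "name", "deviceSeverity")

def _unescape(value):
    # CEF escapes "|", "=" and "\" with a leading backslash; drop the escape character
    return re.sub(r"\\(.)", r"\1", value)

def parse_cef(line):
    """Parse one CEF line into a dict keyed by ArcSight field names (constructed minimal parser)."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[1:7])))
    # extension: "key=value key=value"; values may contain spaces, so split only before "key="
    for part in re.split(r"\s+(?=\w+=)", parts[7]):
        key, _, value = part.partition("=")
        if key:
            event[key] = _unescape(value)
    return event

def t1543_003_windows_service(ev):
    # MITRE ATT&CK-T1543.003: service installation events from the Windows connector
    return ev.get("deviceProduct") == "Microsoft Windows" and ev.get("deviceEventClassId") in (
        "Microsoft-Windows-Security-Auditing:4697", "Service Control Manager:7045")

STAGING_PATHS = ("AppData\\Local\\", "\\AppData\\Roaming", "\\Temp\\")

def t1074_data_staged(ev):
    # MITRE ATT&CK-T1074: Sysmon file create (11) / stream create (15) under staging directories
    path = ev.get("filePath")
    if path is None:
        return False
    return ev.get("deviceEventClassId") in ("Microsoft-Windows-Sysmon:11", "Microsoft-Windows-Sysmon:15") \
        and any(p in path for p in STAGING_PATHS)

SEARCHES = {"T1543.003": t1543_003_windows_service, "T1074": t1074_data_staged}

def hunt(lines):
    """Return (technique id, deviceEventClassId) for every event a search matches."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        hits.extend((tid, ev["deviceEventClassId"]) for tid, pred in SEARCHES.items() if pred(ev))
    return hits
```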

Attacks and Suspicious Activity
categorySignificance = "/Hostile" OR categorySignificance = "/Compromise" or categorySignificance = "/Suspicious" or categoryTechnique Contains "/Code" or categoryTechnique = "/Exploit/Privilege Escalation" or categoryTechnique = "/Exploit/Vulnerability" or categoryTechnique = "/Exploit/Weak Configuration"

Malicious Code
categoryObject STARTSWITH "/Vector" OR categoryObject STARTSWITH "/Host/Infection" OR categoryObject STARTSWITH "/Host/Application/Malware" OR categoryTechnique STARTSWITH "/Code" OR categoryObject = "/Host/Application/DoS Client" OR categoryObject = "/Host/Application/Backdoor"

Malware Activity
( categoryObject STARTSWITH "/Vector" OR categoryObject STARTSWITH "/Host/Infection" OR categoryObject STARTSWITH "/Host/Application/Malware" OR categoryObject = "/Host/Application/DoS Client" OR categoryObject = "/Host/Application/Backdoor" OR categoryTechnique STARTSWITH "/Code" OR deviceCustomString1Label = "Virus Name" OR ( name STARTSWITH "Virus" and deviceProduct = "Sophos Anti-Virus" ) OR ( name STARTSWITH "Security risk found" and deviceProduct = "Endpoint Protection" ) OR ( deviceProduct = "SafeNet ProtectDB" and deviceCustomString1Label = "Virus Name" ) ) and deviceCustomString1 is not null

MITRE ATT&CK-Real-Time Correlation (Use the "All Fields" Fieldset)
Device Custom String 6 Label = "MITRE ID" and Device Custom String 6 Label is not null | rename Device Custom String 6 as "Technique ID" | rename name as "Real-Time Rule"
