As part of an insider threat investigation, you want to profile web activity to characterize some specific host activity.
1. To complete this process, your deployment needs to ingest web traffic. You should also ensure you are ingesting normalized data, populating the Web data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
2. Run the following search. You can optimize it by specifying an index and adjusting the time range.

```
|from datamodel Web.Web
|search src=<dest>
```

3. Update the second line of the search to reflect the source, rather than the destination, to gather more information, and rerun the search.
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Search part | Explanation |
|---|---|
| `\|from datamodel Web.Web` | Query the Web.Web data model object. |
| `\|search src=<dest>` | Search for web activity from a source. The required `<dest>` field is the remote host. |
This search returns all web traffic for the specified IP address. The results show URLs you can investigate to verify maliciousness.
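The search above lists raw events. To turn that list into a per-host profile (how many requests the host made, how many distinct URLs and destinations it touched, which destinations, and when the activity started and stopped), the following extended search is an added example, not part of the original procedure. It assumes the same CIM Web data model fields (`src`, `dest`, `url`, `user`) and uses a constructed placeholder address `10.0.0.25` in place of the host under investigation.

```spl
| from datamodel Web.Web
| search src=10.0.0.25
| stats count AS requests
        dc(url) AS distinct_urls
        dc(dest) AS distinct_dests
        values(dest) AS dests
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        BY src user
| convert ctime(first_seen) ctime(last_seen)
| sort -requests
```

Splitting the statistics by `user` as well as `src` separates activity from different accounts on a shared host, and `first_seen`/`last_seen` make it easy to compare the host's browsing window against the working hours expected for that user. Replace `10.0.0.25` with the address from the investigation and restrict the index and time range as in the original search to keep the query fast.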
For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.
You might also be interested in other processes associated with the Monitoring for signs of Windows privilege escalation attacks and Detecting techniques in the Orangeworm attack group use cases.