File Download Dashboard

[arisentow]

I'm trying to create a dashboard that depicts executable downloads with some detailed information. I've developed a query that gets me close, but I'd like to dig in a little further and find out what host process initiated the download (i.e. Firefox, Windows, APT, etc.) and the location where the file was downloaded to on the host. I think I'm running into issues because I'm trying to get data from different datasets and trying to correlate them at the same time.

This is the query that I've come up with so far. I know that it isn't narrowed down to executables at this time and would like to see what that should look like:

event.dataset:zeek.http OR zeek.file | groupby http.method | groupby file.extracted.filename file.source file.mime_type source_geo.organization_name destination.ip source.ip | groupby http.method file.resp_mime_types network.transport server.port client.port http.uri destination_geo.organization_name

[dougburks]

This is the query that I've come up with so far. I know that it isn't narrowed down to executables at this time and would like to see what that should look like:

How about something like this?

(event.dataset:zeek.http AND file.resp_mime_types:"application/x-dosexec") OR (zeek.file AND file.mime_type:"application/x-dosexec") | groupby http.method | groupby file.extracted.filename file.source file.mime_type source_geo.organization_name destination.ip source.ip | groupby http.method file.resp_mime_types network.transport server.port client.port http.uri destination_geo.organization_name

[sjnhawk]

I think that is a pretty good start. Thanks Doug!

The only issue that I ran into was that I can't use the quotes for "application/x-dosexec" for creating a dashboard and the query doesn't work without them. Query editor wouldn't take it. Works great when manually putting it into the search though.

[dougburks]

The only issue that I ran into was that I can't use the quotes for "application/x-dosexec" for creating a dashboard and the query doesn't work without them. Query editor wouldn't take it.

You can escape the quotes like this:
{"description":"Files - From Zeek http.log and files.log","name":"Files Escaping Quotes","query":"(event.dataset:zeek.http AND file.resp_mime_types:\"application/x-dosexec\") OR (zeek.file AND file.mime_type:\"application/x-dosexec\") | groupby http.method | groupby file.extracted.filename file.source file.mime_type source_geo.organization_name destination.ip source.ip | groupby http.method file.resp_mime_types network.transport server.port client.port http.uri destination_geo.organization_name"}

Another option is to rewrite the query to avoid using quotes in the first place:
{"description":"Files - From Zeek http.log and files.log","name":"Files Using Wildcard","query":"(event.dataset:zeek.http AND file.resp_mime_types:*x-dosexec) OR (zeek.file AND file.mime_type:*x-dosexec) | groupby http.method | groupby file.extracted.filename file.source file.mime_type source_geo.organization_name destination.ip source.ip | groupby http.method file.resp_mime_types network.transport server.port client.port http.uri destination_geo.organization_name"}

[sjnhawk]

Thanks Doug. The second option seems to be working well. Much appreciated.