On prem EDR Executive reports - botnet - how to find it?

Article ID: 281110

Products

Endpoint Security Complete

Issue/Introduction

The customer sees, in the Executive reports, a daily botnet behavior generated by endpoints in their environment.

Environment

EDR on prem

Resolution

In the EDR console, use the filter value 4124 AND exists:data_source_url_domain to search for the malicious traffic.

An alternative way to search for the same information is from the EDR CLI. The customer can run the following command as the root user and inspect the output JSON:

# Query the appliance's local Elasticsearch index (epmp_trackdb) for the latest
# external-domain records and save the result for offline review.
curl -ks -XGET -H 'Content-Type: Application/json' 'localhost:9200/epmp_trackdb/_search/?pretty' -d '{
    "size" : 100000,
    "_source": ["first_seen", "last_seen", "unique", "latest"],
    "query" : {
        "term" : {"type": "external_domain_latest"}
    }
}
' > /home/external_domain_latest.json

The output JSON contains the same behavior types as the UI:

            "types": [
                "infection_by_source_malware",
                "infection_by_source_cnc",
                "infection_by_source_fraud",
                "infection_by_source_phishing",
                "infection_by_source_attack"
            ],