Chapter 9. Advanced Querying

“The world is full of obvious things which nobody by any chance ever observes.”

Sherlock Holmes

In the preceding chapter, we laid out the basic foundations of creating queries for reports based on the data available. Most of the query ideas presented were limited, based on looking for specific indicators and previously known activity. Additionally, most of the queries were based on looking at events in a single data source, or at events related to the activity of a single host. Certainly, using known indicators, or finding indicators in your data to create new reports, goes a long way. However, you can dig a little deeper by applying more sophisticated analysis to your event data to uncover indicators and additional patterns that are not evident through basic searching. Statistics provide tools and methods for sorting through your security event data in ways that are less obvious than matching an event to a single, static indicator. They also help you find the outliers and the commonalities in the data, both of which can yield valuable information.

In this chapter, we’ll cover:

  • More false positive elimination strategies

  • How to identify and filter common traffic

  • How to detect anomalous traffic

  • How to pair statistical formulae with security event data to discover incidents

Basic Versus Advanced

It probably comes as no surprise that there is no specific, objective “dividing line” between what makes a query basic or more advanced. It doesn’t matter either ...
