Find Data Theft from Attacks

Hunt for malicious behavior occurring during the data theft stage of an attack.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.

High data transfer by injected process

Use this request to find Process elements that are flagged for an unusually high volume of transmitted data and that also carry evidence of code injection. A legitimate, injected-into host process sending far more data than it normally would is a common sign of exfiltration hiding behind a trusted binary, so hits here are worth pivoting on by owner machine, parent process and user.

Request

curl --request POST \
  --url https://12.34.56.78/rest/visualsearch/query/simple \
  --header 'Content-Type: application/json' \
  --data '{
            "queryPath": [
                          {
                            "requestedType": "Process",
                            "filters": [
                                        {
                                          "facetName": "highDataTransmittedSuspicion",
                                          "values": [
                                                      true
                                                    ]
                                        },
                                        {
                                          "facetName":"detectedInjectedEvidence",
                                          "values": [
                                                      true
                                                    ]
                                        }
                                       ],
                            "isResult":true
                           }
                         ],
            "totalResultLimit": 1000,
            "perGroupLimit": 100,
            "perFeatureLimit": 100,
            "templateContext": "SPECIFIC",
            "queryTimeout": 120000,
            "customFields": [
                              "elementDisplayName",
                              "ransomwareAutoRemediationSuspended",
                              "executionPrevented",
                              "creationTime",
                              "endTime",
                              "commandLine",
                              "decodedCommandLine",
                              "isImageFileSignedAndVerified",
                              "productType",
                              "children",
                              "parentProcess",
                              "ownerMachine",
                              "imageFile",
                              "calculatedUser",
                              "pid"
                            ]
          }'
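The same hunt as a script, added here as an example and not code from the page or from Cybereason: it builds the request body shown above, posts it to the visual search endpoint, and flattens the nested resultIdToElementDataMap response into rows grouped by host so one exfiltrating endpoint stands out. The server address is the page's placeholder. Authentication is not covered on the page, so passing a JSESSIONID cookie from an earlier login is an assumption, as is the exact response layout (simpleValues for scalar fields, elementValues for linked Machine/Process/User elements), which follows the result shape as I understand it. The sample response embedded in the script is constructed, not real data.

```python
"""Hunt: high data transfer by injected process (Cybereason visual search API).
Added example, not from the original page. Server address, the JSESSIONID
session cookie and the response layout are assumptions; the sample is constructed."""
import json
import urllib.request

SERVER = "https://12.34.56.78"  # placeholder from the page; replace with your server
QUERY_URL = f"{SERVER}/rest/visualsearch/query/simple"

# Same custom fields as the curl request on the page.
CUSTOM_FIELDS = [
    "elementDisplayName", "ransomwareAutoRemediationSuspended", "executionPrevented",
    "creationTime", "endTime", "commandLine", "decodedCommandLine",
    "isImageFileSignedAndVerified", "productType", "children", "parentProcess",
    "ownerMachine", "imageFile", "calculatedUser", "pid",
]


def build_query(extra_filters=None, total_limit=1000):
    """Request body: Process elements with the high-data-transmitted suspicion AND
    injected-code evidence. extra_filters adds environment-specific Features
    (e.g. an ownerMachine filter) without touching the two core conditions."""
    filters = [
        {"facetName": "highDataTransmittedSuspicion", "values": [True]},
        {"facetName": "detectedInjectedEvidence", "values": [True]},
    ]
    filters.extend(extra_filters or [])
    return {
        "queryPath": [{"requestedType": "Process", "filters": filters, "isResult": True}],
        "totalResultLimit": total_limit,
        "perGroupLimit": 100,
        "perFeatureLimit": 100,
        "templateContext": "SPECIFIC",
        "queryTimeout": 120000,
        "customFields": CUSTOM_FIELDS,
    }


def post_query(payload, jsessionid):
    """POST the query. Assumption: the API is session-authenticated and the
    JSESSIONID cookie from the login endpoint must be sent with the request."""
    req = urllib.request.Request(
        QUERY_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Cookie": f"JSESSIONID={jsessionid}"},
    )
    with urllib.request.urlopen(req, timeout=130) as resp:  # slightly above queryTimeout
        return json.load(resp)


def flatten_results(response):
    """Reduce resultIdToElementDataMap to flat triage rows (assumed layout:
    scalars under simpleValues[f]["values"], links under elementValues[f]["elementValues"])."""
    rows = []
    results = response.get("data", {}).get("resultIdToElementDataMap", {})
    for guid, element in results.items():
        simple, linked = element.get("simpleValues", {}), element.get("elementValues", {})

        def scalar(field):
            vals = simple.get(field, {}).get("values") or []
            return vals[0] if vals else None

        def link(field):
            elems = linked.get(field, {}).get("elementValues") or []
            return elems[0]["name"] if elems else None

        rows.append({
            "guid": guid, "process": scalar("elementDisplayName"), "pid": scalar("pid"),
            "command_line": scalar("commandLine"),
            "signed": scalar("isImageFileSignedAndVerified") == "true",
            "machine": link("ownerMachine"), "parent": link("parentProcess"),
            "user": link("calculatedUser"),
        })
    return rows


def group_by_machine(rows):
    """Group hits per host: several injected, high-volume processes on one
    machine is a stronger exfiltration signal than one hit spread thin."""
    by_machine = {}
    for row in rows:
        by_machine.setdefault(row["machine"], []).append(row)
    return by_machine


def _sample_process(name, pid, cmd, signed, machine, parent, user):
    """Build one constructed result in the assumed response shape."""
    sv = lambda v: {"totalValues": 1, "values": [v]}
    ev = lambda t, n: {"elementValues": [{"guid": f"{t}-{n}", "name": n, "elementType": t}]}
    return {
        "simpleValues": {"elementDisplayName": sv(name), "pid": sv(pid), "commandLine": sv(cmd),
                         "isImageFileSignedAndVerified": sv("true" if signed else "false")},
        "elementValues": {"ownerMachine": ev("Machine", machine),
                          "parentProcess": ev("Process", parent), "calculatedUser": ev("User", user)},
    }


# Constructed sample response (not real data): two hits on the same workstation.
SAMPLE_RESPONSE = {"status": "SUCCESS", "data": {"totalResults": 2, "resultIdToElementDataMap": {
    "proc-guid-1": _sample_process("svchost.exe", "4412", r"C:\Windows\System32\svchost.exe -k netsvcs",
                                   True, "WS-FINANCE-07", "services.exe", r"corp\jdoe"),
    "proc-guid-2": _sample_process("updater.exe", "7720", r"C:\Users\Public\updater.exe",
                                   False, "WS-FINANCE-07", "explorer.exe", r"corp\jdoe"),
}}}

if __name__ == "__main__":
    # Live use: response = post_query(build_query(), "<JSESSIONID from login>")
    for machine, hits in group_by_machine(flatten_results(SAMPLE_RESPONSE)).items():
        print(f"{machine}: {len(hits)} injected process(es) with high data transfer")
        for h in hits:
            print(f"  pid {h['pid']} {h['process']} parent={h['parent']} user={h['user']} signed={h['signed']}")
```

Run it as-is to see the triage output for the constructed sample; for a live hunt, replace the sample with the result of post_query and pass an extra_filters entry (for example an ownerMachine filter) to scope the query to the hosts you care about. Keep the two core filters intact: dropping either one turns this into a generic high-traffic or generic injection list.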