Find Instances of Malicious Communication

Use the API to find examples of malicious communication.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.

DNS requests and connections to unknown domains

Use these two requests to find examples of DNS requests (Query 1) or connections (Query 2) to domains that have no malicious classification yet.

Query 1:

Request

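# Query 1: walk from DnsQueryResolvedDomainToDomain elements, via the targetDomain
# feature, to DomainName elements whose maliciousClassificationType is "unknown" or
# "no_type_found" (the not-yet-classified bucket). The DomainName element is the
# result (isResult: true); customFields selects the columns returned for it.
# Replace 12.34.56.78 with your server address and keep curl's default certificate
# verification. The page shows no credential; presumably the request must also carry
# the session credential returned by the API login -- confirm against the auth docs.
# queryTimeout 120000 is presumably milliseconds -- confirm in the API reference.
curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
  "queryPath": [
    {
      "requestedType": "DnsQueryResolvedDomainToDomain",
      "filters": [],
      "connectionFeature": {
        "elementInstanceType": "DnsQueryResolvedDomainToDomain",
        "featureName": "targetDomain"
      }
    },
    {
      "requestedType": "DomainName",
      "filters": [
        {
          "facetName": "maliciousClassificationType",
          "values": ["unknown", "no_type_found"],
          "filterType": "Equals"
        }
      ],
      "isResult": true
    }
  ],
  "totalResultLimit": 1000,
  "perGroupLimit": 100,
  "perFeatureLimit": 100,
  "templateContext": "SPECIFIC",
  "queryTimeout": 120000,
  "customFields": [
    "maliciousClassificationType",
    "isInternalDomain",
    "everResolvedDomain",
    "everResolvedSecondLevelDomain",
    "elementDisplayName"
  ]
}'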

Query 2:

Request

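# Query 2: same idea as Query 1 but starting from Connection elements and following
# the urlDomains feature to DomainName elements whose maliciousClassificationType is
# "no_type_found" or "unknown". The DomainName element is the result (isResult: true);
# customFields selects the columns returned for it. Results are unclassified domains,
# i.e. leads for triage rather than verdicts.
# Replace 12.34.56.78 with your server address and keep curl's default certificate
# verification. The page shows no credential; presumably the request must also carry
# the session credential returned by the API login -- confirm against the auth docs.
curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
  "queryPath": [
    {
      "requestedType": "Connection",
      "filters": [],
      "connectionFeature": {
        "elementInstanceType": "Connection",
        "featureName": "urlDomains"
      }
    },
    {
      "requestedType": "DomainName",
      "filters": [
        {
          "facetName": "maliciousClassificationType",
          "values": ["no_type_found", "unknown"],
          "filterType": "Equals"
        }
      ],
      "isResult": true
    }
  ],
  "totalResultLimit": 1000,
  "perGroupLimit": 100,
  "perFeatureLimit": 100,
  "templateContext": "SPECIFIC",
  "queryTimeout": 120000,
  "customFields": [
    "maliciousClassificationType",
    "isInternalDomain",
    "everResolvedDomain",
    "everResolvedSecondLevelDomain",
    "elementDisplayName"
  ]
}'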

Outbound communication to a hostile domain

Use this request to find outbound communications to domains classified as hostile; in the filter below "hostile" means a maliciousClassificationType of hacktool, maltool, malware or suspicious.

Request

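# Query 3: outbound Connection elements (direction OUTGOING or OUTGOING_GUESSED), followed
# via the urlDomains feature to DomainName elements whose maliciousClassificationType is
# one of hacktool, maltool, malware or suspicious. The DomainName element is the result
# (isResult: true); customFields selects the columns returned for it. To narrow or widen
# the notion of "hostile", edit the values list of the second filter.
# Replace 12.34.56.78 with your server address and keep curl's default certificate
# verification. The page shows no credential; presumably the request must also carry
# the session credential returned by the API login -- confirm against the auth docs.
curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
  "queryPath": [
    {
      "requestedType": "Connection",
      "filters": [
        {
          "facetName": "direction",
          "values": ["OUTGOING", "OUTGOING_GUESSED"],
          "filterType": "Equals"
        }
      ],
      "connectionFeature": {
        "elementInstanceType": "Connection",
        "featureName": "urlDomains"
      }
    },
    {
      "requestedType": "DomainName",
      "filters": [
        {
          "facetName": "maliciousClassificationType",
          "values": ["hacktool", "maltool", "malware", "suspicious"],
          "filterType": "Equals"
        }
      ],
      "isResult": true
    }
  ],
  "totalResultLimit": 1000,
  "perGroupLimit": 100,
  "perFeatureLimit": 100,
  "templateContext": "SPECIFIC",
  "queryTimeout": 120000,
  "customFields": [
    "maliciousClassificationType",
    "isInternalDomain",
    "everResolvedDomain",
    "everResolvedSecondLevelDomain",
    "elementDisplayName"
  ]
}'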

Communication with dynamic DNS servers

Use this request to find instances of communication with servers that use a dynamic DNS configuration.

Request

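# Query 4: Connection elements whose remoteAddressInternalExternalLocal facet is
# DYNAMIC_CONFIGURATION (the dynamic-DNS case named in the section heading). Unlike
# Queries 1-3 the Connection itself is the result (isResult: true), so customFields
# asks for connection columns: direction, server address/port, byte counts in both
# directions, remote country, owner machine and process, the DNS query and timestamps --
# enough to judge volume and timing of traffic to dynamic-DNS hosts.
# Replace 12.34.56.78 with your server address and keep curl's default certificate
# verification. The page shows no credential; presumably the request must also carry
# the session credential returned by the API login -- confirm against the auth docs.
curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
  "queryPath": [
    {
      "requestedType": "Connection",
      "filters": [
        {
          "facetName": "remoteAddressInternalExternalLocal",
          "values": ["DYNAMIC_CONFIGURATION"],
          "filterType": "Equals"
        }
      ],
      "isResult": true
    }
  ],
  "totalResultLimit": 1000,
  "perGroupLimit": 100,
  "perFeatureLimit": 100,
  "templateContext": "SPECIFIC",
  "queryTimeout": 120000,
  "customFields": [
    "direction",
    "serverAddress",
    "serverPort",
    "portType",
    "aggregatedReceivedBytesCount",
    "aggregatedTransmittedBytesCount",
    "remoteAddressCountryName",
    "accessedByMalwareEvidence",
    "ownerMachine",
    "ownerProcess",
    "dnsQuery",
    "calculatedCreationTime",
    "endTime",
    "elementDisplayName"
  ]
}'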