1-7 查到主機"we1149srv"有異常，加到關鍵搜尋

2016-08-10 14:56:18 host we1149srv 3791.exe

index="botsv1" "we1149srv" Task=3

查看之後有3筆網路行為，連到另一台主機"we8105desk"

2016-08-24 09:34:06 host we8105desk dest_ip 192.168.250.70:137

前面資訊顯示另一台主機"we8105desk"在8/24有異狀，可能有AD連線行為
index="botsv1" "we8105desk" sourcetype="stream:ldap"

2016-08-24 9:30:36 to 2016-08-24 11:18:37
Src IP 192.168.250.100 to Dest IP 192.168.250.20:389

IDS檢測到Cerber惡意軟體，來調查其觸發的規則
index="botsv1" "Cerber" sourcetype=suricata