Skip to content

Commit 1ab7990

Browse files
committed
updating detections
1 parent 374a272 commit 1ab7990

1 file changed

Lines changed: 31 additions & 10 deletions

File tree

detections/endpoint/suspicious_process_executed_from_container_file.yml

Lines changed: 31 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -14,33 +14,54 @@ data_source:
1414
search: |-
1515
| tstats `security_content_summariesonly`
1616
count
17-
values(Processes.process_name) as process_name
1817
min(_time) as firstTime
1918
max(_time) as lastTime
2019
from datamodel=Endpoint.Processes
2120
where Processes.process IN (
2221
"*.ZIP\\*",
22+
"*.zip\\*",
2323
"*.ISO\\*",
24+
"*.iso\\*",
2425
"*.IMG\\*",
26+
"*.img\\*",
2527
"*.CAB\\*",
28+
"*.cab\\*",
2629
"*.TAR\\*",
30+
"*.tar\\*",
2731
"*.GZ\\*",
32+
"*.gz\\*",
2833
"*.RAR\\*",
29-
"*.7Z\\*"
34+
"*.rar\\*",
35+
"*.7Z\\*",
36+
"*.7z\\*"
3037
)
3138
AND Processes.action="allowed"
3239
by
33-
Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.process_name Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_path Processes.user Processes.user_id Processes.vendor_product
34-
40+
Processes.action
41+
Processes.dest
42+
Processes.original_file_name
43+
Processes.parent_process
44+
Processes.parent_process_exec
45+
Processes.parent_process_guid
46+
Processes.parent_process_id
47+
Processes.parent_process_name
48+
Processes.parent_process_path
49+
Processes.process
50+
Processes.process_exec
51+
Processes.process_guid
52+
Processes.process_hash
53+
Processes.process_id
54+
Processes.process_integrity_level
55+
Processes.process_name
56+
Processes.process_path
57+
Processes.user
58+
Processes.user_id
59+
Processes.vendor_product
3560
| `drop_dm_object_name(Processes)`
36-
37-
| regex process="(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX|HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\"?$"
38-
39-
| rex field=process "(?i).+\\\\(?<file_name>[^\\\\]+\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\((.+\\\\)+)?(?<container_file_name>.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX|HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\"?$"
40-
61+
| regex process="(?i).*\.(zip|iso|img|cab|tar|gz|rar|7z)\\\\.+\.(bat|bin|cab|cmd|com|cpl|ex_|exe|gadget|inf1|ins|inx|htm|html|isu|jar|job|js|jse|lnk|msc|msi|msp|mst|paf|pif|ps1|reg|rgs|scr|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|ws|wsf|wsh)\"?$"
62+
| rex field=process "(?i).+\\\\(?<file_name>[^\\\\]+\.(?:zip|iso|img|cab|tar|gz|rar|7z))\\\\(?:.+\\\\)?(?<container_file_name>[^\\\\\"]+\.(?:bat|bin|cab|cmd|com|cpl|ex_|exe|gadget|inf1|ins|inx|htm|html|isu|jar|job|js|jse|lnk|msc|msi|msp|mst|paf|pif|ps1|reg|rgs|scr|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|ws|wsf|wsh))\"?$"
4163
| `security_content_ctime(firstTime)`
4264
| `security_content_ctime(lastTime)`
43-
4465
| `suspicious_process_executed_from_container_file_filter`
4566
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
4667
known_false_positives: Various business process or userland applications and behavior.

0 commit comments

Comments
 (0)