/
get_process_information_for_port_activity.yml
46 lines (46 loc) · 1.67 KB
/
get_process_information_for_port_activity.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
name: Get Process Information For Port Activity
id: 9925d08f-561e-4faa-8912-e3888a842341
version: 2
date: '2019-04-01'
author: Bhavin Patel, Splunk
type: Investigation
datamodel:
- Endpoint
description: This search will return information about the process associated with
observed network traffic to a specific destination port from a specific host.
search: '| tstats `security_content_summariesonly` count min(_time) max(_time) as
lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.user
Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | search dest=$dest$ | join dest type=inner
[| tstats `security_content_summariesonly` count from datamodel=Endpoint.Ports by
Ports.process_id Ports.src Ports.dest_port | `drop_dm_object_name(Ports)` | search
dest_port=$dest_port$ | rename src as dest]'
how_to_implement: To successfully implement this search you must be ingesting endpoint
data that associates processes with network events and populate the Endpoint Datamodel
known_false_positives: ''
references: []
tags:
analytic_story:
- AWS Network ACL Activity
- DHS Report TA18-074A
- Emotet Malware DHS Report TA18-201A
- Hidden Cobra Malware
- Lateral Movement
- Prohibited Traffic Allowed or Protocol Mismatch
- Ransomware
- SamSam Ransomware
- Suspicious AWS Traffic
- Use of Cleartext Protocols
- Command And Control
product:
- Splunk Phantom
required_fields:
- _time
- Processes.user
- Processes.process_id
- Processes.process_name
- Processes.dest
- Ports.process_id
- Ports.src
- Ports.dest_port
security_domain: endpoint