As an analyst in a SOC with different levels/stages it is very helpful to build Drilldown Searches for the analysts. To reduce workload during daily work it would be cool to have this capability in the detection specs. Hence we could build predefined "Drilldown Searches".
Example:
ESCU - Account Discovery With Net App - Rule
SPL:
```
| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*")
by Processes.process_name Processes.dest Processes.user Processes.parent_process_name
| where count >=5
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `account_discovery_with_net_app_filter`
```
Instead of Risk I want a Search for the Drilldown with a variable like "dest":
```
| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*")
by Processes.process_name Processes.dest Processes.user Processes.parent_process_name
| where count >=5
| `drop_dm_object_name(Processes)`
| search dest=$dest$
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `account_discovery_with_net_app_filter`
```
and that would be the result in .yml with the two new fields `search_drilldown` and `drilldown_name`:
```yaml
search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*")
  by Processes.process_name Processes.dest Processes.user Processes.parent_process_name
  | where count >=5
  | `drop_dm_object_name(Processes)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `account_discovery_with_net_app_filter`'
search_drilldown: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*")
  by Processes.process_name Processes.dest Processes.user Processes.parent_process_name
  | where count >=5
  | `drop_dm_object_name(Processes)`
  | search dest=$dest$
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `account_discovery_with_net_app_filter`'
drilldown_name: Check Events
how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
known_false_positives: Pentesting
```
Thanks in advance
Regards,
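To show how the proposed `search_drilldown` field could be consumed, here is an added example (not code from the request or from the security_content project) that resolves the `$dest$`-style tokens of a drilldown search against the fields of one notable event. The detection dict, the shortened SPL and the notable event are constructed for the example; `resolve_drilldown` and `drilldown_tokens` are hypothetical helper names.

```python
import re

# Constructed detection spec, shaped like the proposed .yml fields; the SPL is
# shortened to the parts that matter for the drilldown.
DETECTION = {
    "name": "Account Discovery With Net App",
    "search_drilldown": (
        "| tstats `security_content_summariesonly` count "
        "from datamodel=Endpoint.Processes where `process_net` "
        "by Processes.process_name Processes.dest Processes.user "
        "| `drop_dm_object_name(Processes)` "
        "| search dest=$dest$ user=$user$"
    ),
    "drilldown_name": "Check Events",
}

# $field$ tokens, the same form Splunk ES uses for notable-event drilldowns
TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_.]*)\$")


def drilldown_tokens(spl):
    """Return the set of field names a drilldown search expects from the notable."""
    return set(TOKEN.findall(spl))


def _spl_literal(value):
    """Quote a field value so it stays one search term instead of extra SPL."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def resolve_drilldown(detection, notable):
    """Fill the drilldown search with fields from one notable event.

    Refuses to run when a referenced $token$ has no value in the notable,
    so an analyst never receives a search with an unresolved placeholder."""
    spl = detection["search_drilldown"]
    missing = drilldown_tokens(spl) - set(notable)
    if missing:
        raise KeyError(f"notable event lacks fields: {sorted(missing)}")
    return TOKEN.sub(lambda m: _spl_literal(notable[m.group(1)]), spl)


if __name__ == "__main__":
    # Constructed notable event as the correlation search would emit it
    notable = {"dest": "wks-01.corp.local", "user": "CORP\\jdoe", "count": 7}
    print(resolve_drilldown(DETECTION, notable))
```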
Hey @gs3cl, thank you so much for the request. We are absolutely looking to introduce this feature as part of a major update, security content 4.0.0; this is not likely slated until EOY, closer to the November/December timeframe. With that said, let's keep it open and we will update you once we have a PR ready.
Hey,
Is it possible to include both functions regarding Drilldowns?
Why?