Include "Drilldown name and Search" in the detection template #2385

Open
gs3cl opened this issue Sep 23, 2022 · 3 comments
Labels: 4.0.0 (Security Content 4.0.0), enhancement (New feature or request)

Comments

gs3cl commented Sep 23, 2022

Hey,

is it possible to include both functions regarding Drilldowns?

action.notable.param.drilldown_name =
action.notable.param.drilldown_search =

Why?

As an analyst in a SOC with different levels/stages, it is very helpful to build Drilldown Searches for the analysts. To reduce workload during daily work, it would be cool to have this capability in the detection specs. Hence we could build predefined "Drilldown Searches".

Example:

ESCU - Account Discovery With Net App - Rule

SPL:

| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*") 
by Processes.process_name Processes.dest Processes.user Processes.parent_process_name 
| where count >=5 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `account_discovery_with_net_app_filter`

Instead of Risk, I want a search for the Drilldown with a variable like "dest":

| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*") 
by Processes.process_name Processes.dest Processes.user Processes.parent_process_name 
| where count >=5 
| `drop_dm_object_name(Processes)` 
| search dest=$dest$
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `account_discovery_with_net_app_filter`

and that would be the result in .yml with the two new fields, `search_drilldown` and `drilldown_name`:

search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*")
  by Processes.process_name Processes.dest Processes.user Processes.parent_process_name
  | where count >=5
  | `drop_dm_object_name(Processes)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `account_discovery_with_net_app_filter`'
search_drilldown: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*")
  by Processes.process_name Processes.dest Processes.user Processes.parent_process_name
  | where count >=5
  | `drop_dm_object_name(Processes)`
  | search dest=$dest$
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `account_discovery_with_net_app_filter`'
drilldown_name: Check Events
how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
known_false_positives: Pentesting

Thanks in advance

Regards,
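
How the two proposed YAML keys would flow into the generated savedsearches.conf stanza, as an added Python example that is not part of this issue or of the security_content project's own tooling. The key names `search_drilldown` and `drilldown_name` are the ones proposed above; the stanza layout, the `BY_RE`/`TOKEN_RE` helpers and the token check are assumptions made for this example. The check matters for the use case described: a `$token$` in the drilldown is substituted from the notable event, so it has to name a field the detection actually emits (here the `by` fields, with the `Processes.` prefix removed by `drop_dm_object_name`), otherwise the analyst's drilldown has nothing to substitute.

```python
import re
from typing import Dict, List

# Constructed stand-in for the parsed detection YAML proposed in the issue above.
# `search_drilldown` and `drilldown_name` are the two key names proposed there; everything
# else mirrors the ESCU "Account Discovery With Net App" detection quoted in the issue.
BASE_SEARCH = """| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*")
by Processes.process_name Processes.dest Processes.user Processes.parent_process_name
| where count >=5
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `account_discovery_with_net_app_filter`"""

# The drilldown is the same search with a token filter inserted right after the
# prefix-stripping macro, exactly where the issue places it.
DRILLDOWN_SEARCH = BASE_SEARCH.replace(
    "| `drop_dm_object_name(Processes)`\n",
    "| `drop_dm_object_name(Processes)`\n| search dest=$dest$\n",
)

DETECTION: Dict[str, str] = {
    "name": "Account Discovery With Net App",
    "search": BASE_SEARCH,
    "search_drilldown": DRILLDOWN_SEARCH,
    "drilldown_name": "Check Events",
}

# Constructed negative case: a drilldown token the detection never emits.
BAD_DETECTION: Dict[str, str] = dict(
    DETECTION, search_drilldown=DRILLDOWN_SEARCH.replace("dest=$dest$", "dest=$dest$ src=$src$")
)

# $token$ placeholders that Splunk fills from the notable event.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_.]*)\$")
# Group-by clause of a tstats search: everything after 'by' up to the next pipe.
# A deliberately simple regex for this example, not a full SPL parser.
BY_RE = re.compile(r"\bby\s+(.+?)(?=\s*\||\Z)", re.DOTALL)


def notable_fields(search: str) -> List[str]:
    """Fields the detection carries into the notable: its tstats group-by keys,
    with the data-model prefix removed when drop_dm_object_name is applied."""
    m = BY_RE.search(search)
    if not m:
        return []
    fields = m.group(1).split()
    if "drop_dm_object_name" in search:
        fields = [f.split(".", 1)[1] if "." in f else f for f in fields]
    return fields


def drilldown_tokens(drilldown: str) -> List[str]:
    """Token names used by the drilldown search, in order of appearance."""
    return TOKEN_RE.findall(drilldown)


def undefined_tokens(detection: Dict[str, str]) -> List[str]:
    """Tokens the drilldown uses that the detection does not produce."""
    have = set(notable_fields(detection["search"]))
    return sorted(set(drilldown_tokens(detection["search_drilldown"])) - have)


def one_line(spl: str) -> str:
    """savedsearches.conf values are single-line; collapse the YAML line breaks."""
    return " ".join(spl.split())


def render_stanza(detection: Dict[str, str]) -> str:
    """Render the savedsearches.conf lines the two new YAML keys would produce.
    Raises ValueError instead of emitting a drilldown with unresolvable tokens."""
    bad = undefined_tokens(detection)
    if bad:
        raise ValueError(f"drilldown uses tokens the detection never emits: {bad}")
    return "\n".join([
        f"[ESCU - {detection['name']} - Rule]",
        f"search = {one_line(detection['search'])}",
        "action.notable = 1",
        f"action.notable.param.drilldown_name = {detection['drilldown_name']}",
        f"action.notable.param.drilldown_search = {one_line(detection['search_drilldown'])}",
    ])


if __name__ == "__main__":
    print(render_stanza(DETECTION))
```

Running the block prints the stanza for the detection quoted in the issue; `render_stanza(BAD_DETECTION)` raises because `$src$` is not among the `by` fields. Note that the `| search dest=$dest$` line has to sit after `drop_dm_object_name(Processes)`, as in the issue's own example, because before that macro the field is still named `Processes.dest`.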

josehelps added the 4.0.0 (Security Content 4.0.0) and enhancement (New feature or request) labels Sep 23, 2022
josehelps (Collaborator) commented:

Hey @gs3cl, thank you so much for the request. We are absolutely looking to introduce this feature as part of a major update, security content 4.0.0. This is not likely slated until EOY, closer to the November/December timeframe. With that said, let's keep it open and we will update you once we have a PR ready.

gs3cl (Author) commented Sep 23, 2022

Hey @d1vious, thanks for the information, sounds great.

yaroslav-nakonechnikov commented:

Was it implemented?

5 participants