
Merge pull request #34 from splunk/sysmon_to_endpoint
Sysmon to endpoint
josehelps authored Mar 5, 2019
2 parents 9a1b5bd + ca0333f commit 8bc8230
Showing 25 changed files with 161 additions and 161 deletions.
8 changes: 4 additions & 4 deletions escu/searches/detection_badrabbit_schtasks.json
Expand Up @@ -4,7 +4,7 @@
"confidence": "medium",
"correlation_rule": {
"notable": {
"nes_fields": "dest, user, process",
"nes_fields": "dest, user, process_name",
"rule_description": "This search looks for flags passed to schtasks.exe on the command-line that indicate that task names specific to Bad Rabbit ransomware has been created or deleted",
"rule_title": "Scheduled tasks used in BadRabbit ransomware detected on $dest$"
},
Expand All @@ -16,7 +16,7 @@
"risk_score": 80
},
"suppress": {
"suppress_fields": "dest, process",
"suppress_fields": "dest, process_name",
"suppress_period": "28800s"
}
},
Expand Down Expand Up @@ -63,7 +63,7 @@
"PR.IP"
]
},
"modification_date": "2018-11-15",
"modification_date": "2019-02-28",
"original_authors": [
{
"company": "Splunk",
Expand All @@ -76,7 +76,7 @@
"earliest_time": "-70m@m",
"latest_time": "-10m@m"
},
"search": "| tstats `summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=*schtasks.exe (Processes.process= *create* OR Processes.process= *delete*) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(\"\")` | `ctime(firstTime)`|`ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*)",
"search": "| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= \"*create*\" OR Processes.process= \"*delete*\") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(\"Processes\")` | `ctime(firstTime)`|`ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*)",
"search_description": "This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted.",
"search_id": "1297fb80-f42a-4b4a-9c8b-78c066437cf6",
"search_name": "Scheduled tasks used in BadRabbit ransomware",
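Review bot: The trailing filter on the new `search` line still carries an unscoped third term — `search (process=*rhaegal* OR process=*drogon* OR *viserion_*)` — so `*viserion_*` is a bare keyword matched against any field of the tstats rows rather than the command line, while the two sibling terms are correctly pinned to `process`. It should read `search (process=*rhaegal* OR process=*drogon* OR process=*viserion_*)`. The rest of the migration is consistent: `nes_fields` and `suppress_fields` now name `process_name`, which the `by` clause emits, `min(_time) as firstTime` is now actually aliased, and `drop_dm_object_name(\"Processes\")` matches the data model node being queried.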
12 changes: 6 additions & 6 deletions escu/searches/detection_change_file_association.json
Expand Up @@ -22,12 +22,12 @@
},
"creation_date": "2018-01-26",
"data_metadata": {
"data_models": [
"Endpoint"
],
"data_source": [
"Endpoint Intel"
],
"data_sourcetypes": [
"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
],
"providing_technologies": [
"Carbon Black Response",
"CrowdStrike Falcon",
Expand All @@ -36,8 +36,8 @@
"Ziften"
]
},
"eli5": "This search looks for changes made to the registry that control Windows file associations. It is typical for users to change the file association to open certain types of files with specific applications. However, when these changes are legitimately performed, they are typically done via the processes explorer.exe or openwith.exe. The search looks at Sysmon data with an event code of 13, which specifies setting a value in the registry. It then looks at the object path for these changes for matches to the area responsible for file associations and excludes changes made by the processes noted as typically being legitimate.",
"how_to_implement": "To successfully implement this search you need to be ingesting information on registry changes that include the name of the process responsible for the changes from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.",
"eli5": "This search looks for changes made to the registry that control Windows file associations. It is typical for users to change the file association to open certain types of files with specific applications. However, when these changes are legitimately performed, they are typically done via the processes explorer.exe or openwith.exe. The search first executes the subsearch that looks at the Registry node, which specifies setting a value in the registry and creates a table of process_id and dest. It then uses those arguments to find out what process and parent process were responsible for making those registry changes.",
"how_to_implement": "To successfully implement this search you need to be ingesting information on registry changes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` nodes.",
"known_false_positives": "There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.",
"maintainers": [
{
Expand Down Expand Up @@ -77,7 +77,7 @@
"earliest_time": "-70m@m",
"latest_time": "-10m@m"
},
"search": "(sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR tag=process) EventCode=13 object_path=*\\\\Explorer\\\\FileExts* process!=Explorer.exe AND process!=OpenWith.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, process, object_path, Details | rename Details as value | `ctime(firstTime)`| `ctime(lastTime)`",
"search": "| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name(\"Processes\")` | `ctime(firstTime)` | `ctime(lastTime)` | join [| tstats `summariesonly` values(Registry.registry_path) as registry_path count FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\\\Explorer\\\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name(\"Registry\")` | table process_id dest registry_path]",
"search_description": "This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.",
"search_id": "1b989a0e-0129-4446-a695-f193a5b746fc",
"search_name": "Suspicious Changes to File Associations",
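Review bot: The new `search` correlates the Processes and Registry nodes with `join` on the common fields `process_id` and `dest` only, with no time constraint between the two tstats aggregations, so within the scheduled window a registry write may be attributed to whichever process most recently reused that PID on the host; the Sysmon version it replaces carried the process name on the registry event itself and had no such ambiguity. If the CIM version in use populates `process_guid` in both nodes, adding it to both `by` clauses (and the subsearch `table`) makes the correlation unambiguous; otherwise the `how_to_implement` text should state that attribution is by PID and can be wrong under PID reuse. Since `join` is fed by a subsearch, it is also subject to the subsearch result cap, which on busy hosts would silently drop registry rows — worth a sentence in `how_to_implement`. The same pattern, with the same caveats, appears in the new `search` of `escu/searches/detection_reg_manipulating_services.json` in this commit.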
20 changes: 10 additions & 10 deletions escu/searches/detection_first_time_seen_cmd_line.json
Expand Up @@ -4,8 +4,8 @@
"confidence": "medium",
"correlation_rule": {
"notable": {
"nes_fields": "dest, user, process, cmdline",
"rule_description": "The system $dest$ executed a command-line argument, $cmdline$, that has not previously been seen.",
"nes_fields": "dest, user, process",
"rule_description": "The system $dest$ executed a command-line argument, $process$, that has not previously been seen.",
"rule_title": "First-time seen command-line argument was detected on $dest$."
},
"risk": {
Expand All @@ -16,18 +16,18 @@
"risk_score": 50
},
"suppress": {
"suppress_fields": "dest, process, cmdline",
"suppress_fields": "dest, process, process",
"suppress_period": "86400s"
}
},
"creation_date": "2018-04-09",
"data_metadata": {
"data_models": [
"Endpoint"
],
"data_source": [
"Endpoint Intel"
],
"data_sourcetypes": [
"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
],
"providing_technologies": [
"Carbon Black Response",
"CrowdStrike Falcon",
Expand All @@ -36,8 +36,8 @@
"Ziften"
]
},
"eli5": "The subsearch returns all events where <code>cmd.exe</code> was used with a <code>/c</code> parameter in the command-line arguments to execute other commands/programs. It appends the historical data to those results in the lookup file. Next, it recalculates the <code>firstTime</code> and <code>lastTime</code> field for command-line execution and outputs this data to the lookup file to update the local cache. It returns only those events that have first been seen in the past four hours. This is combined with the main search to return the time, user, destination, process, parent process, and value of the command-line argument.",
"how_to_implement": "You need to be ingesting logs with both the process name and command line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon Technology Add-on (TA). Please make sure you run the support search \"Previously seen command line arguments,\"&#151;which creates a lookup file called <code>previously_seen_cmd_line_arguments.csv</code>&#151;a historical baseline of all command-line arguments. You must also validate this list.",
"eli5": "The subsearch returns all events where <code>cmd.exe</code> was used with a <code>/c</code> parameter in the command-line arguments to execute other commands/programs. It appends the historical data to those results in the lookup file. Next, it recalculates the <code>firstTime</code> and <code>lastTime</code> field for command-line execution and outputs this data to the lookup file to update the local cache. It returns only those events that have first been seen in the past one hour. This is combined with the main search to return the time, user, destination, process, parent process, and value of the command-line argument.",
"how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \"process\" field in the Endpoint data model. Please make sure you run the support search \"Previously seen command line arguments,\"&#151;which creates a lookup file called <code>previously_seen_cmd_line_arguments.csv</code>&#151;a historical baseline of all command-line arguments. You must also validate this list. For the search to do accurate calculation, ensure the search scheduling is the same value as the `relative_time` evaluation function.",
"known_false_positives": "Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed.",
"maintainers": [
{
Expand Down Expand Up @@ -67,7 +67,7 @@
"PR.IP"
]
},
"modification_date": "2018-04-16",
"modification_date": "2019-03-04",
"original_authors": [
{
"company": "Splunk",
Expand All @@ -80,7 +80,7 @@
"earliest_time": "-70m@m",
"latest_time": "-10m@m"
},
"search": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational process=cmd.exe cmdline=\"* /c *\" [ search sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational process=cmd.exe cmdline=\"* /c *\" | stats earliest(_time) as firstTime latest(_time) as lastTime by cmdline | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by cmdline | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCmdLineArgument=1 | `ctime(firstTime)` | `ctime(lastTime)` | table cmdline] | table _time, user,dest, process, parent_process, cmdline",
"search": "| tstats `summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `ctime(firstTime)` | `ctime(lastTime)` | search [| tstats `summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCmdLineArgument=1 | `ctime(firstTime)` | `ctime(lastTime)` | table process]",
"search_description": "This search looks for command-line arguments that use a <code>/c</code> parameter to execute a command that has not previously been seen.",
"search_id": "9be56c82-b1cc-4318-87eb-q138afaaqa39",
"search_name": "First time seen command line argument",
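Review bot: The new `suppress_fields` value `"dest, process, process"` lists the same field twice, which looks like a leftover of the `cmdline`→`process` rename; it should be `"suppress_fields": "dest, process"` (or `"dest, process_name, process"` if suppression per image was intended). In the same file `nes_fields` keeps `user`, but the new `search` groups only by `Processes.process Processes.process_name Processes.parent_process_name Processes.dest`, so `user` is never present on the notable; either add `Processes.user` to the outer `by` clause or drop it from `nes_fields`. Minor consistency point: this file uses the unquoted form `drop_dm_object_name(Processes)` while the other searches in this commit use `drop_dm_object_name(\"Processes\")`; pick one. The `-70m@m` argument to `relative_time` is hard-coded while `how_to_implement` now tells the reader to keep it aligned with the schedule, so a short note in `how_to_implement` naming that literal would help the operator find it.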
16 changes: 8 additions & 8 deletions escu/searches/detection_psexec_accepteula.json
Expand Up @@ -4,7 +4,7 @@
"confidence": "medium",
"correlation_rule": {
"notable": {
"nes_fields": "dest,parent_process",
"nes_fields": "dest,process_name",
"rule_description": "The process pssxec.exe was run with the -accepteula flag on $dest$ by $user$.",
"rule_title": "PsExec executed with accepteula flag on $dest$."
},
Expand All @@ -16,24 +16,24 @@
"risk_score": 75
},
"suppress": {
"suppress_fields": "dest, parent_process",
"suppress_fields": "dest, process_name",
"suppress_period": "86400s"
}
},
"creation_date": "2018-03-28",
"data_metadata": {
"data_models": [
"Endpoint"
],
"data_source": [
"Endpoint Intel"
],
"data_sourcetypes": [
"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
],
"providing_technologies": [
"Sysmon"
]
},
"eli5": "In this search, we are looking for the PsExec process with <code>accepteula</code> on the command line.",
"how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, command-line arguments, and parent process from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon Technology Add-on (TA).",
"how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.",
"known_false_positives": "Administrators can leverage PsExec for accessing remote systems and might pass <code>accepteula</code> as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this event on a machine",
"maintainers": [
{
Expand All @@ -58,7 +58,7 @@
"DE.CM"
]
},
"modification_date": "2018-03-28",
"modification_date": "2019-02-26",
"original_authors": [
{
"company": "Splunk",
Expand All @@ -71,7 +71,7 @@
"earliest_time": "-70m@m",
"latest_time": "-10m@m"
},
"search": "sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational process=PsExec.exe accepteula | search cmdline=*accepteula* | stats count values(cmdline) as cmdlines, min(_time) as firstTime, max(_time) as lastTime by dest, user, parent_process | `ctime(firstTime)`| `ctime(lastTime)` | table firstTime, lastTime, count, dest, user, parent_process, cmdlines",
"search": "| tstats `summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = PsExec.exe Processes.process = \"*accepteula*\" by Processes.process_name Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)`| `ctime(firstTime)`| `ctime(lastTime)`",
"search_description": "This search looks for events where <code>PsExec.exe</code> is run with the <code>accepteula</code> flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument <code>accepteula</code> within the command line.",
"search_id": "b89919ed-fe5f-492c-b139-151xb162040e",
"search_name": "Detect PsExec With accepteula Flag",
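Review bot: `rule_description` still interpolates `$user$` ("... on $dest$ by $user$."), but the new `search` groups by `Processes.process_name Processes.dest Processes.parent_process_name` only, so `user` — which the replaced search did carry in its `by dest, user, parent_process` — no longer reaches the notable and the token will be left unresolved. Either extend the `by` clause to `by Processes.process_name Processes.dest Processes.parent_process_name Processes.user` or drop `$user$` from the description. While in this block, the context line's `pssxec.exe` is a typo for `psexec.exe`, and `"nes_fields": "dest,process_name"` lacks the `, ` separator the sibling `suppress_fields` uses.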
12 changes: 6 additions & 6 deletions escu/searches/detection_reg_manipulating_services.json
Expand Up @@ -22,12 +22,12 @@
},
"creation_date": "2018-6-29",
"data_metadata": {
"data_models": [
"Endpoint"
],
"data_source": [
"Endpoint Intel"
],
"data_sourcetypes": [
"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
],
"providing_technologies": [
"Carbon Black Response",
"CrowdStrike Falcon",
Expand All @@ -37,7 +37,7 @@
]
},
"eli5": "This search looks for modifications to registry paths that specify the definition and configuration of Windows services by reg.exe. Reg.exe is a Windows utility that allows for manipulation of the registry via the command line. Malware often uses the Windows services architecture to persist, hide in plain sight, and gain the ability to interact with the Windows kernel. While it is common to modify the configuration of Windows services (and new services may be created with software installs), the use of reg.exe to create or modify a service configuration is unusual and a technique commonly used by attackers. The search returns the count, the first time the activity was seen, the last time activity was seen, the registry path that was modified, the host where the modification took place, and the user that performed the modification.",
"how_to_implement": "To successfully implement this search you need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.",
"how_to_implement": "To successfully implement this search you need to be ingesting information on registry changes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` nodes.",
"known_false_positives": "It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate.",
"maintainers": [
{
Expand Down Expand Up @@ -71,7 +71,7 @@
"DE.CM"
]
},
"modification_date": "2018-6-29",
"modification_date": "2019-03-01",
"original_authors": [
{
"company": "Splunk",
Expand All @@ -84,7 +84,7 @@
"earliest_time": "-70m@m",
"latest_time": "-10m@m"
},
"search": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational services | search (EventCode=12 OR EventCode=13) process=reg.exe object_path=*\\\\services\\\\* | stats count values(object_path) as object_path min(_time) as firstTime max(_time) as lastTime by dest process | `ctime(firstTime)` |`ctime(lastTime)`",
"search": "| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name = reg.exe by Processes.process_id Processes.dest | `drop_dm_object_name(\"Processes\")` | `ctime(firstTime)` | `ctime(lastTime)` | join [| tstats `summariesonly` values(Registry.registry_path) as registry_path count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\services\\\\*\" by Registry.process_id Registry.dest | `drop_dm_object_name(\"Registry\")` | table process_id dest registry_path]",
"search_description": "The search looks for reg.exe modifying registry keys that define Windows services and their configurations.",
"search_id": "8470d755-0c13-45b3-bd63-387a373c10cf",
"search_name": "Reg.exe Manipulating Windows Services Registry Keys",
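Review bot: The unchanged `eli5` text promises that the search "returns ... the host where the modification took place, and the user that performed the modification", but the new `search` groups the Processes side by `Processes.process_id Processes.dest` and the Registry side by `Registry.process_id Registry.dest`, so no `user` field is produced any more. Either add `Processes.user` to the outer `by` clause or reword the `eli5` sentence to list what the search now returns (count, first/last time, `process_name`, `parent_process_name`, `dest`, `registry_path`). The Registry filter is quoted here (`Registry.registry_path=\"*\\\\services\\\\*\"`) but unquoted in `detection_change_file_association.json`; both parse, but one form throughout the commit would be easier to review.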
