forked from splunk/security_content
get_process_info.yml
name: Get Process Info
id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
version: 2
date: '2019-04-01'
author: Bhavin Patel, Splunk
type: Investigation
datamodel:
- Endpoint
description: This search queries the Endpoint data model to give you details about
  the process running on a host which is under investigation. To gather the process
  info, enter the process name in question and the host it ran on (the Endpoint data
  model's dest field, which holds the hostname or IP address of the endpoint that
  spawned the process, not a network destination).
search: '| tstats `security_content_summariesonly` count values(Processes.process)
  as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  by Processes.user Processes.parent_process_name Processes.process_name Processes.dest
  | `drop_dm_object_name("Processes")` | search process_name=$process_name$ | search
  dest=$dest$ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
how_to_implement: To successfully implement this search you must be ingesting endpoint
  process data (for example Sysmon process-creation events or Windows Security event
  4688) and populating the Endpoint data model. The tstats command reads only from the
  Endpoint.Processes node, so every field listed under required_fields must be mapped
  there; rows with an empty process_name or dest will never match the two token filters.
known_false_positives: ''
references: []
tags:
analytic_story:
- AWS Network ACL Activity
- Collection and Staging
- DHS Report TA18-074A
- Data Protection
- Disabling Security Tools
- Emotet Malware DHS Report TA18-201A
- Hidden Cobra Malware
- Lateral Movement
- Malicious PowerShell
- Monitor for Unauthorized Software
- Netsh Abuse
- Orangeworm Attack Group
- Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
- Prohibited Traffic Allowed or Protocol Mismatch
- Ransomware
- SamSam Ransomware
- Suspicious AWS Traffic
- Suspicious Command-Line Executions
- Suspicious DNS Traffic
- Suspicious MSHTA Activity
- Suspicious WMI Use
- Suspicious Windows Registry Activities
- Unusual Processes
- Windows Defense Evasion Tactics
- Windows File Extension and Association Abuse
- Windows Log Manipulation
- Windows Persistence Techniques
- Windows Privilege Escalation
- Windows Service Abuse
- Command And Control
product:
- Splunk Phantom
required_fields:
- _time
- Processes.user
- Processes.parent_process_name
- Processes.process_name
- Processes.dest
security_domain: endpoint
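The search in this file, replayed offline in Python as an added example (this is not code from splunk/security_content): it aggregates constructed Endpoint.Processes-shaped events by user, parent_process_name, process_name and dest exactly as the `tstats ... by` clause does, applies the `process_name` and `dest` filters with the semantics of the SPL `search` command (case-insensitive, `*` wildcard), and renders firstTime/lastTime in the `%m/%d/%Y %H:%M:%S` layout that `security_content_ctime` produces. The sample events, the UTC rendering of timestamps and the `spl_match` helper are assumptions made for this example.

```python
"""
Offline model of the "Get Process Info" tstats investigation search.
Added example, not part of splunk/security_content.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events shaped like Endpoint.Processes rows (not real data).
SAMPLE_EVENTS = [
    {"_time": 1554105600, "user": "CORP\\alice", "parent_process_name": "explorer.exe",
     "process_name": "powershell.exe", "dest": "WKS-042",
     "process": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"_time": 1554105660, "user": "CORP\\alice", "parent_process_name": "explorer.exe",
     "process_name": "powershell.exe", "dest": "WKS-042",
     "process": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"_time": 1554109200, "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "powershell.exe", "dest": "WKS-042",
     "process": "powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\x.ps1"},
    {"_time": 1554112800, "user": "CORP\\bob", "parent_process_name": "explorer.exe",
     "process_name": "powershell.exe", "dest": "WKS-077",
     "process": "powershell.exe"},
    {"_time": 1554116400, "user": "SYSTEM", "parent_process_name": "services.exe",
     "process_name": "svchost.exe", "dest": "WKS-042",
     "process": "svchost.exe -k netsvcs"},
]

# The `by` clause of the tstats search, after drop_dm_object_name strips "Processes.".
GROUP_KEYS = ("user", "parent_process_name", "process_name", "dest")


def ctime(epoch):
    """Mirror of `security_content_ctime`: epoch -> %m/%d/%Y %H:%M:%S.
    Assumption: UTC; a real search head renders in the user's timezone."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def spl_match(value, pattern):
    """Approximate `| search field=value`: case-insensitive, `*` is a wildcard,
    everything else is literal (hypothetical helper, written for this example)."""
    regex = ".*".join(re.escape(part) for part in str(pattern).lower().split("*"))
    return re.fullmatch(regex, str(value).lower()) is not None


def aggregate(events):
    """The `tstats count values(process) min(_time) max(_time) ... by ...` stage."""
    groups = defaultdict(lambda: {"count": 0, "process": set(),
                                  "firstTime": None, "lastTime": None})
    for ev in events:
        g = groups[tuple(ev[k] for k in GROUP_KEYS)]
        g["count"] += 1
        g["process"].add(ev["process"])
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_KEYS, key))
        row["count"] = g["count"]
        row["process"] = sorted(g["process"])   # values() returns distinct, sorted
        row["firstTime"] = g["firstTime"]
        row["lastTime"] = g["lastTime"]
        rows.append(row)
    return rows


def get_process_info(events, process_name, dest):
    """Full search: aggregate, keep rows matching both tokens, render the times."""
    result = []
    for row in aggregate(events):
        if spl_match(row["process_name"], process_name) and spl_match(row["dest"], dest):
            out = dict(row)
            out["firstTime"] = ctime(row["firstTime"])
            out["lastTime"] = ctime(row["lastTime"])
            result.append(out)
    # Deterministic order for display; tstats itself orders by the `by` fields.
    return sorted(result, key=lambda r: (r["user"], r["parent_process_name"]))


if __name__ == "__main__":
    for r in get_process_info(SAMPLE_EVENTS, "powershell.exe", "wks-042"):
        print(r)
```

Running it with `powershell.exe` and `wks-042` returns two rows for the same user on WKS-042, one per parent process, with the distinct command lines collected under `process`; the lower-case `wks-042` still matches because `search` compares field values case-insensitively. The `svchost.exe` row and the WKS-077 row are dropped by the token filters, which is the point of the investigation: it narrows the data model to one process name on one host so the parent and the full command line can be read without a free-text search.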