32 строки
1.6 KiB
YAML
32 строки
1.6 KiB
YAML
id: 513e3a11-e1bb-4cfc-8af9-451da0407e6b
|
|
name: New processes observed in last 24 hours
|
|
description: |
|
|
'These new processes could be benign new programs installed on hosts; however, especially in normally stable environments,
|
|
these new processes could provide an indication of an unauthorized/malicious binary that has been installed and run.
|
|
Reviewing the wider context of the logon sessions in which these binaries ran can provide a good starting point for identifying possible attacks.'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
tactics:
|
|
- Execution
|
|
query: |
|
|
|
|
let starttime = 14d;
|
|
let endtime = 1d;
|
|
let ProcessCreationEvents=() {
|
|
let processEvents=SecurityEvent
|
|
| where EventID==4688
|
|
| where TimeGenerated >= ago(starttime)
|
|
| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, AccountDomain=SubjectDomainName, FileName=tostring(split(NewProcessName, @'')[(-1)]), ProcessCommandLine = CommandLine, InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine='',InitiatingProcessParentFileName='';
|
|
processEvents};
|
|
ProcessCreationEvents
|
|
| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)
|
|
| summarize HostCount=dcount(ComputerName) by tostring(FileName)
|
|
| join kind=rightanti (
|
|
ProcessCreationEvents
|
|
| where TimeGenerated >= ago(endtime)
|
|
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computers = makeset(ComputerName) , HostCount=dcount(ComputerName) by tostring(FileName)
|
|
) on FileName
|
|
| project StartTimeUtc, Computers, HostCount, FileName
|
|
| extend timestamp = StartTimeUtc |