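id: 5550b630-7b8a-444e-a585-ec8c7533c028
name: Hosts running a rare process with commandline
description: |
  Looks for hosts running a rare process: fewer than 1% of the 30-day average and fewer than 100 occurrences on a given host, or fewer than 14 occurrences on a given host in the last 7 days.
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Execution
  - Persistence
  - Discovery
  - LateralMovement
  - Collection
# Review notes (YAML comments only; the query text below is unchanged):
# - The description says "fewer than 14 occurrences ... in the last 7 days", but
#   the final filter in the query uses `Count < 7`. Confirm which threshold is
#   intended and align the description with the query.
# - `basic` already keeps only rows with `Count > 0 and Count < 100`, so the
#   `Count < 100` term in the final `where` is redundant; it is harmless and is
#   kept as-is.
# - `v_EndTime = ago(1m)` is one minute before query time (KQL timespan `m` is
#   minutes), so the most recent minute of events is excluded from `Count`.
# - `Count` is the 7-day count per Computer/NewProcessName/CommandLine after the
#   command line is lower-cased; `FullCount` is the 30-day count for the same
#   key; `Avg` is the mean 30-day `FullCount` per NewProcessName/CommandLine
#   across the hosts that survive the `basic` filter.
# - `HostCustomEntity` is mapped from `Computer` for entity enrichment.
query: |
  let v_StartTime = ago(7d);
  let v_EndTime = ago(1m);
  let basic=materialize(
  SecurityEvent
  | where TimeGenerated >= ago(30d)
  | where EventID == 4688
  | where isnotempty(CommandLine) and NewProcessName !endswith ":\\windows\\system32\\conhost.exe" and CommandLine !~ NewProcessName and CommandLine !~ strcat('\"',NewProcessName,'\"'," ")
  | extend CommandLine=tolower(CommandLine)
  | summarize FullCount = count()
      , Count= countif(TimeGenerated between (v_StartTime .. v_EndTime))
      , min_TimeGenerated=min(TimeGenerated)
      , max_TimeGenerated=max(TimeGenerated)
      by Computer, NewProcessName, CommandLine
  | where Count > 0 and Count < 100);
  let basic_avg = basic
  | summarize Avg = avg(FullCount) by NewProcessName, CommandLine;
  basic | project-away FullCount
  | join kind=inner
  basic_avg
  on NewProcessName, CommandLine | project-away NewProcessName1, CommandLine1
  | where Count < 7 or (Count <= Avg*0.01 and Count < 100)
  | extend HostCustomEntity=Computer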