Comments (4)
harsha2010
commented on August 20, 2024
To generate a dataset to test this, use:
import numpy as np
import pandas as pd
processes = ["c:\\\\program files\\\\splunkforwarderforsplunkinc\\\\bin",
"C:\\\\Windows\\\\system32\\\\conhost.exe 0xffffffff",
"C:\\\\Program Files\\\\SplunkForwarderForSplunkInc\\\\bin\\\\splunk-powershell.exe",
"C:\\\\Program Files\\\\SplunkForwarderForSplunkInc\\\\bin\\\\splunk-admon.exe",
"C:\\\\Program Files\\\\SplunkForwarderForSplunkInc\\\\bin\\\\splunk-winhostinfo.exe"]
anomalous_process = "relog.exe C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\Logging\\\\Diagnostics\\\\PerformanceLogsToBeProcessed\\\\ExchangeDiagnosticsPerformanceLog_09242014.blg -f csv -o C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\Logging\\\\Diagnostics\\\\PerformanceLogsToBeProcessed\\\\ExchangeDiagnosticsPerformanceLog_09242014.csv tmp -y"
all = list(np.random.choice(processes, 20))
all.append(anomalous_process)
data = ["{" + "\"process\": \"{}\", \"dest_user_id\": \"a\", \"dest_ip_id\": \"192.168.0.1\", \"_time\": {}, \"process_name\": \"b\"".format(v, i) + "}"
for (i, v) in zip(range(len(all)), all)]
with open("unusual_commandline.json", "w") as outfile:
outfile.write("\n".join(data))from security_content.
harsha2010
commented on August 20, 2024
from security_content.
harsha2010
commented on August 20, 2024
To test this in smle, we don;t need SSA data sources. We can simply use the first two lines to mimic them.
| from read_text("s3://smle-labs-test-customer-bucket/ssa/unusual_commandline.json")
| eval input_event=from_json_object(value)
| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null))
| eval cmd_line=ucast(map_get(input_event, "process"), "string", null),
dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null),
dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null),
process_name=ucast(map_get(input_event, "process_name"), "string", null)
| where cmd_line!=null and dest_user_id!=null
| eval cmd_line_norm=replace(cast(cmd_line, "string"), /\s(--?\w+)|(\/\w+)/, " ARG"),
cmd_line_norm=replace(cmd_line_norm, /\w:\\[^\s]+/, "PATH"),
cmd_line_norm=replace(cmd_line_norm, /\d+/, "N"),
input=parse_double(len(coalesce(cmd_line_norm, "")))
| adaptive_threshold algorithm="quantile" entity="process_name" window=60480000
| where label AND quantile>0.99
| first_time_event cache_partitions=1 input_columns="dest_device_id,cmd_line"
| where first_time_dest_device_id_cmd_line
| eval start_time = timestamp,
end_time = timestamp,
entities = mvappend(dest_device_id, dest_user_id),
body = "TBD";from security_content.
josehelps
commented on August 20, 2024
Each detection for SSA now has a test file as that CI will run: https://github.com/splunk/security-content/tree/develop/tests/endpoint as well as individual notebooks used for manual testing: https://github.com/splunk/security-content/tree/develop/notebooks closing this for now.
from security_content.
Related Issues (20)
- [BUG] Linux Service Started Or Enabled triggering on Windows events HOT 2
- [BUG] Build is not working HOT 6
- Consider adding Scope for search Azure AD Tenant Wide Admin Consent Granted HOT 1
- [BUG] DNS Query Length With High Standard Deviation HOT 1
- [BUG] Datasource is set incorrectly on this detection
- [BUG] ESCU - Get ADUser with PowerShell - Rule has no Adaptive Reponse Actions HOT 3
- Scheduled Task Initiation on Remote Endpoint - Update Analytics HOT 2
- Azure AD Multi-Source Failed Authentications Spike - Missing ADFSSignInLogs category
- Minor malicious_powershell_process___encoded_command search update HOT 1
- [BUG] Detections with joins failed to properly translate to Sigma HOT 1
- [BUG] Missing Wildcards in Splunk Rule for Detecting Known Services Killed by Ransomware
- [BUG] Incorrect logic statement in detection search "Detect Renamed PSExec" HOT 1
- [BUG] please, fix links in wiki: https://github.com/splunk/security_content/wiki/Detection-Analytic-Types HOT 1
- [BUG] browser_app_list lookup doesn't exist in indexers, causing query to fail in "Windows Credential Access From Browser Password Store" HOT 1
- [BUG] `Message` vs. `ScriptBlockText` for Powershell rules HOT 1
- Custom Content Development HOT 1
- AppLocker Dashboard Issue - No Policy Review Data
- [BUG] - Windows AD Domain Replication ACL Addition has unnecessary escape chars in SPL causing errors HOT 1
- [BUG] Broken token in `tags.message` (Risk Message) for 11 rules HOT 2
- [BUG] current detections.json has searches with unbalanced parentheses HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from security_content.