forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
baseline_of_command_line_length___mltk.yml
58 lines (56 loc) · 2.58 KB
/
baseline_of_command_line_length___mltk.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
name: Baseline of Command Line Length - MLTK
id: d2a4d85b-fc6a-47a0-82f6-bc1ec2ebc459
version: 1
date: '2019-05-08'
author: Rico Valdez, Splunk
type: Baseline
datamodel: []
description: This search is used to build a Machine Learning Toolkit (MLTK) model
to characterize the length of the command lines observed for each user in the environment.
By default, the search uses the last 30 days of data to build the model. The model
created by this search is then used in the corresponding detection search, which
identifies outliers in the length of the command line.
search: '| tstats `security_content_summariesonly` count min(_time) as start_time
max(_time) as end_time FROM datamodel=Endpoint.Processes by Processes.user Processes.dest
Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | search
user!=unknown | `security_content_ctime(start_time)`| `security_content_ctime(end_time)`|
eval processlen=len(process) | fit DensityFunction processlen by user into cmdline_pdfmodel'
how_to_implement: You must be ingesting endpoint data and populating the Endpoint
data model. In addition, you must have the Machine Learning Toolkit (MLTK) version
>= 4.2 installed, along with any required dependencies. Depending on the number
of users in your environment, you may also need to adjust the value for max_inputs
in the MLTK settings for the DensityFunction algorithm, then ensure that the search
completes in a reasonable timeframe. By default, the search builds the model using
the past 30 days of data. You can modify the search window to build the model over
a longer period of time, which may give you better results. You may also want to
periodically re-run this search to rebuild the model with the latest data. More
information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.
known_false_positives: none
references: []
tags:
analytic_story:
- Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
- Ransomware
- Suspicious Command-Line Executions
- Suspicious MSHTA Activity
- Unusual Processes
detections:
- Detect Prohibited Applications Spawning cmd.exe
- Unusually Long Command Line - MLTK
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.user
- Processes.dest
- Processes.process_name
- Processes.process
security_domain: endpoint
deployment:
scheduling:
cron_schedule: 0 0 1 * *
earliest_time: -30d@d
latest_time: -1d@d
schedule_window: auto