forked from splunk/security_content
previously_seen_running_windows_services___initial.yml
name: Previously Seen Running Windows Services - Initial
id: 64ce0ade-cb01-4678-bddd-d31c0b175394
version: 3
date: '2020-06-23'
author: David Dorsey, Splunk
type: Baseline
datamodel: []
description: Collects every Windows service that entered the running state across
  the enterprise, records the first and last time each service was seen, and writes
  the result to the previously_seen_running_windows_services lookup.
search: '`wineventlog_system` EventCode=7036 | rex field=Message "The (?<service>[-\(\)\s\w]+)
  service entered the (?<state>\w+) state" | where state="running" | stats earliest(_time)
  as firstTimeSeen, latest(_time) as lastTimeSeen by service | outputlookup previously_seen_running_windows_services'
how_to_implement: While this search does not require you to adhere to Splunk CIM,
  you must be ingesting the Windows System event log (Service Control Manager EventCode
  7036 service state changes, which is what the `wineventlog_system` macro selects) for
  it to execute successfully. Please ensure that the Splunk Add-on for Microsoft Windows
  is version 8.0.0 or above.
known_false_positives: none
references: []
tags:
  analytic_story:
  - Orangeworm Attack Group
  - Windows Service Abuse
  - NOBELIUM Group
  detections:
  - First Time Seen Running Windows Service
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - EventCode
  - Message
  security_domain: endpoint
deployment:
  scheduling:
    cron_schedule: 0 2 * * 0
    earliest_time: -90d@d
    latest_time: -1d@d
    schedule_window: auto
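The following Python is an added example, not code from the security_content project or from Splunk: it re-implements the baseline's `rex | where | stats` pipeline over a handful of constructed EventCode 7036 messages so you can see exactly what ends up in the lookup, and then runs a simplified first-time-seen comparison against that lookup (the companion detection named in the tags; its own SPL is not on this page and is not reproduced here). The sample events, timestamps and the `svc-updater (x64)` service name are invented for illustration. Note the edge case in the sample data: the regex's character class `[-\(\)\s\w]` admits hyphens, parentheses, whitespace and word characters but not dots, so a display name such as `.NET Runtime Optimization Service v4.0.30319_X64` never gets a `service` field, is dropped by `where state="running"`, and so never enters the baseline.

```python
import re
from datetime import datetime

# The same pattern the baseline's `rex` command applies to the EventCode 7036
# Message field; only the named-group syntax differs between PCRE and Python.
SERVICE_STATE_RE = re.compile(
    r"The (?P<service>[-()\s\w]+) service entered the (?P<state>\w+) state"
)

# Constructed sample events (not real telemetry): (_time, EventCode, Message).
BASELINE_EVENTS = [
    ("2024-01-01T02:00:00", 7036, "The Windows Update service entered the running state."),
    ("2024-01-01T02:00:05", 7036, "The Windows Update service entered the stopped state."),
    ("2024-01-01T09:00:00", 7036, "The Print Spooler service entered the running state."),
    ("2024-01-01T09:00:01", 7040, "The start type of the Print Spooler service was changed from auto start to disabled."),
    ("2024-01-02T03:00:00", 7036, "The Windows Update service entered the running state."),
    # Dotted display name: not matched by the regex, so silently excluded from the baseline.
    ("2024-01-02T05:00:00", 7036, "The .NET Runtime Optimization Service v4.0.30319_X64 service entered the running state."),
    ("2024-01-03T04:00:00", 7036, "The Background Intelligent Transfer Service service entered the running state."),
]

# Constructed events from a later window, i.e. what a first-time-seen detection would inspect.
NEW_EVENTS = [
    ("2024-01-05T10:00:00", 7036, "The Windows Update service entered the running state."),
    ("2024-01-05T10:05:00", 7036, "The svc-updater (x64) service entered the running state."),
    ("2024-01-05T10:06:00", 7036, "The svc-updater (x64) service entered the stopped state."),
]


def parse_event(message):
    """Return (service, state) for a Service Control Manager state-change message, else None."""
    m = SERVICE_STATE_RE.search(message)
    if not m:
        return None
    return m.group("service"), m.group("state")


def running_services(events):
    """Yield (time, service) for each EventCode 7036 event whose service entered 'running'.

    Mirrors: EventCode=7036 | rex ... | where state="running"
    """
    for ts, code, message in events:
        if code != 7036:
            continue
        parsed = parse_event(message)
        if parsed is None:
            continue  # rex extracted nothing, so state is null and `where` drops the event
        service, state = parsed
        if state != "running":
            continue
        yield datetime.fromisoformat(ts), service


def build_baseline(events):
    """Mirror: stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service.

    The returned dict is the in-memory equivalent of the
    previously_seen_running_windows_services lookup written by outputlookup.
    """
    baseline = {}
    for ts, service in running_services(events):
        entry = baseline.setdefault(service, {"firstTimeSeen": ts, "lastTimeSeen": ts})
        entry["firstTimeSeen"] = min(entry["firstTimeSeen"], ts)
        entry["lastTimeSeen"] = max(entry["lastTimeSeen"], ts)
    return baseline


def first_time_seen(events, baseline):
    """Services that entered 'running' in `events` but are absent from the baseline lookup.

    Simplified stand-in (an assumption of this example) for the 'First Time Seen
    Running Windows Service' detection; the real detection's SPL is not shown here.
    """
    new = []
    for _, service in running_services(events):
        if service not in baseline and service not in new:
            new.append(service)
    return new


if __name__ == "__main__":
    lookup = build_baseline(BASELINE_EVENTS)
    for service, times in sorted(lookup.items()):
        print(f"{service}: first={times['firstTimeSeen']} last={times['lastTimeSeen']}")
    print("new services:", first_time_seen(NEW_EVENTS, lookup))
```

Running the script prints one line per baselined service with its first and last sighting, then the list of services in the later window that the lookup has never seen. The regex is deliberately kept identical to the page's `rex` so that the blind spot for punctuated display names shows up in the output rather than being papered over; if you widen the character class in your own deployment, widen it in both the baseline and the detection, otherwise the two will disagree about which services exist.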