forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
get_process_file_activity.yml
34 lines (34 loc) · 1.18 KB
/
get_process_file_activity.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
name: Get Process File Activity
id: 6a9ad4d9-6ef2-4b85-953f-a37ab256acd5
version: 2
date: '2019-11-06'
author: David Dorsey, Splunk
type: Investigation
datamodel:
- Endpoint
description: This search returns the file activity for a specific process on a specific
endpoint
search: '| tstats `security_content_summariesonly` values(Filesystem.file_name) as
file_name values(Filesystem.dest) as dest, values(Filesystem.process_name) as process_name
from datamodel=Endpoint.Filesystem by Filesystem.dest Filesystem.process_name Filesystem.file_path,
Filesystem.action, _time | `drop_dm_object_name(Filesystem)` | search dest=$dest$ |
search process_name=$process_name$ | table _time, process_name, dest, action, file_name,
file_path'
how_to_implement: To successfully implement this search you must be ingesting endpoint
data and populating the Endpoint data model.
known_false_positives: ''
references: []
tags:
analytic_story:
- DHS Report TA18-074A
- Suspicious Zoom Child Processes
product:
- Splunk Phantom
required_fields:
- _time
- Filesystem.file_name
- Filesystem.dest
- Filesystem.process_name
- Filesystem.file_path
- Filesystem.action
security_domain: endpoint