Comments (3)
Hello @wkleinhenz Thanks for re-raising the issue. We may have missed updating this detection correctly in the past!
We updated this search to join on both dest and process_id. Will ship this updated detections in the next release!
Please feel free to create issues for things like this and we really appreciate you!!]!
Note: We couldnt use the process_guid field which would have been more accurate but the network traffic datamodel doesnt have that field.
from security_content.
Here's how to the new search looks like :
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| join process_id dest
[| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 88 by All_Traffic.src All_Traffic.process_id All_Traffic.dest_port
| `drop_dm_object_name(All_Traffic)`
| rename src as dest ]
| table _time dest parent_process_name process_name process_path process process_id dest_port
| `unknown_process_using_the_kerberos_protocol_filter````
Note: to better avoid collisions, process_guid field is better however the Network DM currently has limitation from using that.
from security_content.
Please feel free to reopen this issue if it persists! Thank you
from security_content.
Related Issues (20)
- Include `tags.atomic_guid` and `tags.required_fields` into ESCU
- Add custom annotation for versioning HOT 4
- [BUG] "Kerberos TGT Request Using RC4 Encryption" using non-CIM field "Account_Name" HOT 1
- CMD Carry Out String Command Parameter - false negatives due to trailing space before wildcard in search [BUG] HOT 2
- [BUG] ESCU - Detect Excessive Account Lockouts From Endpoint HOT 3
- [BUG] O365 Mailbox Inbox Folder Shared with All Users. Field "object" doesn't exist. HOT 1
- [BUG] sourcetype macro not consistent across Azure AD correlations HOT 2
- pre trained Deep Learning models for ESCU - Support for DSDL Version 5.1.1 HOT 1
- [BUG] Linux Service Started Or Enabled triggering on Windows events HOT 2
- [BUG] Build is not working HOT 6
- Consider adding Scope for search Azure AD Tenant Wide Admin Consent Granted HOT 1
- [BUG] DNS Query Length With High Standard Deviation HOT 1
- [BUG] Datasource is set incorrectly on this detection
- [BUG] ESCU - Get ADUser with PowerShell - Rule has no Adaptive Reponse Actions HOT 3
- Scheduled Task Initiation on Remote Endpoint - Update Analytics
- Azure AD Multi-Source Failed Authentications Spike - Missing ADFSSignInLogs category
- Minor malicious_powershell_process___encoded_command search update
- [BUG] Detections with joins failed to properly translate to Sigma
- [BUG] Missing Wildcards in Splunk Rule for Detecting Known Services Killed by Ransomware
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from security_content.