forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathfile_write_spikes.yml
More file actions
107 lines (107 loc) · 3.73 KB
/
file_write_spikes.yml
File metadata and controls
107 lines (107 loc) · 3.73 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
asset_type: Endpoint
confidence: low
creation_date: '2017-08-20'
data_metadata:
data_models:
- Endpoint
data_source:
- Endpoint Intel
providing_technologies:
- Carbon Black Response
- CrowdStrike Falcon
- Sysmon
- Tanium
- Ziften
description: The search looks for a sharp increase in the number of files written
to a particular host
detect:
splunk:
correlation_rule:
notable:
nes_fields: dest
rule_description: A sharp increase in file writes was detected on $dest
rule_title: Spike in file writes on $dest$
risk:
risk_object: dest
risk_object_type:
- system
risk_score: 30
schedule:
cron_schedule: 0 * * * *
earliest_time: -7d@d
latest_time: -10m@m
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where
Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)`
| eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time
>= relative_time(maxtime, "-1d@d"), count, null))) as "count" avg(eval(if(_time<relative_time(maxtime,
"-1d@d"), count,null))) as avg stdev(eval(if(_time<relative_time(maxtime,
"-1d@d"), count, null))) as stdev by "dest" | eval upperBound=(avg+stdev*4),
isOutlier=if((count > upperBound) AND num_data_samples >=20, 1, 0) | search
isOutlier=1'
suppress:
suppress_fields: dest
suppress_period: 7200s
eli5: This search calculates counts the number of file modification events per hour
per host in your environment. It then takes the average and standard deviations
of those numbers and displays any hosts with more than 20 events that have over
four times the standard deviation more than the average number of file modifications.
entities:
- dest
how_to_implement: In order to implement this search, you must populate the Endpoint
file-system data model node. This is typically populated via endpoint detection
and response products, such as Carbon Black or endpoint data sources such as Sysmon.
The data used for this search is typically generated via logs that report reads
and writes to the file system.
id: fdb0f805-74e4-4539-8c00-618927333aae
investigations:
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
name: Get Authentication Logs For Endpoint
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
name: Get User Information from Identity Table
type: splunk
- id: fecf2918-670d-4f1c-872b-3d7317a41bf9
name: Get Parent Process Info
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d55
name: Get Risk Modifiers For User
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
name: Get Process Info
type: splunk
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
name: Get Notable History
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d65
name: Get Risk Modifiers For Endpoint
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd22
name: Investigate Web Activity From Host
type: splunk
known_false_positives: It is important to understand that if you happen to install
any new applications on your hosts or are copying a large number of files, you can
expect to see a large increase of file modifications.
maintainers:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
mappings:
cis20:
- CIS 8
kill_chain_phases:
- Actions on Objectives
mitre_attack:
- Execution
nist:
- DE.CM
modification_date: '2018-12-03'
name: Spike in File Writes
original_authors:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '2.0'