Children of Office processes that made more than 5 connections

RFeyertag — Thu, 08 Sep 2022 21:19:59 GMT

Hello dear community members!

with this correlation rule we get a lot of FPs. I have allready find a way to exclude the actor_process_command_line, but what about the FP IP-Adresses which are OK?

Because in case of office updates we get the alerts, which communicate to legitime destinations.

How would you make this exclusions and will they make sense?

dataset = xdr_data // Using the xdr dataset
| filter event_type = ENUM.NETWORK and lowercase(causality_actor_process_image_name) in ("winword.exe", "excel.exe", "powerpnt.exe") and causality_actor_process_image_name != actor_process_image_name and actor_process_command_line not contains
" --single-argument https://support" // Filtering for cases where the CGO is an office process and is not doing the network connections on its own
| fields agent_hostname as host_name, causality_actor_process_image_path as CGO_Path, causality_actor_process_command_line as CGO_CMD, causality_actor_primary_username as Username, actor_process_image_path as child_path, actor_process_command_line as child_cmd, actor_process_os_pid as child_pid, actor_process_image_sha256 as child_sha256, event_id, actor_process_instance_id as instance_id, agent_id, actor_process_execution_time as start_date, action_remote_ip // Selecting notable fields
| comp count(event_id) as Counter by host_name, CGO_Path, CGO_CMD, Username, child_path, child_cmd, child_pid, child_sha256, instance_id, agent_id, start_date, action_remote_ip // Counting how many connections were done by the child process
| filter Counter >= 5 // Filtering for more than 5 connections
| sort desc Counter // Sorting in descending order
|join (dataset = xdr_data | filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW or event_sub_type = ENUM.FILE_WRITE) and lowercase(action_file_extension) in ("exe","dll","sys") | fields actor_process_instance_id as instance_id, agent_id, action_file_path) as file instance_id = file.instance_id and agent_id = file.agent_id // Joining for file create or write events of binary files by the same process (by the unique instance ID and agent id)
| dedup start_date, host_name, CGO_Path, CGO_CMD, Username, child_path, child_cmd, child_pid, child_sha256, Counter, action_file_path, action_remote_ip by desc _time // Dedupping results since there could be multiple writes to the same file
| fields start_date, host_name, CGO_Path, CGO_CMD, Username, child_path, child_cmd, child_pid, child_sha256, Counter, action_file_path as File_Path, action_remote_ip// Showing fields of interest

action_remote_ip was my first step for exclusions for IP-Adresses.

And why did PA choose 5 connections?

Rob

Re: Children of Office processes that made more than 5 connections

neelrohit — Fri, 09 Sep 2022 08:01:38 GMT

Hi @RFeyertag ,

Thank you for writing to live community.

Since you mentioned that this is a correlation rule created, this has been user created and whatever parameters are supplied here would be adhered to. In this case, you can create either create exclusions for alerts with false positive IP addresses so that Cortex XDR suppresses alerts and events of FPs within the same rule, without you having to tune out this correlation rule all the time.

Alternatively, you can think about adding a filter for not including the IPs and URLs listed in the ranges for Microsoft Office 365 URLs and IP address ranges

This should be done on the correlation rule itself.

On your query for this rule looking up for more than 5 connections is because of the command line in the query itself:

| filter Counter >= 5 // Filtering for more than 5 connections

You can choose to tweak this as per your choice.

Hope this helps.

Best Regards.

Re: Children of Office processes that made more than 5 connections

RFeyertag — Sat, 24 Sep 2022 22:03:40 GMT

Thank you @neelrohit !

I tweaked the Rule.

Rob

topic Re: Children of Office processes that made more than 5 connections in Cortex XDR Discussions

Children of Office processes that made more than 5 connections

Re: Children of Office processes that made more than 5 connections

Re: Children of Office processes that made more than 5 connections