topic Rule to detect change in file extensions over a given period in a single system in Cortex XDR Discussions

Rule to detect change in file extensions over a given period in a single system

meanmach — Wed, 20 Mar 2024 13:19:24 GMT

Hi,

We want to write a logic to detect if there have been X number of file renames in Y time for a particular system

Please let me know what is the way to achieve the same ?

Re: Rule to detect change in file extensions over a given period in a single system

jmazzeo — Wed, 20 Mar 2024 14:58:38 GMT

Hi @meanmach, thanks for reaching us using the Live Community.

I have created this XQL Query to detect the file renames on a determined system, and return a "true" statement if the actions were more than X value.

dataset = xdr_data | filter agent_hostname = "YOUR_HOSTNAME" | filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_RENAME | comp count_distinct(action_file_previous_file_name) as File_Count | alter files_alert = if (File_Count >=50) // Set your threshold

You can save this as a Correlation Rule and then set the timeframe in the correlation execution.

With this other XQL Query you can see the details about what files were renamed and which process did it:

dataset = xdr_data | filter agent_hostname = "YOUR_HOSTNAME" | filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_RENAME | fields _time, agent_hostname, agent_ip_addresses, actor_effective_username, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_signature_vendor, action_file_previous_file_name, action_file_name

If this post answers your question, please mark it as the solution.

Re: Rule to detect change in file extensions over a given period in a single system

meanmach — Thu, 21 Mar 2024 05:30:41 GMT

Thanks a lot will update you shortly on this

Re: Rule to detect change in file extensions over a given period in a single system

meanmach — Fri, 22 Mar 2024 04:35:15 GMT

Hi @jmazzeo Thanks a lot for the answer provided however i have following doubts

Will the co relation rule if scheduled to run every 10 mins cause an over head on the systems ?
Will the corellation rule run the query on each system and if a system threshold is crossed will generate an alert ?
can i write a BIOC rule or any detection rule to achieve the same

Re: Rule to detect change in file extensions over a given period in a single system

jmazzeo — Fri, 22 Mar 2024 12:08:21 GMT

Hi @meanmach, let me help you with the answers:

1- The correlation rules are executed at server side on the XDR Console tenant, there is no impact on the systems.

2- The correlation rule can be executed to get info from every system, or only the ones you define on the XQL Query using the "| filter agent_hostname = "YOUR_HOSTNAME"" statement. If you want to retrieve the information of all the endpoints you just have to remove that filter.

3- You can create a BIOC rule too. The BIOC rule can be used to block the source process that is generating the filename changes.

Re: Rule to detect change in file extensions over a given period in a single system

meanmach — Fri, 22 Mar 2024 13:16:12 GMT

Thanks a lot for the information.