
Children of Office processes that made more than 5 connections


L4 Transporter

Hello dear community members!

With this correlation rule we get a lot of FPs. I have already found a way to exclude the actor_process_command_line, but what about the FP IP addresses which are OK?

Because in case of Office updates we get the alerts, which communicate to legitimate destinations.

How would you make these exclusions, and will they make sense?

 

dataset = xdr_data // Using the xdr dataset
| filter event_type = ENUM.NETWORK and lowercase(causality_actor_process_image_name) in ("winword.exe", "excel.exe", "powerpnt.exe") and causality_actor_process_image_name != actor_process_image_name and actor_process_command_line not contains " --single-argument https://support" // Filtering for cases where the CGO is an office process and is not doing the network connections on its own
| fields agent_hostname as host_name, causality_actor_process_image_path as CGO_Path, causality_actor_process_command_line as CGO_CMD, causality_actor_primary_username as Username, actor_process_image_path as child_path, actor_process_command_line as child_cmd, actor_process_os_pid as child_pid, actor_process_image_sha256 as child_sha256, event_id, actor_process_instance_id as instance_id, agent_id, actor_process_execution_time as start_date, action_remote_ip // Selecting notable fields
| comp count(event_id) as Counter by host_name, CGO_Path, CGO_CMD, Username, child_path, child_cmd, child_pid, child_sha256, instance_id, agent_id, start_date, action_remote_ip // Counting how many connections were done by the child process
| filter Counter >= 5 // Filtering for more than 5 connections
| sort desc Counter // Sorting in descending order
| join (dataset = xdr_data | filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW or event_sub_type = ENUM.FILE_WRITE) and lowercase(action_file_extension) in ("exe","dll","sys") | fields actor_process_instance_id as instance_id, agent_id, action_file_path) as file instance_id = file.instance_id and agent_id = file.agent_id // Joining for file create or write events of binary files by the same process (by the unique instance ID and agent id)
| dedup start_date, host_name, CGO_Path, CGO_CMD, Username, child_path, child_cmd, child_pid, child_sha256, Counter, action_file_path, action_remote_ip by desc _time // Dedupping results since there could be multiple writes to the same file
| fields start_date, host_name, CGO_Path, CGO_CMD, Username, child_path, child_cmd, child_pid, child_sha256, Counter, action_file_path as File_Path, action_remote_ip // Showing fields of interest

 

action_remote_ip was my first step for exclusions of IP addresses.

And why did PA choose 5 connections? 

 


 

BR

 

Rob

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @RFeyertag ,

 

Thank you for writing to live community.

 

Since you mentioned that this is a correlation rule you created, it is user-created and whatever parameters are supplied here will be adhered to. In this case, you can either create exclusions for alerts with false-positive IP addresses, so that Cortex XDR suppresses alerts and events of FPs within the same rule, without you having to tune out this correlation rule all the time.

 

Alternatively, you can think about adding a filter that excludes the IPs and URLs listed in the Microsoft Office 365 URLs and IP address ranges.

This should be done on the correlation rule itself.

 

The reason your query for this rule looks for more than 5 connections is this command line in the query itself:

 

| filter Counter >= 5 // Filtering for more than 5 connections

 

You can choose to tweak this as per your choice.

 

Hope this helps.

 

Best Regards.

 

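To make the two suggested exclusions concrete, here is the rule's correlation logic re-implemented in Python over a handful of constructed xdr_data-style events. This is an added example, not Cortex XDR or XQL code and not from either poster: it reproduces the original query's steps (Office CGO with a different child process, count of network events per process instance, the ">= 5" threshold, and the join on binary file writes by the same instance) and adds a remote-IP allowlist on top of the existing command-line exclusion. The CIDR ranges in ALLOWED_REMOTE_RANGES are placeholders (documentation ranges), not the real Microsoft Office 365 ranges, and the event dicts are constructed sample data.

```python
"""Python re-implementation of the thread's XQL correlation rule plus the
discussed FP exclusions. Added example, not Cortex XDR code; sample events
and CIDR ranges are constructed for illustration only."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
BINARY_EXTENSIONS = {"exe", "dll", "sys"}
CONNECTION_THRESHOLD = 5  # the rule's "filter Counter >= 5"

# Placeholder ranges standing in for the published Office 365 IP ranges the
# answer refers to (assumption: replace with the real list). Constructed.
ALLOWED_REMOTE_RANGES = [ip_network("203.0.113.0/24"), ip_network("2001:db8::/32")]
# Mirrors the original query's "actor_process_command_line not contains ..."
ALLOWED_CMDLINE_FRAGMENTS = [" --single-argument https://support"]


def is_allowlisted_ip(ip):
    """True if ip falls in any allowlisted CIDR; unparsable values are not excluded."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_REMOTE_RANGES)


def correlate(events, threshold=CONNECTION_THRESHOLD):
    """Return alerts for Office child processes that made >= threshold
    non-allowlisted connections and also wrote a binary file."""
    counts = defaultdict(int)   # (agent_id, instance_id) -> connection count
    first_seen = {}             # (agent_id, instance_id) -> representative event
    for ev in events:
        if ev["event_type"] != "NETWORK":
            continue
        if ev["causality_actor_process_image_name"].lower() not in OFFICE_PROCESSES:
            continue
        if ev["causality_actor_process_image_name"] == ev["actor_process_image_name"]:
            continue  # the Office process itself is connecting, not a child
        if any(f in ev["actor_process_command_line"] for f in ALLOWED_CMDLINE_FRAGMENTS):
            continue  # the command-line exclusion already in the rule
        if is_allowlisted_ip(ev["action_remote_ip"]):
            continue  # FP exclusion: known-good destination ranges
        key = (ev["agent_id"], ev["actor_process_instance_id"])
        counts[key] += 1
        first_seen.setdefault(key, ev)

    # Equivalent of the join: binary file create/write by the same instance.
    writes = defaultdict(set)
    for ev in events:
        if (ev["event_type"] == "FILE"
                and ev["event_sub_type"] in ("FILE_CREATE_NEW", "FILE_WRITE")
                and ev["action_file_extension"].lower() in BINARY_EXTENSIONS):
            writes[(ev["agent_id"], ev["actor_process_instance_id"])].add(ev["action_file_path"])

    alerts = []
    for key, n in counts.items():
        if n >= threshold and key in writes:
            ev = first_seen[key]
            alerts.append({
                "host_name": ev["agent_hostname"],
                "CGO_Path": ev["causality_actor_process_image_name"],
                "child_path": ev["actor_process_image_name"],
                "child_pid": ev["actor_process_os_pid"],
                "Counter": n,
                "File_Paths": sorted(writes[key]),
            })
    return sorted(alerts, key=lambda a: a["Counter"], reverse=True)


def _net(inst, child, cmd, ip, pid):
    """Constructed NETWORK event spawned by winword.exe on agent 'agent-1'."""
    return {"event_type": "NETWORK", "agent_id": "agent-1", "agent_hostname": "WS01",
            "causality_actor_process_image_name": "WINWORD.EXE",
            "actor_process_image_name": child, "actor_process_command_line": cmd,
            "actor_process_instance_id": inst, "actor_process_os_pid": pid,
            "action_remote_ip": ip}


def _write(inst, path, ext):
    """Constructed FILE write event by the same process instance."""
    return {"event_type": "FILE", "event_sub_type": "FILE_WRITE", "agent_id": "agent-1",
            "actor_process_instance_id": inst, "action_file_path": path,
            "action_file_extension": ext}


SAMPLE_EVENTS = (
    # A: child makes 6 connections to a non-allowlisted IP and drops an .exe -> alert
    [_net("A", "child.exe", "child.exe /q", "198.51.100.7", 4242) for _ in range(6)]
    + [_write("A", r"C:\Users\u\AppData\Local\Temp\x.exe", "exe")]
    # B: same pattern but destinations are in the allowlisted range -> suppressed
    + [_net("B", "updater.exe", "updater.exe", "203.0.113.10", 4343) for _ in range(6)]
    + [_write("B", r"C:\ProgramData\u.dll", "dll")]
    # C: enough connections but no binary write -> no alert (join fails)
    + [_net("C", "other.exe", "other.exe", "198.51.100.9", 4444) for _ in range(7)]
    # D: the documented command-line exclusion -> ignored
    + [_net("D", "msedge.exe", "msedge.exe --single-argument https://support.x", "198.51.100.3", 4545) for _ in range(9)]
    + [_write("D", r"C:\Temp\e.exe", "exe")]
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Rerunning with a different threshold (for example correlate(SAMPLE_EVENTS, threshold=7)) shows why the value 5 matters: it is only a tunable cut-off in the rule, and raising it silences the sample alert without any change to the exclusions. The IP allowlist is checked per event before counting, so allowlisted destinations neither alert nor contribute to the count for a child that also talks to other hosts.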


L4 Transporter

Thank you @neelrohit ! 

I tweaked the Rule. 

 

BR

 

Rob

  • 1 accepted solution
  • 1797 Views
  • 2 replies
  • 0 Likes