Is it possible to create a correlation rule to identify when new services are present on an endpoint?
Create a correlation rule, using a query that returns all services on an endpoint, that creates a new data set of the results... say there are 201 services.
Create a rule that then alarms when either a new service is present or just when the result is greater than 201.
Using the Cortex XDR Forensics add-on, you could enable the collection of services via the Agent Settings Profile. That data can then be queried in XQL using the dataset forensics_services, and you could then craft a correlation rule against that dataset to get the outcome you want.
Another way would be via the Host Insights add-on: you could retrieve a list of services for a given endpoint, but this data is not currently exposed in XQL, so you would have to export from the UI and would not be able to build a correlation rule against it.
I can currently query and get a list of services using XQL.
Using that query I'm building a correlation rule to save to a new dataset.
I'm stuck on how to build a new rule to alert when a service has been added.
config case_sensitive = false
| dataset = host_inventory
| filter services != null
| arrayexpand services
| alter Display_Name=json_extract(services, "$.display_name")
| alter Path_Name=json_extract(services, "$.path_name")
| alter Service_Name=json_extract(services, "$.service_name")
| alter UserName=json_extract(services, "$.start_user_name")
| alter Start_Mode=json_extract(services, "$.start_mode")
| alter Started=json_extract(services, "$.started")
| alter State=json_extract(services, "$.state")
| alter Service_Type=json_extract(services, "$.service_type")
| alter Accept_Pause=json_extract(services, "$.accept_pause")
| alter Accept_Stop=json_extract(services, "$.accept_stop")
| alter Delayed=json_extract(services, "$.delayed")
| alter Desktop_Interact=json_extract(services, "$.desktop_interact")
| alter State = replace(replace(replace(replace(replace(replace(replace(State, "1", "Start_Pending"),"2", "Stop_Pending"), "3", "Running"), "4", "Continue_Pending"), "5", "Pause_Pending"), "6", "Paused"), "0", "Stopped")
| alter Start_Mode = replace(replace(replace(replace(replace(Start_Mode, "4", "Disabled"),"2", "Automatic"),"0", "Boot"),"1", "System"),"3", "Manual")
| fields host_name, Display_Name, Service_Name, Path_Name, UserName, Start_Mode, Started, Service_Type, State, Accept_Pause, Accept_Stop, Delayed, Desktop_Interact
| sort asc Display_Name
| filter (host_name contains """NameofHost""")
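The rule the poster is after boils down to comparing the current inventory against the saved baseline dataset per host. The following is an added example, not code from the thread or from Cortex XDR, showing that comparison logic in Python over constructed snapshots carrying the same host_name/service_name/path_name fields the query above extracts; it also shows why a count-only rule ("greater than 201") misses a host where one service was removed and another added.

```python
# Added example, not from the thread: the baseline-comparison logic a
# "new service appeared" correlation rule needs. Each record carries the
# same fields the XQL query above extracts (host_name, service_name, path_name).
from typing import Dict, List, Set, Tuple

ServiceKey = Tuple[str, str]  # (service_name, path_name), both lower-cased


def services_per_host(rows: List[dict]) -> Dict[str, Set[ServiceKey]]:
    """Group inventory rows into {host: {(service_name, path_name), ...}}."""
    per_host: Dict[str, Set[ServiceKey]] = {}
    for r in rows:
        key = (r["service_name"].lower(), r["path_name"].lower())
        per_host.setdefault(r["host_name"].lower(), set()).add(key)
    return per_host


def new_services(baseline: List[dict], current: List[dict]) -> List[Tuple[str, str, str]]:
    """One (host, service_name, path_name) tuple per service seen now but absent
    from the baseline. A host with no baseline rows has every service reported,
    so a freshly enrolled endpoint is reviewed once instead of silently trusted."""
    base, cur = services_per_host(baseline), services_per_host(current)
    found = []
    for host, keys in sorted(cur.items()):
        for name, path in sorted(keys - base.get(host, set())):
            found.append((host, name, path))
    return found


def hosts_with_more_services(baseline: List[dict], current: List[dict]) -> List[str]:
    """The count-only rule from the question: hosts whose service count grew."""
    base, cur = services_per_host(baseline), services_per_host(current)
    return sorted(h for h, keys in cur.items() if len(keys) > len(base.get(h, set())))


# Constructed sample snapshots (not real data). HOST-A lost one service and
# gained another, so its count is unchanged and the count rule misses it.
BASELINE = [
    {"host_name": "HOST-A", "service_name": "Spooler", "path_name": r"C:\Windows\System32\spoolsv.exe"},
    {"host_name": "HOST-A", "service_name": "wuauserv", "path_name": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"host_name": "HOST-B", "service_name": "Spooler", "path_name": r"C:\Windows\System32\spoolsv.exe"},
]
CURRENT = [
    {"host_name": "host-a", "service_name": "Spooler", "path_name": r"C:\Windows\System32\spoolsv.exe"},
    {"host_name": "host-a", "service_name": "AgentSvc", "path_name": r"C:\Program Files\Vendor\agentsvc.exe"},
    {"host_name": "HOST-B", "service_name": "Spooler", "path_name": r"C:\Windows\System32\spoolsv.exe"},
    {"host_name": "HOST-B", "service_name": "wuauserv", "path_name": r"C:\Windows\system32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, name, path in new_services(BASELINE, CURRENT):
        print(f"NEW SERVICE {host}: {name} ({path})")
    print("count grew on:", hosts_with_more_services(BASELINE, CURRENT))
```

In XQL terms the same thing is a per-host comparison of the live host_inventory rows against the saved baseline dataset on service_name and path_name, alerting on rows with no baseline match; keying on the path as well as the name means a known service name pointing at a different binary is also surfaced.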