Correlation Rule for services

cancel
Showing results for 
Search instead for 
Did you mean: 

Correlation Rule for services

L2 Linker

Is it possible to create a correlation rule to identify when new services are present on an endpoint

For example,

Create a correlation rule ,using a query that returns all services on an endpoint, that creates a new data set of the results..say there are 201 services

Create a rule that then alarms when either a new service is present or just when the result is greater than 201

 

2 REPLIES 2

L2 Linker

Hi @NathanBradley,

 

Using the Cortex XDR Forensics add-on you could enable the collection of services via the Agent Settings Profile, that data can then be queried in XQL using the dataset forensics_services, you could then craft a correlation rule against that dataset to get the outcome you want. 
Another way would be via the Host Insights add-on you could retrieve a list of services for a given endpoint, but this data is not currently exposed in XQL so you would have to export from the UI and would not be able to build a correlation rule against it.

 

Regards,

Ben

 

I can currently query and get a list of services using xql

Using that query im building a correlation rule to save to a new dataset

 

Im stuck on how to build a new rule to alert when a service has been added

 

config case_sensitive = false
| dataset = host_inventory
| filter services != null
| arrayexpand services
| alter Display_Name=json_extract(services, "$.display_name")
| alter Path_Name=json_extract(services, "$.path_name")
| alter Service_Name=json_extract(services, "$.service_name")
| alter UserName=json_extract(services, "$.start_user_name")
| alter Start_Mode=json_extract(services, "$.start_mode")
| alter Started=json_extract(services, "$.started")
| alter State=json_extract(services, "$.state")
| alter Service_Type=json_extract(services, "$.service_type")
| alter Accept_Pause=json_extract(services, "$.accept_pause")
| alter Accept_Stop=json_extract(services, "$.accept_stop")
| alter Delayed=json_extract(services, "$.delayed")
| alter Desktop_Interact=json_extract(services, "$.desktop_interact")
| alter state = replace(replace(replace(replace(replace(replace(replace(state, "1", "Start_Pending"),"2", "Stop_Pending"), "3", "Running"), "4", "Continue_Pending"), "5", "Pause_Pending"), "6", "Paused"), "0", "Stopped")
| alter start_mode = replace(replace(replace(replace(replace(start_mode, "4", "Disabled"),"2", "Automatic"),"0", "Boot"),"1", "System,"),"3", "Manual")
| fields host_name,Display_Name,Service_Name,Path_Name,UserName,Start_Mode,Started,Service_Type,state,Accept_Pause,Accept_Stop, Delayed, Desktop_Interact
| sort asc Display_Name
| filter (host_name contains """NameofHost""")

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!