Rule to detect change in file extensions over a given period in a single system


L1 Bithead

Hi,

We want to write logic to detect whether there have been X file renames in Y time on a particular system.

Please let me know how to achieve this?


L5 Sessionator

Hi @meanmach, thanks for reaching us using the Live Community.

I have created this XQL Query to detect the file renames on a given system, and return a "true" statement if the actions were more than X value.

dataset = xdr_data
| filter agent_hostname = "YOUR_HOSTNAME"
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_RENAME
| comp count_distinct(action_file_previous_file_name) as File_Count
| alter files_alert = if(File_Count >= 50, "true", "false") // Set your threshold; if() needs the value for both branches

You can save this as a Correlation Rule and then set the timeframe in the correlation execution.

With this other XQL Query you can see the details about what files were renamed and which process did it:

dataset = xdr_data
| filter agent_hostname = "YOUR_HOSTNAME"
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_RENAME
| fields _time, agent_hostname, agent_ip_addresses, actor_effective_username, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_signature_vendor, action_file_previous_file_name, action_file_name

 

If this post answers your question, please mark it as the solution.

JM
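The same detection logic as the query above, written as an added standalone Python example (not from the original post or from Cortex XDR): a per-host sliding window over constructed sample rename events that reports hosts where at least X distinct files were renamed within Y. Hostnames, file names and timestamps are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, shaped like the xdr_data fields used in the
# XQL query (hypothetical hosts and file names, not real telemetry).
T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = (
    # WS-01: 60 distinct files renamed within 2 minutes -> should alert
    [{"_time": T0 + timedelta(seconds=2 * i), "agent_hostname": "WS-01",
      "event_sub_type": "FILE_RENAME",
      "action_file_previous_file_name": f"report{i}.docx"} for i in range(60)]
    # WS-02: 60 renames, one per minute over an hour -> never 50 in 10 min
    + [{"_time": T0 + timedelta(minutes=i), "agent_hostname": "WS-02",
        "event_sub_type": "FILE_RENAME",
        "action_file_previous_file_name": f"log{i}.txt"} for i in range(60)]
    # WS-03: the same file renamed 55 times -> distinct count stays at 1
    + [{"_time": T0 + timedelta(seconds=i), "agent_hostname": "WS-03",
        "event_sub_type": "FILE_RENAME",
        "action_file_previous_file_name": "temp.tmp"} for i in range(55)]
    # A non-rename file event that the event_sub_type filter must drop
    + [{"_time": T0, "agent_hostname": "WS-01", "event_sub_type": "FILE_WRITE",
        "action_file_previous_file_name": "ignored.bin"}]
)


def rename_bursts(events, threshold=50, window=timedelta(minutes=10)):
    """Sliding-window form of the XQL logic: per host, count distinct
    previous file names among FILE_RENAME events seen in the last `window`.
    Returns {hostname: (time_threshold_first_crossed, distinct_count_then)}."""
    recent = defaultdict(deque)   # host -> deque of (time, previous_name)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["event_sub_type"] != "FILE_RENAME":
            continue
        host, now = ev["agent_hostname"], ev["_time"]
        q = recent[host]
        q.append((now, ev["action_file_previous_file_name"]))
        while q and now - q[0][0] > window:   # expire events outside window
            q.popleft()
        distinct = len({name for _, name in q})
        if distinct >= threshold and host not in alerts:
            alerts[host] = (now, distinct)
    return alerts


if __name__ == "__main__":
    for host, (when, n) in rename_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {n} distinct files renamed within the window at {when}")
```

Removing the per-host key (as the answer below notes for the XQL filter) would count renames fleet-wide instead of per endpoint, so the grouping by agent_hostname is what makes this a per-system threshold.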

L1 Bithead

Thanks a lot, will update you shortly on this.

L1 Bithead

Hi @jmazzeo, thanks a lot for the answer provided; however, I have the following doubts:

  • Will the correlation rule, if scheduled to run every 10 mins, cause an overhead on the systems?
  • Will the correlation rule run the query on each system, and generate an alert if a system's threshold is crossed?
  • Can I write a BIOC rule or any detection rule to achieve the same?

Hi @meanmach, let me help you with the answers:

1- The correlation rules are executed server-side on the XDR Console tenant; there is no impact on the systems.

2- The correlation rule can be executed to get info from every system, or only the ones you define in the XQL Query using the "| filter agent_hostname = "YOUR_HOSTNAME"" statement. If you want to retrieve the information of all the endpoints, you just have to remove that filter.

3- You can create a BIOC rule too. The BIOC rule can be used to block the source process that is generating the filename changes.

JM

L1 Bithead

Thanks a lot for the information.
