03-20-2024 06:19 AM
Hi,
We want to write a logic to detect if there have been X number of file renames in Y time for a particular system
Please let me know what is the way to achieve the same ?
03-20-2024 07:58 AM
Hi @meanmach, thanks for reaching us using the Live Community.
I have created this XQL query to detect file renames on a given system and return a "true" value if the number of actions exceeds X.
dataset = xdr_data
| filter agent_hostname = "YOUR_HOSTNAME"
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_RENAME
| comp count_distinct(action_file_previous_file_name) as File_Count
| alter files_alert = if (File_Count >= 50, true, false) // Set your threshold
You can save this as a Correlation Rule and then set the timeframe in the correlation execution.
With this other XQL Query you can see the details about what files were renamed and which process did it:
dataset = xdr_data
| filter agent_hostname = "YOUR_HOSTNAME"
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_RENAME
| fields _time, agent_hostname, agent_ip_addresses, actor_effective_username, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_signature_vendor, action_file_previous_file_name, action_file_name
If this post answers your question, please mark it as the solution.
03-20-2024 10:30 PM
Thanks a lot, will update you shortly on this.
03-21-2024 09:35 PM
Hi @jmazzeo, thanks a lot for the answer provided, however I have the following doubts:
03-22-2024 05:08 AM
Hi @meanmach, let me help you with the answers:
1- The correlation rules are executed server-side on the XDR Console tenant; there is no impact on the systems.
2- The correlation rule can be executed to get info from every system, or only the ones you define on the XQL Query using the "| filter agent_hostname = "YOUR_HOSTNAME"" statement. If you want to retrieve the information of all the endpoints you just have to remove that filter.
3- You can create a BIOC rule too. The BIOC rule can be used to block the source process that is generating the filename changes.
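The "X renames in Y time" logic from the query above, evaluated per host (the filter-removed, all-endpoints case from point 2), as an added example that is not from the thread or from Cortex XDR itself. It assumes the events have already been exported from xdr_data; the sample events, host names and process names are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), shaped like the xdr_data fields the
# thread's queries use: _time, agent_hostname, actor_process_image_name,
# action_file_previous_file_name, action_file_name.
SAMPLE_EVENTS = [
    ("2024-03-20T06:00:00", "WS-01", "explorer.exe", "notes.txt", "notes_old.txt"),
    ("2024-03-20T06:00:05", "WS-01", "unknown.exe", "a.docx", "a.docx.enc"),
    ("2024-03-20T06:00:06", "WS-01", "unknown.exe", "b.xlsx", "b.xlsx.enc"),
    ("2024-03-20T06:00:07", "WS-01", "unknown.exe", "c.pdf", "c.pdf.enc"),
    ("2024-03-20T06:00:08", "WS-01", "unknown.exe", "d.pptx", "d.pptx.enc"),
    # WS-02: as many renames, but 15 minutes apart -> never X within Y
    ("2024-03-20T07:00:00", "WS-02", "explorer.exe", "q1.xlsx", "q1_final.xlsx"),
    ("2024-03-20T07:15:00", "WS-02", "explorer.exe", "q2.xlsx", "q2_final.xlsx"),
    ("2024-03-20T07:30:00", "WS-02", "explorer.exe", "q3.xlsx", "q3_final.xlsx"),
    ("2024-03-20T07:45:00", "WS-02", "explorer.exe", "q4.xlsx", "q4_final.xlsx"),
    # WS-03: one file renamed back and forth; count_distinct keeps this at 2
    ("2024-03-20T09:00:00", "WS-03", "backup.exe", "db.tmp", "db.bak"),
    ("2024-03-20T09:00:01", "WS-03", "backup.exe", "db.bak", "db.tmp"),
    ("2024-03-20T09:00:02", "WS-03", "backup.exe", "db.tmp", "db.bak"),
    ("2024-03-20T09:00:03", "WS-03", "backup.exe", "db.bak", "db.tmp"),
]

def detect_rename_bursts(events, threshold, window):
    """Flag hosts where >= `threshold` distinct previous file names were renamed
    inside any sliding `window` (a timedelta). This is count_distinct(
    action_file_previous_file_name) grouped by agent_hostname, but evaluated over a
    rolling window rather than one fixed correlation-rule timeframe."""
    by_host = defaultdict(list)
    for t, host, proc, prev, _new in events:
        by_host[host].append((datetime.fromisoformat(t), proc, prev))
    alerts = {}
    for host, evs in by_host.items():
        recent = deque()
        for t, proc, prev in sorted(evs):
            recent.append((t, proc, prev))
            while t - recent[0][0] > window:  # drop events older than the window
                recent.popleft()
            distinct = {p for _, _, p in recent}
            if len(distinct) >= threshold and len(distinct) > alerts.get(host, {}).get("file_count", 0):
                alerts[host] = {
                    "file_count": len(distinct),
                    "window_start": recent[0][0].isoformat(),
                    "window_end": t.isoformat(),
                    "processes": sorted({pr for _, pr, _ in recent}),  # triage starting point
                }
    return alerts

if __name__ == "__main__":
    for host, a in detect_rename_bursts(SAMPLE_EVENTS, 4, timedelta(minutes=5)).items():
        print(host, a)
```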
03-22-2024 06:16 AM
Thanks a lot for the information.