You might want to look for uncommon applications on an endpoint when doing the following:
Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.
Uncommon applications on an endpoint can be a sign of an attack. You want to search for unexpected applications on endpoints on your network so you can verify that they are legitimate.
To optimize the search shown below, you should specify an index and a time range.
- Ensure that your deployment is ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node.
- Ensure that you are ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.
- Define the "uncommon processes" macro in your deployment or replace it in the search below with the SPL found here instead. The macro loads a lookup with a list of uncommon processes like sethc.exe, utilman.exe, osk.exe, magnify.exe, narrator.exe, displayswitch.exe, atbroker.exe, and quser.exe.
- Run the following search:
|tstats summariesonly=true allow_old_summaries=true count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY Processes.dest Processes.user Processes.process Processes.process_name |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime) |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime) |rename "Processes.*" as "*" |`uncommon_processes`
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
||tstats summariesonly=true allow_old_summaries=true count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY Processes.dest Processes.user Processes.process Processes.process_name||Query the Endpoint.Process data model object information for destination, user, process command, and process name.|
||convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
|Convert these times into readable strings.|
||rename "Processes.*" as "*"
||Rename the data model object for better readability.|
Run a macro that loads a lookup with a list of uncommon processes.
This search returns the number of times, as well as the first and last time, it has seen every process run for each endpoint and user, and then displays only those processes that you have marked as uncommon in the uncommon_processes_default.csv table. Update the uncommon_processes_local.csv lookup file as necessary to hunt for processes that are uncommon in your environment. The process table today is shipped with our latest security content package, or can be downloaded here.
For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.