{
"creation_date": "2017-04-10",
"data_metadata": {
"data_models": [
"Endpoint"
],
"data_source": [
"Endpoint Intel"
],
"providing_technologies": [
"Carbon Black Response",
"CrowdStrike Falcon",
"Sysmon",
"Tanium",
"Ziften"
]
},
"description": "While investigating, an analyst will want to know which process and parent process were responsible for generating suspicious DNS traffic. Run the following search with the value of `dest` (the host that generated the DNS traffic) substituted in to get details on the process responsible for creating the DNS traffic. Note that the search correlates Endpoint.Processes with Endpoint.Ports on process_id and host only, with no time constraint, so on long-running hosts a reused process ID may surface unrelated processes; confirm the match against the process's observed first/last seen window before acting on it.",
"entities": [
"dest"
],
"how_to_implement": "You must be ingesting endpoint data that associates processes with network events into the Endpoint data model. The search correlates the Endpoint.Processes and Endpoint.Ports datasets on process_id and host, so both datasets must be populated and accelerated (the search runs with `summariesonly`, which ignores non-accelerated data). This data can come from endpoint protection products such as Carbon Black, or from endpoint data sources such as Sysmon.",
"id": "910e6512-edc9-4f93-ba24-5b786f47a672",
"investigate": {
"splunk": {
"fields_required": [
"dest"
],
"schedule": {
"cron_schedule": "",
"earliest_time": "3600",
"latest_time": "86400"
},
"search": "| tstats `summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest = {dest} by Processes.parent_process Processes.process_name Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `ctime(firstTime)`|`ctime(lastTime)` | search [| tstats `summariesonly` count from datamodel=Endpoint.Ports where Ports.dest_port=53 by Ports.process_id Ports.src | `drop_dm_object_name(Ports)` | rename src as dest]"
}
},
"maintainers": [
{
"company": "Splunk",
"email": "bpatel@splunk.com",
"name": "Bhavin Patel"
}
],
"modification_date": "2019-04-01",
"name": "Get Process Responsible For The DNS Traffic",
"original_authors": [
{
"company": "Splunk",
"email": "bpatel@splunk.com",
"name": "Bhavin Patel"
}
],
"spec_version": 2,
"type": "splunk",
"version": "2.0"
}