forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
previously_seen_zoom_child_processes___initial.yml
38 lines (38 loc) · 1.37 KB
/
previously_seen_zoom_child_processes___initial.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
name: Previously Seen Zoom Child Processes - Initial
id: 60b9c00f-a9d6-4e51-803c-5d63ea21b95b
version: 1
date: '2020-05-20'
author: David Dorsey, Splunk
type: Baseline
datamodel:
- Endpoint
description: This search returns the first and last time a process was seen per endpoint
with a parent process of zoom.exe (Windows) or zoom.us (macOS). This table is then
cached.
search: '| tstats `security_content_summariesonly` min(_time) as firstTimeSeen max(_time)
as lastTimeSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe
OR Processes.parent_process_name=zoom.us) by Processes.process_name Processes.dest|
`drop_dm_object_name(Processes)` | table dest, process_name, firstTimeSeen, lastTimeSeen
| outputlookup zoom_first_time_child_process'
how_to_implement: You must be ingesting endpoint data that tracks process activity,
including parent-child relationships from your endpoints, to populate the Endpoint
data model in the Processes node.
known_false_positives: none
references: []
tags:
analytic_story:
- Suspicious Zoom Child Processes
deployments:
- 90 Day Baseline
detections:
- First Time Seen Child Process of Zoom
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.parent_process_name
- Processes.process_name
- Processes.dest
security_domain: endpoint