I am trying to figure out the correct format of the csv file whitelist_process.csv that is referenced in "ESCU - Detect Rare Executables" under "Unusual Processes". When opening the lookup file, below is what is listed:
process,whitelist
*C:\Program Files\Common Files\Adobe*, whitelist
*C:\Program Files\Google*, whitelist
My question is, should this file contain the full path to the process, the process name, or both? Using the Splunk executable "splunk-regmon.exe" as an example, what is the correct format? My goal is to create a search that will auto-update this file from the information we are getting from Bit9.
C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
splunk-regmon.exe
Thanks
Thanks for the question. The answer is to match the whitelist to how your “process” field is extracted in Splunk. According to the documentation (here), the process field will be just the name of the executable. So we recommend using only the name of the process in the whitelist_process.csv under the “process” column.
For example: the whitelist_process.csv would look something like:
process,whitelist
splunk-regmon.exe, whitelist
winword.exe, whitelist
excel.exe, whitelist
outlook.exe, whitelist
powerpnt.exe, whitelist
visio.exe, whitelist
The following steps may be helpful in achieving your goal:
This assumes your data model All_Application_State.Processes is populated correctly and accelerated.
1) Get a count of processes from your logs and curate this list.
| tstats `summariesonly` count from datamodel=Application_State.All_Application_State where nodename=All_Application_State.Processes by All_Application_State.process |`drop_dm_object_name("All_Application_State")`| `drop_dm_object_name("Processes")` | sort -count
2) Automatically add processes to the whitelist_process.csv by appending the following to the above search:
<bit9 search to get process names> | eval whitelist="whitelist" | table process whitelist | outputlookup whitelist_process append=true
3) Make sure this list is thoroughly curated by checking the values using:
|inputlookup whitelist_process
Hey bpatel,
That is actually a better solution than what I was going to do. Using the datamodel makes the most sense. Below is the final query using that suggestion.
| tstats `summariesonly` count from datamodel=Application_State.All_Application_State where nodename=All_Application_State.Processes by All_Application_State.process
| `drop_dm_object_name("All_Application_State")`
| `drop_dm_object_name("Processes")`
| eval whitelist="whitelist"
| append [| inputlookup whitelist_process | table process, whitelist ]
| dedup process
| table process, whitelist
| outputlookup whitelist_process
However, there is one catch. Not every process we see should be whitelisted because those could be some malicious ones. I think I will still have to correlate with my known good from Bit9. Below is my final query using the data from Bit9.
index=bit9 sourcetype=bit9 source=Event ProcessTrust>=8
| eval whitelist="whitelist"
| append [| inputlookup whitelist_process | table process, whitelist ]
| dedup process
| table process, whitelist
| outputlookup whitelist_process
Hey Robert!
That's smart. Not every process should be whitelisted, and the ProcessTrust>=8 is a much needed filter to have. I would still recommend you go through that whitelist at least once after it's created. It will also help you reinforce the ProcessTrust ratings given by Bit9.
From my previous life as a security analyst, I also found it useful to include a "time" field in the lookup file which would correspond to when a process is added to the whitelist. This becomes useful in the long run to maintain and keep the whitelist accurate.
Please let us know if you have any additional questions with ESCU.
My guess is that I need to add the full path that includes the filename. That way it's very specific. However, I am not sure how the logic is set up and whether or not it will know how to use that.