Splunk Enterprise Security

Assistance with Alerts Related to PowerShell Execution Policy in Splunk

kn450
Engager

Hello everyone,

I am facing an issue with the alerts triggered by the "Set Default PowerShell Execution Policy To Unrestricted or Bypass" (Correlation Search) rule in Splunk, as many alerts are being generated unexpectedly.

After reviewing the details, I added the command `| stats count BY process_name` to analyze the data more precisely. After executing this, the result was 389 processes within 24 hours. However, it seems there might be false positives, and I’m unable to determine if this alert is normal or if there’s a misconfiguration.

I would appreciate any help in identifying whether these alerts are expected or if there is an issue with the configuration or the rule itself.

Any assistance or advice would be greatly appreciated.

Thank you in advance.

1 Solution

General_Talos
Path Finder

Hey, 

If you’re referring to the correlation search detailed at Splunk Research, here are some suggestions to help reduce false positives (though these depend on your current user activity patterns):

- Identify the list of legitimate users or admins who are authorized to perform such PowerShell activities by running:

| stats count BY process_name user process_path

- Initially, you can try excluding processes running from trusted directories like C:\Windows\System32\* or C:\Program Files\*. However, note that some ransomware has been observed executing from the System32 directory as a parent process. So, consider excluding these paths only after analyzing and reducing the alert volume:

| where NOT ((like(process_path, "C:\\Windows\\System32\\%") OR like(process_path, "C:\\Program Files\\%")) AND user IN ("admin_user"))
| stats count BY process_name user process_path

- Pay close attention to processes that frequently appear. Cross-reference them with known benign activities to further refine your filtering logic.

- If the alerts are not time-sensitive, consider reducing the correlation search frequency (e.g., to every 6 hours) to mitigate alert fatigue.

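A self-contained version of the allowlist filter from the answer above, added here as an example and not code from the original post or from Splunk Research: it builds a few constructed sample rows with makeresults so it runs on any Splunk instance without endpoint data, matches trusted paths with like() and the % wildcard (the eval/where IN operator does not expand *), compares paths and users case-insensitively, and keeps the allowlist and trusted-path decisions as separate fields so the final stats show why each surviving row was kept. The two allowlisted accounts (admin_user, svc_deploy) and the sample paths are assumptions for the example.

```spl
| makeresults count=1
| eval rows=mvappend(
    "powershell.exe;admin_user;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "powershell.exe;jdoe;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "pwsh.exe;admin_user;C:\\Program Files\\PowerShell\\7\\pwsh.exe",
    "powershell.exe;admin_user;C:\\Users\\admin_user\\AppData\\Local\\Temp\\powershell.exe",
    "POWERSHELL.EXE;svc_deploy;c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")
| mvexpand rows
| rex field=rows "^(?<process_name>[^;]+);(?<user>[^;]+);(?<process_path>.+)$"
| fields - rows
| eval process_name=lower(process_name), user_l=lower(user), path_l=lower(process_path)
| eval trusted_path=if(like(path_l, "c:\\windows\\system32\\%") OR like(path_l, "c:\\program files\\%"), 1, 0)
| eval allowlisted_user=if(in(user_l, "admin_user", "svc_deploy"), 1, 0)
| where NOT (trusted_path=1 AND allowlisted_user=1)
| stats count BY process_name user process_path trusted_path allowlisted_user
```

The filter is built to drop only rows where an allowlisted account runs from a trusted directory, so a non-allowlisted user in System32 and an allowlisted admin running from a Temp path both stay visible; to apply it to real alerts, replace the makeresults, mvappend, mvexpand and rex lines with the correlation search's own output, or move the allowlisted accounts into a lookup.
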