Splunk Enterprise Security

Assistance with Alerts Related to PowerShell Execution Policy in Splunk

kn450
Engager

Hello everyone,

I am facing an issue with the alerts triggered by the "Set Default PowerShell Execution Policy To Unrestricted or Bypass" (Correlation Search) rule in Splunk, as many alerts are being generated unexpectedly.

After reviewing the details, I added the command `| stats count BY process_name` to analyze the data more precisely. After executing this, the result was 389 processes within 24 hours. However, it seems there might be false positives and I’m unable to determine if this alert is normal or if there’s a misconfiguration.

I would appreciate any help in identifying whether these alerts are expected or if there is an issue with the configuration or the rule itself.

Any assistance or advice would be greatly appreciated.

Thank you in advance.

 


General_Talos
Path Finder

Hey, 

If you’re referring to the correlation search detailed at Splunk Research, here are some suggestions to help reduce false positives (though these depend on your current user activity patterns):

- Identify the list of legitimate users or admins who are authorized to perform such PowerShell activities by running:

| stats count BY process_name user process_path

- Initially, you can try excluding processes running from trusted directories like C:\Windows\System32\* or C:\Program Files\*. However, note that some ransomware has been observed executing from the System32 directory as a parent process. So, consider excluding these paths only after analyzing and reducing the alert volume:

| where NOT ((like(process_path, "C:\\Windows\\System32\\%") OR like(process_path, "C:\\Program Files\\%")) AND user IN ("admin_user"))
| stats count BY process_name user process_path

- Pay close attention to processes that frequently appear. Cross-reference them with known benign activities to further refine your filtering logic.

- If the alerts are not time-sensitive, consider reducing the correlation search frequency (e.g., to every 6 hours) to mitigate alert fatigue.
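The tuning logic from the answer above, written out as an added Python example (not code from the thread or from the Splunk Research detection): it takes constructed process-creation events, keeps only those that set the execution policy to Unrestricted or Bypass, drops the ones that come from a trusted directory AND an authorized account, and then counts what is left by process_name, user and process_path, the same breakdown the answer suggests. It also builds the equivalent SPL `where` clause with `like()` rather than `IN`, because the `where` command's `IN` operator does not expand wildcards. The field names, the service account, the paths and every event are assumptions made up for the example.

```python
"""Added example: offline triage of "Set Default PowerShell Execution Policy
To Unrestricted or Bypass" hits, using the allowlisting approach from the
answer. All field names, accounts, paths and events below are constructed."""
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample events (not real telemetry): the process that wrote the
# ExecutionPolicy registry value and the value it wrote.
EVENTS = [
    {"process_name": "powershell.exe", "user": "CORP\\svc_deploy",
     "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "registry_value_data": "Unrestricted"},   # trusted path + authorized user
    {"process_name": "pwsh.exe", "user": "CORP\\alice",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\pwsh.exe",
     "registry_value_data": "Bypass"},         # user-writable path: keep
    {"process_name": "powershell.exe", "user": "CORP\\bob",
     "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "registry_value_data": "Bypass"},         # trusted path, unauthorized user: keep
    {"process_name": "powershell.exe", "user": "CORP\\svc_deploy",
     "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "registry_value_data": "RemoteSigned"},   # not a policy weakening: not a hit
    {"process_name": "pwsh.exe", "user": "CORP\\alice",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\pwsh.exe",
     "registry_value_data": "Bypass"},         # repeat of the second event
]

# Assumed allowlist. Both conditions must hold, so a process launched from
# System32 by an unexpected account is still reported (the ransomware caveat).
TRUSTED_PATHS = ["C:\\Windows\\System32\\*", "C:\\Program Files\\*"]
AUTHORIZED_USERS = {"CORP\\svc_deploy"}


def is_policy_weakening(event):
    """True when the written policy value is one the detection cares about."""
    return event["registry_value_data"].lower() in {"unrestricted", "bypass"}


def is_allowlisted(event, trusted_paths=TRUSTED_PATHS, users=AUTHORIZED_USERS):
    """Trusted directory AND authorized user; either alone is not enough."""
    path = event["process_path"].lower()
    from_trusted_dir = any(fnmatchcase(path, p.lower()) for p in trusted_paths)
    return from_trusted_dir and event["user"] in users


def triage(events):
    """Return (hits, remaining, counts): raw detections, detections left after
    the allowlist, and the stats-count-style breakdown of the remainder."""
    hits = [e for e in events if is_policy_weakening(e)]
    remaining = [e for e in hits if not is_allowlisted(e)]
    counts = Counter((e["process_name"], e["user"], e["process_path"])
                     for e in remaining)
    return hits, remaining, dict(counts)


def spl_where_clause(trusted_paths=TRUSTED_PATHS, users=AUTHORIZED_USERS):
    """Build the matching SPL filter. like() is used for the path prefixes
    because wildcards are not expanded by the where command's IN operator;
    backslashes are doubled because eval/where string literals escape them."""
    def lit(s):
        return '"' + s.replace("\\", "\\\\") + '"'
    path_tests = " OR ".join(
        f"like(process_path, {lit(p[:-1] + '%')})" if p.endswith("*")
        else f"process_path={lit(p)}"
        for p in trusted_paths)
    user_list = ", ".join(lit(u) for u in sorted(users))
    return f"| where NOT (({path_tests}) AND user IN ({user_list}))"


if __name__ == "__main__":
    hits, remaining, counts = triage(EVENTS)
    print(f"{len(hits)} hits, {len(remaining)} left after allowlisting")
    for (name, user, path), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {name:16s} {user:18s} {path}")
    print(spl_where_clause())
```

Run the triage first against the raw alert population, look at the top of the count table, and only then move entries into the allowlist; the example deliberately keeps the System32 launch by an unauthorized account so the "trusted path alone is not a pass" point from the answer is visible in the output.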

