Rule Name : Abnormally High Number of Endpoint Changes By User
Description: Detects an abnormally high number of endpoint changes by user account, as they relate to restarts, audits, filesystem, user, and registry modifications.
tstats count from datamodel=Endpoint.Filesystem where Filesystem.tag="change" by Filesystem.user | eval change_type="filesystem",user='Filesystem.user' |
tstats append=T count from datamodel=Endpoint.Registry where Registry.tag="change" by Registry.user | eval change_type=if(isnull(change_type),"registry",change_type),user=if(isnull(user),'Registry.user',user) |
tstats append=T count from datamodel=Change.All_Changes where nodename="All_Changes.Endpoint_Changes" by All_Changes.change_type,All_Changes.user | eval change_type=if(isnull(change_type),'All_Changes.change_type',change_type),user=if(isnull(user),'All_Changes.user',user) | stats count as change_count by change_type,user | xswhere change_count from change_count_by_user_by_change_type_1d in change_analysis by change_type is above medium
The search looks in the change datamodel for changes that have happened on endpoints.
It looks for hosts which have had a higher number of changes per day that exceeds the medium average for that host and user.
Commonly if a host is compromised, an attacker will make multiple changes to try to exploit it for lateral movement or privilage escalation.
This search looks for hosts that may have been affected.