All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Analytic Story Detail "Unusual Processes" - whitelist_process.csv

robert_miller
Path Finder
‎12-01-2017 07:24 PM

I am trying to figure out the correct format the csv file whitelist_process.csv that is referenced in the "ESCU - Detect Rare Executables" under "Unusual Processes". When opening the lookup file, below is what is listed:

process,whitelist
*C:\Program Files\Common Files\Adobe*, whitelist
*C:\Program Files\Google*, whitelist

My question is, should this file contain the fullpath to the process, process name, or both? Using the Splunk executable "splunk-regmon.exe" as an example, what is the correct format? My goal is to create a search that will auto-update this file from the information we are getting from Bit9.

C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
splunk-regmon.exe

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bpatel_splunk
Splunk Employee
Splunk Employee
‎12-07-2017 10:24 AM

Thanks for the question. The answer is to match the whitelist to how your “process” field is extracted in Splunk. According to the documentation (here), the process field will be just the name of the executable. So we recommend using only the name of the process in the whitelist_process.csv under the “process” column.
For example: the whitelist_process.csv would look something like:

process,whitelist
splunk-regmon.exe, whitelist
winword.exe, whitelist
excel.exe, whitelist
outlook.exe, whitelist
powerpnt.exe, whitelist
visio.exe, whitelist
The following steps may be helpful in achieving your goal:

Considering your datamodel: All_Application_State.Processes is populated correctly and accelerated.

1) Get a count of process’ from your logs and curate this list. 

| tstats `summariesonly` count from datamodel=Application_State.All_Application_State where nodename=All_Application_State.Processes by All_Application_State.process   |`drop_dm_object_name("All_Application_State")`| `drop_dm_object_name("Processes")` | sort -count

2) Automatically add process to the whitelist_process.csv by appending the following to above search:

<bit9 search to get process names> | eval whitelist="whitelist" | table process whitelist | outputlookup whitelist_process append=true

3) Make sure this list if thoroughly curated by checking the values using:
|inputlookup whitelist_process

View solution in original post

Reply
Solved! Jump to solution
Solution

bpatel_splunk
Splunk Employee
Splunk Employee
‎12-07-2017 10:24 AM

Thanks for the question. The answer is to match the whitelist to how your “process” field is extracted in Splunk. According to the documentation (here), the process field will be just the name of the executable. So we recommend using only the name of the process in the whitelist_process.csv under the “process” column.
For example: the whitelist_process.csv would look something like:

process,whitelist
splunk-regmon.exe, whitelist
winword.exe, whitelist
excel.exe, whitelist
outlook.exe, whitelist
powerpnt.exe, whitelist
visio.exe, whitelist
The following steps may be helpful in achieving your goal:

Considering your datamodel: All_Application_State.Processes is populated correctly and accelerated.

1) Get a count of process’ from your logs and curate this list. 

| tstats `summariesonly` count from datamodel=Application_State.All_Application_State where nodename=All_Application_State.Processes by All_Application_State.process   |`drop_dm_object_name("All_Application_State")`| `drop_dm_object_name("Processes")` | sort -count

2) Automatically add process to the whitelist_process.csv by appending the following to above search:

<bit9 search to get process names> | eval whitelist="whitelist" | table process whitelist | outputlookup whitelist_process append=true

3) Make sure this list if thoroughly curated by checking the values using:
|inputlookup whitelist_process

Reply
Solved! Jump to solution

robert_miller
Path Finder
‎12-07-2017 02:42 PM

Hey bpatel,

That is actually a better solution than what I was going to do. Using the datamodel makes the most sense. Below is the final query using that suggestion.

| tstats summariesonly count from datamodel=Application_State.All_Application_State where nodename=All_Application_State.Processes by All_Application_State.process |drop_dm_object_name("All_Application_State")| drop_dm_object_name("Processes")
| eval whitelist="whitelist"
| append [| inputlookup whitelist_process | table process, whitelist ]
| dedup process
| table process, whitelist
| outputlookup whitelist_process append=true

However, there is one catch. Not every process we see should be whitelisted because those could be some malicious ones. I think I will still have to correlate with my known good from Bit9. Below is my final query using the data from Bit9.

index=bit9 sourcetype=bit9 source=Event ProcessTrust>=8
| eval whitelist="whitelist"
| append [| inputlookup whitelist_process | table process, whitelist ]
| dedup process
| table process, whitelist
| outputlookup whitelist_process append=true

0 Karma
Reply
Solved! Jump to solution

bpatel_splunk
Splunk Employee
Splunk Employee
‎12-08-2017 12:38 PM

Hey Robert!

That's smart. Not every process should be whitelisted and the ProcessTrust>=8 is a much needed filter to have . I would still recommend you go through that whitelist atleast once after its created. It will also help you reinforce the ProcessTrust ratings given by Biit9.

From my previous life as a security analyst, I also found it useful to include a "time" field in the lookup file which would correspond to when a process is added to the whitelist. This becomes useful in the long run to maintain and keep the whitelist accurate.

Please let us know if you have any additional questions with ESCU.

0 Karma
Reply
Solved! Jump to solution

robert_miller
Path Finder
‎12-01-2017 07:30 PM

My guess is that I need to add the fullpath that includes the filename. That way its very specific. However, I am not sure how the logic is setup and whether or not it will know how to use that.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...