Splunk Enterprise Security

Can you help me troubleshoot the Splunk Enterprise Security (ES) correlation search called Anomalous New Process?



I am troubleshooting the built in notable "Anomalous New Process" that comes with Splunk ES on version 5.1.1. Basically, the alert is spamming us non-stop with processes that are far from anomalous and actually quite common.

I believe the issue is with this lookup table, which is not being built/updated correctly, but I cannot find the documentation telling me how this table is constructed.

As we can see here

| from inputlookup:"localprocesses_tracker"

dest    firstTime   lastTime    process
AWINDOWSHOST    1539049271  1539049271  LogonUI.exe

Clearly this isn't the first time LogonUI.exe has ever run since stood up Splunk_TA_Windows. So I am working under the impression that the lookup table isn't being appended often enough.

Any idea how I can troubleshoot and fine tune this?

0 Karma


No, adjusting the search window will not help. It will actually make it worse in this case. That correlation rule alerts when anomalous number hosts are detected with a new process. Local Processes tracker contains destination, first and last timeseen and process.

If any data is returned, add it to the localprocesses_tracker file. Evaluate the time range and return values where the firsttime is between the evaluated time fields. Return a distinct count of destination grouped by process when the count is greater than 9.

Is this a new deployment of ES? If so, the 'noise' should reduce overtime.

0 Karma


So I tracked it back to this search which runs every 70 minutes. If I am reading this right, then we only have ~1 hour of historical run data on the box. So if I crank this notable to something like a 2 weeks we should have a better collection of what the box actually does in it's day to day operations. Correct? Anything I should worry about with that?

| tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime from datamodel=Application_State.All_Application_State where nodename=All_Application_State.Processes by All_Application_State.dest,All_Application_State.process 
| `drop_dm_object_name("All_Application_State")` 
| inputlookup append=T localprocesses_tracker 
| rex field=process "^\s*(?<process>[^\s]+)" 
| stats min(firstTime) as firstTime,max(lastTime) as lastTime by dest,process 
| outputlookup override_if_empty=false localprocesses_tracker 
| stats count
0 Karma


That didn't seem to work, clearly this isn't the first time we're ever seen "cron" before. "An suspicious number of new processes were identified. 1089 hosts were discovered with new instances of crond in the last 24 hours."

Not sure how this is supposed to work here.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...