Correct "remote_access_software" Lookup to Match macOS Processes from NVM Input #3569
Conversation
Changed "remote_utility" column name in CSV to "process_name" to reflect fields returned by nvm Splunk datasource. Gathered the macOS process rows at the bottom of the file. Changes to be committed: modified: lookups/remote_access_software.csv
This reverts commit 6d909f9.
Changed "remote_utility" column name in CSV to "process_name" to reflect fields returned by nvm Splunk datasource. Gathered the macOS process rows at the bottom of the file. Changes to be committed: modified: lookups/remote_access_software.csv
This reverts commit 34c8626. Reverting because I realized the lookups/remote_access_software.csv file also needs modified.
Changed "remote_utility" column name in CSV to "process_name" to reflect fields returned by nvm Splunk datasource. Gathered the macOS process rows at the bottom of the file. Modified YML to with current date and to reflect renamed column name. Changes to be committed: modified: lookups/remote_access_software.csv modified: lookups/remote_access_software.yml
|
AppInspect failure in CI is expected for PRs coming from a fork. |
| @@ -1,4 +1,4 @@ | |||
| description,remote_domain,remote_utility,remote_utility_fileinfo,remote_appid,isutility,category,comment_reference,last_update | |||
There was a problem hiding this comment.
This lookup is used by other analytics. Why not rename the field in your search instead?
There was a problem hiding this comment.
The original query had a rename (left it in here commented out), but it never matched any processes on macOS hosts:
earliest=-24h index=nvm process_name=* AND dst_name!=*.cisco.com
| stats values(dst_name) as Destination by logged_in_user_name, process_name
| join process_name
[| inputlookup remote_access_software_combined
```| rename remote_utility as process_name```
| where isnotnull(process_name)
| table process_name, category, comment_reference, description, remote_appid, remote_domain ]
There was a problem hiding this comment.
Here is a working example from the repo renaming the field to process for use
I'm no expert on SPL but I think this might be an issue in your search.
But imo the solution is not renaming the lookup to fit (only) your need.
|
@gneff : i think @nasbench is correct here. This lookup file is used in several other detections and changing the lookup field here will cause many other detections to not work. I also think there may be an opportunity to make this detection work for Mac OS processes but we do not have appropriate attack data to test that change. What data are you ingesting for processes from macOS hosts? Can you help provide a sample event and we can have this change tested ? |
|
@gneff : Any thoughts on the above ask wrt attack_data ? |
|
@gneff : hello there! Can you please help us with a sample event that you have been testing with for Mac OS? That will help with testing this PR and getting it shipped! |
Details
What does this PR have in it? Screenshots are worth 1000 words 😄
Checklist
<platform>_<mitre att&ck technique>_<short description>nomenclatureValidated lookup changes with this query on the CSIRT Splunk Development cluster:
(The 'inputlookup' name is unique to the CSIRT Dev server and should normally reflect the standard remote_access_software name.)
Notes For Submitters and Reviewers
buildCI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.