sequence by process.entity_id with maxspan = 30s
[process where event.type in ("start", "process_started") and process.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "excel.exe") and process.command_line : ("HP", "Connect.Service", "hidden", "LoadFile")]
[file where event.type != "deletion" and file.path : ("C:\ProgramData\KPIPrinter1259.ico")]
This is the behavior of a malicious Office program. There are 2 items in it. There is no problem with each individual test, but after using the sequence keyword there is no alarm. I really don't know what is going on. I'm asking the teachers here for help.
Hi, hopefully I can help. You stated that each individual query successfully returns the respective event.
Have you verified that the events occur within 30s, per the defined maxspan? The other thing to verify would be the process.entity_id of the two events, ensuring they match.
Lastly, though this would be extremely rare, on occasion, the timestamp of the file event could mistakenly precede the process event, which would result in the sequence not matching.
Hope this helps. If not, you could share a sanitized version of the two docs to dig deeper.
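To make the three checks in the reply above concrete, here is an added example (not code from the thread or from Elastic) that models how a `sequence by process.entity_id with maxspan = 30s` joins a stage-1 process event to a stage-2 file event, and reports which check fails. All events, entity ids and timestamps are constructed sample data; the command-line terms are matched as substrings here as an assumption, whereas in the posted query `:` is case-insensitive equality, so a bare `"HP"` only matches a command line that is exactly `HP` unless wildcards are added.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(seconds=30)
NAMES = ("powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "excel.exe")
TERMS = ("hp", "connect.service", "hidden", "loadfile")

def is_process_start(ev):
    # Stage 1 of the sequence (command-line terms are matched as substrings here).
    cmd = ev.get("command_line", "").lower()
    return (ev["category"] == "process" and ev["type"] in ("start", "process_started")
            and ev["name"].lower() in NAMES and any(t in cmd for t in TERMS))

def is_ico_write(ev):
    # Stage 2: any non-deletion file event on the dropped .ico path.
    return (ev["category"] == "file" and ev["type"] != "deletion"
            and ev.get("path", "").lower() == r"c:\programdata\kpiprinter1259.ico")

def sequence_matches(events):
    """Return (matches, reasons): joined pairs, plus why a stage-2 event did not join."""
    pending, matches, reasons = {}, [], []
    for ev in sorted(events, key=lambda e: e["ts"]):  # EQL walks events in time order
        eid = ev["entity_id"]
        if is_process_start(ev):
            pending[eid] = ev  # a later stage-1 hit for the same id replaces the earlier one
        elif is_ico_write(ev):
            first = pending.get(eid)
            if first is None:
                reasons.append(f"{eid}: no earlier stage-1 event (entity_id mismatch or file timestamp before process)")
            elif ev["ts"] - first["ts"] > MAXSPAN:
                gap = (ev["ts"] - first["ts"]).total_seconds()
                reasons.append(f"{eid}: file event {gap:.0f}s after process start, beyond maxspan")
            else:
                matches.append((first, ev))
                del pending[eid]
    return matches, reasons

# Constructed sample events; only the fields the query references are modelled.
T0 = datetime(2021, 5, 1, 12, 43, 54)
def ev(category, entity_id, offset_s, **fields):
    return {"category": category, "entity_id": entity_id, "ts": T0 + timedelta(seconds=offset_s), **fields}

PS = dict(type="start", name="powershell.exe",
          command_line="Powershell -WindowStyle hidden [Reflection.Assembly]::LoadFile('C:\\ProgramData\\KPIPrinter1259.ico')")
ICO = dict(type="creation", path=r"C:\ProgramData\KPIPrinter1259.ico")

GOOD = [ev("process", "host-8920", 0, **PS), ev("file", "host-8920", 3, **ICO)]      # fires
TOO_SLOW = [ev("process", "host-8920", 0, **PS), ev("file", "host-8920", 45, **ICO)] # outside maxspan
WRONG_ID = [ev("process", "host-8920", 0, **PS), ev("file", "host-9180", 3, **ICO)]  # entity_id differs
REVERSED = [ev("file", "host-8920", 0, **ICO), ev("process", "host-8920", 2, **PS)]  # file logged first

if __name__ == "__main__":
    for label, evs in (("GOOD", GOOD), ("TOO_SLOW", TOO_SLOW), ("WRONG_ID", WRONG_ID), ("REVERSED", REVERSED)):
        m, r = sequence_matches(evs)
        print(label, "alarm" if m else "no alarm", r)
```

Running it shows only the GOOD case producing an alarm; the other three reproduce the maxspan, entity_id and timestamp-ordering failures without any rule firing.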
Thank you for your reply. I confirmed that this event can happen within a few seconds. I also tried removing process.entity_id, but it still doesn't work. They are generated by a PowerShell process; will the timestamps be the same and cause no alarm?
Are you able to share the two target events (with all sensitive data sanitized)? It would help to assess the issue.
12:43:54:420, powershell.exe, 8920:9180, 0, FILE_truncate, C:\Users\diguoji\AppData\Local\Temp\WindowsTemp.txt
host && Powershell -WindowStyle hidden [Reflection.Assembly]::LoadFile('C:\ProgramData\KPIPrinter1259.ico');$Connect = New-Object HP.Program;$Connect.Service();
get ip address
REDACTED FOR PRIVACY, REDACTED FOR PRIVACY, AZ, REDACTED FOR PRIVACY, United States
Are you able to provide the actual sanitized Elasticsearch documents for the two events, so we can better analyze your query?
(Please do not include any sensitive information. The main fields we need are those referenced in the query)
I'm sorry, I have used Elastic for only a short time and I still don't understand what you mean. But I still want to know: if the command line of the same process performs multiple operations, must it be written as one item, or can I write multiple items?