
Exabeam Security Content in the Common Information Model

Track Specific Field Values

In the following example, a new field called win_command_count allows a rule to count the occurrences of specific values of the field process_name within a sequence or session.

count-win-command {
  EventTypes = ['process-created','privileged-object-access']
  Condition = "exists(process_name) &&
    ((InList(toLower(process_name),'net.exe') && InList(toLower(arg),'start','user','time','view','use','localgroup','group','config','share')) ||
     (InList(toLower(process_name),'netsh.exe') && InList(toLower(arg),'advfirewall')) ||
     (InList(toLower(process_name),'tasklist.exe','ver.exe','ipconfig.exe','systeminfo.exe','netstat.exe','whoami','qprocess.exe','query.exe','type.exe','at.exe','reg.exe','wmic.exe','wusa.exe','sc.exe','rundll32.exe','psexesvc.exe','icacls.exe','arp.exe','route.exe')))"
  Map = [
    {
      Field = "win_command_count"
      Value = """'1'"""
    },
    {
      Field = "win_critical_command"
      Value = """process_name"""
    }
  ]
}

In the analytics engine, count expressions count how often a field occurs. In the example above, the counting is driven by the process_name field, but the rule on its own does not specify which events should be counted: it fires for both process-created and privileged-object-access events. The count expression below restricts the count to events of type process-created, so the new count field only accumulates when that event type occurs.

Sum(win_command_count, 'process-created')

Note

To count the number of times a set of conditions is satisfied in a session, create a field and assign it a value of 1 whenever an event satisfies the conditions. This enables use cases based on an abnormal count of such events.

A rule can use the field to determine the number of unique processes that satisfied the condition.

DistinctCount(win_critical_command, 'process-created')