Track Specific Field Values
In the following example, a new field called win_command_count allows a rule to count the occurrences of a specific value of the process_name field within a sequence or session.
    count-win-command {
      EventTypes = ['process-created', 'privileged-object-access']
      Condition = "exists(process_name) && ((InList(toLower(process_name),'net.exe') && InList(toLower(arg),'start','user','time','view','use','localgroup','group','config','share')) || (InList(toLower(process_name),'netsh.exe') && InList(toLower(arg),'advfirewall')) || (InList(toLower(process_name),'tasklist.exe','ver.exe','ipconfig.exe','systeminfo.exe','netstat.exe','whoami','qprocess.exe','query.exe','type.exe','at.exe','reg.exe','wmic.exe','wusa.exe','sc.exe','rundll32.exe','psexesvc.exe','icacls.exe','arp.exe','route.exe')))"
      Map = [
        { Field = "win_command_count"    Value = """'1'""" },
        { Field = "win_critical_command" Value = """process_name""" }
      ]
    }
In the analytics engine, count expressions count the occurrences of a field. In the example above, the counting occurs on the process_name field, but the expression by itself does not specify which process_name values should be counted. The enriched expression below ensures that the new count field is only created when the process-created value occurs:

    Sum(win_command_count, 'process-created')
Note: To count the number of times a set of conditions is satisfied in a session, create a field and assign it a value of 1 to indicate that the condition must be satisfied for the event. This allows implementation of abnormal-number-based use cases.

A rule can use the field to know the unique number of processes that satisfied the condition:

    DistinctCount(win_critical_command, 'process-created')
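To show how the rule's Condition and Map interact with the Sum and DistinctCount expressions above, here is an added simulation in Python over a constructed session of events. It is not the analytics engine's own code; the event layout (event_type, process_name, arg) and the helper names are assumptions made for the simulation.

```python
# Added example (not the analytics engine's code): simulates the
# count-win-command rule's Condition and Map on each event, then the
# Sum(...) and DistinctCount(...) aggregations over one session.
# Event layout and helper names are assumptions for this simulation.

NET_ARGS = {'start', 'user', 'time', 'view', 'use', 'localgroup', 'group',
            'config', 'share'}
RECON_TOOLS = {'tasklist.exe', 'ver.exe', 'ipconfig.exe', 'systeminfo.exe',
               'netstat.exe', 'whoami', 'qprocess.exe', 'query.exe',
               'type.exe', 'at.exe', 'reg.exe', 'wmic.exe', 'wusa.exe',
               'sc.exe', 'rundll32.exe', 'psexesvc.exe', 'icacls.exe',
               'arp.exe', 'route.exe'}

def condition(event):
    """Mirror of the rule's Condition string for a single event."""
    name = event.get('process_name')
    if not name:                       # exists(process_name)
        return False
    name, arg = name.lower(), (event.get('arg') or '').lower()
    return ((name == 'net.exe' and arg in NET_ARGS)
            or (name == 'netsh.exe' and arg == 'advfirewall')
            or name in RECON_TOOLS)

def apply_rule(event):
    """Apply the Map block: add the two derived fields when the rule fires."""
    if (event['event_type'] in ('process-created', 'privileged-object-access')
            and condition(event)):
        return dict(event, win_command_count='1',
                    win_critical_command=event['process_name'])
    return event

def sum_field(events, field, event_type):
    """Sum(field, event_type): total of the field over events of that type."""
    return sum(int(e[field]) for e in events
               if e['event_type'] == event_type and field in e)

def distinct_count(events, field, event_type):
    """DistinctCount(field, event_type): unique values of the field."""
    return len({e[field] for e in events
                if e['event_type'] == event_type and field in e})

# Constructed sample session: discovery commands mixed with benign activity.
SESSION = [apply_rule(e) for e in [
    {'event_type': 'process-created', 'process_name': 'whoami', 'arg': ''},
    {'event_type': 'process-created', 'process_name': 'NET.EXE', 'arg': 'user'},
    {'event_type': 'process-created', 'process_name': 'net.exe', 'arg': 'stop'},
    {'event_type': 'process-created', 'process_name': 'ipconfig.exe', 'arg': '/all'},
    {'event_type': 'process-created', 'process_name': 'whoami', 'arg': '/priv'},
    {'event_type': 'privileged-object-access', 'process_name': 'reg.exe', 'arg': 'query'},
    {'event_type': 'process-created', 'process_name': 'notepad.exe', 'arg': ''},
]]

def session_counts(session=SESSION):
    """(Sum of win_command_count, DistinctCount of win_critical_command)."""
    return (sum_field(session, 'win_command_count', 'process-created'),
            distinct_count(session, 'win_critical_command', 'process-created'))
```

Note that the reg.exe event is excluded from both results because the expressions restrict to process-created, and that DistinctCount is case sensitive here because the Map stores the raw process_name rather than toLower(process_name).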