
Description

Command lines that are extremely long may be indicative of malicious activity on your hosts.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-12-08
  • Author: David Dorsey, Splunk
  • ID: c77162d3-f93c-45cc-80c8-22f6a4264e7f

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval processlen=len(process)
| eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest
| stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process
| `unusually_long_command_line_filter`
| eval threshold = 3
| where maxlen > ((threshold*stdevperhost) + avgperhost)
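The search above flags a command line whose length exceeds the per-host mean by more than three per-host standard deviations. The Python below re-implements that pipeline step by step over constructed process events so the arithmetic can be inspected offline; it is an added example, not Splunk's code, and the host names, users and command lines in it are made up. Two details of the SPL are mirrored deliberately: `tstats ... by ... process` collapses identical command lines on a host into one row before the baseline is computed, and Splunk's `stdev()` is the sample standard deviation, not the population one.

```python
"""Re-implementation of the unusually-long-command-line detection in Python.
Added example, not Splunk's own code; the events below are constructed."""
import statistics
from collections import defaultdict

THRESHOLD = 3  # same multiplier as the SPL's "eval threshold = 3"

# Constructed baseline of ordinary command lines: (process_name, process)
ORDINARY = [
    ("cmd.exe", "cmd.exe /c dir"),
    ("cmd.exe", "cmd.exe /c whoami"),
    ("cmd.exe", "cmd.exe /c ipconfig"),
    ("cmd.exe", "cmd.exe /c hostname"),
    ("notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
    ("notepad.exe", "notepad.exe C:\\Users\\alice\\todo.txt"),
    ("svchost.exe", "svchost.exe -k netsvcs"),
    ("svchost.exe", "svchost.exe -k LocalService"),
    ("explorer.exe", "explorer.exe"),
    ("conhost.exe", "conhost.exe 0x4"),
    ("ping.exe", "ping.exe -n 1 10.0.0.1"),
    ("tasklist.exe", "tasklist.exe /v"),
    ("chrome.exe", "chrome.exe --profile-directory=Default"),
    ("outlook.exe", "outlook.exe /recycle"),
    ("msiexec.exe", "msiexec.exe /i setup.msi /qn"),
]
# Constructed stand-in for a suspicious launch: a 300-character encoded argument
LONG = ("powershell.exe", "powershell.exe -nop -w hidden -enc " + "A" * 300)

# Raw process events shaped like Endpoint.Processes: (dest, user, process_name, process)
SAMPLE_EVENTS = (
    [("host01", "alice", n, p) for n, p in ORDINARY]      # 15 ordinary lines ...
    + [("host01", "alice", *ORDINARY[0])] * 5             # ... one launched repeatedly
    + [("host01", "alice", *LONG)]                         # ... and one outlier
    + [("host02", "bob", n, p) for n, p in ORDINARY]       # nothing unusual
    + [("host03", "carol", *ORDINARY[0]), ("host03", "carol", *ORDINARY[1]),
       ("host03", "carol", *LONG)]                         # only 3 distinct lines
)


def distinct_rows(events):
    """Mirror 'tstats ... by user dest process_name process': identical command
    lines on a host collapse into one row, so repeats do not inflate the baseline."""
    return sorted(set(events))


def host_baselines(rows):
    """eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest."""
    lens = defaultdict(list)
    for dest, _user, _name, process in rows:
        lens[dest].append(len(process))           # eval processlen=len(process)
    baselines = {}
    for dest, values in lens.items():
        avg = statistics.fmean(values)
        # Splunk's stdev() is the sample standard deviation (stdevp is population);
        # a host with a single row gets 0, as in Splunk.
        stdev = statistics.stdev(values) if len(values) > 1 else 0.0
        baselines[dest] = (avg, stdev)
    return baselines


def unusually_long_command_lines(events, threshold=THRESHOLD):
    """stats max(processlen) by dest, user, process_name, process, then
    where maxlen > threshold*stdevperhost + avgperhost."""
    rows = distinct_rows(events)
    baselines = host_baselines(rows)
    hits = []
    for dest, user, name, process in rows:
        avg, stdev = baselines[dest]
        cutoff = threshold * stdev + avg
        if len(process) > cutoff:
            hits.append({"dest": dest, "user": user, "process_name": name,
                         "maxlen": len(process), "cutoff": round(cutoff, 1)})
    return hits


def min_rows_for_lone_outlier(threshold=THRESHOLD):
    """Smallest number of distinct rows on a host at which a single outlier can
    exceed the cutoff: one point among n rows has z-score at most (n-1)/sqrt(n)."""
    n = 2
    while (n - 1) / n ** 0.5 <= threshold:
        n += 1
    return n


if __name__ == "__main__":
    for hit in unusually_long_command_lines(SAMPLE_EVENTS):
        print(hit)
    print("distinct rows a host needs before one outlier can fire:",
          min_rows_for_lone_outlier())
```

Running it flags only the `powershell.exe` line on `host01`. `host03` carries the same long command line but is never flagged: with only three distinct rows, the outlier itself dominates the host's mean and standard deviation, and `min_rows_for_lone_outlier()` shows that with `threshold = 3` a host needs at least 11 distinct command lines in the search window before a single outlier can exceed the cutoff at all. When tuning this detection, check how many hosts in your environment actually clear that bar for the time range the search runs over.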

Associated Analytic Story

How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the process field in the Endpoint data model.

Required field

  • _time
  • Processes.user
  • Processes.dest
  • Processes.process_name
  • Processes.process

Kill Chain Phase

  • Actions on Objectives

Known False Positives

Some legitimate applications start with long command lines.

RBA

  • Risk Score: 42.0
  • Impact: 70
  • Confidence: 60
  • Message: Unusually long command line $Processes.process_name$ on $dest$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 5