@cbecks2
Created July 3, 2023 19:53
Subsearch for detect_patterns table
This search is designed to work with CrowdStrike FDR data ingested into Splunk. I will leave it as an exercise for you to translate it into your own SIEM. The two event types it correlates are AssociateIndicator (which carries the PatternId that fired) and ProcessRollup2/SyntheticProcessRollup2 (which carries the image, command line, parent and user SID); both share the aid + TargetProcessId pair used as the join key.
``` Identify the PatternIds you care about first, e.g. | inputlookup detect_patterns.csv where description="mything", and substitute them for the placeholder IDs 1, 2, 3 used below ```
``` Join AssociateIndicator events to the process and command line that produced them. We sub-search for the suspect aid + TargetProcessId combinations and use them to find the matching ProcessRollup2 events. ```
``` Process rollup events ```
( `Your FDR Index`
event_platform="Win"
event_simpleName IN (ProcessRollup2,SyntheticProcessRollup2)
``` Subsearch with our actual logic to get aid + process pairs + PatternId ```
[ search `Your FDR Index`
event_platform="Win"
``` Relevant PatternIds ```
(event_simpleName = "AssociateIndicator" PatternId IN ("1","2","3"))
| table aid, TargetProcessId])
OR
(`Your FDR Index`
event_platform="Win"
``` Relevant pattern IDs ```
(event_simpleName = "AssociateIndicator" PatternId IN ("1","2","3"))
)
``` Join the two different event types from above to try to piece together the whole story. Avoid actually using the "join" command because most SIEM engineers are great people ```
| stats earliest(_time) AS _time values(event_simpleName) AS event_simpleName values(PatternId) AS PatternId values(UserSid) AS sid values(ParentBaseFileName) AS parent_process_exec values(ImageFileName) AS process_exec values(CommandLine) AS process dc(event_simpleName) as unique_event_simpleName by aid TargetProcessId index
| where unique_event_simpleName > 1 OR event_simpleName = "AssociateIndicator"
| fillnull value="Unable to Resolve" PatternId sid parent_process_exec process_exec process
| stats earliest(_time) AS _time values(PatternId) AS PatternId by aid sid parent_process_exec process_exec process index
| rename values(*) AS *
``` Identity enrichment goes here: map sid to the user and email fields that the stats below expects ```
``` Asset enrichment goes here: map aid to the dest and dest_host fields that the stats below expects ```
| stats values(user) AS user values(email) AS email count by _time dest dest_host process_exec process PatternId index
| rename values(*) AS *
``` Anchor the regexes: an unanchored "1" would also match PatternIds such as 10 or 21 ```
| eval PatternIdDescription=if(match(PatternId,"^1$"),"Friendly Description 1", if(match(PatternId,"^2$"),"Friendly Description 2", if(match(PatternId,"^3$"),"Friendly Description 3", "-")))
| table _time dest dest_host user process_exec process PatternId PatternIdDescription index
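As an added example that is not part of the original gist, here is the same correlation written in plain Python, for anyone porting the logic to a SIEM that has no subsearch. It filters to Windows AssociateIndicator events whose PatternId is in the watch set, keys them by aid + TargetProcessId, attaches the ProcessRollup2 or SyntheticProcessRollup2 event with the same key, and fills "Unable to Resolve" where no rollup exists, mirroring the stats/where/fillnull steps above. The sample events, the aid values and the PatternId descriptions are constructed placeholders (the IDs 1, 2, 3 are hypothetical, as in the gist; real ones come from detect_patterns.csv).

```python
import json
from collections import defaultdict

UNRESOLVED = "Unable to Resolve"

# Placeholder PatternId -> description map standing in for detect_patterns.csv.
# IDs 1, 2, 3 are hypothetical, as in the gist.
PATTERN_DESCRIPTIONS = {
    "1": "Friendly Description 1",
    "2": "Friendly Description 2",
    "3": "Friendly Description 3",
}

# Constructed sample events in FDR shape (not real telemetry), one JSON object per line.
# Covers: two indicators on one process with a rollup, an indicator with no rollup,
# an out-of-scope PatternId, a non-Windows event and a rollup with no indicator.
SAMPLE_EVENTS = r"""
{"event_simpleName":"AssociateIndicator","event_platform":"Win","aid":"11111111111111111111111111111111","TargetProcessId":"100","PatternId":"1","timestamp":"1688414000000"}
{"event_simpleName":"ProcessRollup2","event_platform":"Win","aid":"11111111111111111111111111111111","TargetProcessId":"100","UserSid":"S-1-5-21-1000-2000-3000-1001","ParentBaseFileName":"explorer.exe","ImageFileName":"\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami","timestamp":"1688413990000"}
{"event_simpleName":"AssociateIndicator","event_platform":"Win","aid":"11111111111111111111111111111111","TargetProcessId":"100","PatternId":"3","timestamp":"1688414005000"}
{"event_simpleName":"AssociateIndicator","event_platform":"Win","aid":"22222222222222222222222222222222","TargetProcessId":"200","PatternId":"2","timestamp":"1688414100000"}
{"event_simpleName":"AssociateIndicator","event_platform":"Win","aid":"11111111111111111111111111111111","TargetProcessId":"300","PatternId":"99","timestamp":"1688414200000"}
{"event_simpleName":"AssociateIndicator","event_platform":"Mac","aid":"33333333333333333333333333333333","TargetProcessId":"400","PatternId":"1","timestamp":"1688414300000"}
{"event_simpleName":"SyntheticProcessRollup2","event_platform":"Win","aid":"44444444444444444444444444444444","TargetProcessId":"500","ImageFileName":"\\Device\\HarddiskVolume2\\Windows\\notepad.exe","CommandLine":"notepad.exe","timestamp":"1688414400000"}
""".strip().splitlines()


def correlate(lines, pattern_ids):
    """Join AssociateIndicator events to the rollup event for the same
    (aid, TargetProcessId), the way the gist's subsearch + stats does.

    Returns one row per suspect process, sorted by (aid, TargetProcessId)."""
    wanted = set(pattern_ids)
    # (aid, TargetProcessId) -> {"PatternId": set(...), "first_seen": epoch ms}
    indicators = defaultdict(lambda: {"PatternId": set(), "first_seen": None})
    rollups = {}  # (aid, TargetProcessId) -> rollup event dict

    for line in lines:
        ev = json.loads(line)
        if ev.get("event_platform") != "Win":
            continue  # the search is scoped to event_platform="Win"
        key = (ev.get("aid"), ev.get("TargetProcessId"))
        name = ev.get("event_simpleName")
        ts = int(ev.get("timestamp", 0))
        if name == "AssociateIndicator" and ev.get("PatternId") in wanted:
            entry = indicators[key]
            entry["PatternId"].add(ev["PatternId"])
            entry["first_seen"] = ts if entry["first_seen"] is None else min(entry["first_seen"], ts)
        elif name in ("ProcessRollup2", "SyntheticProcessRollup2"):
            # Last rollup per key wins here; the SPL values() would merge all of them.
            rollups[key] = ev

    rows = []
    for (aid, tpid), entry in sorted(indicators.items()):
        roll = rollups.get((aid, tpid), {})  # empty dict == no rollup found
        pids = sorted(entry["PatternId"])
        first_seen = entry["first_seen"]
        if roll:
            first_seen = min(first_seen, int(roll.get("timestamp", first_seen)))  # earliest(_time)
        rows.append({
            "_time": first_seen,
            "aid": aid,
            "TargetProcessId": tpid,
            "PatternId": pids,
            "PatternIdDescription": [PATTERN_DESCRIPTIONS.get(p, "-") for p in pids],
            # fillnull equivalent: every rollup-derived field defaults to UNRESOLVED
            "sid": roll.get("UserSid", UNRESOLVED),
            "parent_process_exec": roll.get("ParentBaseFileName", UNRESOLVED),
            "process_exec": roll.get("ImageFileName", UNRESOLVED),
            "process": roll.get("CommandLine", UNRESOLVED),
        })
    return rows


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_EVENTS, {"1", "2", "3"}), indent=1))
```

Run it as-is to see the two resulting rows: the cmd.exe process with PatternIds 1 and 3 fully resolved, and the aid-2 process whose rollup never arrived, reported with "Unable to Resolve" so the indicator is not silently dropped. The rollup with no indicator and the non-Windows event are discarded, exactly as the `where unique_event_simpleName > 1 OR event_simpleName = "AssociateIndicator"` filter and the platform clause do in SPL. Identity and asset enrichment (sid to user, aid to dest) would be applied to the returned rows, where the gist's placeholder comments sit.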