
Commit 5f47366

Update telegram_detected_access_suspicious_api_url.yml
Fix drilldown and change index to macro `wineventlog_security`
1 parent d7629fe commit 5f47366

File tree

1 file changed (+8, -14 lines)

detections/endpoint/telegram_detected_access_suspicious_api_url.yml

Lines changed: 8 additions & 14 deletions
@@ -8,7 +8,7 @@ author: Zaki Zarkasih Al Mustafa
88
type: TTP
99
status: production
1010
description: Detects suspicious process activity related to Telegram API
11-
search: index=windows (sourcetype=Wineventlog:Security OR source=Wineventlog:Security)
11+
search: `wineventlog_security`
1212
AND ParentProcessName=*Telegram* AND CommandLine=*api.telegram* | eval utc_time=strptime(TimeCreated,
1313
"%Y-%m-%dT%H:%M:%S.%6NZ") | eval Time_Created=strftime(utc_time + 25200, "%Y-%m-%d
1414
%H:%M:%S") | rename Time_Created as "Time Created", host as Host, src_user as User
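Review bot: the `strftime(utc_time + 25200, "%Y-%m-%d %H:%M:%S")` on the unchanged continuation lines bakes a fixed UTC+7 offset into the output, which is wrong for any other deployment and diverges from `_time`; since this hunk already rewrites the search head, consider `| eval Time_Created=strftime(_time, "%Y-%m-%d %H:%M:%S")` so Splunk applies the viewer's timezone, and note that the `%6NZ` parse assumes TimeCreated always carries exactly six subsecond digits and a trailing Z. The switch from `index=windows (sourcetype=Wineventlog:Security OR source=Wineventlog:Security)` to the `wineventlog_security` macro also means the search now depends on whatever index/source the macro expands to; the `ParentProcessName` and `CommandLine` filters need process-creation (4688) events with command-line auditing enabled, so confirm the macro's definition covers the data the hard-coded sourcetype previously matched.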
@@ -28,33 +28,27 @@ known_false_positives: |
2828
Developers testing Telegram API functionality in controlled environments.
2929
3030
drilldown_searches:
31-
- name: Original Detection
32-
description: Original detection search results
33-
search: "%original_detection_search%"
34-
earliest_offset: -24h
35-
latest_offset: now
36-
3731
- name: Investigate Parent Process
3832
description: |
3933
This drilldown searches for other processes spawned by the same parent process
4034
to identify potential patterns or related activities.
4135
search: |
42-
index=windows (sourcetype=Wineventlog:Security OR source=Wineventlog:Security)
36+
`wineventlog_security`
4337
AND ParentProcessName="$ParentProcessName$"
4438
| table _time, ParentProcessName, NewProcessName, CommandLine
45-
earliest_offset: -24h
46-
latest_offset: now
39+
earliest_offset: $info_min_time$
40+
latest_offset: $info_max_time$
4741

4842
- name: Investigate User Activity
4943
description: |
5044
This drilldown searches for all activities performed by the same user in the
5145
Windows Event Logs to provide additional context.
5246
search: |
53-
index=windows (sourcetype=Wineventlog:Security OR source=Wineventlog:Security)
47+
`wineventlog_security`
5448
AND src_user="$src_user$"
5549
| table _time, src_user, EventID, host, CommandLine
56-
earliest_offset: -24h
57-
latest_offset: now
50+
earliest_offset: $info_min_time$
51+
latest_offset: $info_max_time$
5852

5953
references:
6054
- https://securelist.com/telegram-phishing-services/109383/
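Review bot: the `Investigate User Activity` drilldown filters on `src_user="$src_user$"`, but the detection search in the previous hunk ends with `rename ... src_user as User`, so `src_user` is no longer present in the results and the token will not populate; either drop that rename or reference `$User$` here. Separately, the `Original Detection` drilldown (`search: "%original_detection_search%"`) is deleted without mention in the commit message; if that is intentional, say so, otherwise keep it as the first drilldown. Replacing the fixed `-24h`/`now` window with `$info_min_time$`/`$info_max_time$` is the right fix, since the old values ignored the time range of the triggering search.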
@@ -97,4 +91,4 @@ tests:
9791
attack_data:
9892
- data: https://github.com/splunk/contentctl/wiki
9993
sourcetype: Wineventlog:Security
100-
source: Wineventlog
94+
source: Wineventlog
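Review bot: the only visible change in this hunk is `source: Wineventlog`, which reads identically before and after, so this is a whitespace or line-ending edit; confirm it is intended. More importantly, now that the search relies on the `wineventlog_security` macro instead of `sourcetype=Wineventlog:Security OR source=Wineventlog:Security`, the test's `sourcetype: Wineventlog:Security` / `source: Wineventlog` must be values the macro actually matches (the old `source=Wineventlog:Security` never matched `source: Wineventlog` either, only the sourcetype did), and `data: https://github.com/splunk/contentctl/wiki` points at a wiki page rather than an attack-data log, so the unit test will not exercise the search against real events.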
