update logic to avoid duplicate alerting

nasbench · nasbench · commit 7ebb49e63cda · 2025-02-05T22:01:51.000+01:00
diff --git a/detections/endpoint/system_user_discovery_with_query.yml b/detections/endpoint/system_user_discovery_with_query.yml
@@ -1,7 +1,7 @@
 name: System User Discovery With Query
 id: ad03bfcf-8a91-4bc2-a500-112993deba87
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-02-05'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
@@ -17,9 +17,8 @@ data_source:
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="query.exe")
-  (Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process
-  Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
+  as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="query.exe" OR Processes.original_file_name="query.exe")
+  AND Processes.process="*user*" AND ((NOT Processes.process="*/server*") OR Processes.process IN ("*/server:localhost*", "*/server:127.0.0.1*")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `system_user_discovery_with_query_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
diff --git a/detections/endpoint/windows_system_remote_discovery_with_query.yml b/detections/endpoint/windows_system_remote_discovery_with_query.yml
@@ -1,7 +1,7 @@
 name: Windows System Remote Discovery With Query
 id: 94859172-a521-474f-97ac-4cf4b09634a3
 version: 1
-date: '2025-01-06'
+date: '2025-02-05'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -11,7 +11,7 @@ data_source:
 - Windows Security Event ID 4688
 - CrowdStrike ProcessRollup2
 search: |-
-  | tstats `security_content_summariesonly` values(Processes.process_current_directory) as Processes.process_current_directory values(Processes.process_id) as Processes.process_id values(Processes.process) as Processes.process values(Processes.parent_process_id) as Processes.parent_process_id values(Processes.parent_process) as Processes.parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="query.exe" OR Processes.original_file_name="query.exe") AND (Processes.process=*/server*) by Processes.dest Processes.user Processes.process_name Processes.parent_process_name 
+  | tstats `security_content_summariesonly` values(Processes.process_current_directory) as Processes.process_current_directory values(Processes.process_id) as Processes.process_id values(Processes.process) as Processes.process values(Processes.parent_process_id) as Processes.parent_process_id values(Processes.parent_process) as Processes.parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="query.exe" OR Processes.original_file_name="query.exe") AND (Processes.process="*/server*") AND NOT Processes.process IN ("*/server:localhost*", "*/server:127.0.0.1*") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name 
   | `drop_dm_object_name(Processes)` 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
