Merge pull request #3355 from splunk/installutil_improvement

patel-bhavin · web-flow · commit a3f20ac1793f · 2025-02-25T12:11:55.000-08:00
Updating search output!
diff --git a/contentctl.yml b/contentctl.yml
@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.0.0
+  version: 5.1.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
@@ -30,11 +30,11 @@ splunk_api_username: null
 post_test_behavior: pause_on_failure
 apps:
 - uid: 1621
-  title: Splunk Common Information Model (CIM)
+  title: Splunk_SA_CIM
   appid: Splunk_SA_CIM
-  version: 6.0.1
+  version: 6.0.2
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-common-information-model-cim_601.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-common-information-model-cim_602.tgz
 - uid: 6553
   title: Splunk Add-on for Okta Identity Cloud
   appid: Splunk_TA_okta_identity_cloud
diff --git a/data_sources/splunk_cim.yml b/data_sources/splunk_cim.yml
@@ -0,0 +1,12 @@
+name: Splunk CIM
+id: d3dd8270-7e1c-4bcd-8f3a-e5ec4a0e740a
+version: 1
+date: '2025-01-14'
+author: Bhavin Patel, Splunk
+description: Data source object for Splunk CIM
+source: not_applicable
+sourcetype: not_applicable
+supported_TA:
+- name: Splunk_SA_CIM
+  url: https://splunkbase.splunk.com/app/1621
+  version: 6.0.2
diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml
@@ -1,7 +1,7 @@
 name: Windows InstallUtil Remote Network Connection
 id: 4fbf9270-43da-11ec-9486-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11 
+date: '2025-02-22'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -16,15 +16,25 @@ description: The following analytic detects the Windows InstallUtil.exe binary m
   of this activity.
 data_source:
 - Sysmon EventID 1 AND Sysmon EventID 3
-search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
-  where `process_installutil` by _time span=1h  Processes.process_id Processes.process_name
-  Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name
-  Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | join  process_id [| tstats `security_content_summariesonly`
-  count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port !=
-  0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)`
-  | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path
-  process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`'
+search: |-
+  | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
+    where `process_installutil` by _time span=1h Processes.process_id Processes.process_name
+    Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name
+    Processes.original_file_name 
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | join process_id dest
+      [| tstats `security_content_summariesonly`
+          count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port !=
+          0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.src
+      | `drop_dm_object_name(All_Traffic)` 
+      | rename dest as command_and_control
+      | rename src as dest] 
+  | table _time user src dest parent_process_name process_name process_path process process_id dest_port command_and_control
+  | stats count min(_time) as firstTime max(_time) as lastTime values(process) as process values(command_and_control) as command_and_control by user dest process_name process_id dest_port parent_process_name 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`| `windows_installutil_remote_network_connection_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -68,6 +78,8 @@ rba:
     type: parent_process_name
   - field: process_name
     type: process_name
+  - field: command_and_control
+    type: ip_address
 tags:
   analytic_story:
   - Living Off The Land
