Description
I reviewed the Windows Archived Collected Data In TEMP Folder analytic rule designed to detect the creation of archived files (*.zip, *.rar, *.tar, *.7z) in temporary directories, typically indicative of malicious data collection and exfiltration attempts.
The original rule uses the Endpoint.Filesystem datamodel to identify archive creation events based on filename and path filters in temp folders:
```
| tstats `security_content_summariesonly`
count min(_time) as firstTime max(_time) as lastTime
FROM datamodel=Endpoint.Filesystem
where Filesystem.file_name IN ("*.zip", "*.rar", "*.tar", "*.7z")
Filesystem.file_path = "*\\temp\\*"
by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_archived_collected_data_in_temp_folder_filter`
```
Enhancement Implemented:
To improve context and investigation efficiency, I joined the Filesystem datamodel with Endpoint.Processes datamodel to associate the archive creation events with their originating process paths. This enables security analysts to identify which process is creating these archive files in temp folders, adding valuable forensic context and potential attribution.
Here is the enhanced query with the join on process_guid and host:
```
| tstats `security_content_summariesonly`
count min(_time) as firstTime max(_time) as lastTime
FROM datamodel=Endpoint.Filesystem
where Filesystem.file_name IN ("*.zip", "*.rar", "*.tar", "*.7z")
Filesystem.file_path = "*\\temp\\*"
by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product host
| `drop_dm_object_name(Filesystem)`
| join host firstTime lastTime process_guid
    [| tstats `security_content_summariesonly`
     count min(_time) as firstTime max(_time) as lastTime
     FROM datamodel=Endpoint.Processes
     by Processes.process_guid Processes.process_path host
     | `drop_dm_object_name(Processes)`
     | table host firstTime lastTime process_guid process_path]
| stats count by host firstTime lastTime process_path file_path file_name file_create_time process_guid
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_archived_collected_data_in_temp_folder_filter`
```
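The correlation the enhanced query performs, as an added stand-alone example (not part of the issue or the security_content project): it applies the same archive-extension and `\temp\` filters to constructed file-creation events, then looks up `process_path` by `(host, process_guid)` from constructed process events. It keeps archive events that have no matching process record and flags them, whereas an inner join would drop them.

```python
import re
from collections import Counter

# Filters mirrored from the rule: archive extensions created under a \temp\ path.
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".tar", ".7z")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample telemetry (not real data); field names follow the Endpoint datamodel.
FILESYSTEM_EVENTS = [
    {"host": "ws01", "file_name": "staging.zip", "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\staging.zip", "process_guid": "guid-1"},
    {"host": "ws01", "file_name": "notes.txt", "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\notes.txt", "process_guid": "guid-1"},
    {"host": "ws02", "file_name": "backup.7z", "file_path": "D:\\Backups\\backup.7z", "process_guid": "guid-2"},
    {"host": "ws02", "file_name": "docs.rar", "file_path": "C:\\Windows\\Temp\\docs.rar", "process_guid": "guid-9"},
]
PROCESS_EVENTS = [
    {"host": "ws01", "process_guid": "guid-1", "process_path": "C:\\Program Files\\7-Zip\\7z.exe"},
    {"host": "ws02", "process_guid": "guid-2", "process_path": "C:\\Program Files\\7-Zip\\7z.exe"},
]


def is_archive_in_temp(event):
    """Equivalent of file_name IN (*.zip, ...) AND file_path = *\\temp\\* (case-insensitive)."""
    name = event["file_name"].lower()
    return name.endswith(ARCHIVE_EXTENSIONS) and bool(TEMP_DIR.search(event["file_path"]))


def index_processes(process_events):
    # Keyed on (host, process_guid): a process GUID is only meaningful per host.
    return {(e["host"], e["process_guid"]): e["process_path"] for e in process_events}


def enrich_archive_events(fs_events, process_events):
    """Filter archive creations in temp folders and attach the creating process path."""
    procs = index_processes(process_events)
    results = []
    for e in fs_events:
        if not is_archive_in_temp(e):
            continue
        # Left-join semantics: an archive event with no process record is kept with
        # process_path=None so the analyst still sees it (an inner join would drop it).
        results.append({"host": e["host"], "file_name": e["file_name"], "file_path": e["file_path"],
                        "process_guid": e["process_guid"],
                        "process_path": procs.get((e["host"], e["process_guid"]))})
    return results


def count_by_process(enriched):
    """Rough equivalent of the final 'stats count by host process_path'."""
    return Counter((r["host"], r["process_path"] or "<no process record>") for r in enriched)


if __name__ == "__main__":
    for row in enrich_archive_events(FILESYSTEM_EVENTS, PROCESS_EVENTS):
        print(row)
```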