@MHaggis
Created Apr 18, 2022

While working on the following analytic, the datamodel mappings could not be completed properly: the process and registry events did not map to each other correctly.

Full query with join:

| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry
  where Registry.registry_path IN ("*\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\*") AND Registry.registry_value_name="SD" AND Registry.user="SYSTEM" 
  by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data 
  | `drop_dm_object_name(Registry)` 
  | join process_guid _time 
  [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
  by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid 
  | `drop_dm_object_name(Processes)`]
  | table _time dest user process_name process process_guid registry_path registry_value_name registry_value_data registry_key_name action

Without join:

| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry
  where Registry.registry_path IN ("*\\Schedule\\TaskCache\\Tree\\*") AND Registry.user="SYSTEM" AND Registry.registry_value_name="SD" AND (Registry.action=Deleted OR Registry.action=modified)
  by _time Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data Registry.status Registry.action
  | `drop_dm_object_name(Registry)`

The second query works best, but you lose the context of which process performed the action. The action field only shows modified or deleted because the registry action is not being mapped correctly by the TA.
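The two searches differ mainly in what happens when a registry event has no matching process row. Splunk's `join` is an inner join by default, so every SD deletion or modification whose `process_guid` does not map to an Endpoint.Processes row in the same hourly `_time` bucket silently disappears, while the join-free search keeps the event but carries no process context. The following Python is an added example (not part of the gist and not the analytic's own code) that models both behaviours over constructed sample rows; the hostnames, GUIDs, timestamps and command line are hypothetical placeholders, and the `correlate` and `unmapped` helpers are assumptions written for this illustration.

```python
"""Model the Registry/Processes correlation from the two tstats searches.

Added example, not part of the original gist. It reproduces the filter of the
registry search and the join on (hourly _time bucket, process_guid) in plain
Python so the difference between an inner join (Splunk's default) and a left
join can be seen on constructed events.
"""
from __future__ import annotations

SPAN_SECONDS = 3600                               # mirrors `span=1h`
TASK_CACHE_TREE = "\\schedule\\taskcache\\tree\\"  # mirrors the registry_path wildcard

# Constructed sample rows shaped like Endpoint.Registry / Endpoint.Processes
# output after drop_dm_object_name (hypothetical host, GUIDs and times).
BASE = 1_650_240_000  # exact hour boundary: 2022-04-18 00:00:00 UTC
TREE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"

REGISTRY_EVENTS = [
    # 1) SD deleted by a process that also appears in Endpoint.Processes
    {"_time": BASE + 120, "dest": "ws01", "user": "SYSTEM", "process_guid": "{GUID-1}",
     "registry_path": TREE + r"\Updater\SD", "registry_value_name": "SD", "action": "deleted"},
    # 2) SD modified, but the TA never produced a process row for this GUID
    {"_time": BASE + 600, "dest": "ws01", "user": "SYSTEM", "process_guid": "{GUID-2}",
     "registry_path": TREE + r"\Maint\SD", "registry_value_name": "SD", "action": "modified"},
    # 3) SD deleted by a process that started in the *previous* hour bucket
    {"_time": BASE + 900, "dest": "ws01", "user": "SYSTEM", "process_guid": "{GUID-3}",
     "registry_path": TREE + r"\Sync\SD", "registry_value_name": "SD", "action": "deleted"},
    # 4) a different value name under the same key: must be filtered out
    {"_time": BASE + 1000, "dest": "ws01", "user": "SYSTEM", "process_guid": "{GUID-1}",
     "registry_path": TREE + r"\Updater\Id", "registry_value_name": "Id", "action": "modified"},
    # 5) SD change by a non-SYSTEM user: must be filtered out
    {"_time": BASE + 1100, "dest": "ws01", "user": "alice", "process_guid": "{GUID-4}",
     "registry_path": TREE + r"\Other\SD", "registry_value_name": "SD", "action": "deleted"},
]

PROCESS_EVENTS = [
    {"_time": BASE + 30, "dest": "ws01", "process_guid": "{GUID-1}",
     "process_name": "reg.exe", "process": "reg.exe <constructed command line>"},
    {"_time": BASE - 300, "dest": "ws01", "process_guid": "{GUID-3}",   # previous hour
     "process_name": "reg.exe", "process": "reg.exe <constructed command line>"},
]


def hour_bucket(epoch: int) -> int:
    """Floor a timestamp to the start of its hour, like `by _time span=1h`."""
    return epoch - epoch % SPAN_SECONDS


def registry_filter(ev: dict) -> bool:
    """The `where` clause of the registry search: TaskCache\\Tree, SD value, SYSTEM, deleted/modified."""
    return (
        ev["user"] == "SYSTEM"
        and ev["registry_value_name"] == "SD"
        and ev["action"].lower() in {"deleted", "modified"}
        and TASK_CACHE_TREE in ev["registry_path"].lower()
    )


def correlate(registry_events: list, process_events: list, join_type: str = "left") -> list:
    """Join filtered registry rows to process rows on (hour bucket, process_guid).

    join_type="inner" drops registry rows without a process match (Splunk's default);
    join_type="left" keeps them with empty process fields, like the join-free search.
    """
    procs = {(hour_bucket(p["_time"]), p["process_guid"]): p for p in process_events}
    rows = []
    for r in registry_events:
        if not registry_filter(r):
            continue
        proc = procs.get((hour_bucket(r["_time"]), r["process_guid"]))
        if proc is None and join_type == "inner":
            continue
        rows.append({
            "_time": hour_bucket(r["_time"]), "dest": r["dest"], "user": r["user"],
            "process_guid": r["process_guid"],
            "process_name": proc["process_name"] if proc else None,
            "process": proc["process"] if proc else None,
            "registry_path": r["registry_path"],
            "registry_value_name": r["registry_value_name"], "action": r["action"],
        })
    return rows


def unmapped(rows: list) -> list:
    """Rows that fired without process context; a quick measure of the TA mapping gap."""
    return [row for row in rows if row["process_name"] is None]


if __name__ == "__main__":
    for mode in ("inner", "left"):
        out = correlate(REGISTRY_EVENTS, PROCESS_EVENTS, mode)
        print(f"{mode}: {len(out)} alert(s), {len(unmapped(out))} without process context")
        for row in out:
            print("  ", row["action"], row["registry_path"], "->", row["process_name"])
```

Run stand-alone, the inner-join mode yields one alert and the left-join mode three, two of them without a process name: one because the GUID never mapped, one because the process start fell into the previous hourly bucket even though the GUID exists. The second case is worth checking in real data before blaming the TA, since bucketing `_time` on both sides of the join only matches processes that started in the same hour as the registry write.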
