Merge pull request #1999 from splunk/ssa_incident

SSA package
splunk · Feb 7, 2022 · 5dbd79c · 5dbd79c
2 parents 376c5a8 + a8c6f8f
commit 5dbd79c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/dist/ssa/srs/ssa___detect_dump_lsass_memory_using_comsvcs.yml b/dist/ssa/srs/ssa___detect_dump_lsass_memory_using_comsvcs.yml
@@ -24,10 +24,11 @@ search: '| from read_ssa_enriched_events() | eval tenant=ucast(map_get(input_eve
   "string", null), process_name=lower(ucast(map_get(input_event, "process_name"),
   "string", null)), timestamp=parse_long(ucast(map_get(input_event, "_time"), "string",
   null)), process=lower(ucast(map_get(input_event, "process"), "string", null)), event_id=ucast(map_get(input_event,
-  "event_id"), "string", null) | where process_name LIKE "%rundll32.exe%" AND match_regex(process,
-  /(?i)comsvcs.dll[,\s]+MiniDump/)=true | eval start_time = timestamp, end_time =
-  timestamp, entities = mvappend(machine), body=create_map(["event_id", event_id,
-  "process_name", process_name, "process", process]) | into write_ssa_detected_events();'
+  "event_id"), "string", null) | where process IS NOT NULL AND process_name IS NOT
+  NULL AND process_name LIKE "%rundll32.exe%" AND match_regex(process, /(?i)comsvcs.dll[,\s]+MiniDump/)=true
+  | eval start_time = timestamp, end_time = timestamp, entities = mvappend(machine),
+  body=create_map(["event_id", event_id, "process_name", process_name, "process",
+  process]) | into write_ssa_detected_events();'
 tags:
   analytic_story:
   - Credential Dumping

diff --git a/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml b/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml
@@ -27,9 +27,9 @@ search: '| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map
   "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string",
   null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string",
   null), event_id=ucast(map_get(input_event, "event_id"), "string", null) | where
-  cmd_line IS NOT NULL AND process_name IS NOT NULL AND process_name="wbadmin.exe"
+  (cmd_line IS NOT NULL AND process_name IS NOT NULL) AND (process_name="wbadmin.exe"
   AND like (cmd_line, "%delete%") OR like (cmd_line, "%catalog%") OR like (cmd_line,
-  "%systemstatebackup%") | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event,
+  "%systemstatebackup%")) | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event,
   "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"),
   "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name",
   process_name, "parent_process_name", parent_process_name, "process_path", process_path])