previously_seen_zoom_child_processes___update.yml

name: Previously Seen Zoom Child Processes - Update
id: 80aea7fd-5da2-4533-b3c2-560533bfbaee
version: 1
date: '2020-05-20'
author: David Dorsey, Splunk
type: Baseline
status: production
description: This search returns the first and last time a process was seen per endpoint
  with a parent process of zoom.exe (Windows) or zoom.us (macOS) within the last hour.
  It then updates this information with historical data and filters out proces_name
  and endpoint pairs that have not been seen within the specified time window. This
  updated table is outputed to disk.
search: '| tstats `security_content_summariesonly` min(_time) as firstTimeSeen max(_time)
  as lastTimeSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe
  OR Processes.parent_process_name=zoom.us) by Processes.process_name Processes.dest|
  `drop_dm_object_name(Processes)` | table firstTimeSeen, lastTimeSeen, process_name,
  dest | inputlookup zoom_first_time_child_process append=t | stats min(firstTimeSeen)
  as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by process_name, dest | where
  lastTimeSeen > relative_time(now(), "`previously_seen_zoom_child_processes_forget_window`")
  | outputlookup zoom_first_time_child_process'
how_to_implement: You must be ingesting endpoint data that tracks process activity,
  including parent-child relationships from your endpoints, to populate the Endpoint
  data model in the Processes node.
known_false_positives: none
references: []
tags:
  analytic_story:
  - Suspicious Zoom Child Processes
  detections:
  - First Time Seen Child Process of Zoom
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: endpoint
deployment:
  scheduling:
    cron_schedule: 55 * * * *
    earliest_time: -70m@m
    latest_time: -10m@m
    schedule_window: auto