
Summary
The 'Prohibited Software On Endpoint' detection rule identifies the installation and execution of applications that an organization has marked as prohibited on its endpoints. It relies on process-creation telemetry such as Sysmon EventID 1 (process creation), ingested from Endpoint Detection and Response (EDR) agents and normalized to the Splunk Common Information Model (CIM) so that the search can run against the Endpoint.Processes data model rather than raw events. The rule aggregates process executions by process name, parent process, host and user, and correlates the result against a predefined list of prohibited software. Accurate results depend on complete process telemetry: process GUID, process and parent process names, the executing user and host, and the full command line.
This rule is deprecated and is kept for reference; it should not be treated as a current control. Flagging unauthorized software is still a worthwhile endpoint check, but a list matched on executable file names alone is defeated by renaming the binary, so the prohibited-software list has to be maintained and, where the telemetry allows it, backed by a stronger identifier such as the PE's original file name or a file hash.
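The correlation described above, as an added example that is not Splunk's rule or code: constructed Sysmon EventID 1 records are normalized onto CIM Endpoint.Processes field names (process_name, parent_process_name, process, dest, user, process_guid, original_file_name), aggregated the way a tstats search groups them, and matched against a constructed prohibited-apps list. It goes one step beyond name matching by also checking the PE's original file name, which catches a renamed binary; the hosts, users, GUIDs and list contents are all invented for the example.

```python
"""Correlate Sysmon EventID 1 process-creation records against a prohibited-software list.

Added example, not Splunk's detection or code. Normalized field names follow the
Splunk CIM Endpoint.Processes data model; the events and the prohibited list below
are constructed for this example.
"""
from datetime import datetime, timezone
from ntpath import basename  # Sysmon paths are Windows paths regardless of where this runs

# Constructed Sysmon EventID 1 records (invented hosts, users and GUIDs).
SYSMON_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-11-14 10:00:00.000", "Computer": "WS01.corp.example",
     "User": "CORP\\alice", "Image": "C:\\Users\\alice\\Downloads\\putty.exe",
     "OriginalFileName": "PuTTY", "CommandLine": "putty.exe -ssh 10.0.0.5",
     "ParentImage": "C:\\Windows\\explorer.exe", "ProcessGuid": "{a1-0001}"},
    {"EventID": 1, "UtcTime": "2024-11-14 10:01:00.000", "Computer": "WS01.corp.example",
     "User": "CORP\\alice", "Image": "C:\\Users\\alice\\Downloads\\putty.exe",
     "OriginalFileName": "PuTTY", "CommandLine": "putty.exe -ssh 10.0.0.6",
     "ParentImage": "C:\\Windows\\explorer.exe", "ProcessGuid": "{a1-0002}"},
    # Renamed binary: the file name looks benign, the PE's original name does not.
    {"EventID": 1, "UtcTime": "2024-11-14 10:02:00.000", "Computer": "WS02.corp.example",
     "User": "CORP\\bob", "Image": "C:\\Temp\\svchost.exe",
     "OriginalFileName": "PuTTY", "CommandLine": "svchost.exe -ssh 203.0.113.9",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ProcessGuid": "{b2-0001}"},
    {"EventID": 1, "UtcTime": "2024-11-14 10:03:00.000", "Computer": "WS02.corp.example",
     "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe", "ProcessGuid": "{b2-0002}"},
    {"EventID": 1, "UtcTime": "2024-11-14 10:04:00.000", "Computer": "WS03.corp.example",
     "User": "CORP\\carol", "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     "OriginalFileName": "TeamViewer.exe",
     "CommandLine": "\"C:\\Program Files\\TeamViewer\\TeamViewer.exe\"",
     "ParentImage": "C:\\Windows\\explorer.exe", "ProcessGuid": "{c3-0001}"},
]

# Constructed prohibited-software list, shaped like a lookup table: one row per app.
PROHIBITED_APPS = [
    {"app": "putty.exe", "original_file_name": "PuTTY"},
    {"app": "teamviewer.exe", "original_file_name": "TeamViewer.exe"},
    {"app": "tor.exe", "original_file_name": ""},
]


def normalize_sysmon_event(ev):
    """Map a Sysmon EventID 1 record onto CIM Endpoint.Processes field names."""
    ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return {
        "_time": int(ts.timestamp()),
        "dest": ev["Computer"],
        "user": ev["User"],
        "process_name": basename(ev["Image"]),
        "parent_process_name": basename(ev["ParentImage"]),
        "process": ev["CommandLine"],
        "process_guid": ev["ProcessGuid"],
        "original_file_name": ev.get("OriginalFileName", ""),
    }


def build_prohibited_index(rows):
    """Return two case-folded sets: prohibited file names and prohibited PE original names."""
    names = {r["app"].lower() for r in rows if r.get("app")}
    originals = {r["original_file_name"].lower() for r in rows if r.get("original_file_name")}
    return names, originals


def detect_prohibited_software(events, prohibited_rows, match_original_file_name=True):
    """Group matching executions by process_name, parent_process_name, dest and user,
    with count, firstTime, lastTime and the distinct command lines, like a tstats search.
    Returns the groups sorted by firstTime."""
    names, originals = build_prohibited_index(prohibited_rows)
    groups = {}
    for ev in events:
        if ev.get("EventID") != 1:
            continue  # only process-creation events carry the fields we need
        p = normalize_sysmon_event(ev)
        matched_on = None
        if p["process_name"].lower() in names:
            matched_on = "process_name"
        elif match_original_file_name and p["original_file_name"].lower() in originals:
            matched_on = "original_file_name"  # catches a renamed binary
        if matched_on is None:
            continue
        key = (p["process_name"], p["parent_process_name"], p["dest"], p["user"])
        g = groups.setdefault(key, {"process_name": key[0], "parent_process_name": key[1],
                                    "dest": key[2], "user": key[3], "count": 0,
                                    "firstTime": p["_time"], "lastTime": p["_time"],
                                    "process": set(), "matched_on": matched_on})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], p["_time"])
        g["lastTime"] = max(g["lastTime"], p["_time"])
        g["process"].add(p["process"])
    results = sorted(groups.values(), key=lambda g: g["firstTime"])
    for g in results:
        g["process"] = sorted(g["process"])
    return results


if __name__ == "__main__":
    for row in detect_prohibited_software(SYSMON_EVENTS, PROHIBITED_APPS):
        print(row)
```

Running it with the original-name check disabled drops the renamed svchost.exe row, which is the gap a name-only prohibited list leaves; in a real deployment the original file name comes from the OriginalFileName field Sysmon records from the PE version resource, and should be treated as corroborating rather than authoritative, since it is also under the attacker's control in a rebuilt binary.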
Categories
- Endpoint
Data Sources
- Process
Created: 2024-11-14