splunk / security_content

Splunk Security Content
https://research.splunk.com
Apache License 2.0

Include "Drilldown name and Search" in the detection template #2385

Open gs3cl opened 1 year ago

gs3cl commented 1 year ago

Hey,

Is it possible to include both functions regarding Drilldowns?

action.notable.param.drilldown_name = 
action.notable.param.drilldown_search =

Why?

As an analyst in a SOC with different levels/stages it is very helpful to build Drilldown Searches for the analysts. To reduce workload during daily work it would be cool to have this capability in the detection specs. Hence we could build predefined "Drilldown Searches".

Example:

ESCU - Account Discovery With Net App - Rule

SPL:

| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*") 
by Processes.process_name Processes.dest Processes.user Processes.parent_process_name 
| where count >=5 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `account_discovery_with_net_app_filter`

Instead of Risk I want a Search for the Drilldown with a variable like "dest"


| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*") 
by Processes.process_name Processes.dest Processes.user Processes.parent_process_name 
| where count >=5 
| `drop_dm_object_name(Processes)` 
| search dest=$dest$
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `account_discovery_with_net_app_filter`

and that would be the result in .yml with two new fields:

# new fields: search_drilldown, drilldown_name
search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*")
  by Processes.process_name Processes.dest Processes.user Processes.parent_process_name
  | where count >=5
  | `drop_dm_object_name(Processes)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `account_discovery_with_net_app_filter`'
search_drilldown: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where `process_net` AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*")
  by Processes.process_name Processes.dest Processes.user Processes.parent_process_name
  | where count >=5
  | `drop_dm_object_name(Processes)`
  | search dest=$dest$
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `account_discovery_with_net_app_filter`'
drilldown_name: Check Events
how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
known_false_positives: Pentesting

Thanks in advance

Regards,
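As an added illustration, not code from the security_content project or its tooling, the script below shows how a template could turn the two proposed YAML fields into the `action.notable.param.drilldown_name` and `action.notable.param.drilldown_search` keys, and checks that every `$token$` the drilldown uses is a field the base search actually leaves on the notable (a split-by field after `drop_dm_object_name`, or an `as` alias). The detection dict, the regexes and the function names are assumptions; the searches are shortened from the rule quoted above.

```python
import re

# Constructed sample mirroring the two fields proposed in this issue; it is not a
# real security_content detection file. Searches are shortened from the rule above.
DETECTION = {
    "name": "Account Discovery With Net App",
    "search": (
        "| tstats `security_content_summariesonly` values(Processes.process_id) as process_id "
        "count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes "
        "where `process_net` by Processes.process_name Processes.dest Processes.user "
        "Processes.parent_process_name | where count >=5 | `drop_dm_object_name(Processes)`"
    ),
    "drilldown_name": "Check Events",
    "search_drilldown": (
        "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes "
        "where `process_net` by Processes.process_name Processes.dest Processes.user "
        "| `drop_dm_object_name(Processes)` | search dest=$dest$"
    ),
}

TOKEN_RE = re.compile(r"\$(\w+)\$")                    # $dest$ style placeholders
BY_RE = re.compile(r"\bby\s+(.*?)(?=\s*\||\Z)", re.S)  # split-by field list
AS_RE = re.compile(r"\bas\s+(\w+)", re.I)              # aggregate aliases

def drilldown_tokens(spl):
    """Placeholder names the drilldown expects the notable event to carry."""
    return set(TOKEN_RE.findall(spl))

def notable_fields(spl):
    """Fields the base search leaves on the notable: its split-by fields (the
    data-model prefix is removed by drop_dm_object_name) plus 'as' aliases."""
    by = BY_RE.search(spl)
    fields = {f.split(".")[-1] for f in by.group(1).split()} if by else set()
    return fields | set(AS_RE.findall(spl))

def validate_drilldown(det):
    """Tokens used by the drilldown that the base search can never populate."""
    return sorted(drilldown_tokens(det["search_drilldown"]) - notable_fields(det["search"]))

def render_notable_params(det):
    """Hypothetical rendering of the two savedsearches.conf keys from the YAML.
    A .conf value is a single line, so multi-line SPL is collapsed."""
    return {
        "action.notable.param.drilldown_name": det["drilldown_name"],
        "action.notable.param.drilldown_search": " ".join(det["search_drilldown"].split()),
    }
```

For the sample above `validate_drilldown` returns an empty list; a drilldown referencing a token such as `$parent_process_id$`, which the base search never groups by or aliases, is reported so the broken drilldown is caught before the content ships.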

josehelps commented 1 year ago

Hey @gs3cl, thank you so much for the request. We are absolutely looking to introduce this feature as part of a major update, security content 4.0.0. This is not likely slated until EOY, closer to the November/December timeframe. With that said, let's keep it open and we will update you once we have a PR ready.

gs3cl commented 1 year ago

Hey @d1vious, thanks for the information, sounds great.

yaroslav-nakonechnikov commented 5 months ago

Was it implemented?