Insight IDR - Custom Detection Rule - Generic Endpoint Activity

Howdy all,

I have been slowly working my way around the Rapid7 IDR platform. I figured I would take a crack at writing my own detection rules to help alert when a user downloads and installs some PUP/PUA. As my starting point of reference I looked at the built-in rule logic for Suspicious Registry Event - Unusual Registry Run Keys. This is an almost identical use case to what I want, just with a specific piece of software swapped in. It can be found here -

from(
  event_type = "endpoint_activity"
)
where(
    event.System.EventID = "13"
  AND
    event.EventData.Data.TargetObject
      ICONTAINS-ANY [
        "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
        "\\SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Run\\",
        "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
      ]
  AND
    NOT
      event.EventData.Data.Image
        ICONTAINS-ANY [
          "\\system32\\",
          "\\Program Files",
          "\\SysWow64\\",
          "Microsoft\\OneDrive"
        ]
  AND
    NOT
      event.EventData.Data.Details
        ICONTAINS-ANY [
          "\\system32\\",
          "\\Program Files",
          "\\SysWow64\\",
          "Microsoft\\OneDrive",
          "bomgar",
          "(Empty)",
          "\\teams\\update.exe",
          "%%ProgramFiles%%",
          "\\Programs\\Webex\\",
          "\\Google\\Update\\",
          "\\SunloginClient\\SunloginClient.exe"
        ]
)

Essentially I wanted to duplicate the rule but swap out the where portion to be focused on the specific IoCs we have for this software. I see in the from portion the event_type = endpoint_activity, which makes sense. However, when I got into the create custom rule window and went to select my event source, I saw several specific options for Endpoint Activity but nothing generic or, for lack of a better wording, a wildcard option (see screenshot).

Any ideas why? Or what I might be able to do to enable that as an event source for custom rules? Checked the documentation here and here and could not find a solution.

I checked to see if I needed to enable some other data source in the data collection portion of IDR, however I realized that I would not be getting alerts if the data was not already available. If I am not able to use the generic Endpoint Activity event source, what would be the next best source to use? Or could I just amend an existing rule to meet my needs?

Stuck and would love some help and input.

The different sub types under “endpoint_activity” may have different structure, and therefore keys available. Although this rule does not specify the sub type as “sysmon”, I believe it will be matching on those events by virtue of the keys used in the where clause. It is my understanding that the “Endpoint Activity - Sysmon” event type is the one you should select here.


The different sub types under “endpoint_activity” may have different structure, and therefore keys available

I figured this was the case. Thank you for confirming.

Although this rule does not specify the sub type as “sysmon”, I believe it will be matching on those events by virtue of the keys used in the where clause. It is my understanding that the “Endpoint Activity - Sysmon” event type is the one you should select here.

Good observation! I had not thought to check some of the rule context to see if I could find key pairs being used and cross reference them with available options in the current data sets. I will go ahead and give it a shot and see. Thanks @christopher_kane1

Is there any documentation or KBs about testing rules prior to being fully implemented? I’d like to test the rule logic prior to pushing it into production.

Nice one. You can try it out in log search, and also set the rule action to “Assess Activity” to trial how it would behave.
There is some documentation here describing those options.

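Both the rule logic pasted in the opening post and the question about testing a rule before it goes live can be exercised offline. The script below is an added example, not part of the thread or of Rapid7's tooling: it re-implements the where-clause of the built-in "Unusual Registry Run Keys" rule (Sysmon Event ID 13, ICONTAINS-ANY on the run-key paths, NOT ICONTAINS-ANY on the Image and Details exclusion lists) over a handful of constructed Sysmon records, so you can see which records would fire and why before saving the rule with an "Assess Activity" action. The string lists are copied from the rule as written; the event records, the `make_event` helper and the `evaluate` function are assumptions of this example, and the lists are parameters so the same evaluator can be reused with your own software-specific IoCs swapped in.

```python
"""Offline evaluation of the 'Unusual Registry Run Keys' where-clause.

Models ICONTAINS-ANY / NOT ICONTAINS-ANY over constructed Sysmon Event ID 13
records. Field paths mirror the rule text (event.System.EventID,
event.EventData.Data.TargetObject / Image / Details). All records are made up.
"""

# Lists copied verbatim from the built-in rule quoted in the thread.
RUN_KEYS = [
    "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
    "\\SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Run\\",
    "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
]
IMAGE_EXCLUSIONS = ["\\system32\\", "\\Program Files", "\\SysWow64\\", "Microsoft\\OneDrive"]
DETAILS_EXCLUSIONS = [
    "\\system32\\", "\\Program Files", "\\SysWow64\\", "Microsoft\\OneDrive",
    "bomgar", "(Empty)", "\\teams\\update.exe", "%%ProgramFiles%%",
    "\\Programs\\Webex\\", "\\Google\\Update\\", "\\SunloginClient\\SunloginClient.exe",
]


def icontains_any(value, needles):
    """Case-insensitive substring test, mirroring ICONTAINS-ANY; a missing field never matches."""
    if value is None:
        return False
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def get(event, path):
    """Walk a dotted key path such as 'event.EventData.Data.TargetObject'; None if absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_run_key_rule(event, run_keys=RUN_KEYS,
                         image_excl=IMAGE_EXCLUSIONS, details_excl=DETAILS_EXCLUSIONS):
    """True when the record satisfies every clause of the rule's where() block."""
    if get(event, "event.System.EventID") != "13":                      # registry value set
        return False
    if not icontains_any(get(event, "event.EventData.Data.TargetObject"), run_keys):
        return False
    if icontains_any(get(event, "event.EventData.Data.Image"), image_excl):        # NOT clause 1
        return False
    if icontains_any(get(event, "event.EventData.Data.Details"), details_excl):    # NOT clause 2
        return False
    return True


def make_event(event_id, target, image, details):
    """Build a minimal Sysmon-shaped record (assumed layout, constructed for this example)."""
    return {"event": {"System": {"EventID": event_id},
                      "EventData": {"Data": {"TargetObject": target,
                                             "Image": image, "Details": details}}}}


# Constructed sample records; only 'pup_installer' should fire.
SAMPLE_EVENTS = {
    "pup_installer": make_event(
        "13", "HKU\\S-1-5-21-1111\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\UpdaterSvc",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_bundle.exe",
        "C:\\Users\\alice\\AppData\\Roaming\\UpdaterSvc\\updater.exe"),
    "onedrive": make_event(                      # excluded by the Image list
        "13", "HKU\\S-1-5-21-1111\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
        "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
        "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
    "teams_update": make_event(                  # excluded by the Details list
        "13", "HKU\\S-1-5-21-1111\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Teams",
        "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\Update.exe",
        "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\Update.exe --processStart"),
    "runonce": make_event(                       # RunOnce\\ does not contain the trailing Run\\ pattern
        "13", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Cleanup",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_bundle.exe",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\cleanup.exe"),
    "process_create": make_event(                # wrong Event ID entirely
        "1", None, "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_bundle.exe", None),
}


def evaluate(events, **rule_lists):
    """Return the sorted names of the records that would fire the rule."""
    return sorted(name for name, ev in events.items() if matches_run_key_rule(ev, **rule_lists))


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:15s} -> {'ALERT' if matches_run_key_rule(ev) else 'no match'}")
```

The `runonce` record is worth noticing: because the patterns end in `Run\`, a value written under `RunOnce\` is not covered by this rule, so a copy aimed at a specific PUP/PUA may need its own path list. The same evaluator accepts replacement lists via keyword arguments, which is one way to check a narrowed where-clause against known-good and known-bad samples pulled from log search before enabling the rule.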