{ "results": [ { "org_key": "ABCD1234", "alert_url": "https://defense.conferdeploy.net/alerts?s[c][query_string]=id:708d7dbf-2020-42d4-9cbc-0cddd0ffa31a&orgKey=ABCD1234", "id": "708d7dbf-2020-42d4-9cbc-0cddd0ffa31a", "type": "WATCHLIST", "backend_timestamp": "2023-04-03T08:48:47.211Z", "user_update_timestamp": "2023-04-13T11:55:20.860Z", "backend_update_timestamp": "2023-04-03T08:48:47.211Z", "detection_timestamp": "2023-04-03T08:46:52.302Z", "first_event_timestamp": "2023-04-03T08:44:43.552Z", "last_event_timestamp": "2023-04-03T08:44:43.552Z", "severity": 6, "reason": "Process taskhostw.exe was detected by the report \"Abnormally Large DNS Exchanges (exfil or zone transfer)\" in watchlist \"zzz_XDR Sample IOCs\"", "reason_code": "19261158-dbbf-3077-9959-f8aa7f7551a1:0cc402b0-ea96-35c6-8418-a2f07acf616d", "threat_id": "19261158DBBF00775959F8AA7F7551A1", "primary_event_id": "t6a_TNVuQb6seMjk_VyDsg-0", "policy_applied": "NOT_APPLIED", "run_state": "RAN", "sensor_action": "ALLOW", "workflow": { "change_timestamp": "2023-04-13T11:55:20.860Z", "changed_by_type": "USER", "changed_by": "demouser@demoorg.com", "closure_reason": "NO_REASON", "status": "IN_PROGRESS" }, "determination": { "change_timestamp": "1970-01-01T00:00:00.000Z", "value": "ALERT_CLASSIFICATION_UNKNOWN", "changed_by_type": "OPERATOR_UNKNOWN", "changed_by": null }, "tags": null, "alert_notes_present": false, "threat_notes_present": false, "is_updated": false, "device_id": 18078555, "device_name": "DEMO\\DEMOMACHINE", "device_uem_id": "", "device_target_value": "MEDIUM", "device_policy": "Demo-policy", "device_policy_id": 12345678, "device_os": "WINDOWS", "device_os_version": "Windows 10 x64", "device_username": "DEMOMACHINE\\Administrator", "device_location": "UNKNOWN", "device_external_ip": "1.2.3.4", "device_internal_ip": "1.2.3.4", "mdr_alert": false, "report_id": "Fm0YsPDyQ1Kp1Pdd6Lnd8w-abd-defg-123", "report_name": "Abnormally Large DNS Exchanges (exfil or zone transfer)", "report_description": "IOC leveraging XDR fields to identify abnormally large DNS exchanges. The typical client DNS query to your DNS server is between 50-550 bytes. Large exchanges could be indicative of attack exfiltration or zone transfer attempts.", "report_tags": [], "ioc_id": "abd-defg-123", "ioc_hit": "netconn_application_protocol:DNS AND netconn_bytes_sent:[551 TO *]", "watchlists": [ { "id": "lgaClyOmQ86ZwZttq3ZDxg", "name": "Demo IOCs" } ], "process_guid": "ABCD1234-0113db5b-000011bc-00000000-1d966088928e609", "process_pid": 4540, "process_name": "c:\\windows\\system32\\taskhostw.exe", "process_sha256": "1234cd567ab3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad", "process_md5": "123a4566ab18f93b93d551cd10c1598e", "process_effective_reputation": "COMPANY_WHITE_LIST", "process_reputation": "TRUSTED_WHITE_LIST", "process_cmdline": "taskhostw.exe SYSTEM", "process_username": "DEMOSERVER\\DEMO", "process_issuer_": "Demo CA", "process_publisher": "Demo Publisher", "parent_guid": "ABCD1234-0113db5b-000006bc-00000000-1d94225f1bb0897", "parent_pid": 1724, "parent_name": "c:\\windows\\system32\\svchost.exe", "parent_sha256": "123ab451a82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7", "parent_md5": "a123456789f632dc8d9404d83bc16316", "parent_effective_reputation": "TRUSTED_WHITE_LIST", "parent_reputation": "TRUSTED_WHITE_LIST", "parent_cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", "parent_username": "NT AUTHORITY\\SYSTEM", "childproc_guid": "", "childproc_username": "", "childproc_cmdline": "", "ml_classification_anomalies": [ { "anomalous_field": "actor_process_modload_count", "anomaly_name": "Process modloads", "anomalous_field_baseline_values": [ "0", "1" ], "anomalous_value": "65" }, { "anomalous_field": "actor_process_filemod_count", "anomaly_name": "Process filemods", "anomalous_field_baseline_values": [ "0" ], "anomalous_value": "8" } ] } ], "num_found": 147, "num_available": 147}
Preview this Workflow on desktop