Security Onion Playbook for ET INFO PE EXE or DLL Windows file download HTTP Public Id: 2018959 #14849
Version
2.4.160
Installation Method
Security Onion ISO image
Description
other (please provide detail below)
Installation Type
Standalone
Location
on-prem with Internet access
Hardware Specs
Meets minimum requirements
CPU
4
RAM
24GB
Storage for /
314GB
Storage for /nsm
670GB
Network Traffic Collection
span port
Network Traffic Speeds
Less than 1Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
Hi,
first, thanks a lot for all the effort you put into the new Security Onion playbooks.
I would like to provide some feedback.
I tried the calc.exe download from testmyids on a client which has Elastic Agent with Elastic Defend (only data collection enabled) and executed it afterwards on the client.
In Alerts, "ET INFO PE EXE or DLL Windows file download HTTP" shows up properly, with cloudfront.net being the source and my endpoint the destination.
However, when I go inside guided analysis to "Was the downloaded PE file executed on this system?" I cannot see the result.
Probably it's because the playbook has host.ip: '{source.ip}' defined.
```yaml
...
host.ip: '{source.ip}'
```
Shouldn't it be host.ip: '{destination.ip}' here?
When I click the hunt icon and then remove the AND host.ip clause, I can see calc.exe showing up.
Best regards
security-companion
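The mismatch described in the post, as an added example that is not part of the original discussion or of Security Onion's code: a guided-analysis query template is expanded against a constructed NIDS alert and run over constructed endpoint process events. The template text, the field names and the IP addresses are assumptions for illustration; only the direction logic (server is source.ip, endpoint is destination.ip on an inbound download) comes from the post.

```python
import re

# Constructed NIDS alert for the download: the CDN served the file (source),
# the workstation received it (destination). Addresses are constructed.
ALERT = {
    "rule.name": "ET INFO PE EXE or DLL Windows file download HTTP",
    "source.ip": "203.0.113.10",       # constructed: the web server / CDN
    "destination.ip": "192.0.2.25",    # constructed: the endpoint that downloaded
}

# Constructed endpoint process events, as an EDR would record them.
PROCESS_EVENTS = [
    {"host.ip": "192.0.2.25", "process.name": "calc.exe", "event.action": "start"},
    {"host.ip": "192.0.2.25", "process.name": "explorer.exe", "event.action": "start"},
]

# Assumed query templates (not the real playbook text); only the host.ip
# placeholder differs. The process.name term is also an assumption.
ORIGINAL_TEMPLATE = "process.name: calc.exe AND host.ip: '{source.ip}'"
CORRECTED_TEMPLATE = "process.name: calc.exe AND host.ip: '{destination.ip}'"


def expand(template: str, alert: dict) -> str:
    """Replace each {field} placeholder with that field's value from the alert."""
    return re.sub(r"\{([\w.]+)\}", lambda m: alert[m.group(1)], template)


def parse_terms(query: str) -> dict:
    """Parse an AND-only 'field: value' query into a dict (enough for this case)."""
    terms = {}
    for clause in query.split(" AND "):
        field, value = clause.split(":", 1)
        terms[field.strip()] = value.strip().strip("'")
    return terms


def matching_events(query: str, events: list) -> list:
    """Return the events whose fields equal every term of the query."""
    terms = parse_terms(query)
    return [e for e in events if all(e.get(f) == v for f, v in terms.items())]


def compare(alert: dict, events: list) -> dict:
    """Hit counts for the source.ip-based and destination.ip-based templates."""
    return {
        "source.ip": len(matching_events(expand(ORIGINAL_TEMPLATE, alert), events)),
        "destination.ip": len(matching_events(expand(CORRECTED_TEMPLATE, alert), events)),
    }
```

Substituting source.ip pins host.ip to the CDN address, which never appears in endpoint telemetry, so the query returns nothing; substituting destination.ip pins it to the workstation and the calc.exe start event is found.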