
Visualizing Insider Threat Detection with Uncoder AI’s Decision Tree for SentinelOne Queries – Source: socprime.com


Source: socprime.com – Author: Steven Edwards

A very specific and technical question!

The decision tree for the condition part of this s1-event is as follows:

1. Root Node: Evaluate SrcProcImagePath ContainsCIS “explorer.exe”
• If true, proceed to next node
• If false, event does not match

2. Node 2: Evaluate TgtProcImagePath ContainsCIS “notepad.exe”
• If true, proceed to next node
• If false, event does not match

3. Node 3: Evaluate (TgtProcCmdLine ContainsCIS “password.txt” OR TgtProcCmdLine ContainsCIS “password.csv” OR TgtProcCmdLine ContainsCIS “password.doc” OR TgtProcCmdLine ContainsCIS “password.xls”)
• This node has four child nodes, one for each OR condition:

• Node 3.1: Evaluate TgtProcCmdLine ContainsCIS “password.txt”
– If true, event matches
– If false, proceed to next child node

• Node 3.2: Evaluate TgtProcCmdLine ContainsCIS “password.csv”
– If true, event matches
– If false, proceed to next child node

• Node 3.3: Evaluate TgtProcCmdLine ContainsCIS “password.doc”
– If true, event matches
– If false, proceed to next child node

• Node 3.4: Evaluate TgtProcCmdLine ContainsCIS “password.xls”
– If true, event matches
– If false, event does not match

In summary, the decision tree evaluates three main conditions:

1. The source process image path contains explorer.exe
2. The target process image path contains notepad.exe
3. The target process command line contains any of the specified password-related file names (password.txt, password.csv, password.doc, or password.xls)

If all three conditions are true, the event matches; otherwise, it does not match.
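The tree above can be executed directly as a short-circuiting evaluator. The following is an added example, not code from the original post or from Uncoder AI: it walks the nodes in the order described (root, node 2, then the four node 3 children left to right) and reports which node decided the outcome. The field names SrcProcImagePath, TgtProcImagePath and TgtProcCmdLine and the ContainsCIS operator are taken from the page; the dict-based event layout, the `contains_cis` and `evaluate` helper names, and the sample events are assumptions constructed for this example.

```python
"""Evaluate the SentinelOne decision tree over constructed sample events.

Field names and the ContainsCIS operator come from the decision tree above;
the dict-based event layout and the sample events are constructed here.
"""
from typing import Optional, Tuple

# Node 3 children, in the order the tree evaluates them (3.1 .. 3.4).
PASSWORD_FILES = ("password.txt", "password.csv", "password.doc", "password.xls")


def contains_cis(value: Optional[str], needle: str) -> bool:
    """ContainsCIS: case-insensitive substring test. A missing field never matches."""
    if value is None:
        return False
    return needle.lower() in value.lower()


def evaluate(event: dict) -> Tuple[bool, str]:
    """Walk root -> node 2 -> node 3.x, stopping at the first node that decides.

    Returns (matched, deciding_node). On a match the node is the node 3 child
    that fired; on a miss it is the node whose false branch ended evaluation.
    """
    # Root node: source process must be explorer.exe
    if not contains_cis(event.get("SrcProcImagePath"), "explorer.exe"):
        return False, "root"
    # Node 2: target process must be notepad.exe
    if not contains_cis(event.get("TgtProcImagePath"), "notepad.exe"):
        return False, "node2"
    # Node 3: OR branch; the first child that is true matches the event.
    for i, name in enumerate(PASSWORD_FILES, start=1):
        if contains_cis(event.get("TgtProcCmdLine"), name):
            return True, f"node3.{i}"
    # All four children false: node 3.4's false branch ends the walk.
    return False, "node3.4"


# Constructed sample events (hypothetical telemetry, not real data).
SAMPLE_EVENTS = [
    {   # matches at node 3.2: mixed case shows ContainsCIS is case-insensitive
        "SrcProcImagePath": r"C:\Windows\explorer.exe",
        "TgtProcImagePath": r"C:\Windows\System32\notepad.exe",
        "TgtProcCmdLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\Desktop\Password.CSV',
    },
    {   # benign file name: falls through all node 3 children
        "SrcProcImagePath": r"C:\Windows\explorer.exe",
        "TgtProcImagePath": r"C:\Windows\System32\notepad.exe",
        "TgtProcCmdLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
    },
    {   # wrong parent: rejected at the root node, node 3 never evaluated
        "SrcProcImagePath": r"C:\Windows\System32\cmd.exe",
        "TgtProcImagePath": r"C:\Windows\System32\notepad.exe",
        "TgtProcCmdLine": r'"C:\Windows\System32\notepad.exe" password.txt',
    },
    {   # wrong child process: rejected at node 2
        "SrcProcImagePath": r"C:\Windows\explorer.exe",
        "TgtProcImagePath": r"C:\Windows\System32\mspaint.exe",
        "TgtProcCmdLine": r'"C:\Windows\System32\mspaint.exe" password.doc',
    },
    {   # command line missing from the event: node 3 cannot match
        "SrcProcImagePath": r"C:\Windows\explorer.exe",
        "TgtProcImagePath": r"C:\Windows\System32\notepad.exe",
    },
]


def run_samples() -> list:
    """Evaluate every sample event and return the (matched, node) outcomes."""
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, (matched, node) in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{'MATCH' if matched else 'no match':9s} decided at {node:8s} "
              f"cmd={event.get('TgtProcCmdLine')!r}")
```

Two properties of the evaluator are worth noting when tuning the rule. First, evaluation short-circuits exactly as the tree does, so an event rejected at the root never has its command line inspected, which keeps the expensive string scan to events that already passed the parent and child checks. Second, ContainsCIS is a substring test rather than an exact file-name match, so a command line such as `C:\data\old_password.txt.bak` also satisfies node 3.1; if that is broader than intended, the node 3 children are the place to tighten the match.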

Original Post URL: https://socprime.com/blog/visualizing-insider-threat-detection-with-uncoder-ais-decision-tree-for-sentinelone-queries/

Category & Tags: Blog, SOC Prime Platform, Decision Tree, explorer.exe, SentinelOne


