Suspicious File Write

Description

The search looks for files created with names that have been linked to malicious activity.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Malware

Alert Volume

The search looks for files created with names that have been linked to malicious activity.

SPL Difficulty

None

Journey

Stage 3

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

   Help

Suspicious File Write Help

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note to communicate why that file name is being monitored. This lookup file can be edited to add or remove file the file names you want to monitor.

   Search

Open in Search