Merge pull request #3058 from splunk/correlation_search_risk_index

Critical Alerts detection - Microsoft Defender

contentctl.yml

@@ -176,6 +176,12 @@ apps:
   version: 5.4.1
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-machine-learning-toolkit_541.tgz
+- uid: 5518
+  title: Splunk add on for Microsoft Defender Advanced Hunting
+  appid: SPLUNK_ADD_ON_FOR_MICROSOFT_DEFENDER_ADVANCED_HUNTING
+  version: 1.4.1
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_141.tgz
 - uid: 2734
   title: URL Toolbox
   appid: URL_TOOLBOX

data_sources/windows_defender_alerts.yml

@@ -0,0 +1,67 @@
+name: Windows Defender Alerts
+id: 91738e9e-d112-41c9-b91b-e5868d8993d7
+version: 1
+date: '2024-09-24'
+author: Gowthamaraj Rajendran
+description: Data source object for Windows Defender alerts
+source: eventhub://windowsdefenderlogs
+sourcetype: mscs:azure:eventhub:defender:advancedhunting
+separator: AlertId
+supported_TA:
+  - name: Splunk add on for Microsoft Defender Advanced Hunting
+    url: https://splunkbase.splunk.com/app/5518
+    version: 1.4.1
+fields:
+  - _time
+  - AlertId
+  - TenantId
+  - OperationName
+  - Category
+  - Timestamp
+  - EntityType
+  - EvidenceRole
+  - SHA1
+  - SHA256
+  - RemoteIP
+  - LocalIP
+  - RemoteUrl
+  - AccountName
+  - AccountDomain
+  - AccountSid
+  - AccountObjectId
+  - DeviceId
+  - ThreatFamily
+  - EvidenceDirection
+  - AdditionalFields
+  - MachineGroup
+  - NetworkMessageId
+  - ServiceSource
+  - FileName
+  - FolderPath
+  - ProcessCommandLine
+  - EmailSubject
+  - ApplicationId
+  - Application
+  - DeviceName
+  - FileSize
+  - RegistryKey
+  - RegistryValueName
+  - RegistryValueData
+  - AccountUpn
+  - OAuthApplicationId
+  - Categories
+  - Title
+  - AttackTechniques
+  - DetectionSource
+  - Severity
+example_log: '{"time": "2024-06-14T20:12:23.3360383Z", "tenantId": "abced-c7ee-abce-1123-123", "operationName": "Publish", 
+  "category": "AdvancedHunting-AlertEvidence", "properties": {"Timestamp": "2024-04-14T19:59:59.1549925Z", "AlertId": "dc25", 
+  "EntityType": "CloudResource", "EvidenceRole": "Impacted", "SHA1": null, "SHA256": null, "RemoteIP": null, "LocalIP": null, 
+  "RemoteUrl": null, "AccountName": null, "AccountDomain": null, "AccountSid": null, "AccountObjectId": null, "DeviceId": null, 
+  "ThreatFamily": null, "EvidenceDirection": null, "AdditionalFields": "{\"ResourceId\":\"/subscriptions/1-2-3-4/resourceGroups/pluginframework/
+  providers/Microsoft.Compute/virtualMachines/phantom-identity\",\"ResourceType\":\"Virtual Machine\",\"ResourceName\":\"phantom-identity\",\"Asset\":true,\"
+  Type\":\"azure-resource\",\"Role\":0,\"MergeByKey\":\"abcd=\",\"MergeByKeyHex\":\"1234\"}", "MachineGroup": null, "NetworkMessageId": null, "ServiceSource": 
+  "Microsoft Defender for Cloud", "FileName": null, "FolderPath": null, "ProcessCommandLine": null, "EmailSubject": null, "ApplicationId": null, "Application": 
+  null, "DeviceName": null, "FileSize": null, "RegistryKey": null, "RegistryValueName": null, "RegistryValueData": null, "AccountUpn": null, "OAuthApplicationId": 
+  null, "Categories": "[\"InitialAccess\"]", "Title": "Suspicious authentication activity", "AttackTechniques": "", "DetectionSource": "DefenderForServers", 
+  "Severity": "High"}, "Tenant": "DefaultTenant"}'

detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml

@@ -1,7 +1,7 @@
 name: Detect Spike in AWS Security Hub Alerts for EC2 Instance
 id: 2a9b80d3-6340-4345-b5ad-290bf5d0d222
-version: 4
-date: '2024-05-19'
+version: 5
+date: '2024-10-09'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -31,6 +31,7 @@ references: []
 tags:
   analytic_story:
   - AWS Security Hub Alerts
+  - Critical Alerts
   asset_type: AWS Instance
   confidence: 50
   impact: 30

detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml

@@ -1,7 +1,7 @@
 name: Detect Spike in AWS Security Hub Alerts for User
 id: 2a9b80d3-6220-4345-b5ad-290bf5d0d222
-version: 4
-date: '2024-05-18'
+version: 5
+date: '2024-10-09'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
@@ -28,6 +28,7 @@ references: []
 tags:
   analytic_story:
   - AWS Security Hub Alerts
+  - Critical Alerts
   asset_type: AWS Instance
   confidence: 50
   impact: 50

detections/endpoint/detect_critical_alerts_from_security_tools.yml

@@ -0,0 +1,50 @@
+name: Detect Critical Alerts from Security Tools
+id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd
+version: 1
+date: '2024-10-09'
+author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Splunk
+status: production
+type: TTP
+data_source:
+- Windows Defender Alerts
+description: The following analytics is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.signature Alerts.app, Alerts.severity, Alerts.description, source, Alerts.id, Alerts.dest 
+  | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `detect_critical_alerts_from_security_tools_filter`'
+how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. 
+known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment.
+references:
+  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/accessing-microsoft-defender-for-cloud-alerts-in-splunk-using/ba-p/938228
+  - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts
+  - https://learn.microsoft.com/en-us/defender-endpoint/api/raw-data-export-event-hub
+tags:
+  analytic_story:
+  - Critical Alerts
+  asset_type: Endpoint
+  atomic_guid: []
+  confidence: 90
+  impact: 90
+  message: $severity$ alert for $dest$ from $source$ - $signature$
+  mitre_attack_id:
+  - T1484
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - app
+  - name
+  risk_score: 81
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/AdvancedHunting.log
+    source: eventhub://windowsdefenderlogs
+    sourcetype: mscs:azure:eventhub:defender:advancedhunting

stories/critical_alerts.yml

@@ -0,0 +1,17 @@
+name: Critical Alerts
+id: bc7056a5-c2b0-4b83-93ce-5f31739305c8
+date: '2024-06-21'
+author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk
+description: This analytic story contains detections that monitor critical alerts data from security tools ingested into Splunk. By correlating these alerts and enriching them with MITRE ATT&CK annotations and other risk events, it offers a nuanced perspective on potential threats and security posture of your organization.
+narrative: Monitoring alerts from security tools is crucial because they act as an early warning system for potential threats. High and critical alerts signal serious issues that could compromise your systems if not addressed promptly. By keeping an eye on these alerts, you can quickly identify and respond to threats, minimizing damage and protecting sensitive data. This proactive approach not only strengthens your security posture but also ensures you're ready to tackle any compliance requirements by maintaining a detailed record of significant security events. This story has rules that integrates and assesses critical alerts from Endpoint, DLP, and firewall sources in Splunk. By correlating alerts and adding MITRE annotations, it provides a comprehensive view of customer risk. It triggers an alert when critical alerts are detected, preserving the source and assigning risk scores. This helps security analysts understand threats and respond effectively.
+references:
+  - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts
+  - https://docs.splunk.com/Documentation/CIM/5.3.2/User/UsetheCAM
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection