Merge branch 'develop' into crypto_campaign
patel-bhavin authored Jan 23, 2025
2 parents 322008a + 2ef9726 commit 11dd085
Showing 12 changed files with 29 additions and 42 deletions.
@@ -60,9 +60,9 @@ references:
- https://splunkbase.splunk.com/app/6553
rba:
message: A mismatch between source and response for verifying a push request has
occurred for $actor.alternateId$
occurred for $user$
risk_objects:
- field: actor.alternateId
- field: user
type: user
score: 64
threat_objects: []
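Review bot: Switching the risk object and the message token from `actor.alternateId` to `user` only works if the search pipeline, which this hunk does not show, actually emits a `user` field (for example via `rename actor.alternateId as user`); if it does not, `$user$` renders as the literal token and the detection produces no user risk object. Confirm against the search block above the hunk and check that the detection's test data still yields a risk event.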
@@ -8,7 +8,8 @@ type: TTP
description: The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions.
data_source:
- ASL AWS CloudTrail
search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`'
search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid
as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`'
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.
references:
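Review bot: The old `rename ... actor.user.account_uid as aws_account_id` referenced a field that is not in the `stats ... by` list (`actor.user.account.uid` is), so `aws_account_id` was always empty; the corrected rename fixes that. Two nits: the search value now wraps across two lines, which is valid inside a YAML single-quoted scalar (the break folds to a single space between `actor.user.account.uid` and `as`) but differs from the single-line form used in the sibling UpdateTrail file; and the context line `known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging` contradicts itself, so consider stating the benign case plainly (legitimate administrative trail changes) and asking the analyst to verify with the account owner.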
@@ -8,7 +8,7 @@ type: TTP
description: The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
data_source:
- ASL AWS CloudTrail
search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`'
search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`'
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.
references:
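Review bot: Same `account_uid` to `account.uid` fix as in the StopLogging detection; with the `rename` now matching the `stats ... by actor.user.account.uid` field, `aws_account_id` will finally be populated. Since this copy-paste defect shows up in three ASL searches in this commit, a repo-wide grep for `account_uid` would confirm no other `asl_aws_*` detection still carries it. The `known_false_positives` context line has the same self-contradiction as the StopLogging file.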
@@ -16,8 +16,8 @@ search: '`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.opera
| spath input=api.request.data path=networkAclId output=networkAclId
| search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId cidrBlock
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid as aws_account_id
| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_created_with_all_open_ports_filter`'
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.
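Review bot: Adding `cidrBlock` to the `stats ... by` clause is what makes `$cidrBlock$` resolvable later in the file, but the preceding `| search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0` already pins `cidrBlock` to `0.0.0.0/0`, so the new by-field is a constant and never splits results. If the intent is to report on any broadly open CIDR, as the new message wording suggests, relax that filter; if the detection is deliberately scoped to `0.0.0.0/0`, the by-field is harmless and the message could simply say so. The `account_uid` to `account.uid` rename fix is correct here as well.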
@@ -32,7 +32,7 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: User $user$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$
message: User $user$ has created network ACLs with all the ports opens to $cidrBlock$
risk_objects:
- field: user
type: user
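Review bot: Typo in the new message: `all the ports opens to $cidrBlock$` should read `all the ports open to $cidrBlock$`. The token change from `$requestParameters.cidrBlock$` to `$cidrBlock$` is consistent with `cidrBlock` now being in the `stats ... by` list in the search above; the old token referenced a raw CloudTrail field name that never survived `stats`, so the message would have rendered the literal token.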
16 changes: 8 additions & 8 deletions detections/cloud/azure_ad_service_principal_enumeration.yml
@@ -6,15 +6,15 @@ author: Dean Luxton
data_source:
- Azure Active Directory MicrosoftGraphActivityLogs
type: TTP
status: production
status: production
description: >-
This detection leverages azure graph activity logs to identify when graph APIs have been used to identify 10 or more service principals.
This type of behaviour is associated with tools such as Azure enumberation tools such as AzureHound or ROADtools.
search: >-
`azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals)
`azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals) | fillnull
| rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/beta\/servicePrincipals\/(?P<servicePrincipalb>.*?)\/"
| rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/(?P<servicePrincipalv1>.*?)\/"
| eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats min(_time) as _time dc(spn) as spn_count values(user) as user values(user_category) as user_category values(src_category) as src_category count by src tenantId properties.userAgent
| eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats count min(_time) as _time dc(spn) as spn_count values(user_id) as user_id by src tenantId properties.userAgent
| rename properties.userAgent as user_agent
| where spn_count>9 | `azure_ad_service_principal_enumeration_filter`
how_to_implement: >-
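Review bot: Both `rex` patterns end in `\/`, so they capture an object ID only when another path segment follows it (`.../servicePrincipals/<id>/...`); requests for `.../servicePrincipals/<id>` with nothing after the ID, and collection listings of `.../servicePrincipals`, yield no `spn`, so `dc(spn)` undercounts exactly the bulk enumeration the description targets. Capturing the ID with `(?P<servicePrincipalv1>[^/?]+)` and no trailing `\/` (likewise for the beta pattern) would cover both forms, and the dots in `graph.microsoft.com` should be escaped as `graph\.microsoft\.com`. On the `stats` change: dropping `values(user)`, `user_category` and `src_category` in favour of `values(user_id) as user_id` is fine as long as the rba block and drilldowns below use `user_id` (they do in this commit), but `values()` still returns a multivalue field when several identities share `src tenantId properties.userAgent`, so `user_id` may need `mvjoin` or its own by-field for a clean risk object. In the context description, `Azure enumberation tools such as AzureHound` should be `enumeration`, and the doubled `tools such as ... tools such as` can be collapsed.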
@@ -27,16 +27,16 @@ references:
- https://splunkbase.splunk.com/app/3110
- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
- name: View the detection results for - "$user_id$"
search: '%original_detection_search% | search user_id = "$user_id$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- name: View risk events for the last 7 days for - "$user_id$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
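Review bot: The drilldowns now key on `user_id`, matching the `values(user_id) as user_id` output of the updated search; the risk drilldown `normalized_risk_object IN ("$user_id$")` will only return rows if `user_id` is registered as a risk object in the `rba` block, and the visible entry there is `tenantId` (type `other`), so confirm a `user_id` risk object exists or this second drilldown stays empty.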
rba:
message: $spn_count$ Service Principals have been enumerated by $user$ from IP $src$
message: $spn_count$ Service Principals have been enumerated by $user_id$ from IP $src$
risk_objects:
- field: tenantId
type: other
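Review bot: The message now names `$user_id$` and `$src$`, but the visible `risk_objects` entry is `tenantId` with type `other`; a tenant-level risk object scores the whole tenant rather than the enumerating identity or its source, so unless entries for `user_id` (type `user`) and `src` (type `system`) follow below the truncated lines, the risk score will not attach to the principal the message describes.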
@@ -16,8 +16,7 @@ description: The following analytic detects when the Kerberos Pre-Authentication
data_source:
- Windows Event Log Security 4738
search: >
`wineventlog_security` EventCode=4738 MSADChangedAttributes=\"*Don't Require Preauth'
- Enabled*\" |rename Account_Name as user | table EventCode, user, dest, Security_ID,
`wineventlog_security` EventCode=4738 MSADChangedAttributes="*\'Don\'t Require Preauth\' - Enabled*" |rename Account_Name as user | table EventCode, user, dest, Security_ID,
MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`
how_to_implement: To successfully implement this search, you need to be ingesting
Domain Controller events. The Advanced Security Audit policy setting `User Account
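Review bot: The new pattern `MSADChangedAttributes="*\'Don\'t Require Preauth\' - Enabled*"` keeps backslashes before the single quotes, and because this is a YAML `>` block scalar those backslashes reach SPL literally. Inside a double-quoted SPL string a single quote needs no escaping, so unless the search parser silently drops `\'`, the term will be looking for literal backslashes that the 4738 text `'Don't Require Preauth' - Enabled` does not contain. The unambiguous form is `MSADChangedAttributes="*'Don't Require Preauth' - Enabled*"`; the attack_data dataset referenced under `tests:` at the end of this file is the place to confirm the match. Either way this is an improvement on the old version, whose line break split the phrase and whose `\"` escapes were wrong for a folded block.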
@@ -68,3 +67,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log
source: WinEventLog:Security
sourcetype: WinEventLog

@@ -48,7 +48,7 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Potential DCShadow Attack Detected on $Computer$
message: A short-lived server object was created and deleted on $Computer$
risk_objects:
- field: Computer
type: system
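Review bot: Describing the observed behaviour (`A short-lived server object was created and deleted on $Computer$`) is the right direction for a risk message, but dropping the technique name entirely makes the resulting risk notables harder to triage and search; keeping it as a qualifier, for example `A short-lived server object was created and deleted on $Computer$, consistent with DCShadow`, preserves both. Separately, the risk object is still `Computer` with type `system`; the Invoke-ShareFinder change in this same commit renames `Computer` to `dest`, and this file should follow the same convention.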
@@ -42,15 +42,6 @@ tags:
asset_type: Endpoint
mitre_attack_id:
- T1218
observable:
- name: dest
type: Endpoint
role:
- Victim
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
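Review bot: Removing the `observable` block for `dest` and `user` is only safe if an `rba` block with matching `risk_objects` (`dest` as `system`, `user` as `user`) already exists above the `tags:` section; the hunk does not show it, so confirm it is present, otherwise this T1218 detection stops producing risk objects.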
@@ -38,11 +38,6 @@ tags:
asset_type: Endpoint
mitre_attack_id:
- T1218
observable:
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
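Review bot: With the `observable` entry for `dest` gone, the victim endpoint must be carried by an `rba.risk_objects` entry of type `system` elsewhere in this file; the hunk gives no view of it, so verify before merging or the detection will score nothing.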
@@ -17,7 +17,7 @@ description: The following analytic detects the execution of the Invoke-ShareFin
and sensitive data.
search: '`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) | stats
count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode
ScriptBlockText | rename UserID as user | `security_content_ctime(firstTime)` |
ScriptBlockText | rename UserID as user | rename Computer as dest | `security_content_ctime(firstTime)` |
`security_content_ctime(lastTime)` | `windows_file_share_discovery_with_powerview_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup here
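Review bot: The two back-to-back renames `| rename UserID as user | rename Computer as dest` can be a single `| rename UserID as user, Computer as dest`; and since `Computer` is renamed after `stats`, every drilldown and risk object in this file must reference `dest` rather than `Computer` (the later hunks in this file do). One caveat: `UserID` on PowerShell 4104 events typically holds the account SID rather than the account name, so the `user` risk object here may not line up with user values produced by other detections without normalisation.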
@@ -29,12 +29,12 @@ references:
- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
- https://attack.mitre.org/techniques/T1135/
drilldown_searches:
- name: View the detection results for - "$Computer$" and "$user$"
search: '%original_detection_search% | search Computer = "$Computer$" user = "$user$"'
- name: View the detection results for - "$dest$" and "$user$"
search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$" and "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$",
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
"$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time)
as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
@@ -43,12 +43,12 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Invoke-ShareFinder commandlet was executed on $Computer$
message: Invoke-ShareFinder commandlet was executed on $dest$
risk_objects:
- field: Computer
- field: dest
type: system
score: 48
- field: User
- field: user
type: user
score: 48
threat_objects: []
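Review bot: The old `- field: User` (capital U) never matched the search's lowercase `user` output, so the user risk object was silently empty; the lowercase fix is correct and `dest` now lines up with the new `rename Computer as dest`. Because this was an invisible failure, a pass over other detections for `risk_objects` field names that differ in case from the search output would be worthwhile.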
@@ -20,7 +20,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Services\\Eventlog\\*"
AND Registry.registry_value_name=CustomSD BY Registry.dest Registry.registry_value_data
Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name
Registry.user Registry.registry_value_name | `drop_dm_object_name(Registry)` | where
Registry.user Registry.registry_value_name Registry.registry_path | `drop_dm_object_name(Registry)` | where
isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `windows_new_custom_security_descriptor_set_on_eventlog_channel_filter`'
how_to_implement: To successfully implement this search, you must be ingesting data
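Review bot: Adding `Registry.registry_path` to the `BY` clause is the right call here because the path is what identifies which channel under `*\\Services\\Eventlog\\*` had its `CustomSD` value set. With `registry_path` now available after `drop_dm_object_name(Registry)`, consider surfacing it in the rba message and drilldowns so the analyst sees which log channel's security descriptor changed.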
@@ -20,7 +20,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*",
"*\Microsoft\Windows\EventLog\*") AND Registry.registry_value_name=ChannelAccess
BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid
Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name
Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name Registry.registry_path
| `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `windows_new_eventlog_channelaccess_registry_value_set_filter`'
how_to_implement: To successfully implement this search, you must be ingesting data
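Review bot: Same `Registry.registry_path` addition, same benefit (the path identifies which channel's `ChannelAccess` SDDL was set). The context line mixes escaping styles in the `IN (...)` list: `"*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*"` uses doubled backslashes while `"*\Microsoft\Windows\EventLog\*"` uses single ones; within a double-quoted SPL string `\\` is the unambiguous literal backslash, so the second pattern should be written `"*\\Microsoft\\Windows\\EventLog\\*"` to match the first and the sibling CustomSD detection.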