Merge pull request #1998 from splunk/DrDoLittleFixes
fixing bug introduced in the macro/lookups addition
ljstella authored Feb 7, 2022
2 parents e7be2fa + 0b60916 commit 18ee389
Showing 751 changed files with 3,429 additions and 54 deletions.
5 changes: 5 additions & 0 deletions bin/jinja2_templates/doc_detections.j2
Expand Up @@ -101,6 +101,11 @@ The SPL above uses the following Lookups:
#### Known False Positives
{{ detection.known_false_positives}}

#### Associated Analytic story
{% for story in detection.tags.analytic_story -%}
* [{{ story }}](/stories/{{story|lower|replace(" ", "_")}})
{% endfor %}

#### Kill Chain Phase
{% for phase in detection.tags.kill_chain_phases -%}
* {{ phase }}
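Review bot: the whitespace control on the new analytic-story loop is one-sided: `{% for story in detection.tags.analytic_story -%}` trims after the opening tag, but `{% endfor %}` trims nothing, so every rendered post picks up two blank lines between the story list and `#### Kill Chain Phase` (the generated posts further down in this diff show exactly that). Use `{%- endfor %}` or `{% endfor -%}` so the list closes cleanly. The link slug `{{story|lower|replace(" ", "_")}}` also passes any stray whitespace in the story name straight into the URL; the Emotet post below renders `/stories/emotet_malware__dhs_report_ta18-201a_` with a doubled and a trailing underscore. Add `|trim` before the `replace`, or strip the whitespace from the story name at the source, so the link matches the story page path. Minor: the heading reads `Associated Analytic story` while its sibling is `Kill Chain Phase`; capitalise consistently.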
2 changes: 1 addition & 1 deletion docs/_pages/detections.md
Expand Up @@ -61,8 +61,8 @@ sidebar:
| [Attempt To Delete Services](/endpoint/attempt_to_delete_services/) | [Service Stop](/tags/#service-stop), [Create or Modify System Process](/tags/#create-or-modify-system-process), [Windows Service](/tags/#windows-service) | TTP |
| [Attempt To Disable Services](/endpoint/attempt_to_disable_services/) | [Service Stop](/tags/#service-stop) | TTP |
| [Attempt To Stop Security Service](/endpoint/attempt_to_stop_security_service/) | [Disable or Modify Tools](/tags/#disable-or-modify-tools), [Impair Defenses](/tags/#impair-defenses) | TTP |
| [Attempted Credential Dump From Registry via Reg exe](/endpoint/attempted_credential_dump_from_registry_via_reg_exe/) | [Security Account Manager](/tags/#security-account-manager), [OS Credential Dumping](/tags/#os-credential-dumping) | TTP |
| [Attempted Credential Dump From Registry via Reg exe](/endpoint/attempted_credential_dump_from_registry_via_reg_exe/) | [OS Credential Dumping](/tags/#os-credential-dumping), [Security Account Manager](/tags/#security-account-manager) | TTP |
| [Attempted Credential Dump From Registry via Reg exe](/endpoint/attempted_credential_dump_from_registry_via_reg_exe/) | [Security Account Manager](/tags/#security-account-manager), [OS Credential Dumping](/tags/#os-credential-dumping) | TTP |
| [Auto Admin Logon Registry Entry](/endpoint/auto_admin_logon_registry_entry/) | [Credentials in Registry](/tags/#credentials-in-registry), [Unsecured Credentials](/tags/#unsecured-credentials) | TTP |
| [BCDEdit Failure Recovery Modification](/endpoint/bcdedit_failure_recovery_modification/) | [Inhibit System Recovery](/tags/#inhibit-system-recovery) | TTP |
| [BCDEdit Failure Recovery Modification](/endpoint/bcdedit_failure_recovery_modification/) | [Inhibit System Recovery](/tags/#inhibit-system-recovery) | TTP |
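Review bot: the only substantive change in this hunk is the order of the MITRE tags in the "Attempted Credential Dump From Registry via Reg exe" row (Security Account Manager / OS Credential Dumping swapped to the reverse and back), and the "BCDEdit Failure Recovery Modification" row appears twice verbatim. Since this table is generated, unstable tag ordering means every regeneration will produce churn like this; sort the tag list before rendering (for example `| sort` in the template) and make sure each detection is emitted once, so the table is deterministic and diffs only show real changes.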
Expand Up @@ -63,6 +63,10 @@ To successfully implement this search, you must ensure the network router device
#### Known False Positives
Legitimate router connections may appear as new connections

#### Associated Analytic story
* [Router and Infrastructure Security](/stories/router_and_infrastructure_security)


#### Kill Chain Phase
* Actions on Objectives

Expand Up @@ -64,6 +64,10 @@ This search uses the Network_Sessions data model shipped with Enterprise Securit
#### Known False Positives
This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information.

#### Associated Analytic story
* [Asset Tracking](/stories/asset_tracking)


#### Kill Chain Phase
* Reconnaissance
* Delivery
4 changes: 4 additions & 0 deletions docs/_posts/2017-09-15-no_windows_updates_in_a_time_frame.md
Expand Up @@ -66,6 +66,10 @@ To successfully implement this search, it requires that the 'Update' dat
#### Known False Positives
None identified

#### Associated Analytic story
* [Monitor for Updates](/stories/monitor_for_updates)


#### Kill Chain Phase


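Review bot: `#### Kill Chain Phase` renders here with no entries underneath it, leaving a dangling heading in the published page (the cloud-cryptomining post later in this diff has the same gap). Guard the heading in the template with `{% if detection.tags.kill_chain_phases %}`, or emit an explicit `* None` item when the list is empty, so readers can tell the phase is unset rather than the page being broken.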
Expand Up @@ -68,6 +68,11 @@ If Splunk Phantom is also configured in your environment, a playbook called &#34
#### Known False Positives
None at this time

#### Associated Analytic story
* [Emotet Malware DHS Report TA18-201A ](/stories/emotet_malware__dhs_report_ta18-201a_)
* [Suspicious Emails](/stories/suspicious_emails)


#### Kill Chain Phase
* Delivery

4 changes: 4 additions & 0 deletions docs/_posts/2017-09-20-large_volume_of_dns_any_queries.md
Expand Up @@ -72,6 +72,10 @@ To successfully implement this search you must ensure that DNS data is populatin
#### Known False Positives
Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment.

#### Associated Analytic story
* [DNS Amplification Attacks](/stories/dns_amplification_attacks)


#### Kill Chain Phase
* Actions on Objectives

Expand Up @@ -71,6 +71,11 @@ You must be ingesting data from the web server or network traffic that contains
#### Known False Positives
It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.

#### Associated Analytic story
* [JBoss Vulnerability](/stories/jboss_vulnerability)
* [SamSam Ransomware](/stories/samsam_ransomware)


#### Kill Chain Phase
* Reconnaissance

Expand Up @@ -65,6 +65,11 @@ You must ingest data from the web server or capture network data that contains w
#### Known False Positives
No known false positives for this detection.

#### Associated Analytic story
* [JBoss Vulnerability](/stories/jboss_vulnerability)
* [SamSam Ransomware](/stories/samsam_ransomware)


#### Kill Chain Phase
* Delivery

4 changes: 4 additions & 0 deletions docs/_posts/2017-09-23-monitor_web_traffic_for_brand_abuse.md
Expand Up @@ -66,6 +66,10 @@ You need to ingest data from your web traffic. This can be accomplished by index
#### Known False Positives
None at this time

#### Associated Analytic story
* [Brand Monitoring](/stories/brand_monitoring)


#### Kill Chain Phase
* Delivery

4 changes: 4 additions & 0 deletions docs/_posts/2017-10-13-unusually_long_content-type_length.md
Expand Up @@ -60,6 +60,10 @@ This particular search leverages data extracted from Stream:HTTP. You must confi
#### Known False Positives
Very few legitimate Content-Type fields will have a length greater than 100 characters.

#### Associated Analytic story
* [Apache Struts Vulnerability](/stories/apache_struts_vulnerability)


#### Kill Chain Phase
* Delivery

5 changes: 5 additions & 0 deletions docs/_posts/2018-01-05-monitor_email_for_brand_abuse.md
Expand Up @@ -71,6 +71,11 @@ You need to ingest email header data. Specifically the sender's address (src
#### Known False Positives
None at this time

#### Associated Analytic story
* [Brand Monitoring](/stories/brand_monitoring)
* [Suspicious Emails](/stories/suspicious_emails)


#### Kill Chain Phase
* Delivery

Expand Up @@ -76,6 +76,12 @@ You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-
#### Known False Positives
The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.

#### Associated Analytic story
* [AWS Network ACL Activity](/stories/aws_network_acl_activity)
* [Suspicious AWS Traffic](/stories/suspicious_aws_traffic)
* [Command and Control](/stories/command_and_control)


#### Kill Chain Phase
* Actions on Objectives
* Command and Control
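Review bot: the context line "values of`dataPointThreshold`" is missing the space before the backtick, so the code span runs into the preceding word. This page is generated, so the fix belongs in the detection's `known_false_positives` text in its YAML rather than in this Markdown.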
4 changes: 4 additions & 0 deletions docs/_posts/2018-06-01-detect_large_outbound_icmp_packets.md
Expand Up @@ -75,6 +75,10 @@ In order to run this search effectively, we highly recommend that you leverage t
#### Known False Positives
ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with command and control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list.

#### Associated Analytic story
* [Command and Control](/stories/command_and_control)


#### Kill Chain Phase
* Command and Control

4 changes: 4 additions & 0 deletions docs/_posts/2018-06-28-detect_s3_access_from_a_new_ip.md
Expand Up @@ -77,6 +77,10 @@ You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-
#### Known False Positives
S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past hour

#### Associated Analytic story
* [Suspicious AWS S3 Activities](/stories/suspicious_aws_s3_activities)


#### Kill Chain Phase
* Actions on Objectives

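Review bot: the Known False Positives text carries a typo ("false postive") and its second sentence has no terminating period. As with the other generated posts, correct it in the detection's YAML source so it does not reappear on the next regeneration.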
Expand Up @@ -72,6 +72,10 @@ You must be ingesting your cloud infrastructure logs from your cloud provider. Y
#### Known False Positives
After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user.

#### Associated Analytic story
* [Cloud Cryptomining](/stories/cloud_cryptomining)


#### Kill Chain Phase


4 changes: 4 additions & 0 deletions docs/_posts/2018-10-23-wmi_permanent_event_subscription.md
Expand Up @@ -73,6 +73,10 @@ To successfully implement this search, you must be ingesting the Windows WMI act
#### Known False Positives
Although unlikely, administrators may use event subscriptions for legitimate purposes.

#### Associated Analytic story
* [Suspicious WMI Use](/stories/suspicious_wmi_use)


#### Kill Chain Phase
* Actions on Objectives

4 changes: 4 additions & 0 deletions docs/_posts/2018-10-23-wmi_temporary_event_subscription.md
Expand Up @@ -71,6 +71,10 @@ To successfully implement this search, you must be ingesting the Windows WMI act
#### Known False Positives
Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.

#### Associated Analytic story
* [Suspicious WMI Use](/stories/suspicious_wmi_use)


#### Kill Chain Phase
* Actions on Objectives

4 changes: 4 additions & 0 deletions docs/_posts/2018-11-27-detect_spike_in_s3_bucket_deletion.md
Expand Up @@ -88,6 +88,10 @@ You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-
#### Known False Positives
Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.

#### Associated Analytic story
* [Suspicious AWS S3 Activities](/stories/suspicious_aws_s3_activities)


#### Kill Chain Phase
* Actions on Objectives

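Review bot: two wording defects in the Known False Positives context: "values of`dataPointThreshold`" lacks the space before the code span, and "according the your environment" should read "according to your environment". Fix both in the detection's YAML source, since this post is rendered from it.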
4 changes: 4 additions & 0 deletions docs/_posts/2018-12-03-remote_wmi_command_attempt.md
Expand Up @@ -73,6 +73,10 @@ To successfully implement this search you need to be ingesting information on pr
#### Known False Positives
Administrators may use this legitimately to gather info from remote systems. Filter as needed.

#### Associated Analytic story
* [Suspicious WMI Use](/stories/suspicious_wmi_use)


#### Kill Chain Phase
* Actions on Objectives

5 changes: 5 additions & 0 deletions docs/_posts/2018-12-03-usn_journal_deletion.md
Expand Up @@ -72,6 +72,11 @@ You must be ingesting data that records process activity from your hosts to popu
#### Known False Positives
None identified

#### Associated Analytic story
* [Windows Log Manipulation](/stories/windows_log_manipulation)
* [Ransomware](/stories/ransomware)


#### Kill Chain Phase
* Actions on Objectives

4 changes: 4 additions & 0 deletions docs/_posts/2018-12-06-suspicious_java_classes.md
Expand Up @@ -67,6 +67,10 @@ In order to properly run this search, Splunk needs to ingest data from your web-
#### Known False Positives
There are no known false positives.

#### Associated Analytic story
* [Apache Struts Vulnerability](/stories/apache_struts_vulnerability)


#### Kill Chain Phase
* Exploitation

4 changes: 4 additions & 0 deletions docs/_posts/2018-12-14-file_with_samsam_extension.md
Expand Up @@ -62,6 +62,10 @@ You must be ingesting data that records file-system activity from your hosts to
#### Known False Positives
Because these extensions are not typically used in normal operations, you should investigate all results.

#### Associated Analytic story
* [SamSam Ransomware](/stories/samsam_ransomware)


#### Kill Chain Phase
* Installation

4 changes: 4 additions & 0 deletions docs/_posts/2018-12-14-samsam_test_file_write.md
Expand Up @@ -69,6 +69,10 @@ You must be ingesting data that records the file-system activity from your hosts
#### Known False Positives
No false positives have been identified.

#### Associated Analytic story
* [SamSam Ransomware](/stories/samsam_ransomware)


#### Kill Chain Phase
* Delivery

4 changes: 4 additions & 0 deletions docs/_posts/2019-01-25-processes_tapping_keyboard_events.md
Expand Up @@ -62,6 +62,10 @@ In order to properly run this search, Splunk needs to ingest data from your osqu
#### Known False Positives
There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.

#### Associated Analytic story
* [ColdRoot MacOS RAT](/stories/coldroot_macos_rat)


#### Kill Chain Phase
* Command and Control

Expand Up @@ -72,6 +72,10 @@ You must be ingesting data that records process activity from your hosts to popu
#### Known False Positives
Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.

#### Associated Analytic story
* [Apache Struts Vulnerability](/stories/apache_struts_vulnerability)


#### Kill Chain Phase
* Actions on Objectives

7 changes: 7 additions & 0 deletions docs/_posts/2019-05-08-unusually_long_command_line_-_mltk.md
Expand Up @@ -67,6 +67,13 @@ You must be ingesting endpoint data that monitors command lines and populates th
#### Known False Positives
Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.

#### Associated Analytic story
* [Suspicious Command-Line Executions](/stories/suspicious_command-line_executions)
* [Unusual Processes](/stories/unusual_processes)
* [Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns](/stories/possible_backdoor_activity_associated_with_mudcarp_espionage_campaigns)
* [Ransomware](/stories/ransomware)


#### Kill Chain Phase
* Actions on Objectives

Expand Up @@ -76,6 +76,11 @@ This search needs Sysmon Logs and a sysmon configuration, which includes EventCo
#### Known False Positives
The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.

#### Associated Analytic story
* [Credential Dumping](/stories/credential_dumping)
* [Detect Zerologon Attack](/stories/detect_zerologon_attack)


#### Kill Chain Phase
* Actions on Objectives

7 changes: 7 additions & 0 deletions docs/_posts/2019-12-03-detect_mimikatz_using_loaded_images.md
Expand Up @@ -74,6 +74,13 @@ This search needs Sysmon Logs and a sysmon configuration, which includes EventCo
#### Known False Positives
Other tools can import the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.

#### Associated Analytic story
* [Credential Dumping](/stories/credential_dumping)
* [Detect Zerologon Attack](/stories/detect_zerologon_attack)
* [Cloud Federated Credential Abuse](/stories/cloud_federated_credential_abuse)
* [DarkSide Ransomware](/stories/darkside_ransomware)


#### Kill Chain Phase
* Actions on Objectives

Expand Up @@ -75,6 +75,10 @@ This search requires Sysmon Logs and a Sysmon configuration, which includes Even
#### Known False Positives
Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.

#### Associated Analytic story
* [Credential Dumping](/stories/credential_dumping)


#### Kill Chain Phase
* Actions on Objectives

4 changes: 4 additions & 0 deletions docs/_posts/2019-12-06-create_remote_thread_into_lsass.md
Expand Up @@ -75,6 +75,10 @@ This search needs Sysmon Logs with a Sysmon configuration, which includes EventC
#### Known False Positives
Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.

#### Associated Analytic story
* [Credential Dumping](/stories/credential_dumping)


#### Kill Chain Phase
* Actions on Objectives

4 changes: 4 additions & 0 deletions docs/_posts/2019-12-10-creation_of_shadow_copy.md
Expand Up @@ -80,6 +80,10 @@ You must be ingesting endpoint data that tracks process activity, including pare
#### Known False Positives
Legitimate administrator usage of Vssadmin or Wmic will create false positives.

#### Associated Analytic story
* [Credential Dumping](/stories/credential_dumping)


#### Kill Chain Phase
* Actions on Objectives

6 changes: 6 additions & 0 deletions docs/_posts/2020-01-22-dns_query_length_outliers_-_mltk.md
Expand Up @@ -88,6 +88,12 @@ Detailed documentation on how to create a new field within Incident Review may b
#### Known False Positives
If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data.

#### Associated Analytic story
* [Hidden Cobra Malware](/stories/hidden_cobra_malware)
* [Suspicious DNS Traffic](/stories/suspicious_dns_traffic)
* [Command and Control](/stories/command_and_control)


#### Kill Chain Phase
* Command and Control

