Commit
all but one fixes
patel-bhavin committed Jan 23, 2025
1 parent ef9aa03 commit 217666c
Showing 5 changed files with 16 additions and 15 deletions.
Expand Up @@ -60,9 +60,9 @@ references:
- https://splunkbase.splunk.com/app/6553
rba:
message: A mismatch between source and response for verifying a push request has
occurred for $actor.alternateId$
occurred for $user$
risk_objects:
- field: actor.alternateId
- field: user
type: user
score: 64
threat_objects: []
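Review bot: The change of the risk object and message token from actor.alternateId to `user` (the `message:` and `- field:` lines) only works if the detection's search already emits a `user` field; the search is outside this hunk, so confirm it renames or evaluates actor.alternateId to user, otherwise the risk message renders an empty $user$ and the risk object carries no value. Keeping `type: user` and `score: 64` is consistent with the replacement field.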
Expand Up @@ -8,7 +8,8 @@ type: TTP
description: The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions.
data_source:
- ASL AWS CloudTrail
search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`'
search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid
as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`'
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.
references:
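Review bot: The corrected rename source `actor.user.account.uid as aws_account_id` now matches the field named in the `stats ... by` clause, so aws_account_id will populate where it previously stayed empty because `actor.user.account_uid` is never produced by stats. Minor style point: the rewritten search is split across two lines inside the single-quoted YAML scalar, whereas the sibling UpdateTrail detection in this same commit keeps its search on one line; a consistent layout keeps future diffs easier to review. Separately, known_false_positives states the search has no known false positives and then names one (an admin stopping CloudTrail); consider rewording to state the admin case plainly.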
Expand Up @@ -8,7 +8,7 @@ type: TTP
description: The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
data_source:
- ASL AWS CloudTrail
search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`'
search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`'
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.
references:
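Review bot: Same fix as in the StopLogging detection: `actor.user.account_uid` becomes `actor.user.account.uid` in the rename so it references the field actually emitted by `stats ... by actor.user.account.uid`, and aws_account_id will now be populated for the drilldowns and risk message. The known_false_positives wording has the same internal contradiction as the StopLogging file (no known false positives, then an admin update named as one).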
Expand Up @@ -16,8 +16,8 @@ search: '`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.opera
| spath input=api.request.data path=networkAclId output=networkAclId
| search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId cidrBlock
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid as aws_account_id
| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_created_with_all_open_ports_filter`'
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.
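Review bot: Adding `cidrBlock` to the `stats ... by` clause is required for the `$cidrBlock$` token used later in the rba message to resolve; without it stats drops the field. Note that the preceding `search ... cidrBlock=0.0.0.0/0` line restricts results to a single value, so the added group-by does not change aggregation and the message will always report 0.0.0.0/0; if the intent is to surface other overly broad CIDRs, that filter would need loosening as well. The `actor.user.account_uid` to `actor.user.account.uid` correction matches the fix applied to the other ASL detections in this commit.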
Expand All @@ -32,7 +32,7 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: User $user$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$
message: User $user$ has created network ACLs with all the ports opens to $cidrBlock$
risk_objects:
- field: user
type: user
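Review bot: Typo in the new rba message: "all the ports opens to $cidrBlock$" should read "all the ports open to $cidrBlock$". The switch from `$requestParameters.cidrBlock$` to `$cidrBlock$` is correct, since the search extracts cidrBlock with spath and (as of this commit) groups by it, so the token now resolves.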
16 changes: 8 additions & 8 deletions detections/cloud/azure_ad_service_principal_enumeration.yml
Expand Up @@ -6,15 +6,15 @@ author: Dean Luxton
data_source:
- Azure Active Directory MicrosoftGraphActivityLogs
type: TTP
status: production
status: production
description: >-
This detection leverages azure graph activity logs to identify when graph APIs have been used to identify 10 or more service principals.
This type of behaviour is associated with tools such as Azure enumberation tools such as AzureHound or ROADtools.
search: >-
`azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals)
`azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals) | fillnull
| rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/beta\/servicePrincipals\/(?P<servicePrincipalb>.*?)\/"
| rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/(?P<servicePrincipalv1>.*?)\/"
| eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats min(_time) as _time dc(spn) as spn_count values(user) as user values(user_category) as user_category values(src_category) as src_category count by src tenantId properties.userAgent
| eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats count min(_time) as _time dc(spn) as spn_count values(user_id) as user_id by src tenantId properties.userAgent
| rename properties.userAgent as user_agent
| where spn_count>9 | `azure_ad_service_principal_enumeration_filter`
how_to_implement: >-
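Review bot: The `status: production` line appears as both removed and re-added with identical visible content, which suggests a whitespace-only change; confirm it is intentional rather than an editor artifact. The rewritten stats drops `values(user)`, `values(user_category)` and `values(src_category)` in favour of `values(user_id) as user_id`; check that every downstream consumer of the dropped fields has been updated, since this file's hunks only cover the search, drilldowns and rba block. Separately, "enumberation" in the description should be "enumeration", and the sentence repeats "tools such as" twice ("tools such as Azure enumberation tools such as AzureHound or ROADtools").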
Expand All @@ -27,16 +27,16 @@ references:
- https://splunkbase.splunk.com/app/3110
- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
- name: View the detection results for - "$user_id$"
search: '%original_detection_search% | search user_id = "$user_id$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- name: View risk events for the last 7 days for - "$user_id$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: $spn_count$ Service Principals have been enumerated by $user$ from IP $src$
message: $spn_count$ Service Principals have been enumerated by $user_id$ from IP $src$
risk_objects:
- field: tenantId
type: other
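Review bot: The risk message now attributes the enumeration to `$user_id$` and both drilldowns key on `user_id`, but risk_objects still lists only `tenantId` with type `other`; consider adding `user_id` as a `user` risk object so the behaviour is scored against the principal that performed the enumeration and not only the tenant. The drilldown renames are consistent with the new `values(user_id) as user_id` in the search.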