updating data source files

splunk · Jul 16, 2024 · 40248a3 · 40248a3
1 parent 996861a
commit 40248a3
Show file tree

Hide file tree

Showing 10 changed files with 170 additions and 11 deletions.
diff --git a/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml b/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml
@@ -0,0 +1,66 @@
+name: AWS CloudWatchLogs VPCflow
+id: 38a34fc4-e128-4478-a8f4-7835d51d5135
+author: Bhavin Patel, Splunk
+source: aws_cloudwatchlogs_vpcflow
+sourcetype: aws:cloudwatchlogs:vpcflow
+separator: eventName
+supported_TA:
+  name: Splunk Add-on for Amazon Web Services (AWS)
+  version: 7.4.1
+  url: https://splunkbase.splunk.com/app/1876
+event_names: []
+fields:
+- _raw
+- _time
+- account_id
+- action
+- app
+- aws_account_id
+- bytes
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_ip
+- dest_port
+- duration
+- dvc
+- end_time
+- eventtype
+- host
+- index
+- interface_id
+- linecount
+- log_status
+- packets
+- protocol
+- protocol_code
+- protocol_full_name
+- protocol_version
+- punct
+- region
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_port
+- start_time
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- transport
+- user_id
+- vendor_account
+- vendor_product
+- version
+- vpcflow_action
+example_log: '2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK'
diff --git a/data_sources/endpoint/Windows_Event_Log_Security.yml b/data_sources/endpoint/Windows_Event_Log_Security.yml
@@ -45,6 +45,8 @@ event_names:
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml
 - event_name: Windows Event Log Security 4726
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml
+- event_name: Windows Event Log Security 4728
+  data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4728.yml
 - event_name: Windows Event Log Security 4732
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml
 - event_name: Windows Event Log Security 4738

diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml
@@ -0,0 +1,89 @@
+
+event_name: Windows Event Log System 4728
+fields:
+- _time
+- Account_Domain
+- Account_Name
+- CategoryString
+- ComputerName
+- Error_Code
+- EventCode
+- EventType
+- Keywords
+- LogName
+- Logon_ID
+- Message
+- OpCode
+- RecordNumber
+- Security_ID
+- SourceName
+- Subject_Account_Domain
+- Subject_Account_Name
+- Subject_Logon_ID
+- Subject_Security_ID
+- Target_Account_Domain
+- Target_Account_Name
+- Target_Security_ID
+- TaskCategory
+- Type
+- action
+- app
+- body
+- category
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dest_nt_host
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- member_dn
+- member_id
+- member_nt_domain
+- msad_action
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product
+example_log: 10/09/2020 10:41:29 AM
diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: Hunting
 data_source:
-- Authentication Datamodel
+- Azure Active Directory Sign-in activity
 description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A 
   distributed password spray attack is a type of brute force attack where the attacker attempts a few 
   common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. 
@@ -49,17 +49,17 @@ tags:
   - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
   confidence: 70
   impact: 70
-  message: Distributed Password Spray Attempt Detected
+  message: Distributed Password Spray Attempt Detected from $src$
   mitre_attack_id:
   - T1110.003
   - T1110
   observable:
   - name: src
-    type: Endpoint
+    type: IP Address
     role:
     - Attacker
-  - name: sourcetype
-    type: Other
+  - name: unique_accounts
+    type: User
     role:
     - Victim
   product:

diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- Authentication Datamodel
+- Windows Event Log Security 4625
 description: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts
   from a single source. A password spray attack is a type of brute force attack where an attacker tries a few
   common passwords across many different accounts to avoid detection and account lockouts. By utilizing the

diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- XmlWinEventLog:Security
+- Windows Event Log Security 4663
 description: This analytic detects an increase in modifications to AD groups or objects.
   Frequent changes to AD groups or objects can indicate potential security risks,
   such as unauthorized access attempts, impairing defences or establishing persistence.

diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- XmlWinEventLog:Security
+- Windows Event Log Security 4720
 description: This analytic detects an increase in modifications to AD user objects.
   A large volume of changes to user objects can indicate potential security risks,
   such as unauthorized access attempts, impairing defences or establishing persistence.

diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- XmlWinEventLog System EventCode 7045
+- Windows Event Log System 7045
 description: The following analytic detects the loading of known vulnerable Windows
   drivers, which may indicate potential persistence or privilege escalation attempts.
   It leverages Windows System service install EventCode 7045 to identify driver loading 

diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml
@@ -5,7 +5,8 @@ date: '2023-10-20'
 author: Dean Luxton
 status: production
 type: TTP
-data_source: []
+data_source:
+- AWS CloudWatchLogs VPCflow
 description: This analytic identifies instances where an internal host has attempted to communicate
   with 250 or more destination IP addresses using the same port and protocol. Horizontal
   port scans from internal hosts can indicate reconnaissance or scanning activities,

diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml
@@ -5,7 +5,8 @@ date: '2023-10-20'
 author: Dean Luxton
 status: production
 type: TTP
-data_source: []
+data_source:
+- AWS CloudWatchLogs VPCflow
 description: This analytic detects instances where an internal host attempts to communicate
   with over 500 ports on a single destination IP address. It includes filtering
   criteria to exclude applications performing scans over ephemeral port ranges,