diff --git a/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml b/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml new file mode 100644 index 0000000000..7ba4fc7362 --- /dev/null +++ b/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml @@ -0,0 +1,66 @@ +name: AWS CloudWatchLogs VPCflow +id: 38a34fc4-e128-4478-a8f4-7835d51d5135 +author: Bhavin Patel, Splunk +source: aws_cloudwatchlogs_vpcflow +sourcetype: aws:cloudwatchlogs:vpcflow +separator: eventName +supported_TA: + name: Splunk Add-on for Amazon Web Services (AWS) + version: 7.4.1 + url: https://splunkbase.splunk.com/app/1876 +event_names: [] +fields: +- _raw +- _time +- account_id +- action +- app +- aws_account_id +- bytes +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- dest +- dest_ip +- dest_port +- duration +- dvc +- end_time +- eventtype +- host +- index +- interface_id +- linecount +- log_status +- packets +- protocol +- protocol_code +- protocol_full_name +- protocol_version +- punct +- region +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- src_ip +- src_port +- start_time +- tag +- tag::action +- tag::eventtype +- timeendpos +- timestartpos +- transport +- user_id +- vendor_account +- vendor_product +- version +- vpcflow_action +example_log: '2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK' diff --git a/data_sources/endpoint/Windows_Event_Log_Security.yml b/data_sources/endpoint/Windows_Event_Log_Security.yml index 46e786a697..ca5c7355c4 100644 --- a/data_sources/endpoint/Windows_Event_Log_Security.yml +++ b/data_sources/endpoint/Windows_Event_Log_Security.yml 
@@ -45,6 +45,8 @@ event_names: data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml - event_name: Windows Event Log Security 4726 data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml +- event_name: Windows Event Log Security 4728 + data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4728.yml - event_name: Windows Event Log Security 4732 data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml - event_name: Windows Event Log Security 4738 diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml new file mode 100644 index 0000000000..0f8a2baa8a --- /dev/null +++ b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml 
@@ -0,0 +1,89 @@ + +event_name: Windows Event Log System 4728 +fields: +- _time +- Account_Domain +- Account_Name +- CategoryString +- ComputerName +- Error_Code +- EventCode +- EventType +- Keywords +- LogName +- Logon_ID +- Message +- OpCode +- RecordNumber +- Security_ID +- SourceName +- Subject_Account_Domain +- Subject_Account_Name +- Subject_Logon_ID +- Subject_Security_ID +- Target_Account_Domain +- Target_Account_Name +- Target_Security_ID +- TaskCategory +- Type +- action +- app +- body +- category +- change_type +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- dest +- dest_nt_domain +- dest_nt_host +- dvc +- dvc_nt_host +- event_id +- eventtype +- host +- id +- index +- linecount +- member_dn +- member_id +- member_nt_domain +- msad_action +- name +- object +- object_attrs +- object_category +- object_id +- product +- punct +- result +- session_id +- severity +- severity_id +- signature +- signature_id +- source +- sourcetype +- splunk_server +- src_nt_domain +- src_user +- src_user_name +- status +- subject +- ta_windows_action +- ta_windows_security_CategoryString +- tag +- tag::eventtype +- timeendpos +- timestartpos +- user +- user_group +- user_name +- vendor +- vendor_product +example_log: 10/09/2020 10:41:29 AM diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml index 7d6f8bd09f..518b80d315 100644 --- a/detections/application/detect_distributed_password_spray_attempts.yml +++ b/detections/application/detect_distributed_password_spray_attempts.yml 
@@ -6,7 +6,7 @@ author: Dean Luxton status: production type: Hunting data_source: -- Authentication Datamodel +- Azure Active Directory Sign-in activity description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A distributed password spray attack is a type of brute force attack where the attacker attempts a few common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. @@ -49,17 +49,17 @@ tags: - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 confidence: 70 impact: 70 - message: Distributed Password Spray Attempt Detected + message: Distributed Password Spray Attempt Detected from $src$ mitre_attack_id: - T1110.003 - T1110 observable: - name: src - type: Endpoint + type: IP Address role: - Attacker - - name: sourcetype - type: Other + - name: unique_accounts + type: User role: - Victim product: diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml index c084024e91..6a90bbebdc 100644 --- a/detections/application/detect_password_spray_attempts.yml +++ b/detections/application/detect_password_spray_attempts.yml @@ -6,7 +6,7 @@ author: Dean Luxton status: production type: TTP data_source: -- Authentication Datamodel +- Windows Event Log Security 4625 description: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts from a single source. A password spray attack is a type of brute force attack where an attacker tries a few common passwords across many different accounts to avoid detection and account lockouts. By utilizing the diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml index 185773ebc9..e3099cbb2a 100644 --- a/detections/application/windows_increase_in_group_or_object_modification_activity.yml 
+++ b/detections/application/windows_increase_in_group_or_object_modification_activity.yml @@ -6,7 +6,7 @@ author: Dean Luxton status: production type: TTP data_source: -- XmlWinEventLog:Security +- Windows Event Log Security 4663 description: This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml index f7eceacd10..2f6baf93a7 100644 --- a/detections/application/windows_increase_in_user_modification_activity.yml +++ b/detections/application/windows_increase_in_user_modification_activity.yml @@ -6,7 +6,7 @@ author: Dean Luxton status: production type: TTP data_source: -- XmlWinEventLog:Security +- Windows Event Log Security 4720 description: This analytic detects an increase in modifications to AD user objects. A large volume of changes to user objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml index e0324ffc1a..373abfb0ea 100644 --- a/detections/endpoint/windows_vulnerable_driver_installed.yml +++ b/detections/endpoint/windows_vulnerable_driver_installed.yml @@ -6,7 +6,7 @@ author: Dean Luxton status: production type: TTP data_source: -- XmlWinEventLog System EventCode 7045 +- Windows Event Log System 7045 description: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Windows System service install EventCode 7045 to identify driver loading 
diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml index f2670befd9..2482756b8d 100644 --- a/detections/network/internal_horizontal_port_scan.yml +++ b/detections/network/internal_horizontal_port_scan.yml @@ -5,7 +5,8 @@ date: '2023-10-20' author: Dean Luxton status: production type: TTP -data_source: [] +data_source: +- AWS CloudWatchLogs VPCflow description: This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port and protocol. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml index 8a18aac5f3..d322a38390 100644 --- a/detections/network/internal_vertical_port_scan.yml +++ b/detections/network/internal_vertical_port_scan.yml @@ -5,7 +5,8 @@ date: '2023-10-20' author: Dean Luxton status: production type: TTP -data_source: [] +data_source: +- AWS CloudWatchLogs VPCflow description: This analytic detects instances where an internal host attempts to communicate with over 500 ports on a single destination IP address. It includes filtering criteria to exclude applications performing scans over ephemeral port ranges,
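Review bot: In the new `data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml`, `separator: eventName` names a field that does not appear in the file's own `fields` list, and `event_names: []` is empty, so the separator can never select anything; VPC flow records carry no eventName, and this looks copied from a CloudTrail template. Either drop `separator` for this source or point it at a field the list actually contains (for example `action` or `log_status`), and document why `event_names` is intentionally empty.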
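Review bot: The `Windows_Event_Log_Security.yml` hunk adds a reference to `data_sources/endpoint/event_sources/Windows_Event_Log_Security_4728.yml`, but the file created in this patch is `Windows_Event_Log_System_4728.yml` with `event_name: Windows Event Log System 4728`, so the new entry points at a path that does not exist and the event name will not match. EventCode 4728 (member added to a security-enabled global group) is a Security log event, so the new file should be renamed to `Windows_Event_Log_Security_4728.yml` and its `event_name` changed to `Windows Event Log Security 4728`. In the same file, the leading empty `+` line before `event_name:` should be removed, and `example_log: 10/09/2020 10:41:29 AM` is only a timestamp; the other event_source files carry a representative full event, and a truncated example gives field-extraction tests nothing to work with.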
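Review bot: In `detect_distributed_password_spray_attempts.yml`, the new observable `- name: unique_accounts` with `type: User` and `role: Victim` looks like it names an aggregate count rather than a user field; if `unique_accounts` is produced by a `dc()` or similar statistic, it cannot be mapped to a User entity and the victim observable should instead reference the field that carries the targeted account names (or be dropped). Also confirm that the search actually emits a `src` field, since the updated `message` now interpolates `$src$` and the observable `type: IP Address` assumes it holds an address.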
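Review bot: `detect_password_spray_attempts.yml` and `detect_distributed_password_spray_attempts.yml` both previously declared `- Authentication Datamodel` as their source, yet this patch narrows one to `Windows Event Log Security 4625` and the other to `Azure Active Directory Sign-in activity`. If both searches still query the Authentication datamodel, each should list every event source that feeds it (at minimum both of the above), otherwise the metadata understates coverage and suggests the two analytics need different telemetry when they do not.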
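Review bot: In `windows_increase_in_group_or_object_modification_activity.yml`, the new `data_source` value `Windows Event Log Security 4663` does not match the description: 4663 is the object-access audit event ("an attempt was made to access an object"), not a group or object modification event. The group membership change codes are the ones this same patch touches in `Windows_Event_Log_Security.yml` (4728, 4732 and the neighbouring entries), so the list should name those, and the 4728 event source added here should appear in it.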
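Review bot: In `windows_increase_in_user_modification_activity.yml`, `Windows Event Log Security 4720` covers only user account creation, while the description says the analytic detects modifications to AD user objects. The account-change events (4738, which appears in the `Windows_Event_Log_Security.yml` context above, plus 4722, 4725 and 4726) should be listed alongside 4720 so the declared sources match what the search consumes.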
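Review bot: For `internal_horizontal_port_scan.yml` and `internal_vertical_port_scan.yml`, replacing `data_source: []` with only `AWS CloudWatchLogs VPCflow` ties two generic internal-scan detections to a single cloud source. If these searches run over the Network_Traffic datamodel, add the other network sources that populate it (firewall and on-premises flow logs) so the metadata does not imply the analytics only work in AWS; if they really are VPC-flow specific, the descriptions should say so.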