fixing up detections

splunk · Oct 17, 2024 · ab830eb · ab830eb
1 parent b17c2d1
commit ab830eb
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 14 deletions.
diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml
@@ -13,26 +13,30 @@ description: This analytic employs the 3-sigma approach to identify distributed
   By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication 
   events, providing comprehensive coverage and enhancing security against these attacks.
 search: >-
-  | tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time  span=5m
+  | tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src values(Authentication.app) as app values(Authentication.src) as src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" NOT Authentication.src IN ("-","unknown") Authentication.user_agent="*" by Authentication.signature_id, Authentication.user_agent, sourcetype, _time  span=10m
   | `drop_dm_object_name("Authentication")`
   ```fill out time buckets for 0-count events during entire search length```
-  | appendpipe [| timechart limit=0 span=5m count | table _time]
-  | fillnull value=0 unique_accounts, unique_src, total_failures
+  | appendpipe [| timechart limit=0 span=10m count | table _time]
+  | fillnull value=0 unique_accounts, unique_src
   ``` Create aggregation field & apply to all null events```
   | eval counter=sourcetype+"__"+signature_id
-  | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) | mvexpand counter
-    ``` remove duplicate & empty time buckets```
+  | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) 
+  | stats values(total_failures) as total_failures values(signature_id) as signature_id values(src) as src values(sourcetype) as sourcetype values(app) as app count by counter unique_accounts unique_src user_agent _time
+    ``` remove 0 count rows where counter has data```
   | sort - _time unique_accounts
   | dedup _time counter
   ``` 3-sigma detection logic ```
-  | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter
+  | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter user_agent
   | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3)
-  | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0)
+  | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_src >= upperBoundsrc), 1, 0)
   | replace "::ffff:*" with * in src
   | where isOutlier=1
   | foreach * 
       [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
-  | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id
+  | mvexpand src 
+  | iplocation src 
+  | table _time, unique_src, unique_accounts, total_failures, sourcetype, signature_id, user_agent, src, Country
+  | eval date_wday=strftime(_time,"%a"), date_hour=strftime(_time,"%H")
   | `detect_distributed_password_spray_attempts_filter`
 how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM)
   and that the src field is populated with the source device information. Additionally, ensure that 
@@ -59,13 +63,16 @@ tags:
     type: IP Address
     role:
     - Attacker
+  - name: user_agent
+    type: user_agent
+    role:
+    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
   risk_score: 49
   required_fields:
-  - Authentication.action
   - Authentication.user
   - Authentication.src
   security_domain: access

diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml
@@ -36,7 +36,12 @@ search: >-
       [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
   | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id, counter
   | `detect_password_spray_attempts_filter`
-how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. 
+how_to_implement: >-
+  Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. 
+  Also ensure fill_nullvalue is set within the macro security_content_summariesonly. 
+
+  This search opporates best on a 5 minute schedule, looking back over the past 70 minutes. 
+  Configure 70 minute throttling on the two fields _time and counter. 
 known_false_positives: Unknown
 references:
 - https://attack.mitre.org/techniques/T1110/003/
@@ -58,10 +63,6 @@ tags:
     type: Endpoint
     role:
     - Attacker
-  - name: sourcetype
-    type: Other
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security