Merge branch 'develop' into public_change_1

.github/workflows/build.yml

@@ -2,6 +2,9 @@ name: build
 on:
   pull_request:
     types: [opened, reopened, synchronize]
+  push:
+    branches:
+      - develop
 jobs:
   build:
     #Note that the CircleCI job used a Container.  The way to do this with Github Actions

.github/workflows/unit-testing.yml

@@ -7,11 +7,14 @@ jobs:
     runs-on: ubuntu-latest
     if: "!contains(github.ref, 'refs/tags/')" #don't run on tags - future steps won't run either since they depend on this job
     # needs: [validate-tag-if-present, quit-for-dependabot]
-    steps: 
+    steps:
+        #For fork PRs, always check out security_content and the PR target in security content!
         - name: Check out the repository code
           uses: actions/checkout@v4
           with:
-            ref: develop
+            repository: 'splunk/security_content' #this should be the TARGET repo of the PR. we hardcode it for now
+            ref: ${{ github.base_ref }}
+
 
         - uses: actions/setup-python@v5
           with:
@@ -24,13 +27,20 @@ jobs:
             pip install contentctl
            
         # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
+        # Make sure we check out the PR, even if it actually lives in a fork
+        # Instructions for pulling a PR were taken from: 
+        # https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally
         - name: Run ContentCTL test for changes against target branch
           run: |
+            
             echo "Current Branch (Head Ref): ${{ github.head_ref }}"
             echo "Target Branch (Base Ref): ${{ github.base_ref }}"
             git pull > /dev/null 2>&1
-            git checkout ${{ github.head_ref }}
-            echo "The target branch for this PR is ${{ github.base_ref }}"
+            git fetch origin pull/${{ github.event.pull_request.number }}/head:${{ github.head_ref }}
+            #We must specifically get the PR's target branch from security_content, not the one that resides in the fork PR's forked repo
+            git switch ${{ github.head_ref }}
+            #git checkout ${{ github.head_ref }}
+            #echo "The target branch for this PR is ${{ github.base_ref }}"
             contentctl test --disable-tqdm --no-enable-integration-testing --post-test-behavior never_pause mode:changes --mode.target-branch ${{ github.base_ref }}
             echo "contentctl test - COMPLETED"
           continue-on-error: true
@@ -55,5 +65,4 @@ jobs:
           run: |       
             echo "This job will fail if there are failures in unit-testing"  
             python .github/workflows/format_test_results.py >> $GITHUB_STEP_SUMMARY
-            echo "The Unit testing is completed. See details in the unit-testing job summary UI "
-            
+            echo "The Unit testing is completed. See details in the unit-testing job summary UI "

README.md

@@ -2,8 +2,8 @@
 <p align="center">
     <a href="https://github.com/splunk/security_content/releases">
         <img src="https://img.shields.io/github/v/release/splunk/security_content" /></a>
-    <a href="https://github.com/splunk/security_content/actions/workflows/validate-and-build.yml/badge.svg?branch=develop">
-        <img src="https://github.com/splunk/security_content/actions/workflows/validate-and-build.yml/badge.svg?branch=develop" /></a>
+    <a href="https://github.com/splunk/security_content/actions/workflows/build.yml/badge.svg?branch=develop">
+        <img src="https://github.com/splunk/security_content/actions/workflows/build.yml/badge.svg?branch=develop" /></a>
     <a href="https://github.com/splunk/security_content">
         <img src="https://security-content.s3-us-west-2.amazonaws.com/reporting/detection_count.svg" /></a>
     <a href="https://github.com/splunk/security_content">

data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml

@@ -0,0 +1,66 @@
+name: AWS CloudWatchLogs VPCflow
+id: 38a34fc4-e128-4478-a8f4-7835d51d5135
+author: Bhavin Patel, Splunk
+source: aws_cloudwatchlogs_vpcflow
+sourcetype: aws:cloudwatchlogs:vpcflow
+separator: eventName
+supported_TA:
+  name: Splunk Add-on for Amazon Web Services (AWS)
+  version: 7.4.1
+  url: https://splunkbase.splunk.com/app/1876
+event_names: []
+fields:
+- _raw
+- _time
+- account_id
+- action
+- app
+- aws_account_id
+- bytes
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_ip
+- dest_port
+- duration
+- dvc
+- end_time
+- eventtype
+- host
+- index
+- interface_id
+- linecount
+- log_status
+- packets
+- protocol
+- protocol_code
+- protocol_full_name
+- protocol_version
+- punct
+- region
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_port
+- start_time
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- transport
+- user_id
+- vendor_account
+- vendor_product
+- version
+- vpcflow_action
+example_log: '2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK'

data_sources/endpoint/Windows_Event_Log_Security.yml

@@ -45,6 +45,8 @@ event_names:
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml
 - event_name: Windows Event Log Security 4726
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml
+- event_name: Windows Event Log Security 4728
+  data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4728.yml
 - event_name: Windows Event Log Security 4732
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml
 - event_name: Windows Event Log Security 4738

data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml

@@ -0,0 +1,88 @@
+event_name: Windows Event Log System 4728
+fields:
+- _time
+- Account_Domain
+- Account_Name
+- CategoryString
+- ComputerName
+- Error_Code
+- EventCode
+- EventType
+- Keywords
+- LogName
+- Logon_ID
+- Message
+- OpCode
+- RecordNumber
+- Security_ID
+- SourceName
+- Subject_Account_Domain
+- Subject_Account_Name
+- Subject_Logon_ID
+- Subject_Security_ID
+- Target_Account_Domain
+- Target_Account_Name
+- Target_Security_ID
+- TaskCategory
+- Type
+- action
+- app
+- body
+- category
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dest_nt_host
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- member_dn
+- member_id
+- member_nt_domain
+- msad_action
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product
+example_log: 10/09/2020 10:41:29 AM

detections/application/detect_distributed_password_spray_attempts.yml

@@ -0,0 +1,81 @@
+name: Detect Distributed Password Spray Attempts
+id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
+version: 1
+date: '2023-11-01'
+author: Dean Luxton
+status: production
+type: Hunting
+data_source:
+- Azure Active Directory Sign-in activity
+description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A 
+  distributed password spray attack is a type of brute force attack where the attacker attempts a few 
+  common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. 
+  By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication 
+  events, providing comprehensive coverage and enhancing security against these attacks.
+search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time  span=2m
+  | `drop_dm_object_name("Authentication")`
+  ```fill out time buckets for 0-count events during entire search length```
+  | appendpipe [| timechart limit=0 span=5m count | table _time]
+  | fillnull value=0 unique_accounts, unique_src
+  ``` remove duplicate & empty time buckets```
+  | sort - total_failures
+  | dedup _time
+  ``` Create aggregation field & apply to all null events```
+  | eval counter=sourcetype+"__"+signature_id
+  | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter)
+  ``` 3-sigma detection logic ```
+  | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter
+  | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3)
+  | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0)
+  | replace "::ffff:*" with * in src
+  | where isOutlier=1
+  | foreach * 
+      [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
+  | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id
+  | sort - total_failures | `detect_distributed_password_spray_attempts_filter`'
+how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM)
+  and that the src field is populated with the source device information. Additionally, ensure that 
+  fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from 
+  log sources that do not feature the signature_id field in the results.
+known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings.
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+tags:
+  analytic_story:
+  - Compromised User Account
+  - Active Directory Password Spraying
+  asset_type: Endpoint
+  atomic_guid:
+  - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
+  confidence: 70
+  impact: 70
+  message: Distributed Password Spray Attempt Detected from $src$
+  mitre_attack_id:
+  - T1110.003
+  - T1110
+  observable:
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  - name: unique_accounts
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 49
+  required_fields:
+  - Authentication.action
+  - Authentication.user
+  - Authentication.src
+  security_domain: access
+  manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion. 
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log
+    source: azure:monitor:aad
+    sourcetype: azure:monitor:aad

detections/application/detect_password_spray_attempts.yml

@@ -0,0 +1,75 @@
+name: Detect Password Spray Attempts
+id: 086ab581-8877-42b3-9aee-4a7ecb0923af
+version: 1
+date: '2023-11-01'
+author: Dean Luxton
+status: production
+type: TTP
+data_source:
+- Windows Event Log Security 4625
+description: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts
+  from a single source. A password spray attack is a type of brute force attack where an attacker tries a few
+  common passwords across many different accounts to avoid detection and account lockouts. By utilizing the
+  Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing
+  comprehensive coverage and enhancing security against these attacks.
+search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time  span=2m
+  | `drop_dm_object_name("Authentication")`
+  ```fill out time buckets for 0-count events during entire search length```
+  | appendpipe [| timechart limit=0 span=5m count | table _time]
+  | fillnull value=0 unique_accounts, unique_src
+  ``` remove duplicate & empty time buckets```
+  | sort - total_failures
+  | dedup _time
+  ``` Create aggregation field & apply to all null events```
+  | eval counter=src+"__"+sourcetype+"__"+signature_id
+  | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter)
+  | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter
+  | eval upperBound=(comp_avg+comp_std*3)
+  | eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0)
+  | replace "::ffff:*" with * in src
+  | where isOutlier=1
+  | foreach * [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
+  | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id
+  | `detect_password_spray_attempts_filter`'
+how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. 
+known_false_positives: Unknown
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+tags:
+  analytic_story:
+  - Compromised User Account
+  - Active Directory Password Spraying
+  asset_type: Endpoint
+  atomic_guid:
+  - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
+  confidence: 70
+  impact: 70
+  message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts. 
+  mitre_attack_id:
+  - T1110.003
+  - T1110
+  observable:
+  - name: src
+    type: Endpoint
+    role:
+    - Attacker
+  - name: sourcetype
+    type: Other
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 49
+  required_fields:
+  - Authentication.action
+  - Authentication.user
+  - Authentication.src
+  security_domain: access
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log
+    source: XmlWinEventLog:Security
+    sourcetype: XmlWinEventLog