From ddcb8942f3a8d23831a85690c6a955e0234384bd Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Wed, 24 Jul 2024 09:17:46 -0700 Subject: [PATCH 01/10] Add critical alerts to risk index --- contentctl.yml | 6 +++ .../critical_alerts_to_risk_index.yml | 47 +++++++++++++++++++ stories/critical_alerts.yml | 15 ++++++ 3 files changed, 68 insertions(+) create mode 100644 detections/endpoint/critical_alerts_to_risk_index.yml create mode 100644 stories/critical_alerts.yml diff --git a/contentctl.yml b/contentctl.yml index 93279c5acc..ecdbb7485a 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -176,6 +176,12 @@ apps: version: 5.4.1 description: description of app hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-machine-learning-toolkit_541.tgz +- uid: 5518 + title: Splunk add on for Microsoft Defender Advanced Hunting + appid: SPLUNK_ADD_ON_FOR_MICROSOFT_DEFENDER_ADVANCED_HUNTING + version: 1.3.7 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_137.tgz - uid: 2734 title: URL Toolbox appid: URL_TOOLBOX diff --git a/detections/endpoint/critical_alerts_to_risk_index.yml b/detections/endpoint/critical_alerts_to_risk_index.yml new file mode 100644 index 0000000000..3d57e218df --- /dev/null +++ b/detections/endpoint/critical_alerts_to_risk_index.yml 
@@ -0,0 +1,47 @@ +name: Critical Alerts To Risk Index +id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd +version: 1 +date: '2024-06-04' +author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk +status: production +type: TTP +data_source: [] +description: The primary objective of this rule is to integrate and assess critical alerts from Endpoint, DLP, and firewall sources within the splunk system. By correlating these alerts and incorporating MITRE annotations, the rule provides a comprehensive view of customer risk. It triggers an alert when critical alerts from these categories are detected, preserving the originating source and assigning risk scores. The rule helps security analysts better understand potential threats, enabling timely and effective responses to mitigate risks. The results are collected in the risk index for continuous monitoring and analysis. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.signature Alerts.app, Alerts.severity, Alerts.description, source, Alerts.id, Alerts.dest + | `drop_dm_object_name("Alerts")` + | `critical_alerts_to_risk_index_filter`' +how_to_implement: In order to properly run this search, Splunk needs to ingest data from other security products. +known_false_positives: False positives may vary by endpoint protection tool; monitor and adjust the risk scores as needed. 
+references: + - https://attack.mitre.org/tactics/ +tags: + analytic_story: + - Critical Alerts + asset_type: Endpoint + atomic_guid: [] + confidence: 90 + impact: 90 + message: $severity$ alert from $dest$ for $app$ with signature $signature$ and description $description$ + mitre_attack_id: + - T1484 + observable: + - name: dest + type: Other + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - app + - name + risk_score: 81 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/AdvancedHunting.log + source: eventhub://windowsdefenderlogs + sourcetype: mscs:azure:eventhub:defender:advancedhunting \ No newline at end of file diff --git a/stories/critical_alerts.yml b/stories/critical_alerts.yml new file mode 100644 index 0000000000..cc0ec67793 --- /dev/null +++ b/stories/critical_alerts.yml @@ -0,0 +1,15 @@ +name: Critical Alerts +id: bc7056a5-c2b0-4b83-93ce-5f31739305c8 +date: '2024-06-21' +author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk +description: Rule for sending alerts to risk index. +narrative: This story has rules that integrates and assesses critical alerts from Endpoint, DLP, and firewall sources in Splunk. By correlating alerts and adding MITRE annotations, it provides a comprehensive view of customer risk. It triggers an alert when critical alerts are detected, preserving the source and assigning risk scores. This helps security analysts understand threats and respond effectively. +references: +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file From 93e3af152cd69a3a43c383693c7accf5188e4cb4 Mon Sep 17 00:00:00 2001 
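Review bot: `required_fields` lists `name`, which nothing in the search produces or references, while the fields the tstats actually reads (`Alerts.signature`, `Alerts.severity`, `Alerts.description`, `source`, `Alerts.id`, `Alerts.dest`) are missing, so the list does not describe what this detection depends on. The `mitre_attack_id` of `T1484` (Domain Policy Modification) also looks arbitrary for a rule that forwards every high/critical alert regardless of technique; if no single technique is meaningful here, consider whether the annotation belongs at all rather than leaving a misleading one. As a point of style, the `by` clause mixes separators (`Alerts.signature Alerts.app, Alerts.severity`); make it uniformly comma-separated.
```yaml
  required_fields:
    - _time
    - Alerts.signature
    - Alerts.app
    - Alerts.severity
    - Alerts.description
    - source
    - Alerts.id
    - Alerts.dest
  # … unchanged: risk_score, security_domain …
```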
From: Gowthamaraj rajendran Date: Mon, 5 Aug 2024 10:15:40 -0700 Subject: [PATCH 02/10] Edit the detection --- detections/endpoint/critical_alerts_to_risk_index.yml | 8 ++++---- stories/critical_alerts.yml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/detections/endpoint/critical_alerts_to_risk_index.yml b/detections/endpoint/critical_alerts_to_risk_index.yml index 3d57e218df..4e5546aeb1 100644 --- a/detections/endpoint/critical_alerts_to_risk_index.yml +++ b/detections/endpoint/critical_alerts_to_risk_index.yml @@ -1,4 +1,4 @@ -name: Critical Alerts To Risk Index +name: Detect Critical Alerts from Security Tools id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd version: 1 date: '2024-06-04' 
@@ -9,8 +9,8 @@ data_source: [] description: The primary objective of this rule is to integrate and assess critical alerts from Endpoint, DLP, and firewall sources within the splunk system. By correlating these alerts and incorporating MITRE annotations, the rule provides a comprehensive view of customer risk. It triggers an alert when critical alerts from these categories are detected, preserving the originating source and assigning risk scores. The rule helps security analysts better understand potential threats, enabling timely and effective responses to mitigate risks. The results are collected in the risk index for continuous monitoring and analysis. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.signature Alerts.app, Alerts.severity, Alerts.description, source, Alerts.id, Alerts.dest | `drop_dm_object_name("Alerts")` - | `critical_alerts_to_risk_index_filter`' -how_to_implement: In order to properly run this search, Splunk needs to ingest data from other security products. + | `detect_critical_alerts_from_security_tools_filter`' +how_to_implement: In order to properly run this search, Splunk needs to ingest data from other security products such as crowdstrike, microsoft defender, or carbon black. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. known_false_positives: False positives may vary by endpoint protection tool; monitor and adjust the risk scores as needed. references: - https://attack.mitre.org/tactics/ @@ -28,7 +28,7 @@ tags: - name: dest type: Other role: - - Victim + - Endpoint product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/stories/critical_alerts.yml b/stories/critical_alerts.yml index cc0ec67793..abc59966c9 100644 --- a/stories/critical_alerts.yml +++ b/stories/critical_alerts.yml 
@@ -2,7 +2,7 @@ name: Critical Alerts id: bc7056a5-c2b0-4b83-93ce-5f31739305c8 date: '2024-06-21' author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk -description: Rule for sending alerts to risk index. +description: The rules are designed to integrate and assess critical alerts from Endpoint, DLP, and firewall sources within Splunk. By correlating these alerts and enriching them with MITRE ATT&CK annotations, it offers a nuanced perspective on alerts risk profiles. This rule actively monitors for critical alerts, and upon detection, it triggers an alert that not only preserves the original source information but also assigns a quantified risk score. narrative: This story has rules that integrates and assesses critical alerts from Endpoint, DLP, and firewall sources in Splunk. By correlating alerts and adding MITRE annotations, it provides a comprehensive view of customer risk. It triggers an alert when critical alerts are detected, preserving the source and assigning risk scores. This helps security analysts understand threats and respond effectively. references: tags: From b0d440aacc7f64149d227df77996e03e66bc4bc1 Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Thu, 12 Sep 2024 11:22:59 -0700 Subject: [PATCH 03/10] edit detection --- ...index.yml => detect_critical_alerts_from_security_tools.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename detections/endpoint/{critical_alerts_to_risk_index.yml => detect_critical_alerts_from_security_tools.yml} (99%) diff --git a/detections/endpoint/critical_alerts_to_risk_index.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml similarity index 99% rename from detections/endpoint/critical_alerts_to_risk_index.yml rename to detections/endpoint/detect_critical_alerts_from_security_tools.yml index 4e5546aeb1..c90beaa60d 100644 --- a/detections/endpoint/critical_alerts_to_risk_index.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml 
@@ -28,7 +28,7 @@ tags: - name: dest type: Other role: - - Endpoint + - Victim product: - Splunk Enterprise - Splunk Enterprise Security From 602d2c9c1e887b8dde22867f5925dc703144262d Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Thu, 12 Sep 2024 17:23:00 -0700 Subject: [PATCH 04/10] edit SPL and dataset --- .../endpoint/detect_critical_alerts_from_security_tools.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml index c90beaa60d..f3b1a84347 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml 
@@ -5,10 +5,10 @@ date: '2024-06-04' author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk status: production type: TTP -data_source: [] +data_source: ["windows defender logs"] description: The primary objective of this rule is to integrate and assess critical alerts from Endpoint, DLP, and firewall sources within the splunk system. By correlating these alerts and incorporating MITRE annotations, the rule provides a comprehensive view of customer risk. It triggers an alert when critical alerts from these categories are detected, preserving the originating source and assigning risk scores. The rule helps security analysts better understand potential threats, enabling timely and effective responses to mitigate risks. The results are collected in the risk index for continuous monitoring and analysis. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.signature Alerts.app, Alerts.severity, Alerts.description, source, Alerts.id, Alerts.dest - | `drop_dm_object_name("Alerts")` + | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_critical_alerts_from_security_tools_filter`' how_to_implement: In order to properly run this search, Splunk needs to ingest data from other security products such as crowdstrike, microsoft defender, or carbon black. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. known_false_positives: False positives may vary by endpoint protection tool; monitor and adjust the risk scores as needed. From 77aa23917945d3effac881359232e71dcd05d48c Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Thu, 12 Sep 2024 18:26:48 -0700 Subject: [PATCH 05/10] Update TA to 1.4.1 --- contentctl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/contentctl.yml b/contentctl.yml index 1065261ec1..8e58f7eabf 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -181,7 +181,7 @@ apps: appid: SPLUNK_ADD_ON_FOR_MICROSOFT_DEFENDER_ADVANCED_HUNTING version: 1.3.7 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_137.tgz + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_141.tgz - uid: 2734 title: URL Toolbox appid: URL_TOOLBOX From 19f81c24ef99a2d1f520a645c16bcd129b12f45d Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Tue, 24 Sep 2024 10:00:05 -0700 Subject: [PATCH 06/10] Add data source object --- data_sources/windows_defender_alerts.yml | 67 +++++++++++++++++++ ...ct_critical_alerts_from_security_tools.yml | 6 +- stories/critical_alerts.yml | 2 + 3 files changed, 73 insertions(+), 2 deletions(-) create mode 100644 data_sources/windows_defender_alerts.yml diff --git a/data_sources/windows_defender_alerts.yml b/data_sources/windows_defender_alerts.yml new file mode 100644 index 0000000000..eae9475267 --- /dev/null +++ b/data_sources/windows_defender_alerts.yml 
@@ -0,0 +1,67 @@ +name: Windows Defender Alerts +id: 91738e9e-d112-41c9-b91b-e5868d8993d7 +version: 1 +date: '2024-09-24' +author: Gowthamaraj Rajendran +description: Data source object for Windows Defender alerts +source: eventhub://windowsdefenderlogs +sourcetype: mscs:azure:eventhub:defender:advancedhunting +separator: AlertId +supported_TA: + - name: Splunk add on for Microsoft Defender Advanced Hunting + url: https://splunkbase.splunk.com/app/5518 + version: 1.3.7 +fields: + - _time + - AlertId + - TenantId + - OperationName + - Category + - Timestamp + - EntityType + - EvidenceRole + - SHA1 + - SHA256 + - RemoteIP + - LocalIP + - RemoteUrl + - AccountName + - AccountDomain + - AccountSid + - AccountObjectId + - DeviceId + - ThreatFamily + - EvidenceDirection + - AdditionalFields + - MachineGroup + - NetworkMessageId + - ServiceSource + - FileName + - FolderPath + - ProcessCommandLine + - EmailSubject + - ApplicationId + - Application + - DeviceName + - FileSize + - RegistryKey + - RegistryValueName + - RegistryValueData + - AccountUpn + - OAuthApplicationId + - Categories + - Title + - AttackTechniques + - DetectionSource + - Severity +example_log: {"time": "2024-06-14T20:12:23.3360383Z", "tenantId": "abced-c7ee-abce-1123-123", "operationName": "Publish", + "category": "AdvancedHunting-AlertEvidence", "properties": {"Timestamp": "2024-04-14T19:59:59.1549925Z", "AlertId": "dc25", + "EntityType": "CloudResource", "EvidenceRole": "Impacted", "SHA1": null, "SHA256": null, "RemoteIP": null, "LocalIP": null, + "RemoteUrl": null, "AccountName": null, "AccountDomain": null, "AccountSid": null, "AccountObjectId": null, "DeviceId": null, + "ThreatFamily": null, "EvidenceDirection": null, "AdditionalFields": "{\"ResourceId\":\"/subscriptions/1-2-3-4/resourceGroups/pluginframework/ + providers/Microsoft.Compute/virtualMachines/phantom-identity\",\"ResourceType\":\"Virtual Machine\",\"ResourceName\":\"phantom-identity\",\"Asset\":true,\" + 
Type\":\"azure-resource\",\"Role\":0,\"MergeByKey\":\"abcd=\",\"MergeByKeyHex\":\"1234\"}", "MachineGroup": null, "NetworkMessageId": null, "ServiceSource": + "Microsoft Defender for Cloud", "FileName": null, "FolderPath": null, "ProcessCommandLine": null, "EmailSubject": null, "ApplicationId": null, "Application": + null, "DeviceName": null, "FileSize": null, "RegistryKey": null, "RegistryValueName": null, "RegistryValueData": null, "AccountUpn": null, "OAuthApplicationId": + null, "Categories": "[\"InitialAccess\"]", "Title": "Suspicious authentication activity", "AttackTechniques": "", "DetectionSource": "DefenderForServers", + "Severity": "High"}, "Tenant": "DefaultTenant"} diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml index f3b1a84347..111f1ebe6d 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml 
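Review bot: `example_log` is a bare `{…}` value, so the YAML parser reads it as a nested flow mapping rather than the raw event string, and the hard line breaks placed inside the quoted `AdditionalFields` JSON (after `pluginframework/` and after `true,\"`) are folded into spaces, which corrupts the embedded ResourceId path and turns the `Type` key into `" Type"`. The single quotes added in the later hunk on data_sources/windows_defender_alerts.yml (patch 07) fix the type but not the folding, because a quoted scalar folds its line breaks the same way. Keep the JSON on one physical line, or break the quoted scalar only between JSON tokens (after `, `), never inside a string value.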
@@ -5,7 +5,7 @@ date: '2024-06-04' author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk status: production type: TTP -data_source: ["windows defender logs"] +data_source: ["windows defender alerts"] description: The primary objective of this rule is to integrate and assess critical alerts from Endpoint, DLP, and firewall sources within the splunk system. By correlating these alerts and incorporating MITRE annotations, the rule provides a comprehensive view of customer risk. It triggers an alert when critical alerts from these categories are detected, preserving the originating source and assigning risk scores. The rule helps security analysts better understand potential threats, enabling timely and effective responses to mitigate risks. The results are collected in the risk index for continuous monitoring and analysis. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.signature Alerts.app, Alerts.severity, Alerts.description, source, Alerts.id, Alerts.dest | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` @@ -14,6 +14,8 @@ how_to_implement: In order to properly run this search, Splunk needs to ingest d known_false_positives: False positives may vary by endpoint protection tool; monitor and adjust the risk scores as needed. references: - https://attack.mitre.org/tactics/ + - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts + - https://docs.splunk.com/Documentation/CIM/5.3.2/User/UsetheCAM tags: analytic_story: - Critical Alerts @@ -26,7 +28,7 @@ tags: - T1484 observable: - name: dest - type: Other + type: Endpoint role: - Victim product: diff --git a/stories/critical_alerts.yml b/stories/critical_alerts.yml index abc59966c9..b4abd69f4e 100644 --- a/stories/critical_alerts.yml +++ b/stories/critical_alerts.yml 
@@ -5,6 +5,8 @@ author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk description: The rules are designed to integrate and assess critical alerts from Endpoint, DLP, and firewall sources within Splunk. By correlating these alerts and enriching them with MITRE ATT&CK annotations, it offers a nuanced perspective on alerts risk profiles. This rule actively monitors for critical alerts, and upon detection, it triggers an alert that not only preserves the original source information but also assigns a quantified risk score. narrative: This story has rules that integrates and assesses critical alerts from Endpoint, DLP, and firewall sources in Splunk. By correlating alerts and adding MITRE annotations, it provides a comprehensive view of customer risk. It triggers an alert when critical alerts are detected, preserving the source and assigning risk scores. This helps security analysts understand threats and respond effectively. references: + - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts + - https://docs.splunk.com/Documentation/CIM/5.3.2/User/UsetheCAM tags: category: - Adversary Tactics From 8451aead4f4179636498ba5eb6c79534bd000a4d Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Tue, 24 Sep 2024 10:03:31 -0700 Subject: [PATCH 07/10] edit the data source example --- data_sources/windows_defender_alerts.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data_sources/windows_defender_alerts.yml b/data_sources/windows_defender_alerts.yml index eae9475267..f0a30d0c78 100644 --- a/data_sources/windows_defender_alerts.yml +++ b/data_sources/windows_defender_alerts.yml 
@@ -54,7 +54,7 @@ fields: - AttackTechniques - DetectionSource - Severity -example_log: {"time": "2024-06-14T20:12:23.3360383Z", "tenantId": "abced-c7ee-abce-1123-123", "operationName": "Publish", +example_log: '{"time": "2024-06-14T20:12:23.3360383Z", "tenantId": "abced-c7ee-abce-1123-123", "operationName": "Publish", "category": "AdvancedHunting-AlertEvidence", "properties": {"Timestamp": "2024-04-14T19:59:59.1549925Z", "AlertId": "dc25", "EntityType": "CloudResource", "EvidenceRole": "Impacted", "SHA1": null, "SHA256": null, "RemoteIP": null, "LocalIP": null, "RemoteUrl": null, "AccountName": null, "AccountDomain": null, "AccountSid": null, "AccountObjectId": null, "DeviceId": null, @@ -64,4 +64,4 @@ example_log: {"time": "2024-06-14T20:12:23.3360383Z", "tenantId": "abced-c7ee-ab "Microsoft Defender for Cloud", "FileName": null, "FolderPath": null, "ProcessCommandLine": null, "EmailSubject": null, "ApplicationId": null, "Application": null, "DeviceName": null, "FileSize": null, "RegistryKey": null, "RegistryValueName": null, "RegistryValueData": null, "AccountUpn": null, "OAuthApplicationId": null, "Categories": "[\"InitialAccess\"]", "Title": "Suspicious authentication activity", "AttackTechniques": "", "DetectionSource": "DefenderForServers", - "Severity": "High"}, "Tenant": "DefaultTenant"} + "Severity": "High"}, "Tenant": "DefaultTenant"}' From ee35624da02a1766d54d79dd15d822d5ab2850ce Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 9 Oct 2024 16:05:40 -0700 Subject: [PATCH 08/10] updating --- ...detect_critical_alerts_from_security_tools.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml index 111f1ebe6d..232aa34073 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml 
@@ -1,17 +1,18 @@ name: Detect Critical Alerts from Security Tools id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd version: 1 -date: '2024-06-04' -author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk +date: '2024-10-09' +author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Splunk status: production type: TTP -data_source: ["windows defender alerts"] -description: The primary objective of this rule is to integrate and assess critical alerts from Endpoint, DLP, and firewall sources within the splunk system. By correlating these alerts and incorporating MITRE annotations, the rule provides a comprehensive view of customer risk. It triggers an alert when critical alerts from these categories are detected, preserving the originating source and assigning risk scores. The rule helps security analysts better understand potential threats, enabling timely and effective responses to mitigate risks. The results are collected in the risk index for continuous monitoring and analysis. +data_source: +- Windows Defender Alerts +description: The following analytics is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. 
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.signature Alerts.app, Alerts.severity, Alerts.description, source, Alerts.id, Alerts.dest | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_critical_alerts_from_security_tools_filter`' -how_to_implement: In order to properly run this search, Splunk needs to ingest data from other security products such as crowdstrike, microsoft defender, or carbon black. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. -known_false_positives: False positives may vary by endpoint protection tool; monitor and adjust the risk scores as needed. +how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. +known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment. references: - https://attack.mitre.org/tactics/ - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts @@ -23,7 +24,7 @@ tags: atomic_guid: [] confidence: 90 impact: 90 - message: $severity$ alert from $dest$ for $app$ with signature $signature$ and description $description$ + message: $severity$ alert from dest - [$dest$] for $app$ with signature [$signature$] from vendor source - [$source$] mitre_attack_id: - T1484 observable: From ad27516532bad3025db54b2ec513f77b575345d5 Mon Sep 17 00:00:00 2001 
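Review bot: The rewritten `how_to_implement` drops a word — `you to ingest alerts data` should read `you need to ingest alerts data` — and the new `description` runs two sentences together at `environment.This capability` and opens with `The following analytics is`, where `analytic is` agrees. These fields are rendered verbatim into the published content, so fix them in this hunk: `how_to_implement: In order to properly run this search, you need to ingest alerts data from other security products …`.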
From: Bhavin Patel Date: Wed, 9 Oct 2024 16:05:43 -0700 Subject: [PATCH 09/10] updating --- ...ect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml | 5 +++-- .../detect_spike_in_aws_security_hub_alerts_for_user.yml | 5 +++-- .../endpoint/detect_critical_alerts_from_security_tools.yml | 4 ++-- stories/critical_alerts.yml | 4 ++-- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml index 131d791a79..bc038dda3a 100644 --- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml +++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml @@ -1,7 +1,7 @@ name: Detect Spike in AWS Security Hub Alerts for EC2 Instance id: 2a9b80d3-6340-4345-b5ad-290bf5d0d222 -version: 4 -date: '2024-05-19' +version: 5 +date: '2024-10-09' author: Bhavin Patel, Splunk status: production type: Anomaly @@ -31,6 +31,7 @@ references: [] tags: analytic_story: - AWS Security Hub Alerts + - Critical Alerts asset_type: AWS Instance confidence: 50 impact: 30 diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml index 14a717bb9a..9bcb340cbe 100644 --- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml +++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml @@ -1,7 +1,7 @@ name: Detect Spike in AWS Security Hub Alerts for User id: 2a9b80d3-6220-4345-b5ad-290bf5d0d222 -version: 4 -date: '2024-05-18' +version: 5 +date: '2024-10-09' author: Bhavin Patel, Splunk status: experimental type: Anomaly @@ -28,6 +28,7 @@ references: [] tags: analytic_story: - AWS Security Hub Alerts + - Critical Alerts asset_type: AWS Instance confidence: 50 impact: 50 
diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml index 232aa34073..ea402f751c 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml @@ -14,9 +14,9 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment. references: - - https://attack.mitre.org/tactics/ + - https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/accessing-microsoft-defender-for-cloud-alerts-in-splunk-using/ba-p/938228 - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts - - https://docs.splunk.com/Documentation/CIM/5.3.2/User/UsetheCAM + - https://learn.microsoft.com/en-us/defender-endpoint/api/raw-data-export-event-hub tags: analytic_story: - Critical Alerts diff --git a/stories/critical_alerts.yml b/stories/critical_alerts.yml index b4abd69f4e..4ca55286b5 100644 --- a/stories/critical_alerts.yml +++ b/stories/critical_alerts.yml 
@@ -2,8 +2,8 @@ name: Critical Alerts id: bc7056a5-c2b0-4b83-93ce-5f31739305c8 date: '2024-06-21' author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk -description: The rules are designed to integrate and assess critical alerts from Endpoint, DLP, and firewall sources within Splunk. By correlating these alerts and enriching them with MITRE ATT&CK annotations, it offers a nuanced perspective on alerts risk profiles. This rule actively monitors for critical alerts, and upon detection, it triggers an alert that not only preserves the original source information but also assigns a quantified risk score. -narrative: This story has rules that integrates and assesses critical alerts from Endpoint, DLP, and firewall sources in Splunk. By correlating alerts and adding MITRE annotations, it provides a comprehensive view of customer risk. It triggers an alert when critical alerts are detected, preserving the source and assigning risk scores. This helps security analysts understand threats and respond effectively. +description: This analytic story contains detections that monitor critical alerts data from security tools ingested into Splunk. By correlating these alerts and enriching them with MITRE ATT&CK annotations and other risk events, it offers a nuanced perspective on potential threats and security posture of your organization. +narrative: Monitoring alerts from security tools is crucial because they act as an early warning system for potential threats. High and critical alerts signal serious issues that could compromise your systems if not addressed promptly. By keeping an eye on these alerts, you can quickly identify and respond to threats, minimizing damage and protecting sensitive data. This proactive approach not only strengthens your security posture but also ensures you're ready to tackle any compliance requirements by maintaining a detailed record of significant security events. 
This story has rules that integrates and assesses critical alerts from Endpoint, DLP, and firewall sources in Splunk. By correlating alerts and adding MITRE annotations, it provides a comprehensive view of customer risk. It triggers an alert when critical alerts are detected, preserving the source and assigning risk scores. This helps security analysts understand threats and respond effectively. references: - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts - https://docs.splunk.com/Documentation/CIM/5.3.2/User/UsetheCAM From f0dfaebf3915826711aca6ef558c923375904d6e Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 15 Oct 2024 13:44:46 -0700 Subject: [PATCH 10/10] updates per Lous feedback --- contentctl.yml | 2 +- data_sources/windows_defender_alerts.yml | 2 +- .../endpoint/detect_critical_alerts_from_security_tools.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/contentctl.yml b/contentctl.yml index 3260573651..43c4ee9306 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -179,7 +179,7 @@ apps: - uid: 5518 title: Splunk add on for Microsoft Defender Advanced Hunting appid: SPLUNK_ADD_ON_FOR_MICROSOFT_DEFENDER_ADVANCED_HUNTING - version: 1.3.7 + version: 1.4.1 description: description of app hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_141.tgz - uid: 2734 diff --git a/data_sources/windows_defender_alerts.yml b/data_sources/windows_defender_alerts.yml index f0a30d0c78..83a470bf4b 100644 --- a/data_sources/windows_defender_alerts.yml +++ b/data_sources/windows_defender_alerts.yml @@ -10,7 +10,7 @@ separator: AlertId supported_TA: - name: Splunk add on for Microsoft Defender Advanced Hunting url: https://splunkbase.splunk.com/app/5518 - version: 1.3.7 + version: 1.4.1 fields: - _time - AlertId 
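Review bot: The new `narrative` appears to keep the previous text after the fresh paragraph — the hunk header's line counts admit only one `+narrative` line, so `This story has rules that integrates and assesses …` reads as the tail of that value (inferred from the collapsed layout). Either drop the old sentence, which now restates the `description`, or at least fix the agreement to `rules that integrate and assess`.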
diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml index ea402f751c..be849e941a 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml @@ -24,7 +24,7 @@ tags: atomic_guid: [] confidence: 90 impact: 90 - message: $severity$ alert from dest - [$dest$] for $app$ with signature [$signature$] from vendor source - [$source$] + message: $severity$ alert for $dest$ from $source$ - $signature$ mitre_attack_id: - T1484 observable: