Critical Alerts detection - Microsoft Defender

contentctl.yml

@@ -176,6 +176,12 @@ apps:
   version: 5.4.1
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-machine-learning-toolkit_541.tgz
+- uid: 5518
+  title: Splunk add on for Microsoft Defender Advanced Hunting
+  appid: SPLUNK_ADD_ON_FOR_MICROSOFT_DEFENDER_ADVANCED_HUNTING
+  version: 1.3.7
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_137.tgz
 - uid: 2734
   title: URL Toolbox
   appid: URL_TOOLBOX

detections/endpoint/critical_alerts_to_risk_index.yml

@@ -0,0 +1,47 @@
+name: Critical Alerts To Risk Index
+id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd
+version: 1
+date: '2024-06-04'
+author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk
+status: production
+type: TTP
+data_source: []
+description: The primary objective of this rule is to integrate and assess critical alerts from Endpoint, DLP, and firewall sources within the splunk system. By correlating these alerts and incorporating MITRE annotations, the rule provides a comprehensive view of customer risk. It triggers an alert when critical alerts from these categories are detected, preserving the originating source and assigning risk scores. The rule helps security analysts better understand potential threats, enabling timely and effective responses to mitigate risks. The results are collected in the risk index for continuous monitoring and analysis.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.signature Alerts.app, Alerts.severity, Alerts.description, source, Alerts.id, Alerts.dest 
+  | `drop_dm_object_name("Alerts")`
+  | `critical_alerts_to_risk_index_filter`'
+how_to_implement: In order to properly run this search, Splunk needs to ingest data from other security products. 
+known_false_positives: False positives may vary by endpoint protection tool; monitor and adjust the risk scores as needed.
+references:
+  - https://attack.mitre.org/tactics/
+tags:
+  analytic_story:
+  - Critical Alerts
+  asset_type: Endpoint
+  atomic_guid: []
+  confidence: 90
+  impact: 90
+  message: $severity$ alert from $dest$ for $app$ with signature $signature$ and description $description$
+  mitre_attack_id:
+  - T1484
+  observable:
+  - name: dest
+    type: Other
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - app
+  - name
+  risk_score: 81
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/AdvancedHunting.log
+    source: eventhub://windowsdefenderlogs
+    sourcetype: mscs:azure:eventhub:defender:advancedhunting

stories/critical_alerts.yml

@@ -0,0 +1,15 @@
+name: Critical Alerts
+id: bc7056a5-c2b0-4b83-93ce-5f31739305c8
+date: '2024-06-21'
+author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk
+description: Rule for sending alerts to risk index.
+narrative: This story has rules that integrates and assesses critical alerts from Endpoint, DLP, and firewall sources in Splunk. By correlating alerts and adding MITRE annotations, it provides a comprehensive view of customer risk. It triggers an alert when critical alerts are detected, preserving the source and assigning risk scores. This helps security analysts understand threats and respond effectively.
+references:
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection