You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR introduces a new detection for Inactive User Have Activity Detected. This detection identifies users who have been inactive for more than 30 days and suddenly have activity based on network traffic logs.
Screenshots/Examples :
Checklist
Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
Validated tags, description, and how to implement.
Verified references match analytic.
Confirm updates to lookups are handled properly.
Notes For Submitters and Reviewers
If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, it's also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers, and we'll be happy to help troubleshoot it.
Updates to existing lookup files can be tricky because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here, but the short version is that any changes to lookup files need to bump the datestamp in the lookup CSV filename, and the reference to it in the YAML needs to be updated.
Detection Metadata Validation:
❌ ESCU - Detect Risky SPL using Pretrained ML Model - Rule
🔸 Detection from previous build not found in current build.
❌ ESCU - Path traversal SPL injection - Rule
🔸 Detection from previous build not found in current build.
❌ ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule
🔸 Detection from previous build not found in current build.
❌ ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule
🔸 Detection from previous build not found in current build.
❌ ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule
🔸 Detection from previous build not found in current build.
❌ ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule
🔸 Detection from previous build not found in current build.
❌ ESCU - Splunk Authentication Token Exposure in Debug Log - Rule
🔸 Detection from previous build not found in current build.
❌ ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule
🔸 Detection from previous build not found in current build.
❌ ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule
🔸 Detection from previous build not found in current build.
❌ ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule
Somebody can help me to fix this issue ? @patel-bhavin @ljstella
Hey @zake1god - as I mentioned in the other PR, those errors will appear until we merge #3149 - There are also possibly going to be errors as we merge other PRs and have updated our contentctl tooling this morning. We will work with you to get these all cleaned up just as soon as we can.
Yes, like @ljstella mentioned - we are working on getting tooling and git actions a bit straightened out. We will keep you updated! and thank you contributing to security_content!
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
zake1god
changed the title
Details
This PR introduces a new detection for Inactive User Have Activity Detected. This detection identifies users who have been inactive for more than 30 days and suddenly have activity based on network traffic logs.
Screenshots/Examples :
Checklist
<platform>_<mitre att&ck technique>_<short description>nomenclatureNotes For Submitters and Reviewers
buildCI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, it's also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers, and we'll be happy to help troubleshoot it.