updating drilldowns

detections/application/crushftp_server_side_template_injection.yml

@@ -17,12 +17,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$dest$"
   search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - CrushFTP Vulnerabilities

detections/application/detect_password_spray_attempts.yml

@@ -16,12 +16,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$sourcetype$"
   search: '%original_detection_search% | search  sourcetype = "$sourcetype$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$sourcetype$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$sourcetype$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Compromised User Account

detections/application/ivanti_vtm_new_account_creation.yml

@@ -17,12 +17,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$MODUSER$"
   search: '%original_detection_search% | search  MODUSER = "$MODUSER$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$MODUSER$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MODUSER$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Ivanti Virtual Traffic Manager CVE-2024-7593

detections/application/okta_authentication_failed_during_mfa_challenge.yml

@@ -17,12 +17,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover

detections/application/okta_idp_lifecycle_modifications.yml

@@ -17,12 +17,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Suspicious Okta Activity

detections/application/okta_multi_factor_authentication_disabled.yml

@@ -17,12 +17,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover

detections/application/okta_multiple_accounts_locked_out.yml

@@ -17,12 +17,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover

detections/application/okta_multiple_failed_mfa_requests_for_user.yml

@@ -16,12 +16,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$src_user$"
   search: '%original_detection_search% | search  src_user = "$src_user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$src_user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover

detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml

@@ -17,12 +17,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover

detections/application/okta_new_api_token_created.yml

@@ -17,12 +17,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover

detections/application/okta_new_device_enrolled_on_account.yml

@@ -17,12 +17,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover

detections/application/okta_risk_threshold_exceeded.yml

@@ -17,12 +17,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$risk_object$"
   search: '%original_detection_search% | search  risk_object = "$risk_object$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$risk_object$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover

detections/application/okta_successful_single_factor_authentication.yml

@@ -17,12 +17,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover

detections/application/okta_suspicious_activity_reported.yml

@@ -16,12 +16,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover

detections/application/okta_suspicious_use_of_a_session_cookie.yml

@@ -16,12 +16,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Suspicious Okta Activity

detections/application/okta_threatinsight_threat_detected.yml

@@ -16,12 +16,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$app$"
   search: '%original_detection_search% | search  app = "$app$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$app$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$app$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover

detections/application/okta_unauthorized_access_to_application.yml

@@ -16,12 +16,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover

detections/application/okta_user_logins_from_multiple_cities.yml

@@ -16,12 +16,12 @@ references:
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$user$"
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: '"$info_min_time$"'
-  latest_offset: '"$info_max_time$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Okta Account Takeover