updating detections

splunk · Nov 1, 2023 · 367e3fe · 367e3fe
1 parent b9dc457
commit 367e3fe
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 5 deletions.
diff --git a/detections/application/user_added_to_privileged_group.yml b/detections/application/user_added_to_privileged_group.yml
@@ -21,7 +21,8 @@ references:
 - https://splunkbase.splunk.com/app/6853
 tags:
   analytic_story:
-  - UPDATE_STORY_NAME
+  - Active Directory Privilege Escalation
+  - Sneaky Active Directory Persistence Tricks
   asset_type: Endpoint
   confidence: 100
   impact: 50
@@ -46,6 +47,7 @@ tags:
   - Group_Name
   - dest
   security_domain: identity
+  manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.
 tests:
 - name: True Positive Test
   attack_data:

diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
@@ -18,7 +18,7 @@ search: '`wineventlog_security` EventCode=5136
   | rex field=AttributeValue max_match=10000 "OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSRGetChanges_user_sid>S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3})\)"
   | rex field=AttributeValue max_match=10000 "OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSRGetChangesAll_user_sid>S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3})\)"
   | rex field=AttributeValue max_match=10000 "OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?P<DSRGetChangesFiltered_user_sid>S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3})\)"
-  | table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid\
+  | table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid
   | mvexpand DSRGetChanges_user_sid
   | eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,"true","false"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,"true","false")
   | where minDCSyncPermissions="true"
@@ -72,7 +72,7 @@ tags:
     - ObjectClass
   risk_score: 80
   security_domain: endpoint
-  manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.
+  manual_test: False
 tests:
   - name: True Positive Test
     attack_data:

diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml
@@ -52,4 +52,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log
+    source: aws:cloudwatchlogs:vpcflow
     sourcetype: aws:cloudwatchlogs:vpcflow
+    update_timestamp: true
diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml
@@ -3,7 +3,7 @@ id: 46f946ed-1c78-4e96-9906-c7a4be15e39b
 version: 1
 date: '2023-10-27'
 author: Dean Luxton
-status: Experimental
+status: experimental
 type: TTP
 data_source: []
 description: This analytic detects internal hosts triggering multiple IDS signatures (either more than 25 signatures against a single host, or a single signature across over 25 destinations), which can be indicative of active vulnerability scanning performed within the network.
@@ -35,7 +35,7 @@ tags:
   - T1595.002
   - T1046
   observable:
-  - name: src_ip
+  - name: src
     type: Hostname
     role:
     - Victim