From 3c42ae457789f728eac460b4bed5e6a36a7366c4 Mon Sep 17 00:00:00 2001
From: dluxtron <106139814+dluxtron@users.noreply.github.com>
Date: Wed, 1 Nov 2023 17:13:22 +1000
Subject: [PATCH] updating detections
---
 ...thentication_from_a_distributed_source.yml | 53 +++++++++++++++++
 ...ed_authentication_from_a_single_source.yml | 59 +++++++++++++++++++
 ...ows_ad_domain_replication_acl_addition.yml | 2 +-
 3 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 detections/application/authentication_datamodel_unusual_volume_of_failed_authentication_from_a_distributed_source.yml
 create mode 100644 detections/application/authentication_datamodel_unusual_volume_of_failed_authentication_from_a_single_source.yml
diff --git a/detections/application/authentication_datamodel_unusual_volume_of_failed_authentication_from_a_distributed_source.yml b/detections/application/authentication_datamodel_unusual_volume_of_failed_authentication_from_a_distributed_source.yml
new file mode 100644
index 0000000000..e3bc83abe6
--- /dev/null
+++ b/detections/application/authentication_datamodel_unusual_volume_of_failed_authentication_from_a_distributed_source.yml
@@ -0,0 +1,53 @@
+name: Authentication Datamodel Unusual Volume of Failed Authentication from a Distributed
+ Source
+id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
+version: 1
+date: '2023-11-01'
+author: Dean Luxton
+status: experimental
+type: TTP
+data_source:
+- Authentication Datamodel
+description: This analytic uses the 3-sigma approach to detect a distributed password spray attack. Utilising the authentication datamodel this detection is affective for all CIM mapped authication events.
+search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=5m
+ | `drop_dm_object_name("Authentication")`
+ | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by signature_id, sourcetype
+ | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3)
+ | eval isOutlier=if((unique_accounts > 10 and unique_accounts >= upperBoundUser) and (unique_src > 10 and unique_accounts >= upperBoundsrc), 1, 0)
+ | replace "::ffff:*" with * in src
+ | where isOutlier=1
+ | foreach *
+ [ eval <> = if(<>="null",null(),<>)]
+ | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id'
+how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly.
+known_false_positives: Mondays?
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+tags:
+ analytic_story:
+ - Compromised User Account
+ - Active Directory Password Spraying
+ asset_type: Endpoint
+ atomic_guid:
+ - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
+ confidence: 70
+ impact: 70
+ message: Not a risk rule
+ mitre_attack_id:
+ - T1110.003
+ - T1110
+ observable:
+ - name: src
+ type: Endpoint
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 49
+ required_fields:
+ - Authentication.action
+ - Authentication.user
+ - Authentication.src
+ security_domain: access
diff --git a/detections/application/authentication_datamodel_unusual_volume_of_failed_authentication_from_a_single_source.yml b/detections/application/authentication_datamodel_unusual_volume_of_failed_authentication_from_a_single_source.yml
new file mode 100644
index 0000000000..bff0ba36fd
--- /dev/null
+++ b/detections/application/authentication_datamodel_unusual_volume_of_failed_authentication_from_a_single_source.yml
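Review bot: The outlier test in the `eval isOutlier=...` line compares `unique_accounts` against `upperBoundsrc`, although that bound is built from the `unique_src` baseline (`comp_avg_src`/`comp_std_src`), so the distributed-source half of the condition never checks `unique_src` beyond the fixed `> 10` floor; it should read `(unique_src > 10 and unique_src >= upperBoundsrc)`. The `| replace "::ffff:*" with * in src` line is a no-op in this search, because `src` is only aggregated via `dc(Authentication.src)` and is neither a `by` field of the tstats nor a column of the final `table`, so it can be dropped here. The description carries two typos (`affective` → `effective`, `authication` → `authentication`), and `known_false_positives: Mondays?` should be a full sentence naming the condition the author presumably has in mind, e.g. `known_false_positives: Bursts of failed logons after weekends or holidays may exceed the baseline; tune the thresholds per environment.`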
@@ -0,0 +1,59 @@
+name: Authentication Datamodel Unusual Volume of Failed Authentication from a Single
+ Source
+id: 086ab581-8877-42b3-9aee-4a7ecb0923af
+version: 1
+date: '2023-11-01'
+author: Dean Luxton
+status: production
+type: TTP
+data_source:
+- Authentication Datamodel
+description: This analytic uses the 3-sigma approach to detect an unusual volume of failed authentication from a single source. Utilising the authentication datamodel this detection is affective for all CIM mapped authication events.
+search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=2m
+ | `drop_dm_object_name("Authentication")`
+ | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by src signature_id, sourcetype
+ | eval upperBound=(comp_avg+comp_std*3)
+ | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
+ | replace "::ffff:*" with * in src
+ | where isOutlier=1
+ | foreach *
+ [ eval <> = if(<>="null",null(),<>)]
+ | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id'
+how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly.
+known_false_positives: Unknown
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+tags:
+ analytic_story:
+ - Compromised User Account
+ - Active Directory Password Spraying
+ asset_type: Endpoint
+ atomic_guid:
+ - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
+ confidence: 70
+ impact: 70
+ message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts.
+ mitre_attack_id:
+ - T1110.003
+ - T1110
+ observable:
+ - name: src
+ type: Endpoint
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 49
+ required_fields:
+ - Authentication.action
+ - Authentication.user
+ - Authentication.src
+ security_domain: access
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log
+ source: XmlWinEventLog:Security
+ sourcetype: XmlWinEventLog
\ No newline at end of file
diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
index c41c71b3a6..91403cb40d 100644
--- a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
+++ b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
@@ -72,7 +72,7 @@ tags:
 - ObjectClass
 risk_score: 80
 security_domain: endpoint
- manual_test: False
+ manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.
 tests:
 - name: True Positive Test
 attack_data:
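Review bot: The `| replace "::ffff:*" with * in src` line runs after `| eventstats ... by src signature_id, sourcetype`, so an IPv4-mapped IPv6 source and its plain IPv4 form are baselined as two separate `src` groups and only merged for display; if the intent is to treat them as one source, the replace should sit directly after `drop_dm_object_name` and before the eventstats. The `by src signature_id, sourcetype` clause mixes space- and comma-separated field names, which SPL accepts but reads inconsistently next to the comma-separated `by` list of the tstats; `by src, signature_id, sourcetype` is clearer. The description repeats two typos from the other new file in this commit (`affective` → `effective`, `authication` → `authentication`). The file also ends without a trailing newline, which the other YAML files in the repository presumably have.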