From 6f56a467c1d3bff83e632f9edbde97f97e70ae69 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Fri, 10 Jan 2025 14:07:48 -0600
Subject: [PATCH] New detection conversion

---
 ..._remote_access_software_usage_registry.yml | 36 +++++++++----------
 1 file changed, 16 insertions(+), 20 deletions(-)

diff --git a/detections/endpoint/detect_remote_access_software_usage_registry.yml b/detections/endpoint/detect_remote_access_software_usage_registry.yml
index a89b8e1e71..e6bd858882 100644
--- a/detections/endpoint/detect_remote_access_software_usage_registry.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_registry.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Registry
 id: 33804986-25dd-43cf-bb6b-dc14956c7cbc
-version: 1
-date: '2024-11-21'
+version: 2
+date: '2025-01-10'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -39,6 +39,20 @@ drilldown_searches:
   search: '| from datamodel:Endpoint.Registry| search dest=$dest$ registry_path=$registry_path$'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: A process for a known remote access software [$signature$] was detected on $dest$
+  risk_objects:
+  - field: dest
+    type: system
+    score: 25
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: registry_path
+    type: registry_path
+  - field: signature
+    type: signature
 tags:
   analytic_story:
   - Insider Threat
@@ -49,26 +63,8 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: A process for a known remote access software [$signature$] was detected on $dest$
   mitre_attack_id:
   - T1219
-  observable:
-  - name: dest
-    type: Hostname
-    role:
-    - Victim
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: registry_path
-    type: Other
-    role:
-    - Attacker
-  - name: signature
-    type: Other
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
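Review bot: The two new `score: 25` values in the `rba.risk_objects` block carry no indication of how they were derived, while `confidence: 50` and `impact: 50` remain in `tags` in the last hunk; if the score follows the usual confidence × impact / 100 convention (50 × 50 / 100 = 25), a one-line comment above `risk_objects:` such as `# score derived from tags.confidence * tags.impact / 100; keep in sync when either changes` would make the coupling visible, since nothing in the file now ties the two together. The `message` moved into `rba` still interpolates `$signature$`, so it depends on the detection search emitting a `signature` field; that search is outside these hunks and cannot be checked here, but a comment naming that expectation next to the message would help the next maintainer. Note too that `user` now receives the same 25-point risk as `dest`, whereas the removed `observable` block listed it only as a `Victim` with no weighting; whether equal weighting is intended is not something the hunk shows.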