updating drilldown_formatting
patel-bhavin committed Oct 24, 2024
1 parent 385ac7a commit 7bc11be
Showing 1,309 changed files with 2,618 additions and 2,618 deletions.
Expand Up @@ -15,11 +15,11 @@ references:
- https://github.com/airbus-cert/CVE-2024-4040
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
drilldown_searches:
- name: View the detection results for $dest$
- name: View the detection results for - $dest$
search: '%original_detection_search% | search dest = $dest$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $dest$
- name: View risk events for the last 7 days for - $dest$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
4 changes: 2 additions & 2 deletions detections/application/detect_password_spray_attempts.yml
Expand Up @@ -14,11 +14,11 @@ known_false_positives: Unknown
references:
- https://attack.mitre.org/techniques/T1110/003/
drilldown_searches:
- name: View the detection results for $sourcetype$
- name: View the detection results for - $sourcetype$
search: '%original_detection_search% | search sourcetype = $sourcetype$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $sourcetype$
- name: View risk events for the last 7 days for - $sourcetype$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($sourcetype$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
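Review bot: The `$sourcetype$` token is substituted unquoted into both drilldown searches in this section, `search sourcetype = $sourcetype$` and `normalized_risk_object IN ($sourcetype$)`, so a field value containing whitespace, a pipe or parentheses changes the structure of the generated SPL instead of being matched as a literal, and the relabelling in this hunk leaves that untouched. Quoting the token in both places, `search sourcetype = "$sourcetype$"` and `normalized_risk_object IN ("$sourcetype$")`, keeps the value a single string literal; a value that itself contains a double quote would presumably still need escaping by whatever performs the substitution, which is worth confirming. The same unquoted pattern appears in every other section on this page, including ivanti_vtm_new_account_creation.yml, okta_idp_lifecycle_modifications.yml, okta_multiple_accounts_locked_out.yml, okta_new_api_token_created.yml, okta_risk_threshold_exceeded.yml, okta_suspicious_activity_reported.yml and okta_threatinsight_threat_detected.yml, each with its own token.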
4 changes: 2 additions & 2 deletions detections/application/ivanti_vtm_new_account_creation.yml
Expand Up @@ -15,11 +15,11 @@ references:
- https://www.ivanti.com/security/security-advisories/ivanti-virtual-traffic-manager-vtm-cve-2024-7593
- https://nvd.nist.gov/vuln/detail/CVE-2024-7593
drilldown_searches:
- name: View the detection results for $MODUSER$
- name: View the detection results for - $MODUSER$
search: '%original_detection_search% | search MODUSER = $MODUSER$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $MODUSER$
- name: View risk events for the last 7 days for - $MODUSER$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($MODUSER$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
Expand Up @@ -15,11 +15,11 @@ references:
- https://sec.okta.com/everythingisyes
- https://splunkbase.splunk.com/app/6553
drilldown_searches:
- name: View the detection results for $user$
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
4 changes: 2 additions & 2 deletions detections/application/okta_idp_lifecycle_modifications.yml
Expand Up @@ -15,11 +15,11 @@ references:
- https://www.obsidiansecurity.com/blog/behind-the-breach-cross-tenant-impersonation-in-okta/
- https://splunkbase.splunk.com/app/6553
drilldown_searches:
- name: View the detection results for $user$
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
Expand Up @@ -15,11 +15,11 @@ references:
- https://attack.mitre.org/techniques/T1556/
- https://splunkbase.splunk.com/app/6553
drilldown_searches:
- name: View the detection results for $user$
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
4 changes: 2 additions & 2 deletions detections/application/okta_multiple_accounts_locked_out.yml
Expand Up @@ -15,11 +15,11 @@ references:
- https://attack.mitre.org/techniques/T1110/
- https://splunkbase.splunk.com/app/6553
drilldown_searches:
- name: View the detection results for $user$
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
Expand Up @@ -14,11 +14,11 @@ known_false_positives: Multiple Failed MFA requests may also be a sign of authen
references:
- https://attack.mitre.org/techniques/T1621/
drilldown_searches:
- name: View the detection results for $src_user$
- name: View the detection results for - $src_user$
search: '%original_detection_search% | search src_user = $src_user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $src_user$
- name: View risk events for the last 7 days for - $src_user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
Expand Up @@ -15,11 +15,11 @@ references:
- https://attack.mitre.org/techniques/T1110/003/
- https://splunkbase.splunk.com/app/6553
drilldown_searches:
- name: View the detection results for $user$
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
4 changes: 2 additions & 2 deletions detections/application/okta_new_api_token_created.yml
Expand Up @@ -15,11 +15,11 @@ references:
- https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected
- https://splunkbase.splunk.com/app/6553
drilldown_searches:
- name: View the detection results for $user$
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
Expand Up @@ -15,11 +15,11 @@ references:
- https://attack.mitre.org/techniques/T1098/005/
- https://developer.okta.com/docs/reference/api/event-types/?q=device.enrollment.create
drilldown_searches:
- name: View the detection results for $user$
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
4 changes: 2 additions & 2 deletions detections/application/okta_risk_threshold_exceeded.yml
Expand Up @@ -15,11 +15,11 @@ references:
- https://developer.okta.com/docs/reference/api/event-types
- https://sec.okta.com/everythingisyes
drilldown_searches:
- name: View the detection results for $risk_object$
- name: View the detection results for - $risk_object$
search: '%original_detection_search% | search risk_object = $risk_object$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $risk_object$
- name: View risk events for the last 7 days for - $risk_object$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
Expand Up @@ -15,11 +15,11 @@ references:
- https://sec.okta.com/everythingisyes
- https://attack.mitre.org/techniques/T1078/004/
drilldown_searches:
- name: View the detection results for $user$
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
4 changes: 2 additions & 2 deletions detections/application/okta_suspicious_activity_reported.yml
Expand Up @@ -14,11 +14,11 @@ known_false_positives: False positives should be minimal, given the high fidelit
references:
- https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm
drilldown_searches:
- name: View the detection results for $user$
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
Expand Up @@ -14,11 +14,11 @@ known_false_positives: False positives may occur, depending on the organization'
references:
- https://attack.mitre.org/techniques/T1539/
drilldown_searches:
- name: View the detection results for $user$
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
4 changes: 2 additions & 2 deletions detections/application/okta_threatinsight_threat_detected.yml
Expand Up @@ -14,11 +14,11 @@ known_false_positives: False positives may occur. It is recommended to fine-tune
references:
- https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected
drilldown_searches:
- name: View the detection results for $app$
- name: View the detection results for - $app$
search: '%original_detection_search% | search app = $app$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $app$
- name: View risk events for the last 7 days for - $app$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($app$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
Expand Up @@ -14,11 +14,11 @@ known_false_positives: There is a possibility that a user may accidentally click
references:
- https://attack.mitre.org/techniques/T1110/003/
drilldown_searches:
- name: View the detection results for $user$
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
Expand Up @@ -14,11 +14,11 @@ known_false_positives: It is uncommon for a user to log in from multiple cities
references:
- https://attack.mitre.org/techniques/T1110/003/
drilldown_searches:
- name: View the detection results for $user$
- name: View the detection results for - $user$
search: '%original_detection_search% | search user = $user$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- name: View risk events for the last 7 days for - $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$