Application detections

splunk · Nov 13, 2024 · a0a94f3 · a0a94f3
1 parent 3b2cad7
commit a0a94f3
Show file tree

Hide file tree

Showing 54 changed files with 483 additions and 440 deletions.
diff --git a/detections/application/crushftp_server_side_template_injection.yml b/detections/application/crushftp_server_side_template_injection.yml
@@ -23,24 +23,24 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: Potential exploitation of CrushFTP Server Side Template Injection Vulnerability
+    on $dest$ by $src_ip$.
+  risk_objects:
+  - field: dest
+    type: IP Address
+    risk_score: 64.0
+  threat_objects:
+  - field: src_ip
+    type: IP Address
 tags:
   analytic_story:
   - CrushFTP Vulnerabilities
   asset_type: Web Application
   confidence: 80
   impact: 80
-  message: Potential exploitation of CrushFTP Server Side Template Injection Vulnerability on $dest$ by $src_ip$.
   mitre_attack_id:
   - T1190
-  observable:
-  - name: dest
-    type: IP Address
-    role:
-    - Victim
-  - name: src_ip
-    type: IP Address
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml
@@ -45,6 +45,14 @@ how_to_implement: Ensure that all relevant authentication data is mapped to the
 known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings.
 references:
 - https://attack.mitre.org/techniques/T1110/003/
+rba:
+  message: Distributed Password Spray Attempt Detected from $src$
+  risk_objects: []
+  threat_objects:
+  - field: src
+    type: IP Address
+  - field: user_agent
+    type: Other
 tags:
   analytic_story:
   - Compromised User Account
@@ -54,19 +62,9 @@ tags:
   - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
   confidence: 70
   impact: 70
-  message: Distributed Password Spray Attempt Detected from $src$
   mitre_attack_id:
   - T1110.003
   - T1110
-  observable:
-  - name: src
-    type: IP Address
-    role:
-    - Attacker
-  - name: user_agent
-    type: Other
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/application/detect_new_login_attempts_to_routers.yml b/detections/application/detect_new_login_attempts_to_routers.yml
@@ -11,22 +11,22 @@ search: '| tstats `security_content_summariesonly` count earliest(_time) as earl
 how_to_implement: To successfully implement this search, you must ensure the network router devices are categorized as "router" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.
 known_false_positives: Legitimate router connections may appear as new connections
 references: []
+rba:
+  message: tbd
+  risk_objects:
+  - field: user
+    type: User
+    risk_score: 25.0
+  - field: dest
+    type: Hostname
+    risk_score: 25.0
+  threat_objects: []
 tags:
   analytic_story:
   - Router and Infrastructure Security
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: tbd
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: dest
-    type: Hostname
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml
@@ -55,6 +55,16 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$sourcetype$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: Potential Password Spraying attack from $src$ targeting $unique_accounts$
+    unique accounts.
+  risk_objects:
+  - field: unique_user_names
+    type: User
+    risk_score: 49.0
+  threat_objects:
+  - field: src
+    type: Endpoint
 tags:
   analytic_story:
   - Compromised User Account
@@ -64,19 +74,9 @@ tags:
   - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
   confidence: 70
   impact: 70
-  message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts.
   mitre_attack_id:
   - T1110.003
   - T1110
-  observable:
-  - name: unique_user_names
-    type: User
-    role:
-    - Victim
-  - name: src
-    type: Endpoint
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/application/email_attachments_with_lots_of_spaces.yml b/detections/application/email_attachments_with_lots_of_spaces.yml
@@ -15,6 +15,13 @@ how_to_implement: 'You need to ingest data from emails. Specifically, the sender
   If Splunk Phantom is also configured in your environment, a playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user''s inbox.'
 known_false_positives: None at this time
 references: []
+rba:
+  message: tbd
+  risk_objects:
+  - field: user
+    type: User
+    risk_score: 25.0
+  threat_objects: []
 tags:
   analytic_story:
   - Data Destruction
@@ -24,12 +31,6 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: tbd
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/application/email_files_written_outside_of_the_outlook_directory.yml b/detections/application/email_files_written_outside_of_the_outlook_directory.yml
@@ -12,21 +12,22 @@ search: '| tstats `security_content_summariesonly` count values(Filesystem.file_
 how_to_implement: To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.
 known_false_positives: Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search.
 references: []
+rba:
+  message: tbd
+  risk_objects:
+  - field: dest
+    type: Hostname
+    risk_score: 25.0
+  threat_objects: []
 tags:
   analytic_story:
   - Collection and Staging
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: tbd
   mitre_attack_id:
   - T1114
   - T1114.001
-  observable:
-  - name: dest
-    type: Hostname
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml
@@ -11,22 +11,23 @@ search: '| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as
 how_to_implement: This search requires you to be ingesting your network traffic and populating the Network_Traffic data model.  Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid.
 known_false_positives: The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.
 references: []
+rba:
+  message: tbd
+  risk_objects:
+  - field: dest
+    type: Hostname
+    risk_score: 25.0
+  threat_objects: []
 tags:
   analytic_story:
   - Collection and Staging
   - HAFNIUM Group
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: tbd
   mitre_attack_id:
   - T1114
   - T1114.002
-  observable:
-  - name: dest
-    type: Hostname
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/application/ivanti_vtm_new_account_creation.yml b/detections/application/ivanti_vtm_new_account_creation.yml
@@ -23,20 +23,22 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MODUSER$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: A new administrator account, $MODUSER$, was created on Ivanti vTM device
+    without proper authentication, which may indicate exploitation of CVE-2024-7593.
+  risk_objects:
+  - field: MODUSER
+    type: User
+    risk_score: 72.0
+  threat_objects: []
 tags:
   analytic_story:
   - Ivanti Virtual Traffic Manager CVE-2024-7593
   asset_type: Web Application
   confidence: 80
   impact: 90
-  message: A new administrator account, $MODUSER$, was created on Ivanti vTM device without proper authentication, which may indicate exploitation of CVE-2024-7593.
   mitre_attack_id:
   - T1190
-  observable:
-  - name: MODUSER
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/application/monitor_email_for_brand_abuse.yml b/detections/application/monitor_email_for_brand_abuse.yml
@@ -11,19 +11,20 @@ search: '| tstats `security_content_summariesonly` values(All_Email.recipient) a
 how_to_implement: You need to ingest email header data. Specifically the sender's address (src_user) must be populated.  You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for.
 known_false_positives: None at this time
 references: []
+rba:
+  message: tbd
+  risk_objects:
+  - field: user
+    type: User
+    risk_score: 25.0
+  threat_objects: []
 tags:
   analytic_story:
   - Brand Monitoring
   - Suspicious Emails
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: tbd
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/application/no_windows_updates_in_a_time_frame.yml b/detections/application/no_windows_updates_in_a_time_frame.yml
@@ -11,18 +11,19 @@ search: '| tstats `security_content_summariesonly` max(_time) as lastTime from d
 how_to_implement: To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should be also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems.
 known_false_positives: None identified
 references: []
+rba:
+  message: tbd
+  risk_objects:
+  - field: dest
+    type: Hostname
+    risk_score: 25.0
+  threat_objects: []
 tags:
   analytic_story:
   - Monitor for Updates
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: tbd
-  observable:
-  - name: dest
-    type: Hostname
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/application/okta_authentication_failed_during_mfa_challenge.yml b/detections/application/okta_authentication_failed_during_mfa_challenge.yml
@@ -23,28 +23,27 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: A user [$user$] has failed to authenticate via MFA from IP Address - [$src$]"
+  risk_objects:
+  - field: user
+    type: User
+    risk_score: 48.0
+  threat_objects:
+  - field: src
+    type: IP Address
 tags:
   analytic_story:
   - Okta Account Takeover
   asset_type: Okta Tenant
   confidence: 60
   impact: 80
-  message: A user [$user$] has failed to authenticate via MFA from IP Address - [$src$]"
   mitre_attack_id:
   - T1586
   - T1586.003
   - T1078
   - T1078.004
   - T1621
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: src
-    type: IP Address
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/application/okta_idp_lifecycle_modifications.yml b/detections/application/okta_idp_lifecycle_modifications.yml
@@ -23,24 +23,24 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: A user [$user$] is attempting IDP lifecycle modification - [$description$]
+    from IP Address - [$src$]"
+  risk_objects:
+  - field: user
+    type: User
+    risk_score: 81.0
+  threat_objects:
+  - field: src
+    type: IP Address
 tags:
   analytic_story:
   - Suspicious Okta Activity
   asset_type: Okta Tenant
   confidence: 90
   impact: 90
-  message: A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]"
   mitre_attack_id:
   - T1087.004
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: src
-    type: IP Address
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security