From d1c7e1b6e5513ea9e4804a1b9769b0564e2cbee2 Mon Sep 17 00:00:00 2001 From: research-bot Date: Wed, 30 Oct 2024 18:42:30 -0700 Subject: [PATCH] udpating sysmon source --- .../endpoint/7zip_commandline_to_smb_share_path.yml | 2 +- .../endpoint/access_lsass_memory_for_dump_creation.yml | 2 +- detections/endpoint/account_discovery_with_net_app.yml | 2 +- .../endpoint/active_setup_registry_autostart.yml | 2 +- .../add_defaultuser_and_password_in_registry.yml | 2 +- .../endpoint/add_or_set_windows_defender_exclusion.yml | 2 +- .../allow_file_and_printing_sharing_in_firewall.yml | 2 +- ...allow_inbound_traffic_by_firewall_rule_registry.yml | 2 +- .../endpoint/allow_network_discovery_in_firewall.yml | 2 +- .../endpoint/allow_operation_with_consent_admin.yml | 2 +- detections/endpoint/anomalous_usage_of_7zip.yml | 2 +- detections/endpoint/any_powershell_downloadfile.yml | 2 +- detections/endpoint/any_powershell_downloadstring.yml | 2 +- detections/endpoint/attacker_tools_on_endpoint.yml | 2 +- .../attempt_to_add_certificate_to_untrusted_store.yml | 2 +- .../endpoint/attempt_to_stop_security_service.yml | 2 +- ...mpted_credential_dump_from_registry_via_reg_exe.yml | 2 +- .../endpoint/auto_admin_logon_registry_entry.yml | 2 +- detections/endpoint/batch_file_write_to_system32.yml | 2 +- .../bcdedit_command_back_to_normal_mode_boot.yml | 2 +- .../endpoint/bcdedit_failure_recovery_modification.yml | 2 +- detections/endpoint/bits_job_persistence.yml | 2 +- detections/endpoint/bitsadmin_download_file.yml | 2 +- ...util_download_with_urlcache_and_split_arguments.yml | 2 +- ...til_download_with_verifyctl_and_split_arguments.yml | 2 +- .../endpoint/certutil_exe_certificate_extraction.yml | 2 +- detections/endpoint/certutil_with_decode_argument.yml | 2 +- .../endpoint/change_default_file_association.yml | 2 +- .../change_to_safe_mode_with_network_config.yml | 2 +- detections/endpoint/chcp_command_execution.yml | 2 +- .../endpoint/check_elevated_cmd_using_whoami.yml | 2 +- .../clear_unallocated_sector_using_cipher_app.yml | 2 +- detections/endpoint/clop_common_exec_parameter.yml | 2 +- .../cmd_carry_out_string_command_parameter.yml | 2 +- detections/endpoint/cmd_echo_pipe___escalation.yml | 2 +- .../cmdline_tool_not_executed_in_cmd_shell.yml | 2 +- detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml | 2 +- detections/endpoint/cobalt_strike_named_pipes.yml | 2 +- detections/endpoint/common_ransomware_extensions.yml | 2 +- detections/endpoint/common_ransomware_notes.yml | 2 +- .../connectwise_screenconnect_path_traversal.yml | 2 +- detections/endpoint/conti_common_exec_parameter.yml | 2 +- .../control_loading_from_world_writable_directory.yml | 2 +- .../create_or_delete_windows_shares_using_net_exe.yml | 2 +- .../create_remote_thread_in_shell_application.yml | 2 +- .../endpoint/create_remote_thread_into_lsass.yml | 2 +- .../endpoint/creation_of_lsass_dump_with_taskmgr.yml | 2 +- detections/endpoint/creation_of_shadow_copy.yml | 2 +- ...reation_of_shadow_copy_with_wmic_and_powershell.yml | 2 +- ...ntial_dumping_via_copy_command_from_shadow_copy.yml | 2 +- .../credential_dumping_via_symlink_to_shadow_copy.yml | 2 +- detections/endpoint/csc_net_on_the_fly_compilation.yml | 2 +- detections/endpoint/deleting_of_net_users.yml | 2 +- detections/endpoint/deleting_shadow_copies.yml | 2 +- .../detect_azurehound_command_line_arguments.yml | 2 +- .../endpoint/detect_azurehound_file_modifications.yml | 2 +- .../endpoint/detect_certify_command_line_arguments.yml | 2 +- .../endpoint/detect_certipy_file_modifications.yml | 2 +- .../detect_credential_dumping_through_lsass_access.yml | 2 +- .../detect_critical_alerts_from_security_tools.yml | 10 +++------- detections/endpoint/detect_exchange_web_shell.yml | 2 +- detections/endpoint/detect_html_help_renamed.yml | 2 +- .../endpoint/detect_html_help_spawn_child_process.yml | 2 +- .../endpoint/detect_html_help_url_in_command_line.yml | 2 +- ...etect_html_help_using_infotech_storage_handlers.yml | 2 +- .../endpoint/detect_mshta_inline_hta_execution.yml | 2 +- detections/endpoint/detect_mshta_renamed.yml | 2 +- .../endpoint/detect_mshta_url_in_command_line.yml | 2 +- ...ct_path_interception_by_creation_of_program_exe.yml | 2 +- ...used_for_system_network_configuration_discovery.yml | 2 +- ...detect_prohibited_applications_spawning_cmd_exe.yml | 2 +- .../endpoint/detect_psexec_with_accepteula_flag.yml | 2 +- detections/endpoint/detect_rare_executables.yml | 2 +- .../endpoint/detect_rclone_command_line_usage.yml | 2 +- .../endpoint/detect_regasm_spawning_a_process.yml | 2 +- .../endpoint/detect_regasm_with_network_connection.yml | 2 +- .../detect_regasm_with_no_command_line_arguments.yml | 2 +- .../endpoint/detect_regsvcs_spawning_a_process.yml | 2 +- .../detect_regsvcs_with_network_connection.yml | 2 +- .../detect_regsvcs_with_no_command_line_arguments.yml | 2 +- .../detect_regsvr32_application_control_bypass.yml | 2 +- detections/endpoint/detect_renamed_7_zip.yml | 2 +- detections/endpoint/detect_renamed_psexec.yml | 2 +- detections/endpoint/detect_renamed_rclone.yml | 2 +- detections/endpoint/detect_renamed_winrar.yml | 2 +- detections/endpoint/detect_rtlo_in_file_name.yml | 2 +- detections/endpoint/detect_rtlo_in_process.yml | 2 +- ...t_rundll32_application_control_bypass___advpack.yml | 2 +- ..._rundll32_application_control_bypass___setupapi.yml | 2 +- ..._rundll32_application_control_bypass___syssetup.yml | 2 +- .../endpoint/detect_rundll32_inline_hta_execution.yml | 2 +- .../detect_sharphound_command_line_arguments.yml | 2 +- .../endpoint/detect_sharphound_file_modifications.yml | 2 +- detections/endpoint/detect_sharphound_usage.yml | 2 +- ...ct_use_of_cmd_exe_to_launch_script_interpreters.yml | 2 +- .../endpoint/detect_webshell_exploit_behavior.yml | 2 +- .../detect_wmi_event_subscription_persistence.yml | 2 +- detections/endpoint/disable_amsi_through_registry.yml | 2 +- .../endpoint/disable_defender_antivirus_registry.yml | 2 +- .../disable_defender_blockatfirstseen_feature.yml | 2 +- .../disable_defender_enhanced_notification.yml | 2 +- .../endpoint/disable_defender_mpengine_registry.yml | 2 +- .../endpoint/disable_defender_spynet_reporting.yml | 2 +- ...disable_defender_submit_samples_consent_feature.yml | 2 +- detections/endpoint/disable_etw_through_registry.yml | 2 +- detections/endpoint/disable_logs_using_wevtutil.yml | 2 +- detections/endpoint/disable_registry_tool.yml | 2 +- detections/endpoint/disable_schedule_task.yml | 2 +- .../disable_security_logs_using_minint_registry.yml | 2 +- detections/endpoint/disable_show_hidden_files.yml | 2 +- detections/endpoint/disable_uac_remote_restriction.yml | 2 +- detections/endpoint/disable_windows_app_hotkeys.yml | 2 +- .../endpoint/disable_windows_behavior_monitoring.yml | 2 +- .../disable_windows_smartscreen_protection.yml | 2 +- detections/endpoint/disabling_cmd_application.yml | 2 +- detections/endpoint/disabling_controlpanel.yml | 2 +- detections/endpoint/disabling_defender_services.yml | 2 +- detections/endpoint/disabling_firewall_with_netsh.yml | 2 +- .../disabling_folderoptions_windows_feature.yml | 2 +- detections/endpoint/disabling_net_user_account.yml | 2 +- detections/endpoint/disabling_norun_windows_app.yml | 2 +- .../endpoint/disabling_remote_user_account_control.yml | 2 +- .../endpoint/disabling_systemrestore_in_registry.yml | 4 ++-- detections/endpoint/disabling_task_manager.yml | 2 +- ..._local_security_authority_defences_via_registry.yml | 2 +- .../endpoint/dns_exfiltration_using_nslookup_app.yml | 2 +- .../endpoint/domain_account_discovery_with_dsquery.yml | 2 +- .../endpoint/domain_account_discovery_with_net_app.yml | 2 +- .../endpoint/domain_account_discovery_with_wmic.yml | 2 +- .../domain_controller_discovery_with_nltest.yml | 2 +- .../endpoint/domain_controller_discovery_with_wmic.yml | 2 +- .../endpoint/domain_group_discovery_with_dsquery.yml | 2 +- .../endpoint/domain_group_discovery_with_net.yml | 2 +- .../endpoint/domain_group_discovery_with_wmic.yml | 2 +- detections/endpoint/download_files_using_telegram.yml | 2 +- detections/endpoint/drop_icedid_license_dat.yml | 2 +- detections/endpoint/dsquery_domain_discovery.yml | 2 +- detections/endpoint/dump_lsass_via_comsvcs_dll.yml | 2 +- detections/endpoint/dump_lsass_via_procdump.yml | 2 +- .../endpoint/elevated_group_discovery_with_net.yml | 2 +- .../elevated_group_discovery_with_powerview.yml | 2 +- .../endpoint/elevated_group_discovery_with_wmic.yml | 2 +- .../endpoint/enable_rdp_in_other_port_number.yml | 2 +- .../enable_wdigest_uselogoncredential_registry.yml | 2 +- detections/endpoint/esentutl_sam_copy.yml | 2 +- detections/endpoint/etw_registry_disabled.yml | 2 +- detections/endpoint/eventvwr_uac_bypass.yml | 2 +- detections/endpoint/excel_spawning_powershell.yml | 2 +- .../endpoint/excel_spawning_windows_script_host.yml | 2 +- .../endpoint/excessive_attempt_to_disable_services.yml | 2 +- .../excessive_file_deletion_in_windefender_folder.yml | 2 +- ...ive_number_of_service_control_start_as_disabled.yml | 2 +- detections/endpoint/excessive_service_stop_attempt.yml | 2 +- detections/endpoint/excessive_usage_of_cacls_app.yml | 2 +- detections/endpoint/excessive_usage_of_net_app.yml | 2 +- .../endpoint/excessive_usage_of_nslookup_app.yml | 2 +- .../endpoint/excessive_usage_of_sc_service_utility.yml | 2 +- detections/endpoint/excessive_usage_of_taskkill.yml | 2 +- ...ecutables_or_script_creation_in_suspicious_path.yml | 2 +- .../execute_javascript_with_jscript_com_clsid.yml | 2 +- .../execution_of_file_with_multiple_extensions.yml | 2 +- detections/endpoint/extraction_of_registry_hives.yml | 2 +- detections/endpoint/file_with_samsam_extension.yml | 2 +- .../endpoint/firewall_allowed_program_enable.yml | 2 +- detections/endpoint/fodhelper_uac_bypass.yml | 2 +- detections/endpoint/fsutil_zeroing_file.yml | 2 +- ...t_addefaultdomainpasswordpolicy_with_powershell.yml | 2 +- detections/endpoint/get_aduser_with_powershell.yml | 2 +- ...t_aduserresultantpasswordpolicy_with_powershell.yml | 2 +- .../endpoint/get_domainpolicy_with_powershell.yml | 2 +- .../endpoint/get_domaintrust_with_powershell.yml | 2 +- detections/endpoint/get_domainuser_with_powershell.yml | 2 +- .../endpoint/get_foresttrust_with_powershell.yml | 2 +- detections/endpoint/get_wmiobject_group_discovery.yml | 2 +- detections/endpoint/getadcomputer_with_powershell.yml | 2 +- detections/endpoint/getadgroup_with_powershell.yml | 2 +- .../endpoint/getcurrent_user_with_powershell.yml | 2 +- .../endpoint/getdomaincomputer_with_powershell.yml | 2 +- .../endpoint/getdomaincontroller_with_powershell.yml | 2 +- detections/endpoint/getdomaingroup_with_powershell.yml | 2 +- detections/endpoint/getlocaluser_with_powershell.yml | 2 +- .../endpoint/getnettcpconnection_with_powershell.yml | 2 +- .../getwmiobject_ds_computer_with_powershell.yml | 2 +- .../endpoint/getwmiobject_ds_group_with_powershell.yml | 2 +- .../endpoint/getwmiobject_ds_user_with_powershell.yml | 2 +- .../getwmiobject_user_account_with_powershell.yml | 2 +- ...ate_with_no_command_line_arguments_with_network.yml | 2 +- .../headless_browser_mockbin_or_mocky_request.yml | 2 +- detections/endpoint/headless_browser_usage.yml | 2 +- .../endpoint/hide_user_account_from_sign_in_screen.yml | 2 +- .../hiding_files_and_directories_with_attrib_exe.yml | 2 +- .../endpoint/high_process_termination_frequency.yml | 2 +- detections/endpoint/hunting_3cxdesktopapp_software.yml | 2 +- detections/endpoint/icacls_deny_command.yml | 2 +- detections/endpoint/icacls_grant_command.yml | 2 +- .../icedid_exfiltrated_archived_file_creation.yml | 2 +- ...mpacket_lateral_movement_commandline_parameters.yml | 2 +- ...lateral_movement_smbexec_commandline_parameters.yml | 2 +- ...lateral_movement_wmiexec_commandline_parameters.yml | 2 +- .../endpoint/jscript_execution_using_cscript_app.yml | 2 +- detections/endpoint/loading_of_dynwrapx_module.yml | 2 +- .../endpoint/local_account_discovery_with_net.yml | 2 +- .../endpoint/local_account_discovery_with_wmic.yml | 2 +- .../endpoint/logon_script_event_trigger_execution.yml | 2 +- detections/endpoint/lolbas_with_network_traffic.yml | 2 +- .../endpoint/malicious_inprocserver32_modification.yml | 2 +- .../malicious_powershell_process___encoded_command.yml | 2 +- ...us_powershell_process___execution_policy_bypass.yml | 2 +- ..._powershell_process_with_obfuscation_techniques.yml | 2 +- .../mimikatz_passtheticket_commandline_parameters.yml | 2 +- .../endpoint/mmc_lolbas_execution_process_spawn.yml | 2 +- detections/endpoint/modification_of_wallpaper.yml | 2 +- .../modify_acl_permission_to_files_or_folder.yml | 2 +- .../monitor_registry_keys_for_print_monitors.yml | 2 +- .../ms_scripting_process_loading_ldap_module.yml | 2 +- .../ms_scripting_process_loading_wmi_module.yml | 2 +- .../msbuild_suspicious_spawned_by_script_process.yml | 2 +- .../mshta_spawning_rundll32_or_regsvr32_process.yml | 2 +- .../endpoint/mshtml_module_load_in_office_product.yml | 2 +- .../msi_module_loaded_by_non_system_binary.yml | 2 +- .../endpoint/msmpeng_application_dll_side_loading.yml | 2 +- detections/endpoint/net_localgroup_discovery.yml | 2 +- detections/endpoint/net_profiler_uac_bypass.yml | 2 +- .../endpoint/network_connection_discovery_with_arp.yml | 2 +- .../endpoint/network_connection_discovery_with_net.yml | 2 +- .../network_connection_discovery_with_netstat.yml | 2 +- .../network_discovery_using_route_windows_app.yml | 2 +- ...affic_to_active_directory_web_services_protocol.yml | 2 +- detections/endpoint/nishang_powershelltcponeline.yml | 2 +- detections/endpoint/nltest_domain_trust_discovery.yml | 2 +- .../notepad_with_no_command_line_arguments.yml | 2 +- detections/endpoint/ntdsutil_export_ntds.yml | 2 +- .../endpoint/office_application_drop_executable.yml | 2 +- .../office_application_spawn_regsvr32_process.yml | 2 +- .../office_application_spawn_rundll32_process.yml | 2 +- .../office_document_creating_schedule_task.yml | 2 +- .../endpoint/office_document_executing_macro_code.yml | 2 +- ...fice_document_spawned_child_process_to_download.yml | 2 +- .../endpoint/office_product_spawn_cmd_process.yml | 2 +- .../endpoint/office_product_spawning_bitsadmin.yml | 2 +- .../endpoint/office_product_spawning_certutil.yml | 2 +- detections/endpoint/office_product_spawning_mshta.yml | 2 +- .../office_product_spawning_rundll32_with_no_dll.yml | 2 +- .../office_product_spawning_windows_script_host.yml | 2 +- detections/endpoint/office_product_spawning_wmic.yml | 2 +- .../endpoint/office_product_writing_cab_or_inf.yml | 2 +- detections/endpoint/office_spawning_control.yml | 2 +- ...etwork_connection_from_java_using_default_ports.yml | 2 +- .../endpoint/overwriting_accessibility_binaries.yml | 2 +- .../endpoint/password_policy_discovery_with_net.yml | 2 +- .../permission_modification_using_takeown_app.yml | 2 +- detections/endpoint/ping_sleep_batch_command.yml | 2 +- .../endpoint/possible_browser_pass_view_parameter.yml | 2 +- .../possible_lateral_movement_powershell_spawn.yml | 2 +- .../potentially_malicious_code_on_commandline.yml | 2 +- ...rshell___connect_to_internet_with_hidden_window.yml | 2 +- .../powershell_disable_security_monitoring.yml | 2 +- .../endpoint/powershell_get_localgroup_discovery.yml | 2 +- ...wershell_remote_thread_to_known_windows_process.yml | 2 +- detections/endpoint/powershell_start_bitstransfer.yml | 2 +- .../prevent_automatic_repair_mode_using_bcdedit.yml | 2 +- ...rocess_creating_lnk_file_in_suspicious_location.yml | 2 +- .../process_deleting_its_process_file_path.yml | 2 +- detections/endpoint/process_execution_via_wmi.yml | 2 +- detections/endpoint/process_kill_base_on_file_path.yml | 2 +- .../endpoint/process_writing_dynamicwrapperx.yml | 2 +- detections/endpoint/processes_launching_netsh.yml | 2 +- detections/endpoint/ransomware_notes_bulk_creation.yml | 2 +- .../recursive_delete_of_directory_in_batch_cmd.yml | 2 +- ...exe_manipulating_windows_services_registry_keys.yml | 2 +- .../registry_keys_for_creating_shim_databases.yml | 2 +- .../endpoint/registry_keys_used_for_persistence.yml | 2 +- .../registry_keys_used_for_privilege_escalation.yml | 2 +- .../regsvr32_silent_and_install_param_dll_loading.yml | 2 +- .../regsvr32_with_known_silent_switch_cmdline.yml | 2 +- .../endpoint/remcos_client_registry_install_entry.yml | 2 +- .../remcos_rat_file_creation_in_remcos_folder.yml | 2 +- ...e_process_instantiation_via_dcom_and_powershell.yml | 2 +- ..._process_instantiation_via_winrm_and_powershell.yml | 2 +- ...emote_process_instantiation_via_winrm_and_winrs.yml | 2 +- .../endpoint/remote_process_instantiation_via_wmi.yml | 2 +- ...te_process_instantiation_via_wmi_and_powershell.yml | 2 +- .../endpoint/remote_system_discovery_with_dsquery.yml | 2 +- .../endpoint/remote_system_discovery_with_net.yml | 2 +- .../endpoint/remote_system_discovery_with_wmic.yml | 2 +- detections/endpoint/remote_wmi_command_attempt.yml | 2 +- detections/endpoint/resize_shadowstorage_volume.yml | 2 +- detections/endpoint/revil_common_exec_parameter.yml | 2 +- detections/endpoint/revil_registry_entry.yml | 2 +- detections/endpoint/rubeus_command_line_parameters.yml | 2 +- ...kerberos_ticket_exports_through_winlogon_access.yml | 2 +- detections/endpoint/runas_execution_in_commandline.yml | 2 +- detections/endpoint/rundll32_control_rundll_hunt.yml | 2 +- ...undll32_control_rundll_world_writable_directory.yml | 2 +- .../rundll32_create_remote_thread_to_a_process.yml | 2 +- .../rundll32_createremotethread_in_browser.yml | 2 +- detections/endpoint/rundll32_dnsquery.yml | 2 +- detections/endpoint/rundll32_lockworkstation.yml | 2 +- .../rundll32_process_creating_exe_dll_files.yml | 2 +- detections/endpoint/rundll32_shimcache_flush.yml | 2 +- ...l32_with_no_command_line_arguments_with_network.yml | 2 +- detections/endpoint/rundll_loading_dll_by_ordinal.yml | 2 +- detections/endpoint/ryuk_test_files_detected.yml | 2 +- detections/endpoint/ryuk_wake_on_lan_command.yml | 2 +- detections/endpoint/samsam_test_file_write.yml | 2 +- .../endpoint/sc_exe_manipulating_windows_services.yml | 2 +- ...he_change_by_app_connect_and_create_adsi_object.yml | 2 +- ...duled_task_creation_on_remote_endpoint_using_at.yml | 2 +- .../scheduled_task_deleted_or_created_via_cmd.yml | 2 +- .../scheduled_task_initiation_on_remote_endpoint.yml | 2 +- detections/endpoint/schtasks_run_task_on_demand.yml | 2 +- .../schtasks_scheduling_job_on_remote_system.yml | 2 +- .../endpoint/schtasks_used_for_forcing_a_reboot.yml | 2 +- .../endpoint/screensaver_event_trigger_execution.yml | 2 +- detections/endpoint/script_execution_via_wmi.yml | 2 +- detections/endpoint/sdclt_uac_bypass.yml | 2 +- detections/endpoint/sdelete_application_execution.yml | 2 +- ...hprotocolhost_with_no_command_line_with_network.yml | 2 +- .../endpoint/secretdumps_offline_ntds_dumping_tool.yml | 2 +- .../serviceprincipalnames_discovery_with_setspn.yml | 2 +- detections/endpoint/services_escalate_exe.yml | 2 +- .../services_lolbas_execution_process_spawn.yml | 2 +- ...hell_execution_policy_to_unrestricted_or_bypass.yml | 2 +- detections/endpoint/shim_database_file_creation.yml | 2 +- ...atabase_installation_with_suspicious_parameters.yml | 2 +- detections/endpoint/silentcleanup_uac_bypass.yml | 2 +- .../endpoint/single_letter_process_on_endpoint.yml | 2 +- detections/endpoint/slui_runas_elevated.yml | 2 +- detections/endpoint/slui_spawning_a_process.yml | 2 +- detections/endpoint/spoolsv_spawning_rundll32.yml | 2 +- .../endpoint/spoolsv_suspicious_loaded_modules.yml | 2 +- .../endpoint/spoolsv_suspicious_process_access.yml | 2 +- detections/endpoint/spoolsv_writing_a_dll.yml | 2 +- detections/endpoint/spoolsv_writing_a_dll___sysmon.yml | 2 +- detections/endpoint/sqlite_module_in_temp_folder.yml | 2 +- detections/endpoint/suspicious_copy_on_system32.yml | 2 +- .../suspicious_dllhost_no_command_line_arguments.yml | 2 +- detections/endpoint/suspicious_driver_loaded_path.yml | 2 +- .../suspicious_gpupdate_no_command_line_arguments.yml | 2 +- .../endpoint/suspicious_icedid_rundll32_cmdline.yml | 2 +- .../suspicious_image_creation_in_appdata_folder.yml | 2 +- .../suspicious_microsoft_workflow_compiler_rename.yml | 2 +- .../suspicious_microsoft_workflow_compiler_usage.yml | 2 +- detections/endpoint/suspicious_msbuild_path.yml | 2 +- detections/endpoint/suspicious_msbuild_rename.yml | 2 +- detections/endpoint/suspicious_msbuild_spawn.yml | 2 +- detections/endpoint/suspicious_mshta_child_process.yml | 2 +- detections/endpoint/suspicious_mshta_spawn.yml | 2 +- ...ious_process_dns_query_known_abuse_web_services.yml | 2 +- ...suspicious_process_executed_from_container_file.yml | 2 +- detections/endpoint/suspicious_process_file_path.yml | 2 +- .../suspicious_process_with_discord_dns_query.yml | 2 +- detections/endpoint/suspicious_reg_exe_process.yml | 2 +- .../suspicious_regsvr32_register_suspicious_path.yml | 2 +- .../endpoint/suspicious_rundll32_dllregisterserver.yml | 2 +- .../suspicious_rundll32_no_command_line_arguments.yml | 2 +- detections/endpoint/suspicious_rundll32_plugininit.yml | 2 +- detections/endpoint/suspicious_rundll32_startw.yml | 2 +- ...suspicious_scheduled_task_from_public_directory.yml | 2 +- ...us_searchprotocolhost_no_command_line_arguments.yml | 2 +- .../endpoint/suspicious_wav_file_in_appdata_folder.yml | 2 +- detections/endpoint/suspicious_wevtutil_usage.yml | 2 +- .../suspicious_writes_to_windows_recycle_bin.yml | 2 +- .../system_info_gathering_using_dxdiag_application.yml | 2 +- .../system_information_discovery_detection.yml | 2 +- .../system_processes_run_from_unexpected_locations.yml | 2 +- .../endpoint/system_user_discovery_with_query.yml | 2 +- .../endpoint/system_user_discovery_with_whoami.yml | 2 +- .../endpoint/time_provider_persistence_registry.yml | 2 +- detections/endpoint/trickbot_named_pipe.yml | 2 +- .../endpoint/uac_bypass_mmc_load_unsigned_dll.yml | 2 +- .../endpoint/uac_bypass_with_colorui_com_object.yml | 2 +- detections/endpoint/uninstall_app_using_msiexec.yml | 2 +- .../unknown_process_using_the_kerberos_protocol.yml | 2 +- detections/endpoint/unload_sysmon_filter_driver.yml | 2 +- .../user_discovery_with_env_vars_powershell.yml | 2 +- detections/endpoint/usn_journal_deletion.yml | 2 +- .../endpoint/vbscript_execution_using_wscript_app.yml | 2 +- detections/endpoint/verclsid_clsid_execution.yml | 2 +- detections/endpoint/w3wp_spawning_shell.yml | 2 +- detections/endpoint/wbadmin_delete_system_backups.yml | 2 +- detections/endpoint/wbemprox_com_object_execution.yml | 2 +- ...mgr_process_connecting_to_ip_check_web_services.yml | 2 +- .../endpoint/wermgr_process_create_executable_file.yml | 2 +- ...ermgr_process_spawned_cmd_or_powershell_process.yml | 2 +- detections/endpoint/windows_abused_web_services.yml | 2 +- ...en_manipulation_winlogon_duplicate_token_handle.yml | 2 +- ...oken_winlogon_duplicate_handle_in_uncommon_path.yml | 2 +- .../endpoint/windows_ad_dsrm_account_changes.yml | 2 +- detections/endpoint/windows_adfind_exe.yml | 2 +- .../endpoint/windows_admin_permission_discovery.yml | 2 +- .../endpoint/windows_apache_benchmark_binary.yml | 2 +- .../windows_app_layer_protocol_qakbot_namedpipe.yml | 2 +- ..._app_layer_protocol_wermgr_connect_to_namedpipe.yml | 2 +- ...cation_layer_protocol_rms_radmin_tool_namedpipe.yml | 2 +- .../windows_archive_collected_data_via_rar.yml | 2 +- detections/endpoint/windows_autoit3_execution.yml | 2 +- ...rt_execution_lsass_driver_registry_modification.yml | 2 +- ..._binary_proxy_execution_mavinject_dll_injection.yml | 2 +- ..._or_logon_autostart_execution_in_startup_folder.yml | 2 +- .../endpoint/windows_bypass_uac_via_pkgmgr_tool.yml | 2 +- detections/endpoint/windows_cab_file_on_disk.yml | 2 +- .../windows_cached_domain_credentials_reg_query.yml | 2 +- ...change_default_file_association_for_no_file_ext.yml | 2 +- ...ndows_com_hijacking_inprocserver32_modification.yml | 2 +- ...nd_scripting_interpreter_hunting_path_traversal.yml | 2 +- ...d_and_scripting_interpreter_path_traversal_exec.yml | 2 +- .../windows_command_shell_dcrat_forkbomb_payload.yml | 2 +- .../windows_command_shell_fetch_env_variables.yml | 2 +- ...dows_credential_dumping_lsass_memory_createdump.yml | 2 +- ...ndows_credentials_from_password_stores_creation.yml | 2 +- ...ndows_credentials_from_password_stores_deletion.yml | 2 +- .../windows_credentials_from_password_stores_query.yml | 2 +- .../windows_credentials_in_registry_reg_query.yml | 2 +- .../windows_curl_download_to_suspicious_path.yml | 2 +- .../windows_curl_upload_to_remote_destination.yml | 2 +- ..._data_destruction_recursive_exec_files_deletion.yml | 2 +- .../endpoint/windows_debugger_tool_execution.yml | 2 +- ...dows_defacement_modify_transcodedwallpaper_file.yml | 2 +- ..._default_group_policy_object_modified_with_gpme.yml | 2 +- .../windows_defender_exclusion_registry_entry.yml | 2 +- .../windows_delete_or_modify_system_firewall.yml | 2 +- ...ed_registry_by_a_non_critical_process_file_path.yml | 2 +- ...indows_disable_change_password_through_registry.yml | 2 +- ...sable_lock_workstation_feature_through_registry.yml | 2 +- .../windows_disable_logoff_button_through_registry.yml | 2 +- .../endpoint/windows_disable_memory_crash_dump.yml | 2 +- .../endpoint/windows_disable_notification_center.yml | 2 +- .../windows_disable_or_modify_tools_via_taskkill.yml | 2 +- ...indows_disable_shutdown_button_through_registry.yml | 2 +- ...able_windows_event_logging_disable_http_logging.yml | 2 +- ..._windows_group_policy_features_through_registry.yml | 2 +- .../endpoint/windows_disableantispyware_registry.yml | 2 +- detections/endpoint/windows_diskcryptor_usage.yml | 2 +- .../endpoint/windows_diskshadow_proxy_execution.yml | 2 +- detections/endpoint/windows_dism_remove_defender.yml | 2 +- ...ows_dll_search_order_hijacking_hunt_with_sysmon.yml | 2 +- ...indows_dll_search_order_hijacking_with_iscsicpl.yml | 2 +- .../endpoint/windows_dll_side_loading_in_calc.yml | 2 +- .../windows_dll_side_loading_process_child_of_calc.yml | 2 +- .../endpoint/windows_dns_gather_network_info.yml | 2 +- .../windows_dotnet_binary_in_non_standard_path.yml | 2 +- .../endpoint/windows_drivers_loaded_by_signature.yml | 2 +- .../windows_enable_win32_scheduledjob_via_registry.yml | 2 +- .../windows_esx_admins_group_creation_via_net.yml | 2 +- .../endpoint/windows_executable_in_loaded_modules.yml | 2 +- .../windows_execute_arbitrary_commands_with_msdt.yml | 2 +- ...le_transfer_protocol_in_non_common_process_path.yml | 2 +- ...ndows_file_without_extension_in_critical_folder.yml | 2 +- ..._and_dirs_access_rights_modification_via_icacls.yml | 2 +- detections/endpoint/windows_findstr_gpp_discovery.yml | 2 +- .../windows_gather_victim_identity_sam_info.yml | 2 +- ...ctim_network_info_through_ip_check_web_services.yml | 2 +- ...ows_hide_notification_features_through_registry.yml | 2 +- .../endpoint/windows_high_file_deletion_frequency.yml | 2 +- ...ows_hijack_execution_flow_version_dll_side_load.yml | 2 +- .../windows_hunting_system_account_targeting_lsass.yml | 2 +- .../endpoint/windows_identify_protocol_handlers.yml | 2 +- .../endpoint/windows_iis_components_add_new_module.yml | 2 +- .../windows_impair_defense_add_xml_applocker_rules.yml | 2 +- ...ense_change_win_defender_health_check_intervals.yml | 2 +- ...defense_change_win_defender_quick_scan_interval.yml | 2 +- ...mpair_defense_change_win_defender_throttle_rate.yml | 2 +- ...mpair_defense_change_win_defender_tracing_level.yml | 2 +- ...ws_impair_defense_configure_app_install_control.yml | 2 +- ...mpair_defense_define_win_defender_threat_action.yml | 2 +- ...impair_defense_delete_win_defender_context_menu.yml | 2 +- ...ir_defense_delete_win_defender_profile_registry.yml | 2 +- ...r_defense_deny_security_software_with_applocker.yml | 2 +- ...impair_defense_disable_controlled_folder_access.yml | 2 +- ...r_defense_disable_defender_firewall_and_network.yml | 2 +- ...r_defense_disable_defender_protocol_recognition.yml | 2 +- .../windows_impair_defense_disable_pua_protection.yml | 2 +- ...air_defense_disable_realtime_signature_delivery.yml | 2 +- .../windows_impair_defense_disable_web_evaluation.yml | 2 +- ...s_impair_defense_disable_win_defender_app_guard.yml | 2 +- ...efense_disable_win_defender_compute_file_hashes.yml | 2 +- ...impair_defense_disable_win_defender_gen_reports.yml | 2 +- ...defense_disable_win_defender_network_protection.yml | 2 +- ...r_defense_disable_win_defender_report_infection.yml | 2 +- ...air_defense_disable_win_defender_scan_on_update.yml | 2 +- ...fense_disable_win_defender_signature_retirement.yml | 2 +- ...ir_defense_overide_win_defender_phishing_filter.yml | 2 +- ...dows_impair_defense_override_smartscreen_prompt.yml | 2 +- ...nse_set_win_defender_smart_screen_level_to_warn.yml | 2 +- ...pair_defenses_disable_av_autostart_via_registry.yml | 2 +- .../endpoint/windows_impair_defenses_disable_hvci.yml | 2 +- ...pair_defenses_disable_win_defender_auto_logging.yml | 2 +- .../endpoint/windows_indicator_removal_via_rmdir.yml | 2 +- ...windows_indirect_command_execution_via_forfiles.yml | 2 +- .../windows_indirect_command_execution_via_pcalua.yml | 2 +- ...direct_command_execution_via_series_of_forfiles.yml | 2 +- .../endpoint/windows_information_discovery_fsutil.yml | 2 +- .../windows_ingress_tool_transfer_using_explorer.yml | 2 +- .../windows_inprocserver32_new_outlook_form.yml | 2 +- .../windows_input_capture_using_credential_ui_dll.yml | 2 +- .../endpoint/windows_installutil_credential_theft.yml | 2 +- .../windows_installutil_in_non_standard_path.yml | 2 +- .../windows_installutil_remote_network_connection.yml | 2 +- .../endpoint/windows_installutil_uninstall_option.yml | 2 +- ...ndows_installutil_uninstall_option_with_network.yml | 2 +- .../windows_installutil_url_in_command_line.yml | 2 +- detections/endpoint/windows_iso_lnk_file_creation.yml | 2 +- .../windows_known_graphicalproton_loaded_modules.yml | 2 +- .../endpoint/windows_lateral_tool_transfer_remcom.yml | 2 +- .../windows_ldifde_directory_object_behavior.yml | 2 +- .../windows_lolbas_executed_as_renamed_file.yml | 2 +- .../windows_lolbas_executed_outside_expected_path.yml | 2 +- .../endpoint/windows_lsa_secrets_nolmhash_registry.yml | 2 +- ...indows_mail_protocol_in_non_common_process_path.yml | 2 +- detections/endpoint/windows_mark_of_the_web_bypass.yml | 2 +- .../windows_masquerading_explorer_as_child_process.yml | 2 +- .../endpoint/windows_masquerading_msdtc_process.yml | 2 +- .../endpoint/windows_mimikatz_binary_execution.yml | 2 +- .../windows_mimikatz_crypto_export_file_extensions.yml | 2 +- ...ows_modify_registry_authenticationleveloverride.yml | 2 +- .../windows_modify_registry_auto_minor_updates.yml | 2 +- .../windows_modify_registry_auto_update_notif.yml | 2 +- .../windows_modify_registry_configure_bitlocker.yml | 2 +- .../windows_modify_registry_default_icon_setting.yml | 2 +- .../windows_modify_registry_delete_firewall_rules.yml | 2 +- .../endpoint/windows_modify_registry_disable_rdp.yml | 2 +- ...indows_modify_registry_disable_restricted_admin.yml | 2 +- ...ows_modify_registry_disable_toast_notifications.yml | 2 +- ...y_registry_disable_win_defender_raw_write_notif.yml | 2 +- ...dify_registry_disable_windefender_notifications.yml | 2 +- ..._registry_disable_windows_security_center_notif.yml | 2 +- ...s_modify_registry_disableremotedesktopantialias.yml | 2 +- ...windows_modify_registry_disablesecuritysettings.yml | 2 +- .../windows_modify_registry_disabling_wer_settings.yml | 2 +- .../windows_modify_registry_disallow_windows_app.yml | 2 +- ...ws_modify_registry_do_not_connect_to_win_update.yml | 2 +- .../endpoint/windows_modify_registry_dontshowui.yml | 2 +- ...windows_modify_registry_enablelinkedconnections.yml | 2 +- .../windows_modify_registry_longpathsenabled.yml | 2 +- .../windows_modify_registry_maxconnectionperserver.yml | 2 +- ..._modify_registry_no_auto_reboot_with_logon_user.yml | 2 +- .../windows_modify_registry_no_auto_update.yml | 2 +- .../windows_modify_registry_nochangingwallpaper.yml | 2 +- ...dows_modify_registry_on_smart_card_group_policy.yml | 2 +- .../endpoint/windows_modify_registry_proxyenable.yml | 2 +- .../endpoint/windows_modify_registry_proxyserver.yml | 2 +- ...ows_modify_registry_qakbot_binary_data_registry.yml | 2 +- .../endpoint/windows_modify_registry_reg_restore.yml | 2 +- ...ndows_modify_registry_regedit_silent_reg_import.yml | 2 +- ...ows_modify_registry_suppress_win_defender_notif.yml | 2 +- .../windows_modify_registry_tamper_protection.yml | 2 +- ..._modify_registry_to_add_or_modify_firewall_rule.yml | 2 +- ...ndows_modify_registry_updateserviceurlalternate.yml | 2 +- .../endpoint/windows_modify_registry_usewuserver.yml | 2 +- .../windows_modify_registry_utilize_progids.yml | 2 +- .../windows_modify_registry_valleyrat_c2_config.yml | 2 +- ...windows_modify_registry_valleyrat_pwn_reg_entry.yml | 2 +- .../windows_modify_registry_with_md5_reg_key_name.yml | 2 +- .../endpoint/windows_modify_registry_wuserver.yml | 2 +- .../windows_modify_registry_wustatusserver.yml | 2 +- ...odify_show_compress_color_and_info_tip_registry.yml | 2 +- ...odify_system_firewall_with_notable_process_path.yml | 2 +- .../windows_mof_event_triggered_execution_via_wmi.yml | 2 +- .../endpoint/windows_mshta_execution_in_registry.yml | 2 +- .../windows_mshta_writing_to_world_writable_path.yml | 2 +- .../endpoint/windows_msiexec_dllregisterserver.yml | 2 +- .../windows_msiexec_hidewindow_rundll32_execution.yml | 2 +- .../endpoint/windows_msiexec_remote_download.yml | 2 +- .../windows_msiexec_spawn_discovery_command.yml | 2 +- detections/endpoint/windows_msiexec_spawn_windbg.yml | 2 +- .../windows_msiexec_unregister_dllregisterserver.yml | 2 +- .../windows_msiexec_with_network_connections.yml | 2 +- .../windows_multi_hop_proxy_tor_website_query.yml | 2 +- .../windows_network_share_interaction_with_net.yml | 2 +- .../endpoint/windows_new_inprocserver32_added.yml | 2 +- .../endpoint/windows_ngrok_reverse_proxy_usage.yml | 2 +- detections/endpoint/windows_nirsoft_advancedrun.yml | 2 +- detections/endpoint/windows_nirsoft_utilities.yml | 2 +- .../windows_njrat_fileless_storage_via_registry.yml | 2 +- .../windows_non_system_account_targeting_lsass.yml | 2 +- detections/endpoint/windows_odbcconf_hunting.yml | 2 +- detections/endpoint/windows_odbcconf_load_dll.yml | 2 +- .../endpoint/windows_odbcconf_load_response_file.yml | 2 +- .../endpoint/windows_office_product_spawning_msdt.yml | 2 +- .../windows_outlook_webview_registry_modification.yml | 2 +- .../endpoint/windows_papercut_ng_spawn_shell.yml | 2 +- .../windows_parent_pid_spoofing_with_explorer.yml | 2 +- .../endpoint/windows_password_managers_discovery.yml | 2 +- .../windows_phishing_outlook_drop_dll_in_form_dir.yml | 2 +- .../windows_phishing_pdf_file_executes_url_link.yml | 2 +- .../windows_phishing_recent_iso_exec_registry.yml | 2 +- .../endpoint/windows_possible_credential_dumping.yml | 2 +- .../endpoint/windows_powershell_remotesigned_file.yml | 2 +- detections/endpoint/windows_private_keys_discovery.yml | 2 +- .../endpoint/windows_process_commandline_discovery.yml | 2 +- ..._process_injection_in_non_service_searchindexer.yml | 2 +- .../windows_process_injection_into_notepad.yml | 2 +- ...ws_process_injection_of_wermgr_to_known_browser.yml | 2 +- .../windows_process_injection_remote_thread.yml | 2 +- .../windows_process_injection_wermgr_child_process.yml | 2 +- ...ndows_process_injection_with_public_source_path.yml | 2 +- .../windows_process_with_namedpipe_commandline.yml | 2 +- ...ows_process_writing_file_to_world_writable_path.yml | 2 +- ...indows_processes_killed_by_industroyer2_malware.yml | 2 +- .../endpoint/windows_protocol_tunneling_with_plink.yml | 2 +- detections/endpoint/windows_proxy_via_netsh.yml | 2 +- detections/endpoint/windows_proxy_via_registry.yml | 2 +- .../endpoint/windows_query_registry_reg_save.yml | 2 +- .../windows_raccine_scheduled_task_deletion.yml | 2 +- detections/endpoint/windows_rasautou_dll_execution.yml | 2 +- .../windows_raw_access_to_disk_volume_partition.yml | 2 +- .../windows_raw_access_to_master_boot_record_drive.yml | 2 +- .../windows_registry_bootexecute_modification.yml | 2 +- .../endpoint/windows_registry_certificate_added.yml | 2 +- .../endpoint/windows_registry_delete_task_sd.yml | 2 +- ...registry_modification_for_safe_mode_persistence.yml | 2 +- .../endpoint/windows_registry_payload_injection.yml | 2 +- .../windows_registry_sip_provider_modification.yml | 2 +- .../endpoint/windows_regsvr32_renamed_binary.yml | 2 +- .../windows_remote_access_software_brc4_loaded_dll.yml | 2 +- .../endpoint/windows_remote_access_software_hunt.yml | 2 +- .../windows_remote_access_software_rms_registry.yml | 2 +- .../windows_remote_assistance_spawning_process.yml | 2 +- detections/endpoint/windows_remote_create_service.yml | 2 +- .../windows_remote_service_rdpwinst_tool_execution.yml | 2 +- .../windows_remote_services_allow_rdp_in_firewall.yml | 2 +- ...windows_remote_services_allow_remote_assistance.yml | 2 +- .../endpoint/windows_remote_services_rdp_enable.yml | 2 +- .../windows_replication_through_removable_media.yml | 2 +- .../windows_rundll32_apply_user_settings_changes.yml | 2 +- .../endpoint/windows_rundll32_webdav_request.yml | 2 +- .../windows_scheduled_task_created_via_xml.yml | 2 +- .../windows_scheduled_task_dll_module_loaded.yml | 2 +- .../windows_scheduled_task_service_spawned_shell.yml | 2 +- .../windows_scheduled_task_with_highest_privileges.yml | 2 +- .../endpoint/windows_schtasks_create_run_as_system.yml | 2 +- .../windows_security_account_manager_stopped.yml | 2 +- .../windows_security_support_provider_reg_query.yml | 2 +- ...erver_software_component_gacutil_install_to_gac.yml | 2 +- .../windows_service_create_kernel_mode_driver.yml | 2 +- .../endpoint/windows_service_create_with_tscon.yml | 2 +- .../windows_service_creation_on_remote_endpoint.yml | 2 +- .../windows_service_creation_using_registry_entry.yml | 2 +- .../endpoint/windows_service_deletion_in_registry.yml | 2 +- .../windows_service_initiation_on_remote_endpoint.yml | 2 +- .../endpoint/windows_service_stop_by_deletion.yml | 2 +- ...indows_service_stop_via_net__and_sc_application.yml | 2 +- .../windows_snake_malware_file_modification_crmlog.yml | 2 +- .../windows_snake_malware_kernel_driver_comadmin.yml | 2 +- ...lware_registry_modification_wav_openwithprogids.yml | 2 +- .../endpoint/windows_soaphound_binary_execution.yml | 2 +- ...ing_attachment_connect_to_none_ms_office_domain.yml | 2 +- ...ws_spearphishing_attachment_onenote_spawn_mshta.yml | 2 +- .../windows_sqlwriter_sqldumper_dll_sideload.yml | 2 +- ...eal_authentication_certificates_certutil_backup.yml | 2 +- ..._authentication_certificates_export_certificate.yml | 2 +- ...thentication_certificates_export_pfxcertificate.yml | 2 +- .../windows_steal_or_forge_kerberos_tickets_klist.yml | 2 +- ...ows_suspect_process_with_authentication_traffic.yml | 2 +- ...ry_proxy_execution_compiled_html_file_decompile.yml | 2 +- .../windows_system_discovery_using_ldap_nslookup.yml | 2 +- .../windows_system_discovery_using_qwinsta.yml | 2 +- detections/endpoint/windows_system_file_on_disk.yml | 2 +- .../endpoint/windows_system_logoff_commandline.yml | 2 +- ...ows_system_network_config_discovery_display_dns.yml | 2 +- ...dows_system_network_connections_discovery_netsh.yml | 2 +- .../endpoint/windows_system_reboot_commandline.yml | 2 +- ...script_proxy_execution_syncappvpublishingserver.yml | 2 +- .../endpoint/windows_system_shutdown_commandline.yml | 2 +- .../windows_system_time_discovery_w32tm_delay.yml | 2 +- .../windows_system_user_discovery_via_quser.yml | 2 +- .../windows_system_user_privilege_discovery.yml | 2 +- .../endpoint/windows_terminating_lsass_process.yml | 2 +- detections/endpoint/windows_time_based_evasion.yml | 2 +- .../windows_time_based_evasion_via_choice_exec.yml | 2 +- .../endpoint/windows_unsigned_dll_side_loading.yml | 2 +- ..._unsigned_dll_side_loading_in_same_process_path.yml | 2 +- .../endpoint/windows_unsigned_ms_dll_side_loading.yml | 2 +- ...dows_user_execution_malicious_url_shortcut_file.yml | 2 +- ...ndows_valid_account_with_never_expires_password.yml | 2 +- .../endpoint/windows_vulnerable_3cx_software.yml | 2 +- .../endpoint/windows_windbg_spawning_autoit3.yml | 2 +- detections/endpoint/windows_wmi_impersonate_token.yml | 2 +- .../endpoint/windows_wmi_process_and_service_list.yml | 2 +- .../endpoint/windows_wmi_process_call_create.yml | 2 +- detections/endpoint/winhlp32_spawning_a_process.yml | 2 +- .../endpoint/winrar_spawning_shell_application.yml | 2 +- detections/endpoint/winword_spawning_cmd.yml | 2 +- detections/endpoint/winword_spawning_powershell.yml | 2 +- .../endpoint/winword_spawning_windows_script_host.yml | 2 +- .../wmi_permanent_event_subscription___sysmon.yml | 2 +- detections/endpoint/wmic_group_discovery.yml | 2 +- .../wmic_noninteractive_app_uninstallation.yml | 2 +- detections/endpoint/wmic_xsl_execution_via_url.yml | 2 +- .../wmiprsve_lolbas_execution_process_spawn.yml | 2 +- .../wscript_or_cscript_suspicious_child_process.yml | 2 +- .../wsmprovhost_lolbas_execution_process_spawn.yml | 2 +- detections/endpoint/wsreset_uac_bypass.yml | 2 +- detections/endpoint/xmrig_driver_loaded.yml | 2 +- detections/endpoint/xsl_script_execution_with_wmic.yml | 2 +- ...ct_hosts_connecting_to_dynamic_domain_providers.yml | 2 +- .../dns_query_length_with_high_standard_deviation.yml | 2 +- detections/network/ngrok_reverse_proxy_on_network.yml | 2 +- 699 files changed, 702 insertions(+), 706 deletions(-) diff --git a/detections/endpoint/7zip_commandline_to_smb_share_path.yml b/detections/endpoint/7zip_commandline_to_smb_share_path.yml index 71873d5e3c..ca31319fdc 100644 --- a/detections/endpoint/7zip_commandline_to_smb_share_path.yml +++ b/detections/endpoint/7zip_commandline_to_smb_share_path.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon_7z.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/access_lsass_memory_for_dump_creation.yml b/detections/endpoint/access_lsass_memory_for_dump_creation.yml index c26fa2f16d..22ecef9a15 100644 --- a/detections/endpoint/access_lsass_memory_for_dump_creation.yml +++ b/detections/endpoint/access_lsass_memory_for_dump_creation.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/account_discovery_with_net_app.yml b/detections/endpoint/account_discovery_with_net_app.yml index e5d8aedc23..cd9bb1d64b 100644 --- a/detections/endpoint/account_discovery_with_net_app.yml +++ b/detections/endpoint/account_discovery_with_net_app.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml index 3b7773c18a..9d319657fa 100644 --- a/detections/endpoint/active_setup_registry_autostart.yml +++ b/detections/endpoint/active_setup_registry_autostart.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml index 810006c1ea..57593fe34e 100644 --- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml +++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml index 14ba3a5c23..8aadcef903 100644 --- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml +++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml index e915e23406..668a33d0a7 100644 --- a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml +++ b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml index 457ded1701..540fb49535 100644 --- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml +++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/allow_network_discovery_in_firewall.yml b/detections/endpoint/allow_network_discovery_in_firewall.yml index ec58bec71c..babafb69ba 100644 --- a/detections/endpoint/allow_network_discovery_in_firewall.yml +++ b/detections/endpoint/allow_network_discovery_in_firewall.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml index acefa48c4d..074042bf6b 100644 --- a/detections/endpoint/allow_operation_with_consent_admin.yml +++ b/detections/endpoint/allow_operation_with_consent_admin.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index 6c7eda482c..1ee3ac76d2 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml @@ -79,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml index 0e86cc6a14..d4bfd021eb 100644 --- a/detections/endpoint/any_powershell_downloadfile.yml +++ b/detections/endpoint/any_powershell_downloadfile.yml @@ -86,4 +86,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/any_powershell_downloadstring.yml b/detections/endpoint/any_powershell_downloadstring.yml index 8cf3f150b6..de94ebccd4 100644 --- a/detections/endpoint/any_powershell_downloadstring.yml +++ b/detections/endpoint/any_powershell_downloadstring.yml @@ -87,4 +87,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/attacker_tools_on_endpoint.yml b/detections/endpoint/attacker_tools_on_endpoint.yml index 8e608cb29d..354bc5570d 100644 --- a/detections/endpoint/attacker_tools_on_endpoint.yml +++ b/detections/endpoint/attacker_tools_on_endpoint.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml index 298cc14346..07d66a4703 100644 --- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml +++ b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/attempt_to_stop_security_service.yml b/detections/endpoint/attempt_to_stop_security_service.yml index 5c691e1f70..291fdd52fc 100644 --- a/detections/endpoint/attempt_to_stop_security_service.yml +++ b/detections/endpoint/attempt_to_stop_security_service.yml @@ -81,4 +81,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml index 8adca0282a..f58ea1455f 100644 --- a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml +++ b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml @@ -80,7 +80,7 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml index d114d607bd..1765d1eaac 100644 --- a/detections/endpoint/auto_admin_logon_registry_entry.yml +++ b/detections/endpoint/auto_admin_logon_registry_entry.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/batch_file_write_to_system32.yml b/detections/endpoint/batch_file_write_to_system32.yml index f835fc5114..7dd17efe27 100644 --- a/detections/endpoint/batch_file_write_to_system32.yml +++ b/detections/endpoint/batch_file_write_to_system32.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml index 65a28615e6..1c7b896fd7 100644 --- a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml +++ b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/bcdedit_failure_recovery_modification.yml b/detections/endpoint/bcdedit_failure_recovery_modification.yml index a1745ecbb9..347b2bf825 100644 --- a/detections/endpoint/bcdedit_failure_recovery_modification.yml +++ b/detections/endpoint/bcdedit_failure_recovery_modification.yml @@ -69,5 +69,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/bits_job_persistence.yml b/detections/endpoint/bits_job_persistence.yml index 22b3f92dde..7995f7c75f 100644 --- a/detections/endpoint/bits_job_persistence.yml +++ b/detections/endpoint/bits_job_persistence.yml @@ -78,7 +78,7 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml index 5f2db72ccd..b5de4a939c 100644 --- a/detections/endpoint/bitsadmin_download_file.yml +++ b/detections/endpoint/bitsadmin_download_file.yml @@ -83,7 +83,7 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml index b1c1f7e2a5..9732998fcf 100644 --- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml @@ -82,4 +82,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml index 8d349f5391..5573c72b0e 100644 --- a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml @@ -79,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/certutil_exe_certificate_extraction.yml b/detections/endpoint/certutil_exe_certificate_extraction.yml index 61a51e3950..4add9a11c6 100644 --- a/detections/endpoint/certutil_exe_certificate_extraction.yml +++ b/detections/endpoint/certutil_exe_certificate_extraction.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml index f1e9d823ed..d9faca4128 100644 --- a/detections/endpoint/certutil_with_decode_argument.yml +++ b/detections/endpoint/certutil_with_decode_argument.yml @@ -84,4 +84,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/change_default_file_association.yml b/detections/endpoint/change_default_file_association.yml index 2cf5dc4d06..dc0816a4f0 100644 --- a/detections/endpoint/change_default_file_association.yml +++ b/detections/endpoint/change_default_file_association.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/change_to_safe_mode_with_network_config.yml b/detections/endpoint/change_to_safe_mode_with_network_config.yml index 3b1c5a3fc8..67ed7a88b0 100644 --- a/detections/endpoint/change_to_safe_mode_with_network_config.yml +++ b/detections/endpoint/change_to_safe_mode_with_network_config.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml index cf5f6e3aba..dd27f38f08 100644 --- a/detections/endpoint/chcp_command_execution.yml +++ b/detections/endpoint/chcp_command_execution.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml index fb451f78e1..6eff5b566d 100644 --- a/detections/endpoint/check_elevated_cmd_using_whoami.yml +++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml index 46476e654e..c6d2e5070a 100644 --- a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml +++ b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/clop_common_exec_parameter.yml b/detections/endpoint/clop_common_exec_parameter.yml index 1d79649be3..1bced9bc90 100644 --- a/detections/endpoint/clop_common_exec_parameter.yml +++ b/detections/endpoint/clop_common_exec_parameter.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_b/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index 993c1a9197..96576aa548 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml @@ -79,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/cmd_echo_pipe___escalation.yml b/detections/endpoint/cmd_echo_pipe___escalation.yml index dd4902e31f..f203dde237 100644 --- a/detections/endpoint/cmd_echo_pipe___escalation.yml +++ b/detections/endpoint/cmd_echo_pipe___escalation.yml @@ -80,4 +80,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml index c72cf1154f..c74dff7cdf 100644 --- a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml +++ b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml @@ -84,4 +84,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/jssloader/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index 93a677c2f9..251eef2d1d 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml index 834651ff2f..67d819e9fd 100644 --- a/detections/endpoint/cobalt_strike_named_pipes.yml +++ b/detections/endpoint/cobalt_strike_named_pipes.yml @@ -71,4 +71,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/common_ransomware_extensions.yml b/detections/endpoint/common_ransomware_extensions.yml index 818569d4b6..fb396c4d20 100644 --- a/detections/endpoint/common_ransomware_extensions.yml +++ b/detections/endpoint/common_ransomware_extensions.yml @@ -54,4 +54,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/common_ransomware_notes.yml b/detections/endpoint/common_ransomware_notes.yml index f4ca5f9f09..cfc4042b94 100644 --- a/detections/endpoint/common_ransomware_notes.yml +++ b/detections/endpoint/common_ransomware_notes.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal.yml b/detections/endpoint/connectwise_screenconnect_path_traversal.yml index ff931ce485..b6c356ed9d 100644 --- a/detections/endpoint/connectwise_screenconnect_path_traversal.yml +++ b/detections/endpoint/connectwise_screenconnect_path_traversal.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml index dba79959d6..6eccb43569 100644 --- a/detections/endpoint/conti_common_exec_parameter.yml +++ b/detections/endpoint/conti_common_exec_parameter.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/inf1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/control_loading_from_world_writable_directory.yml b/detections/endpoint/control_loading_from_world_writable_directory.yml index 7e55e49eab..5862382170 100644 --- a/detections/endpoint/control_loading_from_world_writable_directory.yml +++ b/detections/endpoint/control_loading_from_world_writable_directory.yml @@ -81,4 +81,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml index a2f645d962..66367f1466 100644 --- a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml +++ b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml @@ -79,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/create_remote_thread_in_shell_application.yml b/detections/endpoint/create_remote_thread_in_shell_application.yml index d628c43f6b..21b2f1b81a 100644 --- a/detections/endpoint/create_remote_thread_in_shell_application.yml +++ b/detections/endpoint/create_remote_thread_in_shell_application.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml index 50b28812d4..1a9c68b97d 100644 --- a/detections/endpoint/create_remote_thread_into_lsass.yml +++ b/detections/endpoint/create_remote_thread_into_lsass.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml index 37b2a6b958..cf57d0d457 100644 --- a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml +++ b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/creation_of_shadow_copy.yml b/detections/endpoint/creation_of_shadow_copy.yml index 7a2fe63f71..e5d9de5d59 100644 --- a/detections/endpoint/creation_of_shadow_copy.yml +++ b/detections/endpoint/creation_of_shadow_copy.yml @@ -73,7 +73,7 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/crowdstrike_falcon.log diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml index fc2051438e..645cf56b85 100644 --- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml +++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml index 14f5e9b08c..5878f74548 100644 --- a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml +++ b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml index 812446cfa7..89b2fd60ef 100644 --- a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml +++ b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/csc_net_on_the_fly_compilation.yml b/detections/endpoint/csc_net_on_the_fly_compilation.yml index aada2ca714..98839480d7 100644 --- a/detections/endpoint/csc_net_on_the_fly_compilation.yml +++ b/detections/endpoint/csc_net_on_the_fly_compilation.yml @@ -52,4 +52,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/deleting_of_net_users.yml b/detections/endpoint/deleting_of_net_users.yml index 4607f1e1f6..cd6c749a53 100644 --- a/detections/endpoint/deleting_of_net_users.yml +++ b/detections/endpoint/deleting_of_net_users.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/deleting_shadow_copies.yml b/detections/endpoint/deleting_shadow_copies.yml index 69df45e726..70a950f633 100644 --- a/detections/endpoint/deleting_shadow_copies.yml +++ b/detections/endpoint/deleting_shadow_copies.yml @@ -83,4 +83,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml index 20dbae6517..374d026ff0 100644 --- a/detections/endpoint/detect_azurehound_command_line_arguments.yml +++ b/detections/endpoint/detect_azurehound_command_line_arguments.yml @@ -83,4 +83,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_azurehound_file_modifications.yml b/detections/endpoint/detect_azurehound_file_modifications.yml index da44e3a321..14f158fa32 100644 --- a/detections/endpoint/detect_azurehound_file_modifications.yml +++ b/detections/endpoint/detect_azurehound_file_modifications.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_certify_command_line_arguments.yml b/detections/endpoint/detect_certify_command_line_arguments.yml index 12a560f63f..d119494309 100644 --- a/detections/endpoint/detect_certify_command_line_arguments.yml +++ b/detections/endpoint/detect_certify_command_line_arguments.yml @@ -70,5 +70,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/detect_certipy_file_modifications.yml b/detections/endpoint/detect_certipy_file_modifications.yml index 80ff34e21c..456f88432f 100644 --- a/detections/endpoint/detect_certipy_file_modifications.yml +++ b/detections/endpoint/detect_certipy_file_modifications.yml @@ -80,5 +80,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml index 8b388ea2a8..ee96f5217c 100644 --- a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml +++ b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml index d0d4eb1e62..873645916d 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml @@ -9,12 +9,8 @@ data_source: - Windows Defender Alerts - MS365 Defender Incident Alerts description: The following analytics is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.signature_id) as signature_id values(Alerts.dest) as dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype -| `drop_dm_object_name("Alerts")` -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| eval risk_score=case(severity="informational", 2, severity="low", 5, severity="medium", 10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`' -how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. The risk_score field is used to calculate the risk score for the alerts and the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework is dynamically created by the detection when this is triggered. These fields need not be set in the adaptive response actions. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.signature_id) as signature_id values(Alerts.dest) as dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval risk_score=case(severity="informational", 2, severity="low", 5, severity="medium", 10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`' +how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. The risk_score field is used to calculate the risk score for the alerts and the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework is dynamically created by the detection when this is triggered. These fields need not be set in the adaptive response actions. known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment. references: - https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/accessing-microsoft-defender-for-cloud-alerts-in-splunk-using/ba-p/938228 @@ -76,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_incident_alerts.log source: m365_defender_incident_alerts - sourcetype: ms365:defender:incident:alerts \ No newline at end of file + sourcetype: ms365:defender:incident:alerts diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml index ed39d29d60..778123d7ec 100644 --- a/detections/endpoint/detect_exchange_web_shell.yml +++ b/detections/endpoint/detect_exchange_web_shell.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_html_help_renamed.yml b/detections/endpoint/detect_html_help_renamed.yml index 9fd38fef12..c7ed196285 100644 --- a/detections/endpoint/detect_html_help_renamed.yml +++ b/detections/endpoint/detect_html_help_renamed.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_html_help_spawn_child_process.yml b/detections/endpoint/detect_html_help_spawn_child_process.yml index 53b7bb5919..faeb70c71b 100644 --- a/detections/endpoint/detect_html_help_spawn_child_process.yml +++ b/detections/endpoint/detect_html_help_spawn_child_process.yml @@ -81,4 +81,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml index 6d2fe4dc48..e2de280732 100644 --- a/detections/endpoint/detect_html_help_url_in_command_line.yml +++ b/detections/endpoint/detect_html_help_url_in_command_line.yml @@ -81,4 +81,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml index faf70867f4..4a60301b6e 100644 --- a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml +++ b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml @@ -77,4 +77,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml index 5e2519388b..aca378f00b 100644 --- a/detections/endpoint/detect_mshta_inline_hta_execution.yml +++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml @@ -79,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_mshta_renamed.yml b/detections/endpoint/detect_mshta_renamed.yml index ba279d868f..e6030aa238 100644 --- a/detections/endpoint/detect_mshta_renamed.yml +++ b/detections/endpoint/detect_mshta_renamed.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml index c1d180fb47..e173fa6d46 100644 --- a/detections/endpoint/detect_mshta_url_in_command_line.yml +++ b/detections/endpoint/detect_mshta_url_in_command_line.yml @@ -78,4 +78,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml index 79ce69dd82..809752b41c 100644 --- a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml +++ b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml index 41d03ad4f5..46d5f6fdd0 100644 --- a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml +++ b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml @@ -73,4 +73,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml index c2fac6c038..400d22e66b 100644 --- a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml +++ b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml index 428e2951a6..64e8434189 100644 --- a/detections/endpoint/detect_psexec_with_accepteula_flag.yml +++ b/detections/endpoint/detect_psexec_with_accepteula_flag.yml @@ -86,4 +86,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_rare_executables.yml b/detections/endpoint/detect_rare_executables.yml index fe2493587a..5d0e7e91f5 100644 --- a/detections/endpoint/detect_rare_executables.yml +++ b/detections/endpoint/detect_rare_executables.yml @@ -54,4 +54,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml index 5979ea5d23..1b2c246620 100644 --- a/detections/endpoint/detect_rclone_command_line_usage.yml +++ b/detections/endpoint/detect_rclone_command_line_usage.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_regasm_spawning_a_process.yml b/detections/endpoint/detect_regasm_spawning_a_process.yml index c041600a65..6f339a6ca8 100644 --- a/detections/endpoint/detect_regasm_spawning_a_process.yml +++ b/detections/endpoint/detect_regasm_spawning_a_process.yml @@ -78,4 +78,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_regasm_with_network_connection.yml b/detections/endpoint/detect_regasm_with_network_connection.yml index 2658456753..4252923c65 100644 --- a/detections/endpoint/detect_regasm_with_network_connection.yml +++ b/detections/endpoint/detect_regasm_with_network_connection.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml index f8ee2864df..abe9c7bb74 100644 --- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml @@ -79,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_regsvcs_spawning_a_process.yml b/detections/endpoint/detect_regsvcs_spawning_a_process.yml index a5b2b58b98..06eca7cffe 100644 --- a/detections/endpoint/detect_regsvcs_spawning_a_process.yml +++ b/detections/endpoint/detect_regsvcs_spawning_a_process.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_regsvcs_with_network_connection.yml b/detections/endpoint/detect_regsvcs_with_network_connection.yml index b25b50322a..9e15481596 100644 --- a/detections/endpoint/detect_regsvcs_with_network_connection.yml +++ b/detections/endpoint/detect_regsvcs_with_network_connection.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml index 7d6e9eb3bd..4191aa105a 100644 --- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml @@ -78,4 +78,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_regsvr32_application_control_bypass.yml b/detections/endpoint/detect_regsvr32_application_control_bypass.yml index c8f572716c..72ca8e27b4 100644 --- a/detections/endpoint/detect_regsvr32_application_control_bypass.yml +++ b/detections/endpoint/detect_regsvr32_application_control_bypass.yml @@ -82,4 +82,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_renamed_7_zip.yml b/detections/endpoint/detect_renamed_7_zip.yml index 4c504d26b6..ff1d252d19 100644 --- a/detections/endpoint/detect_renamed_7_zip.yml +++ b/detections/endpoint/detect_renamed_7_zip.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml index fa2d687c66..2ddce2de43 100644 --- a/detections/endpoint/detect_renamed_psexec.yml +++ b/detections/endpoint/detect_renamed_psexec.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml index 0d40c44f97..1339466d42 100644 --- a/detections/endpoint/detect_renamed_rclone.yml +++ b/detections/endpoint/detect_renamed_rclone.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml index 5a12ffbe14..850fd452f8 100644 --- a/detections/endpoint/detect_renamed_winrar.yml +++ b/detections/endpoint/detect_renamed_winrar.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_rtlo_in_file_name.yml b/detections/endpoint/detect_rtlo_in_file_name.yml index 6409c49384..10d95a02dd 100644 --- a/detections/endpoint/detect_rtlo_in_file_name.yml +++ b/detections/endpoint/detect_rtlo_in_file_name.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_rtlo_in_process.yml b/detections/endpoint/detect_rtlo_in_process.yml index 8cff62a534..83644c3be9 100644 --- a/detections/endpoint/detect_rtlo_in_process.yml +++ b/detections/endpoint/detect_rtlo_in_process.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml index 4ab52981ad..8fc417731d 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml @@ -80,4 +80,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml index 0b99c228fb..6707d35cd0 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml @@ -80,4 +80,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml index f5110c0e08..b8224a530a 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml @@ -80,4 +80,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml index 37d7b3b5be..32d8358be3 100644 --- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml +++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml index e3f2ad27dd..3032fefdcd 100644 --- a/detections/endpoint/detect_sharphound_command_line_arguments.yml +++ b/detections/endpoint/detect_sharphound_command_line_arguments.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_sharphound_file_modifications.yml b/detections/endpoint/detect_sharphound_file_modifications.yml index 71d0dc3adc..1e220115ee 100644 --- a/detections/endpoint/detect_sharphound_file_modifications.yml +++ b/detections/endpoint/detect_sharphound_file_modifications.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_sharphound_usage.yml b/detections/endpoint/detect_sharphound_usage.yml index ee91afac98..dfdb64ae9a 100644 --- a/detections/endpoint/detect_sharphound_usage.yml +++ b/detections/endpoint/detect_sharphound_usage.yml @@ -73,4 +73,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml index ba0c6da771..18ef45ed0f 100644 --- a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml +++ b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_webshell_exploit_behavior.yml b/detections/endpoint/detect_webshell_exploit_behavior.yml index a0091101de..9ead50398f 100644 --- a/detections/endpoint/detect_webshell_exploit_behavior.yml +++ b/detections/endpoint/detect_webshell_exploit_behavior.yml @@ -79,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/generic_webshell_exploit/generic_webshell_exploit.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/detect_wmi_event_subscription_persistence.yml b/detections/endpoint/detect_wmi_event_subscription_persistence.yml index 2f44aa56a1..9a0de15116 100644 --- a/detections/endpoint/detect_wmi_event_subscription_persistence.yml +++ b/detections/endpoint/detect_wmi_event_subscription_persistence.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml index cd38605bed..888202d269 100644 --- a/detections/endpoint/disable_amsi_through_registry.yml +++ b/detections/endpoint/disable_amsi_through_registry.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml index 7646711d53..fede9963a8 100644 --- a/detections/endpoint/disable_defender_antivirus_registry.yml +++ b/detections/endpoint/disable_defender_antivirus_registry.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml index 658391eb17..5cee08686d 100644 --- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml +++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml index b53d37ba33..17ef99e6dd 100644 --- a/detections/endpoint/disable_defender_enhanced_notification.yml +++ b/detections/endpoint/disable_defender_enhanced_notification.yml @@ -73,4 +73,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml index 9f70961a03..cc61d98727 100644 --- a/detections/endpoint/disable_defender_mpengine_registry.yml +++ b/detections/endpoint/disable_defender_mpengine_registry.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml index 59737c29ae..0f08971d4a 100644 --- a/detections/endpoint/disable_defender_spynet_reporting.yml +++ b/detections/endpoint/disable_defender_spynet_reporting.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml index fe796df3bd..e5c909164b 100644 --- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml +++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml index cfe22cc92a..3c048355b4 100644 --- a/detections/endpoint/disable_etw_through_registry.yml +++ b/detections/endpoint/disable_etw_through_registry.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml index 929f47e34d..6c22af21ef 100644 --- a/detections/endpoint/disable_logs_using_wevtutil.yml +++ b/detections/endpoint/disable_logs_using_wevtutil.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml index 2b6549ce50..5c1fc785c2 100644 --- a/detections/endpoint/disable_registry_tool.yml +++ b/detections/endpoint/disable_registry_tool.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml index e9eb199b1b..26a070afd9 100644 --- a/detections/endpoint/disable_schedule_task.yml +++ b/detections/endpoint/disable_schedule_task.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_schtask/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml index 0393bb0b30..b68d23e365 100644 --- a/detections/endpoint/disable_security_logs_using_minint_registry.yml +++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/minint_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml index 115452823a..ecae56c55c 100644 --- a/detections/endpoint/disable_show_hidden_files.yml +++ b/detections/endpoint/disable_show_hidden_files.yml @@ -68,4 +68,4 @@ tests: sourcetype: WinEventLog - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml index 08c1308808..51627872fb 100644 --- a/detections/endpoint/disable_uac_remote_restriction.yml +++ b/detections/endpoint/disable_uac_remote_restriction.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml index e5442a24d9..7c465acd59 100644 --- a/detections/endpoint/disable_windows_app_hotkeys.yml +++ b/detections/endpoint/disable_windows_app_hotkeys.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index 83455657f9..40ec981b05 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml index 92614f3e49..d968b2a7a5 100644 --- a/detections/endpoint/disable_windows_smartscreen_protection.yml +++ b/detections/endpoint/disable_windows_smartscreen_protection.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml index 65b769780d..bcd9cc1939 100644 --- a/detections/endpoint/disabling_cmd_application.yml +++ b/detections/endpoint/disabling_cmd_application.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml index 9ccc5bcc46..63ca09d963 100644 --- a/detections/endpoint/disabling_controlpanel.yml +++ b/detections/endpoint/disabling_controlpanel.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml index 80ceceae5b..915c67771e 100644 --- a/detections/endpoint/disabling_defender_services.yml +++ b/detections/endpoint/disabling_defender_services.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disabling_firewall_with_netsh.yml b/detections/endpoint/disabling_firewall_with_netsh.yml index adaaf3d219..2c7fd87d31 100644 --- a/detections/endpoint/disabling_firewall_with_netsh.yml +++ b/detections/endpoint/disabling_firewall_with_netsh.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml index 2ff6061235..aab956a0b0 100644 --- a/detections/endpoint/disabling_folderoptions_windows_feature.yml +++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disabling_net_user_account.yml b/detections/endpoint/disabling_net_user_account.yml index 8d089e8f1d..e89bfa3208 100644 --- a/detections/endpoint/disabling_net_user_account.yml +++ b/detections/endpoint/disabling_net_user_account.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml index 79c9ae00ff..c2c382c1b4 100644 --- a/detections/endpoint/disabling_norun_windows_app.yml +++ b/detections/endpoint/disabling_norun_windows_app.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disabling_remote_user_account_control.yml b/detections/endpoint/disabling_remote_user_account_control.yml index e64bce1520..2c97bf9b97 100644 --- a/detections/endpoint/disabling_remote_user_account_control.yml +++ b/detections/endpoint/disabling_remote_user_account_control.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml index 5ca79f0aa6..8c36d09463 100644 --- a/detections/endpoint/disabling_systemrestore_in_registry.yml +++ b/detections/endpoint/disabling_systemrestore_in_registry.yml @@ -68,7 +68,7 @@ tests: sourcetype: WinEventLog - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml index d58a2f843e..f807d9524f 100644 --- a/detections/endpoint/disabling_task_manager.yml +++ b/detections/endpoint/disabling_task_manager.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml index 9003ecb849..2c593c3c15 100644 --- a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml +++ b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/disable_lsa_protection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml index e7df193853..cffc781d41 100644 --- a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml +++ b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml @@ -79,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/domain_account_discovery_with_dsquery.yml b/detections/endpoint/domain_account_discovery_with_dsquery.yml index 58207713cc..244de40085 100644 --- a/detections/endpoint/domain_account_discovery_with_dsquery.yml +++ b/detections/endpoint/domain_account_discovery_with_dsquery.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/domain_account_discovery_with_net_app.yml b/detections/endpoint/domain_account_discovery_with_net_app.yml index b06663809c..6cb2fc15dd 100644 --- a/detections/endpoint/domain_account_discovery_with_net_app.yml +++ b/detections/endpoint/domain_account_discovery_with_net_app.yml @@ -71,4 +71,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/domain_account_discovery_with_wmic.yml b/detections/endpoint/domain_account_discovery_with_wmic.yml index 787aa5c906..d617a608c7 100644 --- a/detections/endpoint/domain_account_discovery_with_wmic.yml +++ b/detections/endpoint/domain_account_discovery_with_wmic.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml index 8558fd8990..90f286ff61 100644 --- a/detections/endpoint/domain_controller_discovery_with_nltest.yml +++ b/detections/endpoint/domain_controller_discovery_with_nltest.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/domain_controller_discovery_with_wmic.yml b/detections/endpoint/domain_controller_discovery_with_wmic.yml index 8a4ae4c2a1..2434075c94 100644 --- a/detections/endpoint/domain_controller_discovery_with_wmic.yml +++ b/detections/endpoint/domain_controller_discovery_with_wmic.yml @@ -52,4 +52,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/domain_group_discovery_with_dsquery.yml b/detections/endpoint/domain_group_discovery_with_dsquery.yml index fa9766e496..608676f902 100644 --- a/detections/endpoint/domain_group_discovery_with_dsquery.yml +++ b/detections/endpoint/domain_group_discovery_with_dsquery.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/domain_group_discovery_with_net.yml b/detections/endpoint/domain_group_discovery_with_net.yml index 9dc04ce016..f80ec861dd 100644 --- a/detections/endpoint/domain_group_discovery_with_net.yml +++ b/detections/endpoint/domain_group_discovery_with_net.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/domain_group_discovery_with_wmic.yml b/detections/endpoint/domain_group_discovery_with_wmic.yml index 6043a46e3a..53cf64914d 100644 --- a/detections/endpoint/domain_group_discovery_with_wmic.yml +++ b/detections/endpoint/domain_group_discovery_with_wmic.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/download_files_using_telegram.yml b/detections/endpoint/download_files_using_telegram.yml index 7799999278..e5d848c210 100644 --- a/detections/endpoint/download_files_using_telegram.yml +++ b/detections/endpoint/download_files_using_telegram.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/minergate/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/drop_icedid_license_dat.yml b/detections/endpoint/drop_icedid_license_dat.yml index 9767f3bcb4..3594609976 100644 --- a/detections/endpoint/drop_icedid_license_dat.yml +++ b/detections/endpoint/drop_icedid_license_dat.yml @@ -45,4 +45,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/dsquery_domain_discovery.yml b/detections/endpoint/dsquery_domain_discovery.yml index 4eba33b0b5..7ee387ec15 100644 --- a/detections/endpoint/dsquery_domain_discovery.yml +++ b/detections/endpoint/dsquery_domain_discovery.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml index 34322b3007..34f0f8a62a 100644 --- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml +++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml @@ -87,4 +87,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/dump_lsass_via_procdump.yml b/detections/endpoint/dump_lsass_via_procdump.yml index c988e05912..9174934deb 100644 --- a/detections/endpoint/dump_lsass_via_procdump.yml +++ b/detections/endpoint/dump_lsass_via_procdump.yml @@ -76,7 +76,7 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log diff --git a/detections/endpoint/elevated_group_discovery_with_net.yml b/detections/endpoint/elevated_group_discovery_with_net.yml index 94d35b119f..a10b95eb4a 100644 --- a/detections/endpoint/elevated_group_discovery_with_net.yml +++ b/detections/endpoint/elevated_group_discovery_with_net.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/elevated_group_discovery_with_powerview.yml b/detections/endpoint/elevated_group_discovery_with_powerview.yml index 4045b8f9ad..2332d0361f 100644 --- a/detections/endpoint/elevated_group_discovery_with_powerview.yml +++ b/detections/endpoint/elevated_group_discovery_with_powerview.yml @@ -51,4 +51,4 @@ tests: sourcetype: xmlwineventlog - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/elevated_group_discovery_with_wmic.yml b/detections/endpoint/elevated_group_discovery_with_wmic.yml index 753b0c45b4..b345c51380 100644 --- a/detections/endpoint/elevated_group_discovery_with_wmic.yml +++ b/detections/endpoint/elevated_group_discovery_with_wmic.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml index f8fa9ed8c2..dabc246376 100644 --- a/detections/endpoint/enable_rdp_in_other_port_number.yml +++ b/detections/endpoint/enable_rdp_in_other_port_number.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml index d64bc36006..fcd064d3db 100644 --- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml +++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/esentutl_sam_copy.yml b/detections/endpoint/esentutl_sam_copy.yml index b6494efe8d..a7a8c4fc83 100644 --- a/detections/endpoint/esentutl_sam_copy.yml +++ b/detections/endpoint/esentutl_sam_copy.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml index 07be78558f..6b85211561 100644 --- a/detections/endpoint/etw_registry_disabled.yml +++ b/detections/endpoint/etw_registry_disabled.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/etw_disable/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/eventvwr_uac_bypass.yml b/detections/endpoint/eventvwr_uac_bypass.yml index 6cad3bf82c..e5f4eda443 100644 --- a/detections/endpoint/eventvwr_uac_bypass.yml +++ b/detections/endpoint/eventvwr_uac_bypass.yml @@ -78,4 +78,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/excel_spawning_powershell.yml b/detections/endpoint/excel_spawning_powershell.yml index 09034c1a69..420b344f27 100644 --- a/detections/endpoint/excel_spawning_powershell.yml +++ b/detections/endpoint/excel_spawning_powershell.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/excel_spawning_windows_script_host.yml b/detections/endpoint/excel_spawning_windows_script_host.yml index 526227673d..0ff10037f0 100644 --- a/detections/endpoint/excel_spawning_windows_script_host.yml +++ b/detections/endpoint/excel_spawning_windows_script_host.yml @@ -71,4 +71,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/excessive_attempt_to_disable_services.yml b/detections/endpoint/excessive_attempt_to_disable_services.yml index ab382b8e6a..63859d843d 100644 --- a/detections/endpoint/excessive_attempt_to_disable_services.yml +++ b/detections/endpoint/excessive_attempt_to_disable_services.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml index b0dc9d5d3c..fbc4640764 100644 --- a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml +++ b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml index cf2e2de914..a648a66879 100644 --- a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml +++ b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/excessive_service_stop_attempt.yml b/detections/endpoint/excessive_service_stop_attempt.yml index 66b3ed0898..82e9f80f32 100644 --- a/detections/endpoint/excessive_service_stop_attempt.yml +++ b/detections/endpoint/excessive_service_stop_attempt.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml index 0cb90ef55f..97708d0f5c 100644 --- a/detections/endpoint/excessive_usage_of_cacls_app.yml +++ b/detections/endpoint/excessive_usage_of_cacls_app.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/excessive_usage_of_net_app.yml b/detections/endpoint/excessive_usage_of_net_app.yml index efffc17624..eedd816c45 100644 --- a/detections/endpoint/excessive_usage_of_net_app.yml +++ b/detections/endpoint/excessive_usage_of_net_app.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/excessive_usage_of_nslookup_app.yml b/detections/endpoint/excessive_usage_of_nslookup_app.yml index b7a8fbe72d..aecc657cf3 100644 --- a/detections/endpoint/excessive_usage_of_nslookup_app.yml +++ b/detections/endpoint/excessive_usage_of_nslookup_app.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml index 609cd79d31..9516e54424 100644 --- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml +++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml index 0de1d58bce..e499bc19e9 100644 --- a/detections/endpoint/excessive_usage_of_taskkill.yml +++ b/detections/endpoint/excessive_usage_of_taskkill.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index a7b570e394..299255bf44 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -94,4 +94,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml index 89c3b7d9a9..145954e5b8 100644 --- a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml +++ b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/execution_of_file_with_multiple_extensions.yml b/detections/endpoint/execution_of_file_with_multiple_extensions.yml index 5574f34c31..e9253f110c 100644 --- a/detections/endpoint/execution_of_file_with_multiple_extensions.yml +++ b/detections/endpoint/execution_of_file_with_multiple_extensions.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/extraction_of_registry_hives.yml b/detections/endpoint/extraction_of_registry_hives.yml index 1254dd54ec..608f1d9c82 100644 --- a/detections/endpoint/extraction_of_registry_hives.yml +++ b/detections/endpoint/extraction_of_registry_hives.yml @@ -77,4 +77,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/file_with_samsam_extension.yml b/detections/endpoint/file_with_samsam_extension.yml index 24740f075c..73d61b03b8 100644 --- a/detections/endpoint/file_with_samsam_extension.yml +++ b/detections/endpoint/file_with_samsam_extension.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml index 6ff2687e3f..50ae0fef83 100644 --- a/detections/endpoint/firewall_allowed_program_enable.yml +++ b/detections/endpoint/firewall_allowed_program_enable.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml index a8ecf8d037..c571fe680a 100644 --- a/detections/endpoint/fodhelper_uac_bypass.yml +++ b/detections/endpoint/fodhelper_uac_bypass.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/fsutil_zeroing_file.yml b/detections/endpoint/fsutil_zeroing_file.yml index 79105d3614..0a03834f51 100644 --- a/detections/endpoint/fsutil_zeroing_file.yml +++ b/detections/endpoint/fsutil_zeroing_file.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml index 41436e0b0f..d84d559702 100644 --- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml +++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/get_aduser_with_powershell.yml b/detections/endpoint/get_aduser_with_powershell.yml index 82320418c7..ff0464f03f 100644 --- a/detections/endpoint/get_aduser_with_powershell.yml +++ b/detections/endpoint/get_aduser_with_powershell.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml index 8280bc5935..36dfeedd52 100644 --- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml +++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/get_domainpolicy_with_powershell.yml b/detections/endpoint/get_domainpolicy_with_powershell.yml index eee3a88cf3..19e0d25c0a 100644 --- a/detections/endpoint/get_domainpolicy_with_powershell.yml +++ b/detections/endpoint/get_domainpolicy_with_powershell.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/get_domaintrust_with_powershell.yml b/detections/endpoint/get_domaintrust_with_powershell.yml index 68d49a0d5a..84e3e88436 100644 --- a/detections/endpoint/get_domaintrust_with_powershell.yml +++ b/detections/endpoint/get_domaintrust_with_powershell.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/get_domainuser_with_powershell.yml b/detections/endpoint/get_domainuser_with_powershell.yml index 09157e6c35..d2105909cf 100644 --- a/detections/endpoint/get_domainuser_with_powershell.yml +++ b/detections/endpoint/get_domainuser_with_powershell.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/get_foresttrust_with_powershell.yml b/detections/endpoint/get_foresttrust_with_powershell.yml index 6630dcef06..58d73e1388 100644 --- a/detections/endpoint/get_foresttrust_with_powershell.yml +++ b/detections/endpoint/get_foresttrust_with_powershell.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/get_wmiobject_group_discovery.yml b/detections/endpoint/get_wmiobject_group_discovery.yml index 47d25afbcd..75d9122a7d 100644 --- a/detections/endpoint/get_wmiobject_group_discovery.yml +++ b/detections/endpoint/get_wmiobject_group_discovery.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/getadcomputer_with_powershell.yml b/detections/endpoint/getadcomputer_with_powershell.yml index 0709b3e36c..993ad0c3d2 100644 --- a/detections/endpoint/getadcomputer_with_powershell.yml +++ b/detections/endpoint/getadcomputer_with_powershell.yml @@ -52,4 +52,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/getadgroup_with_powershell.yml b/detections/endpoint/getadgroup_with_powershell.yml index 43a23bcc17..8f56508eab 100644 --- a/detections/endpoint/getadgroup_with_powershell.yml +++ b/detections/endpoint/getadgroup_with_powershell.yml @@ -54,4 +54,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/getcurrent_user_with_powershell.yml b/detections/endpoint/getcurrent_user_with_powershell.yml index ce68940054..3f68d3461d 100644 --- a/detections/endpoint/getcurrent_user_with_powershell.yml +++ b/detections/endpoint/getcurrent_user_with_powershell.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/getdomaincomputer_with_powershell.yml b/detections/endpoint/getdomaincomputer_with_powershell.yml index 64a1d96544..287f88aced 100644 --- a/detections/endpoint/getdomaincomputer_with_powershell.yml +++ b/detections/endpoint/getdomaincomputer_with_powershell.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/getdomaincontroller_with_powershell.yml b/detections/endpoint/getdomaincontroller_with_powershell.yml index 0bf984e0a3..8b2554298c 100644 --- a/detections/endpoint/getdomaincontroller_with_powershell.yml +++ b/detections/endpoint/getdomaincontroller_with_powershell.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/getdomaingroup_with_powershell.yml b/detections/endpoint/getdomaingroup_with_powershell.yml index a29fe2c2ef..afed30a78c 100644 --- a/detections/endpoint/getdomaingroup_with_powershell.yml +++ b/detections/endpoint/getdomaingroup_with_powershell.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/getlocaluser_with_powershell.yml b/detections/endpoint/getlocaluser_with_powershell.yml index 8b38153004..dc2380c016 100644 --- a/detections/endpoint/getlocaluser_with_powershell.yml +++ b/detections/endpoint/getlocaluser_with_powershell.yml @@ -43,4 +43,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/getnettcpconnection_with_powershell.yml b/detections/endpoint/getnettcpconnection_with_powershell.yml index aa2bb7d679..0877f41da1 100644 --- a/detections/endpoint/getnettcpconnection_with_powershell.yml +++ b/detections/endpoint/getnettcpconnection_with_powershell.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml index bc2cbd76f7..09c88b1d3c 100644 --- a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml index 7b57b3aca3..f38d7e7560 100644 --- a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml index ff815d99d1..bd4947ff79 100644 --- a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell.yml b/detections/endpoint/getwmiobject_user_account_with_powershell.yml index 402fefd94a..2eb1b2ce97 100644 --- a/detections/endpoint/getwmiobject_user_account_with_powershell.yml +++ b/detections/endpoint/getwmiobject_user_account_with_powershell.yml @@ -44,4 +44,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml index 38dcf715b3..70d8fbbb32 100644 --- a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml index 20e425a60e..93cf904fd1 100644 --- a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml +++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml index 2c3003632a..a13b73c119 100644 --- a/detections/endpoint/headless_browser_usage.yml +++ b/detections/endpoint/headless_browser_usage.yml @@ -54,4 +54,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml index 400a9a755f..5379e95869 100644 --- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml +++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml index 53680b5454..5e7a7876ea 100644 --- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml +++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/high_process_termination_frequency.yml b/detections/endpoint/high_process_termination_frequency.yml index d9018a2741..25e39f6f9a 100644 --- a/detections/endpoint/high_process_termination_frequency.yml +++ b/detections/endpoint/high_process_termination_frequency.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/hunting_3cxdesktopapp_software.yml b/detections/endpoint/hunting_3cxdesktopapp_software.yml index fb75fc0106..b3355429d6 100644 --- a/detections/endpoint/hunting_3cxdesktopapp_software.yml +++ b/detections/endpoint/hunting_3cxdesktopapp_software.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml index bee4629890..67313025eb 100644 --- a/detections/endpoint/icacls_deny_command.yml +++ b/detections/endpoint/icacls_deny_command.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml index 127d0b98f6..bdff1e1ac8 100644 --- a/detections/endpoint/icacls_grant_command.yml +++ b/detections/endpoint/icacls_grant_command.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml index a674ae77d6..b33ebce2ef 100644 --- a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml +++ b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml @@ -52,4 +52,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml index 010d0697a6..6ca33dbb65 100644 --- a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml @@ -82,4 +82,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml index a45a3d10e5..7f1658367c 100644 --- a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml @@ -77,4 +77,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml index 38c7f924c7..e88a71ed80 100644 --- a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml @@ -78,4 +78,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/jscript_execution_using_cscript_app.yml b/detections/endpoint/jscript_execution_using_cscript_app.yml index dc4b4c37a8..783f3f0f14 100644 --- a/detections/endpoint/jscript_execution_using_cscript_app.yml +++ b/detections/endpoint/jscript_execution_using_cscript_app.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/loading_of_dynwrapx_module.yml b/detections/endpoint/loading_of_dynwrapx_module.yml index 358a659122..6736061523 100644 --- a/detections/endpoint/loading_of_dynwrapx_module.yml +++ b/detections/endpoint/loading_of_dynwrapx_module.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/local_account_discovery_with_net.yml b/detections/endpoint/local_account_discovery_with_net.yml index 80dfef195c..cdc38d7b7a 100644 --- a/detections/endpoint/local_account_discovery_with_net.yml +++ b/detections/endpoint/local_account_discovery_with_net.yml @@ -44,4 +44,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/local_account_discovery_with_wmic.yml b/detections/endpoint/local_account_discovery_with_wmic.yml index a6e3fd90db..ee4c393af6 100644 --- a/detections/endpoint/local_account_discovery_with_wmic.yml +++ b/detections/endpoint/local_account_discovery_with_wmic.yml @@ -43,4 +43,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/logon_script_event_trigger_execution.yml b/detections/endpoint/logon_script_event_trigger_execution.yml index 175e61a6b8..701e25f73b 100644 --- a/detections/endpoint/logon_script_event_trigger_execution.yml +++ b/detections/endpoint/logon_script_event_trigger_execution.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml index 8490f5c38b..906a7d618c 100644 --- a/detections/endpoint/lolbas_with_network_traffic.yml +++ b/detections/endpoint/lolbas_with_network_traffic.yml @@ -71,5 +71,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/malicious_inprocserver32_modification.yml b/detections/endpoint/malicious_inprocserver32_modification.yml index e8cd494d7e..fc6ed44d8e 100644 --- a/detections/endpoint/malicious_inprocserver32_modification.yml +++ b/detections/endpoint/malicious_inprocserver32_modification.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml index c62dfcaf1a..51924e7bed 100644 --- a/detections/endpoint/malicious_powershell_process___encoded_command.yml +++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index b176d1452b..3d1e44da05 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml index e5f91292fa..6bee959739 100644 --- a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml +++ b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/obfuscated_powershell/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml index d37da92210..af191df396 100644 --- a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml +++ b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/mimikatz/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml index 11b164e8ff..af7e827a94 100644 --- a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/modification_of_wallpaper.yml b/detections/endpoint/modification_of_wallpaper.yml index 656209104f..ebda5ffc24 100644 --- a/detections/endpoint/modification_of_wallpaper.yml +++ b/detections/endpoint/modification_of_wallpaper.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml index a45a6ba3fb..a5975e2eca 100644 --- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml +++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml index 690aa52a0f..8725f6bb90 100644 --- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml +++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml index 988ef2b1a8..2613e31e94 100644 --- a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml index 7bfc8d9d7e..f39cbddc4f 100644 --- a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml index d3b9ae8123..e06f17dc5a 100644 --- a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml +++ b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml index aa365f9a6c..ba604e8ef1 100644 --- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml +++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/mshtml_module_load_in_office_product.yml b/detections/endpoint/mshtml_module_load_in_office_product.yml index cbd77b91a6..cc87f1f8cf 100644 --- a/detections/endpoint/mshtml_module_load_in_office_product.yml +++ b/detections/endpoint/mshtml_module_load_in_office_product.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_mshtml.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml index 52feeee8f6..4a125293bb 100644 --- a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml +++ b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/msmpeng_application_dll_side_loading.yml b/detections/endpoint/msmpeng_application_dll_side_loading.yml index c1b1c4763c..af9be75d9b 100644 --- a/detections/endpoint/msmpeng_application_dll_side_loading.yml +++ b/detections/endpoint/msmpeng_application_dll_side_loading.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets//malware/revil/msmpeng_side/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/net_localgroup_discovery.yml b/detections/endpoint/net_localgroup_discovery.yml index 495f910b19..aed94de65f 100644 --- a/detections/endpoint/net_localgroup_discovery.yml +++ b/detections/endpoint/net_localgroup_discovery.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/net_profiler_uac_bypass.yml b/detections/endpoint/net_profiler_uac_bypass.yml index 36dbf34cd1..bb40af4bbe 100644 --- a/detections/endpoint/net_profiler_uac_bypass.yml +++ b/detections/endpoint/net_profiler_uac_bypass.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/network_connection_discovery_with_arp.yml b/detections/endpoint/network_connection_discovery_with_arp.yml index 3a698a0968..a28c353975 100644 --- a/detections/endpoint/network_connection_discovery_with_arp.yml +++ b/detections/endpoint/network_connection_discovery_with_arp.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/network_connection_discovery_with_net.yml b/detections/endpoint/network_connection_discovery_with_net.yml index f4637e4b4c..032b7f8774 100644 --- a/detections/endpoint/network_connection_discovery_with_net.yml +++ b/detections/endpoint/network_connection_discovery_with_net.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/network_connection_discovery_with_netstat.yml b/detections/endpoint/network_connection_discovery_with_netstat.yml index 6fb53975b9..c51adf9ee1 100644 --- a/detections/endpoint/network_connection_discovery_with_netstat.yml +++ b/detections/endpoint/network_connection_discovery_with_netstat.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/network_discovery_using_route_windows_app.yml b/detections/endpoint/network_discovery_using_route_windows_app.yml index e74a3d4e74..1aec0021e9 100644 --- a/detections/endpoint/network_discovery_using_route_windows_app.yml +++ b/detections/endpoint/network_discovery_using_route_windows_app.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml index ecfce144ff..b22bd5ee4c 100644 --- a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml +++ b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/nishang_powershelltcponeline.yml b/detections/endpoint/nishang_powershelltcponeline.yml index ea3ccfb711..4c87b3b56b 100644 --- a/detections/endpoint/nishang_powershelltcponeline.yml +++ b/detections/endpoint/nishang_powershelltcponeline.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/nltest_domain_trust_discovery.yml b/detections/endpoint/nltest_domain_trust_discovery.yml index 523af7443f..e05ca659f9 100644 --- a/detections/endpoint/nltest_domain_trust_discovery.yml +++ b/detections/endpoint/nltest_domain_trust_discovery.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/notepad_with_no_command_line_arguments.yml b/detections/endpoint/notepad_with_no_command_line_arguments.yml index d63ce534dc..1046829637 100644 --- a/detections/endpoint/notepad_with_no_command_line_arguments.yml +++ b/detections/endpoint/notepad_with_no_command_line_arguments.yml @@ -71,4 +71,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/notepad_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/ntdsutil_export_ntds.yml b/detections/endpoint/ntdsutil_export_ntds.yml index fc65c5c99d..41fd0e7e4a 100644 --- a/detections/endpoint/ntdsutil_export_ntds.yml +++ b/detections/endpoint/ntdsutil_export_ntds.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_application_drop_executable.yml b/detections/endpoint/office_application_drop_executable.yml index 2ec756dcdb..91c9678ba4 100644 --- a/detections/endpoint/office_application_drop_executable.yml +++ b/detections/endpoint/office_application_drop_executable.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_application_spawn_regsvr32_process.yml b/detections/endpoint/office_application_spawn_regsvr32_process.yml index 2999d0101d..7b9012a7f8 100644 --- a/detections/endpoint/office_application_spawn_regsvr32_process.yml +++ b/detections/endpoint/office_application_spawn_regsvr32_process.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/phish_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_application_spawn_rundll32_process.yml b/detections/endpoint/office_application_spawn_rundll32_process.yml index 882738f42d..f995d35657 100644 --- a/detections/endpoint/office_application_spawn_rundll32_process.yml +++ b/detections/endpoint/office_application_spawn_rundll32_process.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_document_creating_schedule_task.yml b/detections/endpoint/office_document_creating_schedule_task.yml index 192be8219e..e32eddb088 100644 --- a/detections/endpoint/office_document_creating_schedule_task.yml +++ b/detections/endpoint/office_document_creating_schedule_task.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_document_executing_macro_code.yml b/detections/endpoint/office_document_executing_macro_code.yml index aa1813ff52..5af847755f 100644 --- a/detections/endpoint/office_document_executing_macro_code.yml +++ b/detections/endpoint/office_document_executing_macro_code.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_document_spawned_child_process_to_download.yml b/detections/endpoint/office_document_spawned_child_process_to_download.yml index 3c236c26af..ff6f63f85e 100644 --- a/detections/endpoint/office_document_spawned_child_process_to_download.yml +++ b/detections/endpoint/office_document_spawned_child_process_to_download.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml index ab6a93a70a..9f345f47d0 100644 --- a/detections/endpoint/office_product_spawn_cmd_process.yml +++ b/detections/endpoint/office_product_spawn_cmd_process.yml @@ -80,4 +80,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_product_spawning_bitsadmin.yml b/detections/endpoint/office_product_spawning_bitsadmin.yml index 28321613dd..eb224ff6ee 100644 --- a/detections/endpoint/office_product_spawning_bitsadmin.yml +++ b/detections/endpoint/office_product_spawning_bitsadmin.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_product_spawning_certutil.yml b/detections/endpoint/office_product_spawning_certutil.yml index 4e0ef4b5e5..be4f2d627a 100644 --- a/detections/endpoint/office_product_spawning_certutil.yml +++ b/detections/endpoint/office_product_spawning_certutil.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_product_spawning_mshta.yml b/detections/endpoint/office_product_spawning_mshta.yml index 1957a45e42..ab6fddbc71 100644 --- a/detections/endpoint/office_product_spawning_mshta.yml +++ b/detections/endpoint/office_product_spawning_mshta.yml @@ -71,4 +71,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml index 364f77cf22..7326f324ec 100644 --- a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml +++ b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_icedid.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_product_spawning_windows_script_host.yml b/detections/endpoint/office_product_spawning_windows_script_host.yml index 5d86a8d0a1..068be8762a 100644 --- a/detections/endpoint/office_product_spawning_windows_script_host.yml +++ b/detections/endpoint/office_product_spawning_windows_script_host.yml @@ -75,5 +75,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/office_product_spawning_wmic.yml b/detections/endpoint/office_product_spawning_wmic.yml index d92d17ab18..0fd28dad8b 100644 --- a/detections/endpoint/office_product_spawning_wmic.yml +++ b/detections/endpoint/office_product_spawning_wmic.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_product_writing_cab_or_inf.yml b/detections/endpoint/office_product_writing_cab_or_inf.yml index 8b0c361d95..613ad76c7c 100644 --- a/detections/endpoint/office_product_writing_cab_or_inf.yml +++ b/detections/endpoint/office_product_writing_cab_or_inf.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_cabinf.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/office_spawning_control.yml b/detections/endpoint/office_spawning_control.yml index dd5cd336d4..91c6381bb1 100644 --- a/detections/endpoint/office_spawning_control.yml +++ b/detections/endpoint/office_spawning_control.yml @@ -79,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_control.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml index e30c443d3a..2035678e67 100644 --- a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml +++ b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/overwriting_accessibility_binaries.yml b/detections/endpoint/overwriting_accessibility_binaries.yml index aa57c7e002..0b9b83cf52 100644 --- a/detections/endpoint/overwriting_accessibility_binaries.yml +++ b/detections/endpoint/overwriting_accessibility_binaries.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/password_policy_discovery_with_net.yml b/detections/endpoint/password_policy_discovery_with_net.yml index ee7db9cc02..6dcb35f64d 100644 --- a/detections/endpoint/password_policy_discovery_with_net.yml +++ b/detections/endpoint/password_policy_discovery_with_net.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/permission_modification_using_takeown_app.yml b/detections/endpoint/permission_modification_using_takeown_app.yml index d1d6f3b3a3..646486edcf 100644 --- a/detections/endpoint/permission_modification_using_takeown_app.yml +++ b/detections/endpoint/permission_modification_using_takeown_app.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml index 2196b95beb..bcd84eb329 100644 --- a/detections/endpoint/ping_sleep_batch_command.yml +++ b/detections/endpoint/ping_sleep_batch_command.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/possible_browser_pass_view_parameter.yml b/detections/endpoint/possible_browser_pass_view_parameter.yml index 6a5a7d02eb..111528165f 100644 --- a/detections/endpoint/possible_browser_pass_view_parameter.yml +++ b/detections/endpoint/possible_browser_pass_view_parameter.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index 17658c4af8..903fdf8f48 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -78,4 +78,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/potentially_malicious_code_on_commandline.yml b/detections/endpoint/potentially_malicious_code_on_commandline.yml index 4a5fc719a2..b650d0e772 100644 --- a/detections/endpoint/potentially_malicious_code_on_commandline.yml +++ b/detections/endpoint/potentially_malicious_code_on_commandline.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml index 60634905c0..fcf3eedbc4 100644 --- a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml +++ b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml index a300d30223..4d80c31c20 100644 --- a/detections/endpoint/powershell_disable_security_monitoring.yml +++ b/detections/endpoint/powershell_disable_security_monitoring.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/powershell_get_localgroup_discovery.yml b/detections/endpoint/powershell_get_localgroup_discovery.yml index 05fe846d76..8a981a52b3 100644 --- a/detections/endpoint/powershell_get_localgroup_discovery.yml +++ b/detections/endpoint/powershell_get_localgroup_discovery.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml index 73a2f148d0..50e91df033 100644 --- a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml +++ b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/powershell_start_bitstransfer.yml b/detections/endpoint/powershell_start_bitstransfer.yml index b97e51d061..0a1c6983ca 100644 --- a/detections/endpoint/powershell_start_bitstransfer.yml +++ b/detections/endpoint/powershell_start_bitstransfer.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml index e3f32be78b..c0a71213a5 100644 --- a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml +++ b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml index a92f38c750..74f0ebbcda 100644 --- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml +++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/process_deleting_its_process_file_path.yml b/detections/endpoint/process_deleting_its_process_file_path.yml index c558eea80a..2971687ccc 100644 --- a/detections/endpoint/process_deleting_its_process_file_path.yml +++ b/detections/endpoint/process_deleting_its_process_file_path.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/process_execution_via_wmi.yml b/detections/endpoint/process_execution_via_wmi.yml index c4e6e69d12..dc4506e5d8 100644 --- a/detections/endpoint/process_execution_via_wmi.yml +++ b/detections/endpoint/process_execution_via_wmi.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/process_kill_base_on_file_path.yml b/detections/endpoint/process_kill_base_on_file_path.yml index 95353e08e2..6fbaa82ef3 100644 --- a/detections/endpoint/process_kill_base_on_file_path.yml +++ b/detections/endpoint/process_kill_base_on_file_path.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/process_writing_dynamicwrapperx.yml b/detections/endpoint/process_writing_dynamicwrapperx.yml index cbbc2efa2c..5bb8d42b2a 100644 --- a/detections/endpoint/process_writing_dynamicwrapperx.yml +++ b/detections/endpoint/process_writing_dynamicwrapperx.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/processes_launching_netsh.yml b/detections/endpoint/processes_launching_netsh.yml index 112b405b55..f892cd6654 100644 --- a/detections/endpoint/processes_launching_netsh.yml +++ b/detections/endpoint/processes_launching_netsh.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/ransomware_notes_bulk_creation.yml b/detections/endpoint/ransomware_notes_bulk_creation.yml index 0b70a6b0b5..b773a423cb 100644 --- a/detections/endpoint/ransomware_notes_bulk_creation.yml +++ b/detections/endpoint/ransomware_notes_bulk_creation.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml index 8952a38ecb..963087fb21 100644 --- a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml +++ b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml index 9350f9d234..42612433ca 100644 --- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml +++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml index 0056b1b9f5..ae6341c649 100644 --- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml +++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 69a5ecd970..8cf05c1436 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -82,4 +82,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml index 55221706f7..77b3badcd3 100644 --- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml +++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml index 57d92f765d..4787018b48 100644 --- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml +++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml @@ -81,4 +81,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml index 9cd05c803f..5358821c65 100644 --- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml +++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml @@ -81,4 +81,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/remcos_client_registry_install_entry.yml b/detections/endpoint/remcos_client_registry_install_entry.yml index d1b295fb0b..eb59e83868 100644 --- a/detections/endpoint/remcos_client_registry_install_entry.yml +++ b/detections/endpoint/remcos_client_registry_install_entry.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml index c716bd1ab2..5c3a568cbf 100644 --- a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml +++ b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml @@ -54,4 +54,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml index d1ac027894..d51549e0cb 100644 --- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml index bd63fa4598..34b6ff3897 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml index 328a38a745..279e78dc52 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/remote_process_instantiation_via_wmi.yml b/detections/endpoint/remote_process_instantiation_via_wmi.yml index 531c6b55c2..573a77e839 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml index 1dc6f57353..d932a6c03d 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/remote_system_discovery_with_dsquery.yml b/detections/endpoint/remote_system_discovery_with_dsquery.yml index fd2bd3832c..0f937f648b 100644 --- a/detections/endpoint/remote_system_discovery_with_dsquery.yml +++ b/detections/endpoint/remote_system_discovery_with_dsquery.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/remote_system_discovery_with_net.yml b/detections/endpoint/remote_system_discovery_with_net.yml index 4a0370e951..46ea7f834e 100644 --- a/detections/endpoint/remote_system_discovery_with_net.yml +++ b/detections/endpoint/remote_system_discovery_with_net.yml @@ -54,4 +54,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/remote_system_discovery_with_wmic.yml b/detections/endpoint/remote_system_discovery_with_wmic.yml index 7678004cbd..5445f99d4f 100644 --- a/detections/endpoint/remote_system_discovery_with_wmic.yml +++ b/detections/endpoint/remote_system_discovery_with_wmic.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/remote_wmi_command_attempt.yml b/detections/endpoint/remote_wmi_command_attempt.yml index 5b53da8d9b..7f00ea6498 100644 --- a/detections/endpoint/remote_wmi_command_attempt.yml +++ b/detections/endpoint/remote_wmi_command_attempt.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/resize_shadowstorage_volume.yml b/detections/endpoint/resize_shadowstorage_volume.yml index 5a20472e2c..e98ff9262e 100644 --- a/detections/endpoint/resize_shadowstorage_volume.yml +++ b/detections/endpoint/resize_shadowstorage_volume.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/revil_common_exec_parameter.yml b/detections/endpoint/revil_common_exec_parameter.yml index 24718860a8..5b054eae31 100644 --- a/detections/endpoint/revil_common_exec_parameter.yml +++ b/detections/endpoint/revil_common_exec_parameter.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/revil_registry_entry.yml b/detections/endpoint/revil_registry_entry.yml index dee2de3271..3d4369ef71 100644 --- a/detections/endpoint/revil_registry_entry.yml +++ b/detections/endpoint/revil_registry_entry.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/rubeus_command_line_parameters.yml b/detections/endpoint/rubeus_command_line_parameters.yml index fb8429edb0..1e20d98b72 100644 --- a/detections/endpoint/rubeus_command_line_parameters.yml +++ b/detections/endpoint/rubeus_command_line_parameters.yml @@ -77,4 +77,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml index 14ef443792..f0ff3ecda4 100644 --- a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml +++ b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/runas_execution_in_commandline.yml b/detections/endpoint/runas_execution_in_commandline.yml index d8459f2780..c40721a24f 100644 --- a/detections/endpoint/runas_execution_in_commandline.yml +++ b/detections/endpoint/runas_execution_in_commandline.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/rundll32_control_rundll_hunt.yml b/detections/endpoint/rundll32_control_rundll_hunt.yml index 5bea3eb21e..ec31fc12b6 100644 --- a/detections/endpoint/rundll32_control_rundll_hunt.yml +++ b/detections/endpoint/rundll32_control_rundll_hunt.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml index b6f36085a1..c21474c62f 100644 --- a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml +++ b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml @@ -83,4 +83,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml index ad4ebdb94f..b88cf1f7c8 100644 --- a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml +++ b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/rundll32_createremotethread_in_browser.yml b/detections/endpoint/rundll32_createremotethread_in_browser.yml index a875e57d85..f75c6ae114 100644 --- a/detections/endpoint/rundll32_createremotethread_in_browser.yml +++ b/detections/endpoint/rundll32_createremotethread_in_browser.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/rundll32_dnsquery.yml b/detections/endpoint/rundll32_dnsquery.yml index 6f95860d9b..df9ffc2636 100644 --- a/detections/endpoint/rundll32_dnsquery.yml +++ b/detections/endpoint/rundll32_dnsquery.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/rundll32_lockworkstation.yml b/detections/endpoint/rundll32_lockworkstation.yml index e2423a8179..fd5e280de7 100644 --- a/detections/endpoint/rundll32_lockworkstation.yml +++ b/detections/endpoint/rundll32_lockworkstation.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml index d5ec57090b..6dcca74d40 100644 --- a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml +++ b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/rundll32_shimcache_flush.yml b/detections/endpoint/rundll32_shimcache_flush.yml index 6baad9987a..8783cc89b5 100644 --- a/detections/endpoint/rundll32_shimcache_flush.yml +++ b/detections/endpoint/rundll32_shimcache_flush.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/shimcache_flush/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml index 820ae0f7cf..4b0b9a0cf4 100644 --- a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/rundll_loading_dll_by_ordinal.yml b/detections/endpoint/rundll_loading_dll_by_ordinal.yml index 2a4500700d..71ef68c13f 100644 --- a/detections/endpoint/rundll_loading_dll_by_ordinal.yml +++ b/detections/endpoint/rundll_loading_dll_by_ordinal.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/ryuk_test_files_detected.yml b/detections/endpoint/ryuk_test_files_detected.yml index 70be8a8a3a..53728619be 100644 --- a/detections/endpoint/ryuk_test_files_detected.yml +++ b/detections/endpoint/ryuk_test_files_detected.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ryuk/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml index 0f3c1cc637..d337a5bb7e 100644 --- a/detections/endpoint/ryuk_wake_on_lan_command.yml +++ b/detections/endpoint/ryuk_wake_on_lan_command.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ryuk/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/samsam_test_file_write.yml b/detections/endpoint/samsam_test_file_write.yml index 94555cc112..259bd9d49f 100644 --- a/detections/endpoint/samsam_test_file_write.yml +++ b/detections/endpoint/samsam_test_file_write.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/endpoint/sc_exe_manipulating_windows_services.yml index 9a822462fe..5b2f0062a1 100644 --- a/detections/endpoint/sc_exe_manipulating_windows_services.yml +++ b/detections/endpoint/sc_exe_manipulating_windows_services.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml index 3cdb058f4c..805a94453a 100644 --- a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml +++ b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml index eb699569bc..a621f67fe2 100644 --- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml +++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index 745b9c6de1..b783694f51 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -86,4 +86,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml index c65cb62562..349287071d 100644 --- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml index 888e79c42c..38033b33d1 100644 --- a/detections/endpoint/schtasks_run_task_on_demand.yml +++ b/detections/endpoint/schtasks_run_task_on_demand.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml index 47ab8fc62f..64931d7bb5 100644 --- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml +++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml index 39ca99671a..5dd7434354 100644 --- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml +++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/screensaver_event_trigger_execution.yml b/detections/endpoint/screensaver_event_trigger_execution.yml index 4d5ce36a7c..d518349201 100644 --- a/detections/endpoint/screensaver_event_trigger_execution.yml +++ b/detections/endpoint/screensaver_event_trigger_execution.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/script_execution_via_wmi.yml b/detections/endpoint/script_execution_via_wmi.yml index c424461676..cb68053fc6 100644 --- a/detections/endpoint/script_execution_via_wmi.yml +++ b/detections/endpoint/script_execution_via_wmi.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/sdclt_uac_bypass.yml b/detections/endpoint/sdclt_uac_bypass.yml index 81a0297a91..c71470531d 100644 --- a/detections/endpoint/sdclt_uac_bypass.yml +++ b/detections/endpoint/sdclt_uac_bypass.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/sdelete_application_execution.yml b/detections/endpoint/sdelete_application_execution.yml index b29026f448..b8c98ce6d2 100644 --- a/detections/endpoint/sdelete_application_execution.yml +++ b/detections/endpoint/sdelete_application_execution.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml index aba78e4139..7b1b92d57c 100644 --- a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml +++ b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml index 56ebe07973..58e1ef4977 100644 --- a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml +++ b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml index 4cffa16ce6..d8b2e41ffa 100644 --- a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml +++ b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml @@ -84,4 +84,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon_setspn.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/services_escalate_exe.yml b/detections/endpoint/services_escalate_exe.yml index 536e2628e4..315d9550c5 100644 --- a/detections/endpoint/services_escalate_exe.yml +++ b/detections/endpoint/services_escalate_exe.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/services_lolbas_execution_process_spawn.yml b/detections/endpoint/services_lolbas_execution_process_spawn.yml index f406f3302b..cd332b38ec 100644 --- a/detections/endpoint/services_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/services_lolbas_execution_process_spawn.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml index a17b13b7df..30573b30d6 100644 --- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml +++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml @@ -77,4 +77,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/shim_database_file_creation.yml b/detections/endpoint/shim_database_file_creation.yml index 1c467680e9..009f479d30 100644 --- a/detections/endpoint/shim_database_file_creation.yml +++ b/detections/endpoint/shim_database_file_creation.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml index 985144d2bd..dcebed763b 100644 --- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml +++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/silentcleanup_uac_bypass.yml b/detections/endpoint/silentcleanup_uac_bypass.yml index d58a0b9776..c7032b1bf4 100644 --- a/detections/endpoint/silentcleanup_uac_bypass.yml +++ b/detections/endpoint/silentcleanup_uac_bypass.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/single_letter_process_on_endpoint.yml b/detections/endpoint/single_letter_process_on_endpoint.yml index 780a4fae48..b0e951a362 100644 --- a/detections/endpoint/single_letter_process_on_endpoint.yml +++ b/detections/endpoint/single_letter_process_on_endpoint.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml index f39e96c958..beb32563ac 100644 --- a/detections/endpoint/slui_runas_elevated.yml +++ b/detections/endpoint/slui_runas_elevated.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml index 55c1b67c27..955d2c175b 100644 --- a/detections/endpoint/slui_spawning_a_process.yml +++ b/detections/endpoint/slui_spawning_a_process.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/spoolsv_spawning_rundll32.yml b/detections/endpoint/spoolsv_spawning_rundll32.yml index b72bc01c9c..3f551c2fc9 100644 --- a/detections/endpoint/spoolsv_spawning_rundll32.yml +++ b/detections/endpoint/spoolsv_spawning_rundll32.yml @@ -71,4 +71,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml index 996aef7d4c..6ae55358eb 100644 --- a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml +++ b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/spoolsv_suspicious_process_access.yml b/detections/endpoint/spoolsv_suspicious_process_access.yml index b3ade394c1..8acafff3be 100644 --- a/detections/endpoint/spoolsv_suspicious_process_access.yml +++ b/detections/endpoint/spoolsv_suspicious_process_access.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/spoolsv_writing_a_dll.yml b/detections/endpoint/spoolsv_writing_a_dll.yml index ea892a81f0..93df5a06cd 100644 --- a/detections/endpoint/spoolsv_writing_a_dll.yml +++ b/detections/endpoint/spoolsv_writing_a_dll.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml index 27bade6322..7a656a56b1 100644 --- a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml +++ b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/sqlite_module_in_temp_folder.yml b/detections/endpoint/sqlite_module_in_temp_folder.yml index ae93356e72..3457d90e00 100644 --- a/detections/endpoint/sqlite_module_in_temp_folder.yml +++ b/detections/endpoint/sqlite_module_in_temp_folder.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml index 41696465f4..3da6abee3b 100644 --- a/detections/endpoint/suspicious_copy_on_system32.yml +++ b/detections/endpoint/suspicious_copy_on_system32.yml @@ -73,4 +73,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml index 6bfd3a3bc5..8c17115c8f 100644 --- a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_driver_loaded_path.yml b/detections/endpoint/suspicious_driver_loaded_path.yml index 67b8694b9a..5e7491a67f 100644 --- a/detections/endpoint/suspicious_driver_loaded_path.yml +++ b/detections/endpoint/suspicious_driver_loaded_path.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml index ce5a0bcd3a..0ee2bf5156 100644 --- a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml index b2b25965c3..9311946a25 100644 --- a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml +++ b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml index ac4cf766f8..8e706575f4 100644 --- a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml index c2e856034a..9753b97c03 100644 --- a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml +++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml index 5bbac14901..3817bb1bd0 100644 --- a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml +++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_msbuild_path.yml b/detections/endpoint/suspicious_msbuild_path.yml index 00e97a7d27..3876d743b8 100644 --- a/detections/endpoint/suspicious_msbuild_path.yml +++ b/detections/endpoint/suspicious_msbuild_path.yml @@ -75,5 +75,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/suspicious_msbuild_rename.yml b/detections/endpoint/suspicious_msbuild_rename.yml index 4266d65578..49ac395fb4 100644 --- a/detections/endpoint/suspicious_msbuild_rename.yml +++ b/detections/endpoint/suspicious_msbuild_rename.yml @@ -67,5 +67,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/suspicious_msbuild_spawn.yml b/detections/endpoint/suspicious_msbuild_spawn.yml index c78f7366c5..c0993f7983 100644 --- a/detections/endpoint/suspicious_msbuild_spawn.yml +++ b/detections/endpoint/suspicious_msbuild_spawn.yml @@ -69,5 +69,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml index 61f61ed6c4..d95c567a84 100644 --- a/detections/endpoint/suspicious_mshta_child_process.yml +++ b/detections/endpoint/suspicious_mshta_child_process.yml @@ -68,5 +68,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/suspicious_mshta_spawn.yml b/detections/endpoint/suspicious_mshta_spawn.yml index b0aa56d27a..b5ddcbebee 100644 --- a/detections/endpoint/suspicious_mshta_spawn.yml +++ b/detections/endpoint/suspicious_mshta_spawn.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml index 3ed272729f..13826431bb 100644 --- a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_pastebin_download/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_process_executed_from_container_file.yml b/detections/endpoint/suspicious_process_executed_from_container_file.yml index cd062ee8a4..7f33ccd2f0 100644 --- a/detections/endpoint/suspicious_process_executed_from_container_file.yml +++ b/detections/endpoint/suspicious_process_executed_from_container_file.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml index 6dd1b7cdf0..d24a46bb78 100644 --- a/detections/endpoint/suspicious_process_file_path.yml +++ b/detections/endpoint/suspicious_process_file_path.yml @@ -98,4 +98,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_process_with_discord_dns_query.yml b/detections/endpoint/suspicious_process_with_discord_dns_query.yml index a84295c241..389c9d0187 100644 --- a/detections/endpoint/suspicious_process_with_discord_dns_query.yml +++ b/detections/endpoint/suspicious_process_with_discord_dns_query.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_reg_exe_process.yml b/detections/endpoint/suspicious_reg_exe_process.yml index 8896ff6c18..24bc8b0700 100644 --- a/detections/endpoint/suspicious_reg_exe_process.yml +++ b/detections/endpoint/suspicious_reg_exe_process.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml index 761341a9fe..0612f30c7a 100644 --- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml +++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml @@ -82,4 +82,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml index bdc96d88d3..79b54a9bd5 100644 --- a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml +++ b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml @@ -83,4 +83,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml index 4e20ffac7f..ff8c5cf35d 100644 --- a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_rundll32_plugininit.yml b/detections/endpoint/suspicious_rundll32_plugininit.yml index 80f12c6f0b..b5f7cd8d73 100644 --- a/detections/endpoint/suspicious_rundll32_plugininit.yml +++ b/detections/endpoint/suspicious_rundll32_plugininit.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml index 8dbb686b56..ab9ef5a9d4 100644 --- a/detections/endpoint/suspicious_rundll32_startw.yml +++ b/detections/endpoint/suspicious_rundll32_startw.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index e39a3b9b00..6f9d6d6a0e 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -73,4 +73,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml index 95532cc1ad..fa40277e06 100644 --- a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml index ef8c54d576..dc09d13ea5 100644 --- a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon_wav.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_wevtutil_usage.yml b/detections/endpoint/suspicious_wevtutil_usage.yml index 2aa3d2e0a7..741cc73179 100644 --- a/detections/endpoint/suspicious_wevtutil_usage.yml +++ b/detections/endpoint/suspicious_wevtutil_usage.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/wevtutil_clear_log.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml index 68240472f8..04596763f4 100644 --- a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml +++ b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml index 3c95640e63..d0c8e3b1f9 100644 --- a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml +++ b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index 4564981fd2..5b2191315e 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml index dcfd6a9f86..d001f4547c 100644 --- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml +++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/system_user_discovery_with_query.yml b/detections/endpoint/system_user_discovery_with_query.yml index eb0e65adc9..68f8389cfa 100644 --- a/detections/endpoint/system_user_discovery_with_query.yml +++ b/detections/endpoint/system_user_discovery_with_query.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml index bb1d31cf1e..22d89f026b 100644 --- a/detections/endpoint/system_user_discovery_with_whoami.yml +++ b/detections/endpoint/system_user_discovery_with_whoami.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml index f04837d216..6af99b7ddf 100644 --- a/detections/endpoint/time_provider_persistence_registry.yml +++ b/detections/endpoint/time_provider_persistence_registry.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/trickbot_named_pipe.yml b/detections/endpoint/trickbot_named_pipe.yml index 0b99c4b0a8..da682850bb 100644 --- a/detections/endpoint/trickbot_named_pipe.yml +++ b/detections/endpoint/trickbot_named_pipe.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/namedpipe/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml index c214cac061..cc4e9e73ae 100644 --- a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml +++ b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/uac_bypass_with_colorui_com_object.yml b/detections/endpoint/uac_bypass_with_colorui_com_object.yml index ba04bc7c48..dc362a11c8 100644 --- a/detections/endpoint/uac_bypass_with_colorui_com_object.yml +++ b/detections/endpoint/uac_bypass_with_colorui_com_object.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/uninstall_app_using_msiexec.yml b/detections/endpoint/uninstall_app_using_msiexec.yml index 92c97108a3..2db0dbcd8f 100644 --- a/detections/endpoint/uninstall_app_using_msiexec.yml +++ b/detections/endpoint/uninstall_app_using_msiexec.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml index c0959df676..f14496cb13 100644 --- a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml +++ b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml @@ -63,4 +63,4 @@ tests: sourcetype: WinEventLog - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/unload_sysmon_filter_driver.yml b/detections/endpoint/unload_sysmon_filter_driver.yml index b453db7779..dda9af360f 100644 --- a/detections/endpoint/unload_sysmon_filter_driver.yml +++ b/detections/endpoint/unload_sysmon_filter_driver.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/unload_sysmon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell.yml b/detections/endpoint/user_discovery_with_env_vars_powershell.yml index ee9bb7977a..a6932bcb21 100644 --- a/detections/endpoint/user_discovery_with_env_vars_powershell.yml +++ b/detections/endpoint/user_discovery_with_env_vars_powershell.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/usn_journal_deletion.yml b/detections/endpoint/usn_journal_deletion.yml index a3cee3e80a..abeb81c67d 100644 --- a/detections/endpoint/usn_journal_deletion.yml +++ b/detections/endpoint/usn_journal_deletion.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/vbscript_execution_using_wscript_app.yml b/detections/endpoint/vbscript_execution_using_wscript_app.yml index 2cedd04375..e6f772180f 100644 --- a/detections/endpoint/vbscript_execution_using_wscript_app.yml +++ b/detections/endpoint/vbscript_execution_using_wscript_app.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/verclsid_clsid_execution.yml b/detections/endpoint/verclsid_clsid_execution.yml index 8214dd95e1..e1f3d6765c 100644 --- a/detections/endpoint/verclsid_clsid_execution.yml +++ b/detections/endpoint/verclsid_clsid_execution.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/w3wp_spawning_shell.yml b/detections/endpoint/w3wp_spawning_shell.yml index 58537bedab..98323cb4b5 100644 --- a/detections/endpoint/w3wp_spawning_shell.yml +++ b/detections/endpoint/w3wp_spawning_shell.yml @@ -79,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wbadmin_delete_system_backups.yml b/detections/endpoint/wbadmin_delete_system_backups.yml index 711f67ee0f..eaeee848af 100644 --- a/detections/endpoint/wbadmin_delete_system_backups.yml +++ b/detections/endpoint/wbadmin_delete_system_backups.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wbemprox_com_object_execution.yml b/detections/endpoint/wbemprox_com_object_execution.yml index 1c0f20aa16..9be9d140f5 100644 --- a/detections/endpoint/wbemprox_com_object_execution.yml +++ b/detections/endpoint/wbemprox_com_object_execution.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml index be38120750..f5695b98a7 100644 --- a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml +++ b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wermgr_process_create_executable_file.yml b/detections/endpoint/wermgr_process_create_executable_file.yml index a2e112a1cc..cd77810fe6 100644 --- a/detections/endpoint/wermgr_process_create_executable_file.yml +++ b/detections/endpoint/wermgr_process_create_executable_file.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml index 643944fe5e..56ad7d5b39 100644 --- a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml +++ b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_abused_web_services.yml b/detections/endpoint/windows_abused_web_services.yml index 3e031ce9c4..bfe6d92b3c 100644 --- a/detections/endpoint/windows_abused_web_services.yml +++ b/detections/endpoint/windows_abused_web_services.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1102/njrat_ngrok_connection/ngrok.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml index 58b172de9b..e0d90c7bf2 100644 --- a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml +++ b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml @@ -56,5 +56,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml index 3b2e1e6897..ef13c5a78f 100644 --- a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml +++ b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml @@ -65,5 +65,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_ad_dsrm_account_changes.yml b/detections/endpoint/windows_ad_dsrm_account_changes.yml index a72f5e68a8..57b62ded52 100644 --- a/detections/endpoint/windows_ad_dsrm_account_changes.yml +++ b/detections/endpoint/windows_ad_dsrm_account_changes.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml index 77872b400e..968d142b2d 100644 --- a/detections/endpoint/windows_adfind_exe.yml +++ b/detections/endpoint/windows_adfind_exe.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_admin_permission_discovery.yml b/detections/endpoint/windows_admin_permission_discovery.yml index 27fec4c315..09fbac82a2 100644 --- a/detections/endpoint/windows_admin_permission_discovery.yml +++ b/detections/endpoint/windows_admin_permission_discovery.yml @@ -61,5 +61,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/njrat_admin_check/win_dat.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_apache_benchmark_binary.yml b/detections/endpoint/windows_apache_benchmark_binary.yml index 3087896da9..ac189d6b35 100644 --- a/detections/endpoint/windows_apache_benchmark_binary.yml +++ b/detections/endpoint/windows_apache_benchmark_binary.yml @@ -74,5 +74,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/apachebench_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml index db73d7f0c0..039b618576 100644 --- a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml +++ b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml @@ -60,5 +60,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml index 643ba7c867..6fcaf7da8a 100644 --- a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml +++ b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml @@ -59,5 +59,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml index 0453680bac..364c422175 100644 --- a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml +++ b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml @@ -57,5 +57,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml index d74800dee7..e2352299d0 100644 --- a/detections/endpoint/windows_archive_collected_data_via_rar.yml +++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility_darkgate/rar_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_autoit3_execution.yml b/detections/endpoint/windows_autoit3_execution.yml index 330a726707..21c8f94ea7 100644 --- a/detections/endpoint/windows_autoit3_execution.yml +++ b/detections/endpoint/windows_autoit3_execution.yml @@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml index ed8499e8bf..cb13c94167 100644 --- a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml +++ b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml @@ -57,5 +57,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml index 48ae936440..74b7ef6619 100644 --- a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml +++ b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml @@ -77,5 +77,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index 293c5a51a0..aad4836898 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml @@ -65,5 +65,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml index c88cb997b8..9bfe9e856b 100644 --- a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml +++ b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_create_file.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_cab_file_on_disk.yml b/detections/endpoint/windows_cab_file_on_disk.yml index 2702cb574f..4e366525c8 100644 --- a/detections/endpoint/windows_cab_file_on_disk.yml +++ b/detections/endpoint/windows_cab_file_on_disk.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/cab_files.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml index b7440814a3..59ef16f1ab 100644 --- a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml +++ b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml @@ -68,5 +68,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml index d728f58be6..e50387eeb5 100644 --- a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml +++ b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml index 555712086c..ef186667a9 100644 --- a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml +++ b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml @@ -66,5 +66,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml index 0e1a115673..9737145f38 100644 --- a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml +++ b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml @@ -54,5 +54,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml index 9c3cfe53af..0853afa763 100644 --- a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml +++ b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml index 9a3a12023d..795908ea4a 100644 --- a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml +++ b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml @@ -65,5 +65,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_forkbomb/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_command_shell_fetch_env_variables.yml b/detections/endpoint/windows_command_shell_fetch_env_variables.yml index 37d5515237..3a8eb9726d 100644 --- a/detections/endpoint/windows_command_shell_fetch_env_variables.yml +++ b/detections/endpoint/windows_command_shell_fetch_env_variables.yml @@ -62,5 +62,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml index 15be7ea770..7aefef5f67 100644 --- a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml +++ b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml @@ -74,5 +74,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_credentials_from_password_stores_creation.yml b/detections/endpoint/windows_credentials_from_password_stores_creation.yml index 0304e3c50c..99da099a92 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_creation.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_creation.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_gen_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml index c188847697..ec16ef2c86 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_del_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_credentials_from_password_stores_query.yml b/detections/endpoint/windows_credentials_from_password_stores_query.yml index 7e9de9347e..a739e19973 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_query.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_query.yml @@ -68,5 +68,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_credentials_in_registry_reg_query.yml b/detections/endpoint/windows_credentials_in_registry_reg_query.yml index b1ef7baa6f..5d335275fb 100644 --- a/detections/endpoint/windows_credentials_in_registry_reg_query.yml +++ b/detections/endpoint/windows_credentials_in_registry_reg_query.yml @@ -68,5 +68,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml index c1c899e3d2..3463212c76 100644 --- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml +++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml @@ -78,4 +78,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml index 07874b6a6c..4d7bf7ec4a 100644 --- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml +++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml index fcd65f925e..ee31d1738d 100644 --- a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml +++ b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/swift_slicer/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_debugger_tool_execution.yml b/detections/endpoint/windows_debugger_tool_execution.yml index 08c6495c63..09f52be9b1 100644 --- a/detections/endpoint/windows_debugger_tool_execution.yml +++ b/detections/endpoint/windows_debugger_tool_execution.yml @@ -54,4 +54,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/debugger_execution/debugger.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml index aa34f4214a..757601bbfb 100644 --- a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml +++ b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml index f542d76204..d3a57beb56 100644 --- a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml +++ b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index 416607e73d..6bdf6a51c2 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml index 32e1a10c38..5c40b8c9b6 100644 --- a/detections/endpoint/windows_delete_or_modify_system_firewall.yml +++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml index de035375e4..8d4a408bed 100644 --- a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml +++ b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml index 53ccea6f2d..2f829e076c 100644 --- a/detections/endpoint/windows_disable_change_password_through_registry.yml +++ b/detections/endpoint/windows_disable_change_password_through_registry.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml index a32a24096c..77c825f461 100644 --- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml +++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml index d46252a1c5..020a21eceb 100644 --- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml +++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_disable_memory_crash_dump.yml b/detections/endpoint/windows_disable_memory_crash_dump.yml index 0ffb6633cc..5eac4c1146 100644 --- a/detections/endpoint/windows_disable_memory_crash_dump.yml +++ b/detections/endpoint/windows_disable_memory_crash_dump.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml index cda91935bf..b56ee6e437 100644 --- a/detections/endpoint/windows_disable_notification_center.yml +++ b/detections/endpoint/windows_disable_notification_center.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disable_notif_center/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml index b458094207..53d9cd1add 100644 --- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml +++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill/taskkill_im.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml index 93b72a101c..c9bd569fb1 100644 --- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml +++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml index ada5b7c1aa..24992e8d25 100644 --- a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml +++ b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml @@ -82,5 +82,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/disable_http_logging_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml index 0637e0fd43..a4a4e4656e 100644 --- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml +++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml index 9c391d1087..54ad8a356c 100644 --- a/detections/endpoint/windows_disableantispyware_registry.yml +++ b/detections/endpoint/windows_disableantispyware_registry.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_diskcryptor_usage.yml b/detections/endpoint/windows_diskcryptor_usage.yml index fc463028cc..b530c20243 100644 --- a/detections/endpoint/windows_diskcryptor_usage.yml +++ b/detections/endpoint/windows_diskcryptor_usage.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_diskshadow_proxy_execution.yml b/detections/endpoint/windows_diskshadow_proxy_execution.yml index 4a83a41826..2d41cd9a59 100644 --- a/detections/endpoint/windows_diskshadow_proxy_execution.yml +++ b/detections/endpoint/windows_diskshadow_proxy_execution.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/diskshadow/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_dism_remove_defender.yml b/detections/endpoint/windows_dism_remove_defender.yml index 632220d18c..6ce8de7eab 100644 --- a/detections/endpoint/windows_dism_remove_defender.yml +++ b/detections/endpoint/windows_dism_remove_defender.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_dism.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml index d9ee423c66..3187d87e57 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml @@ -46,5 +46,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml index aabd8c17cf..57308b20e9 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml @@ -76,5 +76,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_dll_side_loading_in_calc.yml b/detections/endpoint/windows_dll_side_loading_in_calc.yml index 8865f519f8..4a1ddcdea5 100644 --- a/detections/endpoint/windows_dll_side_loading_in_calc.yml +++ b/detections/endpoint/windows_dll_side_loading_in_calc.yml @@ -59,5 +59,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml index 7756b8d365..270b99776c 100644 --- a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml +++ b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_dns_gather_network_info.yml b/detections/endpoint/windows_dns_gather_network_info.yml index 166dba229f..3c0b01c98c 100644 --- a/detections/endpoint/windows_dns_gather_network_info.yml +++ b/detections/endpoint/windows_dns_gather_network_info.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml index 6a2d52948a..8dd198abfc 100644 --- a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml +++ b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml @@ -85,4 +85,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_drivers_loaded_by_signature.yml b/detections/endpoint/windows_drivers_loaded_by_signature.yml index c93389b598..9841019721 100644 --- a/detections/endpoint/windows_drivers_loaded_by_signature.yml +++ b/detections/endpoint/windows_drivers_loaded_by_signature.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml index 21285d3cda..e6ebde7905 100644 --- a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml +++ b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml index 3ec75a5970..55969d2426 100644 --- a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_executable_in_loaded_modules.yml b/detections/endpoint/windows_executable_in_loaded_modules.yml index da48443049..9bedc3cd86 100644 --- a/detections/endpoint/windows_executable_in_loaded_modules.yml +++ b/detections/endpoint/windows_executable_in_loaded_modules.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1129/executable_shared_modules/image_loaded_exe.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml index 8db0c9c9d6..7568f6cfee 100644 --- a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml +++ b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml @@ -81,5 +81,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml index dbe9cecede..2e7bb5ec0f 100644 --- a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml +++ b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml @@ -62,5 +62,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml index 2a2945b46f..1fe55854b9 100644 --- a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml +++ b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml index 15f4c2fb7c..215dc993ce 100644 --- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml +++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/amadey/access_permission/amadey_sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_findstr_gpp_discovery.yml b/detections/endpoint/windows_findstr_gpp_discovery.yml index e0029429f2..64e93cc269 100644 --- a/detections/endpoint/windows_findstr_gpp_discovery.yml +++ b/detections/endpoint/windows_findstr_gpp_discovery.yml @@ -71,4 +71,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_gather_victim_identity_sam_info.yml b/detections/endpoint/windows_gather_victim_identity_sam_info.yml index e832fcc4cb..437ca8e342 100644 --- a/detections/endpoint/windows_gather_victim_identity_sam_info.yml +++ b/detections/endpoint/windows_gather_victim_identity_sam_info.yml @@ -48,5 +48,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml index 3c218b411a..cd4c7446c3 100644 --- a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml +++ b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml @@ -52,5 +52,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml index 8db0b915fd..0046662ab9 100644 --- a/detections/endpoint/windows_hide_notification_features_through_registry.yml +++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml index 82439b25fe..c4ca525fd5 100644 --- a/detections/endpoint/windows_high_file_deletion_frequency.yml +++ b/detections/endpoint/windows_high_file_deletion_frequency.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml index c3fe83a959..6a4b6be0ed 100644 --- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml +++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml @@ -57,5 +57,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml index 16e963298f..f2dc36f8b9 100644 --- a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_identify_protocol_handlers.yml b/detections/endpoint/windows_identify_protocol_handlers.yml index 4372d816c0..c614f9d717 100644 --- a/detections/endpoint/windows_identify_protocol_handlers.yml +++ b/detections/endpoint/windows_identify_protocol_handlers.yml @@ -73,5 +73,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/protocol_handlers/protocolhandlers.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml index 6a9fe8082f..7dc2d6f136 100644 --- a/detections/endpoint/windows_iis_components_add_new_module.yml +++ b/detections/endpoint/windows_iis_components_add_new_module.yml @@ -80,5 +80,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml index f3eb00a6db..b3cb76a665 100644 --- a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml +++ b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml @@ -49,5 +49,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml index 16365ffe02..7bea458bd8 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml index 110e191218..9c18cde2f6 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml index db6fdc1bb2..c1384dbe3c 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml index 9311d81cbc..ba013524a0 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml index e4fd8d30c4..ba66e1e6f8 100644 --- a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml +++ b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml index 4f3c32de30..e073087694 100644 --- a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml +++ b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml index 7c1ddca49d..386d9cbf77 100644 --- a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml +++ b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml @@ -50,5 +50,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml index 61855e422f..335148cb34 100644 --- a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml +++ b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml @@ -59,5 +59,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml index 14ed082b61..6f33cebd9b 100644 --- a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml +++ b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml index 4c8b7bd899..ddc78f7466 100644 --- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml +++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml index 8ba421485a..ee837c1749 100644 --- a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml +++ b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml index f9ca2eb107..a0bfdbc90a 100644 --- a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml +++ b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml index a7be75397f..f15a2036d4 100644 --- a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml +++ b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml index ac5bad3cb0..7fa8f0e6e3 100644 --- a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml +++ b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml index ecc4583494..8cbbbdae5e 100644 --- a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml +++ b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml index 0b538ecd9a..91558ebc94 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml index 7ab6c284cf..5a0c3bde0d 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml index 707b6e9d2e..3bbca265b0 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml index 13f66cd837..1b4d946ea5 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml index 4ad3706628..02875255fb 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml index 7314387e18..228e34ea4a 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml index 87b559f94e..24d43623c3 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml index 0282f61043..482bbd2350 100644 --- a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml +++ b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml index f63e05df45..c2d3e4c6d0 100644 --- a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml +++ b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml index 4526fc4a78..986abc526f 100644 --- a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml +++ b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml index 99dc7b688d..fb0bb4cb15 100644 --- a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml +++ b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defenses_disable_hvci.yml b/detections/endpoint/windows_impair_defenses_disable_hvci.yml index 7f68d9c4fe..88d52673a7 100644 --- a/detections/endpoint/windows_impair_defenses_disable_hvci.yml +++ b/detections/endpoint/windows_impair_defenses_disable_hvci.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml index eaf0b880ae..b1f3db185b 100644 --- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml +++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml @@ -60,5 +60,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml index 2144d86244..6de57f92b5 100644 --- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml +++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml index 5e78e63eff..d289b8615f 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml index 0d53d3a046..04941547d0 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml index 1bb7c296e8..8f2d4556e7 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml @@ -65,5 +65,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml index d89c3c02f0..742142a017 100644 --- a/detections/endpoint/windows_information_discovery_fsutil.yml +++ b/detections/endpoint/windows_information_discovery_fsutil.yml @@ -67,5 +67,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml index 9228603221..3c75a69bc2 100644 --- a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml +++ b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml @@ -74,5 +74,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_explorer_url/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml index e7c32fc6aa..b5821fa802 100644 --- a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml +++ b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml index bcc723ae28..7eec90908e 100644 --- a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml +++ b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml @@ -49,5 +49,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_installutil_credential_theft.yml b/detections/endpoint/windows_installutil_credential_theft.yml index e49dd98b82..da336a12cd 100644 --- a/detections/endpoint/windows_installutil_credential_theft.yml +++ b/detections/endpoint/windows_installutil_credential_theft.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_installutil_in_non_standard_path.yml b/detections/endpoint/windows_installutil_in_non_standard_path.yml index 2f246ae4c0..9330b1a9e6 100644 --- a/detections/endpoint/windows_installutil_in_non_standard_path.yml +++ b/detections/endpoint/windows_installutil_in_non_standard_path.yml @@ -86,4 +86,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml index f469f3e1c3..888e87472d 100644 --- a/detections/endpoint/windows_installutil_remote_network_connection.yml +++ b/detections/endpoint/windows_installutil_remote_network_connection.yml @@ -77,4 +77,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_installutil_uninstall_option.yml b/detections/endpoint/windows_installutil_uninstall_option.yml index d865a51b17..a64f795b7e 100644 --- a/detections/endpoint/windows_installutil_uninstall_option.yml +++ b/detections/endpoint/windows_installutil_uninstall_option.yml @@ -78,4 +78,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml index 6f904f9d01..3f4d332b5f 100644 --- a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml +++ b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml @@ -79,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_installutil_url_in_command_line.yml b/detections/endpoint/windows_installutil_url_in_command_line.yml index 1f27fc8cc3..13fdb1775e 100644 --- a/detections/endpoint/windows_installutil_url_in_command_line.yml +++ b/detections/endpoint/windows_installutil_url_in_command_line.yml @@ -77,4 +77,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_iso_lnk_file_creation.yml b/detections/endpoint/windows_iso_lnk_file_creation.yml index a3f7c9b8dc..473b019fc7 100644 --- a/detections/endpoint/windows_iso_lnk_file_creation.yml +++ b/detections/endpoint/windows_iso_lnk_file_creation.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml index 17eaa35bf4..60ea21c54d 100644 --- a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml +++ b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/svr_loaded_modules/loaded_module_svr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml b/detections/endpoint/windows_lateral_tool_transfer_remcom.yml index 658cdc47b8..22d7f3c748 100644 --- a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml +++ b/detections/endpoint/windows_lateral_tool_transfer_remcom.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1570/remcom/remcom_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_ldifde_directory_object_behavior.yml b/detections/endpoint/windows_ldifde_directory_object_behavior.yml index 69652be4fc..31fbb366ea 100644 --- a/detections/endpoint/windows_ldifde_directory_object_behavior.yml +++ b/detections/endpoint/windows_ldifde_directory_object_behavior.yml @@ -80,4 +80,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml index 36e57df4a1..cc91ca309c 100644 --- a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml +++ b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml index 27e77c85c2..f670ad6468 100644 --- a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml +++ b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml index 4f53ec3065..2625a5907d 100644 --- a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml +++ b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml index 39ebaf7753..ad10531089 100644 --- a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml +++ b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml @@ -61,5 +61,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_mark_of_the_web_bypass.yml b/detections/endpoint/windows_mark_of_the_web_bypass.yml index 3062dc55a8..d249b2ddc8 100644 --- a/detections/endpoint/windows_mark_of_the_web_bypass.yml +++ b/detections/endpoint/windows_mark_of_the_web_bypass.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/possible-motw-deletion.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml index 844c2fd0d2..9adc028d37 100644 --- a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml +++ b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_masquerading_msdtc_process.yml b/detections/endpoint/windows_masquerading_msdtc_process.yml index f3d78e6776..0d2f490cbd 100644 --- a/detections/endpoint/windows_masquerading_msdtc_process.yml +++ b/detections/endpoint/windows_masquerading_msdtc_process.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_mimikatz_binary_execution.yml b/detections/endpoint/windows_mimikatz_binary_execution.yml index cd0adf281f..f37b18e0b5 100644 --- a/detections/endpoint/windows_mimikatz_binary_execution.yml +++ b/detections/endpoint/windows_mimikatz_binary_execution.yml @@ -81,5 +81,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml index 71a31e678d..4bc80986af 100644 --- a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml +++ b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml @@ -55,5 +55,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml index 9be80f4534..12be8fca3d 100644 --- a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml +++ b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml index 68b539a714..e72b5f7c85 100644 --- a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml +++ b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml @@ -48,4 +48,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_auto_update_notif.yml b/detections/endpoint/windows_modify_registry_auto_update_notif.yml index 40396d91ed..0174b8b3cd 100644 --- a/detections/endpoint/windows_modify_registry_auto_update_notif.yml +++ b/detections/endpoint/windows_modify_registry_auto_update_notif.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml index a1b9041cf0..ace1dbe430 100644 --- a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml +++ b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/bitlocker_registry_setting//fve-reg.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_default_icon_setting.yml b/detections/endpoint/windows_modify_registry_default_icon_setting.yml index 45a56d96c8..8ee453efcd 100644 --- a/detections/endpoint/windows_modify_registry_default_icon_setting.yml +++ b/detections/endpoint/windows_modify_registry_default_icon_setting.yml @@ -61,5 +61,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lockbit_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml index 23d4f6d0f2..dd7fea8502 100644 --- a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml +++ b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_disable_rdp.yml b/detections/endpoint/windows_modify_registry_disable_rdp.yml index 125322ed82..a8c73d34e5 100644 --- a/detections/endpoint/windows_modify_registry_disable_rdp.yml +++ b/detections/endpoint/windows_modify_registry_disable_rdp.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disable_rdp//fdenytsconnection-reg.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml index 731ad00687..8b44dba4c9 100644 --- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml +++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml index b104fc7d92..d3016e9981 100644 --- a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml +++ b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml @@ -57,5 +57,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml index c14ebc10aa..80211db14f 100644 --- a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml +++ b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml @@ -58,5 +58,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml index 3d19f5e0be..d58a9aeaad 100644 --- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml +++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml index d7919e7b76..4a876ea19c 100644 --- a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml +++ b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml @@ -58,5 +58,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml index f6e044bc2d..ea61652cb8 100644 --- a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml +++ b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/disable_remote_alias.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml index e8a8dc5e98..94ac7f3cec 100644 --- a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml +++ b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disablesecuritysetting.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml index 10cd48f314..ae351c488b 100644 --- a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml +++ b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml @@ -58,5 +58,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml index c8acd72850..820a0f7d74 100644 --- a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml +++ b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml @@ -56,5 +56,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml index 685aaae6c7..947fc52a0a 100644 --- a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml +++ b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_dontshowui.yml b/detections/endpoint/windows_modify_registry_dontshowui.yml index 56c87e34d6..55727fcfae 100644 --- a/detections/endpoint/windows_modify_registry_dontshowui.yml +++ b/detections/endpoint/windows_modify_registry_dontshowui.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/wer_dontshowui/dontshowui_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml index 3498d66a20..3c00618894 100644 --- a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml +++ b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/blackbyte_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml index 8ed7963cd7..13eb907a01 100644 --- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml +++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpath_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml index 5dd63b2f9b..fb06d7b6f9 100644 --- a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml +++ b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/maxconnectionperserver/registry_event.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml index 92833a569b..bac59b2f70 100644 --- a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml +++ b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_no_auto_update.yml b/detections/endpoint/windows_modify_registry_no_auto_update.yml index e9789cd02a..a1e27f6196 100644 --- a/detections/endpoint/windows_modify_registry_no_auto_update.yml +++ b/detections/endpoint/windows_modify_registry_no_auto_update.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml index e723b557da..f70c94ead5 100644 --- a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml +++ b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/no_changing_wallpaper/NoChangingWallPaper.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml index b2c070cf41..0f73f67d1f 100644 --- a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml +++ b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/smart_card_group_policy/scforceoption-reg.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_proxyenable.yml b/detections/endpoint/windows_modify_registry_proxyenable.yml index 582dd2c725..6601274643 100644 --- a/detections/endpoint/windows_modify_registry_proxyenable.yml +++ b/detections/endpoint/windows_modify_registry_proxyenable.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_enable/proxyenable.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_proxyserver.yml b/detections/endpoint/windows_modify_registry_proxyserver.yml index 95183500f7..9c2b748582 100644 --- a/detections/endpoint/windows_modify_registry_proxyserver.yml +++ b/detections/endpoint/windows_modify_registry_proxyserver.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_server/ProxyServer_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml index f5d81f737e..0917240e86 100644 --- a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml +++ b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml @@ -65,5 +65,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_reg_restore.yml b/detections/endpoint/windows_modify_registry_reg_restore.yml index 7ba525b5a6..45b900b2e8 100644 --- a/detections/endpoint/windows_modify_registry_reg_restore.yml +++ b/detections/endpoint/windows_modify_registry_reg_restore.yml @@ -62,5 +62,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml index 4424b1cb87..6a6c597040 100644 --- a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml +++ b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml index ded57e483a..84fd698435 100644 --- a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml +++ b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml @@ -58,5 +58,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_tamper_protection.yml b/detections/endpoint/windows_modify_registry_tamper_protection.yml index 3133013fec..4e46ec0ac4 100644 --- a/detections/endpoint/windows_modify_registry_tamper_protection.yml +++ b/detections/endpoint/windows_modify_registry_tamper_protection.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml index d9595c03d1..177a4fb7f5 100644 --- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml +++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml index 2c2dbcc256..d37fa4fcdf 100644 --- a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml +++ b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_usewuserver.yml b/detections/endpoint/windows_modify_registry_usewuserver.yml index 15cf6742dc..6dc71e2563 100644 --- a/detections/endpoint/windows_modify_registry_usewuserver.yml +++ b/detections/endpoint/windows_modify_registry_usewuserver.yml @@ -48,4 +48,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_utilize_progids.yml b/detections/endpoint/windows_modify_registry_utilize_progids.yml index ee2e924253..de6031e35b 100644 --- a/detections/endpoint/windows_modify_registry_utilize_progids.yml +++ b/detections/endpoint/windows_modify_registry_utilize_progids.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml index 641d413fdf..6753642f50 100644 --- a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml +++ b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml index 0312fc699a..0398004650 100644 --- a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml +++ b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml index 4c9a1f7b60..ecd160273a 100644 --- a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml +++ b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_reg_binary.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_wuserver.yml b/detections/endpoint/windows_modify_registry_wuserver.yml index bfa976d90b..a7c2a13fd0 100644 --- a/detections/endpoint/windows_modify_registry_wuserver.yml +++ b/detections/endpoint/windows_modify_registry_wuserver.yml @@ -48,4 +48,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_registry_wustatusserver.yml b/detections/endpoint/windows_modify_registry_wustatusserver.yml index 5e9a3f208e..6cb6f75902 100644 --- a/detections/endpoint/windows_modify_registry_wustatusserver.yml +++ b/detections/endpoint/windows_modify_registry_wustatusserver.yml @@ -48,4 +48,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml index 3b64d090ac..1b0c7d2283 100644 --- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml +++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml index 833cf3b5a9..af631186db 100644 --- a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml +++ b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml index a86e12b9bf..9b64367421 100644 --- a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml +++ b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml @@ -78,5 +78,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/mofcomp.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_mshta_execution_in_registry.yml b/detections/endpoint/windows_mshta_execution_in_registry.yml index 7cfc03b336..30ede03e49 100644 --- a/detections/endpoint/windows_mshta_execution_in_registry.yml +++ b/detections/endpoint/windows_mshta_execution_in_registry.yml @@ -61,5 +61,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml index 74d8aba0d5..73d88b19f3 100644 --- a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml +++ b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml @@ -62,5 +62,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml index c4575180d6..4fb558edb5 100644 --- a/detections/endpoint/windows_msiexec_dllregisterserver.yml +++ b/detections/endpoint/windows_msiexec_dllregisterserver.yml @@ -75,5 +75,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml index f80ce78f30..a0953be3c9 100644 --- a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml +++ b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/hidewndw-rundll32.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml index 2611b3f384..ce192c05e2 100644 --- a/detections/endpoint/windows_msiexec_remote_download.yml +++ b/detections/endpoint/windows_msiexec_remote_download.yml @@ -75,5 +75,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml index 0fd6aaac27..8e3293d447 100644 --- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml +++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml @@ -75,5 +75,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_msiexec_spawn_windbg.yml b/detections/endpoint/windows_msiexec_spawn_windbg.yml index 9a982021d1..8c1c897157 100644 --- a/detections/endpoint/windows_msiexec_spawn_windbg.yml +++ b/detections/endpoint/windows_msiexec_spawn_windbg.yml @@ -73,4 +73,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windbg_msiexec.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml index a524b65da9..1f1947eef7 100644 --- a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml +++ b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml @@ -75,5 +75,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_msiexec_with_network_connections.yml b/detections/endpoint/windows_msiexec_with_network_connections.yml index 8b40052b26..c7ee1b296a 100644 --- a/detections/endpoint/windows_msiexec_with_network_connections.yml +++ b/detections/endpoint/windows_msiexec_with_network_connections.yml @@ -72,5 +72,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml index 50678bcb59..49e6802aec 100644 --- a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml +++ b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml @@ -55,5 +55,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_network_share_interaction_with_net.yml b/detections/endpoint/windows_network_share_interaction_with_net.yml index 09c1afd920..2786a3235a 100644 --- a/detections/endpoint/windows_network_share_interaction_with_net.yml +++ b/detections/endpoint/windows_network_share_interaction_with_net.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_new_inprocserver32_added.yml b/detections/endpoint/windows_new_inprocserver32_added.yml index e67339545b..ec84b6b5aa 100644 --- a/detections/endpoint/windows_new_inprocserver32_added.yml +++ b/detections/endpoint/windows_new_inprocserver32_added.yml @@ -47,5 +47,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml index 2b65e28d02..b7e0603c0a 100644 --- a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml +++ b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml @@ -77,5 +77,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_nirsoft_advancedrun.yml b/detections/endpoint/windows_nirsoft_advancedrun.yml index 7d1bdb1dc3..700db36532 100644 --- a/detections/endpoint/windows_nirsoft_advancedrun.yml +++ b/detections/endpoint/windows_nirsoft_advancedrun.yml @@ -78,4 +78,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_nirsoft_utilities.yml b/detections/endpoint/windows_nirsoft_utilities.yml index a080fc56ff..e39c563864 100644 --- a/detections/endpoint/windows_nirsoft_utilities.yml +++ b/detections/endpoint/windows_nirsoft_utilities.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml index 8b3a376f1f..3ce7147a11 100644 --- a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml +++ b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_registry.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml index fc3a549ac8..ac7d224549 100644 --- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_odbcconf_hunting.yml b/detections/endpoint/windows_odbcconf_hunting.yml index 095ba0525d..74ef2aa500 100644 --- a/detections/endpoint/windows_odbcconf_hunting.yml +++ b/detections/endpoint/windows_odbcconf_hunting.yml @@ -66,5 +66,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_odbcconf_load_dll.yml b/detections/endpoint/windows_odbcconf_load_dll.yml index 8ef98b01fb..7289c1223a 100644 --- a/detections/endpoint/windows_odbcconf_load_dll.yml +++ b/detections/endpoint/windows_odbcconf_load_dll.yml @@ -75,5 +75,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_odbcconf_load_response_file.yml b/detections/endpoint/windows_odbcconf_load_response_file.yml index afc7469efd..a4a6da1060 100644 --- a/detections/endpoint/windows_odbcconf_load_response_file.yml +++ b/detections/endpoint/windows_odbcconf_load_response_file.yml @@ -75,5 +75,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_office_product_spawning_msdt.yml b/detections/endpoint/windows_office_product_spawning_msdt.yml index d73f3ac016..d58c5dfb22 100644 --- a/detections/endpoint/windows_office_product_spawning_msdt.yml +++ b/detections/endpoint/windows_office_product_spawning_msdt.yml @@ -84,5 +84,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_outlook_webview_registry_modification.yml b/detections/endpoint/windows_outlook_webview_registry_modification.yml index fd4cf9a2da..d1969b3771 100644 --- a/detections/endpoint/windows_outlook_webview_registry_modification.yml +++ b/detections/endpoint/windows_outlook_webview_registry_modification.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_papercut_ng_spawn_shell.yml b/detections/endpoint/windows_papercut_ng_spawn_shell.yml index b9e3610f11..e44202c0eb 100644 --- a/detections/endpoint/windows_papercut_ng_spawn_shell.yml +++ b/detections/endpoint/windows_papercut_ng_spawn_shell.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml index 0e1e5124bf..52335168c3 100644 --- a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml +++ b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_password_managers_discovery.yml b/detections/endpoint/windows_password_managers_discovery.yml index 04a833f62d..c1dd74a848 100644 --- a/detections/endpoint/windows_password_managers_discovery.yml +++ b/detections/endpoint/windows_password_managers_discovery.yml @@ -67,5 +67,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml index ab3c8f19a6..fbd23319c3 100644 --- a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml +++ b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_phishing_form_dll.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml index e7fdf3b983..958ee03f79 100644 --- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml +++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml index 1e75a3cbc4..54bc15acd1 100644 --- a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml +++ b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml @@ -58,5 +58,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_possible_credential_dumping.yml b/detections/endpoint/windows_possible_credential_dumping.yml index 1d9aef3512..7605f2a260 100644 --- a/detections/endpoint/windows_possible_credential_dumping.yml +++ b/detections/endpoint/windows_possible_credential_dumping.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_powershell_remotesigned_file.yml b/detections/endpoint/windows_powershell_remotesigned_file.yml index 4b4fe89d35..2e2a130f26 100644 --- a/detections/endpoint/windows_powershell_remotesigned_file.yml +++ b/detections/endpoint/windows_powershell_remotesigned_file.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_remotesigned/remotesigned_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_private_keys_discovery.yml b/detections/endpoint/windows_private_keys_discovery.yml index 599a27b0d5..394b89c473 100644 --- a/detections/endpoint/windows_private_keys_discovery.yml +++ b/detections/endpoint/windows_private_keys_discovery.yml @@ -68,5 +68,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_process_commandline_discovery.yml b/detections/endpoint/windows_process_commandline_discovery.yml index 793bc4aaf9..d1d25dca61 100644 --- a/detections/endpoint/windows_process_commandline_discovery.yml +++ b/detections/endpoint/windows_process_commandline_discovery.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml index e79cc02be1..46b111385a 100644 --- a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml +++ b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/non-service-searchindexer/seaarch-indexer-non-service.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml index 10f22c4423..bd60fd2019 100644 --- a/detections/endpoint/windows_process_injection_into_notepad.yml +++ b/detections/endpoint/windows_process_injection_into_notepad.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml index 41d72da587..0f8d325de3 100644 --- a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml +++ b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml @@ -61,5 +61,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_process_injection_remote_thread.yml b/detections/endpoint/windows_process_injection_remote_thread.yml index af49ec62f6..ccb8717fe3 100644 --- a/detections/endpoint/windows_process_injection_remote_thread.yml +++ b/detections/endpoint/windows_process_injection_remote_thread.yml @@ -68,5 +68,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_process_injection_wermgr_child_process.yml b/detections/endpoint/windows_process_injection_wermgr_child_process.yml index a0de132ec7..41d6972b5c 100644 --- a/detections/endpoint/windows_process_injection_wermgr_child_process.yml +++ b/detections/endpoint/windows_process_injection_wermgr_child_process.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_process_injection_with_public_source_path.yml b/detections/endpoint/windows_process_injection_with_public_source_path.yml index be223128b9..cef531ba6f 100644 --- a/detections/endpoint/windows_process_injection_with_public_source_path.yml +++ b/detections/endpoint/windows_process_injection_with_public_source_path.yml @@ -60,5 +60,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml index 9d1d4dced6..cc32322fa5 100644 --- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml +++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml index 846fd797e3..7be769588b 100644 --- a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml +++ b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml @@ -47,5 +47,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml index 834874a5f9..deb2507aac 100644 --- a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml +++ b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/industroyer2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml index 014ee7162a..176b1c381e 100644 --- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml +++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml @@ -80,5 +80,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_proxy_via_netsh.yml b/detections/endpoint/windows_proxy_via_netsh.yml index fed264ab49..9e79f60aa5 100644 --- a/detections/endpoint/windows_proxy_via_netsh.yml +++ b/detections/endpoint/windows_proxy_via_netsh.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml index c5431e9e64..67f841d264 100644 --- a/detections/endpoint/windows_proxy_via_registry.yml +++ b/detections/endpoint/windows_proxy_via_registry.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_query_registry_reg_save.yml b/detections/endpoint/windows_query_registry_reg_save.yml index e13fc7461c..73cbd0c184 100644 --- a/detections/endpoint/windows_query_registry_reg_save.yml +++ b/detections/endpoint/windows_query_registry_reg_save.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml index eb51584563..7dd91dab48 100644 --- a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml +++ b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_rasautou_dll_execution.yml b/detections/endpoint/windows_rasautou_dll_execution.yml index c35ed4cd60..74b7e47c12 100644 --- a/detections/endpoint/windows_rasautou_dll_execution.yml +++ b/detections/endpoint/windows_rasautou_dll_execution.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml index 7bb115e47e..e348c33b14 100644 --- a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml +++ b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml index 1537ffec7e..e0f4a26a9f 100644 --- a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml +++ b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml index 1d7e0260b2..652f47d281 100644 --- a/detections/endpoint/windows_registry_bootexecute_modification.yml +++ b/detections/endpoint/windows_registry_bootexecute_modification.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml index 40921a998e..e5dc2219f3 100644 --- a/detections/endpoint/windows_registry_certificate_added.yml +++ b/detections/endpoint/windows_registry_certificate_added.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.002/atomic_red_team/certblob_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml index aa8603a419..cd51537333 100644 --- a/detections/endpoint/windows_registry_delete_task_sd.yml +++ b/detections/endpoint/windows_registry_delete_task_sd.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml index ff69d5829f..d0af5906f9 100644 --- a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml +++ b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_registry_payload_injection.yml b/detections/endpoint/windows_registry_payload_injection.yml index b9a60968d8..8b8b42e25f 100644 --- a/detections/endpoint/windows_registry_payload_injection.yml +++ b/detections/endpoint/windows_registry_payload_injection.yml @@ -78,4 +78,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_registry_sip_provider_modification.yml b/detections/endpoint/windows_registry_sip_provider_modification.yml index 8221e68cf7..29094389e2 100644 --- a/detections/endpoint/windows_registry_sip_provider_modification.yml +++ b/detections/endpoint/windows_registry_sip_provider_modification.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_regsvr32_renamed_binary.yml b/detections/endpoint/windows_regsvr32_renamed_binary.yml index 8b1c246ff7..023e74e75e 100644 --- a/detections/endpoint/windows_regsvr32_renamed_binary.yml +++ b/detections/endpoint/windows_regsvr32_renamed_binary.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_3/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml index 63500bc299..bd1e3888d5 100644 --- a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml +++ b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_remote_access_software_hunt.yml b/detections/endpoint/windows_remote_access_software_hunt.yml index 6aa7c2e518..460d61df52 100644 --- a/detections/endpoint/windows_remote_access_software_hunt.yml +++ b/detections/endpoint/windows_remote_access_software_hunt.yml @@ -60,5 +60,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_remote_access_software_rms_registry.yml b/detections/endpoint/windows_remote_access_software_rms_registry.yml index 315648ff7e..61b4c60f3a 100644 --- a/detections/endpoint/windows_remote_access_software_rms_registry.yml +++ b/detections/endpoint/windows_remote_access_software_rms_registry.yml @@ -57,5 +57,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_remote_assistance_spawning_process.yml b/detections/endpoint/windows_remote_assistance_spawning_process.yml index 8999d4e184..5cce74f323 100644 --- a/detections/endpoint/windows_remote_assistance_spawning_process.yml +++ b/detections/endpoint/windows_remote_assistance_spawning_process.yml @@ -71,4 +71,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml index ab93a955a1..5ab186ab0d 100644 --- a/detections/endpoint/windows_remote_create_service.yml +++ b/detections/endpoint/windows_remote_create_service.yml @@ -77,5 +77,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml index 0459042cfb..a5fb10ddb3 100644 --- a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml +++ b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml index 5d4920f8e7..d94b296ba3 100644 --- a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml +++ b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml @@ -60,5 +60,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml index 0e836f545e..685e9eb227 100644 --- a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml +++ b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml @@ -58,5 +58,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_remote_services_rdp_enable.yml b/detections/endpoint/windows_remote_services_rdp_enable.yml index 237182e98e..aafd93fbb3 100644 --- a/detections/endpoint/windows_remote_services_rdp_enable.yml +++ b/detections/endpoint/windows_remote_services_rdp_enable.yml @@ -58,5 +58,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml index 90e87efb94..8c84c9b81f 100644 --- a/detections/endpoint/windows_replication_through_removable_media.yml +++ b/detections/endpoint/windows_replication_through_removable_media.yml @@ -61,5 +61,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml index 001de8ffb9..a5b265a493 100644 --- a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml +++ b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/update_per_user_system/rundll32_updateperusersystem.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_rundll32_webdav_request.yml b/detections/endpoint/windows_rundll32_webdav_request.yml index b6960dada5..4f4c25be8d 100644 --- a/detections/endpoint/windows_rundll32_webdav_request.yml +++ b/detections/endpoint/windows_rundll32_webdav_request.yml @@ -80,4 +80,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml index 2568eb5434..7b351d6ae8 100644 --- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml +++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml @@ -71,5 +71,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml b/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml index 318450a1ad..49610ae63b 100644 --- a/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml +++ b/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml index a242e9528e..0769d71067 100644 --- a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml +++ b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index 1e1f6fa1ae..a74614fccd 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -66,5 +66,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml index 0766c5480f..99590c358c 100644 --- a/detections/endpoint/windows_schtasks_create_run_as_system.yml +++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml @@ -71,4 +71,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_security_account_manager_stopped.yml b/detections/endpoint/windows_security_account_manager_stopped.yml index faee18f8e9..e96c3c0321 100644 --- a/detections/endpoint/windows_security_account_manager_stopped.yml +++ b/detections/endpoint/windows_security_account_manager_stopped.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ryuk/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml index efe07e8d00..7d16d2e889 100644 --- a/detections/endpoint/windows_security_support_provider_reg_query.yml +++ b/detections/endpoint/windows_security_support_provider_reg_query.yml @@ -69,5 +69,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml index b5f063ed13..d249e92917 100644 --- a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml +++ b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml @@ -78,5 +78,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml index 47e23d86ee..4a3a7177be 100644 --- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml +++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml @@ -67,5 +67,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sc_kernel.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_service_create_with_tscon.yml b/detections/endpoint/windows_service_create_with_tscon.yml index 98749f4b30..59a2fe620b 100644 --- a/detections/endpoint/windows_service_create_with_tscon.yml +++ b/detections/endpoint/windows_service_create_with_tscon.yml @@ -77,4 +77,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml index c2e2d07938..e980461f37 100644 --- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index 4263ba6ad9..942363c787 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml index 77afb2be18..9f86daaca5 100644 --- a/detections/endpoint/windows_service_deletion_in_registry.yml +++ b/detections/endpoint/windows_service_deletion_in_registry.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/service_deletion/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml index 8ccf495466..55dc68195f 100644 --- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_service_stop_by_deletion.yml b/detections/endpoint/windows_service_stop_by_deletion.yml index e71e897ab6..cbc395ea5b 100644 --- a/detections/endpoint/windows_service_stop_by_deletion.yml +++ b/detections/endpoint/windows_service_stop_by_deletion.yml @@ -62,5 +62,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml index 4a7e17eaf6..9a41590935 100644 --- a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml +++ b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml index d3acabd8c9..8ee315c743 100644 --- a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml +++ b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_crmlog-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml index e0280450a7..2157668242 100644 --- a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml +++ b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/comadmin_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml index f679f8cc4a..cd0d1ec000 100644 --- a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml +++ b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_malware_regblob-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_soaphound_binary_execution.yml b/detections/endpoint/windows_soaphound_binary_execution.yml index f567ff9905..fd2dc91b78 100644 --- a/detections/endpoint/windows_soaphound_binary_execution.yml +++ b/detections/endpoint/windows_soaphound_binary_execution.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml index b8ffd65206..4bfc96ea9d 100644 --- a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml +++ b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml @@ -48,5 +48,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml index f714e30a6b..86fe855c69 100644 --- a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml +++ b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml @@ -69,5 +69,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml index a80f26a0c0..a9f798ca55 100644 --- a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml +++ b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml @@ -62,5 +62,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/wineloader/sqlwriter_sqldumper_sideload_windows-sysmon.log - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml index 794001b99a..0543eb72c4 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml @@ -74,5 +74,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml index 2b02ca877b..297c9079c8 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml @@ -75,5 +75,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml index c9d6971039..ac6d07d19b 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml @@ -75,5 +75,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml index ff9743a531..8171a93f46 100644 --- a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml +++ b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml @@ -57,5 +57,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml index 514117a7b2..788662cdf2 100644 --- a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml +++ b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml @@ -72,5 +72,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml index 21fd6cf2dc..4e57bdab40 100644 --- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml +++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml @@ -75,5 +75,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml index ae8c902197..932d86d18c 100644 --- a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml +++ b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_discovery_using_qwinsta.yml b/detections/endpoint/windows_system_discovery_using_qwinsta.yml index 26f67cd726..1c0d524da6 100644 --- a/detections/endpoint/windows_system_discovery_using_qwinsta.yml +++ b/detections/endpoint/windows_system_discovery_using_qwinsta.yml @@ -54,5 +54,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_file_on_disk.yml b/detections/endpoint/windows_system_file_on_disk.yml index 4c11b9c8dd..5f8107f188 100644 --- a/detections/endpoint/windows_system_file_on_disk.yml +++ b/detections/endpoint/windows_system_file_on_disk.yml @@ -50,5 +50,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml index d5aa78063f..6a066ac037 100644 --- a/detections/endpoint/windows_system_logoff_commandline.yml +++ b/detections/endpoint/windows_system_logoff_commandline.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml index 080f775c36..2c537db205 100644 --- a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml +++ b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml @@ -67,5 +67,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml index bce973bef6..73332d6018 100644 --- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml +++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml @@ -68,5 +68,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml index cd8a00644e..94f5284548 100644 --- a/detections/endpoint/windows_system_reboot_commandline.yml +++ b/detections/endpoint/windows_system_reboot_commandline.yml @@ -66,5 +66,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml index 8b40401f6e..926938b02a 100644 --- a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml +++ b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml @@ -76,5 +76,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml index a86dd41d85..6c4111cdfc 100644 --- a/detections/endpoint/windows_system_shutdown_commandline.yml +++ b/detections/endpoint/windows_system_shutdown_commandline.yml @@ -67,5 +67,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/shutdown_commandline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml index 8dd5bb80e6..81b857807f 100644 --- a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml +++ b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_delay_execution/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_user_discovery_via_quser.yml b/detections/endpoint/windows_system_user_discovery_via_quser.yml index e9024cae44..01a040621b 100644 --- a/detections/endpoint/windows_system_user_discovery_via_quser.yml +++ b/detections/endpoint/windows_system_user_discovery_via_quser.yml @@ -58,5 +58,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_system_user_privilege_discovery.yml b/detections/endpoint/windows_system_user_privilege_discovery.yml index bf22a1a506..521bbafaaa 100644 --- a/detections/endpoint/windows_system_user_privilege_discovery.yml +++ b/detections/endpoint/windows_system_user_privilege_discovery.yml @@ -54,4 +54,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_terminating_lsass_process.yml b/detections/endpoint/windows_terminating_lsass_process.yml index b753550ec6..fe5ab36d29 100644 --- a/detections/endpoint/windows_terminating_lsass_process.yml +++ b/detections/endpoint/windows_terminating_lsass_process.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml index f0f25bd798..27a6af046c 100644 --- a/detections/endpoint/windows_time_based_evasion.yml +++ b/detections/endpoint/windows_time_based_evasion.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/ping_0.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml index a166d8dc41..29d66e8442 100644 --- a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml +++ b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/snakekeylogger_choice.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml index 938fdb3eeb..8facd1fbc2 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/unsigned_dll_loaded/loaded_unsigned_dll.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml index 392466be84..c9cab2ca32 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_process_path.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml index afaa7f03b5..cfb578003a 100644 --- a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml @@ -63,5 +63,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_load//wineloader_dll_sideload.log - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml index 6f0f7a3b8f..37797ece86 100644 --- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml +++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_valid_account_with_never_expires_password.yml b/detections/endpoint/windows_valid_account_with_never_expires_password.yml index 1963047e00..478cd7c7db 100644 --- a/detections/endpoint/windows_valid_account_with_never_expires_password.yml +++ b/detections/endpoint/windows_valid_account_with_never_expires_password.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_vulnerable_3cx_software.yml b/detections/endpoint/windows_vulnerable_3cx_software.yml index c2d6096e0b..5894918970 100644 --- a/detections/endpoint/windows_vulnerable_3cx_software.yml +++ b/detections/endpoint/windows_vulnerable_3cx_software.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_windbg_spawning_autoit3.yml b/detections/endpoint/windows_windbg_spawning_autoit3.yml index 68c4441221..a0987ec223 100644 --- a/detections/endpoint/windows_windbg_spawning_autoit3.yml +++ b/detections/endpoint/windows_windbg_spawning_autoit3.yml @@ -71,4 +71,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/windbg_autoit.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_wmi_impersonate_token.yml b/detections/endpoint/windows_wmi_impersonate_token.yml index 0807d007a1..e03ce18ab8 100644 --- a/detections/endpoint/windows_wmi_impersonate_token.yml +++ b/detections/endpoint/windows_wmi_impersonate_token.yml @@ -59,5 +59,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_wmi_process_and_service_list.yml b/detections/endpoint/windows_wmi_process_and_service_list.yml index a01dda2385..97c3b59e52 100644 --- a/detections/endpoint/windows_wmi_process_and_service_list.yml +++ b/detections/endpoint/windows_wmi_process_and_service_list.yml @@ -66,5 +66,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true diff --git a/detections/endpoint/windows_wmi_process_call_create.yml b/detections/endpoint/windows_wmi_process_call_create.yml index 64d2b07654..e5849e5c5d 100644 --- a/detections/endpoint/windows_wmi_process_call_create.yml +++ b/detections/endpoint/windows_wmi_process_call_create.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/winhlp32_spawning_a_process.yml b/detections/endpoint/winhlp32_spawning_a_process.yml index c69dc86ece..f1c1da3062 100644 --- a/detections/endpoint/winhlp32_spawning_a_process.yml +++ b/detections/endpoint/winhlp32_spawning_a_process.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/winrar_spawning_shell_application.yml b/detections/endpoint/winrar_spawning_shell_application.yml index 6f6d816cfa..db52e24364 100644 --- a/detections/endpoint/winrar_spawning_shell_application.yml +++ b/detections/endpoint/winrar_spawning_shell_application.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/winrar.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/winword_spawning_cmd.yml b/detections/endpoint/winword_spawning_cmd.yml index d1cf7bdc45..957d498bdb 100644 --- a/detections/endpoint/winword_spawning_cmd.yml +++ b/detections/endpoint/winword_spawning_cmd.yml @@ -73,4 +73,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/winword_spawning_powershell.yml b/detections/endpoint/winword_spawning_powershell.yml index 47c68b2e53..a43ca6ffb6 100644 --- a/detections/endpoint/winword_spawning_powershell.yml +++ b/detections/endpoint/winword_spawning_powershell.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/winword_spawning_windows_script_host.yml b/detections/endpoint/winword_spawning_windows_script_host.yml index 7c73358d65..b4fdc0e8d2 100644 --- a/detections/endpoint/winword_spawning_windows_script_host.yml +++ b/detections/endpoint/winword_spawning_windows_script_host.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_wsh.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml index 9ade701b1b..ed313bc366 100644 --- a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml +++ b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml @@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wmic_group_discovery.yml b/detections/endpoint/wmic_group_discovery.yml index e16b5a8384..c455203e83 100644 --- a/detections/endpoint/wmic_group_discovery.yml +++ b/detections/endpoint/wmic_group_discovery.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml index 5c1cdf4d3c..9bb81c37d5 100644 --- a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml +++ b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wmic_xsl_execution_via_url.yml b/detections/endpoint/wmic_xsl_execution_via_url.yml index 85e115116d..982d23b0dd 100644 --- a/detections/endpoint/wmic_xsl_execution_via_url.yml +++ b/detections/endpoint/wmic_xsl_execution_via_url.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml index e653bce937..5949e09b44 100644 --- a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml index 5a53dd8b43..112dd6a5c5 100644 --- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml +++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml index 6dc9deab8d..1552ee38f0 100644 --- a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/wsreset_uac_bypass.yml b/detections/endpoint/wsreset_uac_bypass.yml index 45f8700407..e7795dbafd 100644 --- a/detections/endpoint/wsreset_uac_bypass.yml +++ b/detections/endpoint/wsreset_uac_bypass.yml @@ -70,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/xmrig_driver_loaded.yml b/detections/endpoint/xmrig_driver_loaded.yml index 1dd153b452..b74a69de9d 100644 --- a/detections/endpoint/xmrig_driver_loaded.yml +++ b/detections/endpoint/xmrig_driver_loaded.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/xsl_script_execution_with_wmic.yml b/detections/endpoint/xsl_script_execution_with_wmic.yml index bca6ec1e2a..2ccff68011 100644 --- a/detections/endpoint/xsl_script_execution_with_wmic.yml +++ b/detections/endpoint/xsl_script_execution_with_wmic.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml index 2aa4f9b20f..c4258ca9f8 100644 --- a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml +++ b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/network/dns_query_length_with_high_standard_deviation.yml b/detections/network/dns_query_length_with_high_standard_deviation.yml index 7fef7b0ab4..8a96649f20 100644 --- a/detections/network/dns_query_length_with_high_standard_deviation.yml +++ b/detections/network/dns_query_length_with_high_standard_deviation.yml @@ -52,4 +52,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/network/ngrok_reverse_proxy_on_network.yml b/detections/network/ngrok_reverse_proxy_on_network.yml index 4ae24f5b36..c03b112f7a 100644 --- a/detections/network/ngrok_reverse_proxy_on_network.yml +++ b/detections/network/ngrok_reverse_proxy_on_network.yml @@ -55,5 +55,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational update_timestamp: true