Merge pull request #3173 from splunk/fix_dd
remove endhoursago=1 from drilldown searches
patel-bhavin authored Oct 28, 2024
2 parents b13b314 + 64e07e9 commit c000869
Showing 1,611 changed files with 6,764 additions and 12,687 deletions.
Expand Up @@ -15,12 +15,12 @@ references:
- https://github.com/airbus-cert/CVE-2024-4040
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
drilldown_searches:
- name: View the detection results for $dest$
search: '%original_detection_search% | search dest = $dest$'
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $dest$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
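Review bot: the risk-events drilldown in this hunk, `search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | ...'`, now drops endhoursago=1, so the most recent hour of risk events is no longer cut off, but the window is still fixed by the hard-coded starthoursago=168 while the same entry also sets earliest_offset: $info_min_time$ and latest_offset: $info_max_time$. Pick one time-range mechanism so the "last 7 days" promised in the name and the range actually searched cannot drift apart. Quoting the token as IN ("$dest$") is the right change, since a dest value containing a space or colon would otherwise be split into separate IN terms.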
Expand Up @@ -7,36 +7,9 @@ status: production
type: Hunting
data_source:
- Azure Active Directory Sign-in activity
description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A
distributed password spray attack is a type of brute force attack where the attacker attempts a few
common passwords against many different accounts, connecting from multiple IP addresses to avoid detection.
By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication
events, providing comprehensive coverage and enhancing security against these attacks.
search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m
| `drop_dm_object_name("Authentication")`
```fill out time buckets for 0-count events during entire search length```
| appendpipe [| timechart limit=0 span=5m count | table _time]
| fillnull value=0 unique_accounts, unique_src
``` remove duplicate & empty time buckets```
| sort - total_failures
| dedup _time
``` Create aggregation field & apply to all null events```
| eval counter=sourcetype+"__"+signature_id
| eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter)
``` 3-sigma detection logic ```
| eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter
| eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3)
| eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0)
| replace "::ffff:*" with * in src
| where isOutlier=1
| foreach *
[ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)]
| table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id
| sort - total_failures | `detect_distributed_password_spray_attempts_filter`'
how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM)
and that the src field is populated with the source device information. Additionally, ensure that
fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from
log sources that do not feature the signature_id field in the results.
description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A distributed password spray attack is a type of brute force attack where the attacker attempts a few common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.
search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m | `drop_dm_object_name("Authentication")` ```fill out time buckets for 0-count events during entire search length``` | appendpipe [| timechart limit=0 span=5m count | table _time] | fillnull value=0 unique_accounts, unique_src ``` remove duplicate & empty time buckets``` | sort - total_failures | dedup _time ``` Create aggregation field & apply to all null events``` | eval counter=sourcetype+"__"+signature_id | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) ``` 3-sigma detection logic ``` | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3) | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0) | replace "::ffff:*" with * in src | where isOutlier=1 | foreach * [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id | sort - total_failures | `detect_distributed_password_spray_attempts_filter`'
how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM) and that the src field is populated with the source device information. Additionally, ensure that fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from log sources that do not feature the signature_id field in the results.
known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings.
references:
- https://attack.mitre.org/techniques/T1110/003/
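Review bot: the outlier test in the folded search still compares the wrong field: `isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0)` checks unique_accounts against upperBoundsrc, so the source-count 3-sigma bound derived from comp_avg_src and comp_std_src is never applied; the second clause should read unique_src >= upperBoundsrc. Since this line is being rewritten anyway, two more things in it deserve a look: the tstats buckets use span=2m while the zero-fill `appendpipe [| timechart limit=0 span=5m count | table _time]` uses span=5m, so the filled buckets do not line up with the real ones, and `replace "::ffff:*" with * in src` targets a field that no longer exists after the dc(Authentication.src) aggregation and is a no-op here.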
Expand Down Expand Up @@ -72,10 +45,10 @@ tags:
- Authentication.user
- Authentication.src
security_domain: access
manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion.
manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion.
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log
source: azure:monitor:aad
sourcetype: azure:monitor:aad
sourcetype: azure:monitor:aad
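Review bot: the `manual_test:` line keeps the typo "detetion" in both the removed and the added version; as the line is touched by this commit, correct it to "detection". The trailing `sourcetype: azure:monitor:aad` appears unchanged as old and new line, so that part of the hunk is a whitespace-only change.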
19 changes: 3 additions & 16 deletions detections/application/detect_new_login_attempts_to_routers.yml
Expand Up @@ -5,23 +5,10 @@ date: '2024-10-17'
author: Bhavin Patel, Splunk
status: experimental
type: TTP
description: The following analytic identifies new login attempts to routers. It leverages
authentication logs from the ES Assets and Identity Framework, focusing on assets
categorized as routers. The detection flags connections that have not been observed
in the past 30 days. This activity is significant because unauthorized access to
routers can lead to network disruptions or data interception. If confirmed malicious,
attackers could gain control over network traffic, potentially leading to data breaches
or further network compromise.
description: The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise.
data_source: []
search: '| tstats `security_content_summariesonly` count earliest(_time) as earliest
latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router
by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(),
"-30d@d"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)`
| `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`'
how_to_implement: To successfully implement this search, you must ensure the network
router devices are categorized as "router" in the Assets and identity table. You
must also populate the Authentication data model with logs related to users authenticating
to routing infrastructure.
search: '| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`'
how_to_implement: To successfully implement this search, you must ensure the network router devices are categorized as "router" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.
known_false_positives: Legitimate router connections may appear as new connections
references: []
tags:
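Review bot: the folded search marks a dest/user pair as new when `earliest >= relative_time(now(), "-30d@d")`, which only means something if the search runs over a window longer than 30 days; over a 24-hour or 7-day window every pair has its earliest event inside the last 30 days and every router login is reported. The how_to_implement text should state the required lookback (at least 30 days plus the alerting interval), and data_source: [] and references: [] are still empty for a TTP detection.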
8 changes: 4 additions & 4 deletions detections/application/detect_password_spray_attempts.yml
Expand Up @@ -14,12 +14,12 @@ known_false_positives: Unknown
references:
- https://attack.mitre.org/techniques/T1110/003/
drilldown_searches:
- name: View the detection results for $sourcetype$
search: '%original_detection_search% | search sourcetype = $sourcetype$'
- name: View the detection results for - "$sourcetype$"
search: '%original_detection_search% | search sourcetype = "$sourcetype$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $sourcetype$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($sourcetype$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- name: View risk events for the last 7 days for - "$sourcetype$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$sourcetype$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
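Review bot: the risk drilldown here has the same split as the CrushFTP one, a hard-coded starthoursago=168 next to earliest_offset/latest_offset fields, so settle on one time-range mechanism. More importantly, the risk object in `normalized_risk_object IN ("$sourcetype$")` is a sourcetype: this drilldown only returns rows if the detection actually writes the sourcetype as its risk object, and when it does the result set covers every risk event for that sourcetype rather than for a particular user or source, which the drilldown name should say.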
31 changes: 4 additions & 27 deletions detections/application/email_attachments_with_lots_of_spaces.yml
Expand Up @@ -5,37 +5,14 @@ date: '2024-10-17'
author: David Dorsey, Splunk
status: experimental
type: Anomaly
description: The following analytic detects email attachments with an unusually high
number of spaces in their file names, which is a common tactic used by attackers
to obfuscate file extensions. It leverages the Email data model to identify attachments
where the ratio of spaces to the total file name length exceeds 10%. This behavior
is significant as it may indicate an attempt to bypass security filters and deliver
malicious payloads. If confirmed malicious, this activity could lead to the execution
of harmful code or unauthorized access to sensitive information within the recipient's
environment.
description: The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment.
data_source: []
search: '| tstats `security_content_summariesonly` count values(All_Email.recipient)
as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email
where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")`
| eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio
>= 0.1 | rex field=recipient_address "(?<recipient_user>.*)@" | `email_attachments_with_lots_of_spaces_filter`'
how_to_implement: 'You need to ingest data from emails. Specifically, the sender''s
address and the file names of any attachments must be mapped to the Email data model.
The threshold ratio is set to 10%, but this value can be configured to suit each
environment.
search: '| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address "(?<recipient_user>.*)@" | `email_attachments_with_lots_of_spaces_filter`'
how_to_implement: 'You need to ingest data from emails. Specifically, the sender''s address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment.
**Splunk Phantom Playbook Integration**
If Splunk Phantom is also configured in your environment, a playbook called "Suspicious
Email Attachment Investigate and Delete" can be configured to run when any results
are found by this detection search. To use this integration, install the Phantom
App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname
to the "Phantom Instance" field in the Adaptive Response Actions when configuring
this detection search. The notable event will be sent to Phantom and the playbook
will gather further information about the file attachment and its network behaviors.
If Phantom finds malicious behavior and an analyst approves of the results, the
email will be deleted from the user''s inbox.'
If Splunk Phantom is also configured in your environment, a playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user''s inbox.'
known_false_positives: None at this time
references: []
tags:
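Review bot: the folded description says the space ratio "exceeds 10%" while the search filters with `search space_ratio >= 0.1`, so a ratio of exactly 10% is included; align the wording with the operator. known_false_positives: None at this time is hard to defend for this logic: a legitimate attachment named "Q3 report final version.docx" (3 spaces in 28 characters, ratio 0.107) trips the threshold, so the entry should say that names with several ordinary word separators will match and point to the tunable threshold that how_to_implement already mentions.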