Merge pull request #2564 from splunk/appinspect_361
search formatting errors causing app inspect failure
pyth0n1c authored Mar 7, 2023
2 parents d736063 + bc6044a commit 1ee5360
Showing 5 changed files with 21 additions and 72 deletions.
12 changes: 1 addition & 11 deletions detections/endpoint/windows_ad_domain_controller_promotion.yml
Expand Up @@ -10,17 +10,7 @@ description: This analytic identifies a genuine DC promotion event. Identifying
joined domain controller. This detection will serve to identify rogue DCs added to the network. There are 2x detections within this analytic story
which identify DCShadow attacks, if you do not currently possess the logging for these detections, remove the where clause within this
detection to identify DCShadow activity.
search: "`wineventlog_security` EventCode=4742 ServicePrincipalNames IN (\"*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\"\
, \"*GC/*\") \n| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,\
\ values(signature) as signature, values(src_user) as src_user, values(user) as\
\ user by Logon_ID, dvc\n| where src_user=user\n| rename Logon_ID as TargetLogonId,\
\ user as dest\n| appendpipe [| map search=\"search `wineventlog_security` EventCode=4624\
\ TargetLogonId=$TargetLogonId$\" | fields - dest, dvc, signature]\n| stats min(_time)\
\ as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain,\
\ values(user) as user, values(status) as status, values(src_category) as src_category,\
\ values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames\
\ values(signature) as signature values(dest) as dest values(dvc) as dvc by TargetLogonId\n\
| eval dest=trim(dest,\"$\") | `windows_ad_domain_controller_promotion_filter`"
search: "`wineventlog_security` EventCode=4742 ServicePrincipalNames IN (\"*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\",\"*GC/*\")| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc| where src_user=user| rename Logon_ID as TargetLogonId, user as dest | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\" | fields - dest, dvc, signature]| stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc by TargetLogonId | eval dest=trim(dest,\"$\") | `windows_ad_domain_controller_promotion_filter`"
how_to_implement: To successfully implement this search, you need to be ingesting eventcode
`4742`. The Advanced Security Audit policy setting `Audit Computer Account Management`
within `Account Management` needs to be enabled.
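Review bot: the collapsed one-line search keeps every command of the removed multi-line version in the same order, so behaviour is unchanged. Style point on the new line: separators are mixed, `as ServicePrincipalNames,values(signature)` has no space after the comma, and the second `stats` lists `src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc` with no commas at all. SPL tolerates both, but a uniform `, ` between aggregations makes a single-line search of this length readable for the next person editing it.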
Expand Up @@ -9,13 +9,7 @@ description: This alert was written to detect activity associated with the DCSyn
When a domain controller receives a replication request, the user account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller.
Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain.
This alert detects when a user account creates a handle to domainDNS with the necessary replication permissions.
search: '`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") AND AccessMask="0x100" AND NOT (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$")
| stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status
| rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time
| appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
| table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType
| stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId
| `windows_ad_replication_request_initiated_by_user_account_filter`'
search: '`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") AND AccessMask="0x100" AND NOT (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") | stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | `windows_ad_replication_request_initiated_by_user_account_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting eventcode `4662`.
The Advanced Security Audit policy settings `Audit Directory Services Access`
within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root
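Review bot: the one-line form is command-for-command equivalent to the removed lines, including the `NOT (... SubjectUserName="*$")` exclusion and the `appendpipe`/`map` join on `TargetLogonId`. Minor consistency point: `| stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid,` is missing the comma after `_time` that the remaining aggregations use; SPL accepts either, but consistent separators help when scanning a line this long.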
Expand Up @@ -11,27 +11,22 @@ description: This alert was written to detect activity associated with the DCSyn
This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate
from a known domain controller IP address.
search: '`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
"domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*",
"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*")
AND AccessMask="0x100" AND (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$")
| stats min(_time) as attack_time, count by SubjectDomainName, SubjectUserName,
Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status
| rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as
TargetLogonId
| appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
| table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid,
Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName,
ObjectServer, ObjectType, OperationType
| stats min(attack_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain)
as Target_Domain, values(user) as user, values(Computer) as Computer, values(status)
as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId
| search NOT src_category="domain_controller" | `windows_ad_replication_request_initiated_from_unsanctioned_location_filter`'
"domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*",
"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*")
AND AccessMask="0x100" AND (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$")
| stats min(_time) as attack_time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status
| rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as
TargetLogonId
| appendpipe
[| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
| table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid,
Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName,
ObjectServer, ObjectType, OperationType
| stats min(attack_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain)
as Target_Domain, values(user) as user, values(Computer) as Computer, values(status)
as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId
| search NOT src_category="domain_controller"
| `windows_ad_replication_request_initiated_from_unsanctioned_location_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting eventcode `4662`.
The Advanced Security Audit policy settings `Audit Directory Services Access`
within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root
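Review bot: this file still carries a multi-line search while the other four in the PR are collapsed onto one line, so if appinspect is objecting to line breaks inside `search:` values this one is likely to keep failing. The new layout also splits `| appendpipe` from its `[| map search="..."]` subsearch onto separate lines and puts `| search NOT src_category="domain_controller"` and the filter macro on their own lines; YAML folding of the single-quoted scalar turns each break into a space, so the SPL is unchanged, but it is inconsistent with the stated intent of the change. Suggest applying the same single-line treatment here.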
Expand Up @@ -6,19 +6,8 @@ author: Dean Luxton
type: TTP
datamodel: []
description: This analytic looks for audit policies being disabled on a domain controller.
search: '`wineventlog_security` EventCode=4719 (AuditPolicyChanges IN ("%%8448","%%8450","%%8448,
%%8450") OR Changes IN ("Failure removed","Success removed","Success removed, Failure
removed")) dest_category="domain_controller"
| replace "%%8448" with "Success removed", "%%8450" with "Failure removed", "%%8448,
%%8450" with "Success removed, Failure removed" in AuditPolicyChanges
| eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID)
| stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid
| lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory
| `windows_ad_domain_controller_audit_policy_disabled_filter`'
search: '`wineventlog_security` EventCode=4719 (AuditPolicyChanges IN ("%%8448","%%8450","%%8448, %%8450") OR Changes IN ("Failure removed","Success removed","Success removed, Failure
removed")) dest_category="domain_controller"| replace "%%8448" with "Success removed", "%%8450" with "Failure removed", "%%8448, %%8450" with "Success removed, Failure removed" in AuditPolicyChanges | eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID) | stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid | lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory | `windows_ad_domain_controller_audit_policy_disabled_filter`'
how_to_implement: Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists
in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results
within the base search.
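Review bot: one line break survived inside a quoted literal: `Changes IN ("Failure removed","Success removed","Success removed, Failure` ends the first line and `removed"))` starts the second. YAML folds that break into a single space, so the resulting SPL still reads `"Success removed, Failure removed"`, but it is the same pattern the PR is removing elsewhere (the `"%%8448, %%8450"` literal just before it was joined). Suggest joining the `Changes IN (...)` list onto the first line as well so the whole scalar is a single line.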
Expand Up @@ -11,26 +11,7 @@ description: This analytic detects the addition of the permissions necessary to
- DS-Replication-Get-Changes-All
Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set.
By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
search: "`wineventlog_security` (EventCode=5136) AttributeLDAPDisplayName=\"ntSecurityDescriptor\"\
\ \"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\" OR \"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\"\
\ OR \"89e95b76-444d-4c62-991a-0facbeda640c\" \n| where AttributeValue like \"%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%\"\
\ AND AttributeValue like \"%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%\" AND AttributeValue\
\ like \"%89e95b76-444d-4c62-991a-0facbeda640c%\" \n| search NOT ObjectClass IN\
\ (dnsNode,dnsZoneScope,dnsZone)\n| rex field=AttributeValue max_match=10000 \"\
OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSRGetChanges_user_sid>S-1-[0-59]-\\\
d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\"\n| rex field=AttributeValue\
\ max_match=10000 \"OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSRGetChangesAll_user_sid>S-1-[0-59]-\\\
d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\"\n| rex field=AttributeValue\
\ max_match=10000 \"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?P<DSRGetChangesFiltered_user_sid>S-1-[0-59]-\\\
d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\"\n| table _time dest src_user DSRGetChanges_user_sid\
\ DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid\n| mvexpand DSRGetChanges_user_sid\n\
| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\"\
true\",\"false\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND\
\ DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\"true\",\"false\")\n| where\
\ minDCSyncPermissions=\"true\"\n| lookup identity_lookup_expanded objectSid as\
\ DSRGetChanges_user_sid OUTPUT sAMAccountName as user\n| rename DSRGetChanges_user_sid\
\ as userSid\n| stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet|\
\ `windows_ad_domain_replication_acl_addition_filter`"
search: '`wineventlog_security` | rex field=AttributeValue max_match=10000 \"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?P<DSRGetChangesFiltered_user_sid>S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)\"| table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid| mvexpand DSRGetChanges_user_sid| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\"true\",\"false\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\"true\",\"false\")| where minDCSyncPermissions=\"true\" | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user | rename DSRGetChanges_user_sid as userSid | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet| `windows_ad_domain_replication_acl_addition_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting
`Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties`
applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing
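Review bot: the replacement search drops most of the original pipeline rather than reflowing it. Gone are the `EventCode=5136` and `AttributeLDAPDisplayName="ntSecurityDescriptor"` filters, the three GUID search terms, the `where AttributeValue like ...` clause, the `search NOT ObjectClass IN (dnsNode,dnsZoneScope,dnsZone)` exclusion, and the two `rex` statements that extract `DSRGetChanges_user_sid` and `DSRGetChangesAll_user_sid`. The new search therefore starts with a bare `\`wineventlog_security\`` over every security event, and the later `eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,...)` compares fields that are never populated, so `where minDCSyncPermissions="true"` discards everything and the detection cannot fire. The quoting is also inconsistent with the other four files: the scalar was switched from double to single quotes but the inner `\"` escapes were kept, and inside a YAML single-quoted scalar a backslash is literal, so SPL receives `\"OA;;CR;...` instead of `"OA;;CR;...`. Suggest restoring the full pipeline from the removed lines as one line and, with single quotes, writing the inner double quotes unescaped (the `\d` regex escapes can stay as written, since single quotes preserve them).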