Merge pull request #3022 from splunk/gitlab_release_v4.34.0

Release v4.34.0

app_template/default/distsearch.conf

@@ -1,5 +1,5 @@
 [replicationSettings:refineConf]
 replicate.analytic_stories = false
 
-[replicationBlacklist]
+[replicationDenylist]
 excludeESCU = apps[/\\]DA-ESS-ContentUpdate[/\\]lookups[/\\]...

baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml

@@ -10,7 +10,7 @@ description: This search is used to build a Machine Learning Toolkit (MLTK) mode
   the last 90 days of data to build the model. The model created by this search is
   then used in the corresponding detection search, which identifies subsequent outliers
   in the number of RunInstances performed by a user in a small time window.
-search: '`cloudtrail` eventName=RunInstances errorCode=success `ec2_excessive_runinstances_mltk_input_filter`
+search: '`cloudtrail` eventName=RunInstances errorCode=success
   | bucket span=10m _time | stats count as instances_launched by _time src_user |
   fit DensityFunction instances_launched threshold=0.0005 into ec2_excessive_runinstances_v1'
 how_to_implement: 'You must install the AWS App for Splunk (version 5.1.0 or later)

baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml

@@ -11,7 +11,7 @@ description: This search is used to build a Machine Learning Toolkit (MLTK) mode
   is then used in the corresponding detection search, which identifies subsequent
   outliers in the number of TerminateInstances performed by a user in a small time
   window.
-search: '`cloudtrail` eventName=TerminateInstances errorCode=success `ec2_excessive_terminateinstances_mltk_input_filter`
+search: '`cloudtrail` eventName=TerminateInstances errorCode=success
   | bucket span=10m _time | stats count as instances_terminated by _time src_user
   | fit DensityFunction instances_terminated threshold=0.0005 into ec2_excessive_terminateinstances_v1'
 how_to_implement: 'You must install the AWS App for Splunk (version 5.1.0 or later)

contentctl.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 4.33.0
+  version: 4.34.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
@@ -47,12 +47,12 @@ apps:
   version: 2.2.0
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-okta-identity-cloud_220.tgz
-- uid: 6176
+- uid: 6652
   title: Add-on for Linux Sysmon
   appid: Splunk_TA_linux_sysmon
-  version: 1.0.4
+  version: 1.0.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/add-on-for-linux-sysmon_104.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-sysmon-for-linux_100.tgz
 - uid: null
   title: Splunk Fix XmlWinEventLog HEC Parsing
   appid: Splunk_FIX_XMLWINEVENTLOG_HEC_PARSING
@@ -71,9 +71,9 @@ apps:
 - uid: 5709
   title: Splunk Add-on for Sysmon
   appid: Splunk_TA_microsoft_sysmon
-  version: 4.0.0
+  version: 4.0.1
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-sysmon_400.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-sysmon_401.tgz
 - uid: 833
   title: Splunk Add-on for Unix and Linux
   appid: Splunk_TA_nix

data_sources/endpoint/Sysmon_for_Linux_EventID.yml

@@ -2,7 +2,7 @@ name: Sysmon for Linux EventID
 id: da9fc0c9-4b15-4537-aa91-19ca0cb1eba5
 author: Patrick Bareiss, Splunk
 source: Syslog:Linux-Sysmon/Operational
-sourcetype: sysmon_linux
+sourcetype: sysmon:linux
 separator: EventID
 supported_TA:
   name: Splunk Add-on for Sysmon for Linux

data_sources/endpoint/Windows_Event_Log_Security.yml

@@ -1,7 +1,7 @@
 name: Windows Event Log Security
 id: e3e44de1-57b1-462d-b57c-c7657af7ae6e
 author: Patrick Bareiss, Splunk
-source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+source: XmlWinEventLog:Security
 sourcetype: xmlwineventlog
 separator: EventCode
 supported_TA:

data_sources/endpoint/event_sources/Windows_Event_Log_Security_5145.yml

@@ -91,18 +91,20 @@ field_mappings:
       AccessList: access_list
       AccessMask: access_mask
       AccessReason: access_result
-      ShareLocalPath: share_local_path
       RelativeTargetName: relative_target_name
+      ObjectType: object_type
       IpAddress: src_ip
       IpPort: src_port
+      SubjectDomainName: user_domain
       SubjectUserName: user
+      SubjectLogonId: user_logon_id
+      SubjectUserSid: user_sid
       ShareName: share
   - data_model: ocsf
     mapping:
       AccessList: access_list
       AccessMask: access_mask
       AccessReason: access_result
-      ShareLocalPath: file.path
       RelativeTargetName: file.path
       ObjectType: file.type
       IpAddress: src_endpoint.ip

detections/application/detect_risky_spl_using_pretrained_ml_model.yml

@@ -1,18 +1,17 @@
 name: Detect Risky SPL using Pretrained ML Model
 id: b4aefb5f-1037-410d-a149-1e091288ba33
-version: 1
-date: '2022-06-16'
+version: 2
+date: '2024-05-26'
 author: Abhinav Mishra, Kumar Sharad, Namratha Sreekanta and Xiao Lin, Splunk
 status: experimental
 type: Anomaly
-description: The following analytic uses a pretrained machine learning text classifier
-  to detect potentially risky commands. The model is trained independently and then
-  the model file is packaged within ESCU for usage. A command is deemed risky based
-  on the presence of certain trigger keywords, along with the context and the role
-  of the user (please see references). The model uses custom features to predict whether
-  a SPL is risky using text classification. The model takes as input the command text,
-  user and search type and outputs a risk score between [0,1]. A high score indicates
-  higher likelihood of a command being risky. This model is on-prem only.
+description: The following analytic identifies potentially risky SPL commands executed
+  by users. It leverages a pretrained machine learning text classifier that analyzes
+  command text, user, and search type to assign a risk score between 0 and 1. This
+  detection is significant as it helps identify suspicious or unauthorized search
+  activities that could indicate malicious intent or misuse of the Splunk environment.
+  If confirmed malicious, such activity could lead to unauthorized data access, data
+  exfiltration, or further exploitation of the system.
 data_source: []
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc
@@ -62,7 +61,8 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://github.com/splunk/attack_data/raw/master/datasets/attack_techniques/T1203/search_activity.txt
+  - data: 
+      https://github.com/splunk/attack_data/raw/master/datasets/attack_techniques/T1203/search_activity.txt
     source: audittrail
     sourcetype: audittrail
     update_timestamp: true

detections/application/email_files_written_outside_of_the_outlook_directory.yml

@@ -21,7 +21,7 @@ search: '| tstats `security_content_summariesonly` count values(Filesystem.file_
   != "C:\\Users\\*\\My Documents\\Outlook Files\\*"  Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*"
   by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest
   | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
-  `email_files_written_outside_of_the_outlook_directory_filter` '
+  `email_files_written_outside_of_the_outlook_directory_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data
   that records the file-system activity from your hosts to populate the Endpoint.Filesystem
   data model node. This is typically populated via endpoint detection-and-response

detections/application/no_windows_updates_in_a_time_frame.yml

@@ -1,15 +1,18 @@
 name: No Windows Updates in a time frame
 id: 1a77c08c-2f56-409c-a2d3-7d64617edd4f
-version: 1
-date: '2017-09-15'
+version: 2
+date: '2024-05-15'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Hunting
-description: This search looks for Windows endpoints that have not generated an event
-  indicating a successful Windows update in the last 60 days. Windows updates are
-  typically released monthly and applied shortly thereafter. An endpoint that has
-  not successfully applied an update in this time frame indicates the endpoint is
-  not regularly being patched for some reason.
+description: The following analytic identifies Windows endpoints that have not generated
+  an event indicating a successful Windows update in the last 60 days. It leverages
+  the 'Update' data model in Splunk, specifically looking for the latest 'Installed'
+  status events from Microsoft Windows. This activity is significant for a SOC because
+  endpoints that are not regularly patched are vulnerable to known exploits and security
+  vulnerabilities. If confirmed malicious, this could indicate a compromised endpoint
+  that is intentionally being kept unpatched, potentially allowing attackers to exploit
+  unpatched vulnerabilities and gain unauthorized access or control.
 data_source: []
 search: '| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates
   where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest

detections/application/okta_authentication_failed_during_mfa_challenge.yml

@@ -1,16 +1,32 @@
 name: Okta Authentication Failed During MFA Challenge
 id: e2b99e7d-d956-411a-a120-2b14adfdde93
-version: 1
-date: '2024-03-11'
+version: 2
+date: '2024-05-29'
 author: Bhavin Patel, Splunk
 data_source: []
 type: TTP
 status: production
-description: The following analytic identifies an authentication attempt event against
-  an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime  values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature  values(Authentication.method) as method  from datamodel=Authentication where  Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure by _time Authentication.src Authentication.user Authentication.dest Authentication.action | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| iplocation src | `okta_authentication_failed_during_mfa_challenge_filter`'
-how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
-known_false_positives: A user may have accidentally entered the wrong credentials during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. Ensure that the user is aware of the MFA process and has the correct credentials.
+description: The following analytic identifies failed authentication attempts during
+  the Multi-Factor Authentication (MFA) challenge in an Okta tenant. It uses the Authentication
+  datamodel to detect specific failed events where the authentication signature is
+  `user.authentication.auth_via_mfa`. This activity is significant as it may indicate
+  an adversary attempting to authenticate with compromised credentials on an account
+  with MFA enabled. If confirmed malicious, this could suggest an ongoing attempt
+  to bypass MFA protections, potentially leading to unauthorized access and further
+  compromise of the affected account.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime  values(Authentication.app) as app values(Authentication.reason) as
+  reason values(Authentication.signature) as signature  values(Authentication.method)
+  as method  from datamodel=Authentication where  Authentication.signature=user.authentication.auth_via_mfa
+  Authentication.action = failure by _time Authentication.src Authentication.user
+  Authentication.dest Authentication.action | `drop_dm_object_name("Authentication")`
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| iplocation
+  src | `okta_authentication_failed_during_mfa_challenge_filter`'
+how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the
+  Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
+known_false_positives: A user may have accidentally entered the wrong credentials
+  during the MFA challenge. If the user is new to MFA, they may have trouble authenticating.
+  Ensure that the user is aware of the MFA process and has the correct credentials.
 references:
 - https://sec.okta.com/everythingisyes
 - https://splunkbase.splunk.com/app/6553
@@ -55,6 +71,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.log
     source: okta_log
-    sourcetype: OktaIM2:log
+    sourcetype: OktaIM2:log

detections/application/okta_idp_lifecycle_modifications.yml

@@ -1,16 +1,31 @@
 name: Okta IDP Lifecycle Modifications
 id: e0be2c83-5526-4219-a14f-c3db2e763d15
-version: 1
-date: '2024-03-14'
+version: 2
+date: '2024-05-28'
 author: Bhavin Patel, Splunk
 data_source: []
 type: Anomaly
 status: production
-description: This detection identifies modifications to Okta Identity Provider (IDP) lifecycle events, such as creation, activation, deactivation, and deletion of IDP configurations. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms within an organization. By detecting unauthorized or anomalous changes, organizations can quickly respond to potential security breaches or misconfigurations, ensuring that their identity management systems remain secure and operational.
-search: '`okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate") 
-  |  stats count  min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_idp_lifecycle_modifications_filter`'
-how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
-known_false_positives: It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior.
+description: The following analytic identifies modifications to Okta Identity Provider
+  (IDP) lifecycle events, including creation, activation, deactivation, and deletion
+  of IDP configurations. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta
+  Identity Cloud. Monitoring these events is crucial for maintaining the integrity
+  and security of authentication mechanisms. Unauthorized or anomalous changes could
+  indicate potential security breaches or misconfigurations. If confirmed malicious,
+  attackers could manipulate authentication processes, potentially gaining unauthorized
+  access or disrupting identity management systems.
+search: '`okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate")
+  |  stats count  min(_time) as firstTime max(_time) as lastTime values(target{}.id)
+  as target_id values(target{}.type) as target_modified by src dest src_user_id user
+  user_agent command description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `okta_idp_lifecycle_modifications_filter`'
+how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the
+  Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
+known_false_positives: It's possible for legitimate administrative actions or automated
+  processes to trigger this detection, especially if there are bulk modifications
+  to Okta IDP lifecycle events. Review the context of the modification, such as the
+  user making the change and the specific lifecycle event modified, to determine if
+  it aligns with expected behavior.
 references:
 - https://www.obsidiansecurity.com/blog/behind-the-breach-cross-tenant-impersonation-in-okta/
 - https://splunkbase.splunk.com/app/6553
@@ -20,7 +35,8 @@ tags:
   asset_type: Okta Tenant
   confidence: 90
   impact: 90
-  message: A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]"
+  message: A user [$user$] is attempting IDP lifecycle modification - [$description$]
+    from IP Address - [$src$]"
   mitre_attack_id:
   - T1087.004
   observable:
@@ -52,6 +68,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/okta_idp/okta.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/okta_idp/okta.log
     source: Okta
-    sourcetype: OktaIM2:log
+    sourcetype: OktaIM2:log