Skip to content

Commit

Permalink
Merge branch 'develop' into fix_missing_summariesonly
Browse files Browse the repository at this point in the history
  • Loading branch information
pyth0n1c authored Oct 29, 2024
2 parents 8c9f561 + 937b39b commit 815e1d3
Show file tree
Hide file tree
Showing 1,613 changed files with 7,036 additions and 12,697 deletions.
6 changes: 6 additions & 0 deletions contentctl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,12 @@ apps:
version: 1.4.1
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_141.tgz
- uid: 6207
title: Splunk Add-on for Microsoft Security
appid: Splunk_TA_MS_Security
version: 2.3.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_230.tgz
- uid: 2734
title: URL Toolbox
appid: URL_TOOLBOX
Expand Down
234 changes: 234 additions & 0 deletions data_sources/ms365_defender_incident_alerts.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,234 @@
name: MS365 Defender Incident Alerts
id: 12345678-90ab-cdef-1234-567890abcdef
version: 1
date: '2024-07-18'
author: Bhavin Patel, Splunk
description: Data source object for MS365 Defender Incident Alerts
source: ms365_defender_incident_alerts
sourcetype: ms365:defender:incident:alerts
supported_TA:
- name: Splunk Add-on for Microsoft Security
url: https://splunkbase.splunk.com/app/6207
version: 2.3.0
fields:
- actorName
- alertId
- app
- assignedTo
- body
- category
- classification
- creationTime
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- description
- dest
- detectionSource
- detectorId
- determination
- devices{}.aadDeviceId
- devices{}.defenderAvStatus
- devices{}.deviceDnsName
- devices{}.firstSeen
- devices{}.healthStatus
- devices{}.loggedOnUsers{}.accountName
- devices{}.loggedOnUsers{}.domainName
- devices{}.mdatpDeviceId
- devices{}.onboardingStatus
- devices{}.osBuild
- devices{}.osPlatform
- devices{}.osProcessor
- devices{}.rbacGroupName
- devices{}.riskScore
- devices{}.version
- devices{}.vmMetadata
- devices{}.vmMetadata.cloudProvider
- devices{}.vmMetadata.resourceId
- devices{}.vmMetadata.subscriptionId
- devices{}.vmMetadata.vmId
- entities{}.aadUserId
- entities{}.accountName
- entities{}.applicationId
- entities{}.applicationName
- entities{}.detectionStatus
- entities{}.deviceId
- entities{}.domainName
- entities{}.entityType
- entities{}.evidenceCreationTime
- entities{}.fileName
- entities{}.filePath
- entities{}.ipAddress
- entities{}.parentProcessCreationTime
- entities{}.parentProcessFileName
- entities{}.parentProcessFilePath
- entities{}.parentProcessId
- entities{}.processCommandLine
- entities{}.processCreationTime
- entities{}.processId
- entities{}.remediationStatus
- entities{}.remediationStatusDetails
- entities{}.sha1
- entities{}.sha256
- entities{}.userPrincipalName
- entities{}.userSid
- entities{}.verdict
- eventtype
- firstActivity
- host
- id
- incidentId
- index
- investigationId
- investigationState
- lastActivity
- lastUpdatedTime
- linecount
- mitreTechniques{}
- mitre_technique_id
- providerAlertId
- resolvedTime
- serviceSource
- severity
- signature
- signature_id
- source
- sourcetype
- splunk_server
- splunk_server_group
- src
- status
- subject
- tag
- tag::app
- tag::eventtype
- threatFamilyName
- timeendpos
- timestartpos
- title
- type
- user
- user_name
- _bkt
- _cd
- _eventtype_color
- _indextime
- _raw
- _serial
- _si
- _sourcetype
- _subsecond
- _time
example_log: |
{
"alertId": "da638001130101730338_582949328",
"providerAlertId": "da638001130101730338_582949328",
"incidentId": 486,
"serviceSource": "MicrosoftDefenderForEndpoint",
"creationTime": "2022-09-30T05:36:50.1732198Z",
"lastUpdatedTime": "2022-11-19T01:35:42.7033333Z",
"resolvedTime": "2022-10-01T01:36:00.5066667Z",
"firstActivity": "2022-09-30T05:06:43.8196597Z",
"lastActivity": "2022-09-30T05:06:43.8196597Z",
"title": "Suspicious URL clicked",
"description": "A user opened a potentially malicious URL. This alert was triggered based on a Microsoft Defender for Office 365 alert.",
"category": "InitialAccess",
"status": "Resolved",
"severity": "High",
"investigationId": null,
"investigationState": "UnsupportedAlertType",
"classification": "TruePositive",
"determination": "SecurityTesting",
"detectionSource": "MTP",
"detectorId": "359b36eb-337c-4f1c-b280-8c5e08f9c4a0",
"assignedTo": "[email protected]",
"actorName": null,
"threatFamilyName": null,
"mitreTechniques": [
"T1566.002"
],
"devices": [
{
"mdatpDeviceId": "c7e147cb0eb3534a4dcea5acb8e61c933713b145",
"aadDeviceId": null,
"deviceDnsName": "metal-win10v.metal.m365dpoc.com",
"osPlatform": "Windows10",
"version": "1809",
"osProcessor": "x64",
"osBuild": 17763,
"healthStatus": "Active",
"riskScore": "High",
"rbacGroupName": "Full Auto Clients",
"firstSeen": "2022-08-08T08:51:02.455Z",
"tags": [
"Full auto"
],
"defenderAvStatus": "Updated",
"onboardingStatus": "Onboarded",
"vmMetadata": {
"vmId": "17881b39-b03f-4a2c-9b56-078be1330bd0",
"cloudProvider": "Unknown",
"resourceId": "/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10V",
"subscriptionId": "29e73d07-8740-4164-a257-592a19a7b77c"
},
"loggedOnUsers": [
{
"accountName": "hetfield",
"domainName": "MSDXV2"
}
]
}
],
"entities": [
{
"entityType": "Process",
"evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
"verdict": "Suspicious",
"remediationStatus": "None",
"sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c",
"sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
"fileName": "powershell.exe",
"filePath": "",
"processId": 7068,
"processCommandLine": "powershell.exe -command \" $Process = New-Object System.Diagnostics.Process; $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Chetfield%40metal.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0'; $Process.StartInfo.UseShellExecute = $true; $Process.Start() | Out-Null; \" ",
"processCreationTime": "2022-09-30T05:06:43.3390523Z",
"parentProcessId": 7116,
"parentProcessCreationTime": "2022-09-30T05:06:43.3100364Z",
"accountName": "hetfield",
"userSid": "S-1-5-21-2300221942-1987151257-321556088-1104"
},
{
"entityType": "File",
"evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
"verdict": "Suspicious",
"remediationStatus": "None",
"sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c",
"sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
"fileName": "powershell.exe",
"filePath": ""
},
{
"entityType": "User",
"evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
"verdict": "Suspicious",
"remediationStatus": "None",
"accountName": "hetfield",
"domainName": "metal.m365dpoc",
"userSid": "S-1-5-21-2300221942-1987151257-321556088-1104",
"aadUserId": "e848b07a-87af-4448-9979-09f0b809c8d4",
"userPrincipalName": "daftpunk"
},
{
"entityType": "Url",
"evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
"verdict": "Suspicious",
"remediationStatus": "None",
"url": "http://gcajebahdi.corporatelogon.xyz/ab/jnkmbkkdnlgedc"
}
]
}
Original file line number Diff line number Diff line change
Expand Up @@ -15,12 +15,12 @@ references:
- https://github.com/airbus-cert/CVE-2024-4040
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
drilldown_searches:
- name: View the detection results for $dest$
search: '%original_detection_search% | search dest = $dest$'
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $dest$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,36 +7,9 @@ status: production
type: Hunting
data_source:
- Azure Active Directory Sign-in activity
description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A
distributed password spray attack is a type of brute force attack where the attacker attempts a few
common passwords against many different accounts, connecting from multiple IP addresses to avoid detection.
By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication
events, providing comprehensive coverage and enhancing security against these attacks.
search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m
| `drop_dm_object_name("Authentication")`
```fill out time buckets for 0-count events during entire search length```
| appendpipe [| timechart limit=0 span=5m count | table _time]
| fillnull value=0 unique_accounts, unique_src
``` remove duplicate & empty time buckets```
| sort - total_failures
| dedup _time
``` Create aggregation field & apply to all null events```
| eval counter=sourcetype+"__"+signature_id
| eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter)
``` 3-sigma detection logic ```
| eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter
| eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3)
| eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0)
| replace "::ffff:*" with * in src
| where isOutlier=1
| foreach *
[ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)]
| table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id
| sort - total_failures | `detect_distributed_password_spray_attempts_filter`'
how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM)
and that the src field is populated with the source device information. Additionally, ensure that
fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from
log sources that do not feature the signature_id field in the results.
description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A distributed password spray attack is a type of brute force attack where the attacker attempts a few common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.
search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m | `drop_dm_object_name("Authentication")` ```fill out time buckets for 0-count events during entire search length``` | appendpipe [| timechart limit=0 span=5m count | table _time] | fillnull value=0 unique_accounts, unique_src ``` remove duplicate & empty time buckets``` | sort - total_failures | dedup _time ``` Create aggregation field & apply to all null events``` | eval counter=sourcetype+"__"+signature_id | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) ``` 3-sigma detection logic ``` | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3) | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0) | replace "::ffff:*" with * in src | where isOutlier=1 | foreach * [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id | sort - total_failures | `detect_distributed_password_spray_attempts_filter`'
how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM) and that the src field is populated with the source device information. Additionally, ensure that fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from log sources that do not feature the signature_id field in the results.
known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings.
references:
- https://attack.mitre.org/techniques/T1110/003/
Expand Down Expand Up @@ -72,10 +45,10 @@ tags:
- Authentication.user
- Authentication.src
security_domain: access
manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion.
manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion.
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log
source: azure:monitor:aad
sourcetype: azure:monitor:aad
sourcetype: azure:monitor:aad
19 changes: 3 additions & 16 deletions detections/application/detect_new_login_attempts_to_routers.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,23 +5,10 @@ date: '2024-10-17'
author: Bhavin Patel, Splunk
status: experimental
type: TTP
description: The following analytic identifies new login attempts to routers. It leverages
authentication logs from the ES Assets and Identity Framework, focusing on assets
categorized as routers. The detection flags connections that have not been observed
in the past 30 days. This activity is significant because unauthorized access to
routers can lead to network disruptions or data interception. If confirmed malicious,
attackers could gain control over network traffic, potentially leading to data breaches
or further network compromise.
description: The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise.
data_source: []
search: '| tstats `security_content_summariesonly` count earliest(_time) as earliest
latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router
by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(),
"-30d@d"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)`
| `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`'
how_to_implement: To successfully implement this search, you must ensure the network
router devices are categorized as "router" in the Assets and identity table. You
must also populate the Authentication data model with logs related to users authenticating
to routing infrastructure.
search: '| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`'
how_to_implement: To successfully implement this search, you must ensure the network router devices are categorized as "router" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.
known_false_positives: Legitimate router connections may appear as new connections
references: []
tags:
Expand Down
Loading

0 comments on commit 815e1d3

Please sign in to comment.