Merge pull request #27 from splunk/CRL-1301
Crl 1301
josehelps authored Mar 5, 2019
2 parents 564b40a + b3bb3dc commit 9a1b5bd
Showing 16 changed files with 105 additions and 69 deletions.
16 changes: 8 additions & 8 deletions escu/searches/detection_activity_related_to_pass_the_hash.json
Expand Up @@ -4,7 +4,7 @@
"confidence": "low",
"correlation_rule": {
"notable": {
"nes_fields": "",
"nes_fields": "src_ip, dest, user",
"rule_description": "This search looks for Authentication log events from the Windows Security Audit logs to detect potential attempts for Passing the Hash",
"rule_title": "Detect Activity Related to Pass the Hash"
},
Expand All @@ -16,24 +16,24 @@
"risk_score": 10
},
"suppress": {
"suppress_fields": "ComputerName",
"suppress_fields": "dest",
"suppress_period": "86400s"
}
},
"creation_date": "2016-09-13",
"data_metadata": {
"data_eventtypes": [
"wineventlog_security"
],
"data_source": [
"Authentication"
],
"data_sourcetypes": [
"WinEventLog:Security"
],
"providing_technologies": [
"Microsoft Windows"
]
},
"eli5": "To detect pass the hash activity, we look at all events with event code 4624 or 4625 that specify a logon type 3 (network logons). We are looking for the NtLmSsP account, with a key length set to 0. These indicate lower level protocols that are typically used through Pass the Hash (WMI, SMB, etc.). The search also filters out events with an account name of 'Anonymous' to help reduce false positives.",
"how_to_implement": "To successfully implement this search, you must ingest your Windows Security Event logs and leverage the TA for Windows to extract EventCode, Logon_Process, Logon_Type, Key_Length and Account_Name fields from these events.",
"how_to_implement": "To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.",
"known_false_positives": "Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.",
"maintainers": [
{
Expand Down Expand Up @@ -62,7 +62,7 @@
"PR.IP"
]
},
"modification_date": "2017-09-18",
"modification_date": "2019-02-27",
"original_authors": [
{
"company": "Splunk",
Expand All @@ -75,7 +75,7 @@
"earliest_time": "-70m@m",
"latest_time": "-10m@m"
},
"search": "sourcetype=\"WinEventLog:Security\" (EventCode=4624 OR EventCode=4625) Logon_Process=NtLmSsp Logon_Type=3 Account_Name !=\"ANONYMOUS LOGON\" Key_Length=0 | table _time Source_Network_Address Account_Name Account_Domain ComputerName Workstation_Name",
"search": "eventtype=wineventlog_security (signature_id=4624 OR signature_id=4625) Logon_Process=NtLmSsp Logon_Type=3 Account_Name !=\"ANONYMOUS LOGON\" Key_Length=0 | table _time src_ip user dest dest_nt_domain signature_id signature",
"search_description": "This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique.",
"search_id": "f5939373-8054-40ad-8c64-cec478a22a4b",
"search_name": "Detect Activity Related to Pass the Hash Attacks",
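Review bot: The rewritten `how_to_implement` on the new side of this hunk drops the list of fields the search depends on, yet the new `search` still filters on the raw extracted fields `Logon_Process`, `Logon_Type`, `Account_Name` and `Key_Length` alongside the CIM fields `src_ip`, `user` and `dest` that it tables. A field filter on a field that is not extracted matches nothing, so the requirement should stay documented; e.g. `"how_to_implement": "To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows, which provides the wineventlog_security eventtype and the Logon_Process, Logon_Type, Key_Length, Account_Name, src_ip, user and dest fields this search relies on."`. The anonymous-logon exclusion still tests `Account_Name` while the table and `nes_fields` use `user`; if the TA aliases one to the other this is harmless, but it is worth confirming so the filter and the notable fields agree.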
14 changes: 7 additions & 7 deletions escu/searches/detection_excessive_lockouts_from_endpoint.json
Expand Up @@ -22,18 +22,18 @@
},
"creation_date": "2017-08-17",
"data_metadata": {
"data_models": [
"Change"
],
"data_source": [
"Windows Event Logs"
],
"data_sourcetypes": [
"WinEventLog:Security"
],
"providing_technologies": [
"Microsoft Windows"
]
},
"eli5": "This search looks for the Windows event code 4740 within your Windows Security Logs, which indicates that an account has been locked out. It then counts the number of times an endpoint has caused an account lockout within a four hour window and displays those hosts with a count greater than or equal to five.",
"how_to_implement": "While this search does not require you to adhere to Splunk CIM, you must ingest your Windows security event logs in order for this search to execute successfully.<br></br> <b>Splunk>Phantom Playbook Integration</b><br></br>If Splunk>Phantom is also configured in your environment, a Playbook called \"Excessive Account Lockouts Enrichment and Response\" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk <code>https://splunkbase.splunk.com/app/3411/</code>, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. <br/>(Playbook Link:<code>https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/</code>).<br></br>",
"eli5": "This search queries the `Change.All_Changes` datamodel under the nodename is `Account_Management` , where the result is \"lockout\", which indicates that an account has been locked out. It then counts the number of times an endpoint has caused an account lockout within a four hour window and displays those hosts with a count greater than or equal to five.",
"how_to_implement": "You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. <br></br> <b>Splunk>Phantom Playbook Integration</b><br></br>If Splunk>Phantom is also configured in your environment, a Playbook called \"Excessive Account Lockouts Enrichment and Response\" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk <code>https://splunkbase.splunk.com/app/3411/</code>, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. <br/>(Playbook Link:<code>https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/</code>).<br></br>",
"known_false_positives": "It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.",
"maintainers": [
{
Expand All @@ -58,7 +58,7 @@
"PR.IP"
]
},
"modification_date": "2017-09-23",
"modification_date": "2019-02-28",
"original_authors": [
{
"company": "Splunk",
Expand All @@ -81,7 +81,7 @@
"earliest_time": "-4h@h",
"latest_time": "-5m@m"
},
"search": "sourcetype=WinEventLog:Security EventCode=4740 | stats count min(_time) as firstTime max(_time) as lastTime by dest, signature | `ctime(firstTime)` | `ctime(lastTime)` | search count > 5",
"search": "| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result=\"lockout\" by All_Changes.dest All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `ctime(firstTime)` | `ctime(lastTime)` | search count > 5",
"search_description": "This search identifies endpoints that have caused a relatively high number of account lockouts in a short period.",
"search_id": "d4f5a28c-d889-4692-a8de-073c09d2c469",
"search_name": "Detect Excessive Account Lockouts From Endpoint",
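Review bot: The new `eli5` says hosts with a count "greater than or equal to five" are displayed, but the rewritten `search` ends with `search count > 5`, which drops endpoints with exactly five lockouts; the same mismatch is present in the new `eli5`/`search` pair of escu/searches/detection_excessive_user_account_lockouts.json in this commit. Either the filter becomes `| search count >= 5` or the sentence should say "greater than five"; the old `eli5` carried the same wording, but this commit rewrites that sentence and is the place to settle it. The phrase "under the nodename is `Account_Management` ," in both `eli5` and `how_to_implement` also reads awkwardly and has a stray space before the comma; "under the `Account_Management` nodename," would be clearer.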
16 changes: 8 additions & 8 deletions escu/searches/detection_excessive_user_account_lockouts.json
Expand Up @@ -22,18 +22,18 @@
},
"creation_date": "2017-08-17",
"data_metadata": {
"data_models": [
"Change"
],
"data_source": [
"Windows Event Logs"
],
"data_sourcetypes": [
"WinEventLog:Security"
],
"providing_technologies": [
"Microsoft Windows"
]
},
"eli5": "This search looks for the Windows event code 4740 within your Windows Security Logs, which indicates that an account locked out. It then counts the numbers of times an account has been locked out in a four hour window and displays those accounts with a count greater than five.",
"how_to_implement": "While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows security event logs in order for this search to execute successfully.",
"eli5": "This search queries the `Change.All_Changes` datamodel under the nodename is `Account_Management` , where the result is \"lockout\", which indicates that an account has been locked out. It then counts the number of times a user has caused an account lockout within a four hour window and displays those users with a count greater than or equal to five.",
"how_to_implement": "ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.",
"known_false_positives": "It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.",
"maintainers": [
{
Expand All @@ -53,7 +53,7 @@
"PR.IP"
]
},
"modification_date": "2017-09-23",
"modification_date": "2019-03-01",
"original_authors": [
{
"company": "Splunk",
Expand All @@ -66,8 +66,8 @@
"earliest_time": "-4h@h",
"latest_time": "-10m@m"
},
"search": "sourcetype=WinEventLog:Security EventCode=4740 | stats count min(_time) as firstTime max(_time) as lastTime by user, signature | `ctime(firstTime)` | `ctime(lastTime)` | search count > 5",
"search_description": "This search detects accounts that have been locked out a relatively high number of times in a short period.",
"search": "| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result=\"lockout\" by All_Changes.user All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `ctime(firstTime)` | `ctime(lastTime)` | search count > 5",
"search_description": "This search detects user accounts that have been locked out a relatively high number of times in a short period.",
"search_id": "95a7f9a5-6096-437e-a19e-86f42ac609bd",
"search_name": "Detect Excessive User Account Lockouts",
"search_type": "detection",
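Review bot: The new `how_to_implement` string begins with `ou must ingest` — the leading letter was dropped, so the first sentence should read `You must ingest your Windows security event logs in the Change datamodel under the Account_Management nodename, for this search to execute successfully.` This text is rendered to analysts inside the app, so the truncation will be visible as shipped. The `eli5` on the line above it has the same stray space before the comma in "`Account_Management` ," as its sibling file.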
Expand Up @@ -22,12 +22,12 @@
},
"creation_date": "2018-07-22",
"data_metadata": {
"data_eventtypes": [
"wineventlog_system"
],
"data_source": [
"Windows Event Logs"
],
"data_sourcetypes": [
"WinEventLog:System"
],
"providing_technologies": [
"Microsoft Windows"
]
Expand Down Expand Up @@ -62,7 +62,7 @@
"DE.AE"
]
},
"modification_date": "2018-07-22",
"modification_date": "2019-02-27",
"original_authors": [
{
"company": "Splunk",
Expand All @@ -75,7 +75,7 @@
"earliest_time": "-70m@m",
"latest_time": "-10m@m"
},
"search": "sourcetype=WinEventLog:System EventCode=7036 | rex field=Message \"The (?<serviceName>[\\w\\s-]*) service entered the (?<action>\\w*) state\" | where action=\"running\" | inputlookup append=t previously_seen_running_windows_services | multireport [| stats earliest(eval(coalesce(_time, firstTime))) as firstTime, latest(eval(coalesce(_time, lastTime))) as lastTime by serviceName | outputlookup previously_seen_running_windows_services | where fact=fiction] [| eventstats earliest(eval(coalesce(_time, firstTime))) as firstTime, latest(eval(coalesce(_time, lastTime))) as lastTime by serviceName | where firstTime >= relative_time(now(), \"-60m@m\") AND isnotnull(_time) | stats values(dest) as dest by _time, serviceName] | table _time, serviceName, dest",
"search": "eventtype=wineventlog_system signature_id=7036 | rex field=Message \"The (?<serviceName>[\\w\\s-]*) service entered the (?<action>\\w*) state\" | where action=\"running\" | inputlookup append=t previously_seen_running_windows_services | multireport [| stats earliest(eval(coalesce(_time, firstTime))) as firstTime, latest(eval(coalesce(_time, lastTime))) as lastTime by serviceName | outputlookup previously_seen_running_windows_services | where fact=fiction] [| eventstats earliest(eval(coalesce(_time, firstTime))) as firstTime, latest(eval(coalesce(_time, lastTime))) as lastTime by serviceName | where firstTime >= relative_time(now(), \"-60m@m\") AND isnotnull(_time) | stats values(dest) as dest by _time, serviceName] | table _time, serviceName, dest",
"search_description": "This search looks for the first time a Windows service is seen running in your environment.",
"search_id": "823136f2-d755-4b6d-ae04-372b486a5808",
"search_name": "First Time Seen Running Windows Service",
10 changes: 5 additions & 5 deletions escu/searches/detection_local_admin_account_creation.json
Expand Up @@ -22,12 +22,12 @@
},
"creation_date": "2018-03-26",
"data_metadata": {
"data_eventtypes": [
"wineventlog_security"
],
"data_source": [
"Windows Event Logs"
],
"data_sourcetypes": [
"wineventlog:security"
],
"providing_technologies": [
"Microsoft Windows"
]
Expand Down Expand Up @@ -60,7 +60,7 @@
"DE.CM"
]
},
"modification_date": "2018-03-26",
"modification_date": "2019-02-28",
"original_authors": [
{
"company": "Splunk",
Expand All @@ -73,7 +73,7 @@
"earliest_time": "-1440m@m",
"latest_time": "-10m@m"
},
"search": "sourcetype=wineventlog:security EventCode=4720 OR (EventCode=4732 Group_Name= Administrators) | transaction Security_ID maxspan=180m | search EventCode=4720 EventCode=4732 | table _time user dest EventCode Security_ID Group_Name src_user Message",
"search": "eventtype = wineventlog_security signature_id=4720 OR (signature_id=4732 Group_Name= Administrators) | transaction Security_ID maxspan=180m | search signature_id=4720 signature_id=4732 | table _time user dest signature_id Security_ID Group_Name src_user Message",
"search_description": "This search looks for newly created accounts that have been elevated to local administrators.",
"search_id": "b25f6f62-0712-43c1-b203-083231ffd97d",
"search_name": "Detect New Local Admin account",
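Review bot: The new `search` opens with `eventtype = wineventlog_security` (spaces around `=`) while every other rewritten search in this commit writes `eventtype=wineventlog_security`; SPL tolerates the spaced form, but it breaks the convention, and `Group_Name= Administrators` on the same line has the same uneven spacing. Suggest `eventtype=wineventlog_security signature_id=4720 OR (signature_id=4732 Group_Name=Administrators)` for the leading clause. The implicit AND/OR grouping of that clause is inherited from the old line and not changed here, but if the intent is "security eventtype AND (4720 OR 4732-with-Administrators)", explicit parentheses around the OR would make that unambiguous to the next reader.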
14 changes: 7 additions & 7 deletions escu/searches/detection_powershell_get_sedebug.json
Expand Up @@ -6,7 +6,7 @@
"notable": {
"nes_fields": "user, dest",
"rule_description": "Possible attempt at credential dumping via PowerShell was detected on $dest$ by $user$.",
"rule_title": "Event ID 4703 Specifying PowerShell Acquiring A Token with SeDebugPrivilege Identified on $dest$."
"rule_title": "Event Code 4703 Specifying PowerShell Acquiring A Token with SeDebugPrivilege Identified on $dest$."
},
"risk": {
"risk_object": "dest",
Expand All @@ -22,17 +22,17 @@
},
"creation_date": "2018-08-28",
"data_metadata": {
"data_eventtypes": [
"wineventlog_security"
],
"data_source": [
"Windows Event Logs"
],
"data_sourcetypes": [
"wineventlog:security"
],
"providing_technologies": [
"Microsoft Windows"
]
},
"eli5": "This search looks for Windows Event Code 4703 (token right adjusted), where the process requesting the token change is PowerShell.exe and the requested privilege is \"SeDebugPrivilege\". This is consistent with the use of PowerShell to execute Mimikatz using sekurlsa::logonpasswords. It will return the host where the activity occurred, the process and associated id, the enabled privilege, and the message in the event.",
"eli5": "This search looks for Windows Event Code(signature_id) 4703 (token right adjusted), where the process requesting the token change is PowerShell.exe and the requested privilege is \"SeDebugPrivilege\". This is consistent with the use of PowerShell to execute Mimikatz using sekurlsa::logonpasswords. It will return the host where the activity occurred, the process and associated id, the enabled privilege, and the message in the event.",
"how_to_implement": "You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is \"Administrators\" to be able to look for the right group membership changes.",
"known_false_positives": "The activity may be legitimate. PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.",
"maintainers": [
Expand Down Expand Up @@ -61,7 +61,7 @@
"DE.CM"
]
},
"modification_date": "2018-08-28",
"modification_date": "2019-02-27",
"original_authors": [
{
"company": "Splunk",
Expand All @@ -74,7 +74,7 @@
"earliest_time": "-70m@m",
"latest_time": "-10m@m"
},
"search": "sourcetype=wineventlog:security EventCode=4703 Process_Name=*powershell.exe | rex field=Message \"Enabled Privileges:\\s+(?<privs>\\w+)\\s+Disabled Privileges:\" | where privs=\"SeDebugPrivilege\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as \"Enabled Privilege\" | rename Process_Name as process | `ctime(firstTime)`| `ctime(lastTime)`",
"search": "eventtype=wineventlog_security signature_id=4703 Process_Name=*powershell.exe | rex field=Message \"Enabled Privileges:\\s+(?<privs>\\w+)\\s+Disabled Privileges:\" | where privs=\"SeDebugPrivilege\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as \"Enabled Privilege\" | rename Process_Name as process | `ctime(firstTime)`| `ctime(lastTime)`",
"search_description": "This search looks for PowerShell requesting privileges consistent with credential dumping.",
"search_id": "98917be2-bfc8-475a-8618-a9bb06575188",
"search_name": "Detect Mimikatz Via PowerShell And EventCode 4703",
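Review bot: The new `eli5` reads `Windows Event Code(signature_id) 4703` with no space before the parenthesis, and the commit renames `rule_title` from "Event ID" to "Event Code" while `search_name` on the context line still says `EventCode 4703`, so the three strings now use three spellings for the same thing. Suggest `Windows Event Code (signature_id) 4703` in `eli5` and aligning `search_name` with whichever term is kept. Separately, the unchanged `how_to_implement` beside these lines describes enabling group-membership auditing and the "Administrators" group name, which looks copied from the local-admin-account search and does not explain what produces event 4703; it seems worth checking that it points at the audit setting that generates token-right-adjusted events instead.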