
updating score
patel-bhavin committed Oct 24, 2024
1 parent a452d54 commit f32e110
Showing 2 changed files with 13 additions and 7 deletions.
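--- a/contentctl.yml
+++ b/contentctl.yml
@@ -182,6 +182,12 @@ apps:
 version: 1.4.1
 description: description of app
 hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_141.tgz
+- uid: 6207
+title: Splunk Add-on for Microsoft Security
+appid: Splunk_TA_MS_Security
+version: 2.3.0
+description: description of app
+hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_230.tgz
 - uid: 2734
 title: URL Toolbox
 appid: URL_TOOLBOX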
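Review bot: The new `Splunk_TA_MS_Security` entry (uid 6207) is installed from `hardcoded_path` by URL alone, with no checksum or signature recorded, so whatever the attack-range-appbinaries bucket serves at that key is what ends up in the environment. If contentctl's app schema has an integrity field, record the SHA-256 of `splunk-add-on-for-microsoft-security_230.tgz` next to `hardcoded_path`; if it does not, at least mark the gap with `# TODO: pin a digest for this tarball — the bucket URL alone gives no integrity check` so it is not forgotten. The `description: description of app` placeholder copies the neighbouring entry but tells a maintainer nothing; `description: Splunk Add-on for Microsoft Security` would do. This is consistent with the existing entries' shape (uid, title, appid, version, description, hardcoded_path), so no structural concern beyond the missing integrity pin.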
Expand Up @@ -20,12 +20,12 @@ references:
- https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts
- https://learn.microsoft.com/en-us/defender-endpoint/api/raw-data-export-event-hub
drilldown_searches:
- name: View the detection results for $dest$
search: '%original_detection_search% | search dest = $dest$'
- name: View the detection results for "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $dest$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- name: View risk events for the last 7 days for "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
Expand All @@ -35,11 +35,11 @@ tags:
atomic_guid: []
confidence: 50
impact: 50
message: $severity$ alert for $dest$ from $source$ - $signature$
message: $severity$ alert for $user$ from $sourcetype$ - $signature$
mitre_attack_id: []
observable:
- name: dest
type: Endpoint
- name: user
type: User
role:
- Victim
product:
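Review bot: The drilldown and risk-event searches now interpolate `$user$` inside double quotes (`search user = "$user$"` and `normalized_risk_object IN ("$user$")`), and Microsoft Security alert data commonly carries domain-qualified accounts such as `DOMAIN\user`; a backslash inside a double-quoted SPL string is treated as an escape, so such values may fail to match unless the token is escaped before substitution. Worth confirming against a sample event, and if it does not match, using the `$user|s$` token filter where the drilldown renderer supports it or keeping the comparison unquoted as the old `$dest$` drilldown did. The `message` now references `$sourcetype$` and the observable requires a `user` field, both of which the detection search must emit for the tokens to resolve; that search sits outside this hunk so it cannot be verified here. The observable keeps `role: Victim`, which fits a compromised-account alert but should be reconsidered if some of these Defender signals describe the acting account rather than the targeted one.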
