From f32e110c5c089b8dbf48078e7edfb11832262777 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Thu, 24 Oct 2024 16:14:10 -0700
Subject: [PATCH] updating score
---
 contentctl.yml | 6 ++++++
 .../detect_critical_alerts_from_security_tools.yml | 14 +++++++-------
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/contentctl.yml b/contentctl.yml
index 43c4ee9306..9fdb8e316f 100644
--- a/contentctl.yml
+++ b/contentctl.yml
@@ -182,6 +182,12 @@ apps:
 version: 1.4.1
 description: description of app
 hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_141.tgz
+- uid: 6207
+ title: Splunk Add-on for Microsoft Security
+ appid: Splunk_TA_MS_Security
+ version: 2.3.0
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_230.tgz
 - uid: 2734
 title: URL Toolbox
 appid: URL_TOOLBOX
diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
index 54ada8afa3..6b82eba6d4 100644
--- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml
+++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
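Review bot: The new app entry at `uid: 6207` carries the literal placeholder `description: description of app`, copied from the neighbouring entry rather than saying what the add-on is for; a one-line value such as `description: Splunk Add-on for Microsoft Security (Splunk_TA_MS_Security) 2.3.0` would let a reader tell the entries apart without decoding the tarball name. The tarball is referenced by URL alone from the attack-range-appbinaries bucket, matching the surrounding entries; if the apps schema accepts an integrity value (a checksum or pinned object version) it would be worth adding here, though nothing in this hunk shows whether it does.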
@@ -20,12 +20,12 @@ references:
 - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts
 - https://learn.microsoft.com/en-us/defender-endpoint/api/raw-data-export-event-hub
 drilldown_searches:
-- name: View the detection results for $dest$
- search: '%original_detection_search% | search dest = $dest$'
+- name: View the detection results for "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for $dest$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+- name: View risk events for the last 7 days for "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 tags:
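Review bot: The two `name:` values now embed literal double quotes around the token (`View the detection results for "$user$"`), which will appear as quotes in the drilldown label; the `$dest$` names they replace had none. The quoting in the `search:` strings is the part worth keeping, since `user = "$user$"` and `IN ("$user$")` are what stop a username containing a space from splitting the search term. The labels can drop it: `- name: View the detection results for $user$` and `- name: View risk events for the last 7 days for $user$`.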
@@ -35,11 +35,11 @@ tags:
 atomic_guid: []
 confidence: 50
 impact: 50
- message: $severity$ alert for $dest$ from $source$ - $signature$
+ message: $severity$ alert for $user$ from $sourcetype$ - $signature$
 mitre_attack_id: []
 observable:
- - name: dest
- type: Endpoint
+ - name: user
+ type: User
 role:
 - Victim
 product:
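Review bot: The new `message:` references `$sourcetype$` in place of `$source$`, but the detection's `search:` sits outside this hunk, so it is not visible whether `sourcetype` survives to the end of that search; if it is dropped by a final `stats ... by` or a rename, the token renders empty in the risk message. Worth confirming against the search, or carrying the field through its last aggregation. The `observable` swap from `dest`/`Endpoint` to `user`/`User` keeps `role: - Victim`, so risk now attributes to the user alone, which is consistent with the drilldown changes in the previous hunk. Note that `confidence: 50` and `impact: 50` are unchanged here even though the subject line says "updating score".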