
Add Detection for Inactive Users with a Certain Period Who Suddenly Have Activity #3159

Closed

zake1god

@zake1god zake1god commented Oct 13, 2024

Details

This PR introduces a new detection, "Detection for Inactive Users with a Certain Period Who Suddenly Have Activity", under the Network category. The detection identifies users who have not logged in for an extended period (over 30 days), based on network traffic logs. The detection uses the Network_Traffic data model to calculate the inactivity period and flag inactive users.

No changes to lookups or additional dependencies are required for this detection.

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature.
    Filename: network_inactivity_detection.yml
  • CI/CD jobs passed ✔️
  • Validated SPL logic. ✔️
  • Validated tags, description, and how to implement.
    • Tags: T1078, network, inactivity
    • Description: Monitors for inactive users over a 30-day period.
    • How to implement: Ensure the Network_Traffic data model is populated.
  • Verified references match analytic.
    • References: MITRE ATT&CK T1078 (Valid Accounts)
  • Confirm updates to lookups are handled properly.
    • No lookup updates required.

Notes for Submitters and Reviewers

  • The detection is focused on identifying inactive users based on extended inactivity in network traffic logs. Please validate that the SPL logic matches the expected behavior.
  • No changes to lookup files were made. The detection should work without additional dependencies.
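The PR itself carries no SPL on this page, so the following is an added example, not the submitter's detection or anything from the security_content repository. It implements the logic the description states (an account that has been silent for more than 30 days and then produces network traffic again) in Python over constructed records. The field names `_time`, `user`, `src` and `dest` are assumed to mirror the CIM Network_Traffic data model; the sample events are constructed for illustration.

```python
"""Dormant-account reactivation check over Network_Traffic-style records.

Added example; not the PR's SPL. Field names (_time, user, src, dest) are an
assumption modelled on the CIM Network_Traffic data model, and the events
below are constructed test data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# (_time as ISO-8601, user, src, dest) -- constructed sample records
Event = Tuple[str, str, str, str]

SAMPLE_EVENTS: List[Event] = [
    ("2024-08-01T09:00:00", "alice", "10.0.0.5", "10.0.1.20"),
    ("2024-08-02T09:05:00", "alice", "10.0.0.5", "10.0.1.20"),
    ("2024-09-20T11:00:00", "alice", "10.0.0.5", "10.0.1.20"),   # 49-day gap
    ("2024-08-01T08:00:00", "bob", "10.0.0.7", "10.0.1.30"),
    ("2024-08-15T08:00:00", "bob", "10.0.0.7", "10.0.1.30"),     # 14-day gap
    ("2024-10-13T02:00:00", "carol", "203.0.113.9", "10.0.1.40"),  # first ever seen
]


@dataclass(frozen=True)
class Reactivation:
    """One account that resumed activity after exceeding the inactivity threshold."""
    user: str
    last_seen: datetime      # the last event before the silence
    resumed_at: datetime     # the event that broke the silence
    gap: timedelta           # length of the silence
    src: str                 # source of the resuming event
    dest: str                # destination of the resuming event


def detect_reactivation(events: Iterable[Event],
                        inactivity_days: int = 30) -> List[Reactivation]:
    """Flag every event that follows a per-user gap longer than inactivity_days.

    Events may arrive in any order; they are sorted by (user, time) so that each
    record is compared with the same user's immediately preceding record. A
    user's first record in the window has no predecessor and is never flagged:
    a brand-new account is a different case from a dormant one waking up.
    """
    threshold = timedelta(days=inactivity_days)
    parsed = sorted(
        ((datetime.fromisoformat(t), user, src, dest) for t, user, src, dest in events),
        key=lambda e: (e[1], e[0]),
    )

    findings: List[Reactivation] = []
    prev_user = None
    prev_time = None
    for when, user, src, dest in parsed:
        if user == prev_user and prev_time is not None and when - prev_time > threshold:
            findings.append(Reactivation(user, prev_time, when, when - prev_time, src, dest))
        prev_user, prev_time = user, when
    return findings


if __name__ == "__main__":
    for f in detect_reactivation(SAMPLE_EVENTS):
        print(f"{f.user}: silent {f.gap.days} days, resumed {f.resumed_at.isoformat()} "
              f"from {f.src} to {f.dest}")
```

Two points for anyone porting this to SPL: the search window must reach back further than the threshold, otherwise every user's earliest event inside the window looks like a first sighting and no gap can be measured; and the per-user "previous timestamp" comparison is what `streamstats current=f window=1` carries forward in Splunk. Tuning the threshold is a single parameter here, as it would be in the saved search.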

@zake1god zake1god changed the title Add Detection for Inactive Users with Extended Inactivity Period Add Detection for Inactive Users with a Certain Period Who Suddenly Have Activity Oct 13, 2024
…enly_have_activity.yml to detections/network/
@zake1god
Author

Downloading latest ESCU build from Splunkbase to serve as previous build during validation...
Latest release downloaded from Splunkbase to: downloads/splunk-es-content-update_4410.tgz

Detection Metadata Validation:
❌ ESCU - Detect Risky SPL using Pretrained ML Model - Rule
🔸 Detection from previous build not found in current build.
❌ ESCU - Path traversal SPL injection - Rule
🔸 Detection from previous build not found in current build.
❌ ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule
🔸 Detection from previous build not found in current build. , etc..

Can anyone help me with this issue? I only want to contribute my logic to Research Splunk. Would you please fix this? I downloaded the latest splunk-es-content-update_4410.tgz but I still can't find that metadata @patel-bhavin @ljstella

@zake1god zake1god closed this Oct 14, 2024
@ljstella
Contributor

@zake1god these issues will be fixed once we get #3149 merged. If you want to open a new PR or re-open this one, there were a few other issues in your changes that we wanted to fix up.

@zake1god
Author

> @zake1god these issues will be fixed once we get #3149 merged. If you want to open a new PR or re-open this one, there were a few other issues in your changes that we wanted to fix up.

I will create a new one; there are too many errors since I wanted to fix it alone. Thank you for your reply, I will push a new, fresh and clean one.
