Add Detection for Inactive Users with a Certain Period Who Suddenly Have Activity #3159

21,503 changes: 21,503 additions & 0 deletions app_template/default/analyticstories.conf


17 changes: 14 additions & 3 deletions app_template/default/app.conf
@@ -1,13 +1,21 @@
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:57 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
## Splunk app configuration file

[install]
is_configured = false
state = enabled
state_change_requires_restart = false
build = 16367
build = 20240926154241

[triggers]
reload.analytic_stories = simple
reload.usage_searches = simple
reload.use_case_library = simple
reload.correlationsearches = simple
reload.analyticstories = simple
Expand All @@ -19,12 +27,15 @@ reload.es_investigations = simple

[launcher]
author = Splunk
version = 4.9.0
version = 4.41.0
description = Explore the Analytic Stories included with ES Content Updates.

[ui]
is_visible = true
label = ES Content Updates
label = ES Content Updates

[package]
id = DA-ESS-ContentUpdate



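--- a/app_template/default/collections.conf
+++ b/app_template/default/collections.conf
@@ -0,0 +1,104 @@
+#############
+# Automatically generated by 'contentctl build' from
+# https://github.com/splunk/contentctl
+# On Date: 2024-09-26T15:42:57 UTC
+# Author: Splunk Threat Research Team - Splunk
+# Contact: [email protected]
+#############
+
+[api_call_by_user_baseline]
+enforceTypes = false
+replicate = false
+
+[cloud_instances_enough_data]
+enforceTypes = false
+replicate = false
+
+[k8s_container_network_io_baseline]
+enforceTypes = false
+replicate = false
+
+[k8s_container_network_io_ratio_baseline]
+enforceTypes = false
+replicate = false
+
+[k8s_process_resource_baseline]
+enforceTypes = false
+replicate = false
+
+[k8s_process_resource_ratio_baseline]
+enforceTypes = false
+replicate = false
+
+[previously_seen_api_calls_from_user_roles]
+enforceTypes = false
+replicate = false
+
+[previously_seen_aws_cross_account_activity]
+enforceTypes = false
+replicate = false
+
+[previously_seen_aws_regions]
+enforceTypes = false
+replicate = false
+
+[previously_seen_cloud_api_calls_per_user_role]
+enforceTypes = false
+replicate = false
+
+[previously_seen_cloud_compute_creations_by_user]
+enforceTypes = false
+replicate = false
+
+[previously_seen_cloud_compute_images]
+enforceTypes = false
+replicate = false
+
+[previously_seen_cloud_compute_instance_types]
+enforceTypes = false
+replicate = false
+
+[previously_seen_cloud_instance_modifications_by_user]
+enforceTypes = false
+replicate = false
+
+[previously_seen_cloud_provisioning_activity_sources]
+enforceTypes = false
+replicate = false
+
+[previously_seen_cloud_regions]
+enforceTypes = false
+replicate = false
+
+[previously_seen_gcp_storage_access_from_remote_ip]
+enforceTypes = false
+replicate = false
+
+[previously_seen_running_windows_services]
+enforceTypes = false
+replicate = false
+
+[previously_seen_S3_access_from_remote_ip]
+enforceTypes = false
+replicate = false
+
+[previously_seen_users_console_logins]
+enforceTypes = false
+replicate = false
+
+[remote_access_software_exceptions]
+enforceTypes = false
+replicate = false
+
+[s3_deletion_baseline]
+enforceTypes = false
+replicate = false
+
+[security_group_activity_baseline]
+enforceTypes = false
+replicate = false
+
+[zoom_first_time_child_process]
+enforceTypes = false
+replicate = false
+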
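--- a/app_template/default/content-version.conf
+++ b/app_template/default/content-version.conf
@@ -1,2 +1,9 @@
+#############
+# Automatically generated by 'contentctl build' from
+# https://github.com/splunk/contentctl
+# On Date: 2024-09-26T15:42:57 UTC
+# Author: Splunk Threat Research Team - Splunk
+# Contact: [email protected]
+#############
 [content-version]
-version = 4.9.0
+version = 4.41.0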
Empty file.
@@ -0,0 +1,18 @@
<!--
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:58 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
-->
<panel>
<table>
<search>
<query>| search `netbackup` dest=$dest$</query>
</search>
<option name="drilldown">cell</option>
<option name="wrap">false</option>
</table>
</panel>
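Review bot: The `dest=$dest$` token on the `<query>` line is substituted into the SPL as a bare string, so a drilldown value containing spaces, quotes or a pipe character either breaks the search or alters what it runs; the token should be passed through the quoting filter, `<query>| search `netbackup` dest=$dest|s$</query>`, so the value arrives as a quoted literal. The same unquoted form appears in the other panel files of this PR (`src_ip=$src_ip$`, `accessKeyId=$accessKeyId$`, `user=$user$`, `networkAclId=$networkAclId$`, `resourceId=$resourceId$`, `bucketName=$bucketName$`, `City=$City$`, `Country=$Country$`). Since the header marks this file as output of `contentctl build`, the change belongs in the panel source or the generator rather than in this generated XML.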
@@ -0,0 +1,18 @@
<!--
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:58 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
-->
<panel>
<table>
<search>
<query>`aws_cloudwatchlogs_eks` |rename sourceIPs{} as src_ip |search src_ip=$src_ip$ | stats count min(_time) as firstTime max(_time) as lastTime values(user.username) values(requestURI) values(verb) values(userAgent) by source annotations.authorization.k8s.io/decision src_ip</query>
</search>
<option name="drilldown">cell</option>
<option name="wrap">false</option>
</table>
</panel>
@@ -0,0 +1,18 @@
<!--
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:58 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
-->
<panel>
<table>
<search>
<query>`aws_securityhub_firehose` "findings{}.Resources{}.Type"=AWSEC2Instance | rex field=findings{}.Resources{}.Id .*instance/(?&lt;instance&gt;.*)| rename instance as dest| search dest = $dest$ |rename findings{}.* as * | rename Remediation.Recommendation.Text as Remediation | table dest Title ProductArn Description FirstObservedAt RecordState Remediation</query>
</search>
<option name="drilldown">cell</option>
<option name="wrap">false</option>
</table>
</panel>
@@ -0,0 +1,18 @@
<!--
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:58 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
-->
<panel>
<table>
<search>
<query>`cloudtrail` | rename userIdentity.accessKeyId as accessKeyId| search accessKeyId=$accessKeyId$ | spath output=user path=userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, awsRegion, eventName, errorCode, errorMessage</query>
</search>
<option name="drilldown">cell</option>
<option name="wrap">false</option>
</table>
</panel>
@@ -0,0 +1,18 @@
<!--
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:58 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
-->
<panel>
<table>
<search>
<query>`cloudtrail` | search user=$user$| table _time userIdentity.type userIdentity.userName userIdentity.arn aws_account_id src awsRegion eventName eventType</query>
</search>
<option name="drilldown">cell</option>
<option name="wrap">false</option>
</table>
</panel>
@@ -0,0 +1,18 @@
<!--
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:58 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
-->
<panel>
<table>
<search>
<query>`aws_description` | rename id as networkAclId | search networkAclId=$networkAclId$ | table id account_id vpc_id network_acl_entries{}.*</query>
</search>
<option name="drilldown">cell</option>
<option name="wrap">false</option>
</table>
</panel>
@@ -0,0 +1,18 @@
<!--
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:58 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
-->
<panel>
<table>
<search>
<query>`aws_config` resourceId=$resourceId$ | table _time ARN relationships{}.resourceType relationships{}.name relationships{}.resourceId configuration.privateIpAddresses{}.privateIpAddress configuration.privateIpAddresses{}.association.publicIp</query>
</search>
<option name="drilldown">cell</option>
<option name="wrap">false</option>
</table>
</panel>
@@ -0,0 +1,18 @@
<!--
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:58 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
-->
<panel>
<table>
<search>
<query>`aws_config` | rename resourceId as bucketName |search bucketName=$bucketName$ | table resourceCreationTime bucketName vendor_region action aws_account_id supplementaryConfiguration.AccessControlList</query>
</search>
<option name="drilldown">cell</option>
<option name="wrap">false</option>
</table>
</panel>
@@ -0,0 +1,18 @@
<!--
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:58 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
-->
<panel>
<table>
<search>
<query>`google_gcp_pubsub_message` | rename data.protoPayload.requestMetadata.callerIp as src_ip | search src_ip =$src_ip$ | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_names values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent values(data.protoPayload.authenticationInfo.principalEmail) as user values(data.protoPayload.status.message) by src_ip data.resource.labels.cluster_name data.resource.type</query>
</search>
<option name="drilldown">cell</option>
<option name="wrap">false</option>
</table>
</panel>
@@ -0,0 +1,18 @@
<!--
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:58 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
-->
<panel>
<table>
<search>
<query>`cloudtrail` | iplocation sourceIPAddress | search City=$City$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, City, user, userName, userType, src_ip, awsRegion, eventName, errorCode</query>
</search>
<option name="drilldown">cell</option>
<option name="wrap">false</option>
</table>
</panel>
@@ -0,0 +1,18 @@
<!--
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:58 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
-->
<panel>
<table>
<search>
<query>`cloudtrail` | iplocation sourceIPAddress | search Country=$Country$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, Country, user, userName, userType, src_ip, awsRegion, eventName, errorCode</query>
</search>
<option name="drilldown">cell</option>
<option name="wrap">false</option>
</table>
</panel>
@@ -0,0 +1,18 @@
<!--
#############
# Automatically generated by 'contentctl build' from
# https://github.com/splunk/contentctl
# On Date: 2024-09-26T15:42:58 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
-->
<panel>
<table>
<search>
<query>`cloudtrail` | iplocation sourceIPAddress | search src_ip=$src_ip$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, user, userName, userType, src_ip, awsRegion, eventName, errorCode</query>
</search>
<option name="drilldown">cell</option>
<option name="wrap">false</option>
</table>
</panel>