From 817f0fe0d239d9989cded536ed67a90192446b5d Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 24 Oct 2024 15:41:04 -0700 Subject: [PATCH 01/12] updating the detection --- ...ct_critical_alerts_from_security_tools.yml | 26 ++++++++++++------- 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
index b176c39e52..54ada8afa3 100644
--- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml
+++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
@@ -2,15 +2,17 @@ name: Detect Critical Alerts from Security Tools
 id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd
 version: 1
 date: '2024-10-09'
-author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Splunk
+author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Bryan Pluta, Splunk
 status: production
 type: TTP
 data_source:
 - Windows Defender Alerts
 description: The following analytics is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model.
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.signature Alerts.app, Alerts.severity, Alerts.description, source, Alerts.id, Alerts.dest
- | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
- | `detect_critical_alerts_from_security_tools_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.dest) as dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype
+| `drop_dm_object_name("Alerts")`
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| eval risk_score=case(severity="informational", 2, severity="low", 5, severity="medium", 10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`'
 how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary.
 known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment.
 references:
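Review bot: The split-by clause on the added search line, `by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype`, silently discards any high/critical alert in which one of those fields is empty, because tstats drops events that lack a value for a group-by field; a host-only alert with no `Alerts.user`, or an alert with no `Alerts.src`, would never reach the risk index even though the detection's stated purpose is to surface every high/critical alert. Either add `fillnull_value="unknown"` to the tstats call or keep only fields every alert is guaranteed to carry in the by clause and move the optional ones into the `values()` list. Separately, the added `eval risk_score=case(...)` has no default branch and compares `severity` case-sensitively, while the `where Alerts.severity IN ("high","critical")` filter already makes the informational/low/medium arms unreachable; if a source reports `High` (the example log added later in this series does), case handling differs between the tstats filter and the eval, so the alert is either dropped or scored null. `| eval risk_score=case(lower(severity)="critical", 100, lower(severity)="high", 50, true(), 50)` covers both, and since `severity` comes from `values()` it may be multivalued on this line, which is worth confirming against the risk-scoring behaviour.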
@@ -31,11 +33,10 @@ tags:
 - Critical Alerts
 asset_type: Endpoint
 atomic_guid: []
- confidence: 90
- impact: 90
+ confidence: 50
+ impact: 50
 message: $severity$ alert for $dest$ from $source$ - $signature$
- mitre_attack_id:
- - T1484
+ mitre_attack_id: []
 observable:
 - name: dest
 type: Endpoint
@@ -49,11 +50,16 @@ tags:
 - _time
 - app
 - name
- risk_score: 81
+ risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/AdvancedHunting.log
 source: eventhub://windowsdefenderlogs
- sourcetype: mscs:azure:eventhub:defender:advancedhunting
\ No newline at end of file
+ sourcetype: mscs:azure:eventhub:defender:advancedhunting
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_incident_alerts.json
+ source: m365_defender_incident_alerts
+ sourcetype: ms365:defender:incident:alerts
\ No newline at end of file
From f32e110c5c089b8dbf48078e7edfb11832262777 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 24 Oct 2024 16:14:10 -0700 Subject: [PATCH 02/12] updating score --- contentctl.yml | 6 ++++++ .../detect_critical_alerts_from_security_tools.yml | 14 +++++++------- 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/contentctl.yml b/contentctl.yml
index 43c4ee9306..9fdb8e316f 100644
--- a/contentctl.yml
+++ b/contentctl.yml
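Review bot: The test added at the end of the tests hunk reuses the existing name, `- name: True Positive Test`, so a failing run cannot say which of the two datasets broke; give each test its source, for example `- name: True Positive Test - M365 Defender Incident Alerts` for the new one. The same duplicate pair survives the comment-out and restore round trip in the tests hunks of PATCH 03/12 and PATCH 06/12, so renaming once here carries through the series.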
@@ -182,6 +182,12 @@ apps:
 version: 1.4.1
 description: description of app
 hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_141.tgz
+- uid: 6207
+ title: Splunk Add-on for Microsoft Security
+ appid: Splunk_TA_MS_Security
+ version: 2.3.0
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_230.tgz
 - uid: 2734
 title: URL Toolbox
 appid: URL_TOOLBOX
diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
index 54ada8afa3..6b82eba6d4 100644
--- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml
+++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
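Review bot: The new app entry copies the placeholder `description: description of app` from the entry above it; since this list decides which add-ons the test environment installs, a one-line real description such as `description: Ingests ms365:defender:incident:alerts used by the critical-alerts detection` helps whoever audits the app list later. The `hardcoded_path` identifies the mirrored tarball only by its version in the filename; if the app schema allows it, recording the Splunkbase release checksum beside the URL makes the mirror verifiable, otherwise note in the entry where the mirror is refreshed from.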
@@ -20,12 +20,12 @@ references:
 - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts
 - https://learn.microsoft.com/en-us/defender-endpoint/api/raw-data-export-event-hub
 drilldown_searches:
-- name: View the detection results for $dest$
- search: '%original_detection_search% | search dest = $dest$'
+- name: View the detection results for "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for $dest$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+- name: View risk events for the last 7 days for "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 tags:
@@ -35,11 +35,11 @@ tags:
 atomic_guid: []
 confidence: 50
 impact: 50
- message: $severity$ alert for $dest$ from $source$ - $signature$
+ message: $severity$ alert for $user$ from $sourcetype$ - $signature$
 mitre_attack_id: []
 observable:
- - name: dest
- type: Endpoint
+ - name: user
+ type: User
 role:
 - Victim
 product:
From c67f17a7eebadddb3ab46bd8a23301296d4625a5 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 24 Oct 2024 16:38:30 -0700 Subject: [PATCH 03/12] comment --- .../detect_critical_alerts_from_security_tools.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
index 6b82eba6d4..5df1724f8a 100644
--- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml
+++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
@@ -53,11 +53,11 @@ tags:
 risk_score: 25
 security_domain: endpoint
 tests:
-- name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/AdvancedHunting.log
- source: eventhub://windowsdefenderlogs
- sourcetype: mscs:azure:eventhub:defender:advancedhunting
+# - name: True Positive Test
+# attack_data:
+# - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/AdvancedHunting.log
+# source: eventhub://windowsdefenderlogs
+# sourcetype: mscs:azure:eventhub:defender:advancedhunting
 - name: True Positive Test
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_incident_alerts.json
From dfe604d4434a74c77a031b56c5b411bcf72edcf6 Mon Sep 17 00:00:00 2001
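Review bot: The rewritten `message: $severity$ alert for $user$ from $sourcetype$ - $signature$` now shows a Splunk sourcetype where an analyst expects the product that raised the alert; `Alerts.vendor` is already in the search's by clause, so `from $vendor$` reads better and is guaranteed single-valued per row. `severity` and `signature` are `values()` aggregates in the search, so when one user accumulates several distinct alerts in the window the message renders multivalue lists; confirm that is the intended notable text, or pick a single representative value for the message fields.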
From: research-bot Date: Tue, 29 Oct 2024 09:59:20 -0700 Subject: [PATCH 04/12] updating detection --- ...ct_critical_alerts_from_security_tools.yml | 19 ++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
index 5df1724f8a..1454828b9b 100644
--- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml
+++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
@@ -13,7 +13,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
 | eval risk_score=case(severity="informational", 2, severity="low", 5, severity="medium", 10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`'
-how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary.
+how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. The risk_score field is used to calculate the risk score for the alerts and the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework is dynamically created by the detection when this is triggered. These fields need not be set in the adaptive response actions.
 known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment.
 references:
 - https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/accessing-microsoft-defender-for-cloud-alerts-in-splunk-using/ba-p/938228
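Review bot: The sentence added to `how_to_implement` is grammatically broken ("...the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework is dynamically created...") and the pre-existing "you to ingest" typo is carried over, so the guidance that is meant to stop operators from hand-setting these fields reads ambiguously. Suggested wording for the new part: `The risk_score and mitre_technique_id fields used for risk scoring and ATT&CK mapping are created dynamically by the detection when it triggers, so they do not need to be set in the adaptive response actions.`, and `you need to ingest alerts data` for the opening clause.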
@@ -25,7 +25,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 tags:
@@ -47,9 +47,18 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 required_fields:
- - _time
- - app
- - name
+ - Alerts.description
+ - Alerts.mitre_technique_id
+ - Alerts.severity
+ - Alerts.type
+ - Alerts.severity_id
+ - Alerts.signature
+ - Alerts.dest
+ - Alerts.src
+ - Alerts.user
+ - Alerts.id
+ - Alerts.vendor
+ - sourcetype
 risk_score: 25
 security_domain: endpoint
 tests:
From 06fb9c4aa7c5441572db93145cc3a26b879a24a2 Mon Sep 17 00:00:00 2001 From: research-bot Date: Tue, 29 Oct 2024 09:59:36 -0700 Subject: [PATCH 05/12] txt --- .../endpoint/detect_critical_alerts_from_security_tools.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
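Review bot: The rewritten `required_fields` list in the second hunk drops `_time` even though the search still computes `min(_time) as firstTime max(_time) as lastTime`, so the list no longer describes everything the search reads; keep `- _time` alongside the `Alerts.*` entries. The list now mirrors the search field by field, which means every later change to the `values()` or `by` lists needs a matching edit here; PATCH 10/12 already adds `Alerts.signature_id` to the search without one.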
diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
index 1454828b9b..584d3aae13 100644
--- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml
+++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
@@ -69,6 +69,6 @@ tests:
 # sourcetype: mscs:azure:eventhub:defender:advancedhunting
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_incident_alerts.json
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_incident_alerts.txt
 source: m365_defender_incident_alerts
 sourcetype: ms365:defender:incident:alerts
\ No newline at end of file
From 7aa3ee68012c59cfe205d5c35bae1bf9882f62be Mon Sep 17 00:00:00 2001 From: research-bot Date: Tue, 29 Oct 2024 10:11:24 -0700 Subject: [PATCH 06/12] adding data source --- .../ms365_defender_incident_alerts.yml | 175 ++++++++++++++++++ ...ct_critical_alerts_from_security_tools.yml | 11 +- 2 files changed, 181 insertions(+), 5 deletions(-) create mode 100644 data_sources/ms365_defender_incident_alerts.yml
diff --git a/data_sources/ms365_defender_incident_alerts.yml b/data_sources/ms365_defender_incident_alerts.yml new file mode 100644
index 0000000000..fcb7876c85
--- /dev/null
+++ b/data_sources/ms365_defender_incident_alerts.yml
@@ -0,0 +1,175 @@ +name: MS365 Defender Incident Alerts +id: 12345678-90ab-cdef-1234-567890abcdef +version: 1 +date: '2024-07-18' +author: Bhavin Patel, Splunk +description: Data source object for MS365 Defender Incident Alerts +source: ms365_defender_incident_alerts +sourcetype: ms365:defender:incident:alerts +supported_TA: +- name: Splunk Add-on for Microsoft Security + url: https://splunkbase.splunk.com/app/6207 + version: 2.3.0 +fields: +- actorName +- alertId +- app +- assignedTo +- body +- category +- classification +- creationTime +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- description +- dest +- detectionSource +- detectorId +- determination +- devices{}.aadDeviceId +- devices{}.defenderAvStatus +- devices{}.deviceDnsName +- devices{}.firstSeen +- devices{}.healthStatus +- devices{}.loggedOnUsers{}.accountName +- devices{}.loggedOnUsers{}.domainName +- devices{}.mdatpDeviceId +- devices{}.onboardingStatus +- devices{}.osBuild +- devices{}.osPlatform +- devices{}.osProcessor +- devices{}.rbacGroupName +- devices{}.riskScore +- devices{}.version +- devices{}.vmMetadata +- devices{}.vmMetadata.cloudProvider +- devices{}.vmMetadata.resourceId +- devices{}.vmMetadata.subscriptionId +- devices{}.vmMetadata.vmId +- entities{}.aadUserId +- entities{}.accountName +- entities{}.applicationId +- entities{}.applicationName +- entities{}.detectionStatus +- entities{}.deviceId +- entities{}.domainName +- entities{}.entityType +- entities{}.evidenceCreationTime +- entities{}.fileName +- entities{}.filePath +- entities{}.ipAddress +- entities{}.parentProcessCreationTime +- entities{}.parentProcessFileName +- entities{}.parentProcessFilePath +- entities{}.parentProcessId +- entities{}.processCommandLine +- entities{}.processCreationTime +- entities{}.processId +- entities{}.remediationStatus +- entities{}.remediationStatusDetails +- entities{}.sha1 +- entities{}.sha256 +- entities{}.userPrincipalName +- 
entities{}.userSid +- entities{}.verdict +- eventtype +- firstActivity +- host +- id +- incidentId +- index +- investigationId +- investigationState +- lastActivity +- lastUpdatedTime +- linecount +- mitreTechniques{} +- mitre_technique_id +- providerAlertId +- resolvedTime +- serviceSource +- severity +- signature +- signature_id +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- status +- subject +- tag +- tag::app +- tag::eventtype +- threatFamilyName +- timeendpos +- timestartpos +- title +- type +- user +- user_name +- _bkt +- _cd +- _eventtype_color +- _indextime +- _raw +- _serial +- _si +- _sourcetype +- _subsecond +- _time +example_log: | + { + "alertId": "da638001130101730338_582949328", + "providerAlertId": "da638001130101730338_582949328", + "incidentId": 486, + "serviceSource": "MicrosoftDefenderForEndpoint", + "creationTime": "2022-09-30T05:36:50.1732198Z", + "lastUpdatedTime": "2022-11-19T01:35:42.7033333Z", + "resolvedTime": "2022-10-01T01:36:00.5066667Z", + "firstActivity": "2022-09-30T05:06:43.8196597Z", + "lastActivity": "2022-09-30T05:06:43.8196597Z", + "title": "Suspicious URL clicked", + "description": "A user opened a potentially malicious URL. 
This alert was triggered based on a Microsoft Defender for Office 365 alert.", + "category": "InitialAccess", + "status": "Resolved", + "severity": "High", + "investigationId": null, + "investigationState": "UnsupportedAlertType", + "classification": "TruePositive", + "determination": "SecurityTesting", + "detectionSource": "MTP", + "detectorId": "359b36eb-337c-4f1c-b280-8c5e08f9c4a0", + "assignedTo": "msftadmin@msdxv2.m365dpoc.com", + "actorName": null, + "threatFamilyName": null, + "mitreTechniques": [ + "T1566.002" + ], + "devices": [ + { + "mdatpDeviceId": "c7e147cb0eb3534a4dcea5acb8e61c933713b145", + "aadDeviceId": null, + "deviceDnsName": "msdxv2-win10v.msdxv2.m365dpoc.com", + "osPlatform": "Windows10", + "version": "1809", + "osProcessor": "x64", + "osBuild": 17763, + "healthStatus": "Active", + "riskScore": "High", + "rbacGroupName": "Full Auto Clients", + "firstSeen": "2022-08-08T08:51:02.455Z", + "tags": [ + "Full auto" + ], + "defenderAvStatus": "Updated", + "onboardingStatus": "Onboarded", + "vmMetadata": { + "vmId": "17881b39-b03f-4a2c-9b56-078be1330bd0", + "cloudProvider": "Unknown", \ No newline at end of file diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml index 584d3aae13..27cf28d922 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml 
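Review bot: The new data source's `id: 12345678-90ab-cdef-1234-567890abcdef` is a hand-typed placeholder rather than a generated UUID, and if content ids are validated for uniqueness any other file created from the same template collides with it; replace it with a freshly generated value, `id: <GENERATED-UUID4>` from `uuidgen`. The `date: '2024-07-18'` predates every commit in this series, which suggests it was copied along with the id, so both are worth confirming before merge. The `example_log` block also carries tenant-identifying values (subscription and resource ids, a user principal name, an Entra object id); PATCH 08/12 renames some of them, and a consistent scrub is raised there.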
@@ -7,6 +7,7 @@ status: production
 type: TTP
 data_source:
 - Windows Defender Alerts
+- MS365 Defender Incident Alerts
 description: The following analytics is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.dest) as dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype
 | `drop_dm_object_name("Alerts")`
@@ -62,11 +63,11 @@ tags:
 risk_score: 25
 security_domain: endpoint
 tests:
-# - name: True Positive Test
-# attack_data:
-# - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/AdvancedHunting.log
-# source: eventhub://windowsdefenderlogs
-# sourcetype: mscs:azure:eventhub:defender:advancedhunting
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/AdvancedHunting.log
+ source: eventhub://windowsdefenderlogs
+ sourcetype: mscs:azure:eventhub:defender:advancedhunting
 - name: True Positive Test
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_incident_alerts.txt
From 5e0afc519e00f3b962b221f06f67ffb107e84f0b Mon Sep 17 00:00:00 2001 From: research-bot Date: Tue, 29 Oct 2024 10:14:32 -0700 Subject: [PATCH 07/12] update example log --- .../ms365_defender_incident_alerts.yml | 61 ++++++++++++++++++- 1 file changed, 60 insertions(+), 1 deletion(-)
diff --git a/data_sources/ms365_defender_incident_alerts.yml b/data_sources/ms365_defender_incident_alerts.yml
index fcb7876c85..2602fa5989 100644
--- a/data_sources/ms365_defender_incident_alerts.yml
+++ b/data_sources/ms365_defender_incident_alerts.yml
@@ -172,4 +172,63 @@ example_log: | "onboardingStatus": "Onboarded", "vmMetadata": { "vmId": "17881b39-b03f-4a2c-9b56-078be1330bd0", - "cloudProvider": "Unknown", \ No newline at end of file + "cloudProvider": "Unknown", + "resourceId": "/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10V", + "subscriptionId": "29e73d07-8740-4164-a257-592a19a7b77c" + }, + "loggedOnUsers": [ + { + "accountName": "jeff", + "domainName": "MSDXV2" + } + ] + } + ], + "entities": [ + { + "entityType": "Process", + "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", + "verdict": "Suspicious", + "remediationStatus": "None", + "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c", + "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c", + "fileName": "powershell.exe", + "filePath": "", + "processId": 7068, + "processCommandLine": "powershell.exe -command \" $Process = New-Object System.Diagnostics.Process; $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Cjeff%40msdxv2.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0'; $Process.StartInfo.UseShellExecute = $true; $Process.Start() | Out-Null; \" ", + "processCreationTime": "2022-09-30T05:06:43.3390523Z", + "parentProcessId": 7116, + "parentProcessCreationTime": "2022-09-30T05:06:43.3100364Z", + "accountName": "jeff", + "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104" + }, + { + "entityType": "File", + "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", + "verdict": "Suspicious", + "remediationStatus": "None", + "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c", + "sha256": 
"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c", + "fileName": "powershell.exe", + "filePath": "" + }, + { + "entityType": "User", + "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", + "verdict": "Suspicious", + "remediationStatus": "None", + "accountName": "jeff", + "domainName": "msdxv2.m365dpoc", + "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104", + "aadUserId": "e848b07a-87af-4448-9979-09f0b809c8d4", + "userPrincipalName": "jeff@msdxv2.m365dpoc.com" + }, + { + "entityType": "Url", + "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", + "verdict": "Suspicious", + "remediationStatus": "None", + "url": "http://gcajebahdi.corporatelogon.xyz/ab/jnkmbkkdnlgedc" + } + ] + } \ No newline at end of file From b640a7675c6349d5cf814316f6cd665136cd075a Mon Sep 17 00:00:00 2001 From: research-bot Date: Tue, 29 Oct 2024 10:16:27 -0700 Subject: [PATCH 08/12] data clean --- data_sources/ms365_defender_incident_alerts.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/data_sources/ms365_defender_incident_alerts.yml b/data_sources/ms365_defender_incident_alerts.yml index 2602fa5989..09eeec400b 100644 --- a/data_sources/ms365_defender_incident_alerts.yml +++ b/data_sources/ms365_defender_incident_alerts.yml @@ -146,7 +146,7 @@ example_log: | "determination": "SecurityTesting", "detectionSource": "MTP", "detectorId": "359b36eb-337c-4f1c-b280-8c5e08f9c4a0", - "assignedTo": "msftadmin@msdxv2.m365dpoc.com", + "assignedTo": "msftadmin@metal.m365dpoc.com", "actorName": null, "threatFamilyName": null, "mitreTechniques": [ @@ -156,7 +156,7 @@ example_log: | { "mdatpDeviceId": "c7e147cb0eb3534a4dcea5acb8e61c933713b145", "aadDeviceId": null, - "deviceDnsName": "msdxv2-win10v.msdxv2.m365dpoc.com", + "deviceDnsName": "metal-win10v.metal.m365dpoc.com", "osPlatform": "Windows10", "version": "1809", "osProcessor": "x64", 
@@ -178,7 +178,7 @@ example_log: | }, "loggedOnUsers": [ { - "accountName": "jeff", + "accountName": "hetfield", "domainName": "MSDXV2" } ] @@ -195,11 +195,11 @@ example_log: | "fileName": "powershell.exe", "filePath": "", "processId": 7068, - "processCommandLine": "powershell.exe -command \" $Process = New-Object System.Diagnostics.Process; $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Cjeff%40msdxv2.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0'; $Process.StartInfo.UseShellExecute = $true; $Process.Start() | Out-Null; \" ", + "processCommandLine": "powershell.exe -command \" $Process = New-Object System.Diagnostics.Process; $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Chetfield%40metal.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0'; $Process.StartInfo.UseShellExecute = $true; $Process.Start() | Out-Null; \" ", "processCreationTime": "2022-09-30T05:06:43.3390523Z", "parentProcessId": 7116, "parentProcessCreationTime": "2022-09-30T05:06:43.3100364Z", - "accountName": "jeff", + "accountName": "hetfield", "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104" }, { 
@@ -217,11 +217,11 @@ example_log: | "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", "verdict": "Suspicious", "remediationStatus": "None", - "accountName": "jeff", - "domainName": "msdxv2.m365dpoc", + "accountName": "hetfield", + "domainName": "metal.m365dpoc", "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104", "aadUserId": "e848b07a-87af-4448-9979-09f0b809c8d4", - "userPrincipalName": "jeff@msdxv2.m365dpoc.com" + "userPrincipalName": "daftpunk" }, { "entityType": "Url", From 3298d7ec67ae7c58a3f2ea49f8b4a49267e80d82 Mon Sep 17 00:00:00 2001 From: research-bot Date: Tue, 29 Oct 2024 10:29:10 -0700 Subject: [PATCH 09/12] log --- .../endpoint/detect_critical_alerts_from_security_tools.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml index f26bc48788..ae08b6281f 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml @@ -70,6 +70,6 @@ tests: sourcetype: mscs:azure:eventhub:defender:advancedhunting - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_incident_alerts.txt + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_incident_alerts.log source: m365_defender_incident_alerts sourcetype: ms365:defender:incident:alerts \ No newline at end of file From 89e4b081b5d0f02d98cddb89422895f15bde83a2 Mon Sep 17 00:00:00 2001 
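Review bot: The anonymisation in this hunk is partial: `"userPrincipalName": "daftpunk"` no longer looks like a UPN, so the example stops illustrating the field's format, while `userSid` and `aadUserId` in the same object, and the `subscriptionId`/`resourceId` under `vmMetadata` added in PATCH 07/12, still carry the original tenant's identifiers. `"domainName": "MSDXV2"` in `loggedOnUsers` (hunk @@ -178) also keeps the old tenant name that the other hunks rename to `metal`. A value shaped like the rest of the rename, `"userPrincipalName": "hetfield@metal.m365dpoc.com"`, keeps the example representative; the remaining ids are best replaced with obviously synthetic values of the same shape in the same hunk set.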
From: research-bot Date: Tue, 29 Oct 2024 11:07:40 -0700 Subject: [PATCH 10/12] updating Victim --- ...ct_critical_alerts_from_security_tools.yml | 6 ++- .../endpoint/powershell_encoded_command.yml | 44 +++++++++++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 detections/endpoint/powershell_encoded_command.yml
diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
index ae08b6281f..f05b092884 100644
--- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml
+++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml
@@ -9,7 +9,7 @@ data_source: - Windows Defender Alerts - MS365 Defender Incident Alerts description: The following analytics is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.dest) as dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.signature_id) as signature_id values(Alerts.dest) as dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src 
Alerts.user Alerts.id Alerts.vendor sourcetype | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` @@ -43,6 +43,10 @@ tags: type: User role: - Victim + - name: dest + type: Endpoint + role: + - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/powershell_encoded_command.yml b/detections/endpoint/powershell_encoded_command.yml new file mode 100644 index 0000000000..5d12de64c8 --- /dev/null +++ b/detections/endpoint/powershell_encoded_command.yml @@ -0,0 +1,44 @@ +name: Powershell Encoded Command +id: 20df5805-f5c0-45ca-b3d5-1abf049f248b +version: 1 +date: '2024-10-29' +author: '' +data_sources: [] +type: TTP +status: production +description: UPDATE_DESCRIPTION +search: '| UPDATE_SPL | `powershell_encoded_command_filter`' +how_to_implement: UPDATE_HOW_TO_IMPLEMENT +known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES +references: +- REFERENCE +tags: + analytic_story: + - UPDATE_STORY_NAME + asset_type: UPDATE asset_type + confidence: UPDATE value between 1-100 + impact: UPDATE value between 1-100 + message: UPDATE message + mitre_attack_id: + - T1003.002 + observable: + - name: UPDATE + type: UPDATE + role: + - UPDATE + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - UPDATE + risk_score: UPDATE (impact * confidence)/100 + security_domain: endpoint + cve: + - UPDATE WITH CVE(S) IF APPLICABLE +tests: +- name: True Positive Test + attack_data: + - data: https://github.com/splunk/contentctl/wiki + sourcetype: UPDATE SOURCETYPE + source: UPDATE SOURCE From c537507793dad10fb962e51ec78b7c5eacb18a33 Mon Sep 17 00:00:00 2001 From: research-bot Date: Tue, 29 Oct 2024 11:20:33 -0700 Subject: [PATCH 11/12] remove wrong detection --- .../endpoint/powershell_encoded_command.yml | 44 ------------------- 1 file changed, 44 deletions(-) delete mode 100644 detections/endpoint/powershell_encoded_command.yml 
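Review bot: `Alerts.src` and `Alerts.user` are split-by fields in the tstats `by` clause, and tstats omits rows where any split-by field is null, so a high/critical alert that carries only a `dest` and no user or source (a common shape for endpoint alerts) is silently dropped by this detection; meanwhile `dest` is only a `values()` aggregate, so an alert `id` seen on several hosts collapses into one multivalue row even though the tags now treat `dest` as a Victim endpoint. If the deployed Splunk version supports it, adding `fillnull_value="unknown"` to the tstats command keeps null-keyed alerts, and moving the host into the group-by, e.g. `by Alerts.src Alerts.user Alerts.dest Alerts.id Alerts.vendor sourcetype`, gives each victim host its own risk event. The `where Alerts.severity IN ("high","critical")` test is a literal string match, so vendors that emit `High`/`Critical` or only a numeric `severity_id` presumably need a normalisation step in the TA or a props transform, which `how_to_implement` should spell out. The search string continues past the hunk into the risk_score eval and filter macro.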
diff --git a/detections/endpoint/powershell_encoded_command.yml b/detections/endpoint/powershell_encoded_command.yml deleted file mode 100644 index 5d12de64c8..0000000000 --- a/detections/endpoint/powershell_encoded_command.yml +++ /dev/null @@ -1,44 +0,0 @@ -name: Powershell Encoded Command -id: 20df5805-f5c0-45ca-b3d5-1abf049f248b -version: 1 -date: '2024-10-29' -author: '' -data_sources: [] -type: TTP -status: production -description: UPDATE_DESCRIPTION -search: '| UPDATE_SPL | `powershell_encoded_command_filter`' -how_to_implement: UPDATE_HOW_TO_IMPLEMENT -known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES -references: -- REFERENCE -tags: - analytic_story: - - UPDATE_STORY_NAME - asset_type: UPDATE asset_type - confidence: UPDATE value between 1-100 - impact: UPDATE value between 1-100 - message: UPDATE message - mitre_attack_id: - - T1003.002 - observable: - - name: UPDATE - type: UPDATE - role: - - UPDATE - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - required_fields: - - UPDATE - risk_score: UPDATE (impact * confidence)/100 - security_domain: endpoint - cve: - - UPDATE WITH CVE(S) IF APPLICABLE -tests: -- name: True Positive Test - attack_data: - - data: https://github.com/splunk/contentctl/wiki - sourcetype: UPDATE SOURCETYPE - source: UPDATE SOURCE From cb2f92b44582d9d4542c927b74bf7e7d495abdeb Mon Sep 17 00:00:00 2001 From: research-bot Date: Tue, 29 Oct 2024 11:23:42 -0700 Subject: [PATCH 12/12] udpating drilldowns --- .../detect_critical_alerts_from_security_tools.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml index f05b092884..d0d4eb1e62 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml 
@@ -21,12 +21,12 @@ references: - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts - https://learn.microsoft.com/en-us/defender-endpoint/api/raw-data-export-event-hub drilldown_searches: -- name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags:
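Review bot: `search dest = "$dest$" user = "$user$"` now requires both tokens to match, but in this detection `dest` is produced by `values(Alerts.dest)` rather than by the tstats `by` clause, so when an alert id spans several hosts `$dest$` expands to a multivalue and the equality filter may match nothing; `user` comes from the `by` clause and is always single-valued, so it is not affected. Consider `search dest IN ($dest$) user = "$user$"` or, better, grouping the base search by `Alerts.dest` so the drilldown token is always one host — I have not verified how ES expands a multivalue token here, so test it against the True Positive dataset. The same concern applies to `normalized_risk_object IN ("$dest$", "$user$")` in the second drilldown, where a multivalue `$dest$` would presumably be quoted as one string and miss the per-host risk objects.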