Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Alerts detection update #3175

Merged
merged 14 commits into from
Oct 29, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions contentctl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,12 @@ apps:
version: 1.4.1
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_141.tgz
- uid: 6207
title: Splunk Add-on for Microsoft Security
appid: Splunk_TA_MS_Security
version: 2.3.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_230.tgz
- uid: 2734
title: URL Toolbox
appid: URL_TOOLBOX
Expand Down
234 changes: 234 additions & 0 deletions data_sources/ms365_defender_incident_alerts.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,234 @@
name: MS365 Defender Incident Alerts
id: 12345678-90ab-cdef-1234-567890abcdef
version: 1
date: '2024-07-18'
author: Bhavin Patel, Splunk
description: Data source object for MS365 Defender Incident Alerts
source: ms365_defender_incident_alerts
sourcetype: ms365:defender:incident:alerts
supported_TA:
- name: Splunk Add-on for Microsoft Security
url: https://splunkbase.splunk.com/app/6207
version: 2.3.0
fields:
- actorName
- alertId
- app
- assignedTo
- body
- category
- classification
- creationTime
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- description
- dest
- detectionSource
- detectorId
- determination
- devices{}.aadDeviceId
- devices{}.defenderAvStatus
- devices{}.deviceDnsName
- devices{}.firstSeen
- devices{}.healthStatus
- devices{}.loggedOnUsers{}.accountName
- devices{}.loggedOnUsers{}.domainName
- devices{}.mdatpDeviceId
- devices{}.onboardingStatus
- devices{}.osBuild
- devices{}.osPlatform
- devices{}.osProcessor
- devices{}.rbacGroupName
- devices{}.riskScore
- devices{}.version
- devices{}.vmMetadata
- devices{}.vmMetadata.cloudProvider
- devices{}.vmMetadata.resourceId
- devices{}.vmMetadata.subscriptionId
- devices{}.vmMetadata.vmId
- entities{}.aadUserId
- entities{}.accountName
- entities{}.applicationId
- entities{}.applicationName
- entities{}.detectionStatus
- entities{}.deviceId
- entities{}.domainName
- entities{}.entityType
- entities{}.evidenceCreationTime
- entities{}.fileName
- entities{}.filePath
- entities{}.ipAddress
- entities{}.parentProcessCreationTime
- entities{}.parentProcessFileName
- entities{}.parentProcessFilePath
- entities{}.parentProcessId
- entities{}.processCommandLine
- entities{}.processCreationTime
- entities{}.processId
- entities{}.remediationStatus
- entities{}.remediationStatusDetails
- entities{}.sha1
- entities{}.sha256
- entities{}.userPrincipalName
- entities{}.userSid
- entities{}.verdict
- eventtype
- firstActivity
- host
- id
- incidentId
- index
- investigationId
- investigationState
- lastActivity
- lastUpdatedTime
- linecount
- mitreTechniques{}
- mitre_technique_id
- providerAlertId
- resolvedTime
- serviceSource
- severity
- signature
- signature_id
- source
- sourcetype
- splunk_server
- splunk_server_group
- src
- status
- subject
- tag
- tag::app
- tag::eventtype
- threatFamilyName
- timeendpos
- timestartpos
- title
- type
- user
- user_name
- _bkt
- _cd
- _eventtype_color
- _indextime
- _raw
- _serial
- _si
- _sourcetype
- _subsecond
- _time
example_log: |
{
"alertId": "da638001130101730338_582949328",
"providerAlertId": "da638001130101730338_582949328",
"incidentId": 486,
"serviceSource": "MicrosoftDefenderForEndpoint",
"creationTime": "2022-09-30T05:36:50.1732198Z",
"lastUpdatedTime": "2022-11-19T01:35:42.7033333Z",
"resolvedTime": "2022-10-01T01:36:00.5066667Z",
"firstActivity": "2022-09-30T05:06:43.8196597Z",
"lastActivity": "2022-09-30T05:06:43.8196597Z",
"title": "Suspicious URL clicked",
"description": "A user opened a potentially malicious URL. This alert was triggered based on a Microsoft Defender for Office 365 alert.",
"category": "InitialAccess",
"status": "Resolved",
"severity": "High",
"investigationId": null,
"investigationState": "UnsupportedAlertType",
"classification": "TruePositive",
"determination": "SecurityTesting",
"detectionSource": "MTP",
"detectorId": "359b36eb-337c-4f1c-b280-8c5e08f9c4a0",
"assignedTo": "[email protected]",
"actorName": null,
"threatFamilyName": null,
"mitreTechniques": [
"T1566.002"
],
"devices": [
{
"mdatpDeviceId": "c7e147cb0eb3534a4dcea5acb8e61c933713b145",
"aadDeviceId": null,
"deviceDnsName": "metal-win10v.metal.m365dpoc.com",
"osPlatform": "Windows10",
"version": "1809",
"osProcessor": "x64",
"osBuild": 17763,
"healthStatus": "Active",
"riskScore": "High",
"rbacGroupName": "Full Auto Clients",
"firstSeen": "2022-08-08T08:51:02.455Z",
"tags": [
"Full auto"
],
"defenderAvStatus": "Updated",
"onboardingStatus": "Onboarded",
"vmMetadata": {
"vmId": "17881b39-b03f-4a2c-9b56-078be1330bd0",
"cloudProvider": "Unknown",
"resourceId": "/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10V",
"subscriptionId": "29e73d07-8740-4164-a257-592a19a7b77c"
},
"loggedOnUsers": [
{
"accountName": "hetfield",
"domainName": "MSDXV2"
}
]
}
],
"entities": [
{
"entityType": "Process",
"evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
"verdict": "Suspicious",
"remediationStatus": "None",
"sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c",
"sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
"fileName": "powershell.exe",
"filePath": "",
"processId": 7068,
"processCommandLine": "powershell.exe -command \" $Process = New-Object System.Diagnostics.Process; $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Chetfield%40metal.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0'; $Process.StartInfo.UseShellExecute = $true; $Process.Start() | Out-Null; \" ",
"processCreationTime": "2022-09-30T05:06:43.3390523Z",
"parentProcessId": 7116,
"parentProcessCreationTime": "2022-09-30T05:06:43.3100364Z",
"accountName": "hetfield",
"userSid": "S-1-5-21-2300221942-1987151257-321556088-1104"
},
{
"entityType": "File",
"evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
"verdict": "Suspicious",
"remediationStatus": "None",
"sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c",
"sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
"fileName": "powershell.exe",
"filePath": ""
},
{
"entityType": "User",
"evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
"verdict": "Suspicious",
"remediationStatus": "None",
"accountName": "hetfield",
"domainName": "metal.m365dpoc",
"userSid": "S-1-5-21-2300221942-1987151257-321556088-1104",
"aadUserId": "e848b07a-87af-4448-9979-09f0b809c8d4",
"userPrincipalName": "daftpunk"
},
{
"entityType": "Url",
"evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
"verdict": "Suspicious",
"remediationStatus": "None",
"url": "http://gcajebahdi.corporatelogon.xyz/ab/jnkmbkkdnlgedc"
}
]
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,39 +2,47 @@ name: Detect Critical Alerts from Security Tools
id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd
version: 1
date: '2024-10-09'
author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Splunk
author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Bryan Pluta, Splunk
status: production
type: TTP
data_source:
- Windows Defender Alerts
- MS365 Defender Incident Alerts
description: The following analytics is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.signature Alerts.app, Alerts.severity, Alerts.description, source, Alerts.id, Alerts.dest | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_critical_alerts_from_security_tools_filter`'
how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.signature_id) as signature_id values(Alerts.dest) as dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype
| `drop_dm_object_name("Alerts")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval risk_score=case(severity="informational", 2, severity="low", 5, severity="medium", 10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`'
how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. The risk_score field is used to calculate the risk score for the alerts and the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework is dynamically created by the detection when this is triggered. These fields need not be set in the adaptive response actions.
known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment.
references:
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/accessing-microsoft-defender-for-cloud-alerts-in-splunk-using/ba-p/938228
- https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts
- https://learn.microsoft.com/en-us/defender-endpoint/api/raw-data-export-event-hub
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
- name: View the detection results for - "$dest$" and "$user$"
search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
analytic_story:
- Critical Alerts
asset_type: Endpoint
atomic_guid: []
confidence: 90
impact: 90
message: $severity$ alert for $dest$ from $source$ - $signature$
mitre_attack_id:
- T1484
confidence: 50
impact: 50
message: $severity$ alert for $user$ from $sourcetype$ - $signature$
mitre_attack_id: []
observable:
- name: user
type: User
role:
- Victim
- name: dest
type: Endpoint
role:
Expand All @@ -44,14 +52,28 @@ tags:
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- app
- name
risk_score: 81
- Alerts.description
- Alerts.mitre_technique_id
- Alerts.severity
- Alerts.type
- Alerts.severity_id
- Alerts.signature
- Alerts.dest
- Alerts.src
- Alerts.user
- Alerts.id
- Alerts.vendor
- sourcetype
risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/AdvancedHunting.log
source: eventhub://windowsdefenderlogs
sourcetype: mscs:azure:eventhub:defender:advancedhunting
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_incident_alerts.log
source: m365_defender_incident_alerts
sourcetype: ms365:defender:incident:alerts