Merge branch 'develop' into typo-non_chrome_process_accessing_chrome_…

…default_dir
splunk · Jul 23, 2024 · 007c471 · 007c471
2 parents d96865b + eac3b61
commit 007c471
Show file tree

Hide file tree

Showing 17 changed files with 811 additions and 76 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -2,6 +2,9 @@ name: build
 on:
   pull_request:
     types: [opened, reopened, synchronize]
+  push:
+    branches:
+      - develop
 jobs:
   build:
     #Note that the CircleCI job used a Container.  The way to do this with Github Actions

diff --git a/README.md b/README.md
@@ -2,8 +2,8 @@
 <p align="center">
     <a href="https://github.com/splunk/security_content/releases">
         <img src="https://img.shields.io/github/v/release/splunk/security_content" /></a>
-    <a href="https://github.com/splunk/security_content/actions/workflows/validate-and-build.yml/badge.svg?branch=develop">
-        <img src="https://github.com/splunk/security_content/actions/workflows/validate-and-build.yml/badge.svg?branch=develop" /></a>
+    <a href="https://github.com/splunk/security_content/actions/workflows/build.yml/badge.svg?branch=develop">
+        <img src="https://github.com/splunk/security_content/actions/workflows/build.yml/badge.svg?branch=develop" /></a>
     <a href="https://github.com/splunk/security_content">
         <img src="https://security-content.s3-us-west-2.amazonaws.com/reporting/detection_count.svg" /></a>
     <a href="https://github.com/splunk/security_content">

diff --git a/app_template/default/app.conf b/app_template/default/app.conf
@@ -8,7 +8,6 @@ build = 16367
 
 [triggers]
 reload.analytic_stories = simple
-reload.usage_searches = simple
 reload.use_case_library = simple
 reload.correlationsearches = simple
 reload.analyticstories = simple

diff --git a/app_template/default/usage_searches.conf b/app_template/default/usage_searches.conf
diff --git a/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml b/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml
@@ -0,0 +1,66 @@
+name: AWS CloudWatchLogs VPCflow
+id: 38a34fc4-e128-4478-a8f4-7835d51d5135
+author: Bhavin Patel, Splunk
+source: aws_cloudwatchlogs_vpcflow
+sourcetype: aws:cloudwatchlogs:vpcflow
+separator: eventName
+supported_TA:
+  name: Splunk Add-on for Amazon Web Services (AWS)
+  version: 7.4.1
+  url: https://splunkbase.splunk.com/app/1876
+event_names: []
+fields:
+- _raw
+- _time
+- account_id
+- action
+- app
+- aws_account_id
+- bytes
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_ip
+- dest_port
+- duration
+- dvc
+- end_time
+- eventtype
+- host
+- index
+- interface_id
+- linecount
+- log_status
+- packets
+- protocol
+- protocol_code
+- protocol_full_name
+- protocol_version
+- punct
+- region
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_port
+- start_time
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- transport
+- user_id
+- vendor_account
+- vendor_product
+- version
+- vpcflow_action
+example_log: '2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK'
diff --git a/data_sources/endpoint/Windows_Event_Log_Security.yml b/data_sources/endpoint/Windows_Event_Log_Security.yml
@@ -45,6 +45,8 @@ event_names:
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml
 - event_name: Windows Event Log Security 4726
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml
+- event_name: Windows Event Log Security 4728
+  data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4728.yml
 - event_name: Windows Event Log Security 4732
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml
 - event_name: Windows Event Log Security 4738

diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml
@@ -0,0 +1,88 @@
+event_name: Windows Event Log System 4728
+fields:
+- _time
+- Account_Domain
+- Account_Name
+- CategoryString
+- ComputerName
+- Error_Code
+- EventCode
+- EventType
+- Keywords
+- LogName
+- Logon_ID
+- Message
+- OpCode
+- RecordNumber
+- Security_ID
+- SourceName
+- Subject_Account_Domain
+- Subject_Account_Name
+- Subject_Logon_ID
+- Subject_Security_ID
+- Target_Account_Domain
+- Target_Account_Name
+- Target_Security_ID
+- TaskCategory
+- Type
+- action
+- app
+- body
+- category
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dest_nt_host
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- member_dn
+- member_id
+- member_nt_domain
+- msad_action
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product
+example_log: 10/09/2020 10:41:29 AM
diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml
@@ -0,0 +1,81 @@
+name: Detect Distributed Password Spray Attempts
+id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
+version: 1
+date: '2023-11-01'
+author: Dean Luxton
+status: production
+type: Hunting
+data_source:
+- Azure Active Directory Sign-in activity
+description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A 
+  distributed password spray attack is a type of brute force attack where the attacker attempts a few 
+  common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. 
+  By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication 
+  events, providing comprehensive coverage and enhancing security against these attacks.
+search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time  span=2m
+  | `drop_dm_object_name("Authentication")`
+  ```fill out time buckets for 0-count events during entire search length```
+  | appendpipe [| timechart limit=0 span=5m count | table _time]
+  | fillnull value=0 unique_accounts, unique_src
+  ``` remove duplicate & empty time buckets```
+  | sort - total_failures
+  | dedup _time
+  ``` Create aggregation field & apply to all null events```
+  | eval counter=sourcetype+"__"+signature_id
+  | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter)
+  ``` 3-sigma detection logic ```
+  | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter
+  | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3)
+  | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0)
+  | replace "::ffff:*" with * in src
+  | where isOutlier=1
+  | foreach * 
+      [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
+  | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id
+  | sort - total_failures | `detect_distributed_password_spray_attempts_filter`'
+how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM)
+  and that the src field is populated with the source device information. Additionally, ensure that 
+  fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from 
+  log sources that do not feature the signature_id field in the results.
+known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings.
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+tags:
+  analytic_story:
+  - Compromised User Account
+  - Active Directory Password Spraying
+  asset_type: Endpoint
+  atomic_guid:
+  - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
+  confidence: 70
+  impact: 70
+  message: Distributed Password Spray Attempt Detected from $src$
+  mitre_attack_id:
+  - T1110.003
+  - T1110
+  observable:
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  - name: unique_accounts
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 49
+  required_fields:
+  - Authentication.action
+  - Authentication.user
+  - Authentication.src
+  security_domain: access
+  manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion. 
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log
+    source: azure:monitor:aad
+    sourcetype: azure:monitor:aad