Branch was auto-updated.

.github/workflows/appinspect.yml

@@ -1,10 +1,9 @@
 name: appinspect
 on:
   pull_request_target:
+  pull_request:
+    types: [opened, reopened, synchronize]
   push:
-    branches:
-      - develop
-
 jobs:
   appinspect:
     runs-on: ubuntu-latest

baselines/baseline_of_kubernetes_container_network_io.yml

@@ -1,7 +1,7 @@
 name: Baseline Of Kubernetes Container Network IO
 id: 6edaca1d-d436-42d0-8df0-6895d3bf5b70
-version: 1
-date: '2023-12-19'
+version: 4
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 type: Baseline
 datamodel: []
@@ -15,7 +15,7 @@ search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8
   | stats avg(eval(if(direction="transmit", io,null()))) as avg_outbound_network_io avg(eval(if(direction="receive", io,null()))) as avg_inbound_network_io 
         stdev(eval(if(direction="transmit", io,null()))) as stdev_outbound_network_io stdev(eval(if(direction="receive", io,null()))) as stdev_inbound_network_io
         count latest(_time) as last_seen by key
-  | outputlookup k8s_container_network_io_baseline '
+  | outputlookup k8s_container_network_io_baseline'
 how_to_implement: 'To implement this detection, follow these steps:
   1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.
   2. Enable the hostmetrics/process receiver in the OTEL configuration.

baselines/baseline_of_kubernetes_container_network_io_ratio.yml

@@ -1,7 +1,7 @@
 name: Baseline Of Kubernetes Container Network IO Ratio
 id: f395003b-6389-4e14-89bf-ac4dbea215bd
-version: 1
-date: '2023-12-19'
+version: 2
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 type: Baseline
 datamodel: []
@@ -18,7 +18,7 @@ search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8
   | eval outbound:inbound = outbound_network_io/inbound_network_io 
   | stats avg(*:*) as avg_*:* stdev(*:*) as stdev_*:*
     count latest(_time) as last_seen by key 
-  | outputlookup k8s_container_network_io_ratio_baseline '
+  | outputlookup k8s_container_network_io_ratio_baseline'
 how_to_implement: 'To implement this detection, follow these steps:
   1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.
   2. Enable the hostmetrics/process receiver in the OTEL configuration.

baselines/baseline_of_kubernetes_process_resource_ratio.yml

@@ -1,7 +1,7 @@
 name: Baseline Of Kubernetes Process Resource Ratio
 id: 427f81cf-ce6a-4a24-a73d-70c50171ea66
-version: 1
-date: '2023-12-18'
+version: 2
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 type: Baseline
 datamodel: []
@@ -20,7 +20,7 @@ search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host
   | stats avg(cpu:mem) as avg_cpu:mem stdev(cpu:mem) as stdev_cpu:mem avg(cpu:disk) as avg_cpu:disk stdev(cpu:disk) as stdev_cpu:disk
     avg(mem:disk) as avg_mem:disk stdev(mem:disk) as stdev_mem:disk avg(cpu:threads) as avg_cpu:threads stdev(cpu:threads) as stdev_cpu:threads
     avg(disk:threads) as avg_disk:threads stdev(disk:threads) as stdev_disk:threads count latest(_time) as last_seen by key 
-  | outputlookup k8s_process_resource_ratio_baseline '
+  | outputlookup k8s_process_resource_ratio_baseline'
 how_to_implement: 'To implement this detection, follow these steps:
   1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.
   2. Enable the hostmetrics/process receiver in the OTEL configuration.

detections/application/okta_multi_factor_authentication_disabled.yml

@@ -1,7 +1,7 @@
 name: Okta Multi-Factor Authentication Disabled
 id: 7c0348ce-bdf9-45f6-8a57-c18b5976f00a
-version: 2
-date: '2024-05-13'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source: 
 - Okta
@@ -15,7 +15,7 @@ description: The following analytic identifies an attempt to disable multi-facto
   could enable attackers to bypass additional security layers, potentially leading
   to unauthorized access to sensitive information and prolonged undetected presence
   in the network.
-search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime,
+search: '| tstats `security_content_summariesonly` count max(_time) as lastTime,
   min(_time) as firstTime from datamodel=Change where sourcetype="OktaIM2:log" All_Changes.object_category=User
   AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by
   All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src

detections/application/okta_multiple_failed_mfa_requests_for_user.yml

@@ -1,7 +1,7 @@
 name: Okta Multiple Failed MFA Requests For User
 id: 826dbaae-a1e6-4c8c-b384-d16898956e73
-version: 2
-date: '2024-05-20'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source: 
 - Okta
@@ -14,7 +14,7 @@ description: The following analytic identifies multiple failed multi-factor auth
   MFA by bombarding the user with repeated authentication requests, a technique used
   by threat actors like Lapsus and APT29. If confirmed malicious, this could lead
   to unauthorized access, potentially compromising sensitive information and systems.
-search: ' `okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE
+search: '`okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE
   debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats
   count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip)
   as src_ip values(debugContext.debugData.factor) by _time src_user | where count

detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml

@@ -1,7 +1,7 @@
 name: Okta Multiple Users Failing To Authenticate From Ip
 id: de365ffa-42f5-46b5-b43f-fa72290b8218
-version: 2
-date: '2024-05-28'
+version: 3
+date: '2024-09-24'
 author: Michael Haag, Mauricio Velazco, Splunk
 data_source: 
 - Okta
@@ -15,7 +15,7 @@ description: The following analytic identifies instances where more than 10 uniq
   behavior suggests an external entity is attempting to compromise multiple user accounts,
   potentially leading to unauthorized access to organizational resources and data
   breaches.
-search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime,
+search: '| tstats `security_content_summariesonly` count max(_time) as lastTime,
   min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature)
   as signature values(Authentication.user) as user values(Authentication.app) as app
   values(Authentication.authentication_method) as authentication_method from datamodel=Authentication

detections/application/okta_new_api_token_created.yml

@@ -1,7 +1,7 @@
 name: Okta New API Token Created
 id: c3d22720-35d3-4da4-bd0a-740d37192bd4
-version: 3
-date: '2024-05-11'
+version: 4
+date: '2024-09-24'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the creation of a new API token with
   environment.
 data_source: 
 - Okta
-search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime,
+search: '| tstats `security_content_summariesonly` count max(_time) as lastTime,
   min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND
   All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result
   All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category

detections/application/okta_new_device_enrolled_on_account.yml

@@ -1,7 +1,7 @@
 name: Okta New Device Enrolled on Account
 id: bb27cbce-d4de-432c-932f-2e206e9130fb
-version: 3
-date: '2024-05-24'
+version: 4
+date: '2024-09-24'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies when a new device is enrolled on
   and mitigating unauthorized access attempts.
 data_source: 
 - Okta
-search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime,
+search: '| tstats `security_content_summariesonly` count max(_time) as lastTime,
   min(_time) as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create
   by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype
   All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name("All_Changes")`

detections/application/windows_ad_object_owner_updated.yml

@@ -1,14 +1,14 @@
 name: Windows AD Object Owner Updated
 id: 4af01f6b-d8d4-4f96-8635-758a01557130
-version: 1
-date: '2023-11-13'
+version: 2
+date: '2024-09-24'
 author: Dean Luxton
 status: production
 type: TTP
 data_source:
 - Windows Security 5136
 description: AD Object Owner Updated. The owner provides Full control level privileges over the target AD Object. This event has significant impact alone and is also a precursor activity for hiding an AD object. 
-search: ' `wineventlog_security` EventCode=5136 
+search: '`wineventlog_security` EventCode=5136 
   | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId DSName
   | rex field=old_value "O:(?P<old_owner>.*?)G:"
   | rex field=new_value "O:(?P<new_owner>.*?)G:"

detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml

@@ -1,7 +1,7 @@
 name: ASL AWS Concurrent Sessions From Different Ips
 id: b3424bbe-3204-4469-887b-ec144483a336
-version: 3
-date: '2024-05-24'
+version: 4
+date: '2024-09-24'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -15,7 +15,7 @@ description: The following analytic identifies an AWS IAM account with concurren
   to sensitive corporate resources, leading to potential data breaches or further
   exploitation.
 data_source: []
-search: ' `amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" 
+search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" 
   | bin span=5m _time
   | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count 
   by _time identity.user.credential_uid identity.user.name

detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml

@@ -1,7 +1,7 @@
 name: ASL AWS New MFA Method Registered For User
 id: 33ae0931-2a03-456b-b1d7-b016c5557fbd
-version: 3
-date: '2024-05-18'
+version: 4
+date: '2024-09-24'
 author: Patrick Bareiss, Splunk
 status: experimental
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic identifies the registration of a new Multi-F
   to secure their access, making it harder to detect and remove their presence from
   the compromised environment.
 data_source: []
-search: ' `amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull |
+search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull |
   stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid
   actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
   | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region,

detections/cloud/aws_concurrent_sessions_from_different_ips.yml

@@ -1,7 +1,7 @@
 name: AWS Concurrent Sessions From Different Ips
 id: 51c04fdb-2746-465a-b86e-b413a09c9085
-version: 2
-date: '2024-05-15'
+version: 3
+date: '2024-09-24'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies an AWS IAM account with concurren
   exploitation within the AWS environment.
 data_source:
 - AWS CloudTrail DescribeEventAggregates
-search: ' `cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal"
+search: '`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal"
   | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as
   src_ip  dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count
   > 1 | `aws_concurrent_sessions_from_different_ips_filter`'

detections/cloud/aws_new_mfa_method_registered_for_user.yml

@@ -1,7 +1,7 @@
 name: AWS New MFA Method Registered For User
 id: 4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b
-version: 2
-date: '2024-05-13'
+version: 3
+date: '2024-09-24'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects the registration of a new Multi-Fact
   potentially leading to further unauthorized activities and data breaches.
 data_source:
 - AWS CloudTrail CreateVirtualMFADevice
-search: ' `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName)
+search: '`cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName)
   as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource
   aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
   src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`

detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml

@@ -1,7 +1,7 @@
 name: AWS Successful Console Authentication From Multiple IPs
 id: 395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb
-version: 3
-date: '2024-05-26'
+version: 4
+date: '2024-09-24'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -14,7 +14,7 @@ description: The following analytic detects an AWS account successfully authenti
   resources, leading to data breaches or further exploitation within the AWS environment.
 data_source:
 - AWS CloudTrail ConsoleLogin
-search: ' `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent)
+search: '`cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent)
   as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip)
   as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`'
 how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This

detections/cloud/aws_updateloginprofile.yml

@@ -1,7 +1,7 @@
 name: AWS UpdateLoginProfile
 id: 2a9b80d3-6a40-4115-11ad-212bf3d0d111
-version: 4
-date: '2024-05-17'
+version: 5
+date: '2024-09-24'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects an AWS CloudTrail event where a user
   resources within the AWS environment.
 data_source:
 - AWS CloudTrail UpdateLoginProfile
-search: ' `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com
+search: '`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com
   errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),
   1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime
   by requestParameters.userName src eventName eventSource aws_account_id errorCode

detections/cloud/azure_active_directory_high_risk_sign_in.yml

@@ -1,7 +1,7 @@
 name: Azure Active Directory High Risk Sign-in
 id: 1ecff169-26d7-4161-9a7b-2ac4c8e61bea
-version: 3
-date: '2024-05-22'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects high-risk sign-in attempts against A
   exploitation within the environment.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high |
+search: '`azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high |
   rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime
   values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_active_directory_high_risk_sign_in_filter`'

detections/cloud/azure_ad_application_administrator_role_assigned.yml

@@ -1,7 +1,7 @@
 name: Azure AD Application Administrator Role Assigned
 id: eac4de87-7a56-4538-a21b-277897af6d8d
-version: 3
-date: '2024-05-15'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies the assignment of the Application
   malicious, an attacker could escalate privileges, manage application settings, and
   potentially access sensitive resources by impersonating application identities,
   posing a significant security risk to the Azure AD tenant.
-search: ' `azure_monitor_aad`  "operationName"="Add member to role"  "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application
+search: '`azure_monitor_aad`  "operationName"="Add member to role"  "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application
   Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName
   as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user
   initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`

detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml

@@ -1,7 +1,7 @@
 name: Azure AD Authentication Failed During MFA Challenge
 id: e62c9c2e-bf51-4719-906c-3074618fcc1c
-version: 3
-date: '2024-05-18'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: 'The following analytic identifies failed authentication attempts a
   to unauthorized access and further compromise of the affected account.'
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121
+search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121
   | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime
   by user, src_ip, status.additionalDetails, appDisplayName, user_agent | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `azure_ad_authentication_failed_during_mfa_challenge_filter`'

detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml

@@ -1,7 +1,7 @@
 name: Azure AD Concurrent Sessions From Different Ips
 id: a9126f73-9a9b-493d-96ec-0dd06695490d
-version: 4
-date: '2024-08-05'
+version: 5
+date: '2024-09-24'
 author: Mauricio Velazco, Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects an Azure AD account with concurrent
   information and potential data breaches.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs action=success 
+search: '`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs action=success 
 | rename properties.* as * 
 | bucket span=5m _time
 | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips dc(location.city) as dc_city values(location.city) as city values(src_ip) as src_ip values(appDisplayName) as appDisplayName values(location.countryOrRegion) by user _time 

detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml

@@ -1,7 +1,7 @@
 name: Azure AD High Number Of Failed Authentications For User
 id: 630b1694-210a-48ee-a450-6f79e7679f2c
-version: 3
-date: '2024-05-29'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies an Azure AD account experiencing
   based on their specific environment to reduce false positives.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126
+search: '`azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126
   properties.authenticationDetails{}.succeeded=false | rename properties.* as * |
   bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime
   values(src_ip) as src_ip by user | where count > 20 | `security_content_ctime(firstTime)`