Merge pull request #3061 from splunk/rba_is_tricky

Updated Observable config
splunk · Aug 21, 2024 · 14450cb · 14450cb
2 parents 9f85603 + 1ff2c9b
commit 14450cb
Show file tree

Hide file tree

Showing 342 changed files with 1,378 additions and 1,394 deletions.
diff --git a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
@@ -1,7 +1,7 @@
 name: Abnormally High Number Of Cloud Infrastructure API Calls
 id: 0840ddf1-8c89-46ff-b730-c8d6722478c0
-version: 2
-date: '2024-05-12'
+version: 3
+date: '2024-08-16'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
@@ -47,7 +47,7 @@ tags:
   - name: user
     type: User
     role:
-    - Attacker
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
@@ -1,7 +1,7 @@
 name: Abnormally High Number Of Cloud Security Group API Calls
 id: d4dfb7f3-7a37-498a-b5df-f19334e871af
-version: 2
-date: '2024-05-22'
+version: 3
+date: '2024-08-16'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
@@ -47,7 +47,7 @@ tags:
   - name: user
     type: User
     role:
-    - Attacker
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml
@@ -1,7 +1,7 @@
 name: AWS SAML Update identity provider
 id: 2f0604c6-6030-11eb-ae93-0242ac130002
-version: 2
-date: '2024-05-19'
+version: 3
+date: '2024-08-19'
 author: Rod Soto, Splunk
 status: production
 type: TTP
@@ -48,7 +48,6 @@ tags:
     type: User
     role:
     - Victim
-    - Target
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
@@ -1,7 +1,7 @@
 name: Cloud Instance Modified By Previously Unseen User
 id: 7fb15084-b14e-405a-bd61-a6de15a40722
-version: 2
-date: '2024-05-17'
+version: 3
+date: '2024-08-16'
 author: Rico Valdez, Splunk
 status: experimental
 type: Anomaly
@@ -45,7 +45,7 @@ tags:
   - name: user
     type: User
     role:
-    - Attacker
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml b/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml
@@ -1,7 +1,7 @@
 name: Abnormally High AWS Instances Launched by User
 id: 2a9b80d3-6340-4345-b5ad-290bf5d0dac4
-version: 2
-date: '2020-07-21'
+version: 3
+date: '2024-08-15'
 author: Bhavin Patel, Splunk
 status: deprecated
 type: Anomaly
@@ -36,10 +36,10 @@ tags:
   mitre_attack_id:
   - T1078.004
   observable:
-  - name: field
-    type: Unknown
+  - name: userName
+    type: User
     role:
-    - Unknown
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml b/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml
@@ -1,7 +1,7 @@
 name: Abnormally High AWS Instances Launched by User - MLTK
 id: dec41ad5-d579-42cb-b4c6-f5dbb778bbe5
-version: 2
-date: '2020-07-21'
+version: 3
+date: '2024-08-15'
 author: Jason Brewer, Splunk
 status: deprecated
 type: Anomaly
@@ -32,10 +32,10 @@ tags:
   mitre_attack_id:
   - T1078.004
   observable:
-  - name: field
-    type: Unknown
+  - name: src_user
+    type: User
     role:
-    - Unknown
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml
@@ -1,7 +1,7 @@
 name: Abnormally High AWS Instances Terminated by User
 id: 8d301246-fccf-45e2-a8e7-3655fd14379c
-version: 2
-date: '2020-07-21'
+version: 3
+date: '2024-08-15'
 author: Bhavin Patel, Splunk
 status: deprecated
 type: Anomaly
@@ -36,10 +36,10 @@ tags:
   mitre_attack_id:
   - T1078.004
   observable:
-  - name: field
-    type: Unknown
+  - name: userName
+    type: User
     role:
-    - Unknown
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml
@@ -1,7 +1,7 @@
 name: Abnormally High AWS Instances Terminated by User - MLTK
 id: 1c02b86a-cd85-473e-a50b-014a9ac8fe3e
-version: 2
-date: '2020-07-21'
+version: 3
+date: '2024-08-15'
 author: Jason Brewer, Splunk
 status: deprecated
 type: Anomaly
@@ -31,10 +31,10 @@ tags:
   mitre_attack_id:
   - T1078.004
   observable:
-  - name: field
-    type: Unknown
+  - name: src_user
+    type: User
     role:
-    - Unknown
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/asl_aws_excessive_security_scanning.yml b/detections/deprecated/asl_aws_excessive_security_scanning.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Excessive Security Scanning
 id: ff2bfdbc-65b7-4434-8f08-d55761d1d446
-version: 1
-date: '2023-06-01'
+version: 2
+date: '2024-08-16'
 author: Patrick Bareiss, Splunk
 status: deprecated
 type: Anomaly
@@ -35,7 +35,7 @@ tags:
   - name: identity.user.name
     type: User
     role:
-    - Attacker
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
@@ -1,7 +1,7 @@
 name: AWS Cloud Provisioning From Previously Unseen City
 id: 344a1778-0b25-490c-adb1-de8beddf59cd
-version: 1
-date: '2018-03-16'
+version: 2
+date: '2024-08-16'
 author: David Dorsey, Splunk
 status: deprecated
 type: Anomaly
@@ -48,10 +48,10 @@ tags:
   mitre_attack_id:
   - T1535
   observable:
-  - name: field
-    type: Unknown
+  - name: src_ip
+    type: IP Address
     role:
-    - Unknown
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
@@ -1,7 +1,7 @@
 name: AWS Cloud Provisioning From Previously Unseen Country
 id: ceb8d3d8-06cb-49eb-beaf-829526e33ff0
-version: 1
-date: '2018-03-16'
+version: 2
+date: '2024-08-15'
 author: David Dorsey, Splunk
 status: deprecated
 type: Anomaly
@@ -49,10 +49,10 @@ tags:
   mitre_attack_id:
   - T1535
   observable:
-  - name: field
-    type: Unknown
+  - name: user
+    type: User
     role:
-    - Unknown
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
@@ -1,7 +1,7 @@
 name: AWS Cloud Provisioning From Previously Unseen IP Address
 id: 42e15012-ac14-4801-94f4-f1acbe64880b
-version: 1
-date: '2018-03-16'
+version: 2
+date: '2024-08-15'
 author: David Dorsey, Splunk
 status: deprecated
 type: Anomaly
@@ -46,10 +46,10 @@ tags:
   impact: 50
   message: tbd
   observable:
-  - name: field
-    type: Unknown
+  - name: user
+    type: User
     role:
-    - Unknown
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml
@@ -1,7 +1,7 @@
 name: AWS Cloud Provisioning From Previously Unseen Region
 id: 7971d3df-da82-4648-a6e5-b5637bea5253
-version: 1
-date: '2018-03-16'
+version: 2
+date: '2024-08-15'
 author: David Dorsey, Splunk
 status: deprecated
 type: Anomaly
@@ -48,10 +48,14 @@ tags:
   mitre_attack_id:
   - T1535
   observable:
-  - name: field
-    type: Unknown
+  - name: user
+    type: User Name
     role:
-    - Unknown
+    - Victim
+  - name: src_ip
+    type: IP Address
+    role:
+    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml b/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml
@@ -1,7 +1,7 @@
 name: AWS EKS Kubernetes cluster sensitive object access
 id: 7f227943-2196-4d4d-8d6a-ac8cb308e61c
-version: 1
-date: '2020-06-23'
+version: 2
+date: '2024-08-15'
 author: Rod Soto, Splunk
 status: deprecated
 type: Hunting
@@ -25,10 +25,10 @@ tags:
   impact: 50
   message: tbd
   observable:
-  - name: field
-    type: Unknown
+  - name: user.username
+    type: User
     role:
-    - Unknown
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml b/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml
@@ -1,7 +1,7 @@
 name: Clients Connecting to Multiple DNS Servers
 id: 74ec6f18-604b-4202-a567-86b2066be3ce
-version: 3
-date: '2020-07-21'
+version: 4
+date: '2024-08-15'
 author: David Dorsey, Splunk
 status: deprecated
 type: TTP
@@ -42,10 +42,10 @@ tags:
   mitre_attack_id:
   - T1048.003
   observable:
-  - name: field
-    type: Unknown
+  - name: src
+    type: Hostname
     role:
-    - Unknown
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/cloud_network_access_control_list_deleted.yml b/detections/deprecated/cloud_network_access_control_list_deleted.yml
@@ -1,7 +1,7 @@
 name: Cloud Network Access Control List Deleted
 id: 021abc51-1862-41dd-ad43-43c739c0a983
-version: 1
-date: '2020-09-08'
+version: 2
+date: '2024-08-15'
 author: Peter Gael, Splunk
 status: deprecated
 type: Anomaly
@@ -30,10 +30,10 @@ tags:
   impact: 50
   message: tbd
   observable:
-  - name: field
-    type: Unknown
+  - name: userName
+    type: User
     role:
-    - Unknown
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml
@@ -1,7 +1,7 @@
 name: Detect Activity Related to Pass the Hash Attacks
 id: f5939373-8054-40ad-8c64-cec478a22a4b
-version: 6
-date: '2020-10-15'
+version: 7
+date: '2024-08-15'
 author: Bhavin Patel, Patrick Bareiss, Splunk
 status: deprecated
 type: Hunting
@@ -40,10 +40,6 @@ tags:
     type: Hostname
     role:
     - Victim
-  - name: EventCode
-    type: Other
-    role:
-    - Other
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security