Merge tag 'v3.0.3'

.circleci/config.yml

@@ -86,40 +86,6 @@ jobs:
           webhook: '${SLACK_WEBHOOK}'
           fail_only: true
 
-  test-links:
-    executor: content-executor
-    steps:
-      - run:
-          name: checkout repo
-          command: |
-            if [[ ! -z "${CIRCLE_PULL_REQUEST}" &&  ! -z "${CIRCLE_PR_NUMBER}" ]]; then
-                git clone https://${GITHUB_TOKEN}@github.com/splunk/security-content.git
-                cd security-content
-                git fetch origin pull/${CIRCLE_PR_NUMBER}/head:${CIRCLE_BRANCH}
-                git checkout ${CIRCLE_BRANCH}
-            elif [ "${CIRCLE_BRANCH}" == "" ]; then
-                git clone https://${GITHUB_TOKEN}@github.com/splunk/security-content.git
-            else
-                git clone --branch ${CIRCLE_BRANCH} https://${GITHUB_TOKEN}@github.com/splunk/security-content.git
-            fi
-      - run: *apt-install
-      - run:
-          name: check for broken links using liche
-          command: |
-            echo 'export GOROOT=~/.go' >> $BASH_ENV
-            echo 'export PATH=$GOROOT/bin:$PATH' >> $BASH_ENV
-            echo 'export GOPATH=~/go' >> $BASH_ENV
-            echo 'export PATH=$GOPATH/bin:$PATH' >> $BASH_ENV
-            echo 'export GO111MODULE="on"' >> $BASH_ENV
-            source $BASH_ENV
-            go get -u github.com/raviqqe/liche
-            cd security-content
-            liche docs/stories_categories.md -v -t 60
-            liche README.md -v -t 60
-      - slack/status:
-          webhook: '${SLACK_WEBHOOK}'
-          fail_only: true
-
   build-sources:
     executor: content-executor
     steps:
@@ -422,17 +388,6 @@ jobs:
 
 workflows:
   version: 2.1
-  test-dead-links:
-    triggers:
-      - schedule:
-          cron: "0 0 * * *"
-          filters:
-            branches:
-              only:
-                - master
-                - develop
-    jobs:
-      - test-links
   validate-and-build:
     jobs:
       - validate-content:

README.md

@@ -28,7 +28,7 @@ curl -s https://content.splunkresearch.com | jq
 }
 ```
 
-#### [GitHub Workflow](https://github.com/splunk/security-content/wiki/2.-Installation-and-Usage)
+#### [GitHub Workflow](https://github.com/splunk/security-content/wiki/Installation-and-Usage)
 Create your customized version of Security Content by forking this project and following this guide.
 
 # What's in an Analytic Story?
@@ -56,7 +56,7 @@ Download and install the latest version of [Splunk Analytic Story Execution]
 
 
 # Writing Content
-Before you begin, follow the steps to install **dependencies and pre-commit hooks** under ["Developing"](https://github.com/splunk/security-content#developing).
+Before you begin, follow the steps to install **dependencies and pre-commit hooks** under [Developing Content](https://github.com/splunk/security-content/wiki/Developing-Content).
 
 # Security Content
 
@@ -72,7 +72,7 @@ Before you begin, follow the steps to install **dependencies and pre-commit hook
 * [bin/](bin/): All binaries required to produce and test content
 
 # Contribution
-We welcome feedback and contributions from the community! Please see our [contribution guidelines](docs/CONTRIBUTING.md) for more information on how to get involved.
+We welcome feedback and contributions from the community! Please see our [contributing to the project](https://github.com/splunk/security-content/wiki/Contributing-to-the-Project) for more information on how to get involved.
 
 ## Support
 Please use the [GitHub Issue Tracker](https://github.com/splunk/security-content/issues) to submit bugs or request features.

baselines/previously_seen_running_windows_services.yml

@@ -1,17 +1,16 @@
 name: Previously Seen Running Windows Services
 id: 64ce0ade-cb01-4678-bddd-d31c0b175394
-version: 2
-date: '2020-01-13'
+version: 3
+date: '2020-06-15'
 description: This collects the services that have been started across your entire
   enterprise.
 how_to_implement: While this search does not require you to adhere to Splunk CIM,
   you must be ingesting your Windows security-event logs for it to execute successfully.
   Please ensure that the Splunk Add-on for Microsoft Windows is version 5.0.0 or above.
 author: David Dorsey, Splunk
-search: '`wineventlog_system` signature_id=7036 | rename param1 as service_name |
+search: '`wineventlog_system` EventCode=7036 | rename param1 as service_name |
   rename param2 as action | search action="running" | stats earliest(_time) as firstTime,
-  latest(_time) as lastTime by service_name | outputlookup previously_seen_running_windows_services
-  | stats count'
+  latest(_time) as lastTime by service_name | outputlookup previously_seen_running_windows_services'
 tags:
   analytics_story:
   - Orangeworm Attack Group

baselines/previously_seen_users_in_cloudtrail___dm.yml

@@ -0,0 +1,25 @@
+name: Previously seen users in CloudTrail - DM
+id: 0a87ecf9-dc6a-43af-861a-205e75a09bf5
+version: 1
+date: '2020-05-28'
+description: This search looks for CloudTrail events where a user logs into the console,
+  then creates a baseline of the latest and earliest times, City, Region, and Country
+  we have encountered this user in our dataset, grouped by username, within the last 30
+  days.
+how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later)
+  and Enterprise Security 6.2, which contains the required updates to the Authentication data model  
+  for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`,
+  which is a lookup file created by this support search.
+author: Rico Valdez, Splunk
+search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication
+  where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src
+  | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src
+  | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count'
+tags:
+  analytics_story:
+  - Suspicious Cloud Authentication Activities
+  detections:
+  - Detect AWS Console Login by User from New Country
+  - Detect AWS Console Login by User from New Region
+  - Detect AWS Console Login by User from New City
+  - Detect new user AWS Console Login - DM

baselines/update_previously_seen_users_in_cloudtrail___dm.yml

@@ -0,0 +1,27 @@
+name: Update previously seen users in CloudTrail - DM
+id: 66ff71c2-7e01-47dd-a041-906688c9d322
+version: 1
+date: '2020-05-28'
+description: This search looks for CloudTrail events where a user logs into the console,
+  then updates the baseline of the latest and earliest times, City, Region, and Country
+  we have encountered this user in our dataset, grouped by user, within the last hour.
+how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later)
+  and Enterprise Security 6.2, which contains the required updates to the Authentication data model
+  for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`,
+  which is a lookup file created by this support search.
+author: Rico Valdez, Splunk
+search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from
+      datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user
+      Authenticaiton.src | iplocation Authentication.src | rename Authentication.user as user
+      Authentciation.src as src | table user src City Region Country firstTime lastTime
+      | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as
+      firstTime max(lastTime) as lastTime by user src City Region Country
+      | outputlookup previously_seen_users_console_logins.csv'
+tags:
+  analytics_story:
+  - Suspicious Cloud Authentication Activities
+  detections:
+  - Detect AWS Console Login by User from New Country
+  - Detect AWS Console Login by User from New Region
+  - Detect AWS Console Login by User from New City
+  - Detect new user AWS Console Login - DM

deployments/enterprise_security_deployment_configuration.yml → deployments/10_enterprise_security_deployment_configuration.yml

@@ -4,9 +4,9 @@ date: '2020-04-27'
 description: This configuration file applies to all correlation searches that are used for detection
 author: Bhavin Patel
 scheduling:
-  cron_schedule: '*/30 * * * *'
-  earliest_time: -30m
-  latest_time: now
+  cron_schedule: '1 * * * *'
+  earliest_time: -70m@m
+  latest_time: -10m@m
   schedule_window: auto
 alert_action:
   notable:

deployments/20_baseline_cache_hourly_updates.yml

@@ -0,0 +1,13 @@
+name: Baseline Cache Hourly Updates
+id: 1030c701-2acf-4b1a-9970-46c7145caf2d
+date: '2020-06-24'
+description: This configuration file applies to all baselines with tag deployments Hourly Cache Updates
+author: Bhavin Patel
+scheduling:
+  cron_schedule: '55 * * * *'
+  earliest_time: -70m@m
+  latest_time: -10m@m
+  schedule_window: auto
+tags:
+  deployments:
+    - Hourly Cache Updates

deployments/30_long_running_baseline_searches.yml

@@ -0,0 +1,13 @@
+name: Long Running Baseline Searches
+id: 6eac9f8b-a35d-4b64-b57f-e5ecde43be6b
+date: '2020-06-24'
+description: This configuration file applies to all baselines with tag deployments Long Running Baseline
+author: Bhavin Patel
+scheduling:
+  cron_schedule: '0 7 * * *'
+  earliest_time: -7d
+  latest_time: -now
+  schedule_window: auto
+tags:
+  deployments:
+    - Long Running Baseline

detections/abnormally_high_aws_instances_launched_by_user.yml

@@ -28,6 +28,8 @@ tags:
   - Suspicious AWS EC2 Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 13
   nist:

detections/abnormally_high_aws_instances_launched_by_user___mltk.yml

@@ -24,6 +24,8 @@ tags:
   - Suspicious AWS EC2 Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 13
   nist:

detections/abnormally_high_aws_instances_terminated_by_user.yml

@@ -28,6 +28,8 @@ tags:
   - Suspicious AWS EC2 Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 13
   nist:

detections/abnormally_high_aws_instances_terminated_by_user___mltk.yml

@@ -23,6 +23,8 @@ tags:
   - Suspicious AWS EC2 Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 13
   nist:

detections/aws_cloud_provisioning_from_previously_unseen_city.yml

@@ -37,6 +37,8 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
 tags:
   analytics_story:
   - AWS Suspicious Provisioning Activities
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 1
   nist:

detections/aws_cloud_provisioning_from_previously_unseen_country.yml

@@ -38,6 +38,8 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
 tags:
   analytics_story:
   - AWS Suspicious Provisioning Activities
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 1
   nist:

detections/aws_cloud_provisioning_from_previously_unseen_region.yml

@@ -37,6 +37,8 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
 tags:
   analytics_story:
   - AWS Suspicious Provisioning Activities
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 1
   nist:

detections/aws_cross_account_activity_from_previously_unseen_account.yml

@@ -15,8 +15,7 @@ author: David Dorsey, Splunk
 search: '`cloudtrail` eventName=AssumeRole | spath output=requestingAccountId path=userIdentity.accountId
   | spath output=requestedAccountId path=resources{}.accountId | search requestingAccountId=*
   | where requestingAccountId != requestedAccountId | inputlookup append=t previously_seen_aws_cross_account_activity
-  | multireport [| stats min(eval(coalesce(firstTime, _time)))
-  as firstTime max(eval(coalesce(lastTime, _time)))
+  | multireport [| stats min(eval(coalesce(firstTime, _time))) as firstTime max(eval(coalesce(lastTime, _time)))
   as lastTime by requestingAccountId, requestedAccountId | outputlookup previously_seen_aws_cross_account_activity
   | where fact=fiction] [| eventstats min(eval(coalesce(firstTime, _time))) as firstTime, 
   max(eval(coalesce(lastTime, _time))) as lastTime by requestingAccountId, requestedAccountId | where firstTime
@@ -35,6 +34,8 @@ tags:
   - AWS Cross Account Activity
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 16
   nist:

detections/cloud_compute_instance_created_by_previously_unseen_user.yml

@@ -28,6 +28,8 @@ tags:
   - Cloud Cryptomining
   cis20:
   - CIS 1
+  mitre_attack_id:
+  - T1078
   nist:
   - ID.AM
   security_domain: endpoint

detections/cloud_compute_instance_started_in_previously_unused_region.yml

@@ -29,6 +29,8 @@ tags:
   - Cloud Cryptomining
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 12
   nist:

detections/creation_of_shadow_copy_with_wmic_and_powershell.yml

@@ -4,20 +4,15 @@ version: 1
 date: '2019-12-10'
 description: This search detects the use of wmic and Powershell to create a shadow
   copy.
-how_to_implement: You must enable Powershell scriptblock logging in order to detect
-  this attack.This search uses an input macro named `sysmon`. We strongly recommend
-  that you specify your environment-specific configurations (index, source, sourcetype,
-  etc.) for Windows Sysmon logs. Replace the macro definition with configurations
-  for your Splunk environment. The search also uses a post-filter macro designed to
-  filter out known false positives.
 type: ESCU
 references:
 - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
 author: Patrick Bareiss, Splunk
-search: '`sysmon` Message=*win32_shadowcopy* Message=*Create* | stats count min(_time)
-  as firstTime max(_time) as lastTime by dvc User EventCode Message | rename User
-  as user, dvc as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
-  | `creation_of_shadow_copy_with_wmic_and_powershell_filter` '
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
+  where Processes.process_name=wmic* OR Processes.process_name=powershell* Processes.process=*shadowcopy* Processes.process=*create*
+  by Processes.user Processes.process_name Processes.process Processes.dest
+  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
+  | `creation_of_shadow_copy_with_wmic_and_powershell_filter`'
 known_false_positives: Legtimate administrator usage of wmic to create a shadow copy.
 tags:
   analytics_story:

detections/detect_aws_api_activities_from_unapproved_accounts.yml

@@ -51,6 +51,8 @@ tags:
   - Actions on Objectives
   cis20:
   - CIS 16
+  mitre_attack_id:
+  - T1078
   nist:
   - DE.DP
   - DE.CM

detections/detect_aws_console_login_by_user_from_new_city.yml

@@ -30,8 +30,11 @@ known_false_positives: When a legitimate new user logins for the first time, thi
 tags:
   analytics_story:
   - Suspicious AWS Login Activities
+  - Suspicious Cloud Authentication Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 16
   nist:

detections/detect_aws_console_login_by_user_from_new_country.yml

@@ -30,8 +30,11 @@ known_false_positives: When a legitimate new user logins for the first time, thi
 tags:
   analytics_story:
   - Suspicious AWS Login Activities
+  - Suspicious Cloud Authentication Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 16
   nist:

detections/detect_aws_console_login_by_user_from_new_region.yml

@@ -30,8 +30,11 @@ known_false_positives: When a legitimate new user logins for the first time, thi
 tags:
   analytics_story:
   - Suspicious AWS Login Activities
+  - Suspicious Cloud Authentication Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 16
   nist:

detections/detect_new_api_calls_from_user_roles.yml

@@ -28,6 +28,9 @@ known_false_positives: It is possible that there are legitimate user roles makin
 tags:
   analytics_story:
   - AWS User Monitoring
+  mitre_attack_id:
+  - T1078
+  - T1098
   cis20:
   - CIS 1
   nist:

detections/detect_new_open_s3_buckets.yml

@@ -25,6 +25,8 @@ tags:
   - Suspicious AWS S3 Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1530
   cis20:
   - CIS 13
   nist: