Merge pull request #2848 from splunk/release_v4.12.0

Release 4.12.0

baselines/baseline_of_smb_traffic___mltk.yml

@@ -14,7 +14,7 @@ description: This search is used to build a Machine Learning Toolkit (MLTK) mode
   week.
 search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic
   where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb
-  by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval
+  by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval
   DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name("All_Traffic")` | fit DensityFunction
   count by "HourOfDay,DayOfWeek" into smb_pdfmodel'
 how_to_implement: You must be ingesting network traffic and populating the Network_Traffic

detections/application/splunk_edit_user_privilege_escalation.yml

@@ -20,7 +20,8 @@ tags:
   atomic_guid: []
   confidence: 80
   impact: 80
-  cve: []
+  cve:
+  - CVE-2023-32707
   message: Possible attempt to abuse edit_user function by $user$ 
   mitre_attack_id:
   - T1548

detections/application/web_servers_executing_suspicious_processes.yml

@@ -15,12 +15,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*")
   by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`'
-how_to_implement: You must be ingesting data that records process activity from your
-  hosts to populate the Endpoint data model in the Processes node. You must also be
-  ingesting logs with both the process name and command line from your endpoints.
-  The command-line arguments are mapped to the "process" field in the Endpoint data
-  model. In addition, web servers will need to be identified in the Assets and Identity
-  Framework of Enterprise Security.
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
 known_false_positives: Some of these processes may be used legitimately on web servers
   during maintenance or other administrative tasks.
 references: []

detections/deprecated/execution_of_file_with_spaces_before_extension.yml

@@ -15,10 +15,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces
   where Processes.process = "*     .*" by Processes.dest Processes.user Processes.process
   Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
   | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter`'
-how_to_implement: To successfully implement this search, you must be ingesting data
-  that records process activity from your hosts to populate the endpoint data model
-  in the processes node. If you are using Sysmon, you must have at least version 6.0.4
-  of the Sysmon TA.
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
 known_false_positives: None identified.
 references: []
 tags:

detections/deprecated/first_time_seen_command_line_argument.yml

@@ -21,15 +21,15 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_
   previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(),
   "-70m@m"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` '
-how_to_implement: You must be ingesting data that records process activity from your
-  hosts to populate the Endpoint data model in the Processes node. You must be ingesting
-  logs with both the process name and command line from your endpoints. The complete
-  process name with command-line arguments are mapped to the "process" field in the
-  Endpoint data model. Please make sure you run the support search "Previously seen
-  command line arguments,"—which creates a lookup file called `previously_seen_cmd_line_arguments.csv`—a
-  historical baseline of all command-line arguments. You must also validate this list.
-  For the search to do accurate calculation, ensure the search scheduling is the same
-  value as the `relative_time` evaluation function.
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
 known_false_positives: Legitimate programs can also use command-line arguments to
   execute. Please verify the command-line arguments to check what command/program
   is being executed. We recommend customizing the `first_time_seen_cmd_line_filter`

detections/deprecated/processes_created_by_netsh.yml

@@ -19,9 +19,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces
   where Processes.process_name=netsh.exe by Processes.user Processes.dest Processes.parent_process
   Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter`'
-how_to_implement: To successfully implement this search, you must be ingesting logs
-  with the process name, command-line arguments, and parent processes from your endpoints.
-  If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
 known_false_positives: It is unusual for netsh.exe to have any child processes in
   most environments. It makes sense to investigate the child process and verify whether
   the process spawned is legitimate. We explicitely exclude "C:\Program Files\rempl\sedlauncher.exe"

detections/deprecated/prohibited_software_on_endpoint.yml

@@ -1,52 +1,48 @@
 name: Prohibited Software On Endpoint
 id: a51bfe1a-94f0-48cc-b4e4-b6ae50145893
 version: 2
-date: "2019-10-11"
+date: '2019-10-11'
 author: David Dorsey, Splunk
 status: deprecated
 type: Hunting
-description:
-  This search looks for applications on the endpoint that you have marked
+description: This search looks for applications on the endpoint that you have marked
   as prohibited.
 data_source:
-  - Sysmon Event ID 1
-search:
-  "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+- Sysmon Event ID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name
   | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)`
-  | `prohibited_processes` | `prohibited_software_on_endpoint_filter`"
-how_to_implement:
-  To successfully implement this search, you must be ingesting data
-  that records process activity from your hosts to populate the endpoint data model
-  in the processes node. This is typically populated via endpoint detection-and-response
-  product, such as Carbon Black or endpoint data sources, such as Sysmon. The data
-  used for this search is usually generated via logs that report process tracking
-  in your Windows audit settings. In addition, you must also have only the `process_name`
-  (not the entire process path) marked as "prohibited" in the Enterprise Security
-  `interesting processes` table. To include the process names marked as "prohibited",
-  which is included with ES Content Updates, run the included search <code>Add Prohibited
-  Processes to Enterprise Security</code>.
+  | `prohibited_processes` | `prohibited_software_on_endpoint_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
 known_false_positives: None identified
 references: []
 tags:
   analytic_story:
-    - Monitor for Unauthorized Software
-    - "Emotet Malware  DHS Report TA18-201A "
-    - SamSam Ransomware
+  - Monitor for Unauthorized Software
+  - 'Emotet Malware  DHS Report TA18-201A '
+  - SamSam Ransomware
   asset_type: Endpoint
   confidence: 50
   impact: 50
   message: tbd
   observable:
-    - name: field
-      type: Unknown
-      role:
-        - Unknown
+  - name: field
+    type: Unknown
+    role:
+    - Unknown
   product:
-    - Splunk Enterprise
-    - Splunk Enterprise Security
-    - Splunk Cloud
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
   required_fields:
-    - _times
+  - _times
   risk_score: 25
   security_domain: endpoint

detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml

@@ -15,11 +15,15 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as
   Processes.process="*REG_DWORD*" by Processes.process_name Processes.parent_process_name
   Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
   |`security_content_ctime(lastTime)`| regex process = "(/d\s+2)" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`'
-how_to_implement: You must be ingesting data that records process activity from your
-  hosts to populate the Endpoint data model in the Processes node. You must also be
-  ingesting logs with both the process name and command line from your endpoints.
-  The command-line arguments are mapped to the "process" field in the Endpoint data
-  model.
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
 known_false_positives: None at the moment
 references: []
 tags:

detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml

@@ -16,11 +16,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   "*delete*") by Processes.parent_process Processes.process_name Processes.user |
   `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`
   | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter`'
-how_to_implement: You must be ingesting data that records process activity from your
-  hosts to populate the Endpoint data model in the Processes node. You must also be
-  ingesting logs with both the process name and command line from your endpoints.
-  The command-line arguments are mapped to the "process" field in the Endpoint data
-  model.
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
 known_false_positives: No known false positives
 references: []
 tags:

detections/deprecated/suspicious_changes_to_file_associations.yml

@@ -19,10 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   as registry_path count from datamodel=Endpoint.Registry where Registry.registry_path=*\\Explorer\\FileExts*
   by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` | table
   process_id dest registry_path]| `suspicious_changes_to_file_associations_filter` '
-how_to_implement: To successfully implement this search you need to be ingesting information
-  on registry changes that include the name of the process responsible for the changes
-  from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry`
-  nodes.
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
 known_false_positives: There may be other processes in your environment that users
   may legitimately use to modify file associations. If this is the case and you are
   finding false positives, you can modify the search to add those processes as exceptions.

detections/deprecated/suspicious_powershell_command_line_arguments.yml

@@ -20,11 +20,15 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces
   by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  |
   `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
   search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `suspicious_powershell_command_line_arguments_filter`'
-how_to_implement: You must be ingesting data that records process activity from your
-  hosts to populate the Endpoint data model in the Processes node. You must also be
-  ingesting logs with both the process name and command line from your endpoints.
-  The command-line arguments are mapped to the "process" field in the Endpoint data
-  model.
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
 known_false_positives: Legitimate process can have this combination of command-line
   options, but it's not common.
 references: []

detections/deprecated/suspicious_rundll32_rename.yml

@@ -19,11 +19,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
   Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `suspicious_rundll32_rename_filter`'
-how_to_implement: To successfully implement this search you need to be ingesting information
-  on process that include the name of the process responsible for the changes from
-  your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
-  confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
-  endpoint product.
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
 known_false_positives: Although unlikely, some legitimate applications may use a moved
   copy of rundll32, triggering a false positive.
 references: