final final

splunk · Jul 9, 2024 · d18dcaa · d18dcaa
1 parent 8e577b3
commit d18dcaa
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 5 deletions.
diff --git a/.github/workflows/format_test_results.py b/.github/workflows/format_test_results.py
@@ -40,7 +40,7 @@ def main():
                 test_type = test['test_type'].strip()
                 exception = test.get('exception', 'N/A')  # Get exception if exists, else 'N/A'
                 if status == 'FAIL':
-                    print(f"{name:<80} | 🔴 {status:<6} | {test_type:<10} | {exception:<50}")
+                    print(f"{name:<80} | 🔴 {status:<6}  | {test_type:<10} | {exception:<50}")
                 else:
                     print(f"{name:<80} | 🟢  {status:<6} | {test_type:<10} | {'-':<50}")
     # Print table footer

diff --git a/detections/application/crushftp_server_side_template_injection.yml b/detections/application/crushftp_server_side_template_injection.yml
@@ -1,6 +1,6 @@
 name: CrushFTP Server Side Template Injection
 id: ccf6b7a3-bd39-4bc9-a949-143a8d640dbc
-version: 3
+version: 1
 date: '2024-05-16'
 author: Michael Haag, Splunk
 data_source: []

diff --git a/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml b/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml
@@ -15,7 +15,7 @@ description: The following analytic identifies DNS queries to domains associated
   malicious, this activity could allow attackers to establish a foothold in the network,
   exfiltrate sensitive data, or further propagate malware, leading to extensive damage
   and data breaches.
-search: 'x| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time)
+search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time)
   as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup
   3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter`'

diff --git a/detections/endpoint/7zip_commandline_to_smb_share_path.yml b/detections/endpoint/7zip_commandline_to_smb_share_path.yml
@@ -1,6 +1,6 @@
 name: 7zip CommandLine To SMB Share Path
 id: 01d29b48-ff6f-11eb-b81e-acde48001123
-version: 3
+version: 2
 date: '2024-05-17'
 author: Teoderick Contreras, Splunk
 status: production
@@ -14,7 +14,7 @@ description: The following analytic detects the execution of 7z or 7za processes
   sensitive information and potentially aiding further attacks.
 data_source:
 - Sysmon EventID 1
-search: 'x| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where (Processes.process_name ="7z.exe"
   OR Processes.process_name = "7za.exe" OR Processes.original_file_name = "7z.exe"
   OR Processes.original_file_name =  "7za.exe") AND (Processes.process="*\\C$\\*"