Updating detections and adding a new one

detections/network/detect_large_outbound_icmp_packets.yml

@@ -14,13 +14,14 @@ description: The following analytic identifies outbound ICMP packets with a size
   maintain covert communication channels, exfiltrate sensitive data, or further compromise
   the network.
 data_source: []
-search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime
-  latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from
+search: >- 
+  | tstats `security_content_summariesonly` count earliest(_time) as firstTime
+  latest(_time) as lastTime values(All_Traffic.action) as action values(All_Traffic.bytes) as bytes from
   datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category
   !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes
-  > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")`
-  | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16)
-  | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`'
+  > 1000 AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")`
+  | iplocation dest_ip
+  | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`
 how_to_implement: 'In order to run this search effectively, we highly recommend that
   you leverage the Assets and Identity framework. It is important that you have a
   good understanding of how your network segments are designed and that you are able
@@ -44,11 +45,15 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: tbd
+  message: Detect Large Outbound ICMP Packets Detected from $src_ip$ to $dest_ip$
   mitre_attack_id:
   - T1095
   observable:
-  - name: dest
+  - name: dest_ip
+    type: Hostname
+    role:
+    - Victim
+  - name: src_ip
     type: Hostname
     role:
     - Victim

detections/network/detect_outbound_smb_traffic.yml

@@ -14,16 +14,13 @@ description: The following analytic detects outbound SMB (Server Message Block)
   this activity could lead to unauthorized access to sensitive data and potential
   full system compromise.
 data_source: []
-search: '| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time)
-  as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app
-  values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port
-  values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed
-  All_Traffic.direction=outbound All_Traffic.dest_port=139 OR All_Traffic.dest_port=445
-  OR All_Traffic.app="smb") by All_Traffic.src_ip | `drop_dm_object_name("All_Traffic")`
-  | eval match=case( cidrmatch("10.0.0.0/8" ,dest_ip) ,"1", cidrmatch("172.16.0.0/12"
-  ,dest_ip) ,"1", cidrmatch("192.168.0.0/16" ,dest_ip) ,"1", cidrmatch("100.64.0.0/10"
-  ,dest_ip) ,"1", 1=1,"0") | search match=0 | fields -  match | `security_content_ctime(start_time)`
-  | `security_content_ctime(end_time)` | `detect_outbound_smb_traffic_filter`'
+search: >-
+  | tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") AND All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10") by All_Traffic.src_ip  All_Traffic.dest_ip All_Traffic.dest_port
+  | `drop_dm_object_name("All_Traffic")` 
+  | `security_content_ctime(start_time)` 
+  | `security_content_ctime(end_time)` 
+  | iplocation dest_ip
+  | `detect_outbound_smb_traffic_filter`
 how_to_implement: 'This search also requires you to be ingesting your network traffic
   and populating the Network_Traffic data model'
 known_false_positives: It is likely that the outbound Server Message Block (SMB) traffic

detections/network/internal_horizontal_port_scan_nmap_top_20.yml

@@ -0,0 +1,64 @@
+name: Internal Horizontal Port Scan NMAP Top 20
+id: 3141a041-4f57-4277-9faa-9305ca1f8e5b
+version: 1
+date: '2024-09-25'
+author: Dean Luxton
+status: production
+type: TTP
+data_source:
+- AWS CloudWatchLogs VPCflow
+description: This analytic identifies instances where an internal host has attempted to communicate
+  with 250 or more destination IP addresses using on of the NMAP top 20 ports. Horizontal
+  port scans from internal hosts can indicate reconnaissance or scanning activities,
+  potentially signaling malicious intent or misconfiguration. By monitoring network
+  traffic logs, this detection helps detect and respond to such behavior promptly,
+  enhancing network security and preventing potential threats.
+search: >-
+  | tstats summariesonly=true fillnull_value=null values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND All_Traffic.dest_port IN (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080) by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip span=1s _time All_Traffic.transport 
+  | `drop_dm_object_name("All_Traffic")` 
+  | eval gtime=_time 
+  | bin span=1h gtime 
+  | stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip dest_port gtime transport 
+  | where totalDestIPCount>=250 
+  | eval dest_port=transport + "/" + dest_port 
+  | stats min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip gtime 
+  | fields - gtime 
+  | `internal_horizontal_port_scan_nmap_top_20_filter`
+how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as 
+  firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to 
+  enable this search effectively.
+known_false_positives: Unknown
+references: []
+tags:
+  analytic_story:
+  - Network Discovery
+  asset_type: Endpoint
+  confidence: 80
+  impact: 90
+  message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination IPs
+  mitre_attack_id:
+  - T1046
+  observable:
+  - name: src_ip
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 72
+  required_fields:
+  - _time
+  - All_Traffic.action
+  - All_Traffic.src_ip
+  - All_Traffic.dest_ip
+  - All_Traffic.dest_port
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log
+    source: aws:cloudwatchlogs:vpcflow
+    sourcetype: aws:cloudwatchlogs:vpcflow
+    update_timestamp: true

detections/network/remote_desktop_network_bruteforce.yml

@@ -14,12 +14,13 @@ description: The following analytic identifies potential Remote Desktop Protocol
   to gain unauthorized access to systems via RDP. If confirmed malicious, this could
   lead to unauthorized access, data exfiltration, or further network compromise.
 data_source: []
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src
-  All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count)
-  AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src
-  AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50
-  stdev | `remote_desktop_network_bruteforce_filter`'
+search: >-
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) AND All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest All_Traffic.dest_port 
+  | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 
+  | where count>(avg + stdev*2) 
+  | rename All_Traffic.src AS src All_Traffic.dest AS dest 
+  | table firstTime lastTime src dest count avg p50 stdev 
+  | `remote_desktop_network_bruteforce_filter`
 how_to_implement: You must ensure that your network traffic data is populating the
   Network_Traffic data model.
 known_false_positives: RDP gateways may have unusually high amounts of traffic from
@@ -41,6 +42,10 @@ tags:
     type: Hostname
     role:
     - Victim
+  - name: src
+    type: Hostname
+    role:
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

detections/network/remote_desktop_network_traffic.yml

@@ -40,7 +40,7 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: tbd
+  message: Remote Desktop Network Traffic Anomaly Detected from $src$ to $dest$
   mitre_attack_id:
   - T1021.001
   - T1021

detections/network/smb_traffic_spike.yml

@@ -30,12 +30,12 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: tbd
+  message: Anomalous splike of SMB traffic sent from $src$
   mitre_attack_id:
   - T1021.002
   - T1021
   observable:
-  - name: dest
+  - name: src
     type: Hostname
     role:
     - Victim

detections/network/unusually_long_content_type_length.yml → detections/web/unusually_long_content_type_length.yml

@@ -14,9 +14,15 @@ description: The following analytic identifies unusually long strings in the Con
   or bypass security controls, potentially leading to unauthorized access or data
   breaches.
 data_source: []
-search: '`stream_http` | eval cs_content_type_length = len(cs_content_type) | where
-  cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length
-  cs_content_type url | `unusually_long_content_type_length_filter`'
+search: >-
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web by Web.src Web.dest Web.url Web.http_user_agent Web.http_content_type
+  | `drop_dm_object_name("Web")` 
+  | eval http_content_type_length = len(http_content_type) 
+  | where http_content_type_length > 100
+  | table firstTime lastTime src dest http_content_type_length http_content_type url http_user_agent
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `unusually_long_content_type_length_filter`
 how_to_implement: This particular search leverages data extracted from Stream:HTTP.
   You must configure the http stream using the Splunk Stream App on your Splunk Stream
   deployment server to extract the cs_content_type field.
@@ -29,12 +35,16 @@ tags:
   asset_type: Web Server
   confidence: 50
   impact: 50
-  message: tbd
+  message: Unusually Long Content-Type Length ($http_content_type_length$ characters) In Web Request from $src$
   observable:
   - name: dest
     type: Hostname
     role:
     - Victim
+  - name: src
+    type: Hostname
+    role:
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security