updating detections

splunk · Oct 31, 2023 · 54ac01b · 54ac01b
1 parent ed19ae9
commit 54ac01b
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 9 deletions.
diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml
@@ -21,7 +21,7 @@ search:
   as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source,
   dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type
   All_Risk.analyticstories | `drop_dm_object_name("All_Risk")` | eval "annotations.mitre_attack"="annotations.mitre_attack.mitre_technique_id",
-  risk_threshold=100 | where All_Risk.analyticstories IN ("Suspicious Okta Activity",
+  risk_threshold=100 | where analyticstories IN ("Suspicious Okta Activity",
   "Okta MFA Exhaustion")  risk_score > risk_threshold | `get_risk_severity(risk_score)`
   | `okta_risk_threshold_exceeded_filter`'
 how_to_implement:

diff --git a/detections/application/user_added_to_privileged_group.yml b/detections/application/user_added_to_privileged_group.yml
@@ -3,7 +3,7 @@ id: 187bf937-c436-4c65-bbcb-7539ffe02da1
 version: 1
 date: '2023-09-27'
 author: Dean Luxton
-status: production
+status: experimental
 type: TTP
 data_source:
 - XmlWinEventLog:Security

diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml
@@ -14,10 +14,7 @@ description: The following analytic utilises a known list of vulnerable Windows
   therefore it is up to the defender to identify version and signing info and confirm
   it is a vulnerable driver.
   This detection is a winventlog copy of the Sysmon driver loaded detection written by Michael Haag. 
-search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver"
-  | table _time dest EventCode ImagePath ServiceName ServiceType
-  | lookup loldrivers driver_name AS ImagePath OUTPUT is_driver driver_description
-  | search is_driver = TRUE  | `windows_vulnerable_driver_installed`'
+search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" | table _time dest EventCode ImagePath ServiceName ServiceType | lookup loldrivers driver_name AS ImagePath OUTPUT is_driver driver_description | search is_driver = TRUE  | `windows_vulnerable_driver_installed_filter`'
 how_to_implement: Ensure the Splunk is collecting XmlWinEventLog:System events and the EventCode 7045 is being ingested. 
 known_false_positives: False positives may be present. Drill down into the driver
   further by version number and cross reference by signer. Review the reference material

diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml
@@ -16,10 +16,10 @@ search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as
   as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone)
   as dest_zone values(src_zone) as src_zone by src_ip dest_port gtime transport |
   where totalDestIPCount>=250 | eval dest_port=transport + "/" + dest_port | stats
-  min(_time) as _time values(action) as action dc(totalDestIPCount) as totalDestIPCount
+  min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount
   values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone)
   as dest_zone values(src_zone) as src_zone by src_ip gtime | fields - gtime | `internal_horizontal_port_scan_filter`'
-how_to_implement: You must ensure that your network traffic data is populating the Network_Traffic data model.
+how_to_implement: Ensure your network traffic data is populating the Network_Traffic data model.
 known_false_positives: Unknown
 references: []
 tags:

diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml
@@ -21,7 +21,7 @@ search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as
   dest_ip transport gtime | eval totalDestPortCount=totalDestUdpPortCount+totalDestTcpPortCount,
   privilegedDestPortCount=privilegedDestTcpPortCount+privilegedDestUdpPortCount| where
   (totalDestPortCount>=500 AND privilegedDestPortCount>=20) | fields - gtime | `internal_vertical_port_scan_filter`'
-how_to_implement: You must ensure that your network traffic data is populating the Network_Traffic data model.
+how_to_implement: Ensure your network traffic data is populating the Network_Traffic data model.
 known_false_positives: Unknown
 references: []
 tags:
@@ -54,4 +54,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/vertical.log
+    source: aws:cloudwatchlogs:vpcflow
     sourcetype: aws:cloudwatchlogs:vpcflow
+    update_timestamp: true
diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml
@@ -0,0 +1,56 @@
+name: Internal Vulnerability Scan
+id: 46f946ed-1c78-4e96-9906-c7a4be15e39b
+version: 1
+date: '2023-10-27'
+author: Dean Luxton
+status: Experimental
+type: TTP
+data_source: []
+description: This analytic detects internal hosts triggering multiple IDS signatures (either more than 25 signatures against a single host, or a single signature across over 25 destinations), which can be indicative of active vulnerability scanning performed within the network.
+search: '| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action
+  values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category)
+  as dest_category count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.src
+  IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical,
+  high, medium) by IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature IDS_Attacks.dest
+  IDS_Attacks.dest_port IDS_Attacks.transport span=1s _time | `drop_dm_object_name("IDS_Attacks")`
+  | eval gtime=_time | bin span=1h gtime | eventstats count as sevCount by severity
+  src | eventstats count as sigCount by signature src | eval severity=severity +"("+sevCount+")"
+  | eval signature=signature +"("+sigCount+")" | eval dest_port=transport + "/" +
+  dest_port | stats min(_time) as _time values(action) as action dc(dest) as destCount
+  dc(signature) as sigCount values(signature) values(src_category) as src_category
+  values(dest_category) as dest_category values(severity) as severity values(dest_port)
+  as dest_ports by src gtime | fields - gtime | where destCount>25 OR sigCount>25
+  | `internal_vulnerability_scan_filter`'
+how_to_implement: CIM mapped IDS/IPS logs are a required to drive this detection.
+known_false_positives: Vulnerability Scanners and informational / low severity signatures. 
+references: []
+tags:
+  analytic_story:
+  - Network Discovery
+  asset_type: Endpoint
+  confidence: 80
+  impact: 80
+  message: Large volume of IDS signatures triggered by $src$
+  mitre_attack_id:
+  - T1595.002
+  - T1046
+  observable:
+  - name: src_ip
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 64
+  required_fields:
+  - _time
+  - IDS_Attacks.action
+  - IDS_Attacks.src
+  - IDS_Attacks.dest
+  - IDS_Attacks.dest_port
+  - IDS_Attacks.severity
+  - IDS_Attacks.signature
+  - IDS_Attacks.transport
+  security_domain: network