From 84e26f3d029a61d6a851c3cc43d8df0a05af78ac Mon Sep 17 00:00:00 2001 From: Zachary Christensen Date: Wed, 6 Dec 2023 11:15:57 -0700 Subject: [PATCH] added formatting and added to nav Signed-off-by: Zachary Christensen --- docs/searches/index.md | 8 ++++++++ docs/searches/threat_object_prevalence.md | 15 ++++++++------- docs/searches/threat_object_types.md | 22 ++++++++++++++-------- mkdocs.yml | 9 +++++---- 4 files changed, 35 insertions(+), 19 deletions(-) diff --git a/docs/searches/index.md b/docs/searches/index.md index 10b0c8d..5b48908 100644 --- a/docs/searches/index.md +++ b/docs/searches/index.md 
@@ -43,3 +43,11 @@ ADDITIONALLY, this frees risk_message to be used as a short and sweet summary ra ## [Risk Notable History](./risk_notable_history.md) Tyler Younger from the RBA Slack contributed this handy method for including some useful history of risk notables for that risk object when it fires. I played with it a bit and created a version I might use in a dashboard for additional context. You should check with your analysts to see what would be most helpful for them. + +## [Threat Object Prevalence](./threat_object_prevalence.md) + +One of the great features in RBA is knowing how often something has occurred in an environment; generally, the more rare or anomalous something is, the more likely it is to be malicious. The threat object drilldown in the sample [Risk Investigation Dashboard](https://splunk.github.io/rba/dashboards/risk_investigation/){ target="blank" } is designed to offer an analyst that context, but with a simple saved search, we could use that context in our Risk Notables as well. + +## [Threat Object Types](./threat_object_types.md) + +Increasing the number of threat object types you track in Risk Rules can be really helpful for tuning noisy alerts, threat hunting on anomalous combinations, and automating SOAR enrichment to unique threat object types. Haylee and Stuart's [Threat Object Fun dashboards](https://splunkbase.splunk.com/app/6917){ target="blank" } can be helpful for all three. \ No newline at end of file diff --git a/docs/searches/threat_object_prevalence.md b/docs/searches/threat_object_prevalence.md index 76bc611..6ceebf5 100644 --- a/docs/searches/threat_object_prevalence.md +++ b/docs/searches/threat_object_prevalence.md 
@@ -1,10 +1,10 @@ - # Threat Object Prevalence +# Threat Object Prevalence - One of my favorite features in RBA is knowing how often something has occurred in an environment; generally, the more rare or anomalous something is, the more likely it is to be malicious. The threat object drilldown in the sample [Risk Investigation Dashboard](https://splunk.github.io/rba/dashboards/risk_investigation/) is designed to offer an analyst that context, but with a simple saved search, we could use that context in our Risk Notables as well. +One of my favorite features in RBA is knowing how often something has occurred in an environment; generally, the more rare or anomalous something is, the more likely it is to be malicious. The threat object drilldown in the sample [Risk Investigation Dashboard](https://splunk.github.io/rba/dashboards/risk_investigation/){ target="blank" } is designed to offer an analyst that context, but with a simple saved search, we could use that context in our Risk Notables as well. - ## Create a Saved Search +## Create a Saved Search - You'll have to decide how often you want this information updated, but utilizing `tstats` against the Risk Index means this should be pretty snappy and could run pretty frequently over a long timeframe. Create a new saved search with this logic: +You'll have to decide how often you want this information updated, but utilizing `tstats` against the Risk Index means this should be pretty snappy and could run pretty frequently over a long timeframe. Create a new saved search with this logic: ```shell linenums="1" | tstats summariesonly=t count dc(All_risk.risk_object) as dc_objects earliest(_time) as first_time latest(_time) as last_time from datamodel=Risk.All_Risk by All_Risk.threat_object 
@@ -13,11 +13,11 @@ | outputlookup threat_object_count.csv ``` -You might want to include more details here, like lists of searches that fired this threat object and so on. +!!! note "You might want to include more details here, like lists of searches that fired this threat object and so on." ## Incorporating into Risk Notables -Because of potential overlaps in multi-value fields for threat object, we need to change our initial `tstats` logic to keep them separate until after we enrich. I will use the base logic for the [limit score stacking](https://github.com/splunk/rba/blob/main/docs/searches/limit_score_stacking.md) Risk Incident Rule with some modifications: +Because of potential overlaps in multi-value fields for threat object, we need to change our initial `tstats` logic to keep them separate until after we enrich. I will use the base logic for the [limit score stacking](https://github.com/splunk/rba/blob/main/docs/searches/limit_score_stacking.md){ target="blank" } Risk Incident Rule with some modifications: ```shell linenums="1" | tstats `summariesonly` @@ -46,4 +46,5 @@ from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type, We have to keep in mind order of operations to ensure our logic continues working as intended. I took out the `values()` piece for threat_object, and add it to the `BY` clause so we keep things separate while we enrich with our lookup. Then I utilize that information to adjust the risk score of events which happen a lot, especially when observed on multiple machines. Finally I wrapped it back up with `stats` to utilize our score stacking logic again, now informed by our threat object prevalence adjustments. -<> + diff --git a/docs/searches/threat_object_types.md b/docs/searches/threat_object_types.md index 646525f..821ed48 100644 --- a/docs/searches/threat_object_types.md +++ b/docs/searches/threat_object_types.md 
@@ -1,10 +1,14 @@ # Additional Threat Object Types -Increasing the number of threat object types you track in Risk Rules can be really helpful for tuning noisy alerts, threat hunting on anomalous combinations, and automating SOAR enrichment to unique threat object types. Haylee and Stuart's [Threat Object Fun dashboards](https://splunkbase.splunk.com/app/6917) can be helpful for all three. +Increasing the number of threat object types you track in Risk Rules can be really helpful for tuning noisy alerts, threat hunting on anomalous combinations, and automating SOAR enrichment to unique threat object types. Haylee and Stuart's [Threat Object Fun dashboards](https://splunkbase.splunk.com/app/6917){ target="blank" } can be helpful for all three. + + +## Threat Object Types Some potential threat_object_types to keep in mind when creating risk rules: source | threat_object_type +------ | ------------------ email, endpoint, network, proxy | ip email, endpoint, proxy | src_user email, endpoint, proxy | user @@ -34,11 +38,13 @@ proxy | certificate_unit proxy | http_referrer proxy | http_user_agent -You could also use open-source server handshake hashing algorithms like [JA3](https://github.com/salesforce/ja3), [JA4](https://github.com/FoxIO-LLC/ja4), [JARM](https://github.com/salesforce/jarm), or [CYU](https://github.com/salesforce/GQUIC_Protocol_Analyzer) to identify anomalous server handshakes and potentially include: +## Other Types + +You could also use open-source server handshake hashing algorithms like [JA3](https://github.com/salesforce/ja3){ target="blank" }, [JA4](https://github.com/FoxIO-LLC/ja4){ target="blank" }, [JARM](https://github.com/salesforce/jarm){ target="blank" }, or [CYU](https://github.com/salesforce/GQUIC_Protocol_Analyzer){ target="blank" } to identify anomalous server handshakes and potentially include: -ja3_hash -ja3s_hash -ja4_hash -jarm_hash -cyu_hash -asn +- ja3_hash +- ja3s_hash +- ja4_hash +- jarm_hash +- cyu_hash +- asn 
diff --git a/mkdocs.yml b/mkdocs.yml index 0e7fd3f..7b7b2e6 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -42,8 +42,8 @@ markdown_extensions: - pymdownx.critic - pymdownx.details - pymdownx.emoji: - emoji_index: !!python/name:materialx.emoji.twemoji - emoji_generator: !!python/name:materialx.emoji.to_svg + emoji_index: !!python/name:material.extensions.emoji.twemoji + emoji_generator: !!python/name:material.extensions.emoji.to_svg - pymdownx.highlight: anchor_linenums: true line_spans: __span @@ -119,6 +119,8 @@ nav: - Risk Incident Rules: searches/risk_incident_rule_ideas.md - Risk info field: searches/risk_info_event_detail.md - Risk Notable History: searches/risk_notable_history.md + - Threat Object Prevalence: searches/threat_object_prevalence.md + - Threat Object Types: searches/threat_object_types.md - Dashboards: - dashboards/index.md - ATT&CK Matrix Risk: dashboards/attack_matrix_risk.md @@ -129,5 +131,4 @@ nav: - Risk Notable Analysis: dashboards/risk_notable_analysis_dashboard.md - Contributing: - Contributing Guidelines: contributing/contributing-guidelines.md - - Contributors: contributing/contributors.md - + - Contributors: contributing/contributors.md \ No newline at end of file
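Review bot: in the docs/searches/index.md hunk (and again in the threat_object_prevalence.md and threat_object_types.md hunks), `{ target="blank" }` does not do what the name suggests: in HTML, `blank` is an ordinary browsing-context name, so every link tagged this way opens in, and then reuses, a single tab called "blank", whereas the keyword that opens a fresh tab each time is `_blank`. Suggest `{ target="_blank" }` throughout, and since these are external links, `{ target="_blank" rel="noopener" }` so the opened page cannot reach back to `window.opener` on browsers that do not imply noopener. This attribute syntax also depends on the `attr_list` markdown extension; the mkdocs.yml hunk shows the pymdownx extensions but not `attr_list`, so confirm it is enabled or the braces will render literally. Minor: the file now ends with `\ No newline at end of file`; keep a trailing newline.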
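Review bot: in the threat_object_prevalence.md hunk at `@@ -13,11 +13,11 @@`, the whole sentence has been moved into the admonition title, `!!! note "You might want to include more details here, like lists of searches that fired this threat object and so on."`, leaving the body empty. Material renders that as a title-only box with a very long caption. Suggest a short title and the sentence as the indented body, e.g. `!!! note` on one line and the sentence indented four spaces beneath it. Removing the stray `<>` at the end of the file is a good cleanup.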
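Review bot: in the threat_object_types.md hunk at `@@ -1,10 +1,14 @@`, the two consecutive blank lines before `## Threat Object Types` should be collapsed to one to match the rest of the page. The added `------ | ------------------` separator row is what makes the table render as a table rather than plain text, so keep it; with it in place the `source | threat_object_type` header row finally lines up with the body rows.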
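Review bot: in the threat_object_types.md hunk at `@@ -34,11 +38,13 @@`, the rewritten line still calls JA3, JA4, JARM and CYU "server handshake hashing algorithms", which is imprecise and will mislead analysts about which side each hash describes: JA3 fingerprints the TLS Client Hello (the `ja3s_hash` field in the list is the Server Hello variant), JA4 also has client- and server-side components, JARM is an active server-probing fingerprint, and CYU fingerprints the GQUIC client hello. Suggest "TLS/QUIC handshake fingerprinting" and a word per field about which endpoint it identifies. Also, `asn` is not a handshake fingerprint; it probably belongs in the `source | threat_object_type` table above alongside the network and proxy sources. Converting the bare field names to `- ` bullets is a good change.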
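Review bot: in the mkdocs.yml hunk at `@@ -42,8 +42,8 @@`, switching `!!python/name:materialx.emoji.twemoji` to `!!python/name:material.extensions.emoji.twemoji` (and `to_svg` likewise) is the mkdocs-material 9.4+ migration away from the deprecated materialx package, which is unrelated to the commit subject "added formatting and added to nav". Either call it out in the commit message or split it into its own commit, and pin `mkdocs-material>=9.4` in the docs build requirements, because `material.extensions.emoji` does not exist in older releases and the YAML load will fail at build time.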
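Review bot: in the mkdocs.yml hunk at `@@ -129,5 +131,4 @@`, the removal of the final blank line also drops the file's trailing newline (`\ No newline at end of file`). Keep a single newline at the end of the file so the next edit to this line does not show up as a spurious change to `- Contributors: contributing/contributors.md`. The two new nav entries in the `@@ -119,6 +119,8 @@` hunk match the filenames added under docs/searches/, so that part is fine.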