merged with develop

splunk · Jul 24, 2024 · 4c0d7f4 · 4c0d7f4
1 parent b3f2bb4
commit 4c0d7f4
Show file tree

Hide file tree

Showing 11 changed files with 23 additions and 33 deletions.
diff --git a/data_sources/AWS_CloudWatchLogs_VPCflow.yml b/data_sources/AWS_CloudWatchLogs_VPCflow.yml
@@ -8,9 +8,9 @@ source: aws_cloudwatchlogs_vpcflow
 sourcetype: aws:cloudwatchlogs:vpcflow
 separator: eventName
 supported_TA:
-  name: Splunk Add-on for Amazon Web Services (AWS)
-  version: 7.4.1
-  url: https://splunkbase.splunk.com/app/1876
+  - name: Splunk Add-on for Amazon Web Services (AWS)
+    version: 7.4.1
+    url: https://splunkbase.splunk.com/app/1876
 fields:
 - _raw
 - _time

diff --git a/dist/api/detections.json b/dist/api/detections.json
diff --git a/dist/api/lookups.json b/dist/api/lookups.json
diff --git a/dist/api/macros.json b/dist/api/macros.json
diff --git a/dist/api/stories.json b/dist/api/stories.json
diff --git a/dist/api/version.json b/dist/api/version.json
@@ -1,5 +1 @@
-<<<<<<< HEAD
-{"version": {"name": "v4.35.0", "published_at": "2024-07-24T11:19:51Z"}}
-=======
-{"version": {"name": "v4.35.0", "published_at": "2024-07-17T00:25:05Z"}}
->>>>>>> develop
+{"version": {"name": "v4.35.0", "published_at": "2024-07-24T11:51:57Z"}}
diff --git a/dist/ssa/srs/ssa___create_local_admin_accounts_using_net_exe.yml b/dist/ssa/srs/ssa___create_local_admin_accounts_using_net_exe.yml
@@ -1,7 +1,7 @@
 name: Create Local Admin Accounts Using Net Exe
-id: 2dbdfc95-9c0f-433e-95f1-a376f1ae8bf7
+id: 890f0937-5a83-48fb-b793-68f792ded5db
 version: 3
-status: validation
+status: production
 detection_type: STREAMING
 description: The following analytic detects the creation of local administrator accounts
   using the net.exe command to mitigate the risks associated with unauthorized access
@@ -55,7 +55,7 @@ search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = me
     risk_level_id = 1,
     risk_score = 30,
     severity_id = 0,
-    rule = {"name": "Create Local Admin Accounts Using Net Exe", "uid": "2dbdfc95-9c0f-433e-95f1-a376f1ae8bf7", "type": "Streaming"},
+    rule = {"name": "Create Local Admin Accounts Using Net Exe", "uid": "890f0937-5a83-48fb-b793-68f792ded5db", "type": "Streaming"},
     metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()},
     type_uid = 10200101,
     start_time = timestamp,
@@ -84,7 +84,7 @@ tags:
   risk_score: 30
   security_domain: endpoint
   risk_severity: low
-  research_site_url: https://research.splunk.com/endpoint/2dbdfc95-9c0f-433e-95f1-a376f1ae8bf7/
+  research_site_url: https://research.splunk.com/endpoint/890f0937-5a83-48fb-b793-68f792ded5db/
   event_schema: ocsf
   mappings:
   - ocsf: process.pid

diff --git a/dist/ssa/srs/ssa___create_local_user_accounts_using_net_exe.yml b/dist/ssa/srs/ssa___create_local_user_accounts_using_net_exe.yml
@@ -1,7 +1,7 @@
 name: Create Local User Accounts Using Net Exe
-id: 1ee0fff0-9642-421b-8e13-9aa6fba4ace3
+id: 3e66edb4-b4dc-4b65-b57f-779a88d7d1d9
 version: 6
-status: validation
+status: production
 detection_type: STREAMING
 description: The following analytic detects the creation of local administrator accounts
   using the net.exe command to mitigate the risks associated with unauthorized access
@@ -51,7 +51,7 @@ search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = me
     risk_level_id = 0,
     risk_score = 9,
     severity_id = 0,
-    rule = {"name": "Create Local User Accounts Using Net Exe", "uid": "1ee0fff0-9642-421b-8e13-9aa6fba4ace3", "type": "Streaming"},
+    rule = {"name": "Create Local User Accounts Using Net Exe", "uid": "3e66edb4-b4dc-4b65-b57f-779a88d7d1d9", "type": "Streaming"},
     metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()},
     type_uid = 10200101,
     start_time = timestamp,
@@ -80,7 +80,7 @@ tags:
   risk_score: 9
   security_domain: endpoint
   risk_severity: low
-  research_site_url: https://research.splunk.com/endpoint/1ee0fff0-9642-421b-8e13-9aa6fba4ace3/
+  research_site_url: https://research.splunk.com/endpoint/3e66edb4-b4dc-4b65-b57f-779a88d7d1d9/
   event_schema: ocsf
   mappings:
   - ocsf: process.pid

diff --git a/dist/ssa/srs/ssa___deleting_shadow_copies.yml b/dist/ssa/srs/ssa___deleting_shadow_copies.yml
@@ -1,7 +1,7 @@
 name: Deleting Shadow Copies
-id: fd40c537-53d0-4c28-9b7e-77cfd28a49c8
+id: 19c85f5e-24a5-4355-a430-db9a58d1dc15
 version: 5
-status: validation
+status: production
 detection_type: STREAMING
 description: The vssadmin.exe utility is used to interact with the Volume Shadow Copy
   Service. Wmic is an interface to the Windows Management Instrumentation.  This search
@@ -38,7 +38,7 @@ search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = me
     risk_level_id = 3,
     risk_score = 64,
     severity_id = 0,
-    rule = {"name": "Deleting Shadow Copies", "uid": "fd40c537-53d0-4c28-9b7e-77cfd28a49c8", "type": "Streaming"},
+    rule = {"name": "Deleting Shadow Copies", "uid": "19c85f5e-24a5-4355-a430-db9a58d1dc15", "type": "Streaming"},
     metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()},
     type_uid = 10200101,
     start_time = timestamp,
@@ -71,7 +71,7 @@ tags:
   risk_score: 64
   security_domain: endpoint
   risk_severity: medium
-  research_site_url: https://research.splunk.com/endpoint/fd40c537-53d0-4c28-9b7e-77cfd28a49c8/
+  research_site_url: https://research.splunk.com/endpoint/19c85f5e-24a5-4355-a430-db9a58d1dc15/
   event_schema: ocsf
   mappings:
   - ocsf: process.pid

diff --git a/dist/ssa/srs/ssa___executable_file_written_in_administrative_smb_share.yml b/dist/ssa/srs/ssa___executable_file_written_in_administrative_smb_share.yml
@@ -21,7 +21,7 @@ search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = me
   "\\%\\admin$") AND access_mask=2 
   | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}],
     time = timestamp,
-    evidence = {, "sourceType": metadata.source_type, "source": metadata.source},
+    evidence = {"share": share, "file.type": file_type, "access_mask": access_mask, "actor.user.domain": actor_user_domain, "src_endpoint.ip": src_endpoint_ip, "access_result": access_result, "file.path": file_path, "src_endpoint.port": src_endpoint_port, "actor.user.name": actor_user_name, "actor.session.uid": actor_session_uid, "actor.user.uid": actor_user_uid, "access_list": access_list, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source},
     message = "Executable File Written in Administrative SMB Share has been triggered on " + device_hostname + " by " + actor_user_name + ".",
     users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}],
     activity_id = 1,

diff --git a/lookups/data_sources.csv b/lookups/data_sources.csv
@@ -47,6 +47,7 @@ AWS CloudTrail UpdateAccountPasswordPolicy,35a8cc97-3600-40e1-a5d1-1c2ad5060be0,
 AWS CloudTrail UpdateLoginProfile,1db79158-e5d3-4d35-9d3c-586e44e09f1c,"Patrick Bareiss, Splunk",aws_cloudtrail,aws:cloudtrail,eventName,Splunk Add-on for Amazon Web Services (AWS),7.4.1,https://splunkbase.splunk.com/app/1876,Data source object for AWS CloudTrail UpdateLoginProfile
 AWS CloudTrail UpdateSAMLProvider,e5eb628d-711e-499c-87d9-8fa5dee419ec,"Patrick Bareiss, Splunk",aws_cloudtrail,aws:cloudtrail,eventName,Splunk Add-on for Amazon Web Services (AWS),7.4.1,https://splunkbase.splunk.com/app/1876,Data source object for AWS CloudTrail UpdateSAMLProvider
 AWS CloudTrail UpdateTrail,d5b7a1eb-711a-4c96-aa93-235fe3c8a939,"Patrick Bareiss, Splunk",aws_cloudtrail,aws:cloudtrail,eventName,Splunk Add-on for Amazon Web Services (AWS),7.4.1,https://splunkbase.splunk.com/app/1876,Data source object for AWS CloudTrail UpdateTrail
+AWS CloudWatchLogs VPCflow,38a34fc4-e128-4478-a8f4-7835d51d5135,"Bhavin Patel, Splunk",aws_cloudwatchlogs_vpcflow,aws:cloudwatchlogs:vpcflow,eventName,Splunk Add-on for Amazon Web Services (AWS),7.4.1,https://splunkbase.splunk.com/app/1876,Data source object for AWS CloudWatchLogs VPCflow
 AWS Security Hub,b02bfbf3-294f-478e-99a1-e24b8c692d7e,"Patrick Bareiss, Splunk",aws_securityhub_finding,aws:securityhub:finding,,Splunk Add-on for Amazon Web Services (AWS),7.4.1,https://splunkbase.splunk.com/app/1876,Data source object for AWS Security Hub
 Azure Active Directory,51ca21e5-bda2-4652-bb29-27c7bc18a81c,"Patrick Bareiss, Splunk",Azure AD,azure:monitor:aad,operationName,Splunk Add-on for Microsoft Cloud Services,5.2.2,https://splunkbase.splunk.com/app/3110,Data source object for Azure Active Directory
 Azure Active Directory Add app role assignment to service principal,8b2e84cd-6db0-47e9-badc-75c17df1995f,"Patrick Bareiss, Splunk",Azure AD,azure:monitor:aad,operationName,Splunk Add-on for Microsoft Cloud Services,5.2.2,https://splunkbase.splunk.com/app/3110,Data source object for Azure Active Directory Add app role assignment to service principal
@@ -186,6 +187,7 @@ Windows Event Log Security 5141,eafb35fa-f034-4be3-8508-d9173a73c0a1,"Patrick Ba
 Windows Event Log Security 5145,0746479b-7b82-4d7e-8811-0b35da00f798,"Patrick Bareiss, Splunk",XmlWinEventLog:Security,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log Security 5145
 Windows Event Log System 4720,f01d4758-05c8-4ac4-a9a5-33500dd5eb6c,"Patrick Bareiss, Splunk",XmlWinEventLog:System,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log System 4720
 Windows Event Log System 4726,05e6b2df-b50e-441b-8ac8-565f2e80d62f,"Patrick Bareiss, Splunk",XmlWinEventLog:System,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log System 4726
+Windows Event Log System 4728,4549f0ac-3df9-4bfb-bea5-1459690c8040,"Patrick Bareiss, Splunk",XmlWinEventLog:System,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log System 4728
 Windows Event Log System 7036,a6e9b34f-1507-4fa1-a4ba-684d1b676a34,"Patrick Bareiss, Splunk",XmlWinEventLog:System,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log System 7036
 Windows Event Log System 7040,91738e9e-d112-41c9-b91b-e5868d8993d9,"Patrick Bareiss, Splunk",XmlWinEventLog:System,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log System 7040
 Windows Event Log System 7045,614dedc8-8a14-4393-ba9b-6f093cbcd293,"Patrick Bareiss, Splunk",XmlWinEventLog:System,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log System 7045