deprecated: remove rba from hunting

splunk · Nov 15, 2024 · 9811512 · 9811512
1 parent 91e76c6
commit 9811512
Show file tree

Hide file tree

Showing 39 changed files with 0 additions and 294 deletions.
diff --git a/detections/deprecated/asl_aws_createaccesskey.yml b/detections/deprecated/asl_aws_createaccesskey.yml
@@ -43,15 +43,6 @@ known_false_positives: While this search has no known false positives, it is pos
 references:
 - https://bishopfox.com/blog/privilege-escalation-in-aws
 - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
-rba:
-  message: User $responseElements.accessKey.userName$ is attempting to create access
-    keys for $responseElements.accessKey.userName$ from this IP $src_endpoint.ip$
-  risk_objects: []
-  threat_objects:
-  - field: src_endpoint.ip
-    type: ip_address
-  - field: identity.user.name
-    type: user
 tags:
   analytic_story:
   - AWS IAM Privilege Escalation

diff --git a/detections/deprecated/asl_aws_password_policy_changes.yml b/detections/deprecated/asl_aws_password_policy_changes.yml
@@ -27,15 +27,6 @@ known_false_positives: While this search has no known false positives, it is pos
   trigger this event.
 references:
 - https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html
-rba:
-  message: User $identity.user.name$ is attempting to $api.operation$ the password
-    policy for accounts
-  risk_objects: []
-  threat_objects:
-  - field: src_endpoint.ip
-    type: ip_address
-  - field: identity.user.name
-    type: user
 tags:
   analytic_story:
   - AWS IAM Privilege Escalation

diff --git a/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml b/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml
@@ -17,13 +17,6 @@ how_to_implement: You must install Splunk Add-on for Amazon Web Services and Spl
 known_false_positives: Sensitive object access is not necessarily malicious but user
   and object context can provide guidance for detection.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: user.username
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Sensitive Object Access Activity

diff --git a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml
@@ -23,17 +23,6 @@ how_to_implement: To successfully implement this search, you must ingest your Wi
 known_false_positives: Legitimate logon activity by authorized NTLM systems may be
   detected by this search. Please investigate as appropriate.
 references: []
-rba:
-  message: The following $EventCode$ occurred on $dest$ by $user$ with Logon Type
-    3, which may be indicative of the pass the hash technique.
-  risk_objects:
-  - field: user
-    type: user
-    score: 49
-  - field: dest
-    type: system
-    score: 49
-  threat_objects: []
 tags:
   analytic_story:
   - Active Directory Lateral Movement

diff --git a/detections/deprecated/detect_api_activity_from_users_without_mfa.yml b/detections/deprecated/detect_api_activity_from_users_without_mfa.yml
@@ -37,13 +37,6 @@ known_false_positives: Many service accounts configured within an AWS infrastruc
   the detection. It is also possible that the search detects users in your environment
   using Single Sign-On systems, since the MFA is not handled by AWS.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: user
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - AWS User Monitoring

diff --git a/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml b/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml
@@ -37,13 +37,6 @@ known_false_positives: It's likely that you'll find activity detected by users/s
   file. If the user is a legitimate service account, update the `aws_service_accounts.csv`
   table with that entry.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: user
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - AWS User Monitoring

diff --git a/detections/deprecated/detect_new_user_aws_console_login.yml b/detections/deprecated/detect_new_user_aws_console_login.yml
@@ -27,13 +27,6 @@ known_false_positives: When a legitimate new user logins for the first time, thi
   activity will be detected. Check how old the account is and verify that the user
   activity is legitimate.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: user
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Suspicious AWS Login Activities

diff --git a/detections/deprecated/dump_lsass_via_procdump_rename.yml b/detections/deprecated/dump_lsass_via_procdump_rename.yml
@@ -27,18 +27,6 @@ references:
 - https://attack.mitre.org/techniques/T1003/001/
 - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump
-rba:
-  message: The following $process_name$ has been identified as renamed, spawning from
-    $parent_process_name$ on $dest$, attempting to dump lsass.exe.
-  risk_objects:
-  - field: dest
-    type: system
-    score: 80
-  threat_objects:
-  - field: parent_process_name
-    type: parent_process_name
-  - field: process_name
-    type: process_name
 tags:
   analytic_story:
   - Credential Dumping

diff --git a/detections/deprecated/extended_period_without_successful_netbackup_backups.yml b/detections/deprecated/extended_period_without_successful_netbackup_backups.yml
@@ -20,13 +20,6 @@ how_to_implement: To successfully implement this search you need to first obtain
   backup, other than the default of seven days.
 known_false_positives: None identified
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: dest
-    type: system
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Monitor Backup Solution

diff --git a/detections/deprecated/first_time_seen_command_line_argument.yml b/detections/deprecated/first_time_seen_command_line_argument.yml
@@ -35,13 +35,6 @@ known_false_positives: Legitimate programs can also use command-line arguments t
   is being executed. We recommend customizing the `first_time_seen_cmd_line_filter`
   macro to exclude legitimate parent_process_name
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: dest
-    type: system
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - DHS Report TA18-074A

diff --git a/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml b/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml
@@ -25,13 +25,6 @@ references:
 - https://github.com/dxa4481/gcploit
 - https://www.youtube.com/watch?v=Ml09R38jpok
 - https://cloud.google.com/iam/docs/understanding-roles
-rba:
-  message: tbd
-  risk_objects:
-  - field: data.protoPayload.authenticationInfo.principalEmail
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - GCP Cross Account Activity

diff --git a/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml b/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml
@@ -24,13 +24,6 @@ references:
 - https://github.com/dxa4481/gcploit
 - https://www.youtube.com/watch?v=Ml09R38jpok
 - https://cloud.google.com/iam/docs/permissions-reference
-rba:
-  message: tbd
-  risk_objects:
-  - field: data.protoPayload.authenticationInfo.principalEmail
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - GCP Cross Account Activity

diff --git a/detections/deprecated/gcp_detect_oauth_token_abuse.yml b/detections/deprecated/gcp_detect_oauth_token_abuse.yml
@@ -20,13 +20,6 @@ known_false_positives: GCP Oauth token abuse detection will only work if there a
 references:
 - https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1
 - https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2
-rba:
-  message: tbd
-  risk_objects:
-  - field: protoPayload.status.details{}.violations{}.callerIp
-    type: system
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - GCP Cross Account Activity

diff --git a/detections/deprecated/identify_new_user_accounts.yml b/detections/deprecated/identify_new_user_accounts.yml
@@ -20,13 +20,6 @@ known_false_positives: If the Identity_Management data model is not updated regu
   this search could give you false positive alerts. Please consider this and investigate
   appropriately.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: identity
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story: []
   asset_type: Domain Server

diff --git a/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml b/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml
@@ -16,13 +16,6 @@ how_to_implement: You must install splunk AWS add on and Splunk App for AWS. Thi
 known_false_positives: Not all service accounts interactions are malicious. Analyst
   must consider IP, verb and decision context when trying to detect maliciousness.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: sourceIPs{}
-    type: system
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Sensitive Role Activity

diff --git a/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml b/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml
@@ -18,13 +18,6 @@ how_to_implement: You must install splunk AWS add on and Splunk App for AWS. Thi
 known_false_positives: Not all RBAC Authorications are malicious. RBAC authorizations
   can uncover malicious activity specially if sensitive Roles have been granted.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: user.username
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Sensitive Role Activity

diff --git a/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml
@@ -17,13 +17,6 @@ how_to_implement: You must install splunk AWS add on and Splunk App for AWS. Thi
 known_false_positives: Sensitive role resource access is necessary for cluster operation,
   however source IP, namespace and user group may indicate possible malicious use.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: user.username
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Sensitive Role Activity

diff --git a/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml b/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml
@@ -18,13 +18,6 @@ how_to_implement: You must install splunk AWS add on and Splunk App for AWS. Thi
 known_false_positives: This search can give false positives as there might be inherent
   issues with authentications and permissions at cluster.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: sourceIPs{}
-    type: system
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Sensitive Object Access Activity

diff --git a/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml b/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml
@@ -18,13 +18,6 @@ how_to_implement: You must install the Add-on for Microsoft Cloud Services and C
 known_false_positives: Not all service accounts interactions are malicious. Analyst
   must consider IP and verb context when trying to detect maliciousness.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: user.username
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Sensitive Role Activity

diff --git a/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml b/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml
@@ -18,13 +18,6 @@ how_to_implement: You must install the Add-on for Microsoft Cloud Services and C
 known_false_positives: Not all RBAC Authorications are malicious. RBAC authorizations
   can uncover malicious activity specially if sensitive Roles have been granted.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: user.username
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Sensitive Role Activity

diff --git a/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml b/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml
@@ -17,13 +17,6 @@ how_to_implement: You must install the Add-on for Microsoft Cloud Services and C
 known_false_positives: Sensitive object access is not necessarily malicious but user
   and object context can provide guidance for detection.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: user.username
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Sensitive Object Access Activity

diff --git a/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml
@@ -17,13 +17,6 @@ how_to_implement: You must install the Add-on for Microsoft Cloud Services and C
 known_false_positives: Sensitive role resource access is necessary for cluster operation,
   however source IP, namespace and user group may indicate possible malicious use.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: user.username
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Sensitive Role Activity

diff --git a/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml b/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml
@@ -17,13 +17,6 @@ how_to_implement: You must install the Add-on for Microsoft Cloud Services and C
 known_false_positives: This search can give false positives as there might be inherent
   issues with authentications and permissions at cluster.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: user.username
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Sensitive Object Access Activity

diff --git a/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml b/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml
@@ -20,13 +20,6 @@ known_false_positives: Kubectl calls are not malicious by nature. However source
   verb and Object can reveal potential malicious activity, specially suspicious IPs
   and sensitive objects such as configmaps or secrets
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: sourceIPs{}
-    type: system
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Sensitive Object Access Activity

diff --git a/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml b/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml
@@ -17,13 +17,6 @@ how_to_implement: You must install the Add-on for Microsoft Cloud Services and C
 known_false_positives: Not all unauthenticated requests are malicious, but source
   IPs, userAgent, verb, request URI and response status will provide context.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: sourceIPs{}
-    type: system
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Scanning Activity

diff --git a/detections/deprecated/kubernetes_azure_scan_fingerprint.yml b/detections/deprecated/kubernetes_azure_scan_fingerprint.yml
@@ -17,13 +17,6 @@ how_to_implement: You must install the Add-on for Microsoft Cloud Services and C
 known_false_positives: Not all unauthenticated requests are malicious, but source
   IPs, userAgent, verb, request URI and response status will provide context.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: sourceIPs{}
-    type: system
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Scanning Activity

diff --git a/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml b/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml
@@ -18,13 +18,6 @@ how_to_implement: You must install splunk GCP add on. This search works with pub
 known_false_positives: Not all service accounts interactions are malicious. Analyst
   must consider IP, verb and decision context when trying to detect maliciousness.
 references: []
-rba:
-  message: tbd
-  risk_objects:
-  - field: src_user
-    type: user
-    score: 25
-  threat_objects: []
 tags:
   analytic_story:
   - Kubernetes Sensitive Role Activity