merged with develop

README.md

@@ -99,4 +99,5 @@ Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
-limitations under the License.
+limitations under the License.
+

data_sources/AWS_CloudWatchLogs_VPCflow.yml

@@ -0,0 +1,68 @@
+name: AWS CloudWatchLogs VPCflow
+id: 38a34fc4-e128-4478-a8f4-7835d51d5135
+version: 1
+author: Bhavin Patel, Splunk
+date: '2024-07-18'
+description: Data source object for AWS CloudWatchLogs VPCflow
+source: aws_cloudwatchlogs_vpcflow
+sourcetype: aws:cloudwatchlogs:vpcflow
+separator: eventName
+supported_TA:
+  name: Splunk Add-on for Amazon Web Services (AWS)
+  version: 7.4.1
+  url: https://splunkbase.splunk.com/app/1876
+fields:
+- _raw
+- _time
+- account_id
+- action
+- app
+- aws_account_id
+- bytes
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_ip
+- dest_port
+- duration
+- dvc
+- end_time
+- eventtype
+- host
+- index
+- interface_id
+- linecount
+- log_status
+- packets
+- protocol
+- protocol_code
+- protocol_full_name
+- protocol_version
+- punct
+- region
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_port
+- start_time
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- transport
+- user_id
+- vendor_account
+- vendor_product
+- version
+- vpcflow_action
+example_log: '2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK'

data_sources/Windows_Event_Log_System_4728.yml

@@ -0,0 +1,99 @@
+name: Windows Event Log System 4728
+id: 4549f0ac-3df9-4bfb-bea5-1459690c8040
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log System 4728
+source: XmlWinEventLog:System
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 8.8.0
+fields:
+- _time
+- Account_Domain
+- Account_Name
+- CategoryString
+- ComputerName
+- Error_Code
+- EventCode
+- EventType
+- Keywords
+- LogName
+- Logon_ID
+- Message
+- OpCode
+- RecordNumber
+- Security_ID
+- SourceName
+- Subject_Account_Domain
+- Subject_Account_Name
+- Subject_Logon_ID
+- Subject_Security_ID
+- Target_Account_Domain
+- Target_Account_Name
+- Target_Security_ID
+- TaskCategory
+- Type
+- action
+- app
+- body
+- category
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dest_nt_host
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- member_dn
+- member_id
+- member_nt_domain
+- msad_action
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product

detections/application/detect_distributed_password_spray_attempts.yml

@@ -0,0 +1,81 @@
+name: Detect Distributed Password Spray Attempts
+id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
+version: 1
+date: '2023-11-01'
+author: Dean Luxton
+status: production
+type: Hunting
+data_source:
+- Azure Active Directory Sign-in activity
+description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A 
+  distributed password spray attack is a type of brute force attack where the attacker attempts a few 
+  common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. 
+  By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication 
+  events, providing comprehensive coverage and enhancing security against these attacks.
+search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time  span=2m
+  | `drop_dm_object_name("Authentication")`
+  ```fill out time buckets for 0-count events during entire search length```
+  | appendpipe [| timechart limit=0 span=5m count | table _time]
+  | fillnull value=0 unique_accounts, unique_src
+  ``` remove duplicate & empty time buckets```
+  | sort - total_failures
+  | dedup _time
+  ``` Create aggregation field & apply to all null events```
+  | eval counter=sourcetype+"__"+signature_id
+  | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter)
+  ``` 3-sigma detection logic ```
+  | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter
+  | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3)
+  | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0)
+  | replace "::ffff:*" with * in src
+  | where isOutlier=1
+  | foreach * 
+      [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
+  | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id
+  | sort - total_failures | `detect_distributed_password_spray_attempts_filter`'
+how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM)
+  and that the src field is populated with the source device information. Additionally, ensure that 
+  fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from 
+  log sources that do not feature the signature_id field in the results.
+known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings.
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+tags:
+  analytic_story:
+  - Compromised User Account
+  - Active Directory Password Spraying
+  asset_type: Endpoint
+  atomic_guid:
+  - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
+  confidence: 70
+  impact: 70
+  message: Distributed Password Spray Attempt Detected from $src$
+  mitre_attack_id:
+  - T1110.003
+  - T1110
+  observable:
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  - name: unique_accounts
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 49
+  required_fields:
+  - Authentication.action
+  - Authentication.user
+  - Authentication.src
+  security_domain: access
+  manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion. 
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log
+    source: azure:monitor:aad
+    sourcetype: azure:monitor:aad

detections/application/detect_password_spray_attempts.yml

@@ -0,0 +1,75 @@
+name: Detect Password Spray Attempts
+id: 086ab581-8877-42b3-9aee-4a7ecb0923af
+version: 1
+date: '2023-11-01'
+author: Dean Luxton
+status: production
+type: TTP
+data_source:
+- Windows Event Log Security 4625
+description: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts
+  from a single source. A password spray attack is a type of brute force attack where an attacker tries a few
+  common passwords across many different accounts to avoid detection and account lockouts. By utilizing the
+  Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing
+  comprehensive coverage and enhancing security against these attacks.
+search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time  span=2m
+  | `drop_dm_object_name("Authentication")`
+  ```fill out time buckets for 0-count events during entire search length```
+  | appendpipe [| timechart limit=0 span=5m count | table _time]
+  | fillnull value=0 unique_accounts, unique_src
+  ``` remove duplicate & empty time buckets```
+  | sort - total_failures
+  | dedup _time
+  ``` Create aggregation field & apply to all null events```
+  | eval counter=src+"__"+sourcetype+"__"+signature_id
+  | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter)
+  | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter
+  | eval upperBound=(comp_avg+comp_std*3)
+  | eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0)
+  | replace "::ffff:*" with * in src
+  | where isOutlier=1
+  | foreach * [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
+  | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id
+  | `detect_password_spray_attempts_filter`'
+how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. 
+known_false_positives: Unknown
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+tags:
+  analytic_story:
+  - Compromised User Account
+  - Active Directory Password Spraying
+  asset_type: Endpoint
+  atomic_guid:
+  - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
+  confidence: 70
+  impact: 70
+  message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts. 
+  mitre_attack_id:
+  - T1110.003
+  - T1110
+  observable:
+  - name: src
+    type: Endpoint
+    role:
+    - Attacker
+  - name: sourcetype
+    type: Other
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 49
+  required_fields:
+  - Authentication.action
+  - Authentication.user
+  - Authentication.src
+  security_domain: access
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log
+    source: XmlWinEventLog:Security
+    sourcetype: XmlWinEventLog

detections/application/windows_ad_add_self_to_group.yml

@@ -0,0 +1,54 @@
+name: Windows AD add Self to Group
+id: 065f2701-b7ea-42f5-9ec4-fbc2261165f9
+version: 1
+date: '2023-12-18'
+author: Dean Luxton
+status: production
+type: TTP
+data_source:
+- Windows Event Log Security 4728
+description: This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity
+  is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher
+  privileges or sensitive resources. By monitoring AD logs, this detection identifies such suspicious behavior,
+  which could be part of a larger attack strategy aimed at compromising critical systems and data. 
+search: '`wineventlog_security` EventCode IN (4728) 
+  | where user=src_user 
+  | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name, src_user 
+  | `windows_ad_add_self_to_group_filter`'
+how_to_implement: This analytic requires eventCode 4728 to be ingested.
+known_false_positives: Unknown
+references: []
+tags:
+  analytic_story:
+  - Active Directory Privilege Escalation
+  - Sneaky Active Directory Persistence Tricks
+  asset_type: Endpoint
+  confidence: 100
+  impact: 50
+  message: $user$ added themselves to AD Group $Group_Name$
+  mitre_attack_id:
+  - T1098
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 50
+  required_fields:
+  - EventCode
+  - user
+  - src_user
+  - signature
+  - Group_Name
+  security_domain: audit
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log
+    source: XmlWinEventLog:Security
+    sourcetype: XmlWinEventLog
+    update_timestamp: true