From d2edfa4aa94a1938588a8098bc0b8318249558ff Mon Sep 17 00:00:00 2001 
From: ljstella
Date: Wed, 27 Nov 2024 12:34:32 -0600
Subject: [PATCH] deprecated: cleanup TBD messages
---
 .../abnormally_high_aws_instances_launched_by_user.yml | 2 +-
 .../abnormally_high_aws_instances_launched_by_user___mltk.yml | 2 +-
 .../abnormally_high_aws_instances_terminated_by_user.yml | 2 +-
 ...bnormally_high_aws_instances_terminated_by_user___mltk.yml | 2 +-
 .../aws_cloud_provisioning_from_previously_unseen_city.yml | 2 +-
 .../aws_cloud_provisioning_from_previously_unseen_country.yml | 2 +-
 ...s_cloud_provisioning_from_previously_unseen_ip_address.yml | 2 +-
 .../aws_cloud_provisioning_from_previously_unseen_region.yml | 2 +-
 .../deprecated/clients_connecting_to_multiple_dns_servers.yml | 2 +-
 .../deprecated/cloud_network_access_control_list_deleted.yml | 2 +-
 ...ct_dns_requests_to_phishing_sites_leveraging_evilginx2.yml | 2 +-
 detections/deprecated/detect_long_dns_txt_record_response.yml | 2 +-
 .../detect_mimikatz_via_powershell_and_eventcode_4703.yml | 2 +-
 .../deprecated/detect_new_api_calls_from_user_roles.yml | 2 +-
 detections/deprecated/detect_spike_in_aws_api_activity.yml | 2 +-
 .../deprecated/detect_spike_in_network_acl_activity.yml | 2 +-
 .../deprecated/detect_spike_in_security_group_activity.yml | 2 +-
 detections/deprecated/detect_usb_device_insertion.yml | 2 +-
 .../detect_web_traffic_to_dynamic_domain_providers.yml | 2 +-
 detections/deprecated/detection_of_dns_tunnels.yml | 2 +-
 ...ns_query_requests_resolved_by_unauthorized_dns_servers.yml | 2 +-
 detections/deprecated/dns_record_changed.yml | 2 +-
 .../ec2_instance_modified_with_previously_unseen_user.yml | 2 +-
 .../ec2_instance_started_with_previously_unseen_ami.yml | 2 +-
 ..._instance_started_with_previously_unseen_instance_type.yml | 2 +-
 .../ec2_instance_started_with_previously_unseen_user.yml | 2 +-
 .../execution_of_file_with_spaces_before_extension.yml | 2 +-
 .../deprecated/gcp_kubernetes_cluster_scan_detection.yml | 2 +-
 detections/deprecated/monitor_dns_for_brand_abuse.yml | 2 +-
 detections/deprecated/osquery_pack___coldroot_detection.yml | 2 +-
 detections/deprecated/processes_created_by_netsh.yml | 2 +-
 ...g_exe_used_to_hide_files_directories_via_registry_keys.yml | 2 +-
 detections/deprecated/remote_registry_key_modifications.yml | 2 +-
 .../scheduled_tasks_used_in_badrabbit_ransomware.yml | 2 +-
 .../deprecated/spectre_and_meltdown_vulnerable_systems.yml | 2 +-
 .../deprecated/suspicious_changes_to_file_associations.yml | 2 +-
 detections/deprecated/suspicious_email___uba_anomaly.yml | 2 +-
 .../suspicious_powershell_command_line_arguments.yml | 2 +-
 detections/deprecated/unsigned_image_loaded_by_lsass.yml | 2 +-
 detections/deprecated/web_fraud___account_harvesting.yml | 2 +-
 .../deprecated/web_fraud___anomalous_user_clickspeed.yml | 4 ++--
 .../web_fraud___password_sharing_across_accounts.yml | 2 +-
 .../deprecated/windows_connhost_exe_started_forcefully.yml | 2 +-
 detections/deprecated/windows_hosts_file_modification.yml | 2 +-
 44 files changed, 45 insertions(+), 45 deletions(-)
diff --git a/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml b/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml
index ec72c38b4d..b6dbe6c25b 100644
--- a/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml
+++ b/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml
@@ -26,7 +26,7 @@ known_false_positives: Many service accounts configured within an AWS infrastruc
 human user.
 references: []
 rba:
- message: tbd
+ message: Abnormal number of instances launched by $userName$
 risk_objects:
 - field: userName
 type: user
diff --git a/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml b/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml
index ccd297eed6..7037db4ecb 100644
--- a/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml
+++ b/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml
@@ -22,7 +22,7 @@ known_false_positives: Many service accounts configured within an AWS infrastruc
 human user.
 references: []
 rba:
- message: tbd
+ message: Abnormal number of instances launched by $src_user$
 risk_objects:
 - field: src_user
 type: user
diff --git a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml
index 39a983c7d3..0be5d21777 100644
--- a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml
+++ b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml
@@ -27,7 +27,7 @@ known_false_positives: Many service accounts configured with your AWS infrastruc
 on a human user.
 references: []
 rba:
- message: tbd
+ message: Abnormal number of instances terminated by $userName$
 risk_objects:
 - field: userName
 type: user
diff --git a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml
index 0c094aa43d..ee8c2e3c58 100644
--- a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml
+++ b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml
@@ -22,7 +22,7 @@ known_false_positives: Many service accounts configured within an AWS infrastruc
 human user.
 references: []
 rba:
- message: tbd
+ message: Abnormal number of instances terminated by $src_user$
 risk_objects:
 - field: src_user
 type: user
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
index fdd716c5d9..c5a3165f1b 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
@@ -38,7 +38,7 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
 to you."
 references: []
 rba:
- message: tbd
+ message: AWS provisioning from new city ($City$)
 risk_objects:
 - field: src_ip
 type: system
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
index 9817510ef3..84e96192ca 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
@@ -39,7 +39,7 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
 much less valuable to you."
 references: []
 rba:
- message: tbd
+ message: AWS provisioning from new country ($Country$)
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
index 645eebb7c9..7393509328 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
@@ -38,7 +38,7 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
 to you."
 references: []
 rba:
- message: tbd
+ message: AWS provisioning from new IP Address ($src_ip$)
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml
index ead1be5893..75433b2a86 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml
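Review bot: The new message for aws_cloud_provisioning_from_previously_unseen_city interpolates `$City$`, which is not the declared risk object field (`src_ip`), and nothing in this hunk shows that the search emits a field literally named `City`; if it does not, the token is presumably rendered unresolved in every risk event. The same question applies to `$Country$` in the country hunk on this line, `$Region$` in the region hunk on the next line, `$src_ip$` in the ip_address hunk (risk object `user`), and `$dest$`/`$instanceType$` in ec2_instance_started_with_previously_unseen_instance_type (risk object `user`). Each placeholder is worth checking against the fields the detection's search actually outputs, keeping in mind that field names are case-sensitive, before this is merged.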
@@ -38,7 +38,7 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
 to you."
 references: []
 rba:
- message: tbd
+ message: AWS provisioning from new Region ($Region$)
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml b/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml
index 308a6f5cd9..d3982cb7bf 100644
--- a/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml
+++ b/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml
@@ -26,7 +26,7 @@ known_false_positives: It's possible that an enterprise has more than five DNS s
 that are configured in a round-robin rotation. Please customize the search, as appropriate.
 references: []
 rba:
- message: tbd
+ message: Device ($src$) observed utilizing multiple DNS Servers
 risk_objects:
 - field: src
 type: system
diff --git a/detections/deprecated/cloud_network_access_control_list_deleted.yml b/detections/deprecated/cloud_network_access_control_list_deleted.yml
index 16be4f5b3d..6cf2cc79d7 100644
--- a/detections/deprecated/cloud_network_access_control_list_deleted.yml
+++ b/detections/deprecated/cloud_network_access_control_list_deleted.yml
@@ -23,7 +23,7 @@ known_false_positives: It's possible that a user has legitimately deleted a netw
 ACL.
 references: []
 rba:
- message: tbd
+ message: AWS Network ACL Deleted by $userName$
 risk_objects:
 - field: userName
 type: user
diff --git a/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml b/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml
index 8c08eab7c8..4eb45094a8 100644
--- a/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml
+++ b/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml
@@ -36,7 +36,7 @@ known_false_positives: If a known good domain is not listed in the legit_domains
 to filter out DNS requests to legitimate domains.
 references: []
 rba:
- message: tbd
+ message: DNS Request for EvilGinx2 Phishing Site
 risk_objects:
 - field: src
 type: system
diff --git a/detections/deprecated/detect_long_dns_txt_record_response.yml b/detections/deprecated/detect_long_dns_txt_record_response.yml
index 8a2840c3a9..3e7d898a6f 100644
--- a/detections/deprecated/detect_long_dns_txt_record_response.yml
+++ b/detections/deprecated/detect_long_dns_txt_record_response.yml
@@ -30,7 +30,7 @@ known_false_positives: It's possible that legitimate TXT record responses can be
 to help mitigate false positives.
 references: []
 rba:
- message: tbd
+ message: Long DNS TXT Response observed
 risk_objects:
 - field: Destination IP
 type: system
diff --git a/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml b/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml
index 4290165b9c..58d7827eba 100644
--- a/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml
+++ b/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml
@@ -27,7 +27,7 @@ known_false_positives: The activity may be legitimate. PowerShell is often used
 may need to tweak the search to eliminate noise.
 references: []
 rba:
- message: tbd
+ message: Potential Mimikatz usage on $dest$
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/detect_new_api_calls_from_user_roles.yml b/detections/deprecated/detect_new_api_calls_from_user_roles.yml
index dcafd74d99..c5319b9c74 100644
--- a/detections/deprecated/detect_new_api_calls_from_user_roles.yml
+++ b/detections/deprecated/detect_new_api_calls_from_user_roles.yml
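Review bot: The new message `DNS Request for EvilGinx2 Phishing Site` in detect_dns_requests_to_phishing_sites_leveraging_evilginx2 carries no field placeholder, so every risk event from this detection gets an identical message with no indication of which `src` triggered it; `  message: DNS Request for EvilGinx2 Phishing Site from $src$` would match the hunks that already reference `$dest$` or `$user$`. The same pattern appears in detect_long_dns_txt_record_response on this line and later in detect_web_traffic_to_dynamic_domain_providers, detection_of_dns_tunnels, dns_query_requests_resolved_by_unauthorized_dns_servers, dns_record_changed, gcp_kubernetes_cluster_scan_detection, monitor_dns_for_brand_abuse, web_fraud___account_harvesting, web_fraud___anomalous_user_clickspeed and web_fraud___password_sharing_across_accounts, each of which declares a risk object field that could be interpolated the same way. These detections are deprecated, so this is low priority, but doing it here keeps the cleanup consistent across the set.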
@@ -28,7 +28,7 @@ known_false_positives: It is possible that there are legitimate user roles makin
 trigger.
 references: []
 rba:
- message: tbd
+ message: Never Before Seen API Call from $user$
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/detect_spike_in_aws_api_activity.yml b/detections/deprecated/detect_spike_in_aws_api_activity.yml
index e2bd5b7ec8..8a32808181 100644
--- a/detections/deprecated/detect_spike_in_aws_api_activity.yml
+++ b/detections/deprecated/detect_spike_in_aws_api_activity.yml
@@ -43,7 +43,7 @@ how_to_implement: "You must install the AWS App for Splunk (version 5.1.0 or lat
 known_false_positives: None.
 references: []
 rba:
- message: tbd
+ message: Spike in AWS API Activity from $user$
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/detect_spike_in_network_acl_activity.yml b/detections/deprecated/detect_spike_in_network_acl_activity.yml
index 7cdfa40d8e..1bea1b5cc0 100644
--- a/detections/deprecated/detect_spike_in_network_acl_activity.yml
+++ b/detections/deprecated/detect_spike_in_network_acl_activity.yml
@@ -37,7 +37,7 @@ known_false_positives: The false-positive rate may vary based on the values of`d
 and `deviationThreshold`. Please modify this according the your environment.
 references: []
 rba:
- message: tbd
+ message: Spike in AWS API Activity related to Network ACLs from $user$
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/detect_spike_in_security_group_activity.yml b/detections/deprecated/detect_spike_in_security_group_activity.yml
index aa9c0330b0..85cacdcf18 100644
--- a/detections/deprecated/detect_spike_in_security_group_activity.yml
+++ b/detections/deprecated/detect_spike_in_security_group_activity.yml
@@ -38,7 +38,7 @@ known_false_positives: Based on the values of`dataPointThreshold` and `deviation
 the false positive rate may vary. Please modify this according the your environment.
 references: []
 rba:
- message: tbd
+ message: Spike in AWS API Activity related to Security Groups from $user$
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/detect_usb_device_insertion.yml b/detections/deprecated/detect_usb_device_insertion.yml
index 1f74de873e..6a0c2702b4 100644
--- a/detections/deprecated/detect_usb_device_insertion.yml
+++ b/detections/deprecated/detect_usb_device_insertion.yml
@@ -27,7 +27,7 @@ known_false_positives: Legitimate USB activity will also be detected. Please ver
 and investigate as appropriate.
 references: []
 rba:
- message: tbd
+ message: USB Device Activity detected on $dest$
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml b/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml
index 36bef26585..7117f3475d 100644
--- a/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml
+++ b/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml
@@ -30,7 +30,7 @@ known_false_positives: It is possible that list of dynamic DNS providers is outd
 and/or that the URL being requested is legitimate.
 references: []
 rba:
- message: tbd
+ message: Web traffic to Dynamic DNS Provider detected
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/detection_of_dns_tunnels.yml b/detections/deprecated/detection_of_dns_tunnels.yml
index dfa73b56c9..16fd87e94e 100644
--- a/detections/deprecated/detection_of_dns_tunnels.yml
+++ b/detections/deprecated/detection_of_dns_tunnels.yml
@@ -43,7 +43,7 @@ known_false_positives: It's possible that normal DNS traffic will exhibit this b
 can also be modified to better suit your environment.
 references: []
 rba:
- message: tbd
+ message: Potential DNS Tunneling Detected
 risk_objects:
 - field: src
 type: system
diff --git a/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml b/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml
index 4b6c18dc2e..2f400dce8b 100644
--- a/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml
+++ b/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml
@@ -20,7 +20,7 @@ known_false_positives: Legitimate DNS activity can be detected in this search. I
 verify and update the list of authorized DNS servers as appropriate.
 references: []
 rba:
- message: tbd
+ message: DNS Resolution from Unauthorized DNS Server
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/dns_record_changed.yml b/detections/deprecated/dns_record_changed.yml
index 3fbea89b15..d8a2182478 100644
--- a/detections/deprecated/dns_record_changed.yml
+++ b/detections/deprecated/dns_record_changed.yml
@@ -34,7 +34,7 @@ known_false_positives: Legitimate DNS changes can be detected in this search. In
 as appropriate.
 references: []
 rba:
- message: tbd
+ message: DNS Record Changed
 risk_objects:
 - field: src
 type: system
diff --git a/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml b/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml
index 1558c04485..358ebe8306 100644
--- a/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml
+++ b/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml
@@ -27,7 +27,7 @@ known_false_positives: It's possible that a new user will start to modify EC2 in
 modifying instances that this is the intended behavior.
 references: []
 rba:
- message: tbd
+ message: EC2 Instance Modified for first time by $user$
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml b/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml
index 4e294da906..a7ffcbe42f 100644
--- a/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml
+++ b/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml
@@ -29,7 +29,7 @@ known_false_positives: After a new AMI is created, the first systems created wit
 by a legitimate user.
 references: []
 rba:
- message: tbd
+ message: EC2 Instance $dest$ launched with new AMI
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml b/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml
index 5910bcb0d7..d37b17a319 100644
--- a/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml
+++ b/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml
@@ -29,7 +29,7 @@ known_false_positives: It is possible that an admin will create a new system usi
 to create the system with the new instance type.
 references: []
 rba:
- message: tbd
+ message: EC2 Instance $dest$ launched with previously unseen instance type $instanceType$
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml b/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml
index cb638f9f90..83e5bff14a 100644
--- a/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml
+++ b/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml
@@ -27,7 +27,7 @@ known_false_positives: It's possible that a user will start to create EC2 instan
 launching instances that this is the intended behavior.
 references: []
 rba:
- message: tbd
+ message: EC2 Instance $dest$ started by previously unseen user $user$
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/execution_of_file_with_spaces_before_extension.yml b/detections/deprecated/execution_of_file_with_spaces_before_extension.yml
index 87159a49e5..232ab11add 100644
--- a/detections/deprecated/execution_of_file_with_spaces_before_extension.yml
+++ b/detections/deprecated/execution_of_file_with_spaces_before_extension.yml
@@ -27,7 +27,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
 known_false_positives: None identified.
 references: []
 rba:
- message: tbd
+ message: Execution of file with spaces before the extension on $dest$
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml b/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml
index 29a7baa695..81a4946016 100644
--- a/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml
+++ b/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml
@@ -25,7 +25,7 @@ known_false_positives: Not all unauthenticated requests are malicious, but frequ
 User Agent and source IPs will provide context.
 references: []
 rba:
- message: tbd
+ message: Possible GKE Cluster Scan
 risk_objects:
 - field: src_ip
 type: system
diff --git a/detections/deprecated/monitor_dns_for_brand_abuse.yml b/detections/deprecated/monitor_dns_for_brand_abuse.yml
index 0307f050c2..af09c585e2 100644
--- a/detections/deprecated/monitor_dns_for_brand_abuse.yml
+++ b/detections/deprecated/monitor_dns_for_brand_abuse.yml
@@ -22,7 +22,7 @@ how_to_implement: You need to ingest data from your DNS logs. Specifically you m
 known_false_positives: None at this time
 references: []
 rba:
- message: tbd
+ message: Potential brand abuse
 risk_objects:
 - field: query
 type: other
diff --git a/detections/deprecated/osquery_pack___coldroot_detection.yml b/detections/deprecated/osquery_pack___coldroot_detection.yml
index 8df033a690..d159cd36ee 100644
--- a/detections/deprecated/osquery_pack___coldroot_detection.yml
+++ b/detections/deprecated/osquery_pack___coldroot_detection.yml
@@ -19,7 +19,7 @@ how_to_implement: In order to properly run this search, Splunk needs to ingest d
 known_false_positives: There are no known false positives.
 references: []
 rba:
- message: tbd
+ message: Potential ColdRoot detection on $host$
 risk_objects:
 - field: host
 type: system
diff --git a/detections/deprecated/processes_created_by_netsh.yml b/detections/deprecated/processes_created_by_netsh.yml
index 07e9af0c59..4468f1ce24 100644
--- a/detections/deprecated/processes_created_by_netsh.yml
+++ b/detections/deprecated/processes_created_by_netsh.yml
@@ -34,7 +34,7 @@ known_false_positives: It is unusual for netsh.exe to have any child processes i
 process path since it is a legitimate process by Mircosoft.
 references: []
 rba:
- message: tbd
+ message: Proccesses created by netsh.exe on $dest$
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml b/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml
index f7681fa282..731d041464 100644
--- a/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml
+++ b/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml
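Review bot: The new message in processes_created_by_netsh misspells its first word; it should read `  message: Processes created by netsh.exe on $dest$`. Two smaller wording points in later hunks: suspicious_powershell_command_line_arguments writes `Powershell` where the product name is `PowerShell`, and windows_hosts_file_modification says `Host file` where the file (and the detection's own name) is the hosts file, i.e. `  message: Hosts file modified on $dest$`. These strings are what analysts see in the risk index, so they are worth correcting while the lines are being rewritten anyway.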
@@ -27,7 +27,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
 known_false_positives: None at the moment
 references: []
 rba:
- message: tbd
+ message: Reg.exe used to hide a file or directory on $dest$
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/remote_registry_key_modifications.yml b/detections/deprecated/remote_registry_key_modifications.yml
index 5ca1730add..1ea19b3751 100644
--- a/detections/deprecated/remote_registry_key_modifications.yml
+++ b/detections/deprecated/remote_registry_key_modifications.yml
@@ -22,7 +22,7 @@ known_false_positives: This technique may be legitimately used by administrators
 modify remote registries, so it's important to filter these events out.
 references: []
 rba:
- message: tbd
+ message: Registry remotely modified on $dest$
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml b/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml
index 5d2b924766..e1f3ee0f3a 100644
--- a/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml
+++ b/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml
@@ -28,7 +28,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
 known_false_positives: No known false positives
 references: []
 rba:
- message: tbd
+ message: Tasks being scheduled with names indicative of BadRabbit ransomware on $dest$
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml b/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml
index 4931f8ca78..9960a35ff0 100644
--- a/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml
+++ b/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml
@@ -19,7 +19,7 @@ known_false_positives: It is possible that your vulnerability scanner is not det
 that the patches have been applied.
 references: []
 rba:
- message: tbd
+ message: $dest$ enumerated as a Spectre or Meltdown vulnerable system
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/suspicious_changes_to_file_associations.yml b/detections/deprecated/suspicious_changes_to_file_associations.yml
index 85a6effba3..4d63025a82 100644
--- a/detections/deprecated/suspicious_changes_to_file_associations.yml
+++ b/detections/deprecated/suspicious_changes_to_file_associations.yml
@@ -33,7 +33,7 @@ known_false_positives: There may be other processes in your environment that use
 finding false positives, you can modify the search to add those processes as exceptions.
 references: []
 rba:
- message: tbd
+ message: Suspicious changes to file association on $dest$
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/suspicious_email___uba_anomaly.yml b/detections/deprecated/suspicious_email___uba_anomaly.yml
index 5481c97bb3..040b5236be 100644
--- a/detections/deprecated/suspicious_email___uba_anomaly.yml
+++ b/detections/deprecated/suspicious_email___uba_anomaly.yml
@@ -26,7 +26,7 @@ known_false_positives: This detection model will alert on any sender domain that
 legitimate sender.
 references: []
 rba:
- message: tbd
+ message: Suspicious Email as detected by UBA for $user$
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/suspicious_powershell_command_line_arguments.yml b/detections/deprecated/suspicious_powershell_command_line_arguments.yml
index b5fd793819..f8d3993171 100644
--- a/detections/deprecated/suspicious_powershell_command_line_arguments.yml
+++ b/detections/deprecated/suspicious_powershell_command_line_arguments.yml
@@ -33,7 +33,7 @@ known_false_positives: Legitimate process can have this combination of command-l
 options, but it's not common.
 references: []
 rba:
- message: tbd
+ message: Suspicious Powershell Command Line Arguments observed on $dest$
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/unsigned_image_loaded_by_lsass.yml b/detections/deprecated/unsigned_image_loaded_by_lsass.yml
index a27f65bce6..6831aca33a 100644
--- a/detections/deprecated/unsigned_image_loaded_by_lsass.yml
+++ b/detections/deprecated/unsigned_image_loaded_by_lsass.yml
@@ -23,7 +23,7 @@ known_false_positives: Other tools could load images into LSASS for legitimate r
 references:
 - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
 rba:
- message: tbd
+ message: Unsigned image loaded by LSASS on $dest$
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/web_fraud___account_harvesting.yml b/detections/deprecated/web_fraud___account_harvesting.yml
index f4efb31d2d..c32e6e8d6e 100644
--- a/detections/deprecated/web_fraud___account_harvesting.yml
+++ b/detections/deprecated/web_fraud___account_harvesting.yml
@@ -36,7 +36,7 @@ references:
 - https://splunkbase.splunk.com/app/2734/
 - https://splunkbase.splunk.com/app/1809/
 rba:
- message: tbd
+ message: Multiple user accounts using the same email domain
 risk_objects:
 - field: src_user
 type: user
diff --git a/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml b/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml
index 5a426bc255..34eeae94e2 100644
--- a/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml
+++ b/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml
@@ -32,10 +32,10 @@ references:
 - https://en.wikipedia.org/wiki/HTTP_cookie
 - https://splunkbase.splunk.com/app/1809/
 rba:
- message: tbd
+ message: Web sessions exhibiting unauthentic characteristics
 risk_objects:
 - field: session_id
- type: user
+ type: other
 score: 25
 threat_objects: []
 tags:
diff --git a/detections/deprecated/web_fraud___password_sharing_across_accounts.yml b/detections/deprecated/web_fraud___password_sharing_across_accounts.yml
index c3d69c725a..5004244bbb 100644
--- a/detections/deprecated/web_fraud___password_sharing_across_accounts.yml
+++ b/detections/deprecated/web_fraud___password_sharing_across_accounts.yml
@@ -27,7 +27,7 @@ references:
 - https://en.wikipedia.org/wiki/HTTP_cookie
 - https://splunkbase.splunk.com/app/1809/
 rba:
- message: tbd
+ message: Password sharing across accounts
 risk_objects:
 - field: user
 type: user
diff --git a/detections/deprecated/windows_connhost_exe_started_forcefully.yml b/detections/deprecated/windows_connhost_exe_started_forcefully.yml
index 265bf69e34..c690e9c943 100644
--- a/detections/deprecated/windows_connhost_exe_started_forcefully.yml
+++ b/detections/deprecated/windows_connhost_exe_started_forcefully.yml
@@ -30,7 +30,7 @@ known_false_positives: This process should not be ran forcefully, we have not se
 any false positives for this detection
 references: []
 rba:
- message: tbd
+ message: Potentially suspicious connhost.exe behavior on $dest$
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/deprecated/windows_hosts_file_modification.yml b/detections/deprecated/windows_hosts_file_modification.yml
index 12f945a0da..5a3edf09f7 100644
--- a/detections/deprecated/windows_hosts_file_modification.yml
+++ b/detections/deprecated/windows_hosts_file_modification.yml
@@ -24,7 +24,7 @@ known_false_positives: There may be legitimate reasons for system administrators
 add entries to this file.
 references: []
 rba:
- message: tbd
+ message: Host file modified on $dest$
 risk_objects:
 - field: dest
 type: system