network detections initial translation

splunk · Nov 15, 2024 · f6587bd · f6587bd
1 parent 6089391
commit f6587bd
Show file tree

Hide file tree

Showing 43 changed files with 1,495 additions and 664 deletions.
diff --git a/detections/network/detect_arp_poisoning.yml b/detections/network/detect_arp_poisoning.yml
@@ -1,33 +1,53 @@
 name: Detect ARP Poisoning
 id: b44bebd6-bd39-467b-9321-73971bcd1aac
-version: 4
-date: '2024-10-17'
+version: 5
+date: '2024-11-15'
 author: Mikael Bjerkeland, Splunk
 status: experimental
 type: TTP
-description: The following analytic detects ARP Poisoning attacks by monitoring for Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs from Cisco devices, specifically looking for events where the ARP inspection feature has disabled an interface due to suspicious activity. This activity is significant because ARP Poisoning can allow attackers to intercept, modify, or disrupt network traffic, leading to potential data breaches or denial of service. If confirmed malicious, this could enable attackers to perform man-in-the-middle attacks, compromising the integrity and confidentiality of network communications.
+description: The following analytic detects ARP Poisoning attacks by monitoring for
+  Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs
+  from Cisco devices, specifically looking for events where the ARP inspection feature
+  has disabled an interface due to suspicious activity. This activity is significant
+  because ARP Poisoning can allow attackers to intercept, modify, or disrupt network
+  traffic, leading to potential data breaches or denial of service. If confirmed malicious,
+  this could enable attackers to perform man-in-the-middle attacks, compromising the
+  integrity and confidentiality of network communications.
 data_source: []
-search: '`cisco_networks` facility="PM" mnemonic="ERR_DISABLE" disable_cause="arp-inspection" | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_arp_poisoning_filter`'
-how_to_implement: This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.
-known_false_positives: This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely).
+search: '`cisco_networks` facility="PM" mnemonic="ERR_DISABLE" disable_cause="arp-inspection"
+  | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime
+  max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`|
+  `detect_arp_poisoning_filter`'
+how_to_implement: This search uses a standard SPL query on logs from Cisco Network
+  devices. The network devices must be configured with DHCP Snooping (see 
+  https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html)
+  and Dynamic ARP Inspection (see 
+  https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html)
+  and log with a severity level of minimum "5 - notification". The search also requires
+  that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467)
+  is used to parse the logs from the Cisco network devices.
+known_false_positives: This search might be prone to high false positives if DHCP
+  Snooping or ARP inspection has been incorrectly configured, or if a device normally
+  sends many ARP packets (unlikely).
 references: []
+rba:
+  message: tbd
+  risk_objects:
+  - field: dest
+    type: Other
+    risk_score: 25.0
+  threat_objects: []
 tags:
   analytic_story:
   - Router and Infrastructure Security
   asset_type: Infrastructure
   confidence: 50
   impact: 50
-  message: tbd
   mitre_attack_id:
   - T1200
   - T1498
   - T1557
   - T1557.002
-  observable:
-  - name: dest
-    type: Other
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml
@@ -1,35 +1,57 @@
 name: Detect DGA domains using pretrained model in DSDL
 id: 92e24f32-9b9a-4060-bba2-2a0eb31f3493
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2024-11-15'
 author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
 status: experimental
 type: Anomaly
-description: The following analytic identifies Domain Generation Algorithm (DGA) generated domains using a pre-trained deep learning model. It leverages the Network Resolution data model to analyze domain names and detect unusual character sequences indicative of DGA activity. This behavior is significant as adversaries often use DGAs to generate numerous domain names for command-and-control servers, making it harder to block malicious traffic. If confirmed malicious, this activity could enable attackers to maintain persistent communication with compromised systems, evade detection, and execute further malicious actions.
+description: The following analytic identifies Domain Generation Algorithm (DGA) generated
+  domains using a pre-trained deep learning model. It leverages the Network Resolution
+  data model to analyze domain names and detect unusual character sequences indicative
+  of DGA activity. This behavior is significant as adversaries often use DGAs to generate
+  numerous domain names for command-and-control servers, making it harder to block
+  malicious traffic. If confirmed malicious, this activity could enable attackers
+  to maintain persistent communication with compromised systems, evade detection,
+  and execute further malicious actions.
 data_source: []
-search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime  max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src, domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)`  | `security_content_ctime(lastTime)` | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter`'
-how_to_implement: 'Steps to deploy DGA detection model into Splunk App DSDL.\ This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU. * Download the artifacts .tar.gz file from the link  `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz`
-
-  * Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks`
-
-  * Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container should be listed on Containers page for DSDL app.
-
-  * Below steps need to be followed inside Jupyter lab
-
-  * Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.
-
-  *  Untar the artifact `pretrained_dga_model_dsdl.tar.gz` using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data`
-
-  * Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab
-
-  * Save the notebook using the save option in jupyter notebook.
-
-  * Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder.'
-known_false_positives: False positives may be present if domain name is similar to dga generated domains.
+search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time)
+  as firstTime  max(_time) as lastTime from datamodel=Network_Resolution by DNS.src,
+  DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src,
+  domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba
+  AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)`  | `security_content_ctime(lastTime)`
+  | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter`'
+how_to_implement: "Steps to deploy DGA detection model into Splunk App DSDL.\\ This
+  detection depends on the Splunk app for Data Science and Deep Learning which can
+  be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution
+  datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The
+  detection uses a pre-trained deep learning model that needs to be deployed in DSDL
+  app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU.
+  * Download the artifacts .tar.gz file from the link  `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz`\n
+  * Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks`\n
+  * Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container
+  should be listed on Containers page for DSDL app.\n* Below steps need to be followed
+  inside Jupyter lab\n* Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data`
+  path using the upload option in the jupyter notebook.\n*  Untar the artifact `pretrained_dga_model_dsdl.tar.gz`
+  using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data`\n
+  * Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using
+  the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter
+  notebook.\n* Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder."
+known_false_positives: False positives may be present if domain name is similar to
+  dga generated domains.
 references:
 - https://attack.mitre.org/techniques/T1568/002/
 - https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
 - https://en.wikipedia.org/wiki/Domain_generation_algorithm
+rba:
+  message: A potential connection to a DGA domain $domain$ was detected from host
+    $src$, kindly review.
+  risk_objects:
+  - field: src
+    type: Hostname
+    risk_score: 63.0
+  threat_objects:
+  - field: domain
+    type: URL String
 tags:
   analytic_story:
   - Data Exfiltration
@@ -40,18 +62,8 @@ tags:
   asset_type: Endpoint
   confidence: 90
   impact: 70
-  message: A potential connection to a DGA domain $domain$ was detected from host $src$, kindly review.
   mitre_attack_id:
   - T1568.002
-  observable:
-  - name: src
-    type: Hostname
-    role:
-    - Victim
-  - name: domain
-    type: URL String
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

diff --git a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml
@@ -1,19 +1,61 @@
 name: Detect DNS Data Exfiltration using pretrained model in DSDL
 id: 92f65c3a-168c-11ed-71eb-0242ac120012
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2024-11-15'
 status: experimental
 author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
 type: Anomaly
 data_source: []
-description: The following analytic identifies potential DNS data exfiltration using a pre-trained deep learning model. It leverages DNS request data from the Network Resolution datamodel and computes features from past events between the same source and domain. The model generates a probability score (pred_is_exfiltration_proba) indicating the likelihood of data exfiltration. This activity is significant as DNS tunneling can be used by attackers to covertly exfiltrate sensitive data. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising the organization's security posture.
-search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.src _time DNS.query | `drop_dm_object_name("DNS")` | sort - _time,src, query | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`'
-how_to_implement: "Steps to deploy detect DNS data exfiltration model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n * Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from https://github.com/splunk/security_content/notebooks\n* Login to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\n * Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter notebook.\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder."
-known_false_positives: False positives may be present if DNS data exfiltration request look very similar to benign DNS requests.
+description: The following analytic identifies potential DNS data exfiltration using
+  a pre-trained deep learning model. It leverages DNS request data from the Network
+  Resolution datamodel and computes features from past events between the same source
+  and domain. The model generates a probability score (pred_is_exfiltration_proba)
+  indicating the likelihood of data exfiltration. This activity is significant as
+  DNS tunneling can be used by attackers to covertly exfiltrate sensitive data. If
+  confirmed malicious, this could lead to unauthorized data access and potential data
+  breaches, compromising the organization's security posture.
+search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution
+  by DNS.src _time DNS.query | `drop_dm_object_name("DNS")` | sort - _time,src, query
+  | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time
+  | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration
+  | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score
+  | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score
+  > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration
+  | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`'
+how_to_implement: "Steps to deploy detect DNS data exfiltration model into Splunk
+  App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning
+  which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network
+  Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/.
+  The detection uses a pre-trained deep learning model that needs to be deployed in
+  DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n
+  * Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz
+  Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb`
+  Jupyter notebook from https://github.com/splunk/security_content/notebooks\n* Login
+  to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl
+  container. This container should be listed on Containers page for DSDL app.\n* Below
+  steps need to be followed inside Jupyter lab\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz
+  file into `app/model/data` path using the upload option in the jupyter notebook.\n
+  * Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz
+  using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz
+  -C app/model/data`\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb
+  into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save
+  the notebook using the save option in jupyter notebook.\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json`
+  into `notebooks/data` folder."
+known_false_positives: False positives may be present if DNS data exfiltration request
+  look very similar to benign DNS requests.
 references:
 - https://attack.mitre.org/techniques/T1048/003/
 - https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
 - https://en.wikipedia.org/wiki/Data_exfiltration
+rba:
+  message: A DNS data exfiltration request was sent by this host $src$ , kindly review.
+  risk_objects:
+  - field: src
+    type: Hostname
+    risk_score: 45.0
+  threat_objects:
+  - field: query
+    type: Other
 tags:
   analytic_story:
   - DNS Hijacking
@@ -22,18 +64,8 @@ tags:
   asset_type: Endpoint
   confidence: 90
   impact: 50
-  message: A DNS data exfiltration request was sent by this host $src$ , kindly review.
   mitre_attack_id:
   - T1048.003
-  observable:
-  - name: query
-    type: Other
-    role:
-    - Attacker
-  - name: src
-    type: Hostname
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security