Merge pull request #406 from splunk/CRL-1746

CRL-1746 macro ymls and detection update

detections/attrib_to_hide_files.yml

@@ -30,6 +30,8 @@ detect:
         risk_object_type:
           - system
         risk_score: 50
+      macros:
+        - attrib_to_hide_files_filter
       schedule:
         cron_schedule: 30 * * * *
         earliest_time: -70m@m
@@ -38,7 +40,7 @@ detect:
         as process max(_time) as lastTime from datamodel=Endpoint.Processes where
         Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process
         Processes.process_name Processes.user | `drop_dm_object_name("Processes")`
-        | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`'
+        | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `attrib_to_hide_files_filter`'
       suppress:
         suppress_fields: dest, process
         suppress_period: 86400s
@@ -93,7 +95,7 @@ mappings:
     - Persistence
   nist:
     - DE.CM
-modification_date: '2018-11-15'
+modification_date: '2020-03-16'
 name: Hiding Files And Directories With Attrib.exe
 original_authors:
   - company: Splunk
@@ -103,4 +105,4 @@ references: []
 security_domain: endpoint
 spec_version: 2
 type: splunk
-version: '2.0'
+version: '3.0'

detections/change_file_association.yml

@@ -27,6 +27,8 @@ detect:
         risk_object_type:
           - system
         risk_score: 40
+      macros:
+        - change_file_association_filter
       schedule:
         cron_schedule: 0 * * * *
         earliest_time: -70m@m
@@ -39,7 +41,7 @@ detect:
         | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path
         count  FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\Explorer\\FileExts*
         by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` |
-        table process_id dest registry_path]'
+        table process_id dest registry_path]| `change_file_association_filter`'
       suppress:
         suppress_fields: dest,user
         suppress_period: 28800s
@@ -106,7 +108,7 @@ mappings:
     - DE.CM
     - PR.PT
     - PR.IP
-modification_date: '2018-01-26'
+modification_date: '2020-03-16'
 name: Suspicious Changes to File Associations
 original_authors:
   - company: Splunk
@@ -116,4 +118,4 @@ references: []
 security_domain: endpoint
 spec_version: 2
 type: splunk
-version: '2.0'
+version: '3.0'

detections/children_of_spoolsv.yml

@@ -28,6 +28,8 @@ detect:
         risk_object_type:
           - system
         risk_score: 60
+      macros:
+        - children_of_spoolsv_filter
       schedule:
         cron_schedule: 0 * * * *
         earliest_time: -70m@m
@@ -36,7 +38,7 @@ detect:
         values(Processes.process) as process min(_time) as firstTime max(_time) as
         lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe
         AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process
-        Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+        Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `children_of_spoolsv_filter`'
       suppress:
         suppress_fields: dest, parent_process_name
         suppress_period: 86400s
@@ -50,7 +52,7 @@ entities:
 how_to_implement: You must be ingesting endpoint data that tracks process activity,
   including parent-child relationships from your endpoints to populate the Endpoint
   data model in the Processes node. The command-line arguments are mapped to the "process"
-  field in the Endpoint data model.
+  field in the Endpoint data model. Update the `children_of_spoolsv_filter` macro to filter out legitimate child processes spawned by spoolsv.exe.
 id: aa0c4aeb-5b18-41c4-8c07-f1442d7599df
 investigations:
   - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
@@ -97,7 +99,7 @@ mappings:
     - PR.AC
     - PR.PT
     - DE.CM
-modification_date: '2018-12-03'
+modification_date: '2020-03-16'
 name: Child Processes of Spoolsv.exe
 original_authors:
   - company: Splunk
@@ -107,4 +109,4 @@ references: []
 security_domain: endpoint
 spec_version: 2
 type: splunk
-version: '2.0'
+version: '3.0'

detections/common_ransomware_extensions.yml

@@ -25,6 +25,8 @@ detect:
         risk_object_type:
           - system
         risk_score: 80
+      macros:
+        - common_ransomware_extensions_filter
       schedule:
         cron_schedule: 0 * * * *
         earliest_time: -70m@m
@@ -33,7 +35,7 @@ detect:
         lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path)
         as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name |
         `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`|
-        rex field=file_name "(?<file_extension>\.[^\.]+)$" | `ransomware_extensions`'
+        rex field=file_name "(?<file_extension>\.[^\.]+)$" | `ransomware_extensions` | `common_ransomware_extensions_filter`'
       suppress:
         suppress_fields: dest,file_name
         suppress_period: 14400s
@@ -108,7 +110,7 @@ mappings:
   nist:
     - PR.PT
     - DE.CM
-modification_date: '2018-11-15'
+modification_date: '2020-03-16'
 name: Common Ransomware Extensions
 original_authors:
   - company: Splunk
@@ -118,4 +120,4 @@ references: []
 security_domain: endpoint
 spec_version: 2
 type: splunk
-version: '2.0'
+version: '3.0'

detections/common_ransomware_notes.yml

@@ -25,14 +25,17 @@ detect:
         risk_object_type:
           - system
         risk_score: 80
+      macros:
+        - common_ransomware_notes_filter
+        - ransomware_notes
       schedule:
         cron_schedule: 0 * * * *
         earliest_time: -70m@m
         latest_time: -10m@m
       search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as
         lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path)
         as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name |
-        `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`|`ransomware_notes`'
+        `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`|`ransomware_notes`| `common_ransomware_notes_filter`'
       suppress:
         suppress_fields: dest,file_name
         suppress_period: 14400s
@@ -95,7 +98,7 @@ mappings:
   nist:
     - PR.PT
     - DE.CM
-modification_date: '2018-11-15'
+modification_date: '2020-03-16'
 name: Common Ransomware Notes
 original_authors:
   - company: Splunk
@@ -105,4 +108,4 @@ references: []
 security_domain: endpoint
 spec_version: 2
 type: splunk
-version: '2.0'
+version: '3.0'

detections/create_local_admin_via_net.yml

@@ -27,6 +27,8 @@ detect:
         risk_object_type:
           - system
         risk_score: 50
+      macros:
+        - create_local_admin_via_net_filter
       schedule:
         cron_schedule: 0 8 * * *
         earliest_time: -1440m@m
@@ -36,7 +38,7 @@ detect:
         where (Processs.process_name=net.exe OR Processes.process_name=net1.exe) by
         Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)`
         | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`  | search (process=*localgroup* OR
-        process=*/add* OR process=*user*)'
+        process=*/add* OR process=*user*) |`create_local_admin_via_net_filter`'
       suppress:
         suppress_fields: dest
         suppress_period: 86400s
@@ -96,7 +98,7 @@ mappings:
   nist:
     - PR.PT
     - DE.CM
-modification_date: '2018-11-15'
+modification_date: '2020-03-16'
 name: Create local admin accounts using net.exe
 original_authors:
   - company: Splunk
@@ -106,4 +108,4 @@ references: []
 security_domain: endpoint
 spec_version: 2
 type: splunk
-version: '2.0'
+version: '3.0'

detections/dragonfly_schtasks.yml

@@ -29,6 +29,8 @@ detect:
         risk_object_type:
           - system
         risk_score: 80
+      macros:
+        - dragonfly_schtasks_filter
       schedule:
         cron_schedule: 0 * * * *
         earliest_time: -70m@m
@@ -38,7 +40,7 @@ detect:
         max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe  by
         Processes.user Processes.process_name Processes.parent_process_name Processes.dest  |
         `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |
-        search (process=*delete* OR process=*create*) process=*reset*'
+        search (process=*delete* OR process=*create*) process=*reset* | `dragonfly_schtasks_filter`'
       suppress:
         suppress_fields: dest, process_name, process
         suppress_period: 28800s
@@ -94,7 +96,7 @@ mappings:
     - Scheduled Task
   nist:
     - PR.IP
-modification_date: '2018-12-03'
+modification_date: '2020-03-16'
 name: Scheduled Task Name Used by Dragonfly Threat Actors
 original_authors:
   - company: Splunk
@@ -104,4 +106,4 @@ references: []
 security_domain: endpoint
 spec_version: 2
 type: splunk
-version: '2.0'
+version: '3.0'

detections/file_write_spikes.yml

@@ -26,6 +26,8 @@ detect:
         risk_object_type:
           - system
         risk_score: 30
+      macros:
+        - file_write_spikes_filter
       schedule:
         cron_schedule: 0 * * * *
         earliest_time: -7d@d
@@ -37,7 +39,7 @@ detect:
         "-1d@d"), count,null))) as avg stdev(eval(if(_time<relative_time(maxtime,
         "-1d@d"), count, null))) as stdev by "dest" | eval upperBound=(avg+stdev*4),
         isOutlier=if((count > upperBound) AND num_data_samples >=20, 1, 0) | search
-        isOutlier=1'
+        isOutlier=1 | `file_write_spikes_filter`'
       suppress:
         suppress_fields: dest
         suppress_period: 7200s
@@ -94,7 +96,7 @@ mappings:
     - Execution
   nist:
     - DE.CM
-modification_date: '2018-12-03'
+modification_date: '2020-03-16'
 name: Spike in File Writes
 original_authors:
   - company: Splunk
@@ -104,4 +106,4 @@ references: []
 security_domain: endpoint
 spec_version: 2
 type: splunk
-version: '2.0'
+version: '3.0'

detections/lnk_executing_a_process.yml

@@ -28,6 +28,8 @@ detect:
         risk_object_type:
           - system
         risk_score: 40
+      macros:
+        - lnk_executing_a_process_filter
       schedule:
         cron_schedule: 0 * * * *
         earliest_time: -70m@m
@@ -44,7 +46,7 @@ detect:
         | rename parent_process_id as lnk_pid | fields _time lnk_pid process_id dest
         process_name process_path process] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
         | table firstTime, lastTime, lnk_pid, process_id, user, dest, file_name, file_path,
-        process_name, process, process_path, file_hash'
+        process_name, process, process_path, file_hash | `lnk_executing_a_process_filter`'
       suppress:
         suppress_fields: dest,file_name
         suppress_period: 86400s
@@ -79,7 +81,7 @@ mappings:
   nist:
     - ID.AM
     - PR.DS
-modification_date: '2019-04-29'
+modification_date: '2020-03-16'
 name: Suspicious LNK file launching a process
 original_authors:
   - company: Splunk
@@ -89,4 +91,4 @@ responses: []
 security_domain: network
 spec_version: 2
 type: splunk
-version: '1.0'
+version: '2.0'

detections/outlook_writing_zip.yml

@@ -27,6 +27,8 @@ detect:
         risk_object_type:
           - system
         risk_score: 20
+      macros:
+        - outlook_writing_zip_filter
       schedule:
         cron_schedule: 0 * * * *
         earliest_time: -70m@m
@@ -44,8 +46,9 @@ detect:
         Filesystem.file_hash Filesystem.dest  | `drop_dm_object_name(Filesystem)`
         | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id|
         fields malicious_id outlook_id dest file_path file_name file_hash count file_id]
-        | table firstTime lastTime user dest malicious_id outlook_id process_name parent_process_name
-        file_name  file_path | where file_name != ""'
+        | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name
+        file_name  file_path | where file_name != "" | `outlook_writing_zip_filter`'
+
       suppress:
         suppress_fields: dest,file_name
         suppress_period: 86400s
@@ -87,7 +90,7 @@ mappings:
   nist:
     - ID.AM
     - PR.DS
-modification_date: '2020-03-02'
+modification_date: '2020-03-16'
 name: Detect Oulook.exe writing a .zip file
 original_authors:
   - company: Splunk

detections/rare_executables_on_endpoint.yml

@@ -27,6 +27,8 @@ detect:
         risk_object_type:
           - system
         risk_score: 20
+      macros:
+        - rare_executables_on_endpoint_filter
       schedule:
         cron_schedule: 10 * * * *
         earliest_time: -70m@m
@@ -38,7 +40,7 @@ detect:
         `security_content_ctime(lastTime)`| search [| tstats count from datamodel=Endpoint.Processes
         by Processes.process_name | rare Processes.process_name limit=30 | rename
         Processes.process_name as process| `filter_rare_process_whitelist`| table
-        process ]'
+        process ] | `rare_executables_on_endpoint_filter`'
       suppress:
         suppress_fields: dest, process
         suppress_period: 86400s
@@ -109,7 +111,7 @@ mappings:
     - PR.PT
     - PR.DS
     - DE.CM
-modification_date: '2018-10-30'
+modification_date: '2020-03-16'
 name: Detect Rare Executables
 original_authors:
   - company: Splunk
@@ -119,4 +121,4 @@ references: []
 security_domain: endpoint
 spec_version: 2
 type: splunk
-version: '4.0'
+version: '5.0'