diff --git a/package/default/analytic_stories.conf b/package/default/analytic_stories.conf
index ea0fdf641d..83d79f53ad 100644
--- a/package/default/analytic_stories.conf
+++ b/package/default/analytic_stories.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security-content
-# On Date: 2019-12-11T15:59:37 UTC
+# On Date: 2019-12-16T21:48:18 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
@@ -744,7 +744,7 @@ creation_date = 2018-12-13
 modification_date = 2018-12-13
 id = c4b89506-fbcf-4cb7-bfd6-527e54789604
 version = 1.0
-reference = ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf?cmp=26061"]
+reference = ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"]
 detection_searches = ["ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule"]
 mappings = {"cis20": ["CIS 10", "CIS 12", "CIS 16", "CIS 18", "CIS 2", "CIS 3", "CIS 4", "CIS 8", "CIS 9"], "kill_chain_phases": ["Actions on Objectives", "Command and Control", "Delivery", "Installation", "Reconnaissance"], "mitre_attack": ["Command-Line Interface", "Commonly Used Port", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Exploitation of Vulnerability", "Lateral Movement", "Remote Desktop Protocol", "System Information Discovery"], "nist": ["DE.AE", "DE.CM", "ID.AM", "ID.RA", "PR.AC", "PR.DS", "PR.IP", "PR.MA", "PR.PT"]}
 investigative_searches = ["ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Backup Logs For Endpoint", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Parent Process Info", "ESCU - Get Process Info", "ESCU - Get Process Information For Port Activity", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get Update Logs For Endpoint", "ESCU - Get User Information from Identity Table", "ESCU - Get Vulnerability Logs For Endpoint", "ESCU - Investigate Successful Remote Desktop Authentications", "ESCU - Investigate Web Activity From Host"]
diff --git a/package/default/macros.conf b/package/default/macros.conf
index 1cb47d314a..8f99236a4c 100644
--- a/package/default/macros.conf
+++ b/package/default/macros.conf
@@ -1,14 +1,10 @@
 #############
 # Automatically generated by generator.py in splunk/security-content
-# On Date: 2019-12-11T15:59:37 UTC
+# On Date: 2019-12-16T21:48:18 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
 
-[NetworkACLEvents]
-definition = (eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)
-description = This is a list of AWS event names that are associated with Network ACLs
-
 [brand_abuse_dns]
 definition = lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true
 description = This macro limits the output to only domains that are in the brand monitoring lookup file
@@ -29,18 +25,18 @@ description = This macro limits the output of the query field to dynamic dns dom
 definition = lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True
 description = This is a description
 
-[ec2ModificationAPIs]
-definition = (eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=GetConsoleOutput OR eventName=GetConsoleScreenshot OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)
-description = This is a list of AWS event names that have to do with modifying Amazon EC2 instances
-
 [ec2_excessive_runinstances_mltk_input_filter]
-definition = `comment(Use this macro to add additional filters for monitoring ec2 runinstances [eg - src_user != 'someUserNameExperiencingFalsePositives'].)`
+definition = 
 description = Use this macro to add additional filters for monitoring ec2 runinstances [eg - src_user != 'someUserNameExperiencingFalsePositives'].
 
 [ec2_excessive_terminateinstances_mltk_input_filter]
-definition = `comment(Use this macro to add additional filters for monitoring ec2 terminateinstances [eg - src_user != 'someUserNameExperiencingFalsePositives'].)`
+definition = 
 description = Use this macro to add additional filters for monitoring ec2 terminateinstances [eg - src_user != 'someUserNameExperiencingFalsePositives'].
 
+[ec2_modification_api_calls]
+definition = (eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=GetConsoleOutput OR eventName=GetConsoleScreenshot OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)
+description = This is a list of AWS event names that have to do with modifying Amazon EC2 instances
+
 [evilginx_phishlets_0365]
 definition = (query=login* AND query=www*)
 description = This limits the query fields to domains that are associated with evilginx masquerading as Office 365
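Review bot: The hunk drops `[ec2ModificationAPIs]` and re-adds the identical definition as `[ec2_modification_api_calls]` with no compatibility alias, and the later macros.conf hunks do the same for `NetworkACLEvents` → `network_acl_events`, `isWindowsSystemFile` → `is_windows_system_file` and `securityGroupAPIs` → `security_group_api_calls`, while `runstory(1)` is removed outright. None of the savedsearches.conf hunks in this diff still expand the old names, but any saved search, dashboard or customer-local knowledge object that does will fail to parse after the upgrade; since the definitions are byte-identical, keeping the old stanzas for one release with `description = Deprecated alias of ec2_modification_api_calls; will be removed` would make the rename safe. Note also that `ec2_excessive_runinstances_mltk_input_filter` and `ec2_excessive_terminateinstances_mltk_input_filter` now carry an empty `definition =`; confirm an empty macro expands cleanly in the positions these filters are spliced into, because the former `comment(...)` body at least parsed.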
@@ -74,23 +70,27 @@ definition = lookup update=true lookup_rare_process_whitelist_default process as description = This macro is intended to whitelist processes that have been definied as rare [investigate_cloud_compute_instance_activities_output_filter] -definition = `comment(Use this macro to add additional filters for investigating cloud compute activties)` +definition = description = Use this macro to add additional filters for investigating cloud compute activties [investigate_user_activities_in_all_cloud_region_output_filter] -definition = `comment(Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in all cloud regions)` +definition = description = Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in all cloud regions [investigate_user_activities_in_single_cloud_region_output_filter] -definition = `comment(Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in a specific cloud regions)` +definition = description = Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in a specific cloud regions -[isWindowsSystemFile] -definition = lookup update=true isWindowsSystemFile_lookup filename as process_name OUTPUT systemFile | search systemFile=true +[is_windows_system_file] +definition = lookup update=true is_windows_system_file_lookup filename as process_name OUTPUT systemFile | search systemFile=true description = This macro limits the output to process names that are in the Windows System directory +[network_acl_events] +definition = (eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation) +description = This is a list of AWS event names that are associated with Network ACLs + 
[previously_seen_cloud_compute_creations_by_user_input_filter] -definition = `comment(Use this macro to add additional filters for monitoring users that create cloud compute images)` +definition = description = Use this macro to add additional filters for monitoring users that create cloud compute images [previously_seen_cloud_compute_creations_by_user_search_window_begin_offset] @@ -98,7 +98,7 @@ definition = -70m@m description = Use this macro to determine how far into the past the window should be to determine if the user is new or not [previously_seen_cloud_compute_image_input_filter] -definition = `comment(Use this macro to add additional filters for monitoring cloud compute images)` +definition = description = Use this macro to add additional filters for monitoring cloud compute images [previously_seen_cloud_compute_image_search_window_begin_offset] @@ -106,7 +106,7 @@ definition = -70m@m description = Use this macro to determine how far into the past the window should be to determine if the image is new or not [previously_seen_cloud_compute_instance_types_input_filter] -definition = `comment(Use this macro to add additional filters for monitoring cloud compute instance types)` +definition = description = Use this macro to add additional filters for monitoring cloud compute instance types [previously_seen_cloud_compute_instance_types_search_window_begin_offset] @@ -114,7 +114,7 @@ definition = -70m@m description = Use this macro to determine how far into the past the window should be to determine if the instance type is new or not [previously_seen_cloud_regions_input_filter] -definition = `comment(Use this macro to add additional filters for monitoring your cloud regions)` +definition = description = Use this macro to add additional filters for monitoring your cloud regions [previously_seen_cloud_regions_search_window_begin_offset] 
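Review bot: `is_windows_system_file` now reads `is_windows_system_file_lookup` instead of `isWindowsSystemFile_lookup`, and the `suspicious_email_attachments` change in the next macros.conf hunk does the same with `is_suspicious_file_extension_lookup`, yet no transforms.conf change renaming those lookup stanzas or the CSV files behind them is part of this diff. If the stanzas are not renamed in the same release, both macros raise a lookup error at search time and every detection built on them silently stops producing results. Please confirm the matching transforms.conf stanzas exist in this commit, or keep the old lookup names until they do.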
@@ -141,17 +141,21 @@ description = This macro limits the output to files that have been identified as definition = eval domain=trim(domain,"*") | search NOT[| inputlookup domains] NOT[ |inputlookup cim_corporate_email_domain_lookup] NOT[inputlookup cim_corporate_web_domain_lookup] | eval domain="*"+domain+"*" description = This macro removes valid domains from the output -[runstory(1)] -args = story_name -definition = runstory story=$story_name$ | table name, num_search_results, description, kill_chain_phases, mitre_attack -description = This macro takes an analytic story name and runs it +[security_content_ctime(1)] +args = field +definition = `ctime($field$,"%m/%d/%Y %H:%M:%S")` +description = convert epoch time to string + +[security_content_summariesonly] +definition = summariesonly=true allow_old_summaries=true +description = search data model's summaries only -[securityGroupAPIs] +[security_group_api_calls] definition = (eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress) description = This macro is a list of AWS event names associated with security groups [suspicious_email_attachments] -definition = lookup update=true isSuspiciousFileExtension_lookup file_name OUTPUT suspicious | search suspicious=true +definition = lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true description = This macro limits the output to email attachments that have suspicious extensions [suspicious_writes] diff --git a/package/default/savedsearches.conf b/package/default/savedsearches.conf index e24644189f..c547f72b7c 100644 --- a/package/default/savedsearches.conf 
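Review bot: `security_content_summariesonly` expands to `summariesonly=true allow_old_summaries=true`, but its description, `search data model's summaries only`, does not tell the analyst what that means for every tstats detection that now calls it: events not yet in the accelerated summary are never searched, and `allow_old_summaries=true` also accepts summaries built under a previous data model definition, so results after a CIM upgrade may come from stale summaries. Propose `description = Restrict tstats to accelerated data model summaries; unaccelerated events are not searched, and summaries built with an older data model definition are still accepted (allow_old_summaries=true).` The new `security_content_ctime(1)` still delegates to a two-argument `ctime` macro that no hunk of this diff defines, so the dependency on whichever app provides it is not removed; inlining `convert timeformat="%m/%d/%Y %H:%M:%S" ctime($field$)` as the definition would make the macro self-contained.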
+++ b/package/default/savedsearches.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security-content -# On Date: 2019-12-11T15:59:36 UTC +# On Date: 2019-12-16T21:48:18 UTC # Author: Splunk Security Research # Contact: research@splunk.com ############# @@ -369,7 +369,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = sourcetype=aws:cloudtrail eventName=DeleteNetworkAcl|rename userIdentity.arn as arn | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `ctime(lastTime)` | `ctime(firstTime)` +search = sourcetype=aws:cloudtrail eventName=DeleteNetworkAcl|rename userIdentity.arn as arn | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` [ESCU - Abnormally High AWS Instances Launched by User - Rule] action.escu = 0 
@@ -620,7 +620,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe (Processes.process=*-addstore* AND Processes.process=*disallowed* ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name("Processes")` | `ctime(firstTime)`|`ctime(lastTime)` +search = | tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe (Processes.process=*-addstore* AND Processes.process=*disallowed* ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` [ESCU - Attempt To Set Default PowerShell Execution Policy To Unrestricted - Rule] action.escu = 0 
@@ -671,7 +671,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)`| search (process=*add* process=*Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell* process=*ExecutionPolicy* process=*Unrestricted*) +search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*add* process=*Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell* process=*ExecutionPolicy* process=*Unrestricted*) [ESCU - Attempt To Stop Security Service - Rule] action.escu = 0 
@@ -722,7 +722,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = net.exe OR Processes.process_name = sc.exe) Processes.process="* stop *" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `ctime(firstTime)` | `ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security +search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = net.exe OR Processes.process_name = sc.exe) Processes.process="* stop *" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security [ESCU - Attempted Credential Dump From Registry Via Reg.exe - Rule] action.escu = 0 
@@ -773,7 +773,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg.exe by Processes.user Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)` | search process=*save* (process=*HKLM\\sam* OR process=*HKLM\\system*) +search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg.exe by Processes.user Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*save* (process=*HKLM\\sam* OR process=*HKLM\\system*) [ESCU - Batch File Write to System32 - Rule] action.escu = 0 
@@ -824,7 +824,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user from datamodel=Endpoint.Filesystem by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `ctime(lastTime)` | `ctime(firstTime)`| rex field=file_name "(?\.[^\.]+)$" | search file_path=*system32* AND file_extension=.bat +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user from datamodel=Endpoint.Filesystem by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name "(?\.[^\.]+)$" | search file_path=*system32* AND file_extension=.bat [ESCU - Child Processes of Spoolsv.exe - Rule] action.escu = 0 
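Review bot: As printed, the `rex field=file_name "(?\.[^\.]+)$"` in the new search has no capture-group name, yet the following `search file_path=*system32* AND file_extension=.bat` depends on a `file_extension` field; the Common Ransomware Extensions hunk further down carries the same `rex`. This looks like the rendering dropped a `<file_extension>` token from `(?<file_extension>\.[^\.]+)$` — if the stanza really reads as shown, the regex is invalid and the detection never matches, so please verify against the generated file. Either way, naming the extracted field in a comment in the source detection YAML would keep the intent visible, since savedsearches.conf itself carries no comments.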
@@ -875,7 +875,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `ctime(firstTime)` | `ctime(lastTime)` +search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` [ESCU - Clients Connecting to Multiple DNS Servers - Rule] action.escu = 0 @@ -928,7 +928,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name("Network_Resolution")` |where dest_count > 5 +search = | tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name("Network_Resolution")` |where dest_count > 5 [ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule] action.escu = 0 
@@ -981,7 +981,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.action=run by Compute.src_user | `drop_dm_object_name("Compute")` | inputlookup append=t previously_seen_cloud_compute_creations_by_user | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by src_user | multireport [| table src_user, firstTime, lastTime | outputlookup previously_seen_cloud_compute_creations_by_user | where fact=fiction][| eval new_user=if(firstTime >= relative_time(now(), `previously_seen_cloud_compute_creations_by_user_search_window_begin_offset`), 1, 0) | where new_user=1 | convert ctime(firstTime) ctime(lastTime)] | table src_user, dest, firstTime, lastTime +search = | tstats `security_content_summariesonly` earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.action=run by Compute.src_user | `drop_dm_object_name("Compute")` | inputlookup append=t previously_seen_cloud_compute_creations_by_user | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by src_user | multireport [| table src_user, firstTime, lastTime | outputlookup previously_seen_cloud_compute_creations_by_user | where fact=fiction][| eval new_user=if(firstTime >= relative_time(now(), `previously_seen_cloud_compute_creations_by_user_search_window_begin_offset`), 1, 0) | where new_user=1 | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | table src_user, dest, firstTime, lastTime [ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule] action.escu = 0 
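Review bot: The rewritten search for `Cloud Compute Instance Created By Previously Unseen User` is the only one of the four previously-seen cloud searches that gets `security_content_summariesonly` on its tstats, and also the only one that does not call its input-filter macro, although `previously_seen_cloud_compute_creations_by_user_input_filter` is defined in macros.conf by this same commit. The image, instance-type and region searches in the three following hunks keep a plain `tstats` and do splice in their `*_input_filter` macros. Either all four should carry the summariesonly macro or none should, and the user search should read `where Compute.action=run `previously_seen_cloud_compute_creations_by_user_input_filter` by Compute.src_user` so operators can suppress known-noisy users the same way as for the other three.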
@@ -1034,7 +1034,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_image_input_filter` by Compute.image_id, Compute.src_user | `drop_dm_object_name("Compute")` | inputlookup append=t previously_seen_cloud_compute_images | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by image_id, src_user | multireport [| table image_id, firstTime, lastTime | outputlookup previously_seen_cloud_compute_images | where fact=fiction][| eval new_image=if(firstTime >= relative_time(now(), `previously_seen_cloud_compute_image_search_window_begin_offset`), 1, 0) | where new_image=1 | convert ctime(firstTime) ctime(lastTime)] | table image_id, dest, src_user, firstTime, lastTime +search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_image_input_filter` by Compute.image_id, Compute.src_user | `drop_dm_object_name("Compute")` | inputlookup append=t previously_seen_cloud_compute_images | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by image_id, src_user | multireport [| table image_id, firstTime, lastTime | outputlookup previously_seen_cloud_compute_images | where fact=fiction][| eval new_image=if(firstTime >= relative_time(now(), `previously_seen_cloud_compute_image_search_window_begin_offset`), 1, 0) | where new_image=1 | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | table image_id, dest, src_user, firstTime, lastTime [ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule] action.escu = 0 
@@ -1087,7 +1087,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.event_name=RunInstances `previously_seen_cloud_compute_instance_types_input_filter` by Compute.instance_type, Compute.src_user | `drop_dm_object_name("Compute")` | inputlookup append=t previously_seen_cloud_compute_instance_types | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by instance_type, src_user | multireport [| table instance_type, firstTime, lastTime | outputlookup previously_seen_cloud_compute_instance_types | where fact=fiction][| eval new_type=if(firstTime >= relative_time(now(), `previously_seen_cloud_compute_instance_types_search_window_begin_offset`), 1, 0) | where new_type=1 | convert ctime(firstTime) ctime(lastTime)] | table instance_type, dest, src_user, firstTime, lastTime +search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.event_name=RunInstances `previously_seen_cloud_compute_instance_types_input_filter` by Compute.instance_type, Compute.src_user | `drop_dm_object_name("Compute")` | inputlookup append=t previously_seen_cloud_compute_instance_types | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by instance_type, src_user | multireport [| table instance_type, firstTime, lastTime | outputlookup previously_seen_cloud_compute_instance_types | where fact=fiction][| eval new_type=if(firstTime >= relative_time(now(), `previously_seen_cloud_compute_instance_types_search_window_begin_offset`), 1, 0) | where new_type=1 | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | table instance_type, dest, src_user, firstTime, lastTime [ESCU - Cloud Compute Instance Started In Previously Unused Region - 
Rule] action.escu = 0 @@ -1140,7 +1140,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.event_name=RunInstances `previously_seen_cloud_regions_input_filter` by Compute.region, Compute.src_user | `drop_dm_object_name("Compute")` | inputlookup append=t previously_seen_cloud_regions | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by region, src_user | multireport [| table region, firstTime, lastTime | outputlookup previously_seen_cloud_regions | where fact=fiction][| eval new_region=if(firstTime >= relative_time(now(), `previously_seen_cloud_regions_search_window_begin_offset`), 1, 0) | where new_region=1 | convert ctime(firstTime) ctime(lastTime)] | table region, dest, src_user, firstTime, lastTime +search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.event_name=RunInstances `previously_seen_cloud_regions_input_filter` by Compute.region, Compute.src_user | `drop_dm_object_name("Compute")` | inputlookup append=t previously_seen_cloud_regions | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by region, src_user | multireport [| table region, firstTime, lastTime | outputlookup previously_seen_cloud_regions | where fact=fiction][| eval new_region=if(firstTime >= relative_time(now(), `previously_seen_cloud_regions_search_window_begin_offset`), 1, 0) | where new_region=1 | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | table region, dest, src_user, firstTime, lastTime [ESCU - Common Ransomware Extensions - Rule] action.escu = 0 
@@ -1195,7 +1195,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `ctime(lastTime)` | `ctime(firstTime)`| rex field=file_name "(?\.[^\.]+)$" | `ransomware_extensions` +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name "(?\.[^\.]+)$" | `ransomware_extensions` [ESCU - Common Ransomware Notes - Rule] action.escu = 0 @@ -1246,7 +1246,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `ctime(lastTime)` | `ctime(firstTime)`|`ransomware_notes` +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`|`ransomware_notes` [ESCU - Create local admin accounts using net.exe - Rule] action.escu = 0 
@@ -1297,7 +1297,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processs.process_name=net.exe OR Processes.process_name=net1.exe) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)` | search (process=*localgroup* OR process=*/add* OR process=*user*) +search = | tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processs.process_name=net.exe OR Processes.process_name=net1.exe) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search (process=*localgroup* OR process=*/add* OR process=*user*) [ESCU - Create or delete hidden shares using net.exe - Rule] action.escu = 0 
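Review bot: The new search still filters on `Processs.process_name=net.exe` (three s) in the tstats where-clause, and this hunk only swaps the macro names around it; the next hunk (`Create or delete hidden shares using net.exe`) carries the same misspelling. No `Processs` object exists in Endpoint.Processes, so that term either errors or matches nothing, and in both cases only `net1.exe` executions are ever returned while local-admin creation and hidden-share changes via net.exe go undetected. The fix is `(Processes.process_name=net.exe OR Processes.process_name=net1.exe)` in both searches, made in the source detection YAML since this file is generated.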
@@ -1348,7 +1348,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processs.process_name=net.exe OR Processes.process_name=net1.exe) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)` | search (process=*share* OR process=*delete*)| regex process="\S+[$]"
+search = | tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processs.process_name=net.exe OR Processes.process_name=net1.exe) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search (process=*share* OR process=*delete*)| regex process="\S+[$]"
 [ESCU - DNS Query Length Outliers - MLTK - Rule]
 action.escu = 0
@@ -1405,7 +1405,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` | `ctime(firstTime)` | `ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename "IsOutlier(query_length)" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length
+search = | tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename "IsOutlier(query_length)" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length
 [ESCU - DNS Query Length With High Standard Deviation - Rule]
 action.escu = 0
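Review bot: The new line applies `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`, but the tstats aliases its timestamps as `start_time` and `end_time`, so the macros act on fields that do not exist and the times shown by the final `table` stay as raw epoch values. The two macro calls should be `security_content_ctime(start_time)` and `security_content_ctime(end_time)`. The mismatch is inherited from the removed line rather than introduced by this commit, but a rename that touches exactly these calls is the natural place to fix it.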
@@ -1456,7 +1456,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type | `drop_dm_object_name("DNS")` | eval query_length = len(query) | table query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev
+search = | tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type | `drop_dm_object_name("DNS")` | eval query_length = len(query) | table query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev
 [ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule]
 action.escu = 0
@@ -1507,7 +1507,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name("DNS")`
+search = | tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name("DNS")`
 [ESCU - DNS record changed - Rule]
 action.escu = 0
@@ -1562,7 +1562,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | inputlookup discovered_dns_records.csv | rename answer as discovered_answer | join domain[|tstats summariesonly=true count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!="unknown" DNS.answer!="" by DNS.query | rename DNS.query as query | where query!="unknown" | rex field=query "(?\w+\.\w+?)(?:$|/)"] | makemv delim=" " answer | makemv delim=" " type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n)
+search = | inputlookup discovered_dns_records.csv | rename answer as discovered_answer | join domain[|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!="unknown" DNS.answer!="" by DNS.query | rename DNS.query as query | where query!="unknown" | rex field=query "(?\w+\.\w+?)(?:$|/)"] | makemv delim=" " answer | makemv delim=" " type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n)
 [ESCU - Deleting Shadow Copies - Rule]
 action.escu = 0
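Review bot: On the new line `makemv delim=" " answer` runs after `rename answer as discovered_answer`, so it targets a field that no longer exists and is a no-op; the field that needs splitting is `discovered_answer`, which is only split much later by `makemv discovered_answer`. Either drop the dead command or make it `makemv delim=" " discovered_answer` at that point so the intent is visible next to the `rename`. The named capture group in the `rex` on `query` is not visible in the page as rendered, so I cannot confirm from here that it produces the `domain` field the `join` and the final `table` rely on — worth checking against the source file.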
@@ -1613,7 +1613,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)` | search process=*delete* AND process=*shadow*
+search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*delete* AND process=*shadow*
 [ESCU - Detect API activity from users without MFA - Rule]
 action.escu = 0
@@ -1669,7 +1669,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `ctime(firstTime)` | `ctime(lastTime)`
+search = sourcetype=aws:cloudtrail userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 [ESCU - Detect AWS API Activities From Unapproved Accounts - Rule]
 action.escu = 0
@@ -1725,7 +1725,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail errorCode=success | rename userName as identity | search NOT [| inputlookup identity_lookup_expanded | fields identity] | search NOT [| inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `ctime(firstTime)` | `ctime(lastTime)`
+search = sourcetype=aws:cloudtrail errorCode=success | rename userName as identity | search NOT [| inputlookup identity_lookup_expanded | fields identity] | search NOT [| inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 [ESCU - Detect AWS Console Login by User from New City - Rule]
 action.escu = 0
@@ -1775,7 +1775,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | inputlookup previously_seen_users_console_logins.csv | stats min(earliest) as earliest max(latest) as latest by user City | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(earliest) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(earliest >= relative_time(now(), "@d"), "New City","Previously Seen City") | eval UserData=if(earliestseen >= relative_time(now(), "@d") OR isnull(earliestseen), "New User","Old User") | where userStatus="New City" AND UserData="Old User" | convert ctime(earliest) ctime(latest) ctime(earliestseen) | table user City userStatus earliest latest earliestseen
+search = | inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user City | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(firstTime >= relative_time(now(), "@d"), "New City","Previously Seen City") | eval UserData=if(earliestseen >= relative_time(now(), "@d") OR isnull(earliestseen), "New User","Old User") | where userStatus="New City" AND UserData="Old User" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `security_content_ctime(earliestseen)` | table user City userStatus firstTime lastTime earliestseen
 [ESCU - Detect AWS Console Login by User from New Country - Rule]
 action.escu = 0
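Review bot: The new line reads `firstTime`/`lastTime` columns from `previously_seen_users_console_logins.csv` where the removed line read `earliest`/`latest`; that is a schema change to the lookup, and the support search that writes the file is not part of this hunk. If an existing lookup still carries the old column names, `min(firstTime)` is null, `userStatus` falls through to "Previously Seen City" and the search silently stops alerting, so the baseline search and any lookup files already deployed need to be migrated in the same release. The same column rename is made on the New Country (-1825) and New Region (-1875) hunks. A sentence in this stanza's how_to_implement noting the lookup column rename would help operators upgrading from an earlier release.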
@@ -1825,7 +1825,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | inputlookup previously_seen_users_console_logins.csv | stats min(earliest) as earliest max(latest) as latest by user Country | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(earliest) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(earliest >= relative_time(now(), "@d"), "New Country","Previously Seen Country") | eval UserData=if(earliestseen >= relative_time(now(), "@d") OR isnull(earliestseen), "New User","Old User") | where userStatus="New Country" AND UserData="Old User" | convert ctime(earliest) ctime(latest) ctime(earliestseen) | table user Country userStatus earliest latest earliestseen
+search = | inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user Country | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(firstTime >= relative_time(now(), "@d"), "New Country","Previously Seen Country") | eval UserData=if(earliestseen >= relative_time(now(), "@d") OR isnull(earliestseen), "New User","Old User") | where userStatus="New Country" AND UserData="Old User" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`security_content_ctime(earliestseen)` | table user Country userStatus firstTime lastTime earliestseen
 [ESCU - Detect AWS Console Login by User from New Region - Rule]
 action.escu = 0
@@ -1875,7 +1875,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | inputlookup previously_seen_users_console_logins.csv | stats min(earliest) as earliest max(latest) as latest by user Region | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(earliest) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(earliest >= relative_time(now(), "@d"), "New Region","Previously Seen Region") | eval UserData=if(earliestseen >= relative_time(now(), "@d") OR isnull(earliestseen), "New User","Old User") | where userStatus="New Region" AND UserData="Old User" | convert ctime(earliest) ctime(latest) ctime(earliestseen) | table user Region userStatus earliest latest earliestseen
+search = | inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user Region | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(firstTime >= relative_time(now(), "@d"), "New Region","Previously Seen Region") | eval UserData=if(earliestseen >= relative_time(now(), "@d") OR isnull(earliestseen), "New User","Old User") | where userStatus="New Region" AND UserData="Old User" | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `security_content_ctime(earliestseen)` | table user Region userStatus firstTime lastTime earliestseen
 [ESCU - Detect Activity Related to Pass the Hash Attacks - Rule]
 action.escu = 0
@@ -1980,7 +1980,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats summariesonly=true allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)`| rex field=query ".*?(?[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | stats count values(query) as query by domain dest src answer| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [ inputlookup legit_domains.csv | fields domain]| join domain type=outer [| tstats count summariesonly=true allow_old_summaries=true values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename "Web.*" as * | rex field=site ".*?(?[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | table dest domain url] | table count src dest query answer domain url
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)`| rex field=query ".*?(?[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | stats count values(query) as query by domain dest src answer| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [ inputlookup legit_domains.csv | fields domain]| join domain type=outer [| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename "Web.*" as * | rex field=site ".*?(?[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | table dest domain url] | table count src dest query answer domain url
 [ESCU - Detect Excessive Account Lockouts From Endpoint - Rule]
 action.escu = 0
@@ -2035,7 +2035,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.dest All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")`| `ctime(firstTime)` | `ctime(lastTime)` | search count > 5
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.dest All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5
 [ESCU - Detect Excessive User Account Lockouts - Rule]
 action.escu = 0
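Review bot: The new line replaces `summariesonly=true allow_old_summaries=true` with the `security_content_summariesonly` macro in both tstats calls; if that macro expands only to `summariesonly=true`, the `allow_old_summaries=true` behaviour is silently dropped for this search, which goes beyond a rename — confirm the macro definition, or keep `allow_old_summaries=true` beside the macro here. Separately, the `rex` applied to `query` and to `site` only accepts a two- or three-character label after the final dot, so names under longer top-level domains never populate `domain` and are never compared against the `evilginx_phishlets_*` macros or `legit_domains.csv`; widening that to `\S{2,}` (and escaping the literal dot in `\S{2,3}.\S{2,3}`) would close the gap. The stanza header for this search lies above the hunk.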
@@ -2086,7 +2086,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.user All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")`| `ctime(firstTime)` | `ctime(lastTime)` | search count > 5
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.user All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5
 [ESCU - Detect Large Outbound ICMP Packets - Rule]
 action.escu = 0
@@ -2137,7 +2137,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count earliest(_time) as earliest latest(_time) as latest values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | convert ctime(earliest) ctime(latest)
+search = | tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`
 [ESCU - Detect Long DNS TXT Record Response - Rule]
 action.escu = 0
@@ -2188,7 +2188,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name("DNS")` | eval anslen=len(answer) | search anslen>100 | `ctime(firstTime)` | `ctime(lastTime)` | rename src as "Source IP", dest as "Destination IP", answer as "DNS Answer" anslen as "Answer Length" record_type as "DNS Record Type" firstTime as "First Time" lastTime as "Last Time" count as Count | table "Source IP" "Destination IP" "DNS Answer" "DNS Record Type" "Answer Length" Count "First Time" "Last Time"
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name("DNS")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as "Source IP", dest as "Destination IP", answer as "DNS Answer" anslen as "Answer Length" record_type as "DNS Record Type" firstTime as "First Time" lastTime as "Last Time" count as Count | table "Source IP" "Destination IP" "DNS Answer" "DNS Record Type" "Answer Length" Count "First Time" "Last Time"
 [ESCU - Detect Mimikatz Via PowerShell And EventCode 4663 - Rule]
 action.escu = 0
@@ -2238,7 +2238,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = eventtype = wineventlog_security signature_id=4663 Process_Name=*powershell.exe Object_Name=*lsass.exe Access_Mask=0x10 | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, Process_ID, Message | rename Process_Name as process | `ctime(firstTime)`| `ctime(lastTime)`
+search = eventtype = wineventlog_security signature_id=4663 Process_Name=*powershell.exe Object_Name=*lsass.exe Access_Mask=0x10 | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, Process_ID, Message | rename Process_Name as process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 [ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule]
 action.escu = 0
@@ -2288,7 +2288,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = eventtype=wineventlog_security signature_id=4703 Process_Name=*powershell.exe | rex field=Message "Enabled Privileges:\s+(?\w+)\s+Disabled Privileges:" | where privs="SeDebugPrivilege" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as "Enabled Privilege" | rename Process_Name as process | `ctime(firstTime)`| `ctime(lastTime)`
+search = eventtype=wineventlog_security signature_id=4703 Process_Name=*powershell.exe | rex field=Message "Enabled Privileges:\s+(?\w+)\s+Disabled Privileges:" | where privs="SeDebugPrivilege" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as "Enabled Privilege" | rename Process_Name as process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 [ESCU - Detect New Local Admin account - Rule]
 action.escu = 0
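Review bot: The `rex` on the new line of the 4703 search captures the privilege with a single `\w+` bracketed by `\s+` and the literal `Disabled Privileges:`, so it only matches when exactly one privilege token sits between the two headings; an event that enables SeDebugPrivilege together with other privileges fails the regex, `privs` is empty and `where privs="SeDebugPrivilege"` drops it. Capture the whole block and test for membership instead: `rex field=Message "Enabled Privileges:\s+(?<privs>[\s\S]+?)\s+Disabled Privileges:" | where match(privs, "SeDebugPrivilege")`. The capture-group name is not visible in the page as rendered; `privs` is the field the rest of the line uses. The mismatch predates this commit, which only renames the ctime macros.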
@@ -2395,7 +2395,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0) | where isOutlier=1| `ctime(earliest)`| `ctime(latest)` | `drop_dm_object_name("Authentication")`
+search = | tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name("Authentication")`
 [ESCU - Detect New Open S3 buckets - Rule]
 action.escu = 0
@@ -2496,7 +2496,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe OR Processes.process_name=explorer.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `ctime(firstTime)` | `ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* OR Filesystem.file_path=*Local\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `ctime(firstTime)` | `ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != ""
+search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe OR Processes.process_name=explorer.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* OR Filesystem.file_path=*Local\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != ""
 [ESCU - Detect Outbound SMB Traffic - Rule]
 action.escu = 0
@@ -2547,7 +2547,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count earliest(_time) as earliest latest(_time) as latest values(All_Traffic.action) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb) by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | convert ctime(earliest) ctime(latest)
+search = | tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest values(All_Traffic.action) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb) by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(earliest)`| `security_content_ctime(latest)`
 [ESCU - Detect Path Interception By Creation Of program.exe - Rule]
 action.escu = 0
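Review bot: The `join malicious_id type=inner` on the new line correlates the Outlook/Explorer process with the zip or lnk file write on `process_id` alone, although both sides carry `dest` (Processes.dest on the outer side, Filesystem.dest kept by the subsearch's `fields`); process IDs are only meaningful per host and are reused over time, so a file write on one host can be paired with a process on another. Joining on both keys, `join malicious_id dest type=inner[...]`, removes the cross-host pairing. Inside the subsearch, `security_content_ctime(firstTime)`, `security_content_ctime(lastTime)` and the `file_id` in `fields` refer to fields that subsearch's tstats never produces (it computes only `count` and two `values()`), so they are no-ops that obscure the intent and can be dropped. The stanza header for this search lies above the hunk.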
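Review bot: This hunk keeps the `earliest`/`latest` aliases and wraps them in `security_content_ctime`, whereas the otherwise parallel outbound-ICMP search at -2137 renames them to `firstTime`/`lastTime` in this same commit, so the two sibling outbound-traffic searches now emit differently named time fields. For consistency with -2137 and the rest of the file, use `earliest(_time) as firstTime latest(_time) as lastTime` together with `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` here as well, or leave a comment explaining why this search keeps the old names.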
@@ -2598,7 +2598,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where Filesystem.file_path="C:\\program.exe" by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `ctime(lastTime)` | `ctime(firstTime)`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where Filesystem.file_path="C:\\program.exe" by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
 [ESCU - Detect Prohibited Applications Spawning cmd.exe - Rule]
 action.escu = 0
@@ -2649,7 +2649,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.parent_process_name Processes.process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)` |search [`prohibited_apps_launching_cmd`]
+search = | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.parent_process_name Processes.process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd`]
 [ESCU - Detect PsExec With accepteula Flag - Rule]
 action.escu = 0
@@ -2700,7 +2700,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = PsExec.exe Processes.process = "*accepteula*" by Processes.process_name Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)`| `ctime(firstTime)`| `ctime(lastTime)`
+search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = PsExec.exe Processes.process = "*accepteula*" by Processes.process_name Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 [ESCU - Detect Rare Executables - Rule]
 action.escu = 0
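Review bot: The new line of the PsExec search keeps `Processes.process_name = PsExec.exe` as an exact literal; if the tstats comparison is case-sensitive against the Endpoint.Processes summaries in a given deployment, a differently cased or differently named build of the tool will not match even though the `*accepteula*` argument is present. The argument is the distinctive signal here, so `Processes.process_name=PsExec*.exe`, or dropping the name constraint and relying on `Processes.process = "*accepteula*"`, would widen coverage at little cost. Worth confirming how `process_name` is normalised in the accelerated summaries before changing it; the constraint itself predates this commit.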
@@ -2751,7 +2751,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | rename Processes.process_name as process | rex field=user "(?.*)\\\\(?.*)" | `ctime(firstTime)`| `ctime(lastTime)`| search [| tstats count from datamodel=Endpoint.Processes by Processes.process_name | rare Processes.process_name limit=30 | rename Processes.process_name as process| `filter_rare_process_whitelist`| table process ]
+search = | tstats `security_content_summariesonly` count values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | rename Processes.process_name as process | rex field=user "(?.*)\\\\(?.*)" | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search [| tstats count from datamodel=Endpoint.Processes by Processes.process_name | rare Processes.process_name limit=30 | rename Processes.process_name as process| `filter_rare_process_whitelist`| table process ]
 [ESCU - Detect S3 access from a new IP - Rule]
 action.escu = 0
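Review bot: The outer tstats on the new line now carries `security_content_summariesonly`, but the inner `tstats count from datamodel=Endpoint.Processes by Processes.process_name` in the `search [...]` subsearch is left without it, so the rarity baseline is computed over a different data set (and under different acceleration settings) than the events being returned. Apply the same macro in the subsearch so both halves read the same data: `search [| tstats \`security_content_summariesonly\` count from datamodel=Endpoint.Processes by Processes.process_name | rare Processes.process_name limit=30 ...]`. The omission is inherited from the removed line, which had the same asymmetry with the old macro.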
@@ -2801,7 +2801,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:s3:accesslogs http_status=200 [search sourcetype=aws:s3:accesslogs http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip.csv | eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | convert ctime(firstTime) ctime(lastTime) | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri
+search = sourcetype=aws:s3:accesslogs http_status=200 [search sourcetype=aws:s3:accesslogs http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip.csv | eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri
 [ESCU - Detect Spike in AWS API Activity - Rule]
 action.escu = 0
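Review bot: The `outputlookup previously_seen_S3_access_from_remote_ip.csv` on the new line sits inside the detection's own subsearch, so every execution of this search, including an ad-hoc run by an analyst, rewrites the baseline; an IP first seen during such a run is then recorded as previously seen and the `-70m@m` `newIP` window will not fire for it on the next scheduled run. Moving the baseline update into a separate support search, as the "Baseline ..." support searches referenced elsewhere in this file appear to do, and leaving this search read-only avoids the side effect. The `-70m@m` window also presumes a fixed schedule interval that is not visible here; a sentence in how_to_implement stating the expected cron would help. The stanza header for this search lies above the hunk.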
@@ -2887,7 +2887,7 @@ action.escu.eli5 = This search and its corresponding subsearch run through the f 1. Set the minimum threshold for the number of data points and set the number of standard deviations away from the mean it must be to be considered a spike.\ 1. Make a determination regarding whether or not the current count is a spike by checking to see if the minimum data-point threshold has been met and the count is a sufficient number of standard deviations away from the average.\ 1. Filter out anything that it determines is not a spike and return the list of ARNs to the main search. The main search subsequently gets the names of all the API calls, the number of unique API calls, and the total number of API calls for each of these ARNs. Finally, it looks up the average and standard deviation and returns both the average and the number of standard deviations the spike is from the average. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Network ACL Activity by ARN" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `NetworkACLEvents`. +action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Network ACL Activity by ARN" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`. action.escu.known_false_positives = The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Please modify this according the your environment. action.escu.creation_date = 2018-05-17 action.escu.modification_date = 2018-05-21 
@@ -2929,7 +2929,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = sourcetype=aws:cloudtrail `NetworkACLEvents` [search sourcetype=aws:cloudtrail `NetworkACLEvents` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user +search = sourcetype=aws:cloudtrail `network_acl_events` [search sourcetype=aws:cloudtrail `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, 
numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user [ESCU - Detect Spike in S3 Bucket deletion - Rule] action.escu = 0 
@@ -3009,7 +3009,7 @@ action.escu.eli5 = This search and its corresponding subsearch run through the f 1. Sets the minimum threshold for the number of data points and sets the number of standard deviations away from the mean it must be to be considered a spike.\ 1. Makes a determination regarding whether or not the current count is a spike by checking to see if the minimum data-point threshold has been met and the count is a sufficient number of standard deviations away from the average.\ 1. Filters out anything that it determines is not a spike and returns the list of ARNs to the main search. The main search subsequently gets the names of all the API calls, the number of unique API calls, and the total number of API calls for each of these ARNs. Finally, it looks up the average and standard deviation and returns both the average and the number of standard deviations the spike is from the average. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the "Baseline of Security Group Activity by ARN" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `securityGroupAPIs`. +action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the "Baseline of Security Group Activity by ARN" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`. action.escu.known_false_positives = Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment. action.escu.creation_date = 2018-04-17 action.escu.modification_date = 2018-04-18 
@@ -3051,7 +3051,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = sourcetype=aws:cloudtrail `securityGroupAPIs` [search sourcetype=aws:cloudtrail `securityGroupAPIs` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user +search = sourcetype=aws:cloudtrail `security_group_api_calls` [search sourcetype=aws:cloudtrail `security_group_api_calls` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), 
numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user

 [ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule]
 action.escu = 0
@@ -3161,7 +3161,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result="Removable Storage device" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name("All_Changes")`| `ctime(earliest)`| `ctime(latest)`
+search = | tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result="Removable Storage device" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name("All_Changes")`| `security_content_ctime(earliest)`| `security_content_ctime(latest)`

 [ESCU - Detect Unauthorized Assets by MAC address - Rule]
 action.escu = 0
@@ -3212,7 +3212,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST by All_Sessions.src_ip All_Sessions.src_mac | dedup All_Sessions.src_mac| `drop_dm_object_name("Network_Sessions")`|`drop_dm_object_name("All_Sessions")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as src_mac | fields + src_mac]
+search = | tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST by All_Sessions.src_ip All_Sessions.src_mac | dedup All_Sessions.src_mac| `drop_dm_object_name("Network_Sessions")`|`drop_dm_object_name("All_Sessions")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as src_mac | fields + src_mac]

 [ESCU - Detect Use of cmd.exe to Launch Script Interpreters - Rule]
 action.escu = 0
@@ -3263,7 +3263,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*cmd.exe" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `ctime(firstTime)`|`ctime(lastTime)`
+search = | tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*cmd.exe" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`

 [ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule]
 action.escu = 0
@@ -3314,7 +3314,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") AND (Web.url="*/web-console/ServerInfo.jsp*" OR Web.url="*web-console*" OR Web.url="*jmx-console*" OR Web.url = "*invoker*") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name("Web")` | `ctime(firstTime)` | `ctime(lastTime)`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") AND (Web.url="*/web-console/ServerInfo.jsp*" OR Web.url="*web-console*" OR Web.url="*jmx-console*" OR Web.url = "*invoker*") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`

 [ESCU - Detect hosts connecting to dynamic domain providers - Rule]
 action.escu = 0
@@ -3371,7 +3371,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name("DNS")` | `ctime(firstTime)` | `dynamic_dns_providers`
+search = | tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers`

 [ESCU - Detect malicious requests to exploit JBoss servers - Rule]
 action.escu = 0
@@ -3422,7 +3422,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url="*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*" AND Web.url_length > 200 | `drop_dm_object_name("Web")` | `ctime(firstTime)` | `ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url="*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*" AND Web.url_length > 200 | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime

 [ESCU - Detect mshta.exe running scripts in command-line arguments - Rule]
 action.escu = 0
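Review bot: The closing `table` of the JBoss exploit search projects `dest_ip`, but nothing upstream creates that field: the tstats by-clause carries `Web.dest`, which `drop_dm_object_name("Web")` turns into `dest`, so the `dest_ip` column is always empty and the attacked host never appears in the alert. Change the projection to `| table src, dest, http_method, url, firstTime, lastTime` (or add `Web.dest_ip` to the by-clause if that field is really the one wanted). This predates the macro rename in this hunk, but the rename rewrites the same line, so it is the natural place to fix it.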
@@ -3473,7 +3473,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mshta.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)`| search (process=*vbscript* OR process=*javascript*)
+search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mshta.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*vbscript* OR process=*javascript*)

 [ESCU - Detect new API calls from user roles - Rule]
 action.escu = 0
@@ -3523,7 +3523,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search sourcetype=aws:cloudtrail eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles| eval newApiCallfromUserRole=if(earliest>=relative_time(now(), "-70m@m"), 1, 0) | where newApiCallfromUserRole=1 | `ctime(earliest)` | `ctime(latest)` | table eventName userName] |rename userName as user| stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `ctime(earliest)` | `ctime(latest)`
+search = sourcetype=aws:cloudtrail eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search sourcetype=aws:cloudtrail eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles| eval newApiCallfromUserRole=if(earliest>=relative_time(now(), "-70m@m"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName] |rename userName as user| stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `security_content_ctime(earliest)` | `security_content_ctime(latest)`

 [ESCU - Detect new user AWS Console Login - Rule]
 action.escu = 0
@@ -3573,7 +3573,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail eventName=ConsoleLogin | rename userIdentity.arn as user |stats earliest(_time) as earliest latest(_time) as latest by user | inputlookup append=t previously_seen_users_console_logins.csv | stats min(earliest) as earliest max(latest) as latest by user | eval userStatus=if(earliest >= relative_time(now(), "-70m@m"), "First Time Logging into AWS Console","Previously Seen User") | convert ctime(earliest) ctime(latest) | where userStatus ="First Time Logging into AWS Console"
+search = sourcetype=aws:cloudtrail eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), "-70m@m"), "First Time Logging into AWS Console","Previously Seen User") | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| where userStatus ="First Time Logging into AWS Console"

 [ESCU - Detect processes used for System Network Configuration Discovery - Rule]
 action.escu = 0
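Review bot: Renaming the aggregated fields to `firstTime`/`lastTime` silently changes the column schema this search expects from `previously_seen_users_console_logins.csv`, yet the search only reads that file and never writes it back, unlike the S3, AMI and EC2-modification searches in this diff which `outputlookup` after the merge. If the csv is still maintained with `earliest`/`latest` columns by whatever support search produces it (not visible in this diff), `stats min(firstTime) ... by user` ignores every historical row, and for any run whose time range lies inside the 70-minute window every login is then reported as "First Time Logging into AWS Console". Either migrate the csv columns in the same change, or make the search self-maintaining by adding `| outputlookup previously_seen_users_console_logins.csv` after the second `stats`, mirroring the sibling detections.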
@@ -3624,7 +3624,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.process_name Processes.user _time | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process eventcount
+search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process eventcount

 [ESCU - Detect web traffic to dynamic domain providers - Rule]
 action.escu = 0
@@ -3677,7 +3677,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats summariesonly=true allow_old_summaries=true count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name("Web")` | `ctime(firstTime)` | `dynamic_dns_web_traffic`
+search = | tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic`

 [ESCU - Detection of DNS Tunnels - Rule]
 action.escu = 0
@@ -3728,7 +3728,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.query" | rename "DNS.src" as src "DNS.query" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `summariesonly` dc("DNS.answer") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.answer" | rename "DNS.src" as src "DNS.answer" as message | eval message=if(message=="unknown","", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 +search = | tstats `security_content_summariesonly` dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.query" | rename "DNS.src" as src "DNS.query" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc("DNS.answer") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR 
"DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.answer" | rename "DNS.src" as src "DNS.answer" as message | eval message=if(message=="unknown","", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000

 [ESCU - Detection of tools built by NirSoft - Rule]
 action.escu = 0
@@ -3779,7 +3779,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* /stext *" OR Processes.process="* /scomma *" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `ctime(firstTime)` |`ctime(lastTime)`
+search = | tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* /stext *" OR Processes.process="* /scomma *" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`

 [ESCU - Disabling Remote User Account Control - Rule]
 action.escu = 0
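Review bot: In the NirSoft search, `security_content_ctime(firstTime)` is applied to a field that is never created: the tstats aggregation reads `min(_time)` with no `as firstTime` alias, so the value lands in a field literally named `min(_time)` and the first-seen time never reaches the output. Change the aggregation to `count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime` so the macro has something to convert. This is pre-existing, but the macro rename in this hunk rewrites the line and carries the defect forward.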
@@ -3830,15 +3830,15 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy" by Registry.dest, Registry.registry_key_name Registry.status Registry.user Registry.registry_path Registry.action | `drop_dm_object_name(Registry)` +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy" by Registry.dest, Registry.registry_key_name Registry.status Registry.user Registry.registry_path Registry.action | `drop_dm_object_name(Registry)` [ESCU - EC2 Instance Modified With Previously Unseen User - Rule] action.escu = 0 action.escu.enabled = 1 description = This search looks for EC2 instances being modified by users who have not previously modified them. action.escu.mappings = {"cis20": ["CIS 1"], "nist": ["ID.AM"]} -action.escu.eli5 = The subsearch returns the ARNs of all successful EC2 instance modifications within the last hour and then appends the historical data in the lookup file to those results. EC2 modification APIs are defined by the macro `ec2ModificationAPIs`. The search then recalculates the `firstTime` and `lastTime` field for each ARN and returns only those ARNs that have first been seen in the past hour. This is combined with the main search to return the time, user, and instance ID of those systems. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. 
To add or remove APIs that modify an EC2 instance, edit the macro `ec2ModificationAPIs`. +action.escu.eli5 = The subsearch returns the ARNs of all successful EC2 instance modifications within the last hour and then appends the historical data in the lookup file to those results. EC2 modification APIs are defined by the macro `ec2_modification_api_calls`. The search then recalculates the `firstTime` and `lastTime` field for each ARN and returns only those ARNs that have first been seen in the past hour. This is combined with the main search to return the time, user, and instance ID of those systems. +action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`. action.escu.known_false_positives = It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior. action.escu.creation_date = 2018-04-09 action.escu.modification_date = 2018-04-09 
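Review bot: The Disabling Remote User Account Control search in this hunk matches every write to `...\Policies\System\LocalAccountTokenFilterPolicy`, so it fires just as readily when an administrator resets the value to 0 (restoring remote UAC token filtering) as when an attacker sets it to 1, and the result gives the analyst no way to tell the two apart. If the Endpoint.Registry data model in use populates the value field (verify the field name against the CIM version deployed), constrain the where clause with `Registry.registry_value_data=1`, or at minimum add that field to the by-clause so the written value is visible in the alert. Also note that `firstTime`/`lastTime` are computed here but, unlike every other search touched in this diff, never passed through `security_content_ctime`, so they surface as raw epoch seconds.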
@@ -3880,7 +3880,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail `ec2ModificationAPIs` [search sourcetype=aws:cloudtrail `ec2ModificationAPIs` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `ctime(firstTime)` | `ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest
+search = sourcetype=aws:cloudtrail `ec2_modification_api_calls` [search sourcetype=aws:cloudtrail `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest

 [ESCU - EC2 Instance Started In Previously Unseen Region - Rule]
 action.escu = 0
@@ -3930,7 +3930,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion| inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(), "-1d@d"), "Instance Started in a New Region","Previously Seen Region") | convert ctime(earliest) ctime(latest) | where regionStatus="Instance Started in a New Region"
+search = sourcetype=aws:cloudtrail earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion| inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(), "-1d@d"), "Instance Started in a New Region","Previously Seen Region") | convert security_content_ctime(earliest) security_content_ctime(latest) | where regionStatus="Instance Started in a New Region"

 [ESCU - EC2 Instance Started With Previously Unseen AMI - Rule]
 action.escu = 0
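Review bot: The new side of the Previously Unseen Region search is syntactically broken: `convert` only accepts its own conversion functions such as `ctime()`, and `security_content_ctime` is a search macro, so `convert security_content_ctime(earliest) security_content_ctime(latest)` is an unknown-function error and the whole detection stops running rather than merely losing its timestamp formatting. Every other hunk in this diff invokes the macro as its own pipeline stage; do the same here by replacing the `convert` stage with `security_content_ctime(earliest)` and `security_content_ctime(latest)`, each wrapped in backticks and joined by a pipe, exactly as the S3-access search above does. The trailing `where regionStatus=...` is unaffected since `regionStatus` is evaluated before the conversion.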
@@ -3980,7 +3980,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail eventName=RunInstances [search sourcetype=aws:cloudtrail eventName=RunInstances errorCode=success | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(earliest) as earliest max(latest) as latest by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(earliest >= relative_time(now(), "-70m@m"), 1, 0) | convert ctime(earliest) ctime(latest) | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | table _time, arn, amiID, dest, instanceType
+search = sourcetype=aws:cloudtrail eventName=RunInstances [search sourcetype=aws:cloudtrail eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | table firstTime, lastTime, arn, amiID, dest, instanceType
 [ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule]
 action.escu = 0
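Review bot: The final `| table firstTime, lastTime, arn, amiID, dest, instanceType` on the new search line references fields that only exist inside the subsearch; the subsearch ends with `table requestParameters.instancesSet.items{}.imageId`, so nothing named firstTime or lastTime reaches the outer events and those two columns will be empty where the old search showed `_time`. Either keep `_time` in the outer table or compute the times in the outer pipeline. Separately, renaming the lookup columns from earliest/latest to firstTime/lastTime changes the schema of `previously_seen_ec2_amis.csv`: rows already in a deployed lookup carry `earliest`/`latest`, are ignored by `stats min(firstTime) ... by amiID`, and are then overwritten by `outputlookup`, so after upgrade every known AMI is likely to be reported as new once. A one-off lookup rebuild or a migration note would avoid that false-positive burst.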
@@ -4030,7 +4030,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail eventName=RunInstances [search sourcetype=aws:cloudtrail eventName=RunInstances errorCode=success | fillnull value="m1.small" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), "-70m@m"), 1, 0) | convert ctime(earliest) ctime(latest) | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType
+search = sourcetype=aws:cloudtrail eventName=RunInstances [search sourcetype=aws:cloudtrail eventName=RunInstances errorCode=success | fillnull value="m1.small" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), "-70m@m"), 1, 0) | convert security_content_ctime(earliest) security_content_ctime(latest) | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType
 [ESCU - EC2 Instance Started With Previously Unseen User - Rule]
 action.escu = 0
@@ -4080,7 +4080,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail eventName=RunInstances [search sourcetype=aws:cloudtrail eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `ctime(firstTime)` | `ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType
+search = sourcetype=aws:cloudtrail eventName=RunInstances [search sourcetype=aws:cloudtrail eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType
 [ESCU - Email Attachments With Lots Of Spaces - Rule]
 action.escu = 0
@@ -4133,7 +4133,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Email")` | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address "(?.*)@"
+search = | tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address "(?.*)@"
 [ESCU - Email files written outside of the Outlook directory - Rule]
 action.escu = 0
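Review bot: `rex field=recipient_address "(?.*)@"` at the end of the new search line has a capture group with no name, `(?.*)`, which is not valid regex syntax, so the rex stage would fail and the detection returns nothing; the commit touches this line and carries the problem over. The group name may have been stripped when this page was rendered rather than being absent from the file, so please verify against the source — if it really is missing, a named group such as `(?<recipient_user>.*)@` (name is a guess) restores it. The 4489 hunk (File with Samsam Extension) has the same `(?\.[^\.]+)$` shape, and there the following `search file_extension=...` shows the intended name is `file_extension`.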
@@ -4184,7 +4184,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.dll OR Filesystem.file_name=*.ost) Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name("Filesystem")` | `ctime(firstTime)` | `ctime(lastTime)`
+search = | tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.dll OR Filesystem.file_name=*.ost) Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 [ESCU - Email servers sending high volume traffic to hosts - Rule]
 action.escu = 0
@@ -4235,7 +4235,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average
+search = | tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average
 [ESCU - Excessive DNS Failures - Rule]
 action.escu = 0
@@ -4286,7 +4286,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values("DNS.query") as queries from datamodel=Network_Resolution where nodename=DNS "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" NOT "DNS.query"="*.arpa" "DNS.query"="*.*" by "DNS.src","DNS.query"| `drop_dm_object_name("DNS")`| lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain| where isnull(domain)| lookup update=true alexa_lookup_by_str domain as query OUTPUT rank| where isnull(rank)| stats sum(count) as count mode(queries) as queries by src| `get_asset(src)`| where count>50
+search = | tstats `security_content_summariesonly` count values("DNS.query") as queries from datamodel=Network_Resolution where nodename=DNS "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" NOT "DNS.query"="*.arpa" "DNS.query"="*.*" by "DNS.src","DNS.query"| `drop_dm_object_name("DNS")`| lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain| where isnull(domain)| lookup update=true alexa_lookup_by_str domain as query OUTPUT rank| where isnull(rank)| stats sum(count) as count mode(queries) as queries by src| `get_asset(src)`| where count>50
 [ESCU - Execution of File With Spaces Before Extension - Rule]
 action.escu = 0
@@ -4337,7 +4337,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "* .*" by Processes.dest Processes.user Processes.process Processes.process_name | `ctime(firstTime)`| `ctime(lastTime)` | `drop_dm_object_name(Processes)`
+search = | tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "* .*" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)`
 [ESCU - Execution of File with Multiple Extensions - Rule]
 action.escu = 0
@@ -4388,7 +4388,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = *.doc.exe OR Processes.process = *.htm.exe OR Processes.process = *.html.exe OR Processes.process = *.txt.exe OR Processes.process = *.pdf.exe OR Processes.process = *.doc.exe by Processes.dest Processes.user Processes.process Processes.parent_process | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name(Processes)`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = *.doc.exe OR Processes.process = *.htm.exe OR Processes.process = *.html.exe OR Processes.process = *.txt.exe OR Processes.process = *.pdf.exe OR Processes.process = *.doc.exe by Processes.dest Processes.user Processes.process Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)`
 [ESCU - Extended Period Without Successful Netbackup Backups - Rule]
 action.escu = 0
@@ -4438,7 +4438,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype="netbackup_logs" MESSAGE="Disk/Partition backup completed successfully." | stats latest(_time) as latestTime by COMPUTERNAME | `ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), "-7d@d"), 1, 0) | search isOutlier=1 | table latestTime, dest
+search = sourcetype="netbackup_logs" MESSAGE="Disk/Partition backup completed successfully." | stats latest(_time) as latestTime by COMPUTERNAME | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), "-7d@d"), 1, 0) | search isOutlier=1 | table latestTime, dest
 [ESCU - File with Samsam Extension - Rule]
 action.escu = 0
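Review bot: `Processes.process = *.doc.exe` appears twice in the where clause of the new search line, as both the first and the last OR term, so the trailing term is redundant; it reads like a copy-paste where a different double extension was intended (something like `*.docx.exe`, which is a guess), and the change keeps it as is. Either drop the duplicate or replace it with the extension that was meant, so the detection covers what its name promises.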
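Review bot: In the 4438 hunk the new search runs `` `security_content_ctime(latestTime)` `` before `eval isOutlier=if(latestTime <= relative_time(now(), "-7d@d"), 1, 0)`, so if the macro rewrites latestTime to a formatted string the way the old `ctime` macro did, the `<=` test compares a string against an epoch number and the seven-day outlier check is unreliable. The 5306 hunk in this same commit gets the order right (eval first, then the macro), so this one should match it: `| stats latest(_time) as latestTime by COMPUTERNAME | eval isOutlier=if(latestTime <= relative_time(now(), "-7d@d"), 1, 0) | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | search isOutlier=1 | table latestTime, dest`. This ordering was already wrong before the change, but the line is being rewritten anyway.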
@@ -4489,7 +4489,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `ctime(lastTime)` | `ctime(firstTime)`| rex field=file_name "(?\.[^\.]+)$" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name "(?\.[^\.]+)$" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml
 [ESCU - First Time Seen Running Windows Service - Rule]
 action.escu = 0
@@ -4590,7 +4590,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `ctime(firstTime)` | `ctime(lastTime)` | search [| tstats `summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCmdLineArgument=1 | `ctime(firstTime)` | `ctime(lastTime)` | table process]
+search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process]
 [ESCU - Hiding Files And Directories With Attrib.exe - Rule]
 action.escu = 0
@@ -4641,7 +4641,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name("Processes")` | `ctime(firstTime)`|`ctime(lastTime)`
+search = | tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`
 [ESCU - Hosts receiving high volume of network traffic from email server - Rule]
 action.escu = 0
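Review bot: In the 4641 hunk, `min(_time)` in the tstats clause of the new search line has no `as firstTime`, so the field that `` `security_content_ctime(firstTime)` `` is then asked to format does not exist and the output carries a raw `min(_time)` column instead; the line is rewritten by this change but the omission is kept. Every other search in the commit aliases it, so this should read `count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime`.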
@@ -4692,7 +4692,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average
+search = | tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average
 [ESCU - Identify New User Accounts - Rule]
 action.escu = 0
@@ -4743,7 +4743,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | from datamodel Identity_Management.All_Identities | eval empStatus=case((now()-startDate)<604800, "Accounts created in last week") | search empStatus="Accounts created in last week"| `ctime(endDate)` | `ctime(startDate)`| table identity empStatus endDate startDate
+search = | from datamodel Identity_Management.All_Identities | eval empStatus=case((now()-startDate)<604800, "Accounts created in last week") | search empStatus="Accounts created in last week"| `security_content_ctime(endDate)` | `security_content_ctime(startDate)`| table identity empStatus endDate startDate
 [ESCU - Large Volume of DNS ANY Queries - Rule]
 action.escu = 0
@@ -4794,7 +4794,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" "DNS.record_type"="ANY" by "DNS.dest" | `drop_dm_object_name("DNS")` | where count>200
+search = | tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" "DNS.record_type"="ANY" by "DNS.dest" | `drop_dm_object_name("DNS")` | where count>200
 [ESCU - Malicious PowerShell Process - Connect To Internet With Hidden Window - Rule]
 action.escu = 0
@@ -4845,7 +4845,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)` | search process="*-Exec*" process="*-WindowStyle*" process="*hidden*" process="*New-Object*" process="*System.Net.WebClient*"
+search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process="*-Exec*" process="*-WindowStyle*" process="*hidden*" process="*New-Object*" process="*System.Net.WebClient*"
 [ESCU - Malicious PowerShell Process - Encoded Command - Rule]
 action.escu = 0
@@ -4896,7 +4896,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)` | search process=*-EncodedCommand* OR process=*-enc*
+search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*-EncodedCommand* OR process=*-enc*
 [ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule]
 action.escu = 0
@@ -4949,7 +4949,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe AND (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)` | `ctime(lastTime)`
+search = | tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe AND (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 [ESCU - Malicious PowerShell Process - Multiple Suspicious Command-Line Arguments - Rule]
 action.escu = 0
@@ -5000,7 +5000,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* AND process=*-NonI*
+search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* AND process=*-NonI*
 [ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule]
 action.escu = 0
@@ -5051,7 +5051,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process, "`"))-1) + (mvcount(split(process, "^"))-1) | search num_obfuscation > 0
+search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process, "`"))-1) + (mvcount(split(process, "^"))-1) | search num_obfuscation > 0
 [ESCU - Monitor DNS For Brand Abuse - Rule]
 action.escu = 0
@@ -5102,7 +5102,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name("DNS")` | `ctime(firstTime)`| `brand_abuse_dns`
+search = | tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)`| `brand_abuse_dns`
 [ESCU - Monitor Email For Brand Abuse - Rule]
 action.escu = 0
@@ -5153,7 +5153,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name("All_Email")` | `ctime(firstTime)` | `ctime(lastTime)` | eval temp=split(src_user, "@") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime
+search = | tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name("All_Email")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, "@") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime
 [ESCU - Monitor Registry Keys for Print Monitors - Rule]
 action.escu = 0
@@ -5204,7 +5204,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.action=modified AND Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*" by Registry.dest, Registry.registry_key_name Registry.status Registry.user Registry.registry_path Registry.action | `drop_dm_object_name(Registry)`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.action=modified AND Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*" by Registry.dest, Registry.registry_key_name Registry.status Registry.user Registry.registry_path Registry.action | `drop_dm_object_name(Registry)`
 
 [ESCU - Monitor Web Traffic For Brand Abuse - Rule]
 action.escu = 0
@@ -5255,7 +5255,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name("Web")` | `ctime(firstTime)` | `brand_abuse_web`
+search = | tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `brand_abuse_web`
 
 [ESCU - No Windows Updates in a time frame - Rule]
 action.escu = 0
@@ -5306,7 +5306,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats summariesonly=true allow_old_summaries=true latest(_time) as latestTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as "Update Status" | rename Updates.vendor_product as Product | eval isOutlier=if(latestTime <= relative_time(now(), "-60d@d"), 1, 0) | `ctime(latestTime)` | search isOutlier=1 | rename latestTime as "Last Update Time", | table Host, "Update Status", Product, "Last Update Time"
+search = | tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as "Update Status" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as "Last Update Time", | table Host, "Update Status", Product, "Last Update Time"
 
 [ESCU - Open Redirect in Splunk Web - Rule]
 action.escu = 0
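Review bot: The new search drops the explicit `allow_old_summaries=true` that the old `tstats` line carried, so unless the `security_content_summariesonly` macro expands to include it, hosts whose accelerated Updates summaries were built under an earlier data-model definition silently fall out of the result set — and for a rule whose purpose is to list hosts with no installed update in 60 days, a host that vanishes from the output reads as a patched host. The macro's definition is not in this diff; if it does not carry the option, restore it on the new line: `search = | tstats \`security_content_summariesonly\` allow_old_summaries=true max(_time) as lastTime from datamodel=Updates ...`. The `latest(_time)` to `max(_time)` swap is behaviour-neutral since both reduce over `_time`, and the stray trailing comma in `rename lastTime as "Last Update Time",` before `| table` is carried over from the old side and is better cleaned up in the search definition this file is rendered from. The stanza header for this search lies outside the hunk.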
@@ -5459,7 +5459,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\Windows\System32\sethc.exe* OR Filesystem.file_path=*\Windows\System32\utilman.exe* OR Filesystem.file_path=*\Windows\System32\osk.exe* OR Filesystem.file_path=*\Windows\System32\Magnify.exe* OR Filesystem.file_path=*\Windows\System32\Narrator.exe* OR Filesystem.file_path=*\Windows\System32\DisplaySwitch.exe* OR Filesystem.file_path=*\Windows\System32\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `ctime(lastTime)` | `ctime(firstTime)`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\Windows\System32\sethc.exe* OR Filesystem.file_path=*\Windows\System32\utilman.exe* OR Filesystem.file_path=*\Windows\System32\osk.exe* OR Filesystem.file_path=*\Windows\System32\Magnify.exe* OR Filesystem.file_path=*\Windows\System32\Narrator.exe* OR Filesystem.file_path=*\Windows\System32\DisplaySwitch.exe* OR Filesystem.file_path=*\Windows\System32\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
 
 [ESCU - Process Execution via WMI - Rule]
 action.escu = 0
@@ -5510,7 +5510,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name = *WmiPrvSE.exe by Processes.user Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `ctime(firstTime)`| `ctime(lastTime)`
+search = | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name = *WmiPrvSE.exe by Processes.user Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 
 [ESCU - Processes Tapping Keyboard Events - Rule]
 action.escu = 0
@@ -5613,8 +5613,8 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="C:\Windows\System32\
-etsh.exe" by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `ctime(firstTime)`|`ctime(lastTime)`
+search = | tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="C:\Windows\System32\
+etsh.exe" by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`
 
 [ESCU - Processes launching netsh - Rule]
 action.escu = 0
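Review bot: In the -5613 hunk the value `Processes.parent_process="C:\Windows\System32\` ends at a line break and the following line begins `etsh.exe"`, on the old side as well as the new, so the `\n` of `\netsh.exe` appears to have been emitted as a literal newline when this file was rendered. Splunk's conf reader treats a trailing backslash as a line continuation, so the string the search most likely sees is `C:\Windows\System32etsh.exe`, which no real parent process will ever equal — the macro rename keeps a detection that can never fire. The fix belongs in the search definition this file is generated from: either double the backslashes so the value survives as `Processes.parent_process="C:\\Windows\\System32\\netsh.exe"`, or drop the path and filter on `Processes.parent_process_name=netsh.exe`, which is how the WMI rule in the first hunk on this line already matches its parent. The stanza header for this search lies outside the hunk.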
@@ -5665,7 +5665,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=netsh.exe by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `ctime(firstTime)`|`ctime(lastTime)`
+search = | tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=netsh.exe by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`
 
 [ESCU - Prohibited Network Traffic Allowed - Rule]
 action.escu = 0
@@ -5716,7 +5716,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Traffic")`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")`
 
 [ESCU - Prohibited Software On Endpoint - Rule]
 action.escu = 0
@@ -5767,7 +5767,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `ctime(firstTime)`| `ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_softwares`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_softwares`
 
 [ESCU - Protocol or Port Mismatch - Rule]
 action.escu = 0
@@ -5818,7 +5818,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Traffic")`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")`
 
 [ESCU - Protocols passing authentication in cleartext - Rule]
 action.escu = 0
@@ -5869,7 +5869,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.protocol="tcp" AND (All_Traffic.dest_port="23" OR All_Traffic.dest_port="143" OR All_Traffic.dest_port="110" OR (All_Traffic.dest_port="21" AND All_Traffic.user != "anonymous")) groupby All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Traffic")`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.protocol="tcp" AND (All_Traffic.dest_port="23" OR All_Traffic.dest_port="143" OR All_Traffic.dest_port="110" OR (All_Traffic.dest_port="21" AND All_Traffic.user != "anonymous")) groupby All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")`
 
 [ESCU - Reg.exe Manipulating Windows Services Registry Keys - Rule]
 action.escu = 0
@@ -5920,7 +5920,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name = reg.exe by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` | `ctime(firstTime)` | `ctime(lastTime)` | join [| tstats `summariesonly` values(Registry.registry_path) as registry_path count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\services\\*" by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` | table process_id dest registry_path]
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name = reg.exe by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\services\\*" by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` | table process_id dest registry_path]
 
 [ESCU - Reg.exe used to hide files/directories via registry keys - Rule]
 action.escu = 0
@@ -5971,7 +5971,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process="*add*" Processes.process="*Hidden*" Processes.process="*REG_DWORD*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `ctime(firstTime)` |`ctime(lastTime)`| regex process = "(/d\s+2)"
+search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process="*add*" Processes.process="*Hidden*" Processes.process="*REG_DWORD*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = "(/d\s+2)"
 
 [ESCU - Registry Keys Used For Persistence - Rule]
 action.escu = 0
@@ -6022,7 +6022,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*currentversion\\run* OR Registry.registry_path=*currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*currentversion\\policies\\explorer\\run* OR Registry.registry_path=*currentversion\\runservices* OR Registry.registry_path=*\\CurrentControlSet\\Control\\Lsa\\* OR Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\*) by Registry.dest , Registry.status, Registry.user | `ctime(lastTime)` | `ctime(firstTime)` | `drop_dm_object_name(Registry)`
+search = | tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*currentversion\\run* OR Registry.registry_path=*currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*currentversion\\policies\\explorer\\run* OR Registry.registry_path=*currentversion\\runservices* OR Registry.registry_path=*\\CurrentControlSet\\Control\\Lsa\\* OR Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\*) by Registry.dest , Registry.status, Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`
 
 [ESCU - Registry Keys Used For Privilege Escalation - Rule]
 action.escu = 0
@@ -6073,7 +6073,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") by Registry.dest , Registry.status, Registry.user | `ctime(lastTime)` | `ctime(firstTime)` | `drop_dm_object_name(Registry)`
+search = | tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") by Registry.dest , Registry.status, Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`
 
 [ESCU - Registry Keys for Creating SHIM Databases - Rule]
 action.escu = 0
@@ -6124,7 +6124,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry AND (All_Changes.object_path="*CurrentVersion\\AppCompatFlags\\Custom*" OR All_Changes.object_path="*CurrentVersion\\AppCompatFlags\\InstalledSDB*") by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object, All_Changes.object_path | `drop_dm_object_name("All_Changes")`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry AND (All_Changes.object_path="*CurrentVersion\\AppCompatFlags\\Custom*" OR All_Changes.object_path="*CurrentVersion\\AppCompatFlags\\InstalledSDB*") by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object, All_Changes.object_path | `drop_dm_object_name("All_Changes")`
 
 [ESCU - Remote Desktop Network Bruteforce - Rule]
 action.escu = 0
@@ -6175,7 +6175,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev
 
 [ESCU - Remote Desktop Network Traffic - Rule]
 action.escu = 0
@@ -6226,7 +6226,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | `ctime(firstTime)`| `ctime(lastTime)`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 
 [ESCU - Remote Desktop Process Running On System - Rule]
 action.escu = 0
@@ -6277,7 +6277,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `ctime(firstTime)`| `ctime(lastTime)` | `drop_dm_object_name(Processes)`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)`
 
 [ESCU - Remote Process Instantiation via WMI - Rule]
 action.escu = 0
@@ -6328,7 +6328,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = wmic.exe Processes.process="*/node*" Processes.process="*process*" Processes.process="*call*" Processes.process="*create*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `ctime(firstTime)` |`ctime(lastTime)`
+search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = wmic.exe Processes.process="*/node*" Processes.process="*process*" Processes.process="*call*" Processes.process="*create*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`
 
 [ESCU - Remote Registry Key modifications - Rule]
 action.escu = 0
@@ -6379,7 +6379,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="\\\\*" by Registry.dest , Registry.status, Registry.user | `ctime(lastTime)` | `ctime(firstTime)` | `drop_dm_object_name(Registry)`
+search = | tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="\\\\*" by Registry.dest , Registry.status, Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`
 
 [ESCU - Remote WMI Command Attempt - Rule]
 action.escu = 0
@@ -6430,7 +6430,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe AND Processes.process= */node* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)`
+search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe AND Processes.process= */node* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 
 [ESCU - RunDLL Loading DLL By Ordinal - Rule]
 action.escu = 0
@@ -6481,7 +6481,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = rundll32.exe Processes.process="*AppData*" Processes.process="*,#2" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `ctime(firstTime)` | `ctime(lastTime)`
+search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = rundll32.exe Processes.process="*AppData*" Processes.process="*,#2" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 
 [ESCU - SMB Traffic Spike - Rule]
 action.escu = 0
@@ -6532,7 +6532,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name("All_Traffic")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-70m@m"), count, null))) as count avg(eval(if(_time upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count
+search = | tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name("All_Traffic")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-70m@m"), count, null))) as count avg(eval(if(_time upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count
 
 [ESCU - SMB Traffic Spike - MLTK - Rule]
 action.escu = 0
@@ -6586,7 +6586,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename "IsOutlier(count)" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count
+search = | tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename "IsOutlier(count)" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count
 
 [ESCU - SQL Injection with Long URLs - Rule]
 action.escu = 0
@@ -6637,7 +6637,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name("Web")` | eval num_sql_cmds=mvcount(split(url, "alter%20table")) + mvcount(split(url, "between")) + mvcount(split(url, "create%20table")) + mvcount(split(url, "create%20database")) + mvcount(split(url, "create%20index")) + mvcount(split(url, "create%20view")) + mvcount(split(url, "delete")) + mvcount(split(url, "drop%20database")) + mvcount(split(url, "drop%20index")) + mvcount(split(url, "drop%20table")) + mvcount(split(url, "exists")) + mvcount(split(url, "exec")) + mvcount(split(url, "group%20by")) + mvcount(split(url, "having")) + mvcount(split(url, "insert%20into")) + mvcount(split(url, "inner%20join")) + mvcount(split(url, "left%20join")) + mvcount(split(url, "right%20join")) + mvcount(split(url, "full%20join")) + mvcount(split(url, "select")) + mvcount(split(url, "distinct")) + mvcount(split(url, "select%20top")) + mvcount(split(url, "union")) + mvcount(split(url, "xp_cmdshell")) - 24 | where num_sql_cmds > 3
+search = | tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name("Web")` | eval num_sql_cmds=mvcount(split(url, "alter%20table")) + mvcount(split(url, "between")) + mvcount(split(url, "create%20table")) + mvcount(split(url, "create%20database")) + mvcount(split(url, "create%20index")) + mvcount(split(url, "create%20view")) + mvcount(split(url, "delete")) + mvcount(split(url, "drop%20database")) + mvcount(split(url, "drop%20index")) + mvcount(split(url, "drop%20table")) + mvcount(split(url, "exists")) + mvcount(split(url, "exec")) + mvcount(split(url, "group%20by")) + mvcount(split(url, "having")) + mvcount(split(url, "insert%20into")) + mvcount(split(url, "inner%20join")) + mvcount(split(url, "left%20join")) + mvcount(split(url, "right%20join")) + mvcount(split(url, "full%20join")) + mvcount(split(url, "select")) + mvcount(split(url, "distinct")) + mvcount(split(url, "select%20top")) + mvcount(split(url, "union")) + mvcount(split(url, "xp_cmdshell")) - 24 | where num_sql_cmds > 3
 
 [ESCU - Samsam Test File Write - Rule]
 action.escu = 0
@@ -6688,7 +6688,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\windows\\system32\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `ctime(lastTime)` | `ctime(firstTime)`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\windows\\system32\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
 
 [ESCU - Sc.exe Manipulating Windows Services - Rule]
 action.escu = 0
@@ -6739,7 +6739,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* config *") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `ctime(firstTime)` | `ctime(lastTime)` +search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* config *") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` [ESCU - Scheduled Task Name Used by Dragonfly Threat Actors - Rule] action.escu = 0 
@@ -6790,7 +6790,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)` | search (process=*delete* OR process=*create*) process=*reset* +search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search (process=*delete* OR process=*create*) process=*reset* [ESCU - Scheduled tasks used in BadRabbit ransomware - Rule] action.escu = 0 
@@ -6841,7 +6841,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= "*create*" OR Processes.process= "*delete*") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name("Processes")` | `ctime(firstTime)`|`ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= "*create*" OR Processes.process= "*delete*") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) [ESCU - Schtasks scheduling job on remote system - Rule] action.escu = 0 
@@ -6892,7 +6892,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = schtasks.exe Processes.process="*/create*" Processes.process="* /s *" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `ctime(firstTime)` | `ctime(lastTime)` +search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = schtasks.exe Processes.process="*/create*" Processes.process="* /s *" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` [ESCU - Schtasks used for forcing a reboot - Rule] action.escu = 0 
@@ -6943,7 +6943,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = schtasks.exe Processes.process="*shutdown*" Processes.process="*/r*" Processes.process="*/f*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `ctime(firstTime)` | `ctime(lastTime)` +search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = schtasks.exe Processes.process="*shutdown*" Processes.process="*/r*" Processes.process="*/f*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` [ESCU - Script Execution via WMI - Rule] action.escu = 0 @@ -6994,7 +6994,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name = "scrcons.exe" by Processes.user Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `ctime(firstTime)`| `ctime(lastTime)` +search = | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name = "scrcons.exe" by Processes.user Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` [ESCU - Shim Database File Creation - Rule] action.escu = 0 
@@ -7045,7 +7045,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\AppPatch\Custom* by Filesystem.file_name Filesystem.dest | `ctime(lastTime)` | `ctime(firstTime)` |`drop_dm_object_name(Filesystem)` +search = | tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\AppPatch\Custom* by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` [ESCU - Shim Database Installation With Suspicious Parameters - Rule] action.escu = 0 
@@ -7096,7 +7096,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe Processes.process="*-p*" Processes.process="*-q*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `ctime(firstTime)` | `ctime(lastTime)` +search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe Processes.process="*-p*" Processes.process="*-q*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` [ESCU - Short Lived Windows Accounts - Rule] action.escu = 0 
@@ -7147,7 +7147,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `ctime(lastTime)` | `ctime(firstTime)` | `drop_dm_object_name("All_Changes")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id +search = | tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name("All_Changes")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id [ESCU - Single Letter Process On Endpoint - Rule] action.escu = 0 
@@ -7198,7 +7198,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `ctime(lastTime)` | `ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == ".exe", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == ".exe", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name [ESCU - Spectre and Meltdown Vulnerable Systems - Rule] action.escu = 0 
@@ -7249,7 +7249,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve ="CVE-2017-5753" OR Vulnerabilities.cve ="CVE-2017-5715" OR Vulnerabilities.cve ="CVE-2017-5754" by Vulnerabilities.dest| `ctime(firstTime)` | `ctime(lastTime)` +search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve ="CVE-2017-5753" OR Vulnerabilities.cve ="CVE-2017-5715" OR Vulnerabilities.cve ="CVE-2017-5754" by Vulnerabilities.dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` [ESCU - Spike in File Writes - Rule] action.escu = 0 @@ -7300,7 +7300,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), count, null))) as "count" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 +search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), count, null))) as "count" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 [ESCU - Splunk Enterprise Information Disclosure - Rule] action.escu = 0 
@@ -7350,7 +7350,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path="*raw/services/server/info/server-info" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | convert ctime(firstTime) ctime(lastTime) +search = index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path="*raw/services/server/info/server-info" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` [ESCU - Suspicious Changes to File Associations - Rule] action.escu = 0 
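Review bot: The loopback exclusion in the new `search` line for "Splunk Enterprise Information Disclosure" covers only IPv4, `clientip!=127.0.0.1`, so requests to the `server-info` endpoint arriving from `::1` on an IPv6-bound web listener are still reported, while the exclusion itself encodes the assumption that any local source is benign. If the intent is to drop local traffic, the filter should at least be `search clientip!=127.0.0.1 clientip!="::1" uri_path="*raw/services/server/info/server-info"`; otherwise it is worth a comment in the detection's description stating that local requests are deliberately suppressed. This conf appears to be generator output, so the correction presumably belongs in the detection's source definition rather than in this file.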
@@ -7401,7 +7401,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` | `ctime(firstTime)` | `ctime(lastTime)` | join [| tstats `summariesonly` values(Registry.registry_path) as registry_path count FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\Explorer\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` | table process_id dest registry_path] +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\Explorer\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` | table process_id dest registry_path] [ESCU - Suspicious Email - UBA Anomaly - Rule] action.escu = 0 
@@ -7452,7 +7452,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = |tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = "SuspiciousEmailDetectionModel" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)`| `ctime(firstTime)`| `ctime(lastTime)` +search = |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = "SuspiciousEmailDetectionModel" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` [ESCU - Suspicious Email Attachment Extensions - Rule] action.escu = 0 
@@ -7505,7 +7505,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments` +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments` [ESCU - Suspicious File Write - Rule] action.escu = 0 @@ -7556,7 +7556,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `ctime(lastTime)` | `ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` +search = | tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` [ESCU - Suspicious Java Classes - Rule] action.escu = 0 
@@ -7606,7 +7606,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = sourcetype="stream:http" http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | convert ctime(firstTime) ctime(lastTime) +search = sourcetype="stream:http" http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` [ESCU - Suspicious LNK file launching a process - Rule] action.escu = 0 
@@ -7657,7 +7657,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.lnk" AND (Filesystem.file_path="C:\\Users*" OR Filesystem.file_path="*Local\\Temp*") by _time span=1h Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_id as lnk_pid | join lnk_pid, _time [| tstats `summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_id Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process | `drop_dm_object_name(Processes)` | rename parent_process_id as lnk_pid | fields _time lnk_pid process_id dest process_name process_path process] | `ctime(firstTime)` | `ctime(lastTime)` | table firstTime, lastTime, lnk_pid, process_id, user, dest, file_name, file_path, process_name, process, process_path, file_hash +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.lnk" AND (Filesystem.file_path="C:\\Users*" OR Filesystem.file_path="*Local\\Temp*") by _time span=1h Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_id as lnk_pid | join lnk_pid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_id Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process | `drop_dm_object_name(Processes)` | rename parent_process_id as lnk_pid | fields _time lnk_pid process_id dest process_name process_path process] | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_pid, process_id, user, dest, file_name, file_path, process_name, process, process_path, file_hash [ESCU - Suspicious Reg.exe Process - Rule] action.escu = 0 
@@ -7708,7 +7708,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `ctime(firstTime)` | `ctime(lastTime)` | search [| tstats `summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `ctime(firstTime)` | `ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] [ESCU - Suspicious wevtutil Usage - Rule] action.escu = 0 
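Review bot: In the subsearch of the new `search` line for "Suspicious Reg.exe Process", the two security_content_ctime calls are applied to `firstTime` and `lastTime`, fields the inner tstats never produces (it computes only `count`), so the rename carried forward two dead macro invocations. Removing them so the subsearch runs from drop_dm_object_name straight into `| rename parent_process_id as process_id | dedup process_id | table process_id dest` leaves its output identical and makes the intent clearer. The same dead-call pattern does not appear in the outer search, which does compute both fields.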
@@ -7761,7 +7761,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = wevtutil.exe Processes.process="*cl*" (Processes.process="*System*" OR Processes.process="*Security*" OR Processes.process="*Setup*" OR Processes.process="*Application*") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `ctime(firstTime)` |`ctime(lastTime)` +search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = wevtutil.exe Processes.process="*cl*" (Processes.process="*System*" OR Processes.process="*Security*" OR Processes.process="*Setup*" OR Processes.process="*Application*") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` [ESCU - Suspicious writes to System Volume Information - Rule] action.escu = 0 
@@ -7811,7 +7811,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR tag=process) EventCode=11 process_id!=4 file_path=*System\ Volume\ Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `ctime(firstTime)`| `ctime(lastTime)` +search = (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR tag=process) EventCode=11 process_id!=4 file_path=*System\ Volume\ Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` [ESCU - Suspicious writes to windows Recycle Bin - Rule] action.escu = 0 
@@ -7862,7 +7862,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.filepath = "*$Recycle.Bin*" by Filesystem.process_id Filesystem.dest | `drop_dm_object_name("Filesystem")`| search [| tstats `summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != "explorer.exe" by Processes.process_id Processes.dest| `drop_dm_object_name("Processes")` | table process_id dest] +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.filepath = "*$Recycle.Bin*" by Filesystem.process_id Filesystem.dest | `drop_dm_object_name("Filesystem")`| search [| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != "explorer.exe" by Processes.process_id Processes.dest| `drop_dm_object_name("Processes")` | table process_id dest] [ESCU - System Processes Run From Unexpected Locations - Rule] action.escu = 0 
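Review bot: The new `search` line for "Suspicious writes to windows Recycle Bin" filters on `Filesystem.filepath = "*$Recycle.Bin*"`, whereas every other Endpoint.Filesystem search in this diff uses `Filesystem.file_path`; a where clause on a field the data model does not carry yields no rows, so this detection is silently dead and the macro rename preserved the typo. The clause should read `where Filesystem.file_path = "*$Recycle.Bin*"`. This stanza is also the only one here that computes `firstTime`/`lastTime` without applying security_content_ctime, so they surface as raw epoch values. Since this conf appears to be generator output, the fix presumably belongs in the detection's source definition and then regenerated.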
@@ -7913,7 +7913,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !="C:\\Windows\\System32*" Processes.process_path !="C:\\Windows\\SysWOW64*" by Processes.user Processes.dest Processes.process_name Processes.process_path Processes.process_id | `drop_dm_object_name("Processes")` | `ctime(firstTime)`| `ctime(lastTime)`| `isWindowsSystemFile` +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !="C:\\Windows\\System32*" Processes.process_path !="C:\\Windows\\SysWOW64*" by Processes.user Processes.dest Processes.process_name Processes.process_path Processes.process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file` [ESCU - TOR Traffic - Rule] action.escu = 0 @@ -7964,7 +7964,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` [ESCU - USN Journal Deletion - Rule] action.escu = 0 
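Review bot: The new `search` line for "System Processes Run From Unexpected Locations" renames the trailing macro from `isWindowsSystemFile` to `is_windows_system_file`, and unlike the mechanical summariesonly/ctime substitutions this one only works if a macro of that exact name is defined in the package's macros.conf, which is not visible in this chunk. An undefined macro fails the saved search at dispatch rather than at install time, so please confirm the definition ships in the same change. It would also help future readers to state in the detection's description that the path exclusions `C:\\Windows\\System32*` and `C:\\Windows\\SysWOW64*` are literal prefixes and do not cover a system drive other than C:.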
@@ -8015,7 +8015,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)` | search process="*deletejournal*" AND process="*usn*" +search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process="*deletejournal*" AND process="*usn*" [ESCU - Uncommon Processes On Endpoint - Rule] action.escu = 0 @@ -8066,7 +8066,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `ctime(firstTime)`| `ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` [ESCU - Unsuccessful Netbackup backups - Rule] action.escu = 0 
@@ -8116,7 +8116,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = sourcetype="netbackup_logs" | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE="An error occurred, failed to backup." | `ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature +search = sourcetype="netbackup_logs" | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE="An error occurred, failed to backup." | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature [ESCU - Unusually Long Command Line - Rule] action.escu = 0 
@@ -8167,7 +8167,7 @@ quantity = 0 realtime_schedule = 0 schedule_window = auto is_visible = false -search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name("Processes")` | `ctime(firstTime)`| `ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process| eval threshold = 10 | where maxlen > ((threshold*stdevperhost) + avgperhost) +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process| eval threshold = 10 | where maxlen > ((threshold*stdevperhost) + avgperhost) [ESCU - Unusually Long Command Line - MLTK - Rule] action.escu = 0 
@@ -8218,7 +8218,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `ctime(firstTime)`| `ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename "IsOutlier(processlen)" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename "IsOutlier(processlen)" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count
 
 [ESCU - Unusually Long Content-Type Length - Rule]
 action.escu = 0
@@ -8318,7 +8318,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype="wineventlog:microsoft-windows-wmi-activity/operational" EventCode=5861 Binding | rex field=Message "Consumer =\s+(?[^;|^$]+)" | search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\"" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `ctime(firstTime)`| `ctime(lastTime)` | rename ComputerName as dest
+search = sourcetype="wineventlog:microsoft-windows-wmi-activity/operational" EventCode=5861 Binding | rex field=Message "Consumer =\s+(?[^;|^$]+)" | search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\"" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | rename ComputerName as dest
 
 [ESCU - WMI Permanent Event Subscription - Sysmon - Rule]
 action.escu = 0
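Review bot: As this page renders it, the rex on the new search line has a capture with no name, `(?[^;|^$]+)`, yet the very next stage filters on `consumer`; if that is what the file actually holds rather than an angle-bracket tag stripped by the renderer, rex will reject the pattern and the SCM exclusion never runs. The group should read `(?<consumer>[^;|^$]+)`. Worth checking the repository copy before changing anything, since `<name>` is exactly what an HTML pipeline tends to drop.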
@@ -8418,7 +8418,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = sourcetype="wineventlog:microsoft-windows-wmi-activity/operational" EventCode=5860 Temporary | rex field=Message "NotificationQuery =\s+(?[^;|^$]+)" | search query!="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'" AND query!="SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query | `ctime(firstTime)`| `ctime(lastTime)`
+search = sourcetype="wineventlog:microsoft-windows-wmi-activity/operational" EventCode=5860 Temporary | rex field=Message "NotificationQuery =\s+(?[^;|^$]+)" | search query!="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'" AND query!="SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 
 [ESCU - Web Fraud - Account Harvesting - Rule]
 action.escu = 0
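Review bot: Unlike the 5861 search directly above, this 5860 search never renames `ComputerName` to `dest`, so its output carries no CIM `dest` field for the notable or risk entity to bind to; append `| rename ComputerName as dest` after the two `security_content_ctime` macros. The rex here has the same apparently unnamed capture `(?[^;|^$]+)` followed by a filter on `query`, which needs `(?<query>…)` unless the missing name is a rendering artefact of this page.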
@@ -8619,7 +8619,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category="web_server" AND (Processes.process="*whoami*" OR Processes.process="*ping*" OR Processes.process="*iptables*" OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `ctime(firstTime)` | `ctime(lastTime)`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category="web_server" AND (Processes.process="*whoami*" OR Processes.process="*ping*" OR Processes.process="*iptables*" OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 
 [ESCU - Windows Event Log Cleared - Rule]
 action.escu = 0
@@ -8669,7 +8669,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = ((eventtype=wineventlog_security) AND (signature_id=1102 OR signature_id=1100)) OR ((eventtype=wineventlog_system) AND signature_id=104) | stats count min(_time) as firstTime max(_time) as lastTime by signature_id dest user| `ctime(firstTime)` | `ctime(lastTime)`
+search = ((eventtype=wineventlog_security) AND (signature_id=1102 OR signature_id=1100)) OR ((eventtype=wineventlog_system) AND signature_id=104) | stats count min(_time) as firstTime max(_time) as lastTime by signature_id dest user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 
 [ESCU - Windows hosts file modification - Rule]
 action.escu = 0
@@ -8720,7 +8720,7 @@ quantity = 0
 realtime_schedule = 0
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest | `ctime(lastTime)` | `ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\System32\\* | `drop_dm_object_name(Filesystem)`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\System32\\* | `drop_dm_object_name(Filesystem)`
 
 ### END ESCU DETECTIONS ###
 
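Review bot: The hosts-file constraint sits in a `search` after `tstats … by Filesystem.file_name Filesystem.file_path Filesystem.dest`, so the accelerated query materialises every file event on every endpoint and then throws away all but the hosts rows. Move `Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\System32\\*` into a `where` clause on the tstats command (before `by`) and drop the trailing `search`; the remaining pipeline is unchanged. This is pre-existing, but the line is already being rewritten for the macro rename.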
@@ -9034,7 +9034,7 @@ action.escu.entities = ["domain"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Certificates.All_Certificates where All_Certificates.SSL.ssl_subject_common_name=*{domain} by All_Certificates.dest All_Certificates.src All_Certificates.SSL.ssl_issuer_common_name All_Certificates.SSL.ssl_subject_common_name All_Certificates.SSL.ssl_hash | `drop_dm_object_name(All_Certificates)` | `drop_dm_object_name(SSL)` | rename ssl_subject_common_name as domain | `ctime(firstTime)` | `ctime(lastTime)`
+search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Certificates.All_Certificates where All_Certificates.SSL.ssl_subject_common_name=*{domain} by All_Certificates.dest All_Certificates.src All_Certificates.SSL.ssl_issuer_common_name All_Certificates.SSL.ssl_subject_common_name All_Certificates.SSL.ssl_hash | `drop_dm_object_name(All_Certificates)` | `drop_dm_object_name(SSL)` | rename ssl_subject_common_name as domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 
 [ESCU - Get DNS Server History for a host]
 action.escu = 0
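Review bot: This hunk migrates the two `ctime` calls but leaves the tstats macro as plain `summariesonly`, while the sibling investigative searches in this diff (DHCP, email, file activity, ports, registry) now call `security_content_summariesonly`. If the unprefixed macro is retired from macros.conf in the same release, this search fails at its first pipe; change the tstats call to `security_content_summariesonly` for consistency. The 'Get Parent Process Info' hunk further down has the same leftover.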
@@ -9192,7 +9192,7 @@ action.escu.entities = ["src_mac"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST All_Sessions.All_Sessions.src_mac= {src_mac} by All_Sessions.src_ip All_Sessions.user | `ctime(lastTime)` | `ctime(firstTime)`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST All_Sessions.All_Sessions.src_mac= {src_mac} by All_Sessions.src_ip All_Sessions.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
 
 [ESCU - Get History Of Email Sources]
 action.escu = 0
@@ -9215,7 +9215,7 @@ action.escu.entities = ["src"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = |tstats `summariesonly` values(All_Email.dest) as dest values(All_Email.recipient) as recepient min(_time) as firstTime max(_time) as lastTime count from datamodel=Email.All_Email by All_Email.src |`drop_dm_object_name(All_Email)` | `ctime(firstTime)` | `ctime(lastTime)`
+search = |tstats `security_content_summariesonly` values(All_Email.dest) as dest values(All_Email.recipient) as recepient min(_time) as firstTime max(_time) as lastTime count from datamodel=Email.All_Email by All_Email.src |`drop_dm_object_name(All_Email)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 
 [ESCU - Get Logon Rights Modifications For Endpoint]
 action.escu = 0
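Review bot: The DHCP search constrains on `All_Sessions.All_Sessions.src_mac= {src_mac}`, a doubled object prefix that survives the rewrite; the Network_Sessions field is `All_Sessions.src_mac`, so as written the where clause cannot match and the investigation comes back empty for every MAC. Change it to `All_Sessions.src_mac={src_mac}`. Separately, this hunk swaps an explicit `allow_old_summaries=true` for the `security_content_summariesonly` macro; if that macro expands only to `summariesonly=true`, hosts whose acceleration summaries are stale drop out of this search, which is worth confirming against the macro definition.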
@@ -9326,7 +9326,7 @@ action.escu.entities = ["src_user", "recipient"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | from datamodel Email.All_Email | search recipient=misswang8107@gmail.com OR src_user=redhat@gmail.com | stats count earliest(_time) as firstTime, latest(_time) as lastTime values(dest) values(src) by src_user recipient | `ctime(firstTime)` | `ctime(lastTime)`
+search = | from datamodel Email.All_Email | search recipient=misswang8107@gmail.com OR src_user=redhat@gmail.com | stats count earliest(_time) as firstTime, latest(_time) as lastTime values(dest) values(src) by src_user recipient | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 
 [ESCU - Get Parent Process Info]
 action.escu = 0
@@ -9349,7 +9349,7 @@ action.escu.entities = ["process_name", "dest"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name = {process_name} Processes.dest = {dest} by Processes.user Processes.parent_process_name Processes.process_name | `drop_dm_object_name("Processes")` | `ctime(firstTime)`| `ctime(lastTime)`
+search = | tstats `summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name = {process_name} Processes.dest = {dest} by Processes.user Processes.parent_process_name Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 
 [ESCU - Get Process File Activity]
 action.escu = 0
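Review bot: The stanza declares entities `src_user` and `recipient`, but the search hard-codes `recipient=misswang8107@gmail.com OR src_user=redhat@gmail.com`, so the entity values handed in from a notable are ignored and the investigation always looks for those two addresses. Substitute the tokens the way the neighbouring investigative searches do, e.g. `| search recipient={recipient} OR src_user={src_user}`. If the literal addresses are intentional test fixtures, that belongs in a test file rather than shipped content.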
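Review bot: In 'Get Parent Process Info' the tstats call still uses the unprefixed `summariesonly` macro while its `ctime` calls were migrated on the same line; replace it with `security_content_summariesonly` so the search does not depend on the old macro name that the rest of this diff is moving away from.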
@@ -9372,7 +9372,7 @@ action.escu.entities = ["process_id", "dest"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` values(Filesystem.file_name) as file_name values(Filesystem.dest) as dest, values(Filesystem.process_id) as process_id from datamodel=Endpoint.Filesystem where Filesystem.dest={dest} Filesystem.process_id={process_id} by Filesystem.file_path, Filesystem.action, _time | `drop_dm_object_name(Filesystem)` | sort _time | table _time, process_id, dest, action, file_name, file_path
+search = | tstats `security_content_summariesonly` values(Filesystem.file_name) as file_name values(Filesystem.dest) as dest, values(Filesystem.process_id) as process_id from datamodel=Endpoint.Filesystem where Filesystem.dest={dest} Filesystem.process_id={process_id} by Filesystem.file_path, Filesystem.action, _time | `drop_dm_object_name(Filesystem)` | sort _time | table _time, process_id, dest, action, file_name, file_path
 
 [ESCU - Get Process Info]
 action.escu = 0
@@ -9395,7 +9395,7 @@ action.escu.entities = ["process_name", "dest"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes where Proceses.dest={dest} Proceses.process_name={process_name} by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `ctime(firstTime)`|`ctime(lastTime)`
+search = | tstats `security_content_summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes where Proceses.dest={dest} Proceses.process_name={process_name} by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`
 
 [ESCU - Get Process Information For Port Activity]
 action.escu = 0
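Review bot: The 'Get Process Info' where clause reads `Proceses.dest={dest} Proceses.process_name={process_name}`, a misspelled object name, so neither constraint addresses the `Processes` object and the host/process scoping the entities are meant to provide is lost. On the same line `min(_time)` has no `as firstTime`, yet the pipeline ends with `security_content_ctime(firstTime)` against a field that does not exist; write `min(_time) as firstTime`. Both predate this commit, but the line is being rewritten anyway.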
@@ -9418,7 +9418,7 @@ action.escu.entities = ["dest_port", "dest"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest = {dest} by Processes.process_name Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `ctime(firstTime)`|`ctime(lastTime)` | search [| tstats `summariesonly` count from datamodel=Endpoint.Ports where Ports.dest_port={dest_port} by Ports.process_id Ports.src | `drop_dm_object_name(Ports)` | rename src as dest]
+search = | tstats `security_content_summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest = {dest} by Processes.process_name Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Ports where Ports.dest_port={dest_port} by Ports.process_id Ports.src | `drop_dm_object_name(Ports)` | rename src as dest]
 
 [ESCU - Get Process Registry Activity]
 action.escu = 0
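Review bot: The subsearch returns `process_id`, `dest` and its own `count`, so the filter it generates is of the form `(process_id=… dest=… count=…)`, and the outer rows, whose `count` comes from a different aggregation, will almost never satisfy it; end the subsearch with `| fields process_id dest` so only the join keys are emitted. As in 'Get Process Info', `min(_time)` is not aliased, so `security_content_ctime(firstTime)` operates on a missing field; write `min(_time) as firstTime`.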
@@ -9441,7 +9441,7 @@ action.escu.entities = ["process_id", "dest"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` values(Registry.registry_key_name) as registry_key_name, values(Registry.dest) as dest, values(Registry.process_id) as process_id from datamodel=Endpoint.Registry where Registry.process_id={process_id} AND Registry.dest={dest} by Registry.registry_path, Registry.action, _time | `drop_dm_object_name(Registry)` | sort _time | table _time, process_id, dest, action, registry_key_name, registry_path
+search = | tstats `security_content_summariesonly` values(Registry.registry_key_name) as registry_key_name, values(Registry.dest) as dest, values(Registry.process_id) as process_id from datamodel=Endpoint.Registry where Registry.process_id={process_id} AND Registry.dest={dest} by Registry.registry_path, Registry.action, _time | `drop_dm_object_name(Registry)` | sort _time | table _time, process_id, dest, action, registry_key_name, registry_path
 
 [ESCU - Get Process Responsible For The DNS Traffic]
 action.escu = 0
@@ -9464,7 +9464,7 @@ action.escu.entities = ["dest"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest = {dest} by Processes.parent_process Processes.process_name Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `ctime(firstTime)`|`ctime(lastTime)` | search [| tstats `summariesonly` count from datamodel=Endpoint.Ports where Ports.dest_port=53 by Ports.process_id Ports.src | `drop_dm_object_name(Ports)` | rename src as dest]
+search = | tstats `security_content_summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest = {dest} by Processes.parent_process Processes.process_name Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Ports where Ports.dest_port=53 by Ports.process_id Ports.src | `drop_dm_object_name(Ports)` | rename src as dest]
 
 [ESCU - Get Registry Activities]
 action.escu = 0
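Review bot: Same two defects as 'Get Process Information For Port Activity': the port-53 subsearch leaks its `count` into the generated filter next to `process_id` and `dest`, so outer rows rarely match, and `min(_time)` is not aliased to the `firstTime` that `security_content_ctime(firstTime)` expects. Append `| fields process_id dest` to the subsearch and write `min(_time) as firstTime`.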
@@ -9487,7 +9487,7 @@ action.escu.entities = ["dest"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` values(Registry.registry_path) as registry_path values(Registry.registry_key_name) as registry_key_name count FROM datamodel=Endpoint.Registry where Registry.dest = "{dest}" by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` | join [| tstats `summariesonly` count values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name = reg.exe by Processes.process_id | `drop_dm_object_name("Processes")`]
+search = | tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path values(Registry.registry_key_name) as registry_key_name count FROM datamodel=Endpoint.Registry where Registry.dest = "{dest}" by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` | join [| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name = reg.exe by Processes.process_id | `drop_dm_object_name("Processes")`]
 
 [ESCU - Get Risk Modifiers For Endpoint]
 action.escu = 0
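Review bot: The `join` names no fields and its subsearch is not scoped to the host, so reg.exe process IDs from every endpoint are matched to registry events from `{dest}` on `process_id` alone; PIDs are reused across hosts, so a registry write can be paired with an unrelated process from another machine. Add `Processes.dest="{dest}"` to the subsearch where clause, include `Processes.dest` in its by-list, and join on `process_id dest`. Note the subsearch also collapses `user`, `process_name` and `parent_process_name` with `values()`, which is fine for reg.exe but hides multiple launches under one PID.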
@@ -9510,7 +9510,7 @@ action.escu.entities = ["dest"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | from datamodel:Risk.All_Risk | search risk_object_type=system risk_object={dest} | stats count sum(risk_score) as risk_score values(search_name) min(_time) as firstTime max(_time) as lastTime by risk_object | `ctime(firstTime)` | `ctime(lastTime)`
+search = | from datamodel:Risk.All_Risk | search risk_object_type=system risk_object={dest} | stats count sum(risk_score) as risk_score values(search_name) min(_time) as firstTime max(_time) as lastTime by risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 
 [ESCU - Get Risk Modifiers For User]
 action.escu = 0
@@ -9533,7 +9533,7 @@ action.escu.entities = ["user"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | from datamodel:Risk.All_Risk | search risk_object_type=user risk_object={user} | stats count sum(risk_score) as risk_score values(search_name) min(_time) as firstTime max(_time) as lastTime by risk_object |`ctime(firstTime)` |`ctime(lastTime)`
+search = | from datamodel:Risk.All_Risk | search risk_object_type=user risk_object={user} | stats count sum(risk_score) as risk_score values(search_name) min(_time) as firstTime max(_time) as lastTime by risk_object |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`
 
 [ESCU - Get Sysmon WMI Activity for Host]
 action.escu = 0
@@ -9758,7 +9758,7 @@ action.escu.entities = ["dest"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature_id=4624 Authentication.app=win:remote by Authentication.src Authentication.dest Authentication.app Authentication.user Authentication.signature Authentication.src_nt_domain | `ctime(lastTime)` | `ctime(firstTime)` | `drop_dm_object_name("Authentication")`| table firstTime lastTime src src_nt_domain dest user app count | sort count
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature_id=4624 Authentication.app=win:remote by Authentication.src Authentication.dest Authentication.app Authentication.user Authentication.signature Authentication.src_nt_domain | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name("Authentication")`| table firstTime lastTime src src_nt_domain dest user app count | sort count
 
 [ESCU - Investigate Suspicious Strings in HTTP Header]
 action.escu = 0
@@ -9895,7 +9895,7 @@ action.escu.entities = ["src"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` values(Web.url) as url from datamodel=Web by Web.src,Web.http_user_agent,Web.http_method | `drop_dm_object_name("Web")`| where like(src, "{src}") and like(http_method, "POST")
+search = | tstats `security_content_summariesonly` values(Web.url) as url from datamodel=Web by Web.src,Web.http_user_agent,Web.http_method | `drop_dm_object_name("Web")`| where like(src, "{src}") and like(http_method, "POST")
 
 ### END ESCU INVESTIGATIONS ###
 
@@ -9963,7 +9963,7 @@ action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as start_time max(_time) as end_time FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | search user!=unknown | `ctime(start_time)`| `ctime(end_time)`| eval processlen=len(process) | fit DensityFunction processlen by user into cmdline_pdfmodel
+search = | tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | search user!=unknown | `security_content_ctime(start_time)`| `security_content_ctime(end_time)`| eval processlen=len(process) | fit DensityFunction processlen by user into cmdline_pdfmodel
 
 [ESCU - Baseline of DNS Query Length - MLTK]
 action.escu = 0
@@ -9984,7 +9984,7 @@ action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name("DNS")` | eval query_length = len(query) | fit DensityFunction query_length by record_type into dns_query_pdfmodel
+search = | tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name("DNS")` | eval query_length = len(query) | fit DensityFunction query_length by record_type into dns_query_pdfmodel
 
 [ESCU - Baseline of Excessive AWS Instances Launched by User - MLTK]
 action.escu = 0
@@ -10043,12 +10043,12 @@ dispatch.earliest_time = -30d@d
 dispatch.latest_time = -10m@m
 action.escu.providing_technologies = ["AWS"]
 action.escu.eli5 = Use this search to create a baseline for API calls related to network ACLs for the users who initiated this activity. It returns all logged API calls for network activity, pulls out the ARN that initiated each call, and collects the `eventNames` in one-hour groupings. Next, it calculates the number of API calls made per ARN per-hour. For each ARN, it calculates the average and standard deviation of this count on a per-hour basis. It also includes the number of data points for each ARN. This table is stored in a lookup file.
-action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for network ACLs, edit the macro `NetworkACLEvents`.
+action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for network ACLs, edit the macro `network_acl_events`.
 action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail `NetworkACLEvents` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | stats count
+search = sourcetype=aws:cloudtrail `network_acl_events` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | stats count
 
 [ESCU - Baseline of S3 Bucket deletion activity by ARN]
 action.escu = 0
@@ -10089,7 +10089,7 @@ action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name("All_Traffic")` | fit DensityFunction count by "HourOfDay,DayOfWeek" into smb_pdfmodel
+search = | tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name("All_Traffic")` | fit DensityFunction count by "HourOfDay,DayOfWeek" into smb_pdfmodel
 
 [ESCU - Baseline of Security Group Activity by ARN]
 action.escu = 0
@@ -10104,12 +10104,12 @@ dispatch.earliest_time = -90d@d
 dispatch.latest_time = -10m@m
 action.escu.providing_technologies = ["AWS"]
 action.escu.eli5 = Use this search to create a baseline for API calls related to security groups by the users who initiated this activity. It returns all logged API calls for all security-group-related activity, pulls out the ARN that initiated each call, and collects the `eventNames` in one-hour groupings. Next, it calculates the number of API calls made per ARN per hour. For each ARN, it calculates the average and standard deviation of this count on a per-hour basis. It also includes the number of data points for each ARN. This table is stored in a lookup file.
-action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for security groups, edit the macro `securityGroupAPIs`.
+action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.
 action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail `securityGroupAPIs` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | stats count
+search = sourcetype=aws:cloudtrail `security_group_api_calls` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | stats count
 
 [ESCU - Baseline of blocked outbound traffic from AWS]
 action.escu = 0
@@ -10150,7 +10150,7 @@ action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count dc(All_Traffic.src) as numberOfUniqueHosts from datamodel=Network_Traffic by All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | sort - count
+search = | tstats `security_content_summariesonly` count dc(All_Traffic.src) as numberOfUniqueHosts from datamodel=Network_Traffic by All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | sort - count
 
 [ESCU - Count of assets by category]
 action.escu = 0
@@ -10234,7 +10234,7 @@ action.escu.entities = ["query", "answer"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | inputlookup cim_corporate_email_domains.csv | inputlookup append=T cim_corporate_web_domains.csv | inputlookup append=T cim_cloud_domains.csv | eval domain = trim(replace(domain, "\*", "")) | join domain [|tstats summariesonly=true count values(DNS.record_type) as type, values(DNS.answer) as answer from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!="unknown" DNS.answer!="" by DNS.query | rename DNS.query as query | where query!="unknown" | rex field=query "(?\w+\.\w+?)(?:$|/)"] | makemv delim=" " answer | makemv delim=" " type | sort -count | table count,domain,type,query,answer | outputlookup createinapp=true discovered_dns_records.csv
+search = | inputlookup cim_corporate_email_domains.csv | inputlookup append=T cim_corporate_web_domains.csv | inputlookup append=T cim_cloud_domains.csv | eval domain = trim(replace(domain, "\*", "")) | join domain [|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as answer from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!="unknown" DNS.answer!="" by DNS.query | rename DNS.query as query | where query!="unknown" | rex field=query "(?\w+\.\w+?)(?:$|/)"] | makemv delim=" " answer | makemv delim=" " type | sort -count | table count,domain,type,query,answer | outputlookup createinapp=true discovered_dns_records.csv
 
 [ESCU - Identify Systems Creating Remote Desktop Traffic]
 action.escu = 0
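Review bot: The subsearch's `rex field=query "(?\w+\.\w+?)(?:$|/)"` has no capture name as rendered, but the outer `join domain` needs the subsearch to emit a `domain` field, which only a named group such as `(?<domain>\w+\.\w+?)` would produce; if the file really lacks the name, the join has no key on the subsearch side and the lookup is written empty. Confirm against the repository copy before treating this as a defect, since angle-bracket group names are what a page renderer typically strips; the two WMI detections earlier in this diff show the same form. Independently, the regex only ever captures a two-label suffix, so multi-label corporate domains in the CIM lookups will not join.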
@@ -10255,7 +10255,7 @@ action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389 by All_Traffic.src | `drop_dm_object_name("All_Traffic")` | sort - count
+search = | tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389 by All_Traffic.src | `drop_dm_object_name("All_Traffic")` | sort - count
 
 [ESCU - Identify Systems Receiving Remote Desktop Traffic]
 action.escu = 0
@@ -10276,7 +10276,7 @@ action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389 by All_Traffic.dest | `drop_dm_object_name("All_Traffic")` | sort - count
+search = | tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389 by All_Traffic.dest | `drop_dm_object_name("All_Traffic")` | sort - count
 
 [ESCU - Identify Systems Using Remote Desktop]
 action.escu = 0
@@ -10297,7 +10297,7 @@ action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name="*mstsc.exe*" by Processes.dest Processes.process_name | `drop_dm_object_name(Processes)` | sort - count
+search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name="*mstsc.exe*" by Processes.dest Processes.process_name | `drop_dm_object_name(Processes)` | sort - count
 
 [ESCU - Monitor Successful Backups]
 action.escu = 0
@@ -10501,7 +10501,7 @@ action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail eventName=RunInstances errorCode=success | rename requestParameters.instancesSet.items{}.imageId as amiID | stats earliest(_time) as earliest latest(_time) as latest by amiID | outputlookup previously_seen_ec2_amis.csv | stats count
+search = sourcetype=aws:cloudtrail eventName=RunInstances errorCode=success | rename requestParameters.instancesSet.items{}.imageId as amiID | stats earliest(_time) as firstTime latest(_time) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | stats count
 
 [ESCU - Previously Seen EC2 Instance Types]
 action.escu = 0
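Review bot: The renamed stats aliases `firstTime`/`lastTime` change the column names written to `previously_seen_ec2_amis.csv`, but nothing in this diff updates whichever detection reads that lookup; the same applies to `previously_seen_users_console_logins.csv` in the @@ -10664 hunk on the next line. Because `outputlookup` here overwrites the file, an upgraded install keeps the old `earliest`/`latest` columns until this support search is re-run, so a consumer joining on the new names would silently see empty values in the meantime. Worth confirming that the consuming searches were changed in the same commit and adding to `action.escu.how_to_implement` a sentence such as `Re-run this support search after upgrading so the lookup carries the firstTime/lastTime columns.` The saved-search stanza starts outside the hunk.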
@@ -10555,13 +10555,13 @@ action.escu.analytic_story = ["Unusual AWS EC2 Modifications"]
 dispatch.earliest_time = -90d@d
 dispatch.latest_time = -10m@m
 action.escu.providing_technologies = ["AWS"]
-action.escu.eli5 = In this support search, we create a table of the earliest and latest times that an ARN has modified a EC2 instance. The list of APIs that modify an EC2 are defined in the `ec2ModificationAPIs` macro for ease of use. This table is then outputted to a file.
-action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2ModificationAPIs`.
+action.escu.eli5 = In this support search, we create a table of the earliest and latest times that an ARN has modified a EC2 instance. The list of APIs that modify an EC2 are defined in the `ec2_modification_api_calls` macro for ease of use. This table is then outputted to a file.
+action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.
 action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail `ec2ModificationAPIs` errorCode=success | spath output=arn userIdentity.arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | stats count
+search = sourcetype=aws:cloudtrail `ec2_modification_api_calls` errorCode=success | spath output=arn userIdentity.arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | stats count
 
 [ESCU - Previously Seen Running Windows Services]
 action.escu = 0
@@ -10642,7 +10642,7 @@ action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process="* /c *" by Processes.process | `drop_dm_object_name(Processes)`
+search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process="* /c *" by Processes.process | `drop_dm_object_name(Processes)`
 
 [ESCU - Previously seen users in CloudTrail]
 action.escu = 0
@@ -10664,7 +10664,7 @@ action.escu.entities = ["user", "src"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE "",src,City),Region=if(Region LIKE "",src,Region) | stats earliest(_time) as earliest latest(_time) as latest by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count
+search = sourcetype=aws:cloudtrail eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE "",src,City),Region=if(Region LIKE "",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count
 
 [ESCU - Systems Ready for Spectre-Meltdown Windows Patch]
 action.escu = 0
@@ -10685,7 +10685,7 @@ action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry AND (All_Changes.object_path="HKLM\Software\Microsoft\Windows\CurrentVersion\QualityCompat*") by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object, All_Changes.object_path | `ctime(lastTime)` | `ctime(firstTime)` | `drop_dm_object_name("All_Changes")`
+search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry AND (All_Changes.object_path="HKLM\Software\Microsoft\Windows\CurrentVersion\QualityCompat*") by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object, All_Changes.object_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name("All_Changes")`
 
 [ESCU - Update previously seen users in CloudTrail]
 action.escu = 0
@@ -10707,7 +10707,7 @@ action.escu.entities = ["user", "src"]
 disabled = true
 schedule_window = auto
 is_visible = false
-search = sourcetype=aws:cloudtrail eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE "",src,City),Region=if(Region LIKE "",src,Region) | stats earliest(_time) AS earliest latest(_time) AS latest by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(earliest) as earliest max(latest) as latest by user src City Region Country | outputlookup previously_seen_users_console_logins.csv
+search = sourcetype=aws:cloudtrail eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE "",src,City),Region=if(Region LIKE "",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS firstTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(firstTime) as firstTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv
 
 [ESCU - Windows Updates Install Failures]
 action.escu = 0
@@ -10728,7 +10728,7 @@ action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` dc(Updates.dest) as count FROM datamodel=Updates where Updates.vendor_product="Microsoft Windows" AND Updates.status=failure by _time span=1d
+search = | tstats `security_content_summariesonly` dc(Updates.dest) as count FROM datamodel=Updates where Updates.vendor_product="Microsoft Windows" AND Updates.status=failure by _time span=1d
 
 [ESCU - Windows Updates Install Successes]
 action.escu = 0
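Review bot: In the @@ -10707 hunk both aggregates are aliased `firstTime` — `latest(_time) AS firstTime` and later `max(firstTime) as firstTime` — so the `lastTime` column is never produced and the lookup written back carries a single time column instead of the two that the baseline search creates. The intended fragments are `stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country` and `stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country`. Separately, rows appended via `inputlookup append=t` from a lookup still carrying the old `earliest`/`latest` columns contribute null to `min`/`max`, so accumulated history is lost on the first run after upgrade unless the baseline search is re-run first; that is worth a line in `action.escu.how_to_implement`. The stanza starts outside the hunk.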
@@ -10749,7 +10749,7 @@ action.escu.known_false_positives = 
 disabled = true
 schedule_window = auto
 is_visible = false
-search = | tstats `summariesonly` dc(Updates.dest) as count FROM datamodel=Updates where Updates.vendor_product="Microsoft Windows" AND Updates.status=installed by _time span=1d
+search = | tstats `security_content_summariesonly` dc(Updates.dest) as count FROM datamodel=Updates where Updates.vendor_product="Microsoft Windows" AND Updates.status=installed by _time span=1d
 
 ### USAGE DASHBOARD CONFIGURATIONS ###
 
diff --git a/package/default/transforms.conf b/package/default/transforms.conf
index 2d36807860..27e55cfea8 100644
--- a/package/default/transforms.conf
+++ b/package/default/transforms.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security-content
-# On Date: 2019-12-11T15:59:36 UTC
+# On Date: 2019-12-16T21:48:18 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
@@ -49,12 +49,12 @@ match_type = WILDCARD(dynamic_dns_domains)
 filename = escu_search_id.csv
 # description = A placeholder lookup file to hold information for ESCU Usage dashboard
 
-[isSuspiciousFileExtension_lookup]
+[is_suspicious_file_extension_lookup]
 filename = suspicious_email_attachments.csv
 # description = A list of suspicious extensions for email attachments
 match_type = WILDCARD(file_name)
 
-[isWindowsSystemFile_lookup]
+[is_windows_system_file_lookup]
 filename = system32_executables.csv
 default_match = false
 # description = A list of executable files in Windows\System32
diff --git a/package/default/use_case_library.conf b/package/default/use_case_library.conf
index 032ce4e104..d68f79054a 100644
--- a/package/default/use_case_library.conf
+++ b/package/default/use_case_library.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security-content
-# On Date: 2019-12-11T15:59:37 UTC
+# On Date: 2019-12-16T21:48:18 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
@@ -552,7 +552,7 @@ This Analytic Story contains a search designed to identify attempts by attackers
 category = Malware
 last_updated = 2018-12-13
 version = 1.0
-references = ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf?cmp=26061"]
+references = ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"]
 maintainers = [{"company": "Splunk", "email": "rvaldez@splunk.com", "name": "Rico Valdez"}]
 spec_version = 2
 searches = ["ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Backup Logs For Endpoint", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Parent Process Info", "ESCU - Get Process Info", "ESCU - Get Process Information For Port Activity", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get Update Logs For Endpoint", "ESCU - Get User Information from Identity Table", "ESCU - Get Vulnerability Logs For Endpoint", "ESCU - Investigate Successful Remote Desktop Authentications", "ESCU - Investigate Web Activity From Host", "ESCU - Add Prohibited Processes to Enterprise Security", "ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"]
@@ -1499,7 +1499,7 @@ explanation = This search and its corresponding subsearch run through the follow
 1. Set the minimum threshold for the number of data points and set the number of standard deviations away from the mean it must be to be considered a spike.\
 1. Make a determination regarding whether or not the current count is a spike by checking to see if the minimum data-point threshold has been met and the count is a sufficient number of standard deviations away from the average.\
 1. Filter out anything that it determines is not a spike and return the list of ARNs to the main search. The main search subsequently gets the names of all the API calls, the number of unique API calls, and the total number of API calls for each of these ARNs. Finally, it looks up the average and standard deviation and returns both the average and the number of standard deviations the spike is from the average.
-how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Network ACL Activity by ARN" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `NetworkACLEvents`.
+how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Network ACL Activity by ARN" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.
 annotations = {"cis20": ["CIS 12", "CIS 11"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["Persistence", "Exfiltration"], "nist": ["DE.DP", "DE.CM", "PR.AC"]}
 known_false_positives = The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Please modify this according the your environment.
 providing_technologies = ["AWS"]
@@ -1541,7 +1541,7 @@ explanation = This search and its corresponding subsearch run through the follow
 1. Sets the minimum threshold for the number of data points and sets the number of standard deviations away from the mean it must be to be considered a spike.\
 1. Makes a determination regarding whether or not the current count is a spike by checking to see if the minimum data-point threshold has been met and the count is a sufficient number of standard deviations away from the average.\
 1. Filters out anything that it determines is not a spike and returns the list of ARNs to the main search. The main search subsequently gets the names of all the API calls, the number of unique API calls, and the total number of API calls for each of these ARNs. Finally, it looks up the average and standard deviation and returns both the average and the number of standard deviations the spike is from the average.
-how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the "Baseline of Security Group Activity by ARN" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `securityGroupAPIs`.
+how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the "Baseline of Security Group Activity by ARN" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.
 annotations = {"cis20": ["CIS 16"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["Credential Access", "Execution"], "nist": ["DE.DP", "DE.CM", "PR.AC"]}
 known_false_positives = Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.
 providing_technologies = ["AWS"]
@@ -1717,8 +1717,8 @@ providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Sysmon
 type = detection
 asset_type = AWS Instance
 confidence = medium
-explanation = The subsearch returns the ARNs of all successful EC2 instance modifications within the last hour and then appends the historical data in the lookup file to those results. EC2 modification APIs are defined by the macro `ec2ModificationAPIs`. The search then recalculates the `firstTime` and `lastTime` field for each ARN and returns only those ARNs that have first been seen in the past hour. This is combined with the main search to return the time, user, and instance ID of those systems.
-how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2ModificationAPIs`.
+explanation = The subsearch returns the ARNs of all successful EC2 instance modifications within the last hour and then appends the historical data in the lookup file to those results. EC2 modification APIs are defined by the macro `ec2_modification_api_calls`. The search then recalculates the `firstTime` and `lastTime` field for each ARN and returns only those ARNs that have first been seen in the past hour. This is combined with the main search to return the time, user, and instance ID of those systems.
+how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.
 annotations = {"cis20": ["CIS 1"], "nist": ["ID.AM"]}
 known_false_positives = It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.
 providing_technologies = ["AWS"]
@@ -2690,8 +2690,8 @@ type = investigation
 explanation = none
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.
 known_false_positives = None at this time
-earliest_time_offset = -70m@m
-latest_time_offset = -10m@m
+earliest_time_offset = 72000
+latest_time_offset = 36000
 
 [savedsearch://ESCU - AWS Investigate User Activities By AccessKeyId]
 type = investigation
@@ -2748,8 +2748,8 @@ how_to_implement = If Splunk>Phantom is also configured in your environment, a P
 (Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`).\
 
 known_false_positives = None at this time
-earliest_time_offset = -70m@m
-latest_time_offset = -10m@m
+earliest_time_offset = 7200
+latest_time_offset = 0
 
 [savedsearch://ESCU - Domain Certificate Investigation]
 type = investigation
@@ -2820,8 +2820,8 @@ type = investigation
 explanation = none
 how_to_implement = You must be ingesting your certificates or SSL logs from your network traffic into your Certificates datamodel. Please note the wildcard(*) before domain in the search syntax, we use to match for all domain and subdomain combinations
 known_false_positives = None at this time
-earliest_time_offset = -70m@m
-latest_time_offset = -10m@m
+earliest_time_offset = 36000
+latest_time_offset = 0
 
 [savedsearch://ESCU - Get DNS Server History for a host]
 type = investigation
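Review bot: The new integer `earliest_time_offset`/`latest_time_offset` values in the @@ -2690 hunk, and likewise in @@ -2748, @@ -2820 and the two hunks on the next line (@@ -2932, @@ -3092), state neither a unit nor a direction, and nothing in the file lets a reader infer one: the replaced `-70m@m`/`-10m@m` form was self-describing, whereas `72000`/`36000` here, `7200`/`0`, `36000`/`0` and `86400`/`14400` elsewhere only make sense to someone who already knows these are seconds relative to the notable's time. The @@ -2932 hunk swapping `0`/`86400` to `86400`/`0` suggests `earliest_time_offset` is the look-back and the earlier pair was inverted, but that is inference rather than anything the diff documents. Since the file is generated, the explanation belongs where the generator emits these keys, for instance a comment above each investigation stanza such as `# earliest_time_offset / latest_time_offset: seconds before / after the event time searched by this investigation` (wording to be confirmed against the consuming code), and the differing window sizes across investigations deserve either a common default or a one-line reason each. The `[savedsearch://…]` stanza that @@ -2690 modifies starts outside the hunk.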
@@ -2932,8 +2932,8 @@ type = investigation
 explanation = none
 how_to_implement = You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.
 known_false_positives = None at this time
-earliest_time_offset = 0
-latest_time_offset = 86400
+earliest_time_offset = 86400
+latest_time_offset = 0
 
 [savedsearch://ESCU - Get Process File Activity]
 type = investigation
@@ -3092,16 +3092,16 @@ type = investigation
 explanation = none
 how_to_implement = You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.
 known_false_positives = None at this time
-earliest_time_offset = -70m@m
-latest_time_offset = -10m@m
+earliest_time_offset = 86400
+latest_time_offset = 14400
 
 [savedsearch://ESCU - Investigate User Activities In Single Cloud Region]
 type = investigation
 explanation = none
 how_to_implement = You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.
 known_false_positives = None at this time
-earliest_time_offset = -70m@m
-latest_time_offset = -10m@m
+earliest_time_offset = 86400
+latest_time_offset = 14400
 
 [savedsearch://ESCU - Investigate Web Activity From Host]
 type = investigation
@@ -3187,7 +3187,7 @@ providing_technologies = ["AWS"]
 [savedsearch://ESCU - Baseline of Network ACL Activity by ARN]
 type = support
 explanation = Use this search to create a baseline for API calls related to network ACLs for the users who initiated this activity. It returns all logged API calls for network activity, pulls out the ARN that initiated each call, and collects the `eventNames` in one-hour groupings. Next, it calculates the number of API calls made per ARN per-hour. For each ARN, it calculates the average and standard deviation of this count on a per-hour basis. It also includes the number of data points for each ARN. This table is stored in a lookup file.
-how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for network ACLs, edit the macro `NetworkACLEvents`.
+how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for network ACLs, edit the macro `network_acl_events`.
 known_false_positives = 
 providing_technologies = ["AWS"]
 
@@ -3208,7 +3208,7 @@ providing_technologies = ["Splunk Stream", "Bro"]
 [savedsearch://ESCU - Baseline of Security Group Activity by ARN]
 type = support
 explanation = Use this search to create a baseline for API calls related to security groups by the users who initiated this activity. It returns all logged API calls for all security-group-related activity, pulls out the ARN that initiated each call, and collects the `eventNames` in one-hour groupings. Next, it calculates the number of API calls made per ARN per hour. For each ARN, it calculates the average and standard deviation of this count on a per-hour basis. It also includes the number of data points for each ARN. This table is stored in a lookup file.
-how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for security groups, edit the macro `securityGroupAPIs`.
+how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.
 known_false_positives = 
 providing_technologies = ["AWS"]
 
@@ -3361,8 +3361,8 @@ providing_technologies = ["AWS"]
 
 [savedsearch://ESCU - Previously Seen EC2 Modifications By User]
 type = support
-explanation = In this support search, we create a table of the earliest and latest times that an ARN has modified a EC2 instance. The list of APIs that modify an EC2 are defined in the `ec2ModificationAPIs` macro for ease of use. This table is then outputted to a file.
-how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2ModificationAPIs`.
+explanation = In this support search, we create a table of the earliest and latest times that an ARN has modified a EC2 instance. The list of APIs that modify an EC2 are defined in the `ec2_modification_api_calls` macro for ease of use. This table is then outputted to a file.
+how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.
 known_false_positives = 
 providing_technologies = ["AWS"]