diff --git a/data_sources/risk_analysis_datamodel.yml b/data_sources/risk_analysis_datamodel.yml
new file mode 100644
index 0000000000..c0d4596021
--- /dev/null
+++ b/data_sources/risk_analysis_datamodel.yml
@@ -0,0 +1,71 @@
+name: Risk Analysis Datamodel
+id: f10ca2c9-d9a0-4d58-a0bc-ee12224aa2e7
+version: 1
+date: '2025-10-15'
+author: Bhavin Patel, Splunk
+description: Summarizes risk events produced by Risk-Based Alerting (RBA) and normalized
+ into the Risk datamodel (All_Risk). Includes calculated risk scores, risk objects,
+ annotations (e.g., ATT&CK), and related metadata used for correlation and finding-based
+ detections.
+source: not_applicable
+sourcetype: stash
+supported_TA:
+- name: Splunk Enterprise Security
+ url: https://splunkbase.splunk.com/app/263
+ version: 8.2.3
+fields:
+ - analyticstories
+ - annotations
+ - annotations._all
+ - annotations._frameworks
+ - annotations.cis20
+ - annotations.kill_chain_phases
+ - annotations.mitre_attack
+ - annotations.mitre_attack.mitre_description
+ - annotations.mitre_attack.mitre_detection
+ - annotations.mitre_attack.mitre_tactic
+ - annotations.mitre_attack.mitre_tactic_id
+ - annotations.mitre_attack.mitre_technique
+ - annotations.mitre_attack.mitre_technique_id
+ - annotations.mitre_attack.mitre_threat_group_name
+ - annotations.nist
+ - cim_entity_zone
+ - control
+ - creator
+ - dest
+ - dest_bunit
+ - dest_category
+ - dest_priority
+ - governance
+ - risk_object_bunit
+ - risk_object_category
+ - risk_object_priority
+ - savedsearch_description
+ - source_event_id
+ - src
+ - src_bunit
+ - src_category
+ - src_priority
+ - tag
+ - threat_object
+ - user
+ - user_bunit
+ - user_category
+ - user_priority
+ - Calculated
+ - description
+ - risk_object
+ - risk_object_type
+ - risk_score
+ - threat_object_type
+ - risk_factor_add
+ - risk_factor_add_matched
+ - risk_factor_mult
+ - risk_factor_mult_matched
+ - calculated_risk_score
+ - risk_message
+ - normalized_risk_object
+example_log: >-
+ 1759869356, search_name="ESCU - Windows Outlook Macro Security Modified - Rule", action="modified", analyticstories="NotDoor Malware", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": 
[\"NotDoor Malware\", \"Windows Registry Abuse\"], \"cis20\": [\"CIS 10\"], \"data_source\": [\"Sysmon EventID 13\"], \"kill_chain_phases\": [\"Command and Control\", \"Installation\"], \"mitre_attack\": [\"T1137\", \"T1008\"], \"nist\": [\"DE.CM\"], \"type\": \"TTP\", \"type_list\": [\"TTP\"]}", annotations._all="NotDoor Malware", annotations._all="Windows Registry Abuse", annotations._all="CIS 10", annotations._all="Sysmon EventID 13", annotations._all="Command and Control", annotations._all="Installation", annotations._all="T1137", annotations._all="T1008", annotations._all="DE.CM", annotations._all="TTP", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="data_source", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations._frameworks="type", annotations._frameworks="type_list", annotations.analytic_story="NotDoor Malware", annotations.analytic_story="Windows Registry Abuse", annotations.cis20="CIS 10", annotations.data_source="Sysmon EventID 13", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1137", annotations.mitre_attack="T1008", annotations.nist="DE.CM", annotations.type="TTP", annotations.type_list="TTP", contributing_events_search="| savedsearch \"ESCU - Windows Outlook Macro Security Modified - Rule\" | search dest=\"WIN10-21H1.snapattack.labs\"", count="1", dest="WIN10-21H1.snapattack.labs", entity="WIN10-21H1.snapattack.labs", entity_type="system", info_max_time="1759868640.000000000", info_min_time="1704067200.000000000", info_search_time="1759869351.126955000", process_guid="F51F9151-CCF0-66AB-510B-000000000C00", process_id="9184", registry_hive="HKEY_CURRENT_USER", registry_key_name="HKU\\S-1-5-21-1538153195-943065003-848949206-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Security", 
registry_path="HKU\\S-1-5-21-1538153195-943065003-848949206-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level", registry_value_data="0x00000001", registry_value_name="Level", registry_value_type="REG_DWORD", risk_message="Outlook Macro Security Level registry modified on WIN10-21H1.snapattack.labs", risk_object="WIN10-21H1.snapattack.labs", risk_object_type="system", risk_score="44.0", savedsearch_description="The following analytic detects the modification of the Windows Registry key \"Level\" under Outlook Security. This allows macros to execute without warning, which could allow malicious scripts to run without notice. This detection leverages data from the Endpoint.Registry datamodel, specifically looking for the registry value name \"Level\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.", source_event_id="429f304d-d3f0-40ac-a918-e5fa89b9c026@@risk@@429f304dd3f040aca918e5fa89b9c026", source_guid="429f304d-d3f0-40ac-a918-e5fa89b9c026", status="success", user="localuser", vendor_product="Microsoft Sysmon"
+
+
diff --git a/deployments/escu_defaullt_configuration_finding_based_detection.yml b/deployments/escu_defaullt_configuration_finding_based_detection.yml
new file mode 100644
index 0000000000..8429f2618a
--- /dev/null
+++ b/deployments/escu_defaullt_configuration_finding_based_detection.yml
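Review bot: The `fields` list in this hunk contains an entry `Calculated` that is capitalized unlike every other entry and does not look like an All_Risk field name; it sits right before the computed fields (`risk_score`, `calculated_risk_score`, `risk_factor_*`) and reads like a section heading or a field-picker artifact rather than a field. If it is not a real field, drop the line; if it is meant as a heading, make it a comment, `  # calculated fields`, so consumers of this data source do not treat it as a field. The `example_log` also embeds the full `savedsearch_description` and `contributing_events_search`, which is harmless but makes the sample hard to read; a trimmed event would serve the documentation purpose equally well.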
@@ -0,0 +1,40 @@
+name: ESCU Default Configuration Finding-based detection
+id: dcc7964f-1003-4052-86b4-4508e156f4d5
+date: '2025-10-15'
+author: Bhavin Patel
+description: This configuration file applies to all detections of type Finding-based detection.
+ These detections will generate Finding Groups!
+fbd:
+ max_append_time: 7d
+ reopen_finding_groups: 1
+ search_on:
+ - int-finding
+ - finding
+ finding_group_lookback:
+ time: 1d
+ seconds: 86400
+ finding_group_overlap:
+ percentage: 1
+ time: 0.07d
+ seconds: 6048
+scheduling:
+ cron_schedule: 0 * * * *
+ earliest_time: -70m@m
+ latest_time: -10m@m
+ schedule_window: auto
+alert_action:
+ notable:
+ rule_description: '%description%'
+ rule_title: '%name%'
+ # nes_fields:
+ # - user
+ # - dest
+ suppress:
+ fields:
+ - normalized_risk_object
+ - risk_object_type
+ - count_findings
+ - count_intermediate_findings
+ - earliest
+ period: 1d
+type: Finding-based detection
\ No newline at end of file
diff --git a/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml b/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml
new file mode 100644
index 0000000000..7ab6651e14
--- /dev/null
+++ b/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml
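Review bot: The new deployment file's path carries a typo, `escu_defaullt_configuration_finding_based_detection.yml` (`defaullt`), and the file ends without a trailing newline (`\ No newline at end of file`); deployment files are referenced by path, so renaming it now to `escu_default_configuration_finding_based_detection.yml` avoids carrying the typo into every consumer. The commented-out `nes_fields` block under `alert_action.notable` is left without explanation; either remove it or add a comment stating why it is kept, e.g. `# nes_fields intentionally unset for finding groups`. The `description` ending `These detections will generate Finding Groups!` reads as informal for a configuration file; `These detections generate Finding Groups.` says the same thing.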
@@ -0,0 +1,100 @@
+name: Entity Exceeded Threshold with Multiple Findings
+id: d06b108c-2331-4276-9457-7b8b72f44ad7
+version: 1
+date: '2025-10-15'
+author: Bhavin Patel, Splunk
+status: production
+type: Finding-based detection
+description: The following analytic identifies entities (risk objects) that have more
+ than 10 findings or intermediate findings within the last 24 hours and promotes
+ them into a higher-level finding group for triage.
+data_source:
+- Risk Analysis Datamodel
+search: |
+ | tstats `summariesonly` `common_fbd_fields`
+ values(All_Risk.threat_object) AS threat_object
+ from datamodel=Risk.All_Risk
+ ```replace the where clause with with | genratetimerange ```
+ where earliest="-24h@h" latest="now"
+ by All_Risk.normalized_risk_object All_Risk.risk_object_type index
+ | `get_mitre_annotations`
+ | rename All_Risk.normalized_risk_object AS normalized_risk_object All_Risk.risk_object_type AS risk_object_type
+ | `generate_findings_summary`
+ | stats list(*) AS * limit=100
+ sum(int_risk_score_sum) AS risk_score
+ by `fbd_grouping(normalized_risk_object, risk_object_type)`
+ | `dedup_and_compute_common_fbd_fields`,
+ annotations.mitre_attack = mvdedup('annotations.mitre_attack'),
+ annotations.mitre_attack.mitre_tactic = mvdedup('annotations.mitre_attack.mitre_tactic'),
+ mitre_tactic_id_count = mvcount('annotations.mitre_attack.mitre_tactic'),
+ mitre_technique_id_count = mvcount('annotations.mitre_attack'),
+ threat_object = mvdedup(threat_object)
+ | fillnull value=0 mitre_tactic_id_count mitre_technique_id_count
+ | fields - int_risk_score_sum int_findings_count contributing_event_ids
+ | `drop_dm_object_name("All_Risk")`
+ | where total_event_count > 10
+ | table `common_fbd_fields_results`, mitre_tactic_id_count, mitre_technique_id_count
+ | `entity_exceeded_threshold_with_multiple_findings_filter`
+how_to_implement: Ensure the your Splunk Enterprise Security environment is configured to create findings and intermedeicate findings and 
finding-based detections are enabled. This detection relies on summarization macros (e.g., common_fbd_fields, generate_findings_summary) and requires risk data from findings and intermediate findings. Adjust the threshold as needed for your environment; default is more than 10 in the last 24 hours.
+ enabled.
+known_false_positives: Some of these finding groups have have benign findings and intermediate findings. Tune the threshold as needed for your environment and considering filtering by entity in your environment.
+references:
+- https://help.splunk.com/en/splunk-enterprise-security-8/administer/8.0/detections/create-finding-based-detections-in-splunk-enterprise-security
+drilldown_searches:
+- name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 24 hours for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$")
+ starthoursago=24 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+fbd:
+ input_type: entity
+ tokens:
+ entity_count_comparator: ">"
+ entity_count: 10
+# preview_earliest_time: "-24h@h" # can be hardcoded in the detection
+# preview_latest_time: "now" # can be hardcoded in the detection
+
+# Different input type from the FBD Editor Generates different tokens keys and values
+
+# input_type: mitre-attack
+# tokens:
+# mitre_count_comparator: ">"
+# mitre_count: 5
+# mitre_type: "tactic"
+# 
preview_earliest_time: "-24h@h" # can be hardcoded in the detection
+# preview_latest_time: "now" # can be hardcoded in the detection
+
+# input_type: similar-findings
+# tokens:
+# similar_findings_count_comparator: ">"
+# similar_findings_count: 10
+# similar_findings_detections:
+# - detection1
+# - detection2
+# preview_earliest_time: "-24h@h" # can be hardcoded in the detection
+# preview_latest_time: "now" # can be hardcoded in the detection
+tags:
+ analytic_story:
+ - Finding Groups in Splunk Enterprise Security
+ asset_type: Endpoint
+ mitre_attack_id: []
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: audit
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/linux_risk/linuxrisk.log
+ source: linuxrisk
+ sourcetype: stash
+
diff --git a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
index 15ba268593..df79e7f6d8 100644
--- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
+++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
@@ -4,7 +4,7 @@ version: 8
 date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
-type: Correlation
+type: Finding-based detection
 description: The following analytic identifies potential Linux persistence and privilege escalation activities. It leverages risk scores and event counts from various Linux-related data sources, focusing on tactics associated with persistence and privilege escalation.
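Review bot: The two drilldowns in this hunk filter on `risk_object` / `$risk_object$`, but the search groups by `fbd_grouping(normalized_risk_object, risk_object_type)` and outputs `common_fbd_fields_results`, and the linux_persistence_and_privilege_escalation_risk_behavior hunk in this same commit moves its drilldowns to `fbd_group_by = "$fbd_group_by$"`; if `risk_object` is not among the emitted fields the token never resolves, so the two detections should use the same field. `fbd.tokens.entity_count: 10` duplicates the literal in `| where total_event_count > 10` and nothing in the search reads the token, so changing it in the FBD editor would not change the threshold; if that is by design, a comment on the `tokens` key saying so would save the next reader the check. `mitre_technique_id_count = mvcount('annotations.mitre_attack')` counts the raw annotation field whereas the linux hunk counts `annotations.mitre_attack.mitre_technique_id`; one of the two should change so the counts mean the same thing. The SPL comment beginning `replace the where clause with with | genratetimerange` (typo for generatetimerange) ships inside the production search next to the hardcoded `where earliest="-24h@h" latest="now"`, and the stray `+ enabled.` line after `how_to_implement` plus the typos `the your`, `intermedeicate`, `have have` and `considering filtering` should be cleaned up before this is published.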
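Review bot: `date: '2025-05-02'` stays unchanged in this hunk while `type` changes from Correlation to Finding-based detection and the search is rewritten in the following hunk; `version: 8` (line 3, shown in the hunk context and outside any hunk) is likewise untouched. Bumping both, e.g. `version: 9` and `date: '2025-10-15'`, would match the other files in this commit and let downstream consumers see that the detection's logic changed.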
@@ -13,21 +13,37 @@ description: The following analytic identifies potential Linux persistence and p
 If confirmed malicious, this activity could enable an attacker to execute code with higher privileges, persist in the environment, and potentially access sensitive information, posing a severe security risk.
-data_source: []
-search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
- as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score)
- as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as
- annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id)
- as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id)
- as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id)
- as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source,
- dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories
- IN ("Linux Privilege Escalation", "Linux Persistence Techniques") OR source = "*Linux*")
- All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation")
- All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type
- All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)`
- | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where
- source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`'
+data_source:
+- Risk Analysis Datamodel
+search: |
+ | tstats `summariesonly` `common_fbd_fields`
+ values(All_Risk.threat_object) AS threat_object
+ from datamodel=Risk.All_Risk
+ ```replace the where clause with with | genratetimerange ```
+ where earliest="-30d@d" latest="now"
+ (All_Risk.analyticstories IN ("Linux Privilege Escalation","Linux Persistence Techniques") OR source="*Linux*")
+ 
All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence","privilege-escalation")
+ All_Risk.risk_object_type="system"
+ by All_Risk.normalized_risk_object All_Risk.risk_object_type index
+ | `get_mitre_annotations`
+ | rename All_Risk.normalized_risk_object AS normalized_risk_object All_Risk.risk_object_type AS risk_object_type
+ | `generate_findings_summary`
+ | stats list(*) AS * limit=100
+ sum(int_risk_score_sum) AS risk_score
+ by `fbd_grouping(normalized_risk_object, risk_object_type)`
+ | `dedup_and_compute_common_fbd_fields`,
+ annotations.mitre_attack = mvdedup('annotations.mitre_attack'),
+ annotations.mitre_attack.mitre_tactic = mvdedup('annotations.mitre_attack.mitre_tactic'),
+ mitre_tactic_id_count = mvcount('annotations.mitre_attack.mitre_tactic'),
+ annotations.mitre_attack.mitre_technique_id = mvdedup('annotations.mitre_attack.mitre_technique_id'),
+ mitre_technique_id_count = mvcount('annotations.mitre_attack.mitre_technique_id'),
+ threat_object = mvdedup(threat_object)
+ | fillnull value=0 mitre_tactic_id_count mitre_technique_id_count threat_object
+ | fields - int_risk_score_sum int_findings_count contributing_event_ids
+ | `drop_dm_object_name("All_Risk")`
+ | where source_count >= 4
+ | table `common_fbd_fields_results`, mitre_tactic_id_count, mitre_technique_id_count, source_count
+ | `linux_persistence_and_privilege_escalation_risk_behavior_filter`
 how_to_implement: Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to finding for point detections, anomaly should not be findings but risk generators. The correlation relies on more than x amount of distict detection names generated
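Review bot: `| where source_count >= 4` in this hunk keeps the old threshold, but the new tstats no longer computes `dc(source) as source_count` (the removed lines did); unless `common_fbd_fields` or `generate_findings_summary` emits `source_count`, the field is null, the where clause drops every row and the detection silently never fires. Either add the aggregation back next to the threat_object line, `dc(source) AS source_count`, and carry it through the `stats ... by fbd_grouping(...)` step, or confirm the macro provides it and say so in `how_to_implement`, which still reads "more than x amount of distict detection names". `fillnull value=0 ... threat_object` also stamps a literal `0` into a string field; limiting fillnull to the two counts, `| fillnull value=0 mitre_tactic_id_count mitre_technique_id_count`, avoids a fake threat object in the results. The hardcoded `where earliest="-30d@d" latest="now"` together with the embedded comment `replace the where clause with with | genratetimerange` (typo for generatetimerange) looks like an unfinished TODO and is duplicated in the entity_exceeded_threshold_with_multiple_findings hunk.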
@@ -37,13 +53,14 @@ known_false_positives: False positives will be present based on many factors. Tu
 the correlation as needed to reduce too many triggers.
 references:
 - https://attack.mitre.org/tactics/TA0004/
+- https://help.splunk.com/en/splunk-enterprise-security-8/administer/8.0/detections/create-finding-based-detections-in-splunk-enterprise-security
 drilldown_searches:
-- name: View the detection results for - "$risk_object$"
- search: '%original_detection_search% | search risk_object = "$risk_object$"'
+- name: View the detection results for - "$fbd_group_by$"
+ search: '%original_detection_search% | search fbd_group_by = "$fbd_group_by$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$")
+- name: View risk events for the last 7 days for - "$fbd_group_by$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$fbd_group_by$")
 starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
 values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
 as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
@@ -51,6 +68,8 @@ drilldown_searches:
 | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+fbd:
+ input_type: custom-fbd
 tags:
 analytic_story:
 - Linux Privilege Escalation
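Review bot: The second drilldown in this hunk now filters `normalized_risk_object IN ("$fbd_group_by$")`, but `fbd_group_by` comes from `fbd_grouping(normalized_risk_object, risk_object_type)` in the search; if that value is a composite of both fields it will never equal a bare `normalized_risk_object` and the drilldown returns nothing. If the composite form is intended, filter on the field the search emits, as the first drilldown does with `| search fbd_group_by = "$fbd_group_by$"`, or keep an entity-only token for the datamodel lookup. The entity_exceeded_threshold_with_multiple_findings detection added in this commit still uses `$risk_object$` in its drilldowns; the two finding-based detections should agree on the token.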