From 704fdd68ae4f2bc7413b4562597b70892dcb662b Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 15 Oct 2025 13:56:36 -0700 Subject: [PATCH 1/7] adding skelatons --- .../escu_defaullt_configuration_fbd.yml | 0 ...eeded_threshold_with_multiple_findings.yml | 80 +++++++++++++++++++ ...and_privilege_escalation_risk_behavior.yml | 53 +++++++----- 3 files changed, 115 insertions(+), 18 deletions(-) create mode 100644 deployments/escu_defaullt_configuration_fbd.yml create mode 100644 detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml diff --git a/deployments/escu_defaullt_configuration_fbd.yml b/deployments/escu_defaullt_configuration_fbd.yml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml b/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml new file mode 100644 index 0000000000..a8edd52919 --- /dev/null +++ b/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml 
@@ -0,0 +1,80 @@ +name: Entity Exceeded Threshold with Multiple Findings +id: 6a13f3e8-3ffc-4d1b-9a9d-9f4f2a9db25c +version: 1 +date: '2025-10-15' +author: Bhavin Patel, Splunk +status: production +type: Finding-based detection +description: The following analytic identifies entities (risk objects) that have more + than 10 findings or intermediate findings within the last 24 hours and promotes + them into a higher-level finding group for triage. +data_source: +- Risk +search: | + | tstats `summariesonly` `common_fbd_fields` + values(All_Risk.threat_object) AS threat_object + from datamodel=Risk.All_Risk + ```replace the where clause with with | genratetimerange ``` + where earliest="-24h@h" latest="now" + by All_Risk.normalized_risk_object All_Risk.risk_object_type index + | `get_mitre_annotations` + | rename All_Risk.normalized_risk_object AS normalized_risk_object All_Risk.risk_object_type AS risk_object_type + | `generate_findings_summary` + | stats list(*) AS * limit=100 + sum(int_risk_score_sum) AS risk_score + by `fbd_grouping(normalized_risk_object, risk_object_type)` + | `dedup_and_compute_common_fbd_fields`, + annotations.mitre_attack = mvdedup('annotations.mitre_attack'), + annotations.mitre_attack.mitre_tactic = mvdedup('annotations.mitre_attack.mitre_tactic'), + mitre_tactic_id_count = mvcount('annotations.mitre_attack.mitre_tactic'), + mitre_technique_id_count = mvcount('annotations.mitre_attack'), + threat_object = mvdedup(threat_object) + | fillnull value=0 mitre_tactic_id_count mitre_technique_id_count + | fields - int_risk_score_sum int_findings_count contributing_event_ids + | `drop_dm_object_name("All_Risk")` + | where total_event_count > 10 + | table `common_fbd_fields_results`, mitre_tactic_id_count, mitre_technique_id_count + | `entity_exceeded_threshold_with_multiple_findings_filter` +how_to_implement: Ensure the your Splunk Enterprise Security environment is configured to create findings and intermedeicate findings and finding-based 
detections are enabled. This detection relies on summarization macros (e.g., common_fbd_fields, generate_findings_summary) and requires risk data from findings and intermediate findings. Adjust the threshold as needed for your environment; default is more than 10 in the last 24 hours. + enabled. +known_false_positives: Some of these finding groups have have benign findings and intermediate findings. Tune the threshold as needed for your environment and considering filtering by entity in your environment. +references: [] +drilldown_searches: +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 24 hours for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=24 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +fbd: + input_type: entity + tokens: + entity_count_comparator: ">" + entity_count: 10 + search_on: + - finding + - int-finding +tags: + analytic_story: + - Finding Groups in Splunk Enterprise Security + asset_type: Endpoint + mitre_attack_id: [] + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/linux_risk/linuxrisk.log + source: linuxrisk + sourcetype: stash + 
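Review bot: The threshold lives in three places in this new file — `entity_count: 10` with `entity_count_comparator: ">"` under `fbd.tokens`, `| where total_event_count > 10` in the search, and "more than 10" in the description — so tuning one without the others silently desynchronises the editor-facing tokens from what the search enforces; if the FBD editor substitutes these tokens into the SPL, the filter should read `| where total_event_count $entity_count_comparator$ $entity_count$`, otherwise the tokens should go. The search also still carries the placeholder comment ```replace the where clause with with | genratetimerange ``` while `status` is `production`, which reads as unfinished work and should be resolved or dropped before merge. The drilldowns key on `$risk_object$`, but the same patch switches the Linux detection's drilldowns to `$fbd_group_by$`, which suggests `risk_object` is not a field the grouped output emits — worth verifying against what `common_fbd_fields_results` actually tables. `how_to_implement` has a dangling `enabled.` fragment and typos (`Ensure the your`, `intermedeicate`).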
diff --git a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml index 15ba268593..3b8da35435 100644 --- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml +++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml 
@@ -14,20 +14,35 @@ description: The following analytic identifies potential Linux persistence and p higher privileges, persist in the environment, and potentially access sensitive information, posing a severe security risk. data_source: [] -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) - as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) - as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as - annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) - as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) - as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) - as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, - dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories - IN ("Linux Privilege Escalation", "Linux Persistence Techniques") OR source = "*Linux*") - All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation") - All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type - All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where - source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`' +search: | + | tstats `summariesonly` `common_fbd_fields` + values(All_Risk.threat_object) AS threat_object + from datamodel=Risk.All_Risk + ```replace the where clause with with | genratetimerange ``` + where earliest="-30d@d" latest="now" + (All_Risk.analyticstories IN ("Linux Privilege Escalation","Linux Persistence Techniques") OR source="*Linux*") + All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence","privilege-escalation") + All_Risk.risk_object_type="system" + by 
All_Risk.normalized_risk_object All_Risk.risk_object_type index + | `get_mitre_annotations` + | rename All_Risk.normalized_risk_object AS normalized_risk_object All_Risk.risk_object_type AS risk_object_type + | `generate_findings_summary` + | stats list(*) AS * limit=100 + sum(int_risk_score_sum) AS risk_score + by `fbd_grouping(normalized_risk_object, risk_object_type)` + | `dedup_and_compute_common_fbd_fields`, + annotations.mitre_attack = mvdedup('annotations.mitre_attack'), + annotations.mitre_attack.mitre_tactic = mvdedup('annotations.mitre_attack.mitre_tactic'), + mitre_tactic_id_count = mvcount('annotations.mitre_attack.mitre_tactic'), + annotations.mitre_attack.mitre_technique_id = mvdedup('annotations.mitre_attack.mitre_technique_id'), + mitre_technique_id_count = mvcount('annotations.mitre_attack.mitre_technique_id'), + threat_object = mvdedup(threat_object) + | fillnull value=0 mitre_tactic_id_count mitre_technique_id_count threat_object + | fields - int_risk_score_sum int_findings_count contributing_event_ids + | `drop_dm_object_name("All_Risk")` + | where source_count >= 4 + | table `common_fbd_fields_results`, mitre_tactic_id_count, mitre_technique_id_count, source_count + | `linux_persistence_and_privilege_escalation_risk_behavior_filter` how_to_implement: Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to finding for point detections, anomaly should not be findings but risk generators. The correlation relies on more than x amount of distict detection names generated 
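Review bot: The rewritten search ends with `| where source_count >= 4`, but unlike the removed version (which computed `dc(source) as source_count` in tstats) nothing visible in the new pipeline produces `source_count`; unless `common_fbd_fields` or `dedup_and_compute_common_fbd_fields` happens to emit it, every row fails the filter and the detection goes silent — add `dc(source) AS source_count` to the tstats aggregation (or confirm the macro provides it) and make the test data exercise the ≥4 case. `fillnull value=0 mitre_tactic_id_count mitre_technique_id_count threat_object` also zero-fills a string field, which the sibling Entity detection in this patch does not do and which turns an absent threat object into a literal `0` in findings; limit `fillnull` to the two count fields. The placeholder ```replace the where clause with with | genratetimerange ``` should not ship in a production-status detection. `how_to_implement` starts in this hunk and continues past it.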
@@ -38,12 +53,12 @@ known_false_positives: False positives will be present based on many factors. Tu references: - https://attack.mitre.org/tactics/TA0004/ drilldown_searches: -- name: View the detection results for - "$risk_object$" - search: '%original_detection_search% | search risk_object = "$risk_object$"' +- name: View the detection results for - "$fbd_group_by$" + search: '%original_detection_search% | search fbd_group_by = "$fbd_group_by$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") +- name: View risk events for the last 7 days for - "$fbd_group_by$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$fbd_group_by$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -51,6 +66,8 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +fbd: + input_type: custom-fbd tags: analytic_story: - Linux Privilege Escalation From f7526fa052e94af7f51336cad47a76776c50cee1 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 15 Oct 2025 13:56:41 -0700 Subject: [PATCH 2/7] adding skelatons --- ...linux_persistence_and_privilege_escalation_risk_behavior.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml index 3b8da35435..62259e0336 100644 --- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml 
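Review bot: The second drilldown now searches `normalized_risk_object IN ("$fbd_group_by$")`, but `fbd_group_by` is produced by `fbd_grouping(normalized_risk_object, risk_object_type)` and presumably encodes both the object and its type, so the token is unlikely to equal a bare `normalized_risk_object` value and the drilldown may return nothing. Keep the entity token for that search, e.g. `| search normalized_risk_object IN ("$normalized_risk_object$")`, or confirm that `fbd_group_by` is the plain object name. The first drilldown's `| search fbd_group_by = "$fbd_group_by$"` is only usable if that field survives the final `table`, which the visible search does not show.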
+++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml @@ -4,7 +4,7 @@ version: 8 date: '2025-05-02' author: Michael Haag, Splunk status: production -type: Correlation +type: Finding-based detection description: The following analytic identifies potential Linux persistence and privilege escalation activities. It leverages risk scores and event counts from various Linux-related data sources, focusing on tactics associated with persistence and privilege escalation. From 7356b396a527a4068e2b54905d37ed757c37aa57 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 15 Oct 2025 14:42:36 -0700 Subject: [PATCH 3/7] updating structure --- .../escu_defaullt_configuration_fbd.yml | 0 ..._configuration_finding_based_detection.yml | 40 +++++++++++++++++++ 2 files changed, 40 insertions(+) delete mode 100644 deployments/escu_defaullt_configuration_fbd.yml create mode 100644 deployments/escu_defaullt_configuration_finding_based_detection.yml diff --git a/deployments/escu_defaullt_configuration_fbd.yml b/deployments/escu_defaullt_configuration_fbd.yml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/deployments/escu_defaullt_configuration_finding_based_detection.yml b/deployments/escu_defaullt_configuration_finding_based_detection.yml new file mode 100644 index 0000000000..c188108b92 --- /dev/null +++ b/deployments/escu_defaullt_configuration_finding_based_detection.yml 
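Review bot: `type` changes from `Correlation` to `Finding-based detection` (and patch 1 already rewrote the whole search and drilldowns), yet the `version: 8` and `date: '2025-05-02'` context lines in this hunk are left untouched; ESCU packaging keys upgrades on these, so bump to `version: 9` and today's date so the rewritten detection is redeployed rather than treated as unchanged.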
@@ -0,0 +1,40 @@ +name: ESCU Default Configuration Finding-based detection +id: 36ba498c-46e8-4b62-8bde-67e984a40fb4 +date: '2025-10-15' +author: Bhavin Patel +description: This configuration file applies to all detections of type Finding-based detection. + These detections will generate Finding Groups! +fbd: + max_append_time = 7d + reopen_finding_groups: 1 + search_on: + - int-finding + - finding + finding_group_lookback: + time: 1d + seconds: 86400 + finding_group_overlap: + percentage: 1 + time: 0.07d + seconds: 6048 +scheduling: + cron_schedule: 0 * * * * + earliest_time: -70m@m + latest_time: -10m@m + schedule_window: auto +alert_action: + notable: + rule_description: '%description%' + rule_title: '%name%' + # nes_fields: + # - user + # - dest + suppress: + fields: + - normalized_risk_object + - risk_object_type + - count_findings + - count_intermediate_findings + - earliest + period: 1d +type: Finding-based detection \ No newline at end of file From 5050291eeaacde284e72fa042086b9f9982748ac Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 15 Oct 2025 14:53:14 -0700 Subject: [PATCH 4/7] mionr --- .../escu_defaullt_configuration_finding_based_detection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/escu_defaullt_configuration_finding_based_detection.yml b/deployments/escu_defaullt_configuration_finding_based_detection.yml index c188108b92..3c2a4fc779 100644 --- a/deployments/escu_defaullt_configuration_finding_based_detection.yml +++ b/deployments/escu_defaullt_configuration_finding_based_detection.yml @@ -5,7 +5,7 @@ author: Bhavin Patel description: This configuration file applies to all detections of type Finding-based detection. These detections will generate Finding Groups! fbd: - max_append_time = 7d + max_append_time:7d reopen_finding_groups: 1 search_on: - int-finding From 8446045730ea02a87e723639bd79aebbcc1eaf84 Mon Sep 17 00:00:00 2001 
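Review bot: `suppress.fields` includes `earliest`, `count_findings` and `count_intermediate_findings`, all of which change as a group accumulates findings, so the 1d suppression key is unlikely to ever match a previous run and the same entity will re-notable on every update; if the intent is one notable per entity per day, suppress on `normalized_risk_object` and `risk_object_type` only, otherwise say in `description` why the counts are part of the key. The file name keeps the typo `escu_defaullt_...` even though this patch already renames it; fixing the spelling now avoids a second rename. `scheduling` bounds each run to `-70m@m`..`-10m@m`, but both detections bound their own tstats with `earliest="-24h@h"`/`"-30d@d"` in the where clause — note which window wins so operators tune the right one. The file also lacks a trailing newline.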
From: Bhavin Patel Date: Wed, 15 Oct 2025 14:54:17 -0700 Subject: [PATCH 5/7] updating yaml --- .../escu_defaullt_configuration_finding_based_detection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/escu_defaullt_configuration_finding_based_detection.yml b/deployments/escu_defaullt_configuration_finding_based_detection.yml index 3c2a4fc779..ebe5091478 100644 --- a/deployments/escu_defaullt_configuration_finding_based_detection.yml +++ b/deployments/escu_defaullt_configuration_finding_based_detection.yml @@ -5,7 +5,7 @@ author: Bhavin Patel description: This configuration file applies to all detections of type Finding-based detection. These detections will generate Finding Groups! fbd: - max_append_time:7d + max_append_time: 7d reopen_finding_groups: 1 search_on: - int-finding From 89a9a1cc73e20f26997e909c5bdff1193b4dceb3 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 15 Oct 2025 18:58:17 -0700 Subject: [PATCH 6/7] updating various files and added commented sections for other detections --- data_sources/risk_analysis_datamodel.yml | 71 +++++++++++++++++++ ..._configuration_finding_based_detection.yml | 2 +- ...eeded_threshold_with_multiple_findings.yml | 44 ++++++++++-- ...and_privilege_escalation_risk_behavior.yml | 4 +- 4 files changed, 113 insertions(+), 8 deletions(-) create mode 100644 data_sources/risk_analysis_datamodel.yml diff --git a/data_sources/risk_analysis_datamodel.yml b/data_sources/risk_analysis_datamodel.yml new file mode 100644 index 0000000000..c0d4596021 --- /dev/null +++ b/data_sources/risk_analysis_datamodel.yml 
@@ -0,0 +1,71 @@ +name: Risk Analysis Datamodel +id: f10ca2c9-d9a0-4d58-a0bc-ee12224aa2e7 +version: 1 +date: '2025-10-15' +author: Bhavin Patel, Splunk +description: Summarizes risk events produced by Risk-Based Alerting (RBA) and normalized + into the Risk datamodel (All_Risk). Includes calculated risk scores, risk objects, + annotations (e.g., ATT&CK), and related metadata used for correlation and finding-based + detections. +source: not_applicable +sourcetype: stash +supported_TA: +- name: Splunk Enterprise Security + url: https://splunkbase.splunk.com/app/263 + version: 8.2.3 +fields: + - analyticstories + - annotations + - annotations._all + - annotations._frameworks + - annotations.cis20 + - annotations.kill_chain_phases + - annotations.mitre_attack + - annotations.mitre_attack.mitre_description + - annotations.mitre_attack.mitre_detection + - annotations.mitre_attack.mitre_tactic + - annotations.mitre_attack.mitre_tactic_id + - annotations.mitre_attack.mitre_technique + - annotations.mitre_attack.mitre_technique_id + - annotations.mitre_attack.mitre_threat_group_name + - annotations.nist + - cim_entity_zone + - control + - creator + - dest + - dest_bunit + - dest_category + - dest_priority + - governance + - risk_object_bunit + - risk_object_category + - risk_object_priority + - savedsearch_description + - source_event_id + - src + - src_bunit + - src_category + - src_priority + - tag + - threat_object + - user + - user_bunit + - user_category + - user_priority + - Calculated + - description + - risk_object + - risk_object_type + - risk_score + - threat_object_type + - risk_factor_add + - risk_factor_add_matched + - risk_factor_mult + - risk_factor_mult_matched + - calculated_risk_score + - risk_message + - normalized_risk_object +example_log: >- + 1759869356, search_name="ESCU - Windows Outlook Macro Security Modified - Rule", action="modified", analyticstories="NotDoor Malware", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": 
[\"NotDoor Malware\", \"Windows Registry Abuse\"], \"cis20\": [\"CIS 10\"], \"data_source\": [\"Sysmon EventID 13\"], \"kill_chain_phases\": [\"Command and Control\", \"Installation\"], \"mitre_attack\": [\"T1137\", \"T1008\"], \"nist\": [\"DE.CM\"], \"type\": \"TTP\", \"type_list\": [\"TTP\"]}", annotations._all="NotDoor Malware", annotations._all="Windows Registry Abuse", annotations._all="CIS 10", annotations._all="Sysmon EventID 13", annotations._all="Command and Control", annotations._all="Installation", annotations._all="T1137", annotations._all="T1008", annotations._all="DE.CM", annotations._all="TTP", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="data_source", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations._frameworks="type", annotations._frameworks="type_list", annotations.analytic_story="NotDoor Malware", annotations.analytic_story="Windows Registry Abuse", annotations.cis20="CIS 10", annotations.data_source="Sysmon EventID 13", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1137", annotations.mitre_attack="T1008", annotations.nist="DE.CM", annotations.type="TTP", annotations.type_list="TTP", contributing_events_search="| savedsearch \"ESCU - Windows Outlook Macro Security Modified - Rule\" | search dest=\"WIN10-21H1.snapattack.labs\"", count="1", dest="WIN10-21H1.snapattack.labs", entity="WIN10-21H1.snapattack.labs", entity_type="system", info_max_time="1759868640.000000000", info_min_time="1704067200.000000000", info_search_time="1759869351.126955000", process_guid="F51F9151-CCF0-66AB-510B-000000000C00", process_id="9184", registry_hive="HKEY_CURRENT_USER", registry_key_name="HKU\\S-1-5-21-1538153195-943065003-848949206-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Security", 
registry_path="HKU\\S-1-5-21-1538153195-943065003-848949206-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level", registry_value_data="0x00000001", registry_value_name="Level", registry_value_type="REG_DWORD", risk_message="Outlook Macro Security Level registry modified on WIN10-21H1.snapattack.labs", risk_object="WIN10-21H1.snapattack.labs", risk_object_type="system", risk_score="44.0", savedsearch_description="The following analytic detects the modification of the Windows Registry key \"Level\" under Outlook Security. This allows macros to execute without warning, which could allow malicious scripts to run without notice. This detection leverages data from the Endpoint.Registry datamodel, specifically looking for the registry value name \"Level\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.", source_event_id="429f304d-d3f0-40ac-a918-e5fa89b9c026@@risk@@429f304dd3f040aca918e5fa89b9c026", source_guid="429f304d-d3f0-40ac-a918-e5fa89b9c026", status="success", user="localuser", vendor_product="Microsoft Sysmon" + + diff --git a/deployments/escu_defaullt_configuration_finding_based_detection.yml b/deployments/escu_defaullt_configuration_finding_based_detection.yml index ebe5091478..8429f2618a 100644 --- a/deployments/escu_defaullt_configuration_finding_based_detection.yml +++ b/deployments/escu_defaullt_configuration_finding_based_detection.yml @@ -1,5 +1,5 @@ name: ESCU Default Configuration Finding-based detection -id: 36ba498c-46e8-4b62-8bde-67e984a40fb4 +id: dcc7964f-1003-4052-86b4-4508e156f4d5 date: '2025-10-15' author: Bhavin Patel description: This configuration file applies to all detections of type Finding-based detection. 
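Review bot: The `fields` list contains `Calculated`, which matches no field in the example log and breaks the lower_snake_case of every other entry; it looks like a pasted column header, so remove it or replace it with the intended field (`calculated_risk_score` is already listed). `supported_TA` pins Splunk Enterprise Security to `8.2.3` while the references added in this same patch point at the 8.0 docs; state the minimum version that ships the Risk datamodel fields you list rather than a patch release, if that is what is meant. The `example_log` embeds a lab hostname and a full account SID, which is fine for a sample but worth anonymising (e.g. `WIN10-21H1.example.local`) since this file ships in the content pack.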
diff --git a/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml b/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml index a8edd52919..738eb8a0ec 100644 --- a/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml +++ b/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml @@ -1,5 +1,5 @@ name: Entity Exceeded Threshold with Multiple Findings -id: 6a13f3e8-3ffc-4d1b-9a9d-9f4f2a9db25c +id: d06b108c-2331-4276-9457-7b8b72f44ad7 version: 1 date: '2025-10-15' author: Bhavin Patel, Splunk @@ -9,7 +9,7 @@ description: The following analytic identifies entities (risk objects) that have than 10 findings or intermediate findings within the last 24 hours and promotes them into a higher-level finding group for triage. data_source: -- Risk +- Risk Analysis Datamodel search: | | tstats `summariesonly` `common_fbd_fields` values(All_Risk.threat_object) AS threat_object @@ -38,7 +38,8 @@ search: | how_to_implement: Ensure the your Splunk Enterprise Security environment is configured to create findings and intermedeicate findings and finding-based detections are enabled. This detection relies on summarization macros (e.g., common_fbd_fields, generate_findings_summary) and requires risk data from findings and intermediate findings. Adjust the threshold as needed for your environment; default is more than 10 in the last 24 hours. enabled. known_false_positives: Some of these finding groups have have benign findings and intermediate findings. Tune the threshold as needed for your environment and considering filtering by entity in your environment. -references: [] +references: +- https://help.splunk.com/en/splunk-enterprise-security-8/administer/8.0/detections/create-finding-based-detections-in-splunk-enterprise-security drilldown_searches: - name: View the detection results for - "$risk_object$" search: '%original_detection_search% | search risk_object = "$risk_object$"' 
@@ -58,9 +59,40 @@ fbd: tokens: entity_count_comparator: ">" entity_count: 10 - search_on: - - finding - - int-finding +# preview_earliest_time: "-24h@h" # can be hardcoded in the detection +# preview_latest_time: "now" # can be hardcoded in the detection + +# Different input type from the FBD Editor Generates different tokens keys and values + +# input_type: mitre-attack +# tokens: +# mitre_count_comparator: ">" +# mitre_count: 5 +# mitre_type: "tactic" +# preview_earliest_time: "-24h@h" # can be hardcoded in the detection +# preview_latest_time: "now" # can be hardcoded in the detection + +# input_type: similar-findings +# tokens: +# similar_findings_count_comparator: ">" +# similar_findings_count: 10 +# similar_findings_detections: +# - detection1 +# - detection2 +# preview_earliest_time: "-24h@h" # can be hardcoded in the detection +# preview_latest_time: "now" # can be hardcoded in the detection + +# input_type: similar-findings +# tokens: +# similar_findings_count_comparator: ">" +# similar_findings_count: 10 +# similar_findings_detections: +# - detection1 +# - detection2 +# - detection3 +# similar_findings_detections_parsed: +# preview_earliest_time: "-24h@h" # can be hardcoded in the detection +# preview_latest_time: "now" # can be hardcoded in the detection tags: analytic_story: - Finding Groups in Splunk Enterprise Security diff --git a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml index 62259e0336..df79e7f6d8 100644 --- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml +++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml 
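Review bot: Roughly thirty lines of commented-out `fbd` templates for other `input_type` values (`mitre-attack`, `similar-findings`) are added to a production detection's YAML; they are reference material, not configuration, and will drift from the editor's real token schema without anyone noticing. Move them to a contributor doc or an example file and leave a one-line pointer here, e.g. `# other input_type token sets: see docs/finding_based_detections.md`. Dropping `search_on` so the detection inherits the deployment default is reasonable, but `description` still promises both findings and intermediate findings, so that behaviour now depends on the deployment file — worth a short comment next to `input_type: entity`.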
@@ -13,7 +13,8 @@ description: The following analytic identifies potential Linux persistence and p If confirmed malicious, this activity could enable an attacker to execute code with higher privileges, persist in the environment, and potentially access sensitive information, posing a severe security risk. -data_source: [] +data_source: +- Risk Analysis Datamodel search: | | tstats `summariesonly` `common_fbd_fields` values(All_Risk.threat_object) AS threat_object @@ -52,6 +53,7 @@ known_false_positives: False positives will be present based on many factors. Tu the correlation as needed to reduce too many triggers. references: - https://attack.mitre.org/tactics/TA0004/ +- https://help.splunk.com/en/splunk-enterprise-security-8/administer/8.0/detections/create-finding-based-detections-in-splunk-enterprise-security drilldown_searches: - name: View the detection results for - "$fbd_group_by$" search: '%original_detection_search% | search fbd_group_by = "$fbd_group_by$"' From 9ebe6474948fbda36e40f3b9f69c5636e8543946 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 15 Oct 2025 19:10:59 -0700 Subject: [PATCH 7/7] remove duplicate input type --- ...ity_exceeded_threshold_with_multiple_findings.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml b/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml index 738eb8a0ec..7ab6651e14 100644 --- a/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml +++ b/detections/endpoint/entity_exceeded_threshold_with_multiple_findings.yml 
@@ -81,18 +81,6 @@ fbd: # - detection2 # preview_earliest_time: "-24h@h" # can be hardcoded in the detection # preview_latest_time: "now" # can be hardcoded in the detection - -# input_type: similar-findings -# tokens: -# similar_findings_count_comparator: ">" -# similar_findings_count: 10 -# similar_findings_detections: -# - detection1 -# - detection2 -# - detection3 -# similar_findings_detections_parsed: -# preview_earliest_time: "-24h@h" # can be hardcoded in the detection -# preview_latest_time: "now" # can be hardcoded in the detection tags: analytic_story: - Finding Groups in Splunk Enterprise Security