splunk
diff --git a/‎detections/application/detect_html_help_spawn_child_process.yml
+7-8 b/‎detections/application/detect_html_help_spawn_child_process.yml
+7-8
diff --git a/‎detections/application/detect_password_spray_attempts.yml
+30-38 b/‎detections/application/detect_password_spray_attempts.yml
+30-38
diff --git a/‎detections/application/email_files_written_outside_of_the_outlook_directory.yml
+6-6 b/‎detections/application/email_files_written_outside_of_the_outlook_directory.yml
+6-6
diff --git a/‎detections/application/okta_multi_factor_authentication_disabled.yml
+5-6 b/‎detections/application/okta_multi_factor_authentication_disabled.yml
+5-6
diff --git a/‎detections/application/okta_multiple_accounts_locked_out.yml
+4-5 b/‎detections/application/okta_multiple_accounts_locked_out.yml
+4-5
diff --git a/‎detections/application/okta_multiple_failed_mfa_requests_for_user.yml
+4-5 b/‎detections/application/okta_multiple_failed_mfa_requests_for_user.yml
+4-5
diff --git a/‎detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
+6-6 b/‎detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
+6-6
diff --git a/‎detections/application/okta_new_api_token_created.yml
+5-5 b/‎detections/application/okta_new_api_token_created.yml
+5-5
@@ -1,6 +1,6 @@
 name: Detect HTML Help Spawn Child Process
 id: 723716de-ee55-4cd4-9759-c44e7e55ba4b
-version: 9
+version: 10
 date: '2025-02-10'
 author: Michael Haag, Splunk
 status: production
@@ -19,11 +19,11 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe
-  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec 
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name 
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash 
-  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path 
-  Processes.user Processes.user_id Processes.vendor_product 
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `detect_html_help_spawn_child_process_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
@@ -90,7 +90,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog
@@ -1,6 +1,6 @@
 name: Detect Password Spray Attempts
 id: 086ab581-8877-42b3-9aee-4a7ecb0923af
-version: 6
+version: 7
 date: '2025-02-10'
 author: Dean Luxton
 status: production
@@ -13,41 +13,34 @@ description: This analytic employs the 3-sigma approach to detect an unusual vol
   many different accounts to avoid detection and account lockouts. By utilizing the
   Authentication Data Model, this detection is effective for all CIM-mapped authentication
   events, providing comprehensive coverage and enhancing security against these attacks.
-search: >-
-  | tstats `security_content_summariesonly` values(Authentication.user) AS unique_user_names
-  dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user)
-  as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure"
-  NOT Authentication.src IN ("-","unknown") by Authentication.action Authentication.app Authentication.authentication_method Authentication.dest 
-    Authentication.signature Authentication.signature_id Authentication.src sourcetype _time span=5m  
-  | `drop_dm_object_name("Authentication")`
-      ```fill out time buckets for 0-count events during entire search length```
-  | appendpipe [| timechart limit=0 span=5m count | table _time]
-  | fillnull value=0 unique_accounts
-    ``` Create aggregation field & apply to all null events```
-  | eval counter=src+"__"+sourcetype+"__"+signature_id  | eventstats values(counter)
-  as fnscounter  | eval counter=coalesce(counter,fnscounter) 
-    ``` stats version of mvexpand ```
-  | stats values(app) as app values(unique_user_names) as unique_user_names values(total_failures)
-  as total_failures values(src) as src values(signature_id) as signature_id values(sourcetype)
-  as sourcetype count by counter unique_accounts _time
-      ``` remove duplicate time buckets for each unique source```
-  | sort - _time unique_accounts
-  | dedup _time counter
-      ```Find the outliers```
-  | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std
-  by counter
-  | eval upperBound=(comp_avg+comp_std*3)
-  | eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0)
-  | replace "::ffff:*" with * in src  | where isOutlier=1  | foreach * 
-      [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
-  | table _time, src, action, app, unique_accounts, unique_user_names, total_failures,
-  sourcetype, signature_id, counter
-  | `detect_password_spray_attempts_filter`
-how_to_implement: >-
-  Ensure in-scope authentication data is CIM mapped and the src field is populated
-  with the source device.  Also ensure fill_nullvalue is set within the macro security_content_summariesonly.
-  This search opporates best on a 5 minute schedule, looking back over the past 70
-  minutes.  Configure 70 minute throttling on the two fields _time and counter. 
+search: "| tstats `security_content_summariesonly` values(Authentication.user) AS\
+  \ unique_user_names dc(Authentication.user) AS unique_accounts values(Authentication.app)\
+  \ as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication\
+  \ where Authentication.action=\"failure\" NOT Authentication.src IN (\"-\",\"unknown\"\
+  ) by Authentication.action Authentication.app Authentication.authentication_method\
+  \ Authentication.dest \n  Authentication.signature Authentication.signature_id Authentication.src\
+  \ sourcetype _time span=5m  \n| `drop_dm_object_name(\"Authentication\")`\n    ```fill\
+  \ out time buckets for 0-count events during entire search length```\n| appendpipe\
+  \ [| timechart limit=0 span=5m count | table _time] | fillnull value=0 unique_accounts\n\
+  \  ``` Create aggregation field & apply to all null events```\n| eval counter=src+\"\
+  __\"+sourcetype+\"__\"+signature_id  | eventstats values(counter) as fnscounter\
+  \  | eval counter=coalesce(counter,fnscounter) \n  ``` stats version of mvexpand\
+  \ ```\n| stats values(app) as app values(unique_user_names) as unique_user_names\
+  \ values(total_failures) as total_failures values(src) as src values(signature_id)\
+  \ as signature_id values(sourcetype) as sourcetype count by counter unique_accounts\
+  \ _time\n    ``` remove duplicate time buckets for each unique source```\n| sort\
+  \ - _time unique_accounts | dedup _time counter\n    ```Find the outliers```\n|\
+  \ eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std\
+  \ by counter | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts\
+  \ > 30 and unique_accounts >= upperBound, 1, 0) | replace \"::ffff:*\" with * in\
+  \ src  | where isOutlier=1  | foreach * \n    [ eval <<FIELD>> = if(<<FIELD>>=\"\
+  null\",null(),<<FIELD>>)] \n| table _time, src, action, app, unique_accounts, unique_user_names,\
+  \ total_failures, sourcetype, signature_id, counter | `detect_password_spray_attempts_filter`"
+how_to_implement: 'Ensure in-scope authentication data is CIM mapped and the src field
+  is populated with the source device.  Also ensure fill_nullvalue is set within the
+  macro security_content_summariesonly. This search opporates best on a 5 minute schedule,
+  looking back over the past 70 minutes.  Configure 70 minute throttling on the two
+  fields _time and counter. '
 known_false_positives: Unknown
 references:
 - https://attack.mitre.org/techniques/T1110/003/
@@ -92,7 +85,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log
     source: XmlWinEventLog:Security
     sourcetype: XmlWinEventLog
@@ -1,6 +1,6 @@
 name: Email files written outside of the Outlook directory
 id: 8d52cf03-ba25-4101-aa78-07994aed4f74
-version: 7
+version: 8
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: experimental
@@ -19,11 +19,11 @@ search: '| tstats `security_content_summariesonly` count values(Filesystem.file_
   as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
   where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path
   != "C:\\Users\\*\\My Documents\\Outlook Files\\*"  Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*"
-  by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time 
-  Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id 
-  Filesystem.user Filesystem.vendor_product 
-  | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
-  `email_files_written_outside_of_the_outlook_directory_filter`'
+  by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
+  Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
+  Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
+  Filesystem.user Filesystem.vendor_product | `drop_dm_object_name("Filesystem")`
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data
   that records the file-system activity from your hosts to populate the Endpoint.Filesystem
   data model node. This is typically populated via endpoint detection-and-response
 
@@ -1,6 +1,6 @@
 name: Okta Multi-Factor Authentication Disabled
 id: 7c0348ce-bdf9-45f6-8a57-c18b5976f00a
-version: 6
+version: 7
 date: '2025-02-10'
 author: Mauricio Velazco, Splunk
 data_source:
@@ -18,9 +18,9 @@ description: The following analytic identifies an attempt to disable multi-facto
 search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time)
   as firstTime from datamodel=Change where sourcetype="OktaIM2:log" All_Changes.object_category=User
   AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by
-  All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.dest
-  | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `okta_multi_factor_authentication_disabled_filter`'
+  All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src
+  All_Changes.dest | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `okta_multi_factor_authentication_disabled_filter`'
 how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the
   Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
 known_false_positives: Legitimate use case may require for users to disable MFA. Filter
@@ -66,7 +66,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.log
     source: Okta
     sourcetype: OktaIM2:log
@@ -1,6 +1,6 @@
 name: Okta Multiple Accounts Locked Out
 id: a511426e-184f-4de6-8711-cfd2af29d1e1
-version: 4
+version: 5
 date: '2025-01-21'
 author: Michael Haag, Mauricio Velazco, Splunk
 data_source:
@@ -17,8 +17,8 @@ description: The following analytic detects multiple Okta accounts being locked
 search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time)
   as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA
   All_Changes.object_category=User AND All_Changes.action=lockout AND All_Changes.command=user.account.lock
-  by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.dest
-  | where count > 5 | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)`
+  by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src
+  All_Changes.dest | where count > 5 | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `okta_multiple_accounts_locked_out_filter`'
 how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the
   Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
@@ -65,7 +65,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log
     source: Okta
     sourcetype: OktaIM2:log
@@ -1,6 +1,6 @@
 name: Okta Multiple Failed MFA Requests For User
 id: 826dbaae-a1e6-4c8c-b384-d16898956e73
-version: 5
+version: 6
 date: '2025-01-21'
 author: Mauricio Velazco, Splunk
 data_source:
@@ -17,8 +17,8 @@ description: The following analytic identifies multiple failed multi-factor auth
 search: '`okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE
   debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats
   count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip)
-  as src_ip values(debugContext.debugData.factor) values(dest) as dest by _time src_user | where count
-  >= 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  as src_ip values(debugContext.debugData.factor) values(dest) as dest by _time src_user
+  | where count >= 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `okta_multiple_failed_mfa_requests_for_user_filter`'
 how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the
   Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
@@ -63,7 +63,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.log
     source: Okta
     sourcetype: OktaIM2:log
@@ -1,6 +1,6 @@
 name: Okta Multiple Users Failing To Authenticate From Ip
 id: de365ffa-42f5-46b5-b43f-fa72290b8218
-version: 5
+version: 6
 date: '2025-01-21'
 author: Michael Haag, Mauricio Velazco, Splunk
 data_source:
@@ -18,9 +18,10 @@ description: The following analytic identifies instances where more than 10 uniq
 search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time)
   as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature)
   as signature values(Authentication.user) as user values(Authentication.app) as app
-  values(Authentication.authentication_method) as authentication_method values(Authentication.dest) as dest from datamodel=Authentication
-  where Authentication.action="failure" AND Authentication.signature=user.session.start
-  by _time span=5m Authentication.src sourcetype | where unique_accounts > 9 | `drop_dm_object_name("Authentication")`
+  values(Authentication.authentication_method) as authentication_method values(Authentication.dest)
+  as dest from datamodel=Authentication where Authentication.action="failure" AND
+  Authentication.signature=user.session.start by _time span=5m Authentication.src
+  sourcetype | where unique_accounts > 9 | `drop_dm_object_name("Authentication")`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_users_failing_to_authenticate_from_ip_filter`'
 how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the
   Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
@@ -67,7 +68,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log
     source: Okta
     sourcetype: OktaIM2:log
@@ -1,6 +1,6 @@
 name: Okta New API Token Created
 id: c3d22720-35d3-4da4-bd0a-740d37192bd4
-version: 7
+version: 8
 date: '2025-02-10'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
@@ -18,8 +18,9 @@ data_source:
 search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time)
   as firstTime from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create
   by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype
-  All_Changes.src All_Changes.action All_Changes.object_category All_Changes.dest | `drop_dm_object_name("All_Changes")`
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter`'
+  All_Changes.src All_Changes.action All_Changes.object_category All_Changes.dest
+  | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `okta_new_api_token_created_filter`'
 how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the
   Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
 known_false_positives: False positives may be present. Tune Okta and tune the analytic
@@ -63,7 +64,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log
     source: Okta
     sourcetype: OktaIM2:log