Modified macro name for clarity, updated how to implements with details

ljstella · ljstella · commit a980709e4b77 · 2024-07-26T14:11:24.000-05:00
diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml
@@ -21,15 +21,18 @@ search: '| tstats `security_content_summariesonly` count, min(_time) as firstTim
   | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup
   remote_access_software remote_utility AS file_name OUTPUT isutility, description
   as signature, comment_reference as desc, category | search isutility = TRUE 
-  | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_file_filter`'
+  | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_file_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the file path, file name, and the user that created
   the file. These logs must be processed using the appropriate Splunk Technology Add-ons
   that are specific to the EDR product. The logs must also be mapped to the `Filesystem`
   node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM)
-  to normalize the field names and speed up the data modeling process. 
+  to normalize the field names and speed up the data modeling process. The "exceptions" 
+  macro leverages both an Assets and Identities lookup, as well as a KVStore collection
+  called "remote_software_exceptions" that lets you track and maintain device-based 
+  exceptions for this set of detections. 
 known_false_positives: Known or approved applications used by the organization or
   usage of built-in functions. Known false positives can be added to the 
   remote_access_software_usage_exception.csv lookup to globally suppress these 
diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
@@ -20,10 +20,12 @@ search: '`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) a
   lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name,
   process_name, process | lookup remote_access_software remote_utility_fileinfo AS
   Product OUTPUT isutility, description as signature, comment_reference as desc, category
-  | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_fileinfo_filter`'
+  | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_fileinfo_filter`'
 how_to_implement: This analytic relies on Sysmon to be properly installed and utilized
   in the environment. Ensure that proper logging is setup for Sysmon and data is being
-  ingested into Splunk.
+  ingested into Splunk. The "exceptions" macro leverages both an Assets and Identities 
+  lookup, as well as a KVStore collection named "remote_software_exceptions" 
+  that lets you track and maintain device-based exceptions for this set of detections.
 known_false_positives: Known or approved applications used by the organization or
   usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv 
   lookup to globally suppress these situations across all remote access content
diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml
@@ -23,7 +23,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   Processes.process_name Processes.process | `security_content_ctime(firstTime)` |
   `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software
   remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference
-  as desc, category | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_process_filter`'
+  as desc, category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_process_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -32,7 +32,10 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   be processed using the appropriate Splunk Technology Add-ons that are specific to
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
+  names and speed up the data modeling process. The "exceptions" macro leverages 
+  both an Assets and Identities lookup, as well as a KVStore collection called 
+  "remote_software_exceptions" that lets you track and maintain device-
+  based exceptions for this set of detections.
 known_false_positives: It is possible that legitimate remote access software is used
   within the environment. Ensure that the lookup is reviewed and updated with any
   additional remote access software that is used within the environment. 
diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml
@@ -13,12 +13,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` |
   `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain
   AS query OUTPUT isutility, description as signature, comment_reference as desc,
-  category | eval dest = query | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_dns_filter`'
+  category | eval dest = query | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_dns_filter`'
 how_to_implement: To implement this search, you must ingest logs that contain the
   DNS query and the source of the query. These logs must be processed using the appropriate
   Splunk Technology Add-ons that are specific to the DNS logs. The logs must also
   be mapped to the `Network_Resolution` data model. Use the Splunk Common Information
-  Model (CIM) to normalize the field names and speed up the data modeling process.
+  Model (CIM) to normalize the field names and speed up the data modeling process. The 
+  "exceptions" macro leverages both an Assets and Identities lookup, 
+  as well as a KVStore collection called "remote_software_exceptions" that lets 
+  you track and maintain device-based exceptions for this set of detections.
 known_false_positives: It is possible that legitimate remote access software is used
   within the environment. Ensure that the lookup is reviewed and updated with any
   additional remote access software that is used within the environment. 
diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml
@@ -20,11 +20,14 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app |
   `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | lookup remote_access_software remote_appid AS app OUTPUT isutility, description
-  as signature, comment_reference as desc, category | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_traffic_filter`'
+  as signature, comment_reference as desc, category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_traffic_filter`'
 how_to_implement: The following analytic was developed with Palo Alto traffic logs.
   Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
+  names and speed up the data modeling process. The "exceptions" macro leverages 
+  both an Assets and Identities lookup, as well as a KVStore collection called 
+  "remote_software_exceptions" that lets you track and maintain device-
+  based exceptions for this set of detections.
 known_false_positives: It is possible that legitimate remote access software is used
   within the environment. Ensure that the lookup is reviewed and updated with any
   additional remote access software that is used within the environment.
diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml
@@ -20,12 +20,15 @@ search: '| tstats count min(_time) as firstTime max(_time) as lastTime latest(We
   Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `drop_dm_object_name("Web")` | lookup remote_access_software remote_domain AS
   url_domain OUTPUT isutility, description as signature, comment_reference as desc,
-  category | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_url_filter`'
+  category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_url_filter`'
 how_to_implement: The detection is based on data that originates from network logs.
   These logs must be processed using the appropriate Splunk Technology Add-ons that
   are specific to the network logs. The logs must also be mapped to the `Web` data
   model. Use the Splunk Common Information Model (CIM) to normalize the field names
-  and speed up the data modeling process.
+  and speed up the data modeling process. The "exceptions" macro leverages 
+  both an Assets and Identities lookup, as well as a KVStore collection called 
+  "remote_software_exceptions" that lets you track and maintain device-
+  based exceptions for this set of detections.
 known_false_positives: It is possible that legitimate remote access software is used
   within the environment. Ensure that the lookup is reviewed and updated with any
   additional remote access software that is used within the environment. 
diff --git a/macros/remote_access_software_usage_exceptions.yml b/macros/remote_access_software_usage_exceptions.yml
@@ -6,4 +6,4 @@ definition: 'eval exception_asset = CASE(isnotnull(src),src,isnotnull(dest),dest
   | search NOT (rmm_exception = TRUE AND rmm_exception_end IN ("FALSE","UNLIMITED"))
   | fields - asset_temp_field,exception_asset'
 description: Macro used with remote access monitoring content to define exception lookup and usage. Returns filtered results based on contents of remote_access_software_usage_exception.csv
-name: remote_access_software_usage_exception_filter
+name: remote_access_software_usage_exceptions
