Branch was auto-updated.

Author: srv-rr-gh-researchbt

contentctl

@@ -5,8 +5,8 @@ build:
   name: DA-ESS-ContentUpdate
   path_root: dist
   prefix: ESCU
-  build: 004161
-  version: 4.16.1
+  build: 004170
+  version: 4.17.0
   label: ES Content Updates
   author_name: Splunk Threat Research Team
   author_email: [email protected]
@@ -22,4 +22,4 @@ build_api:
 enrichments:
   attack_enrichment: true
   cve_enrichment: true
-  splunk_app_enrichment: false
+  splunk_app_enrichment: false

contentctl.yml

@@ -1,7 +1,7 @@
 name: AWS IAM Failure Group Deletion
 id: 723b861a-92eb-11eb-93b8-acde48001122
-version: 1
-date: '2021-04-01'
+version: 2
+date: '2023-11-07'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -32,8 +32,7 @@ tags:
   asset_type: AWS Account
   confidence: 50
   impact: 10
-  message: User $user_arn$ has had mulitple failures while attempting to delete groups
-    from $src$
+  message: User $user_arn$ has had mulitple failures while attempting to delete groups from $src$
   mitre_attack_id:
   - T1098
   observable:
@@ -45,10 +44,6 @@ tags:
     type: User
     role:
     - Victim
-  - name: group_name
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

detections/cloud/aws_iam_failure_group_deletion.yml

@@ -1,7 +1,7 @@
 name: AWS S3 Exfiltration Behavior Identified
 id: 85096389-a443-42df-b89d-200efbb1b560
-version: 1
-date: '2023-05-04'
+version: 2
+date: '2023-11-07'
 author: Bhavin Patel, Splunk
 status: production
 type: Correlation
@@ -24,7 +24,7 @@ tags:
   asset_type: AWS Account
   confidence: 90
   impact: 90
-  message: Multiple AWS Exfiltration detections $source$ and techniques $All_Risk.annotations.mitre_attack.mitre_tactic_id$ trigged for risk object $risk_object$
+  message: Multiple AWS Exfiltration detections $source$ and techniques $annotations.mitre_attack.mitre_tactic_id$ trigged for risk object $risk_object$
   mitre_attack_id:
   - T1537
   observable:

detections/cloud/aws_s3_exfiltration_behavior_identified.yml

@@ -1,7 +1,7 @@
 name: AWS Successful Console Authentication From Multiple IPs
 id: 395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb
-version: 1
-date: '2023-01-19'
+version: 2
+date: '2023-11-07'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -12,8 +12,8 @@ description: The following analytic identifies an AWS account successfully authe
   time as a legitimate user. As users may behave differently across organizations,
   security teams should test and customize this detection to fit their environments.
 data_source: []
-search: ' `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent)
-  values(eventName) values(src_ip) dc(src_ip) as distinct_ip_count by _time user_arn
+search: ' `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) as userAgent
+  values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn
   | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`'
 how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This
   search works when AWS CloudTrail events are normalized use the Authentication datamodel.
@@ -30,16 +30,16 @@ tags:
   confidence: 80
   impact: 90
   message: User $user_arn$ has successfully logged into the AWS Console from different
-    IP addresses $src$ within 5 mins
+    IP addresses $src_ip$ within 5 mins
   mitre_attack_id:
   - T1586
   - T1535
   observable:
-  - name: src
+  - name: src_ip
     type: IP Address
     role:
     - Attacker
-  - name: user
+  - name: user_arn
     type: User
     role:
     - Victim
@@ -49,12 +49,10 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - Authentication.src
-  - Authentication.user
-  - Authentication.signature
-  - Authentication.user_agent
-  - Authentication.action
-  - Authentication.user_type
+  - eventName
+  - userAgent
+  - src_ip
+  - user_arn
   risk_score: 72
   security_domain: threat
 tests:

detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml

@@ -1,7 +1,7 @@
 name: AWS Unusual Number of Failed Authentications From Ip
 id: 0b5c9c2b-e2cb-4831-b4f1-af125ceb1386
-version: 1
-date: '2022-09-26'
+version: 2
+date: '2023-11-07'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -19,10 +19,10 @@ description: The following analytic identifies one source IP failing to authenti
   Multiple Users Failing To Authenticate From Ip`.
 data_source: []
 search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time
-  | stats  dc(_raw) AS unique_accounts values(user_name) as tried_accounts by _time,
-  src_ip | eventstats  avg(unique_accounts) as ip_avg , stdev(unique_accounts) as
-  ip_std by _time | eval  upperBound=(ip_avg+ip_std*3) | eval  isOutlier=if(unique_accounts
-  > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`'
+  | stats  dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time,
+  src_ip | eventstats  avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as
+  ip_std by _time | eval  upperBound=(avg_attempts+ip_std*3) | eval  isOutlier=if(distinct_attempts
+  > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`'
 how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail.
   We recommend the users to try different combinations of the bucket span time and
   the calculation of the upperBound field to tune this search according to their environment

detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml

@@ -1,7 +1,7 @@
 name: Azure AD PIM Role Assigned
 id: fcd6dfeb-191c-46a0-a29c-c306382145ab
-version: 1
-date: '2023-04-26'
+version: 2
+date: '2023-11-07'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,8 @@ description: The following analytic identifies the assignment of the Azure AD PI
 search: ' `azuread` operationName="Add eligible member to role in PIM completed*"
   | rename properties.* as * 
   | rename targetResources{}.userPrincipalName as userPrincipalName 
-  | stats values(userPrincipalName) values(targetResources{}.displayName) by _time, result, operationName, initiatedBy.user.displayName
+  | rename initiatedBy.user.userPrincipalName as initiatedBy
+  | stats values(userPrincipalName) as userPrincipalName values(targetResources{}.displayName) as target_display_name by _time, result, operationName, initiatedBy
   | `azure_ad_pim_role_assigned_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
@@ -33,12 +34,12 @@ tags:
   asset_type: Azure Active Directory
   confidence: 50
   impact: 70
-  message: An Azure AD PIM role assignment was assiged to $userPrincipalName$
+  message: An Azure AD PIM role assignment was assiged to $userPrincipalName$ by $initiatedBy$
   mitre_attack_id:
   - T1098
   - T1098.003
   observable:
-  - name: userPrincipalName
+  - name: initiatedBy
     type: User
     role:
     - Attacker

detections/cloud/azure_ad_pim_role_assigned.yml

@@ -1,7 +1,7 @@
 name: Azure AD PIM Role Assignment Activated
 id: 952e80d0-e343-439b-83f4-808c3e6fbf2e
-version: 1
-date: '2023-04-26'
+version: 2
+date: '2023-11-07'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies the assignment of the Azure AD PI
 search: ' `azuread` operationName="Add member to role completed (PIM activation)"
   | rename properties.* as * 
   | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy
-  | stats values(userPrincipalName) values(targetResources{}.displayName) by _time, initiatedBy, result, operationName,
+  | stats values(userPrincipalName) as userPrincipalName values(targetResources{}.displayName) as target_display_name by _time, initiatedBy, result, operationName,
   | `azure_ad_pim_role_assignment_activated_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
@@ -38,7 +38,7 @@ tags:
   - T1098
   - T1098.003
   observable:
-  - name: userPrincipalName
+  - name: initiatedBy
     type: User
     role:
     - Attacker

detections/cloud/azure_ad_pim_role_assignment_activated.yml

@@ -1,7 +1,7 @@
 name: Azure Automation Runbook Created
 id: 178d696d-6dc6-4ee8-9d25-93fee34eaf5b
-version: 1
-date: '2022-08-22'
+version: 2
+date: '2023-11-07'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -17,7 +17,7 @@ description: The following analytic identifies the creation of a new Azure Autom
 data_source: []
 search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation
   Runbook" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object
-  | stats values(object) by _time, caller, claims.ipaddr, resourceGroupName, object_path
+  | stats values(object) as object by _time, caller, claims.ipaddr, resourceGroupName, object_path
   | `azure_automation_runbook_created_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).

detections/cloud/azure_automation_runbook_created.yml

@@ -1,7 +1,7 @@
 name: Azure Runbook Webhook Created
 id: e98944a9-92e4-443c-81b8-a322e33ce75a
-version: 1
-date: '2022-08-23'
+version: 2
+date: '2023-11-07'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -17,7 +17,7 @@ description: The following analytic identifies the creation of a new Automation
   on a VM. This provides a persistent foothold on the environment.
 data_source: []
 search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation
-  webhook" status.value=Succeeded | stats values(object) by _time, caller, claims.ipaddr,
+  webhook" status.value=Succeeded | stats values(object) as object by _time, caller, claims.ipaddr,
   resourceGroupName, object_path | `azure_runbook_webhook_created_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).

detections/cloud/azure_runbook_webhook_created.yml

@@ -1,29 +1,31 @@
 name: High Number of Login Failures from a single source
 id: 7f398cfb-918d-41f4-8db8-2e2474e02222
-version: 1
+version: 2
 date: '2020-12-16'
-author: Bhavin Patel, Splunk
-status: experimental
+author: Bhavin Patel, Mauricio Velazco, Splunk
+status: production
 type: Anomaly
-description: This search will detect more than 5 login failures in Office365 Azure
-  Active Directory from a single source IP address. Please adjust the threshold value
-  of 5 as suited for your environment.
+description: This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account.
 data_source: []
-search: '`o365_management_activity` Operation=UserLoginFailed  record_type=AzureActiveDirectoryStsLogon
-  app=AzureActiveDirectory | stats count dc(user) as accounts_locked values(user)
-  as user values(LogonError) as LogonError values(authentication_method) as authentication_method
-  values(signature) as signature values(UserAgent) as UserAgent by src_ip record_type
-  Operation app | search accounts_locked >= 5| `high_number_of_login_failures_from_a_single_source_filter`'
-how_to_implement: ''
-known_false_positives: unknown
-references: []
+search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon 
+  | bucket span=5m _time
+  | stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip
+  | where failed_attempts > 10
+  | `high_number_of_login_failures_from_a_single_source_filter`'
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold.
+known_false_positives: An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
+references:
+- https://attack.mitre.org/techniques/T1110/001/
+- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
+- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
+- https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
 tags:
   analytic_story:
-  - Office 365 Detections
+  - Office 365 Account Takeover
   asset_type: Office 365
   confidence: 50
   impact: 50
-  message: tbd
+  message: Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute
   mitre_attack_id:
   - T1110.001
   - T1110
@@ -32,6 +34,10 @@ tags:
     type: User
     role:
     - Victim
+  - name: src_ip
+    type: IP Address
+    role:
+    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -53,6 +59,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source.json
-    sourcetype: o365:management:activity
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log
     source: o365
+    sourcetype: o365:management:activity

detections/cloud/high_number_of_login_failures_from_a_single_source.yml

@@ -25,7 +25,7 @@ references:
 - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
 tags:
   analytic_story:
-  - Office 365 Detections
+  - Office 365 Persistence Mechanisms
   - Cloud Federated Credential Abuse
   asset_type: Office 365
   confidence: 60

detections/cloud/o365_add_app_role_assignment_grant_user.yml

@@ -20,7 +20,7 @@ references:
 - https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en
 tags:
   analytic_story:
-  - Office 365 Detections
+  - Office 365 Persistence Mechanisms
   - Cloud Federated Credential Abuse
   asset_type: Office 365
   confidence: 60