diff --git a/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml b/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml index 6aa827b83b..045d81112c 100644 --- a/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml +++ b/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml @@ -20,7 +20,6 @@ tags: - Emotet Malware DHS Report TA18-201A - Monitor for Unauthorized Software - SamSam Ransomware - asset_type: Endpoint detections: - Prohibited Software On Endpoint product: @@ -29,17 +28,4 @@ tags: - Splunk Cloud required_fields: - _time - security_domain: endpoint - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown + security_domain: endpoint \ No newline at end of file diff --git a/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml b/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml index 02874c9c4a..ba5dd7e652 100644 --- a/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml +++ b/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml @@ -32,17 +32,4 @@ tags: - _time - eventType - userIdentity.arn - security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown + security_domain: network \ No newline at end of file diff --git a/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml b/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml index d1dcf15f47..57eff79029 100644 --- a/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml +++ b/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml 
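Review bot: The rewritten final line `security_domain: endpoint` is emitted without a trailing newline (`\ No newline at end of file` appears on the new side only), whereas the old file ended with one; the same pattern repeats in every other `baselines/deprecated/*.yml` hunk in this commit and in `baselines/dnstwist_domain_names.yml`. yamllint's `new-line-at-end-of-file` check will flag each of these, and any tool that appends to the file will glue its output onto this line. Since the tail of the `tags:` mapping is being rewritten anyway, terminate it with a newline after `security_domain: endpoint`. The enclosing `tags:` mapping starts outside the hunk.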
@@ -44,17 +44,4 @@ tags: - eventName - errorCode - src_user - security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown + security_domain: network \ No newline at end of file diff --git a/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml b/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml index 1643566a67..ab4f8d7034 100644 --- a/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml +++ b/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml @@ -44,17 +44,4 @@ tags: - eventName - errorCode - src_user - security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown + security_domain: network \ No newline at end of file diff --git a/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml b/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml index cfb61398a8..f8b4361464 100644 --- a/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml +++ b/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml @@ -35,17 +35,4 @@ tags: - userIdentity.type - userName - eventName - security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown + security_domain: network \ No newline at end of file diff --git a/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml b/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml index 9c977eb85c..7f31d39d82 100644 
--- a/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml +++ b/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml @@ -33,17 +33,4 @@ tags: - _time - eventName - sourceIPAddress - security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown + security_domain: network \ No newline at end of file diff --git a/baselines/deprecated/previously_seen_ec2_amis.yml b/baselines/deprecated/previously_seen_ec2_amis.yml index 7c07f5b16c..adc1b0bfe4 100644 --- a/baselines/deprecated/previously_seen_ec2_amis.yml +++ b/baselines/deprecated/previously_seen_ec2_amis.yml @@ -29,17 +29,4 @@ tags: - eventName - errorCode - requestParameters.instancesSet.items{}.imageId - security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown + security_domain: network \ No newline at end of file diff --git a/baselines/deprecated/previously_seen_ec2_instance_types.yml b/baselines/deprecated/previously_seen_ec2_instance_types.yml index caa4874b07..ad702b1b8d 100644 --- a/baselines/deprecated/previously_seen_ec2_instance_types.yml +++ b/baselines/deprecated/previously_seen_ec2_instance_types.yml @@ -29,17 +29,4 @@ tags: - eventName - errorCode - requestParameters.instanceType - security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown + security_domain: network \ No newline at end of file diff --git a/baselines/deprecated/previously_seen_ec2_launches_by_user.yml b/baselines/deprecated/previously_seen_ec2_launches_by_user.yml index b9055ec06d..aca991c9b3 100644 
--- a/baselines/deprecated/previously_seen_ec2_launches_by_user.yml +++ b/baselines/deprecated/previously_seen_ec2_launches_by_user.yml @@ -30,17 +30,4 @@ tags: - eventName - errorCode - requestParameters.instanceType - security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown + security_domain: network \ No newline at end of file diff --git a/baselines/deprecated/previously_seen_users_in_cloudtrail.yml b/baselines/deprecated/previously_seen_users_in_cloudtrail.yml index c10e6be865..3b6c389848 100644 --- a/baselines/deprecated/previously_seen_users_in_cloudtrail.yml +++ b/baselines/deprecated/previously_seen_users_in_cloudtrail.yml @@ -37,17 +37,4 @@ tags: - eventName - userIdentity.arn - src - security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown + security_domain: network \ No newline at end of file diff --git a/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml b/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml index f7672203b6..703754631e 100644 --- a/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml +++ b/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml @@ -39,17 +39,4 @@ tags: - eventName - userIdentity.arn - src - security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown + security_domain: network \ No newline at end of file diff --git a/baselines/dnstwist_domain_names.yml b/baselines/dnstwist_domain_names.yml index 56d143e729..c213db75ac 100644 --- a/baselines/dnstwist_domain_names.yml 
+++ b/baselines/dnstwist_domain_names.yml @@ -19,7 +19,6 @@ tags: analytic_story: - Brand Monitoring - Suspicious Emails - asset_type: Endpoint detections: - Monitor Email For Brand Abuse - Monitor DNS For Brand Abuse @@ -28,19 +27,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - kill_chain_phases: - - Exploitation required_fields: - _time - security_domain: network - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: dest - type: Other - role: - - Other + security_domain: network \ No newline at end of file diff --git a/contentctl.yml b/contentctl.yml index 35ff7c0e0f..8014d0a2ae 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -13,10 +13,10 @@ app: enrichments: false build_app: true build_api: true -build_ssa: false build_path: dist -test_instance: - splunk_app_username: admin +test_instances: +- splunk_app_username: admin + instance_name: test_instance instance_address: localhost hec_port: 8088 web_ui_port: 8000 @@ -32,9 +32,9 @@ apps: # - uid: 263 # title: Splunk Enterprise Security # appid: SplunkEnterpriseSecuritySuite -# version: 7.3.1 +# version: 7.3.2 # description: description of app -# hardcoded_path: apps/splunk-enterprise-security_731.spl +# hardcoded_path: apps/splunk-enterprise-security_7312.spl - uid: 1621 title: Splunk Common Information Model (CIM) appid: Splunk_SA_CIM @@ -194,5 +194,3 @@ apps: version: 3.2.1 description: description of app hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/crowdstrike-falcon-event-streams-technical-add-on_321.tgz - -githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd diff --git a/detections/application/crushftp_server_side_template_injection.yml b/detections/application/crushftp_server_side_template_injection.yml index 6794bec15a..8a1ffb705b 100644 --- a/detections/application/crushftp_server_side_template_injection.yml +++ b/detections/application/crushftp_server_side_template_injection.yml 
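Review bot: In the commented-out Splunk Enterprise Security entry of `contentctl.yml`, the version bump to `7.3.2` is paired with `# hardcoded_path: apps/splunk-enterprise-security_7312.spl`, which breaks the `731` ↔ `7.3.1` naming of the line it replaces; `732` looks intended. The stanza is disabled, but whoever uncomments it next will get a path that cannot exist, so fix it now: `# hardcoded_path: apps/splunk-enterprise-security_732.spl`. In the first hunk, `test_instance:` becomes the list `test_instances:` with `- splunk_app_username: admin` as its first item; the surviving `instance_address`/`hec_port`/`web_ui_port` context lines are presumably still indented two spaces, which is what nesting them under the new list item requires — worth a quick look at the rendered file since the collapsed diff cannot show the indentation.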
@@ -52,7 +52,6 @@ tags: - user - action - message - risk_score: 64 security_domain: network cve: - CVE-2024-4040 diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml index 518b80d315..8983ddbd90 100644 --- a/detections/application/detect_distributed_password_spray_attempts.yml +++ b/detections/application/detect_distributed_password_spray_attempts.yml @@ -66,7 +66,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - Authentication.action - Authentication.user diff --git a/detections/application/detect_new_login_attempts_to_routers.yml b/detections/application/detect_new_login_attempts_to_routers.yml index da1110bdb6..70bceec972 100644 --- a/detections/application/detect_new_login_attempts_to_routers.yml +++ b/detections/application/detect_new_login_attempts_to_routers.yml @@ -49,5 +49,4 @@ tags: - Authentication.dest_category - Authentication.dest - Authentication.user - risk_score: 25 security_domain: network diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml index 6a90bbebdc..636044499e 100644 --- a/detections/application/detect_password_spray_attempts.yml +++ b/detections/application/detect_password_spray_attempts.yml @@ -61,7 +61,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - Authentication.action - Authentication.user diff --git a/detections/application/email_attachments_with_lots_of_spaces.yml b/detections/application/email_attachments_with_lots_of_spaces.yml index 976223f493..9b1e593689 100644 --- a/detections/application/email_attachments_with_lots_of_spaces.yml +++ b/detections/application/email_attachments_with_lots_of_spaces.yml 
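Review bot: Dropping `risk_score: 64` leaves this detection's risk contribution to whatever the build now derives, presumably from `confidence` and `impact`, which are not touched here and sit outside the hunk; confirm the derived value still comes out at 64 (80 × 80 / 100 would) before merging. The same removal is applied to every other detection in this commit, and several of the deleted values — `risk_score: 100` in the `windows_ad_*_acl_modification` files, `risk_score: 8` in `windows_increase_in_group_or_object_modification_activity.yml`, `risk_score: 18` in `okta_mfa_exhaustion_hunt.yml` — only round-trip if confidence and impact were already set to matching numbers. Where they were not, the RBA score and any notable thresholds keyed on it change silently, with no diff line showing the new value. The enclosing `tags:` mapping starts outside the hunk.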
@@ -64,5 +64,4 @@ tags: - All_Email.src_user - All_Email.file_name - All_Email.message_id - risk_score: 25 security_domain: network diff --git a/detections/application/email_files_written_outside_of_the_outlook_directory.yml b/detections/application/email_files_written_outside_of_the_outlook_directory.yml index f37061e330..e6ffc5ed1d 100644 --- a/detections/application/email_files_written_outside_of_the_outlook_directory.yml +++ b/detections/application/email_files_written_outside_of_the_outlook_directory.yml @@ -58,5 +58,4 @@ tags: - Filesystem.action - Filesystem.process_id - Filesystem.dest - risk_score: 25 security_domain: endpoint diff --git a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml index 1ab995f9d1..2a064ea69f 100644 --- a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml +++ b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml @@ -63,5 +63,4 @@ tags: - All_Traffic.bytes_out - All_Traffic.src_category - All_Traffic.dest_ip - risk_score: 25 security_domain: network diff --git a/detections/application/monitor_email_for_brand_abuse.yml b/detections/application/monitor_email_for_brand_abuse.yml index cc2471bbca..2edadcb52f 100644 --- a/detections/application/monitor_email_for_brand_abuse.yml +++ b/detections/application/monitor_email_for_brand_abuse.yml @@ -48,5 +48,4 @@ tags: - All_Email.recipient - All_Email.src_user - All_Email.message_id - risk_score: 25 security_domain: network diff --git a/detections/application/no_windows_updates_in_a_time_frame.yml b/detections/application/no_windows_updates_in_a_time_frame.yml index 5eeafa902c..5297323688 100644 --- a/detections/application/no_windows_updates_in_a_time_frame.yml +++ b/detections/application/no_windows_updates_in_a_time_frame.yml 
@@ -50,5 +50,4 @@ tags: - Updates.status - Updates.vendor_product - Updates.dest - risk_score: 25 security_domain: endpoint diff --git a/detections/application/okta_authentication_failed_during_mfa_challenge.yml b/detections/application/okta_authentication_failed_during_mfa_challenge.yml index 489b0178cb..ec98495ce6 100644 --- a/detections/application/okta_authentication_failed_during_mfa_challenge.yml +++ b/detections/application/okta_authentication_failed_during_mfa_challenge.yml @@ -67,7 +67,6 @@ tags: - Authentication.signature - Authentication.method - Authentication.src - risk_score: 48 security_domain: identity tests: - name: True Positive Test diff --git a/detections/application/okta_idp_lifecycle_modifications.yml b/detections/application/okta_idp_lifecycle_modifications.yml index a9052093c0..3a2f073752 100644 --- a/detections/application/okta_idp_lifecycle_modifications.yml +++ b/detections/application/okta_idp_lifecycle_modifications.yml @@ -64,7 +64,6 @@ tags: - user_agent - command - description - risk_score: 81 security_domain: identity tests: - name: True Positive Test diff --git a/detections/application/okta_mfa_exhaustion_hunt.yml b/detections/application/okta_mfa_exhaustion_hunt.yml index e17f3aee26..d9f09b420f 100644 --- a/detections/application/okta_mfa_exhaustion_hunt.yml +++ b/detections/application/okta_mfa_exhaustion_hunt.yml @@ -61,7 +61,6 @@ tags: - src_ip - eventType - status - risk_score: 18 security_domain: access tests: - name: True Positive Test diff --git a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml index 03a6a1aa0e..ade4869839 100644 --- a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml +++ b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml 
@@ -74,5 +74,4 @@ tags: - client.userAgent.rawUserAgent - debugContext.debugData.behaviors - group_push_time - risk_score: 64 security_domain: access diff --git a/detections/application/okta_multi_factor_authentication_disabled.yml b/detections/application/okta_multi_factor_authentication_disabled.yml index 478f4dbbac..34a17fd17d 100644 --- a/detections/application/okta_multi_factor_authentication_disabled.yml +++ b/detections/application/okta_multi_factor_authentication_disabled.yml @@ -61,7 +61,6 @@ tags: - All_Changes.result - All_Changes.src - sourcetype - risk_score: 30 security_domain: identity tests: - name: True Positive Test diff --git a/detections/application/okta_multiple_accounts_locked_out.yml b/detections/application/okta_multiple_accounts_locked_out.yml index daf67758d4..d1c27964d8 100644 --- a/detections/application/okta_multiple_accounts_locked_out.yml +++ b/detections/application/okta_multiple_accounts_locked_out.yml @@ -59,7 +59,6 @@ tags: - All_Changes.result - All_Changes.src - sourcetype - risk_score: 49 security_domain: identity tests: - name: True Positive Test diff --git a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml index bf761654d3..d01914f83a 100644 --- a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml +++ b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml @@ -56,7 +56,6 @@ tags: - displayMessage - src_user - src_ip - risk_score: 42 security_domain: identity tests: - name: True Positive Test diff --git a/detections/application/okta_multiple_failed_requests_to_access_applications.yml b/detections/application/okta_multiple_failed_requests_to_access_applications.yml index 2211b8fb5d..e079af5e38 100644 --- a/detections/application/okta_multiple_failed_requests_to_access_applications.yml +++ b/detections/application/okta_multiple_failed_requests_to_access_applications.yml 
@@ -63,5 +63,4 @@ tags: - actor.alternateId - client.ipAddress - eventType - risk_score: 56 security_domain: access diff --git a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml index 4f1af7ca0b..c76bec0af3 100644 --- a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml @@ -61,7 +61,6 @@ tags: - Authentication.authentication_method - Authentication.action - Authentication.src - risk_score: 54 security_domain: identity tests: - name: True Positive Test diff --git a/detections/application/okta_new_api_token_created.yml b/detections/application/okta_new_api_token_created.yml index 4c4200cccb..af863e51ee 100644 --- a/detections/application/okta_new_api_token_created.yml +++ b/detections/application/okta_new_api_token_created.yml @@ -61,7 +61,6 @@ tags: - outcome.reason - outcome.result - severity - risk_score: 64 security_domain: access tests: - name: True Positive Test diff --git a/detections/application/okta_new_device_enrolled_on_account.yml b/detections/application/okta_new_device_enrolled_on_account.yml index 76288f15e1..43ce4b45b4 100644 --- a/detections/application/okta_new_device_enrolled_on_account.yml +++ b/detections/application/okta_new_device_enrolled_on_account.yml @@ -56,7 +56,6 @@ tags: - client.userAgent.browser - client.geographicalContext.city - client.geographicalContext.country - risk_score: 24 security_domain: identity tests: - name: True Positive Test diff --git a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml index 8fad808cf6..61f7b7ecb8 100644 --- a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml +++ b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml 
@@ -53,5 +53,4 @@ tags: - client.userAgent.browser - outcome.reason - displayMessage - risk_score: 100 security_domain: access diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml index 8a6cb4a408..0286be39a2 100644 --- a/detections/application/okta_risk_threshold_exceeded.yml +++ b/detections/application/okta_risk_threshold_exceeded.yml @@ -68,7 +68,6 @@ tags: - All_Risk.annotations.mitre_attack.mitre_technique_id - All_Risk.tag - _time - risk_score: 56 security_domain: access tests: - name: True Positive Test diff --git a/detections/application/okta_successful_single_factor_authentication.yml b/detections/application/okta_successful_single_factor_authentication.yml index 85bf673cbe..6f8d121e5b 100644 --- a/detections/application/okta_successful_single_factor_authentication.yml +++ b/detections/application/okta_successful_single_factor_authentication.yml @@ -62,7 +62,6 @@ tags: - src_ip - user - _time - risk_score: 48 security_domain: identity tests: - name: True Positive Test diff --git a/detections/application/okta_suspicious_activity_reported.yml b/detections/application/okta_suspicious_activity_reported.yml index 447b104ac5..91543fadd1 100644 --- a/detections/application/okta_suspicious_activity_reported.yml +++ b/detections/application/okta_suspicious_activity_reported.yml @@ -57,7 +57,6 @@ tags: - client.userAgent.browser - client.geographicalContext.city - client.geographicalContext.country - risk_score: 25 security_domain: access tests: - name: True Positive Test diff --git a/detections/application/okta_suspicious_use_of_a_session_cookie.yml b/detections/application/okta_suspicious_use_of_a_session_cookie.yml index 769fd797ab..983f4c54ea 100644 --- a/detections/application/okta_suspicious_use_of_a_session_cookie.yml +++ b/detections/application/okta_suspicious_use_of_a_session_cookie.yml 
@@ -60,7 +60,6 @@ tags: - device.os_platform - debugContext.debugData.dtHash - actor.alternateId - risk_score: 56 security_domain: identity tests: - name: True Positive Test diff --git a/detections/application/okta_threatinsight_threat_detected.yml b/detections/application/okta_threatinsight_threat_detected.yml index 510f83e8df..ddb2be420e 100644 --- a/detections/application/okta_threatinsight_threat_detected.yml +++ b/detections/application/okta_threatinsight_threat_detected.yml @@ -64,7 +64,6 @@ tags: - outcome.reason - outcome.result - severity - risk_score: 25 security_domain: access tests: - name: True Positive Test diff --git a/detections/application/okta_unauthorized_access_to_application.yml b/detections/application/okta_unauthorized_access_to_application.yml index e7a0ad8897..3fd13107f4 100644 --- a/detections/application/okta_unauthorized_access_to_application.yml +++ b/detections/application/okta_unauthorized_access_to_application.yml @@ -61,7 +61,6 @@ tags: - Authentication.signature - Authentication.method - Authentication.src - risk_score: 81 security_domain: identity tests: - name: True Positive Test diff --git a/detections/application/okta_user_logins_from_multiple_cities.yml b/detections/application/okta_user_logins_from_multiple_cities.yml index 9834d29bd2..1a83fae1f0 100644 --- a/detections/application/okta_user_logins_from_multiple_cities.yml +++ b/detections/application/okta_user_logins_from_multiple_cities.yml @@ -65,7 +65,6 @@ tags: - Authentication.signature - Authentication.method - Authentication.src - risk_score: 81 security_domain: identity tests: - name: True Positive Test diff --git a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml index 19b718cce0..9cd7a79de5 100644 --- a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml 
+++ b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml @@ -79,7 +79,6 @@ tags: - resources{}.devicemodel - result.status - resources{}.websession - risk_score: 25 security_domain: access tests: - name: True Positive Test @@ -88,4 +87,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log source: PINGID sourcetype: _json - update_timestamp: true diff --git a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml index 495f695cde..da9ee85ed8 100644 --- a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml +++ b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml @@ -59,7 +59,6 @@ tags: - result.message - resources{}.devicemodel - result.status - risk_score: 50 security_domain: access tests: - name: True Positive Test diff --git a/detections/application/pingid_new_mfa_method_after_credential_reset.yml b/detections/application/pingid_new_mfa_method_after_credential_reset.yml index 58957a5efe..eb0aa0b38d 100644 --- a/detections/application/pingid_new_mfa_method_after_credential_reset.yml +++ b/detections/application/pingid_new_mfa_method_after_credential_reset.yml @@ -75,7 +75,6 @@ tags: - actors{}.name - result.message - resources{}.devicemodel - risk_score: 50 security_domain: access tests: - name: True Positive Test diff --git a/detections/application/pingid_new_mfa_method_registered_for_user.yml b/detections/application/pingid_new_mfa_method_registered_for_user.yml index a298ba2b1a..318d798159 100644 --- a/detections/application/pingid_new_mfa_method_registered_for_user.yml +++ b/detections/application/pingid_new_mfa_method_registered_for_user.yml @@ -71,7 +71,6 @@ tags: - result.message - resources{}.devicemodel - result.status - risk_score: 10 security_domain: access tests: - name: True Positive Test 
@@ -80,4 +79,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log source: PINGID sourcetype: _json - update_timestamp: true diff --git a/detections/application/suspicious_email_attachment_extensions.yml b/detections/application/suspicious_email_attachment_extensions.yml index 964deb407c..c61c8454ec 100644 --- a/detections/application/suspicious_email_attachment_extensions.yml +++ b/detections/application/suspicious_email_attachment_extensions.yml @@ -58,5 +58,4 @@ tags: - All_Email.file_name - All_Email.src_user - All_Email.message_id - risk_score: 25 security_domain: network diff --git a/detections/application/suspicious_java_classes.yml b/detections/application/suspicious_java_classes.yml index 8244305477..d0ec442488 100644 --- a/detections/application/suspicious_java_classes.yml +++ b/detections/application/suspicious_java_classes.yml @@ -55,5 +55,4 @@ tags: - http_user_agent - src - dest - risk_score: 25 security_domain: threat diff --git a/detections/application/web_servers_executing_suspicious_processes.yml b/detections/application/web_servers_executing_suspicious_processes.yml index 86b21aef43..293147c0aa 100644 --- a/detections/application/web_servers_executing_suspicious_processes.yml +++ b/detections/application/web_servers_executing_suspicious_processes.yml @@ -56,5 +56,4 @@ tags: - Processes.process_name - Processes.dest - Processes.user - risk_score: 25 security_domain: endpoint diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml index d01cf4389e..41658a907a 100644 --- a/detections/application/windows_ad_add_self_to_group.yml +++ b/detections/application/windows_ad_add_self_to_group.yml @@ -37,7 +37,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 required_fields: - EventCode - user 
@@ -50,5 +49,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog - update_timestamp: true \ No newline at end of file + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/application/windows_ad_dangerous_deny_acl_modification.yml b/detections/application/windows_ad_dangerous_deny_acl_modification.yml index b7f6bee2cc..6a3fe6582f 100644 --- a/detections/application/windows_ad_dangerous_deny_acl_modification.yml +++ b/detections/application/windows_ad_dangerous_deny_acl_modification.yml @@ -63,7 +63,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType diff --git a/detections/application/windows_ad_dangerous_group_acl_modification.yml b/detections/application/windows_ad_dangerous_group_acl_modification.yml index ae125e8c7d..aa248e0a6f 100644 --- a/detections/application/windows_ad_dangerous_group_acl_modification.yml +++ b/detections/application/windows_ad_dangerous_group_acl_modification.yml @@ -67,7 +67,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType diff --git a/detections/application/windows_ad_dangerous_user_acl_modification.yml b/detections/application/windows_ad_dangerous_user_acl_modification.yml index 8cfdbceb4c..f0436e385e 100644 --- a/detections/application/windows_ad_dangerous_user_acl_modification.yml +++ b/detections/application/windows_ad_dangerous_user_acl_modification.yml @@ -67,7 +67,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType 
diff --git a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml index 07654823a8..af9845bb0f 100644 --- a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml +++ b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml @@ -64,7 +64,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType diff --git a/detections/application/windows_ad_domain_root_acl_deletion.yml b/detections/application/windows_ad_domain_root_acl_deletion.yml index 3d117d3d82..b3b96164cd 100644 --- a/detections/application/windows_ad_domain_root_acl_deletion.yml +++ b/detections/application/windows_ad_domain_root_acl_deletion.yml @@ -63,7 +63,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType diff --git a/detections/application/windows_ad_domain_root_acl_modification.yml b/detections/application/windows_ad_domain_root_acl_modification.yml index b6e2a09041..c5c2f12d7f 100644 --- a/detections/application/windows_ad_domain_root_acl_modification.yml +++ b/detections/application/windows_ad_domain_root_acl_modification.yml @@ -63,7 +63,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType diff --git a/detections/application/windows_ad_gpo_deleted.yml b/detections/application/windows_ad_gpo_deleted.yml index 7caec33736..ff3095af20 100644 --- a/detections/application/windows_ad_gpo_deleted.yml +++ b/detections/application/windows_ad_gpo_deleted.yml @@ -43,7 +43,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - OperationType diff --git a/detections/application/windows_ad_gpo_disabled.yml b/detections/application/windows_ad_gpo_disabled.yml index d7b122d2bd..f2043b249b 100644 
--- a/detections/application/windows_ad_gpo_disabled.yml +++ b/detections/application/windows_ad_gpo_disabled.yml @@ -38,7 +38,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - OperationType diff --git a/detections/application/windows_ad_gpo_new_cse_addition.yml b/detections/application/windows_ad_gpo_new_cse_addition.yml index 7404ec85a7..b84decafc7 100644 --- a/detections/application/windows_ad_gpo_new_cse_addition.yml +++ b/detections/application/windows_ad_gpo_new_cse_addition.yml @@ -50,7 +50,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType diff --git a/detections/application/windows_ad_hidden_ou_creation.yml b/detections/application/windows_ad_hidden_ou_creation.yml index edc4f97dc3..c9baf63cc6 100644 --- a/detections/application/windows_ad_hidden_ou_creation.yml +++ b/detections/application/windows_ad_hidden_ou_creation.yml @@ -62,7 +62,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType diff --git a/detections/application/windows_ad_object_owner_updated.yml b/detections/application/windows_ad_object_owner_updated.yml index 3aca7ad031..09fbc7a42a 100644 --- a/detections/application/windows_ad_object_owner_updated.yml +++ b/detections/application/windows_ad_object_owner_updated.yml @@ -57,7 +57,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType diff --git a/detections/application/windows_ad_privileged_group_modification.yml b/detections/application/windows_ad_privileged_group_modification.yml index 82aaff088d..9c6de39b08 100644 --- a/detections/application/windows_ad_privileged_group_modification.yml +++ b/detections/application/windows_ad_privileged_group_modification.yml 
@@ -36,7 +36,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 required_fields: - EventCode - user
diff --git a/detections/application/windows_ad_self_dacl_assignment.yml b/detections/application/windows_ad_self_dacl_assignment.yml
index 25e3e509fa..ebd8c23a18 100644
--- a/detections/application/windows_ad_self_dacl_assignment.yml
+++ b/detections/application/windows_ad_self_dacl_assignment.yml
@@ -58,7 +58,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 80 required_fields: - _time - OperationType
diff --git a/detections/application/windows_ad_suspicious_attribute_modification.yml b/detections/application/windows_ad_suspicious_attribute_modification.yml
index f006dae853..9e538a5b50 100644
--- a/detections/application/windows_ad_suspicious_attribute_modification.yml
+++ b/detections/application/windows_ad_suspicious_attribute_modification.yml
@@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType
diff --git a/detections/application/windows_ad_suspicious_gpo_modification.yml b/detections/application/windows_ad_suspicious_gpo_modification.yml
index 7abeb092eb..42c54bb574 100644
--- a/detections/application/windows_ad_suspicious_gpo_modification.yml
+++ b/detections/application/windows_ad_suspicious_gpo_modification.yml
@@ -68,7 +68,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 80 required_fields: - _time - OperationType
diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml
index e3099cbb2a..8d6f826ed0 100644
--- a/detections/application/windows_increase_in_group_or_object_modification_activity.yml
+++ b/detections/application/windows_increase_in_group_or_object_modification_activity.yml
@@ -43,7 +43,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 required_fields: - EventCode - src_user
diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml
index 2f6baf93a7..d188ec5e6a 100644
--- a/detections/application/windows_increase_in_user_modification_activity.yml
+++ b/detections/application/windows_increase_in_user_modification_activity.yml
@@ -44,7 +44,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 required_fields: - EventCode - src_user
diff --git a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
index 93ac6661bd..09ec44065b 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
@@ -57,7 +57,6 @@ tags: - All_Changes.command - All_Changes.user - All_Changes.status - risk_score: 15 security_domain: network tests: - name: True Positive Test
@@ -66,4 +65,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
index a7e7e2e048..1503f40ca1 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
@@ -65,5 +65,4 @@ tags: - All_Changes.status - All_Changes.object_category - All_Changes.user - risk_score: 25 security_domain: cloud
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
index 5dde904f38..b4efaee13e 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
@@ -61,5 +61,4 @@ tags: - All_Changes.status - All_Changes.object_category - All_Changes.user - risk_score: 25 security_domain: cloud
diff --git a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
index 50908a289d..9fa0e08b33 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
@@ -58,7 +58,6 @@ tags: - All_Changes.object_category - All_Changes.status - All_Changes.user - risk_score: 15 security_domain: network tests: - name: True Positive Test
@@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml b/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml
index f9ea6826ae..2900497568 100644
--- a/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml
+++ b/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml
@@ -55,5 +55,4 @@ tags: - requestURI - src_ip - user.groups{} - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml b/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml
index fade7ab0fe..b5bce47615 100644
--- a/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml
+++ b/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml
@@ -52,5 +52,4 @@ tags: - userAgent - src_ip - user.groups{} - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
index 2edc3ae569..8eec72b3bf 100644
--- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
@@ -67,7 +67,6 @@ tags: - src_endpoint.ip - src_endpoint.domain - cloud.region - risk_score: 42 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
index 4b958baf05..41551ee4f0 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
@@ -60,7 +60,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
index c9b279013a..fdef1fa90f 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
@@ -61,7 +61,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
index 5dd6005f28..ccf02cba52 100644
--- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
+++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
@@ -65,7 +65,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 42 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
index 387645fba2..c1b9563204 100644
--- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -58,7 +58,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
index ec7ec60f93..dd3d3d2de3 100644
--- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
@@ -57,7 +57,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
index 731dd5a167..6379d744df 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
@@ -55,7 +55,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
index a9eba13166..6e1f57eb40 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
@@ -55,7 +55,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml
index 102a00c7cf..b13602482d 100644
--- a/detections/cloud/asl_aws_iam_delete_policy.yml
+++ b/detections/cloud/asl_aws_iam_delete_policy.yml
@@ -62,7 +62,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 10 security_domain: access tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index e3395a75e4..9f650e84cd 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -59,7 +59,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 5 security_domain: cloud tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
index cb8780a39b..92d21ca2d3 100644
--- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
@@ -57,7 +57,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 5 security_domain: cloud tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
index eb58b23a3a..c6aa70c42e 100644
--- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
@@ -65,7 +65,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 64 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
index 526f66fd1c..65668d9b03 100644
--- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
@@ -64,7 +64,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 64 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
index 6737f239da..a61777aeda 100644
--- a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
+++ b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
@@ -68,7 +68,6 @@ tags: - vendor_region - user_agent - userIdentity.principalId - risk_score: 80 security_domain: threat tests: - name: True Positive Test
@@ -77,4 +76,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
index 7ba859e18e..1f638b9f22 100644
--- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
@@ -60,7 +60,6 @@ tags: - user_arn - aws_account_id - src_ip - risk_score: 42 security_domain: threat tests: - name: True Positive Test
@@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
index 49099d57ac..b31d1ffa8d 100644
--- a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
+++ b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
@@ -65,7 +65,6 @@ tags: - awsRegion - user_name - userIdentity.arn - risk_score: 64 security_domain: threat tests: - name: True Positive Test
@@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
index e769fabfc5..40d1c99286 100644
--- a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
+++ b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
@@ -61,7 +61,6 @@ tags: - aws_account_id - awsRegion - eventID - risk_score: 49 security_domain: network tests: - name: True Positive Test
@@ -70,4 +69,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_createaccesskey.yml b/detections/cloud/aws_createaccesskey.yml
index f9bc4065ea..d9b671ddae 100644
--- a/detections/cloud/aws_createaccesskey.yml
+++ b/detections/cloud/aws_createaccesskey.yml
@@ -57,7 +57,6 @@ tags: - userAgent - errorCode - requestParameters.userName - risk_score: 63 security_domain: network tests: - name: True Positive Test
@@ -66,4 +65,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_createloginprofile.yml b/detections/cloud/aws_createloginprofile.yml
index d63313a420..19b0e3fb92 100644
--- a/detections/cloud/aws_createloginprofile.yml
+++ b/detections/cloud/aws_createloginprofile.yml
@@ -59,7 +59,6 @@ tags: - userAgent - errorCode - requestParameters.userName - risk_score: 72 security_domain: network tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_credential_access_failed_login.yml b/detections/cloud/aws_credential_access_failed_login.yml
index 502061bce0..61164cc426 100644
--- a/detections/cloud/aws_credential_access_failed_login.yml
+++ b/detections/cloud/aws_credential_access_failed_login.yml
@@ -60,7 +60,6 @@ tags: - dest - user - user_id - risk_score: 49 security_domain: threat tests: - name: True Positive Test
@@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_credential_access_getpassworddata.yml b/detections/cloud/aws_credential_access_getpassworddata.yml
index 2e0929ead7..2b1f50c62d 100644
--- a/detections/cloud/aws_credential_access_getpassworddata.yml
+++ b/detections/cloud/aws_credential_access_getpassworddata.yml
@@ -63,7 +63,6 @@ tags: - userIdentity.accountId - sourceIPAddress - awsRegion - risk_score: 49 security_domain: threat tests: - name: True Positive Test
@@ -72,4 +71,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/aws_getpassworddata/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_credential_access_rds_password_reset.yml b/detections/cloud/aws_credential_access_rds_password_reset.yml
index 542a8622a7..1cb6100db9 100644
--- a/detections/cloud/aws_credential_access_rds_password_reset.yml
+++ b/detections/cloud/aws_credential_access_rds_password_reset.yml
@@ -56,7 +56,6 @@ tags: - userAgent - sourceIPAddress - awsRegion - risk_score: 49 security_domain: threat tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
index 9e71e4ecdd..e7097afb5f 100644
--- a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
+++ b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
@@ -64,7 +64,6 @@ tags: - Authentication.user - Authentication.user_role - Authentication.src - risk_score: 15 security_domain: network tests: - name: True Positive Test
@@ -73,4 +72,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
index e06a095bef..3305f00009 100644
--- a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
@@ -59,7 +59,6 @@ tags: - aws_account_id - src - region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
index 3867484e20..c0cb25f209 100644
--- a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
+++ b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
@@ -59,7 +59,6 @@ tags: - aws_account_id - src - region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_defense_evasion_impair_security_services.yml b/detections/cloud/aws_defense_evasion_impair_security_services.yml
index df7ea110b8..46c32bb7d7 100644
--- a/detections/cloud/aws_defense_evasion_impair_security_services.yml
+++ b/detections/cloud/aws_defense_evasion_impair_security_services.yml
@@ -70,7 +70,6 @@ tags: - src - region - errorCode - risk_score: 42 security_domain: threat tests: - name: True Positive Test
@@ -79,4 +78,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml
index acb04a8e34..531b1774a4 100644
--- a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml
+++ b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml
@@ -63,7 +63,6 @@ tags: - region - requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days - requestParameters{}.bucketName - risk_score: 20 security_domain: threat tests: - name: True Positive Test
@@ -72,4 +71,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
index 67ff658ff1..bcda86866c 100644
--- a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -59,7 +59,6 @@ tags: - aws_account_id - src - region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
index 98568672ed..560d2c6156 100644
--- a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
@@ -59,7 +59,6 @@ tags: - aws_account_id - src - region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_detect_attach_to_role_policy.yml b/detections/cloud/aws_detect_attach_to_role_policy.yml
index 4d13f690fb..a96a84b413 100644
--- a/detections/cloud/aws_detect_attach_to_role_policy.yml
+++ b/detections/cloud/aws_detect_attach_to_role_policy.yml
@@ -45,5 +45,4 @@ tags: required_fields: - _time - requestParameters.policyArn - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/aws_detect_permanent_key_creation.yml b/detections/cloud/aws_detect_permanent_key_creation.yml
index 005a731001..0c2c051aac 100644
--- a/detections/cloud/aws_detect_permanent_key_creation.yml
+++ b/detections/cloud/aws_detect_permanent_key_creation.yml
@@ -51,5 +51,4 @@ tags: - responseElements.accessKey.createDate - esponseElements.accessKey.status - responseElements.accessKey.accessKeyId - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/aws_detect_role_creation.yml b/detections/cloud/aws_detect_role_creation.yml
index 7e70f272a7..d6d1279b3e 100644
--- a/detections/cloud/aws_detect_role_creation.yml
+++ b/detections/cloud/aws_detect_role_creation.yml
@@ -60,5 +60,4 @@ tags: - requestParameters.description - responseElements.role.arn - responseElements.role.createDate - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/aws_detect_sts_assume_role_abuse.yml b/detections/cloud/aws_detect_sts_assume_role_abuse.yml
index 6403001fd3..1a1985d747 100644
--- a/detections/cloud/aws_detect_sts_assume_role_abuse.yml
+++ b/detections/cloud/aws_detect_sts_assume_role_abuse.yml
@@ -55,5 +55,4 @@ tags: - requestParameters.roleName - esponseElements.role.roleName - esponseElements.role.createDate - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/aws_detect_sts_get_session_token_abuse.yml b/detections/cloud/aws_detect_sts_get_session_token_abuse.yml
index 397db53297..f7df6ebd57 100644
--- a/detections/cloud/aws_detect_sts_get_session_token_abuse.yml
+++ b/detections/cloud/aws_detect_sts_get_session_token_abuse.yml
@@ -53,5 +53,4 @@ tags: - user_type - status - region - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index ffdd1b1caa..e40131925b 100644
--- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -59,7 +59,6 @@ tags: - awsRegion - requestParameters.policy - userIdentity.principalId - risk_score: 25 security_domain: threat tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
index 75dbada08b..5460320eeb 100644
--- a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
+++ b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
@@ -56,7 +56,6 @@ tags: - requestParameters.key - userAgent - region - risk_score: 15 security_domain: threat tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/s3_file_encryption/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_disable_bucket_versioning.yml b/detections/cloud/aws_disable_bucket_versioning.yml
index a130e3a2ab..9d52285cc2 100644
--- a/detections/cloud/aws_disable_bucket_versioning.yml
+++ b/detections/cloud/aws_disable_bucket_versioning.yml
@@ -64,7 +64,6 @@ tags: - sourceLocationArn - userAgent - userIdentity.principalId - risk_score: 64 security_domain: threat tests: - name: True Positive Test
@@ -73,4 +72,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_ec2_snapshot_shared_externally.yml b/detections/cloud/aws_ec2_snapshot_shared_externally.yml
index e87c9dcd55..228f6ed9a7 100644
--- a/detections/cloud/aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/aws_ec2_snapshot_shared_externally.yml
@@ -66,7 +66,6 @@ tags: - vendor_region - user_agent - userIdentity.principalId - risk_score: 48 security_domain: threat tests: - name: True Positive Test
@@ -75,4 +74,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_high.yml b/detections/cloud/aws_ecr_container_scanning_findings_high.yml
index 3b0b605b0b..927f89e412 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_high.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_high.yml
@@ -64,7 +64,6 @@ tags: - user - userName - src_ip - risk_score: 70 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
index 2a14d2d741..47bc8e570e 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
@@ -63,7 +63,6 @@ tags: - user - userName - src_ip - risk_score: 5 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
index ea803e9fe5..5a46746f89 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
@@ -62,7 +62,6 @@ tags: - user - userName - src_ip - risk_score: 21 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
index a716f748f7..e3406ce5d1 100644
--- a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
@@ -60,7 +60,6 @@ tags: - user - userName - src_ip - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/aws_ecr_container_upload_unknown_user.yml b/detections/cloud/aws_ecr_container_upload_unknown_user.yml
index 3f9a5c86ae..14373cfa95 100644
--- a/detections/cloud/aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/aws_ecr_container_upload_unknown_user.yml
@@ -58,7 +58,6 @@ tags: - user - userName - src_ip - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/aws_excessive_security_scanning.yml b/detections/cloud/aws_excessive_security_scanning.yml
index 7484b37d82..5597dbd8ba 100644
--- a/detections/cloud/aws_excessive_security_scanning.yml
+++ b/detections/cloud/aws_excessive_security_scanning.yml
@@ -54,7 +54,6 @@ tags: - userAgent - user - userIdentity.arn - risk_score: 18 security_domain: network tests: - name: True Positive Test
@@ -63,4 +62,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
index 3124872c30..d10f69884b 100644
--- a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
+++ b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
@@ -61,7 +61,6 @@ tags: - aws_account_id - userAgent - userIdentity.principalId - risk_score: 64 security_domain: threat tests: - name: True Positive Test
@@ -70,4 +69,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_exfiltration_via_batch_service.yml b/detections/cloud/aws_exfiltration_via_batch_service.yml
index 5bbdcec9a0..d3b35c9da1 100644
--- a/detections/cloud/aws_exfiltration_via_batch_service.yml
+++ b/detections/cloud/aws_exfiltration_via_batch_service.yml
@@ -56,7 +56,6 @@ tags: - src_ip - aws_account_id - userAgent - risk_score: 64 security_domain: threat tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_exfiltration_via_bucket_replication.yml b/detections/cloud/aws_exfiltration_via_bucket_replication.yml
index aa548db71f..cc2de2adca 100644
--- a/detections/cloud/aws_exfiltration_via_bucket_replication.yml
+++ b/detections/cloud/aws_exfiltration_via_bucket_replication.yml
@@ -63,7 +63,6 @@ tags:
 - vendor_region
 - user_agent
 - userIdentity.principalId
- risk_score: 64
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -72,4 +71,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_exfiltration_via_datasync_task.yml b/detections/cloud/aws_exfiltration_via_datasync_task.yml
index 1de0cebcc1..5d6dfa47e6 100644
--- a/detections/cloud/aws_exfiltration_via_datasync_task.yml
+++ b/detections/cloud/aws_exfiltration_via_datasync_task.yml
@@ -65,7 +65,6 @@ tags:
 - sourceLocationArn
 - userAgent
 - userIdentity.principalId
- risk_score: 64
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -74,4 +73,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
index 376e9183dd..219dfc8c3f 100644
--- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
+++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
@@ -75,7 +75,6 @@ tags:
 - user_agent
 - userIdentity.principalId
 - requestParameters.createVolumePermission.add.items{}.userId
- risk_score: 64
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -84,4 +83,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
index 5069058793..c6e172f3e2 100644
--- a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
@@ -54,7 +54,6 @@ tags:
 - user_arn
 - aws_account_id
 - src_ip
- risk_score: 35
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -63,4 +62,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/cloudtrail.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
index 91eb702c21..5144655778 100644
--- a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
@@ -55,7 +55,6 @@ tags:
 - action
 - eventName
 - src_ip
- risk_score: 54
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -64,4 +63,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
index 774352e523..fd4b523a09 100644
--- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
@@ -56,7 +56,6 @@ tags:
 - userAgent
 - errorCode
 - userIdentity.type
- risk_score: 10
 security_domain: access
 tests:
 - name: True Positive Test
@@ -65,4 +64,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
index 63ae1f0062..f1ca3ce424 100644
--- a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
@@ -61,7 +61,6 @@ tags:
 - userAgent
 - errorCode
 - requestParameters.policyName
- risk_score: 28
 security_domain: access
 tests:
 - name: True Positive Test
@@ -70,4 +69,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/aws_iam_assume_role_policy_brute_force.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_iam_delete_policy.yml b/detections/cloud/aws_iam_delete_policy.yml
index c65260764b..84741dd149 100644
--- a/detections/cloud/aws_iam_delete_policy.yml
+++ b/detections/cloud/aws_iam_delete_policy.yml
@@ -59,7 +59,6 @@ tags:
 - userAgent
 - errorCode
 - requestParameters.policyArn
- risk_score: 10
 security_domain: access
 tests:
 - name: True Positive Test
@@ -68,4 +67,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml
index 1897919347..27bca23a6c 100644
--- a/detections/cloud/aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/aws_iam_failure_group_deletion.yml
@@ -59,7 +59,6 @@ tags:
 - userAgent
 - errorCode
 - requestParameters.groupName
- risk_score: 5
 security_domain: cloud
 tests:
 - name: True Positive Test
@@ -68,4 +67,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_iam_successful_group_deletion.yml b/detections/cloud/aws_iam_successful_group_deletion.yml
index 4f2f102188..fb9f836dab 100644
--- a/detections/cloud/aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/aws_iam_successful_group_deletion.yml
@@ -64,7 +64,6 @@ tags:
 - userAgent
 - errorCode
 - requestParameters.groupName
- risk_score: 5
 security_domain: cloud
 tests:
 - name: True Positive Test
@@ -73,4 +72,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_lambda_updatefunctioncode.yml b/detections/cloud/aws_lambda_updatefunctioncode.yml
index 978dc2da1c..b782c29880 100644
--- a/detections/cloud/aws_lambda_updatefunctioncode.yml
+++ b/detections/cloud/aws_lambda_updatefunctioncode.yml
@@ -53,7 +53,6 @@ tags:
 - eventName
 - userAgent
 - errorCode
- risk_score: 63
 security_domain: cloud
 tests:
 - name: True Positive Test
@@ -62,4 +61,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_multi_factor_authentication_disabled.yml b/detections/cloud/aws_multi_factor_authentication_disabled.yml
index ca298fb049..8845dbcedb 100644
--- a/detections/cloud/aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/aws_multi_factor_authentication_disabled.yml
@@ -69,7 +69,6 @@ tags:
 - awsRegion
 - user_name
 - userIdentity.arn
- risk_score: 64
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -78,4 +77,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/cloudtrail.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
index 9252883794..0b043dea5c 100644
--- a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
@@ -62,7 +62,6 @@ tags:
 - awsRegion
 - user_name
 - userIdentity.arn
- risk_score: 64
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -71,4 +70,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
index 4073132f6f..5d0289df26 100644
--- a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
@@ -59,7 +59,6 @@ tags:
 - action
 - eventName
 - src_ip
- risk_score: 54
 security_domain: threat
 manual_test: This search needs a specific number of events in a time window for the alert to trigger and events split up in CI testing while updating timestamp.
diff --git a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
index 9ff1aab050..9d34389a75 100644
--- a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
+++ b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
@@ -69,7 +69,6 @@ tags:
 - userName
 - userIdentity.principalId
 - userAgent
- risk_score: 48
 security_domain: network
 tests:
 - name: True Positive Test
@@ -78,4 +77,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_network_access_control_list_deleted.yml b/detections/cloud/aws_network_access_control_list_deleted.yml
index f0c511b5a3..2f022a8fe8 100644
--- a/detections/cloud/aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/aws_network_access_control_list_deleted.yml
@@ -56,7 +56,6 @@ tags:
 - userIdentity.principalId
 - src
 - userAgent
- risk_score: 5
 security_domain: network
 tests:
 - name: True Positive Test
@@ -65,4 +64,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
index 2abb607440..c5b037ffdd 100644
--- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
@@ -63,7 +63,6 @@ tags:
 - user_name
 - userIdentity.arn
 - _time
- risk_score: 64
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -72,4 +71,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/cloudtrail.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_password_policy_changes.yml b/detections/cloud/aws_password_policy_changes.yml
index 913ce9b858..68579b64ba 100644
--- a/detections/cloud/aws_password_policy_changes.yml
+++ b/detections/cloud/aws_password_policy_changes.yml
@@ -63,7 +63,6 @@ tags:
 - user_arn
 - aws_account_id
 - src_ip
- risk_score: 72
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -72,4 +71,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/cloudtrail.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
index 9c7d68f30e..3e5782d377 100644
--- a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
+++ b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
@@ -61,7 +61,6 @@ tags:
 - All_Risk.annotations.mitre_attack.mitre_tactic
 - All_Risk.calculated_risk_score
 - source
- risk_score: 81
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -70,4 +69,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log
 sourcetype: stash
 source: aws_exfil
- update_timestamp: true
diff --git a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
index 949c17ac09..01dedc6789 100644
--- a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
+++ b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
@@ -66,7 +66,6 @@ tags:
 - responseElements.issuer
 - sourceIPAddress
 - userAgent
- risk_score: 64
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -75,4 +74,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml
index 6fd98c9bb6..33de80e1b6 100644
--- a/detections/cloud/aws_saml_update_identity_provider.yml
+++ b/detections/cloud/aws_saml_update_identity_provider.yml
@@ -61,7 +61,6 @@ tags:
 - sourceIPAddress
 - userIdentity.accessKeyId
 - userIdentity.principalId
- risk_score: 64
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -70,4 +69,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_setdefaultpolicyversion.yml b/detections/cloud/aws_setdefaultpolicyversion.yml
index fd4ef5cde3..d8d101bbd1 100644
--- a/detections/cloud/aws_setdefaultpolicyversion.yml
+++ b/detections/cloud/aws_setdefaultpolicyversion.yml
@@ -59,7 +59,6 @@ tags:
 - errorCode
 - requestParameters.userName
 - eventSource
- risk_score: 30
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -68,4 +67,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
index 7e324252e3..4a26ea582e 100644
--- a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
+++ b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
@@ -55,7 +55,6 @@ tags:
 - userAgent
 - src_ip
 - user_arn
- risk_score: 72
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -64,4 +63,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/cloudtrail.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_successful_single_factor_authentication.yml b/detections/cloud/aws_successful_single_factor_authentication.yml
index 762f71e260..c0e6a2ec1b 100644
--- a/detections/cloud/aws_successful_single_factor_authentication.yml
+++ b/detections/cloud/aws_successful_single_factor_authentication.yml
@@ -65,7 +65,6 @@ tags:
 - awsRegion
 - user_name
 - userIdentity.arn
- risk_score: 64
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -74,4 +73,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/aws_login_sfa/cloudtrail.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
index f7fb8db8f0..99a6d33862 100644
--- a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
@@ -61,7 +61,6 @@ tags:
 - action
 - eventName
 - src_ip
- risk_score: 54
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -70,4 +69,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_updateloginprofile.yml b/detections/cloud/aws_updateloginprofile.yml
index 1ff20b3915..ed5d453f81 100644
--- a/detections/cloud/aws_updateloginprofile.yml
+++ b/detections/cloud/aws_updateloginprofile.yml
@@ -59,7 +59,6 @@ tags:
 - userAgent
 - errorCode
 - requestParameters.userName
- risk_score: 30
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -68,4 +67,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml
index 7f07462ef4..7dd09b3ece 100644
--- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml
+++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml
@@ -64,7 +64,6 @@ tags:
 - properties.activity
 - properties.riskEventType
 - properties.additionalInfo
- risk_score: 54
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -73,4 +72,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
index 9080e4aaef..8f39a0a0da 100644
--- a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
+++ b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
@@ -65,7 +65,6 @@ tags:
 - operationName
 - targetResources{}.modifiedProperties{}.newValue
 - targetResources{}.id
- risk_score: 54
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -74,4 +73,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
index f527f11123..059b4988bc 100644
--- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
@@ -64,7 +64,6 @@ tags:
 - properties.targetResources{}.type
 - properties.initiatedBy.user.userPrincipalName
 - properties.result
- risk_score: 35
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -73,4 +72,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
index 86627df216..56e8e559a4 100644
--- a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
+++ b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
@@ -64,7 +64,6 @@ tags:
 - properties.status.additionalDetails
 - properties.appDisplayName
 - properties.userAgent
- risk_score: 54
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -73,4 +72,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azuread/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml
index 75171daea3..82e75d5f1a 100644
--- a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml
+++ b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml
@@ -58,7 +58,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 30
 required_fields:
 - _time
 - operationName
diff --git a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
index 2c5ac52377..2bf54f3fd2 100644
--- a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
@@ -64,7 +64,6 @@ tags:
 - properties.authenticationDetails
 - user
 - src_ip
- risk_score: 42
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -73,4 +72,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_device_code_authentication.yml b/detections/cloud/azure_ad_device_code_authentication.yml
index 9bf37ac615..042b5a76fc 100644
--- a/detections/cloud/azure_ad_device_code_authentication.yml
+++ b/detections/cloud/azure_ad_device_code_authentication.yml
@@ -57,7 +57,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 35
 required_fields:
 - _time
 - category
diff --git a/detections/cloud/azure_ad_external_guest_user_invited.yml b/detections/cloud/azure_ad_external_guest_user_invited.yml
index ccd54623f8..8753183675 100644
--- a/detections/cloud/azure_ad_external_guest_user_invited.yml
+++ b/detections/cloud/azure_ad_external_guest_user_invited.yml
@@ -58,7 +58,6 @@ tags:
 - properties.targetResources{}.type
 - properties.initiatedBy.user.userPrincipalName
 - properties.result
- risk_score: 45
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -67,4 +66,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml
index 74b8cac346..ac5bd5e880 100644
--- a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml
+++ b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml
@@ -59,7 +59,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 48
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -68,4 +67,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
index b4acf713d2..0087a419ec 100644
--- a/detections/cloud/azure_ad_global_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
@@ -63,7 +63,6 @@ tags:
 - properties.targetResources{}.type
 - properties.initiatedBy.user.userPrincipalName
 - properties.result
- risk_score: 72
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -72,4 +71,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
index 98b05d1f52..877844db3f 100644
--- a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
@@ -58,7 +58,6 @@ tags:
 - properties.authenticationDetails
 - user
 - properties.ipAddress
- risk_score: 35
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -67,4 +66,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
index b30ace6fc6..a7eb3eeea5 100644
--- a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
@@ -65,7 +65,6 @@ tags:
 - properties.authenticationDetails
 - user
 - src_ip
- risk_score: 35
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -74,4 +73,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
index d02e86cbd9..55ae31e93c 100644
--- a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
@@ -62,7 +62,6 @@ tags:
 - properties.targetResources{}.type
 - properties.initiatedBy.user.userPrincipalName
 - properties.result
- risk_score: 45
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -71,4 +70,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/azuread/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
index e96759611d..2cba7733d1 100644
--- a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
+++ b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
@@ -70,7 +70,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 42
 required_fields:
 - _time
 - category
diff --git a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
index 4c973afffd..9908e8cc25 100644
--- a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
+++ b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
@@ -56,7 +56,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 48
 required_fields:
 - _time
 - category
diff --git a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
index 6889ecefd9..df92b2a1ab 100644
--- a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
+++ b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
@@ -54,7 +54,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 54
 required_fields:
 - _time
 - category
diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
index e56b196c40..ca0abf45a0 100644
--- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
@@ -66,7 +66,6 @@ tags:
 - user
 - user_agent
 - operationName
- risk_score: 54
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -75,4 +74,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
index 407709ae8c..2c77987d52 100644
--- a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
+++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
@@ -53,7 +53,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 42
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -62,5 +61,4 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
index bb71615da5..98570ba0e2 100644
--- a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
+++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
@@ -56,7 +56,6 @@ tags:
- properties.initiatedBy.user.id
- targetResources{}.displayName
- src_user
- risk_score: 42
security_domain: identity
tests:
- name: True Positive Test
@@ -65,5 +64,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
index 3b4582fc2e..4afb700009 100644
--- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
@@ -65,7 +65,6 @@ tags:
- properties.authenticationDetails
- user
- user_agent
- risk_score: 63
security_domain: identity
tests:
- name: True Positive Test
@@ -74,4 +73,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_new_custom_domain_added.yml b/detections/cloud/azure_ad_new_custom_domain_added.yml
index 9699b2bed5..aebb58f86c 100644
--- a/detections/cloud/azure_ad_new_custom_domain_added.yml
+++ b/detections/cloud/azure_ad_new_custom_domain_added.yml
@@ -60,7 +60,6 @@ tags:
- src_ip
- properties.targetResources{}.displayName
- user
- risk_score: 54
security_domain: threat
tests:
- name: True Positive Test
@@ -69,4 +68,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_new_federated_domain_added.yml b/detections/cloud/azure_ad_new_federated_domain_added.yml
index a0b3cad525..78c64b864e 100644
--- a/detections/cloud/azure_ad_new_federated_domain_added.yml
+++ b/detections/cloud/azure_ad_new_federated_domain_added.yml
@@ -58,7 +58,6 @@ tags:
- src_ip
- properties.targetResources{}.displayName
- user
- risk_score: 81
security_domain: threat
tests:
- name: True Positive Test
@@ -67,4 +66,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_new_mfa_method_registered.yml b/detections/cloud/azure_ad_new_mfa_method_registered.yml
index 601fed445a..90e70aad4a 100644
--- a/detections/cloud/azure_ad_new_mfa_method_registered.yml
+++ b/detections/cloud/azure_ad_new_mfa_method_registered.yml
@@ -61,7 +61,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 30
required_fields:
- _time
- operationName
diff --git a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
index e0e0bd3bc5..9c92bb87ea 100644
--- a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
@@ -64,7 +64,6 @@ tags:
- resultDescription
- result
- src_ip
- risk_score: 64
security_domain: identity
tests:
- name: True Positive Test
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml
index 3e4b3baed2..9203a06f43 100644
--- a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml
+++ b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml
@@ -61,7 +61,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 36
required_fields:
- _time
- operationName
diff --git a/detections/cloud/azure_ad_pim_role_assigned.yml b/detections/cloud/azure_ad_pim_role_assigned.yml
index 6d4ea20cdb..d78188c720 100644
--- a/detections/cloud/azure_ad_pim_role_assigned.yml
+++ b/detections/cloud/azure_ad_pim_role_assigned.yml
@@ -50,7 +50,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 35
required_fields:
- _time
- properties
diff --git a/detections/cloud/azure_ad_pim_role_assignment_activated.yml b/detections/cloud/azure_ad_pim_role_assignment_activated.yml
index e87d24a8b2..4411920a46 100644
--- a/detections/cloud/azure_ad_pim_role_assignment_activated.yml
+++ b/detections/cloud/azure_ad_pim_role_assignment_activated.yml
@@ -58,7 +58,6 @@ tags:
- user
- initiatedBy.user.userPrincipalName
- result
- risk_score: 35
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
index f0c6deb71a..0b2b00423e 100644
--- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
@@ -60,7 +60,6 @@ tags:
- properties.targetResources{}.type
- properties.initiatedBy.user.userPrincipalName
- properties.result
- risk_score: 50
security_domain: identity
tests:
- name: True Positive Test
@@ -69,4 +68,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml
index 36832caf61..754ad5e279 100644
--- a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml
@@ -58,7 +58,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 54
required_fields:
- _time
- category
@@ -75,4 +74,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml
index 841b4c60f5..66c7bc0675 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned.yml
@@ -68,7 +68,6 @@ tags:
- properties.targetResources{}.type
- properties.initiatedBy.user.userPrincipalName
- properties.result
- risk_score: 63
security_domain: audit
tests:
- name: True Positive Test
@@ -77,4 +76,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
index 3022a4b9fd..11462a4cb3 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
@@ -59,7 +59,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 35
required_fields:
- _time
- properties.targetResources{}.type
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_service_principal_authentication.yml b/detections/cloud/azure_ad_service_principal_authentication.yml
index e357d5d3cb..19a93a6747 100644
--- a/detections/cloud/azure_ad_service_principal_authentication.yml
+++ b/detections/cloud/azure_ad_service_principal_authentication.yml
@@ -64,7 +64,6 @@ tags:
- user
- src_ip
- user_id
- risk_score: 25
security_domain: identity
tests:
- name: True Positive Test
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_service_principal_created.yml b/detections/cloud/azure_ad_service_principal_created.yml
index 174a84df04..b2a819b2b5 100644
--- a/detections/cloud/azure_ad_service_principal_created.yml
+++ b/detections/cloud/azure_ad_service_principal_created.yml
@@ -58,7 +58,6 @@ tags:
- properties.targetResources{}.type
- user
- properties.result
- risk_score: 45
security_domain: threat
tests:
- name: True Positive Test
@@ -67,4 +66,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
index 99e48bd36c..b63404b9d0 100644
--- a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
+++ b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
@@ -63,7 +63,6 @@ tags:
- properties.targetResources{}.displayName
- properties.targetResources{}.modifiedProperties{}.newValue
- src_ip
- risk_score: 35
security_domain: threat
tests:
- name: True Positive Test
@@ -72,4 +71,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml
index 104b919d26..ce597802df 100644
--- a/detections/cloud/azure_ad_service_principal_owner_added.yml
+++ b/detections/cloud/azure_ad_service_principal_owner_added.yml
@@ -62,7 +62,6 @@ tags:
- properties.targetResources{}.userPrincipalName
- properties.targetResources{}.modifiedProperties{}.newValue
- properties.result
- risk_score: 54
security_domain: audit
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
index 01ce2310b9..e5e5e8bab1 100644
--- a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
+++ b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
@@ -65,7 +65,6 @@ tags:
- user
- src_ip
- properties.appDisplayName
- risk_score: 56
security_domain: identity
tests:
- name: True Positive Test
@@ -74,4 +73,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_successful_powershell_authentication.yml b/detections/cloud/azure_ad_successful_powershell_authentication.yml
index eeb37fcfc7..c1dc2a7b9d 100644
--- a/detections/cloud/azure_ad_successful_powershell_authentication.yml
+++ b/detections/cloud/azure_ad_successful_powershell_authentication.yml
@@ -65,7 +65,6 @@ tags:
- src_ip
- properties.appDisplayName
- properties.userAgent
- risk_score: 54
security_domain: identity
tests:
- name: True Positive Test
@@ -74,4 +73,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_successful_single_factor_authentication.yml b/detections/cloud/azure_ad_successful_single_factor_authentication.yml
index dd84988f4c..f04609ce4e 100644
--- a/detections/cloud/azure_ad_successful_single_factor_authentication.yml
+++ b/detections/cloud/azure_ad_successful_single_factor_authentication.yml
@@ -62,7 +62,6 @@ tags:
- user
- src_ip
- properties.appDisplayName
- risk_score: 45
security_domain: identity
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml
index e84950d54b..0a29744d22 100644
--- a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml
+++ b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml
@@ -58,7 +58,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 45
required_fields:
- _time
- operationName
diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
index c6061000f6..bdbd0ce9b8 100644
--- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
@@ -67,7 +67,6 @@ tags:
- properties.authenticationDetails
- properties.userPrincipalName
- properties.ipAddress
- risk_score: 54
security_domain: access
tests:
- name: True Positive Test
@@ -76,4 +75,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml
index 188c0831f2..10a07b7a7c 100644
--- a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml
+++ b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml
@@ -65,7 +65,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 30
required_fields:
- _time
- operationName
diff --git a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
index 3d0fd1b1a6..7181d5453e 100644
--- a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
+++ b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 36
required_fields:
- _time
- operationName
diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
index 6827fe05be..95d9465812 100644
--- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
+++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
@@ -61,7 +61,6 @@ tags:
- user
- properties.initiatedBy.user.userPrincipalName
- properties.result
- risk_score: 45
security_domain: identity
tests:
- name: True Positive Test
@@ -70,4 +69,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
index 4d389d1b08..7f27ec8994 100644
--- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
+++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
@@ -61,7 +61,6 @@ tags:
- Splunk Cloud
required_fields:
- _time
- risk_score: 45
security_domain: threat
tests:
- name: True Positive Test
@@ -70,4 +69,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_automation_account_created.yml b/detections/cloud/azure_automation_account_created.yml
index af5fb1430f..9b4adcdbdf 100644
--- a/detections/cloud/azure_automation_account_created.yml
+++ b/detections/cloud/azure_automation_account_created.yml
@@ -62,7 +62,6 @@ tags:
- claims.ipaddr
- resourceGroupName
- object_path
- risk_score: 63
security_domain: audit
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log
source: mscs:azure:audit
sourcetype: mscs:azure:audit
- update_timestamp: true
diff --git a/detections/cloud/azure_automation_runbook_created.yml b/detections/cloud/azure_automation_runbook_created.yml
index 3c1cfeb265..c376d40b18 100644
--- a/detections/cloud/azure_automation_runbook_created.yml
+++ b/detections/cloud/azure_automation_runbook_created.yml
@@ -62,7 +62,6 @@ tags:
- claims.ipaddr
- resourceGroupName
- object_path
- risk_score: 63
security_domain: audit
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log
source: mscs:azure:audit
sourcetype: mscs:azure:audit
- update_timestamp: true
diff --git a/detections/cloud/azure_runbook_webhook_created.yml b/detections/cloud/azure_runbook_webhook_created.yml
index 28fc9c5694..6f9fd6e0d1 100644
--- a/detections/cloud/azure_runbook_webhook_created.yml
+++ b/detections/cloud/azure_runbook_webhook_created.yml
@@ -62,7 +62,6 @@ tags:
- claims.ipaddr
- resourceGroupName
- object_path
- risk_score: 63
security_domain: threat
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log
source: mscs:azure:audit
sourcetype: mscs:azure:audit
- update_timestamp: true
diff --git a/detections/cloud/circle_ci_disable_security_job.yml b/detections/cloud/circle_ci_disable_security_job.yml
index 455ff6f326..b397385b5b 100644
--- a/detections/cloud/circle_ci_disable_security_job.yml
+++ b/detections/cloud/circle_ci_disable_security_job.yml
@@ -40,7 +40,6 @@ tags:
- Splunk Cloud
required_fields:
- _times
- risk_score: 72
security_domain: network
tests:
- name: True Positive Test
diff --git a/detections/cloud/circle_ci_disable_security_step.yml b/detections/cloud/circle_ci_disable_security_step.yml
index 4c7c333edd..77747dc5be 100644
--- a/detections/cloud/circle_ci_disable_security_step.yml
+++ b/detections/cloud/circle_ci_disable_security_step.yml
@@ -40,7 +40,6 @@ tags:
- Splunk Cloud
required_fields:
- _times
- risk_score: 72
security_domain: network
tests:
- name: True Positive Test
diff --git a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
index f34a186296..aaea4dc435 100644
--- a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
+++ b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
@@ -54,7 +54,6 @@ tags:
- All_Changes.status
- All_Changes.command
- All_Changes.object
- risk_score: 36
security_domain: threat
tests:
- name: True Positive Test
@@ -63,4 +62,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
index 3222e4c2d7..91e2c7c1b6 100644
--- a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
+++ b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
@@ -59,7 +59,6 @@ tags:
- All_Changes.action
- All_Changes.user
- All_Changes.vendor_region
- risk_score: 18
security_domain: threat
tests:
- name: True Positive Test
@@ -68,4 +67,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
index e7b1e13efb..1302591e5f 100644
--- a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
+++ b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
@@ -62,7 +62,6 @@ tags:
- All_Changes.action
- All_Changes.vendor_region
- All_Changes.user
- risk_score: 42
security_domain: threat
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
index 59875c8683..82ab4f07d2 100644
--- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
+++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
@@ -55,7 +55,6 @@ tags:
- All_Changes.action
- All_Changes.Instance_Changes.image_id
- All_Changes.user
- risk_score: 36
security_domain: threat
tests:
- name: True Positive Test
@@ -64,4 +63,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
index 85af9797fc..4d832722fe 100644
--- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
+++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
@@ -62,7 +62,6 @@ tags:
- All_Changes.action
- All_Changes.Instance_Changes.instance_type
- All_Changes.user
- risk_score: 30
security_domain: threat
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
index 6053083aca..9df0e8873d 100644
--- a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
+++ b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
@@ -58,7 +58,6 @@ tags:
- All_Changes.change_type
- All_Changes.status
- All_Changes.user
- risk_score: 42
security_domain: threat
tests:
- name: True Positive Test
@@ -67,4 +66,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
index b9d62ef08b..f9be88b8f8 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
@@ -82,7 +82,6 @@ tags:
- All_Changes.user
- All_Changes.object
- All_Changes.command
- risk_score: 18
security_domain: threat
manual_test: This search needs the baseline to be run first to create a lookup
tests:
@@ -92,4 +91,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
index 15ebf020a3..d763c17cf7 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
@@ -82,7 +82,6 @@ tags:
- All_Changes.user
- All_Changes.object
- All_Changes.command
- risk_score: 42
security_domain: threat
manual_test: This search needs the baseline to be run first to create a lookup
tests:
@@ -92,4 +91,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
index 7698432f62..1e07fdb9a6 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
@@ -81,7 +81,6 @@ tags:
- All_Changes.src
- All_Changes.user
- All_Changes.command
- risk_score: 42
security_domain: threat
manual_test: This search needs the baseline to be run first to create a lookup
tests:
@@ -91,4 +90,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
index 779605e1eb..268c32116a 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
@@ -82,7 +82,6 @@ tags:
- All_Changes.user
- All_Changes.object
- All_Changes.command
- risk_score: 42
security_domain: threat
manual_test: This search needs the baseline to be run first to create a lookup
tests:
@@ -92,4 +91,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_security_groups_modifications_by_user.yml b/detections/cloud/cloud_security_groups_modifications_by_user.yml
index 1ce26bf6ec..a4967bef84 100644
--- a/detections/cloud/cloud_security_groups_modifications_by_user.yml
+++ b/detections/cloud/cloud_security_groups_modifications_by_user.yml
@@ -57,7 +57,6 @@ tags:
- All_Changes.status
- All_Changes.object_category
- All_Changes.user
- risk_score: 35
security_domain: threat
tests:
- name: True Positive Test
diff --git a/detections/cloud/detect_aws_console_login_by_new_user.yml b/detections/cloud/detect_aws_console_login_by_new_user.yml
index 523d3cb63b..d9764336c8 100644
--- a/detections/cloud/detect_aws_console_login_by_new_user.yml
+++ b/detections/cloud/detect_aws_console_login_by_new_user.yml
@@ -57,7 +57,6 @@ tags:
- _time
- Authentication.signature
- Authentication.user
- risk_score: 30
security_domain: threat
tests:
- name: True Positive Test
@@ -66,4 +65,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml
index 9488c17d39..b1ca5f4b17 100644
--- a/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml
+++ b/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml
@@ -66,7 +66,6 @@ tags:
- Authentication.signature
- Authentication.user
- Authentication.src
- risk_score: 18
security_domain: threat
manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated.
@@ -77,4 +76,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml
index 7cd18c04e7..e5035b813b 100644
--- a/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml
+++ b/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml
@@ -66,7 +66,6 @@ tags:
- Authentication.signature
- Authentication.user
- Authentication.src
- risk_score: 42
security_domain: threat
manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated.
@@ -77,4 +76,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml
index 69cda1c583..1ea23f4a46 100644
--- a/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml
+++ b/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml
@@ -67,7 +67,6 @@ tags:
- Authentication.signature
- Authentication.user
- Authentication.src
- risk_score: 36
security_domain: threat
manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated.
@@ -78,4 +77,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml b/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml
index 9d477d8143..340f638403 100644
--- a/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml
+++ b/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml
@@ -65,5 +65,4 @@ tags:
- c_ip_
- cs_uri_
- cs_method_
- risk_score: 25
security_domain: network
diff --git a/detections/cloud/detect_new_open_gcp_storage_buckets.yml b/detections/cloud/detect_new_open_gcp_storage_buckets.yml
index 9f8eb5cae6..17e3a2b942 100644
--- a/detections/cloud/detect_new_open_gcp_storage_buckets.yml
+++ b/detections/cloud/detect_new_open_gcp_storage_buckets.yml
@@ -59,5 +59,4 @@ tags:
- data.protoPayload.resourceName
- data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role
- data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member
- risk_score: 25
security_domain: network
diff --git a/detections/cloud/detect_new_open_s3_buckets.yml b/detections/cloud/detect_new_open_s3_buckets.yml
index c4198c281d..20500c9663 100644
--- a/detections/cloud/detect_new_open_s3_buckets.yml
+++ b/detections/cloud/detect_new_open_s3_buckets.yml
@@ -62,7 +62,6 @@ tags:
- userAgent
- uri
- permission
- risk_score: 48
security_domain: threat
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
index 91cabf7138..d7f1d1e6fd 100644
--- a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
+++ b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
@@ -66,7 +66,6 @@ tags:
 - userIdentity.principalId - userAgent - bucketName - risk_score: 48 security_domain: threat tests: - name: True Positive Test
@@ -75,4 +74,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/detect_s3_access_from_a_new_ip.yml b/detections/cloud/detect_s3_access_from_a_new_ip.yml
index 4b860bc4b6..9d37d952f3 100644
--- a/detections/cloud/detect_s3_access_from_a_new_ip.yml
+++ b/detections/cloud/detect_s3_access_from_a_new_ip.yml
@@ -58,5 +58,4 @@ tags:
 - http_status - bucket_name - remote_ip - risk_score: 25.0 security_domain: network
diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
index 131d791a79..636f5756b2 100644
--- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
+++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
@@ -53,7 +53,6 @@ tags:
 - vendor_region - severity - dest - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
index 14a717bb9a..d95dcc01d2 100644
--- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
+++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
@@ -46,5 +46,4 @@ tags:
 - findings{}.Resources{}.Type - indings{}.Resources{}.Id - user - risk_score: 25 security_domain: network
diff --git a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
index 41844dd805..95f9ea317f 100644
--- a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
+++ b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
@@ -67,5 +67,4 @@ tags:
 - action - src_ip - dest_ip - risk_score: 25.0 security_domain: network
diff --git a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
index 88ed86c86e..3deeb6b513 100644
--- a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
+++ b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
@@ -63,5 +63,4 @@ tags:
 - _time - eventName - userIdentity.arn - risk_score: 25 security_domain: network
diff --git a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
index 2b04cfc1b8..2fe94ce9d8 100644
--- a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
+++ b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
@@ -59,7 +59,6 @@ tags:
 - src_ip - login_challenge_method - event.parameters{}.multiValue{} - risk_score: 54 security_domain: identity tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log source: gws:reports:login sourcetype: gws:reports:login - update_timestamp: true
diff --git a/detections/cloud/gcp_detect_gcploit_framework.yml b/detections/cloud/gcp_detect_gcploit_framework.yml
index 6ddb2bebce..bf4553b902 100644
--- a/detections/cloud/gcp_detect_gcploit_framework.yml
+++ b/detections/cloud/gcp_detect_gcploit_framework.yml
@@ -54,5 +54,4 @@ tags:
 - data.protoPayload.authorizationInfo{}.permission - data.protoPayload.request.location - http_user_agent - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml b/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml
index 56623ce73b..6f747f2170 100644
--- a/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml
+++ b/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml
@@ -50,5 +50,4 @@ tags:
 - requestURI - responseStatus.reason - properties.pod - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/gcp_multi_factor_authentication_disabled.yml b/detections/cloud/gcp_multi_factor_authentication_disabled.yml
index 8acdae5d35..82bc9d3d1a 100644
--- a/detections/cloud/gcp_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/gcp_multi_factor_authentication_disabled.yml
@@ -60,7 +60,6 @@ tags:
 - user - command - status - risk_score: 45 security_domain: identity tests: - name: True Positive Test
@@ -69,4 +68,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log source: gws:reports:admin sourcetype: gws:reports:admin - update_timestamp: true
diff --git a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
index 501ca6414b..45384e06e3 100644
--- a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
@@ -60,7 +60,6 @@ tags:
 - Splunk Cloud required_fields: - _time - risk_score: 54 security_domain: identity tests: - name: True Positive Test
@@ -69,4 +68,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log source: gws:reports:login sourcetype: gws:reports:login - update_timestamp: true
diff --git a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
index f4f9aceee7..1514c9be03 100644
--- a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
@@ -67,7 +67,6 @@ tags:
 - app - id.applicationName - src - risk_score: 54 security_domain: threat tests: - name: True Positive Test
@@ -76,4 +75,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json source: gws_login sourcetype: gws:reports:login - update_timestamp: true
diff --git a/detections/cloud/gcp_successful_single_factor_authentication.yml b/detections/cloud/gcp_successful_single_factor_authentication.yml
index 7edda663ec..25cf8a2805 100644
--- a/detections/cloud/gcp_successful_single_factor_authentication.yml
+++ b/detections/cloud/gcp_successful_single_factor_authentication.yml
@@ -61,7 +61,6 @@ tags:
 - user - src_ip - login_challenge_method - risk_score: 45 security_domain: identity tests: - name: True Positive Test
@@ -70,4 +69,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log source: gws:reports:login sourcetype: gws:reports:login - update_timestamp: true
diff --git a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
index 007e7b649a..b39de2523b 100644
--- a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
@@ -67,7 +67,6 @@ tags:
 - src - event.type - user_name - risk_score: 54 security_domain: threat tests: - name: True Positive Test
@@ -76,4 +75,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json source: gws_login sourcetype: gws:reports:login - update_timestamp: true
diff --git a/detections/cloud/gdrive_suspicious_file_sharing.yml b/detections/cloud/gdrive_suspicious_file_sharing.yml
index 6a2d2fbd04..4783e23114 100644
--- a/detections/cloud/gdrive_suspicious_file_sharing.yml
+++ b/detections/cloud/gdrive_suspicious_file_sharing.yml
@@ -54,5 +54,4 @@ tags:
 - parameters.target_user - parameters.doc_title - parameters.doc_type - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/github_actions_disable_security_workflow.yml b/detections/cloud/github_actions_disable_security_workflow.yml
index 4581f7344a..25a5c310b4 100644
--- a/detections/cloud/github_actions_disable_security_workflow.yml
+++ b/detections/cloud/github_actions_disable_security_workflow.yml
@@ -62,7 +62,6 @@ tags:
 - workflow_run.head_repository.owner.id - workflow_run.head_repository.owner.login - workflow_run.head_repository.owner.type - risk_score: 27 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/github_commit_changes_in_master.yml b/detections/cloud/github_commit_changes_in_master.yml
index 0a4052114b..711eb2ea40 100644
--- a/detections/cloud/github_commit_changes_in_master.yml
+++ b/detections/cloud/github_commit_changes_in_master.yml
@@ -45,7 +45,6 @@ tags:
 - Splunk Cloud required_fields: - _time - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/cloud/github_commit_in_develop.yml b/detections/cloud/github_commit_in_develop.yml
index 1346e0f952..9f0d727acc 100644
--- a/detections/cloud/github_commit_in_develop.yml
+++ b/detections/cloud/github_commit_in_develop.yml
@@ -45,7 +45,6 @@ tags:
 - Splunk Cloud required_fields: - _time - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/cloud/github_dependabot_alert.yml b/detections/cloud/github_dependabot_alert.yml
index da4f09cdc9..00b3e88a2b 100644
--- a/detections/cloud/github_dependabot_alert.yml
+++ b/detections/cloud/github_dependabot_alert.yml
@@ -58,7 +58,6 @@ tags:
 - alert.external_reference - alert.fixed_in - alert.severity - risk_score: 27 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/github_pull_request_from_unknown_user.yml b/detections/cloud/github_pull_request_from_unknown_user.yml
index 7ab0f9565a..fe8af8cc3b 100644
--- a/detections/cloud/github_pull_request_from_unknown_user.yml
+++ b/detections/cloud/github_pull_request_from_unknown_user.yml
@@ -58,7 +58,6 @@ tags:
 - alert.external_reference - alert.fixed_in - alert.severity - risk_score: 27 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml
index a6e197b24e..567ed9e49e 100644
--- a/detections/cloud/gsuite_drive_share_in_external_email.yml
+++ b/detections/cloud/gsuite_drive_share_in_external_email.yml
@@ -65,7 +65,6 @@ tags:
 - parameters.visibility - parameters.owner - parameters.doc_type - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/cloud/gsuite_email_suspicious_attachment.yml b/detections/cloud/gsuite_email_suspicious_attachment.yml
index 5c9abfa33c..ad0fbff594 100644
--- a/detections/cloud/gsuite_email_suspicious_attachment.yml
+++ b/detections/cloud/gsuite_email_suspicious_attachment.yml
@@ -63,7 +63,6 @@ tags:
 - subject - destination{}.address - source.address - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
index ff370ee6bb..4d571b720d 100644
--- a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
+++ b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
@@ -60,7 +60,6 @@ tags:
 - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
index f3b12b02de..ec9499f745 100644
--- a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
+++ b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
@@ -54,7 +54,6 @@ tags:
 - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml b/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml
index 8a4a5f238e..8baec88d03 100644
--- a/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml
+++ b/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml
@@ -62,7 +62,6 @@ tags:
 - dest_domain - phase - severity - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/cloud/gsuite_suspicious_calendar_invite.yml b/detections/cloud/gsuite_suspicious_calendar_invite.yml
index 5c36602f3f..96759b5257 100644
--- a/detections/cloud/gsuite_suspicious_calendar_invite.yml
+++ b/detections/cloud/gsuite_suspicious_calendar_invite.yml
@@ -54,5 +54,4 @@ tags:
 - parameters.event_title - parameters.target_calendar_id - parameters.event_title - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/gsuite_suspicious_shared_file_name.yml b/detections/cloud/gsuite_suspicious_shared_file_name.yml
index 00d9aecf1a..d349313072 100644
--- a/detections/cloud/gsuite_suspicious_shared_file_name.yml
+++ b/detections/cloud/gsuite_suspicious_shared_file_name.yml
@@ -67,7 +67,6 @@ tags:
 - parameters.visibility - parameters.owner - parameters.doc_type - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
index ed4ccbb777..922415f00e 100644
--- a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
+++ b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
@@ -66,7 +66,6 @@ tags:
 - UserAgent - src_ip - record_type - risk_score: 25 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
index d012c1e6ef..483e247644 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
@@ -67,7 +67,6 @@ tags:
 - user.username - userAgent - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
index e26121f0c5..38a4f911ee 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
@@ -66,7 +66,6 @@ tags:
 - user.username - userAgent - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
index 6d81b53ba3..89bb21c89b 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
@@ -65,7 +65,6 @@ tags:
 - user.username - userAgent - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
index 5b44d1e7f8..ebc6cdbc67 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
@@ -65,7 +65,6 @@ tags:
 - user.username - userAgent - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_access_scanning.yml b/detections/cloud/kubernetes_access_scanning.yml
index 55e2362f32..f64fbfd0ca 100644
--- a/detections/cloud/kubernetes_access_scanning.yml
+++ b/detections/cloud/kubernetes_access_scanning.yml
@@ -63,7 +63,6 @@ tags:
 - verb - responseStatus.reason - responseStatus.status - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml
index 678f392e81..bbaefffc05 100644
--- a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml
+++ b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml
@@ -73,5 +73,4 @@ tags:
 - k8s.cluster.name - dest.process.name - dest.workload.name - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml
index 36e40b25e4..521575f054 100644
--- a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml
+++ b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml
@@ -92,5 +92,4 @@ tags:
 - k8s.cluster.name - k8s.node.name - k8s.pod.name - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
index a115c50b9f..96035c6dce 100644
--- a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
+++ b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
@@ -96,5 +96,4 @@ tags:
 - k8s.cluster.name - k8s.node.name - k8s.pod.name - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml
index bfc7974b65..9c3f437974 100644
--- a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml
+++ b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml
@@ -74,5 +74,4 @@ tags:
 - source.workload.name - dest.workload.name - udp.packets - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml
index 8d7a99c3bd..25ab088d8a 100644
--- a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml
+++ b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml
@@ -74,5 +74,4 @@ tags:
 - source.workload.name - dest.workload.name - udp.packets - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml
index 2c4d27b19c..8f996fcf56 100644
--- a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml
+++ b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml
@@ -56,5 +56,4 @@ tags:
 - user.username - userAgent - verb - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml
index b9f1be1cba..ab18d322bd 100644
--- a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml
+++ b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml
@@ -64,7 +64,6 @@ tags:
 - userAgent - verb - requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_cron_job_creation.yml b/detections/cloud/kubernetes_cron_job_creation.yml
index fd414326bb..254e41bf0b 100644
--- a/detections/cloud/kubernetes_cron_job_creation.yml
+++ b/detections/cloud/kubernetes_cron_job_creation.yml
@@ -64,7 +64,6 @@ tags:
 - user.username - userAgent - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_daemonset_deployed.yml b/detections/cloud/kubernetes_daemonset_deployed.yml
index 059055675a..405d57cca2 100644
--- a/detections/cloud/kubernetes_daemonset_deployed.yml
+++ b/detections/cloud/kubernetes_daemonset_deployed.yml
@@ -62,7 +62,6 @@ tags:
 - user.username - userAgent - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_falco_shell_spawned.yml b/detections/cloud/kubernetes_falco_shell_spawned.yml
index 71c85b1554..051afb8baf 100644
--- a/detections/cloud/kubernetes_falco_shell_spawned.yml
+++ b/detections/cloud/kubernetes_falco_shell_spawned.yml
@@ -53,7 +53,6 @@ tags:
 - proc_exepath - process - user - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml
index 2425eaa829..ad7f3c7be4 100644
--- a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml
+++ b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml
@@ -61,5 +61,4 @@ tags:
 - source.workload.name - dest.workload.name - tcp.packets - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_newly_seen_udp_edge.yml b/detections/cloud/kubernetes_newly_seen_udp_edge.yml
index a264bff40e..e38ffe0b61 100644
--- a/detections/cloud/kubernetes_newly_seen_udp_edge.yml
+++ b/detections/cloud/kubernetes_newly_seen_udp_edge.yml
@@ -61,5 +61,4 @@ tags:
 - source.workload.name - dest.workload.name - udp.packets - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_nginx_ingress_lfi.yml b/detections/cloud/kubernetes_nginx_ingress_lfi.yml
index ef247a2341..35755b97bd 100644
--- a/detections/cloud/kubernetes_nginx_ingress_lfi.yml
+++ b/detections/cloud/kubernetes_nginx_ingress_lfi.yml
@@ -50,7 +50,6 @@ tags:
 - Splunk Cloud required_fields: - raw - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_nginx_ingress_rfi.yml b/detections/cloud/kubernetes_nginx_ingress_rfi.yml
index 5823d53346..5e06dd87c2 100644
--- a/detections/cloud/kubernetes_nginx_ingress_rfi.yml
+++ b/detections/cloud/kubernetes_nginx_ingress_rfi.yml
@@ -49,7 +49,6 @@ tags:
 - Splunk Cloud required_fields: - raw - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_node_port_creation.yml b/detections/cloud/kubernetes_node_port_creation.yml
index 513e043486..12776caac0 100644
--- a/detections/cloud/kubernetes_node_port_creation.yml
+++ b/detections/cloud/kubernetes_node_port_creation.yml
@@ -63,7 +63,6 @@ tags:
 - user.username - userAgent - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml
index c5b94b6782..7ef67668ec 100644
--- a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml
+++ b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml
@@ -63,7 +63,6 @@ tags:
 - user.username - userAgent - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml
index 763299bf0c..11f4ea4e51 100644
--- a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml
+++ b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml
@@ -64,7 +64,6 @@ tags:
 - userAgent - verb - requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml
index 893fa07fce..c01c76ec7c 100644
--- a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml
+++ b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml
@@ -81,5 +81,4 @@ tags:
 - host.name - k8s.cluster.name - k8s.node.name - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_previously_unseen_process.yml b/detections/cloud/kubernetes_previously_unseen_process.yml
index 605ca069bb..cb788693e9 100644
--- a/detections/cloud/kubernetes_previously_unseen_process.yml
+++ b/detections/cloud/kubernetes_previously_unseen_process.yml
@@ -81,5 +81,4 @@ tags:
 - k8s.cluster.name - k8s.node.name - process.executable.name - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_process_running_from_new_path.yml b/detections/cloud/kubernetes_process_running_from_new_path.yml
index 41b969d36b..b79f385b14 100644
--- a/detections/cloud/kubernetes_process_running_from_new_path.yml
+++ b/detections/cloud/kubernetes_process_running_from_new_path.yml
@@ -82,5 +82,4 @@ tags:
 - k8s.cluster.name - k8s.node.name - process.executable.name - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml
index 44d9d3dce9..a38ba1dfea 100644
--- a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml
+++ b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml
@@ -90,5 +90,4 @@ tags:
 - k8s.cluster.name - k8s.node.name - process.executable.name - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml
index 870ba66146..26dae707d4 100644
--- a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml
+++ b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml
@@ -89,5 +89,4 @@ tags:
 - k8s.cluster.name - k8s.node.name - process.executable.name - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_scanner_image_pulling.yml b/detections/cloud/kubernetes_scanner_image_pulling.yml
index c4984bd78c..65481845e4 100644
--- a/detections/cloud/kubernetes_scanner_image_pulling.yml
+++ b/detections/cloud/kubernetes_scanner_image_pulling.yml
@@ -50,7 +50,6 @@ tags:
 - object.involvedObject.kind - object.message - object.reason - risk_score: 81 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml
index a94b5cf3fe..3ca9703eb0 100644
--- a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml
+++ b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml
@@ -60,7 +60,6 @@ tags:
 - verb - responseStatus.reason - responseStatus.status - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node.yml b/detections/cloud/kubernetes_shell_running_on_worker_node.yml
index 53ba59cfd2..6e9c24afd4 100644
--- a/detections/cloud/kubernetes_shell_running_on_worker_node.yml
+++ b/detections/cloud/kubernetes_shell_running_on_worker_node.yml
@@ -81,5 +81,4 @@ tags:
 - k8s.cluster.name - k8s.node.name - process.pid - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
index 7440e985c8..322dd887f7 100644
--- a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
+++ b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
@@ -82,5 +82,4 @@ tags:
 - k8s.cluster.name - k8s.node.name - process.pid - risk_score: 25 security_domain: network
diff --git a/detections/cloud/kubernetes_suspicious_image_pulling.yml b/detections/cloud/kubernetes_suspicious_image_pulling.yml
index 4eeaa70812..5b96f12f92 100644
--- a/detections/cloud/kubernetes_suspicious_image_pulling.yml
+++ b/detections/cloud/kubernetes_suspicious_image_pulling.yml
@@ -63,7 +63,6 @@ tags:
 - verb - responseStatus.reason - responseStatus.status - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/kubernetes_unauthorized_access.yml b/detections/cloud/kubernetes_unauthorized_access.yml
index 893a445494..213c518089 100644
--- a/detections/cloud/kubernetes_unauthorized_access.yml
+++ b/detections/cloud/kubernetes_unauthorized_access.yml
@@ -61,7 +61,6 @@ tags:
 - verb - responseStatus.reason - responseStatus.status - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/o365_add_app_role_assignment_grant_user.yml b/detections/cloud/o365_add_app_role_assignment_grant_user.yml
index bfa016ef7e..ac530301fc 100644
--- a/detections/cloud/o365_add_app_role_assignment_grant_user.yml
+++ b/detections/cloud/o365_add_app_role_assignment_grant_user.yml
@@ -61,7 +61,6 @@ tags:
 - UserId - dest - ResultStatus - risk_score: 18 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_added_service_principal.yml b/detections/cloud/o365_added_service_principal.yml
index 751bf096e0..1e5c484acc 100644
--- a/detections/cloud/o365_added_service_principal.yml
+++ b/detections/cloud/o365_added_service_principal.yml
@@ -60,7 +60,6 @@ tags:
 - action - Operation - authentication_service - risk_score: 42 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml
index 01cee46fbe..3ba876cbfc 100644
--- a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml
+++ b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml
@@ -68,7 +68,6 @@ tags:
 - ModifiedProperties{}.NewValue - src_user - dest_user - risk_score: 54 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/cloud/o365_advanced_audit_disabled.yml b/detections/cloud/o365_advanced_audit_disabled.yml
index 196993ba67..326fa27468 100644
--- a/detections/cloud/o365_advanced_audit_disabled.yml
+++ b/detections/cloud/o365_advanced_audit_disabled.yml
@@ -55,7 +55,6 @@ tags:
 - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 32 required_fields: - _time - Operation
diff --git a/detections/cloud/o365_application_available_to_other_tenants.yml b/detections/cloud/o365_application_available_to_other_tenants.yml
index afe0f18efd..df615c42e9 100644
--- a/detections/cloud/o365_application_available_to_other_tenants.yml
+++ b/detections/cloud/o365_application_available_to_other_tenants.yml
@@ -55,7 +55,6 @@ tags:
 - UserId - Workload - Target{}.ID - risk_score: 50 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_application_registration_owner_added.yml b/detections/cloud/o365_application_registration_owner_added.yml
index 732e63150c..808db9c4fc 100644
--- a/detections/cloud/o365_application_registration_owner_added.yml
+++ b/detections/cloud/o365_application_registration_owner_added.yml
@@ -52,7 +52,6 @@ tags:
 - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 required_fields: - time - Workload
diff --git a/detections/cloud/o365_applicationimpersonation_role_assigned.yml b/detections/cloud/o365_applicationimpersonation_role_assigned.yml
index 4fdc9c751e..d74ce5e179 100644
--- a/detections/cloud/o365_applicationimpersonation_role_assigned.yml
+++ b/detections/cloud/o365_applicationimpersonation_role_assigned.yml
@@ -51,7 +51,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 56 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
index 447f87e2d5..c58f178527 100644
--- a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
+++ b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
@@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml
index a33d96cb85..277afb842e 100644
--- a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml
+++ b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml
@@ -68,7 +68,6 @@ tags: - status - user_id - action - risk_score: 42 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_compliance_content_search_exported.yml b/detections/cloud/o365_compliance_content_search_exported.yml
index 2103c7707a..aa0bed4bcb 100644
--- a/detections/cloud/o365_compliance_content_search_exported.yml
+++ b/detections/cloud/o365_compliance_content_search_exported.yml
@@ -54,7 +54,6 @@ tags: - ExchangeLocations - Query - user_id - risk_score: 42 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/cloud/o365_compliance_content_search_started.yml b/detections/cloud/o365_compliance_content_search_started.yml
index 28eeaca71b..0a6c8c18bb 100644
--- a/detections/cloud/o365_compliance_content_search_started.yml
+++ b/detections/cloud/o365_compliance_content_search_started.yml
@@ -54,7 +54,6 @@ tags: - ExchangeLocations - Query - user_id - risk_score: 42 security_domain: audit tests: - name: True Positive Test
diff --git a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
index 94efdef9cd..80d29ef480 100644
--- a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
@@ -56,7 +56,6 @@ tags: - src_ip - user - user_agent - risk_score: 42 security_domain: threat tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log sourcetype: o365:management:activity source: o365 - update_timestamp: true
diff --git a/detections/cloud/o365_cross_tenant_access_change.yml b/detections/cloud/o365_cross_tenant_access_change.yml
index 6f6cb2f0e1..334222de18 100644
--- a/detections/cloud/o365_cross_tenant_access_change.yml
+++ b/detections/cloud/o365_cross_tenant_access_change.yml
@@ -52,7 +52,6 @@ tags: - ModifiedProperties{}.Name - UserId - Workload - risk_score: 75 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_disable_mfa.yml b/detections/cloud/o365_disable_mfa.yml
index 9b85e10668..a32e2f8da2 100644
--- a/detections/cloud/o365_disable_mfa.yml
+++ b/detections/cloud/o365_disable_mfa.yml
@@ -54,7 +54,6 @@ tags: - signature - dest - ResultStatus - risk_score: 64 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
index b2c1c243e6..656a6351ff 100644
--- a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
+++ b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
@@ -54,7 +54,6 @@ tags: - user - src_user - dest_user - risk_score: 42 security_domain: audit tests: - name: True Positive Test
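Review bot: Dropping `update_timestamp: true` from the `attack_data` entry of o365_concurrent_sessions_from_different_ips changes how the replayed `.log` is timestamped wherever the test harness honours that flag; if this detection's search is bounded to a recent time window, the original event times in the dataset may now fall outside it and the True Positive test could silently stop matching. Whether the harness now rewrites timestamps by default is the only thing that makes this removal safe, and that is worth one sentence in the commit description. The same removal appears in the o365_new_federated_domain_added, asl_aws_createaccesskey, asl_aws_password_policy_changes and detect_activity_related_to_pass_the_hash_attacks hunks.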
diff --git a/detections/cloud/o365_excessive_authentication_failures_alert.yml b/detections/cloud/o365_excessive_authentication_failures_alert.yml
index 08ed28b052..c1f6a95766 100644
--- a/detections/cloud/o365_excessive_authentication_failures_alert.yml
+++ b/detections/cloud/o365_excessive_authentication_failures_alert.yml
@@ -56,7 +56,6 @@ tags: - UserAgent - src_ip - user - risk_score: 64 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_excessive_sso_logon_errors.yml b/detections/cloud/o365_excessive_sso_logon_errors.yml
index faef098f21..7b8ce5c60a 100644
--- a/detections/cloud/o365_excessive_sso_logon_errors.yml
+++ b/detections/cloud/o365_excessive_sso_logon_errors.yml
@@ -60,7 +60,6 @@ tags: - authentication_service - authentication_method - Operation - risk_score: 64 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_external_guest_user_invited.yml b/detections/cloud/o365_external_guest_user_invited.yml
index a00581e3d9..fa4cbdad35 100644
--- a/detections/cloud/o365_external_guest_user_invited.yml
+++ b/detections/cloud/o365_external_guest_user_invited.yml
@@ -54,7 +54,6 @@ tags: - UserId - Id - Workload - risk_score: 25 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/cloud/o365_external_identity_policy_changed.yml b/detections/cloud/o365_external_identity_policy_changed.yml
index a9dbb3c6f0..ed2a067e44 100644
--- a/detections/cloud/o365_external_identity_policy_changed.yml
+++ b/detections/cloud/o365_external_identity_policy_changed.yml
@@ -54,7 +54,6 @@ tags: - ModifiedProperties{}.Name - UserId - Workload - risk_score: 75 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml
index f0fbd80d5d..045760fec9 100644
--- a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml
+++ b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml
@@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 40 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml
index c6f2706e01..daa303e4d3 100644
--- a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml
+++ b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml
@@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 48 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
index e684d23e4c..0af3b63e60 100644
--- a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
@@ -49,7 +49,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 35 required_fields: - _time - src_ip
diff --git a/detections/cloud/o365_high_privilege_role_granted.yml b/detections/cloud/o365_high_privilege_role_granted.yml
index da3e718fb0..6762bd755a 100644
--- a/detections/cloud/o365_high_privilege_role_granted.yml
+++ b/detections/cloud/o365_high_privilege_role_granted.yml
@@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 48 required_fields: - _time - Operation
diff --git a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml
index 41b81db2a0..7c38b73593 100644
--- a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml
+++ b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml
@@ -58,7 +58,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 40 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml
index feb85ab074..be9655d26c 100644
--- a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml
+++ b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml
@@ -58,7 +58,6 @@ tags: - src_user - DeliverToMailboxAndForward - ObjectId - risk_score: 42 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml
index 49bbeb8296..eb462d2af7 100644
--- a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml
+++ b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml
@@ -58,7 +58,6 @@ tags: - UserId - object - Item.ParentFolder.MemberRights - risk_score: 42 security_domain: audit tests: - name: True Positive Test
diff --git a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
index 7d13aaa76c..ca03cca05d 100644
--- a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
+++ b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
@@ -54,7 +54,6 @@ tags: - UserId - Identity - User - risk_score: 42 security_domain: audit tests: - name: True Positive Test
diff --git a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml
index a47d64ad76..de310a8e44 100644
--- a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml
+++ b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml
@@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 56 required_fields: - _time - Operation
diff --git a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml
index d8a3f346dc..15c67eee83 100644
--- a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml
+++ b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml
@@ -59,7 +59,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 required_fields: - Operation - _time
diff --git a/detections/cloud/o365_multi_source_failed_authentications_spike.yml b/detections/cloud/o365_multi_source_failed_authentications_spike.yml
index 2972dea980..002a5ac27b 100644
--- a/detections/cloud/o365_multi_source_failed_authentications_spike.yml
+++ b/detections/cloud/o365_multi_source_failed_authentications_spike.yml
@@ -62,7 +62,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 42 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
index 6dac7c57d2..fb35d46dfb 100644
--- a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
+++ b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
@@ -55,7 +55,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 48 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
index 778080e17c..33db530afd 100644
--- a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
@@ -44,7 +44,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 48 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
index 4ade3a6007..e23a4a0a1f 100644
--- a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
+++ b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
@@ -62,7 +62,6 @@ tags: - ClientInfoString - ClientIPAddress - user - risk_score: 42 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml
index 89a32250e8..a353b8109a 100644
--- a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml
+++ b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml
@@ -62,7 +62,6 @@ tags: - Actor{}.ID - src_user - object - risk_score: 42 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/cloud/o365_multiple_service_principals_created_by_user.yml b/detections/cloud/o365_multiple_service_principals_created_by_user.yml
index f726e973c7..7c20e503ab 100644
--- a/detections/cloud/o365_multiple_service_principals_created_by_user.yml
+++ b/detections/cloud/o365_multiple_service_principals_created_by_user.yml
@@ -62,7 +62,6 @@ tags: - Actor{}.ID - src_user - object - risk_score: 42 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
index b8f4cbcd51..0e53e9feda 100644
--- a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
@@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 63 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_new_email_forwarding_rule_created.yml b/detections/cloud/o365_new_email_forwarding_rule_created.yml
index eb75fa4a3e..5192abd63c 100644
--- a/detections/cloud/o365_new_email_forwarding_rule_created.yml
+++ b/detections/cloud/o365_new_email_forwarding_rule_created.yml
@@ -58,7 +58,6 @@ tags: - Name - user - UserId - risk_score: 42 security_domain: audit tests: - name: True Positive Test
diff --git a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml
index d11d1a2f55..9a8ccb88a9 100644
--- a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml
+++ b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml
@@ -64,7 +64,6 @@ tags: - Actions - Name - user - risk_score: 42 security_domain: audit tests: - name: True Positive Test
diff --git a/detections/cloud/o365_new_federated_domain_added.yml b/detections/cloud/o365_new_federated_domain_added.yml
index f52ee289bb..4b42a27037 100644
--- a/detections/cloud/o365_new_federated_domain_added.yml
+++ b/detections/cloud/o365_new_federated_domain_added.yml
@@ -59,7 +59,6 @@ tags: - user - user_agent - action - risk_score: 64 security_domain: threat tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_add_federated_domain.log sourcetype: o365:management:activity source: o365 - update_timestamp: true
diff --git a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml
index 3abb02e02f..578cc69d36 100644
--- a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml
+++ b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml
@@ -55,7 +55,6 @@ tags: - Parameters{}.Name - user - Name - risk_score: 42 security_domain: audit tests: - name: True Positive Test
diff --git a/detections/cloud/o365_new_mfa_method_registered.yml b/detections/cloud/o365_new_mfa_method_registered.yml
index 29478235b8..b94580a57d 100644
--- a/detections/cloud/o365_new_mfa_method_registered.yml
+++ b/detections/cloud/o365_new_mfa_method_registered.yml
@@ -57,7 +57,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml
index 7f866b4325..ca74422f58 100644
--- a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml
+++ b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml
@@ -55,7 +55,6 @@ tags: - AppId - ClientAppId - OperationCount - risk_score: 42 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml
index bd66c03848..dd5c594abb 100644
--- a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml
+++ b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml
@@ -54,7 +54,6 @@ tags: - AppId - ClientAppId - OperationCount - risk_score: 42 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml
index b122535a63..5bd64d2997 100644
--- a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml
+++ b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml
@@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 54 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_privileged_role_assigned.yml b/detections/cloud/o365_privileged_role_assigned.yml
index f5f626d370..c8b165e024 100644
--- a/detections/cloud/o365_privileged_role_assigned.yml
+++ b/detections/cloud/o365_privileged_role_assigned.yml
@@ -54,7 +54,6 @@ tags: - UserId - ObjectId - Workload - risk_score: 75 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml
index ebbe154331..adc44893ce 100644
--- a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml
+++ b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml
@@ -55,7 +55,6 @@ tags: - UserId - ObjectId - Workload - risk_score: 75 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/cloud/o365_pst_export_alert.yml b/detections/cloud/o365_pst_export_alert.yml
index d6aa52da7a..47c329eb0d 100644
--- a/detections/cloud/o365_pst_export_alert.yml
+++ b/detections/cloud/o365_pst_export_alert.yml
@@ -54,7 +54,6 @@ tags: - Severity - AlertEntityId - Operation - risk_score: 48 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_security_and_compliance_alert_triggered.yml b/detections/cloud/o365_security_and_compliance_alert_triggered.yml
index 814038f5f3..ebe6514af7 100644
--- a/detections/cloud/o365_security_and_compliance_alert_triggered.yml
+++ b/detections/cloud/o365_security_and_compliance_alert_triggered.yml
@@ -58,7 +58,6 @@ tags: - Operation - Name - Data - risk_score: 48 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/cloud/o365_service_principal_new_client_credentials.yml b/detections/cloud/o365_service_principal_new_client_credentials.yml
index 4dd03b4f3c..d6e06c2e3b 100644
--- a/detections/cloud/o365_service_principal_new_client_credentials.yml
+++ b/detections/cloud/o365_service_principal_new_client_credentials.yml
@@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 35 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml
index 8b5a9bc611..08799f4835 100644
--- a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml
+++ b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml
@@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 required_fields: - _time - Operation
diff --git a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml
index 5ff69a0f26..faacf0e924 100644
--- a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml
+++ b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml
@@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 required_fields: - _time - Workload
diff --git a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml
index f38efad892..77768e7381 100644
--- a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml
+++ b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml
@@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 required_fields: - _time - status.errorCode
diff --git a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
index e1746bf9b1..abc6997d3f 100644
--- a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
+++ b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
@@ -42,7 +42,6 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 70 security_domain: cloud tests: - name: True Positive Test
diff --git a/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml b/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml
index 2edc8786fb..7b299b5648 100644
--- a/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml
+++ b/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml
@@ -49,5 +49,4 @@ tags: - eventName - errorCode - userName - risk_score: 25.0 security_domain: network
diff --git a/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml b/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml
index ce796ea01f..92f4c248d7 100644
--- a/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml
+++ b/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml
@@ -45,5 +45,4 @@ tags: - eventName - errorCode - src_user - risk_score: 25.0 security_domain: network
diff --git a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml
index e0ed38a017..66c3424535 100644
--- a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml
+++ b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml
@@ -49,5 +49,4 @@ tags: - eventName - errorCode - userName - risk_score: 25 security_domain: network
diff --git a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml
index 24d38d557b..a24ce890cb 100644
--- a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml
+++ b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml
@@ -44,5 +44,4 @@ tags: - eventName - errorCode - src_user - risk_score: 25 security_domain: network
diff --git a/detections/deprecated/asl_aws_createaccesskey.yml b/detections/deprecated/asl_aws_createaccesskey.yml
index c7e3ceeccc..9144a370a6 100644
--- a/detections/deprecated/asl_aws_createaccesskey.yml
+++ b/detections/deprecated/asl_aws_createaccesskey.yml
@@ -75,7 +75,6 @@ tags: - src_endpoint.ip - unmapped{}.key - unmapped{}.value - risk_score: 63 security_domain: threat tests: - name: True Positive Test
@@ -83,5 +82,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/amazon_security_lake.json sourcetype: aws:asl source: aws_asl - update_timestamp: true
diff --git a/detections/deprecated/asl_aws_excessive_security_scanning.yml b/detections/deprecated/asl_aws_excessive_security_scanning.yml
index 31ad8c1727..6ea9b0df31 100644
--- a/detections/deprecated/asl_aws_excessive_security_scanning.yml
+++ b/detections/deprecated/asl_aws_excessive_security_scanning.yml
@@ -46,5 +46,4 @@ tags: - identity.user.name - http_request.user_agent - src_endpoint.ip - risk_score: 18 security_domain: network
\ No newline at end of file
diff --git a/detections/deprecated/asl_aws_password_policy_changes.yml b/detections/deprecated/asl_aws_password_policy_changes.yml
index 91d7e5659a..d27cc137fe 100644
--- a/detections/deprecated/asl_aws_password_policy_changes.yml
+++ b/detections/deprecated/asl_aws_password_policy_changes.yml
@@ -58,12 +58,10 @@ tags: - identity.user.uuid - http_request.user_agent - src_endpoint.ip - risk_score: 72 security_domain: threat tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/amazon_security_lake.json sourcetype: aws:asl - source: aws_asl - update_timestamp: true
\ No newline at end of file
+ source: aws_asl
\ No newline at end of file
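Review bot: The asl_aws_password_policy_changes hunk rewrites the file's final line (`source: aws_asl`) yet still closes it with `\ No newline at end of file`, and the asl_aws_excessive_security_scanning hunk leaves the same marker on its last line; since the commit is already touching the final line of both files, ending them with a newline would spare the next edit another `-`/`+` pair on an otherwise unchanged value. Both hunks run to the end of their files, so nothing else is affected.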
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
index 0d5eb040d0..eb6631654b 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
@@ -60,5 +60,4 @@ tags: - _time - eventName - sourceIPAddress - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
index 364b9ab482..a3f22ab255 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
@@ -61,5 +61,4 @@ tags: - _time - eventName - sourceIPAddress - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
index fd2b906142..60417e937f 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
@@ -58,5 +58,4 @@ tags: - _time - eventName - sourceIPAddress - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml
index 17c217ab38..0e05859e1f 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml
@@ -64,5 +64,4 @@ tags: - _time - eventName - sourceIPAddress - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml b/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml
index d2251fcf56..5e30e4d5c2 100644
--- a/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml
+++ b/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml
@@ -35,5 +35,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml b/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml
index 1e0cf56b4a..3cb995be1d 100644
--- a/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml
+++ b/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml
@@ -55,5 +55,4 @@ tags: - DNS.dest - DNS.message_type - DNS.src - risk_score: 25 security_domain: network
diff --git a/detections/deprecated/cloud_network_access_control_list_deleted.yml b/detections/deprecated/cloud_network_access_control_list_deleted.yml
index 97bfd5318c..fed8e84545 100644
--- a/detections/deprecated/cloud_network_access_control_list_deleted.yml
+++ b/detections/deprecated/cloud_network_access_control_list_deleted.yml
@@ -48,5 +48,4 @@ tags: - src - userName - arn - risk_score: 25 security_domain: network
diff --git a/detections/deprecated/correlation_by_repository_and_risk.yml b/detections/deprecated/correlation_by_repository_and_risk.yml
index e08e6b053a..55c383cd62 100644
--- a/detections/deprecated/correlation_by_repository_and_risk.yml
+++ b/detections/deprecated/correlation_by_repository_and_risk.yml
@@ -35,5 +35,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 70 security_domain: network
diff --git a/detections/deprecated/correlation_by_user_and_risk.yml b/detections/deprecated/correlation_by_user_and_risk.yml
index 690d2834df..d2e41e8e8f 100644
--- a/detections/deprecated/correlation_by_user_and_risk.yml
+++ b/detections/deprecated/correlation_by_user_and_risk.yml
@@ -35,5 +35,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 70 security_domain: network
diff --git a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml
index 9b8abca9a6..6789f9c495 100644
--- a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml
+++ b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml
@@ -52,7 +52,6 @@ tags: - WorkstationName - user - dest - risk_score: 49 security_domain: access tests: - name: True Positive Test
@@ -60,4 +59,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - update_timestamp: true
diff --git a/detections/deprecated/detect_api_activity_from_users_without_mfa.yml b/detections/deprecated/detect_api_activity_from_users_without_mfa.yml
index 6c3fe88e02..6088ce4a13 100644
--- a/detections/deprecated/detect_api_activity_from_users_without_mfa.yml
+++ b/detections/deprecated/detect_api_activity_from_users_without_mfa.yml
@@ -65,5 +65,4 @@ tags: - userIdentity.arn - userIdentity.type - user - risk_score: 25.0 security_domain: network
diff --git a/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml b/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml
index 81446134ca..8747d5e32c 100644
--- a/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml
+++ b/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml
@@ -69,5 +69,4 @@ tags: - userName - eventName - user - risk_score: 25.0 security_domain: access
diff --git a/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml b/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml
index a9790d8d06..f7e58b758b 100644
--- a/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml
+++ b/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml
@@ -65,5 +65,4 @@ tags: - DNS.src - DNS.query - host - risk_score: 25 security_domain: network
diff --git a/detections/deprecated/detect_long_dns_txt_record_response.yml b/detections/deprecated/detect_long_dns_txt_record_response.yml
index e25c45c902..028c0f219a 100644
--- a/detections/deprecated/detect_long_dns_txt_record_response.yml
+++ b/detections/deprecated/detect_long_dns_txt_record_response.yml
@@ -55,5 +55,4 @@ tags: - DNS.src - DNS.dest - DNS.answer - risk_score: 25 security_domain: network
diff --git a/detections/deprecated/detect_mimikatz_using_loaded_images.yml b/detections/deprecated/detect_mimikatz_using_loaded_images.yml
index 3d89d50c5d..27d7b0844d 100644
--- a/detections/deprecated/detect_mimikatz_using_loaded_images.yml
+++ b/detections/deprecated/detect_mimikatz_using_loaded_images.yml
@@ -62,7 +62,6 @@ tags: - ProcessId - dest - Image - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml b/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml
index 42f4e7c4f8..ee2c6ada0e 100644
--- a/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml
+++ b/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml
@@ -51,5 +51,4 @@ tags: - Message - dest - Process_ID - risk_score: 25 security_domain: access
diff --git a/detections/deprecated/detect_new_api_calls_from_user_roles.yml b/detections/deprecated/detect_new_api_calls_from_user_roles.yml
index 3c5e740357..8804dcf987 100644
--- a/detections/deprecated/detect_new_api_calls_from_user_roles.yml
+++ b/detections/deprecated/detect_new_api_calls_from_user_roles.yml
@@ -52,5 +52,4 @@ tags: - userIdentity.type - userName - eventName - risk_score: 25.0 security_domain: endpoint
diff --git a/detections/deprecated/detect_new_user_aws_console_login.yml b/detections/deprecated/detect_new_user_aws_console_login.yml
index 885f105987..3298ab9e81 100644
--- a/detections/deprecated/detect_new_user_aws_console_login.yml
+++ b/detections/deprecated/detect_new_user_aws_console_login.yml
@@ -49,5 +49,4 @@ tags: - _time - eventName - userIdentity.arn - risk_score: 25 security_domain: network
diff --git a/detections/deprecated/detect_spike_in_aws_api_activity.yml b/detections/deprecated/detect_spike_in_aws_api_activity.yml
index 719d463311..8a7c3df79f 100644
--- a/detections/deprecated/detect_spike_in_aws_api_activity.yml
+++ b/detections/deprecated/detect_spike_in_aws_api_activity.yml
@@ -71,5 +71,4 @@ tags: - _time - eventType - userIdentity.arn - risk_score: 25.0 security_domain: network
diff --git a/detections/deprecated/detect_spike_in_network_acl_activity.yml b/detections/deprecated/detect_spike_in_network_acl_activity.yml
index 8d1b7f6256..de528d6039 100644
--- a/detections/deprecated/detect_spike_in_network_acl_activity.yml
+++ b/detections/deprecated/detect_spike_in_network_acl_activity.yml
@@ -57,5 +57,4 @@ tags: required_fields: - _time - userIdentity.arn - risk_score: 25.0 security_domain: network
diff --git a/detections/deprecated/detect_spike_in_security_group_activity.yml b/detections/deprecated/detect_spike_in_security_group_activity.yml
index cd711e32c0..9b1a176e1b 100644
--- a/detections/deprecated/detect_spike_in_security_group_activity.yml
+++ b/detections/deprecated/detect_spike_in_security_group_activity.yml
@@ -58,5 +58,4 @@ tags: required_fields: - _time - serIdentity.arn - risk_score: 25.0 security_domain: network
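Review bot: The context line `- serIdentity.arn` in the `detect_spike_in_security_group_activity.yml` hunk (the last hunk on this line) is a misspelled field name that survives on the new side; the sibling `detect_spike_in_network_acl_activity.yml` hunk directly above lists `- userIdentity.arn`, which is what this entry should read. The same kind of slip appears further down in the `prohibited_software_on_endpoint.yml` hunk, where `required_fields` lists `- _times` while every other file on this page lists `- _time`. Both files are under `detections/deprecated/`, so the fix is low-stakes, but `required_fields` is presumably what downstream tooling reads to judge data-source coverage, so a misspelled name is silently wrong rather than loudly broken. The `tags:` mapping these entries belong to starts before each hunk.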
diff --git a/detections/deprecated/detect_usb_device_insertion.yml b/detections/deprecated/detect_usb_device_insertion.yml
index 57d3fcfd25..3c4aec67d6 100644
--- a/detections/deprecated/detect_usb_device_insertion.yml
+++ b/detections/deprecated/detect_usb_device_insertion.yml
@@ -48,5 +48,4 @@ tags: - All_Changes.result_id - All_Changes.src_priority - All_Changes.dest - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml b/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml
index 0c292e1500..095fa3a405 100644
--- a/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml
+++ b/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml
@@ -57,5 +57,4 @@ tags: - Web.status - Web.src - Web.dest - risk_score: 25 security_domain: network
diff --git a/detections/deprecated/detection_of_dns_tunnels.yml b/detections/deprecated/detection_of_dns_tunnels.yml
index 3a2068935d..26192acb37 100644
--- a/detections/deprecated/detection_of_dns_tunnels.yml
+++ b/detections/deprecated/detection_of_dns_tunnels.yml
@@ -70,5 +70,4 @@ tags: - DNS.message_type - DNS.src_category - DNS.src - risk_score: 25 security_domain: network
diff --git a/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml b/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml
index ec1b5aa5f3..74a1c21dce 100644
--- a/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml
+++ b/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml
@@ -46,5 +46,4 @@ tags: - DNS.src_category - DNS.src - DNS.dest - risk_score: 25 security_domain: network
diff --git a/detections/deprecated/dns_record_changed.yml b/detections/deprecated/dns_record_changed.yml
index 74f197f983..d08ac3ebd2 100644
--- a/detections/deprecated/dns_record_changed.yml
+++ b/detections/deprecated/dns_record_changed.yml
@@ -63,5 +63,4 @@ tags: - DNS.src - DNS.message_type - DNS.query - risk_score: 25 security_domain: network
diff --git a/detections/deprecated/dump_lsass_via_procdump_rename.yml b/detections/deprecated/dump_lsass_via_procdump_rename.yml
index 0c02f1f35d..e0a6e8caed 100644
--- a/detections/deprecated/dump_lsass_via_procdump_rename.yml
+++ b/detections/deprecated/dump_lsass_via_procdump_rename.yml
@@ -65,5 +65,4 @@ tags: - CommandLine - dest - parent_process_name - risk_score: 80 security_domain: endpoint
diff --git a/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml b/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml
index a112b4aeb5..8d68609f09 100644
--- a/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml
+++ b/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml
@@ -48,5 +48,4 @@ tags: - _time - errorCode - userIdentity.arn - risk_score: 25.0 security_domain: endpoint
diff --git a/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml b/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml
index 5e6b7cbd2c..1fefa28d6b 100644
--- a/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml
+++ b/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml
@@ -46,5 +46,4 @@ tags: required_fields: - _time - awsRegion - risk_score: 25.0 security_domain: network
diff --git a/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml b/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml
index 2da8ac4c33..45126cc09b 100644
--- a/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml
+++ b/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml
@@ -49,5 +49,4 @@ tags: - eventName - errorCode - requestParameters.instancesSet.items{}.imageId - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml b/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml
index b9c50ca772..95dbd4c60d 100644
--- a/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml
+++ b/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml
@@ -49,5 +49,4 @@ tags: - eventName - errorCode - requestParameters.instanceType - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml b/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml
index 4f84ff4173..f1c4fbb0dc 100644
--- a/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml
+++ b/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml
@@ -50,5 +50,4 @@ tags: - eventName - errorCode - userIdentity.arn - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/execution_of_file_with_spaces_before_extension.yml b/detections/deprecated/execution_of_file_with_spaces_before_extension.yml
index 94e32b07f4..b1a199684a 100644
--- a/detections/deprecated/execution_of_file_with_spaces_before_extension.yml
+++ b/detections/deprecated/execution_of_file_with_spaces_before_extension.yml
@@ -52,5 +52,4 @@ tags: - Processes.dest - Processes.user - Processes.process_name - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/extended_period_without_successful_netbackup_backups.yml b/detections/deprecated/extended_period_without_successful_netbackup_backups.yml
index 2714384690..b2694ce6e1 100644
--- a/detections/deprecated/extended_period_without_successful_netbackup_backups.yml
+++ b/detections/deprecated/extended_period_without_successful_netbackup_backups.yml
@@ -40,5 +40,4 @@ tags: - _time - MESSAGE - COMPUTERNAME - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/first_time_seen_command_line_argument.yml b/detections/deprecated/first_time_seen_command_line_argument.yml
index be5547908f..dfed617f11 100644
--- a/detections/deprecated/first_time_seen_command_line_argument.yml
+++ b/detections/deprecated/first_time_seen_command_line_argument.yml
@@ -64,5 +64,4 @@ tags: - Processes.process - Processes.parent_process_name - Processes.dest - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml b/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml
index 5ff224c42d..d2d27e9db2 100644
--- a/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml
+++ b/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml
@@ -51,5 +51,4 @@ tags: - data.protoPayload.authorizationInfo{}.resource - data.protoPayload.response.bindings{}.role - data.protoPayload.response.bindings{}.members{} - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml b/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml
index d6296abe00..60d0070565 100644
--- a/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml
+++ b/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml
@@ -50,5 +50,4 @@ tags: - data.protoPayload.authorizationInfo{}.permission - data.protoPayload.response.bindings{}.members{} - data.resource.labels.project_id - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/gcp_detect_oauth_token_abuse.yml b/detections/deprecated/gcp_detect_oauth_token_abuse.yml
index 7f4f9ace51..552c79d526 100644
--- a/detections/deprecated/gcp_detect_oauth_token_abuse.yml
+++ b/detections/deprecated/gcp_detect_oauth_token_abuse.yml
@@ -40,5 +40,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml b/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml
index a8438aaf43..4941553261 100644
--- a/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml
+++ b/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml
@@ -44,5 +44,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/identify_new_user_accounts.yml b/detections/deprecated/identify_new_user_accounts.yml
index b15a6ad266..7d1ebeaec2 100644
--- a/detections/deprecated/identify_new_user_accounts.yml
+++ b/detections/deprecated/identify_new_user_accounts.yml
@@ -39,5 +39,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: access
diff --git a/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml b/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml
index e1f373342f..c9b2455a51 100644
--- a/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml
+++ b/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml
@@ -34,5 +34,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml b/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml
index 88588c2b68..1706749202 100644
--- a/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml
+++ b/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml
@@ -36,5 +36,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
\ No newline at end of file
diff --git a/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml
index 7d39a1e05b..259e1a0308 100644
--- a/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml
+++ b/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml
@@ -35,5 +35,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml b/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml
index 3c8de81590..491c023d51 100644
--- a/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml
+++ b/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml
@@ -36,5 +36,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml b/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml
index a47c5faaa9..3eac7b96a2 100644
--- a/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml
+++ b/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml
@@ -36,5 +36,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml b/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml
index e32599cc0f..1f327bc972 100644
--- a/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml
+++ b/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml
@@ -36,5 +36,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml b/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml
index ec893ba9e6..6f04bec605 100644
--- a/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml
+++ b/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml
@@ -35,5 +35,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml
index 6534ebeab7..7205a7b32c 100644
--- a/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml
+++ b/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml
@@ -35,5 +35,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml b/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml
index 10f8580344..c606f131ce 100644
--- a/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml
+++ b/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml
@@ -35,5 +35,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml b/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml
index 290d6a258e..30559a8e54 100644
--- a/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml
+++ b/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml
@@ -38,5 +38,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml b/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml
index ef66c8e12a..4ddd7a4b87 100644
--- a/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml
+++ b/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml
@@ -35,5 +35,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_scan_fingerprint.yml b/detections/deprecated/kubernetes_azure_scan_fingerprint.yml
index 9d501762dd..b6bc27ae53 100644
--- a/detections/deprecated/kubernetes_azure_scan_fingerprint.yml
+++ b/detections/deprecated/kubernetes_azure_scan_fingerprint.yml
@@ -37,5 +37,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml b/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml
index 41fc0d44e2..210988ef2b 100644
--- a/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml
@@ -36,5 +36,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml b/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml
index c944e6a2c8..2a016c11c2 100644
--- a/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml
@@ -36,5 +36,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml b/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml
index c32a2b9b1a..f8af20f5ce 100644
--- a/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml
@@ -36,5 +36,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml
index dde0aacc73..73fdf94b3d 100644
--- a/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml
@@ -36,5 +36,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml b/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml
index a13963dfde..0835be2f88 100644
--- a/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml
@@ -38,5 +38,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml b/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml
index 7b369dd41f..5670a72df0 100644
--- a/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml
@@ -37,5 +37,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/monitor_dns_for_brand_abuse.yml b/detections/deprecated/monitor_dns_for_brand_abuse.yml
index 9f351633a1..6eb83a8c31 100644
--- a/detections/deprecated/monitor_dns_for_brand_abuse.yml
+++ b/detections/deprecated/monitor_dns_for_brand_abuse.yml
@@ -43,5 +43,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: network
diff --git a/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml b/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml
index 26d54ddf4c..ab54b90ee0 100644
--- a/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml
+++ b/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml
@@ -59,7 +59,6 @@ tags: - displayMessage - eventType - outcome.result - risk_score: 9 security_domain: access tests: - name: True Positive Test
diff --git a/detections/deprecated/o365_suspicious_admin_email_forwarding.yml b/detections/deprecated/o365_suspicious_admin_email_forwarding.yml
index 28373c5a4b..95ebe3698a 100644
--- a/detections/deprecated/o365_suspicious_admin_email_forwarding.yml
+++ b/detections/deprecated/o365_suspicious_admin_email_forwarding.yml
@@ -44,7 +44,6 @@ tags: - _time - Operation - Parameters - risk_score: 48 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/deprecated/o365_suspicious_rights_delegation.yml b/detections/deprecated/o365_suspicious_rights_delegation.yml
index 92d7ea1cb0..311b0ad671 100644
--- a/detections/deprecated/o365_suspicious_rights_delegation.yml
+++ b/detections/deprecated/o365_suspicious_rights_delegation.yml
@@ -45,7 +45,6 @@ tags: - _time - Operation - Parameters - risk_score: 48 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/deprecated/o365_suspicious_user_email_forwarding.yml b/detections/deprecated/o365_suspicious_user_email_forwarding.yml
index 69cc73978f..b436cb51d4 100644
--- a/detections/deprecated/o365_suspicious_user_email_forwarding.yml
+++ b/detections/deprecated/o365_suspicious_user_email_forwarding.yml
@@ -47,7 +47,6 @@ tags: - _time - Operation - Parameters - risk_score: 48 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/deprecated/okta_account_locked_out.yml b/detections/deprecated/okta_account_locked_out.yml
index 1c40467302..862d9d1179 100644
--- a/detections/deprecated/okta_account_locked_out.yml
+++ b/detections/deprecated/okta_account_locked_out.yml
@@ -46,7 +46,6 @@ tags: - src_ip - eventType - status - risk_score: 64 security_domain: access tests: - name: True Positive Test
diff --git a/detections/deprecated/okta_account_lockout_events.yml b/detections/deprecated/okta_account_lockout_events.yml
index 589d968df0..c8df6c5e9d 100644
--- a/detections/deprecated/okta_account_lockout_events.yml
+++ b/detections/deprecated/okta_account_lockout_events.yml
@@ -56,7 +56,6 @@ tags: - client.geographicalContext.city - src_ip - src_user - risk_score: 25 security_domain: access tests: - name: True Positive Test
diff --git a/detections/deprecated/okta_failed_sso_attempts.yml b/detections/deprecated/okta_failed_sso_attempts.yml
index 22f2a00260..cba99c304a 100644
--- a/detections/deprecated/okta_failed_sso_attempts.yml
+++ b/detections/deprecated/okta_failed_sso_attempts.yml
@@ -43,5 +43,4 @@ tags: - src_user - result - src_ip - risk_score: 16 security_domain: access
diff --git a/detections/deprecated/okta_threatinsight_login_failure_with_high_unknown_users.yml b/detections/deprecated/okta_threatinsight_login_failure_with_high_unknown_users.yml
index 48d89eacb2..cd85995570 100644
--- a/detections/deprecated/okta_threatinsight_login_failure_with_high_unknown_users.yml
+++ b/detections/deprecated/okta_threatinsight_login_failure_with_high_unknown_users.yml
@@ -45,5 +45,4 @@ tags: - client.userAgent.browser - outcome.reason - displayMessage - risk_score: 50 security_domain: access
diff --git a/detections/deprecated/okta_threatinsight_suspected_passwordspray_attack.yml b/detections/deprecated/okta_threatinsight_suspected_passwordspray_attack.yml
index d830554197..6b35d8d7f2 100644
--- a/detections/deprecated/okta_threatinsight_suspected_passwordspray_attack.yml
+++ b/detections/deprecated/okta_threatinsight_suspected_passwordspray_attack.yml
@@ -46,5 +46,4 @@ tags: - client.userAgent.browser - outcome.reason - displayMessage - risk_score: 60 security_domain: access
diff --git a/detections/deprecated/okta_two_or_more_rejected_okta_pushes.yml b/detections/deprecated/okta_two_or_more_rejected_okta_pushes.yml
index b93d300b5d..350d8000c3 100644
--- a/detections/deprecated/okta_two_or_more_rejected_okta_pushes.yml
+++ b/detections/deprecated/okta_two_or_more_rejected_okta_pushes.yml
@@ -53,5 +53,4 @@ tags: - src_ip - eventType - status - risk_score: 64 security_domain: access
diff --git a/detections/deprecated/osquery_pack___coldroot_detection.yml b/detections/deprecated/osquery_pack___coldroot_detection.yml
index cacc2e6048..ca09456990 100644
--- a/detections/deprecated/osquery_pack___coldroot_detection.yml
+++ b/detections/deprecated/osquery_pack___coldroot_detection.yml
@@ -39,5 +39,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/processes_created_by_netsh.yml b/detections/deprecated/processes_created_by_netsh.yml
index 53d46eb369..7a7d7d0297 100644
--- a/detections/deprecated/processes_created_by_netsh.yml
+++ b/detections/deprecated/processes_created_by_netsh.yml
@@ -57,5 +57,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/prohibited_software_on_endpoint.yml b/detections/deprecated/prohibited_software_on_endpoint.yml
index 49935603d1..9271abe7e7 100644
--- a/detections/deprecated/prohibited_software_on_endpoint.yml
+++ b/detections/deprecated/prohibited_software_on_endpoint.yml
@@ -48,5 +48,4 @@ tags: - Splunk Cloud required_fields: - _times - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml b/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml
index 5b575ca1db..321741d2f4 100644
--- a/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml
+++ b/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml
@@ -52,5 +52,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/remote_registry_key_modifications.yml b/detections/deprecated/remote_registry_key_modifications.yml
index ded756a184..31414be5c0 100644
--- a/detections/deprecated/remote_registry_key_modifications.yml
+++ b/detections/deprecated/remote_registry_key_modifications.yml
@@ -45,5 +45,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml b/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml
index ea81ef6de4..a76f190878 100644
--- a/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml
+++ b/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml
@@ -51,5 +51,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml b/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml
index b8a24e348b..acf9e30b92 100644
--- a/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml
+++ b/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml
@@ -38,5 +38,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/suspicious_changes_to_file_associations.yml b/detections/deprecated/suspicious_changes_to_file_associations.yml
index a19f6078fd..ff7f47875b 100644
--- a/detections/deprecated/suspicious_changes_to_file_associations.yml
+++ b/detections/deprecated/suspicious_changes_to_file_associations.yml
@@ -53,5 +53,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/suspicious_email___uba_anomaly.yml b/detections/deprecated/suspicious_email___uba_anomaly.yml
index 4b38e9f961..7bfb1771fa 100644
--- a/detections/deprecated/suspicious_email___uba_anomaly.yml
+++ b/detections/deprecated/suspicious_email___uba_anomaly.yml
@@ -45,5 +45,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: threat
diff --git a/detections/deprecated/suspicious_file_write.yml b/detections/deprecated/suspicious_file_write.yml
index ea13940470..5a7cc6bfe8 100644
--- a/detections/deprecated/suspicious_file_write.yml
+++ b/detections/deprecated/suspicious_file_write.yml
@@ -47,5 +47,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/suspicious_powershell_command_line_arguments.yml b/detections/deprecated/suspicious_powershell_command_line_arguments.yml
index 1d02ccddfa..dac08116bd 100644
--- a/detections/deprecated/suspicious_powershell_command_line_arguments.yml
+++ b/detections/deprecated/suspicious_powershell_command_line_arguments.yml
@@ -58,5 +58,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/suspicious_rundll32_rename.yml b/detections/deprecated/suspicious_rundll32_rename.yml
index 015dddaa02..3eeec3e17b 100644
--- a/detections/deprecated/suspicious_rundll32_rename.yml
+++ b/detections/deprecated/suspicious_rundll32_rename.yml
@@ -73,5 +73,4 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint
diff --git a/detections/deprecated/suspicious_writes_to_system_volume_information.yml b/detections/deprecated/suspicious_writes_to_system_volume_information.yml
index 6ef978bb17..3be191df09 100644
--- a/detections/deprecated/suspicious_writes_to_system_volume_information.yml
+++ b/detections/deprecated/suspicious_writes_to_system_volume_information.yml
@@ -40,5 +40,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/uncommon_processes_on_endpoint.yml b/detections/deprecated/uncommon_processes_on_endpoint.yml
index 0a55effb55..d86124889f 100644
--- a/detections/deprecated/uncommon_processes_on_endpoint.yml
+++ b/detections/deprecated/uncommon_processes_on_endpoint.yml
@@ -46,5 +46,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/unsigned_image_loaded_by_lsass.yml b/detections/deprecated/unsigned_image_loaded_by_lsass.yml
index 226b011c06..a321232565 100644
--- a/detections/deprecated/unsigned_image_loaded_by_lsass.yml
+++ b/detections/deprecated/unsigned_image_loaded_by_lsass.yml
@@ -43,5 +43,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint
diff --git a/detections/deprecated/unsuccessful_netbackup_backups.yml b/detections/deprecated/unsuccessful_netbackup_backups.yml
index 60af44671d..de4abf771a 100644
--- a/detections/deprecated/unsuccessful_netbackup_backups.yml
+++ b/detections/deprecated/unsuccessful_netbackup_backups.yml
@@ -36,5 +36,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/web_fraud___account_harvesting.yml b/detections/deprecated/web_fraud___account_harvesting.yml index 18acd9b5dc..da68ba7455 100644 --- a/detections/deprecated/web_fraud___account_harvesting.yml +++ b/detections/deprecated/web_fraud___account_harvesting.yml @@ -58,5 +58,4 @@ tags: - http_content_type - uri - cookie - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml b/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml index 6404ea2744..5a41ac8575 100644 --- a/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml +++ b/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml @@ -53,5 +53,4 @@ tags: - _time - http_content_type - cookie - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/web_fraud___password_sharing_across_accounts.yml b/detections/deprecated/web_fraud___password_sharing_across_accounts.yml index 9c212c0df9..e4d4067892 100644 --- a/detections/deprecated/web_fraud___password_sharing_across_accounts.yml +++ b/detections/deprecated/web_fraud___password_sharing_across_accounts.yml @@ -46,5 +46,4 @@ tags: - _time - http_content_type - uri - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/windows_connhost_exe_started_forcefully.yml b/detections/deprecated/windows_connhost_exe_started_forcefully.yml index 8f3fcab9fe..ba21175a21 100644 --- a/detections/deprecated/windows_connhost_exe_started_forcefully.yml +++ b/detections/deprecated/windows_connhost_exe_started_forcefully.yml @@ -49,5 +49,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml b/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml index d81b9ab21e..d2310c8a78 100644 
--- a/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml +++ b/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml @@ -72,7 +72,6 @@ tags: - Processes.parent_process_name - Processes.process_name - Processes.process_path - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test @@ -80,4 +79,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/deprecated/windows_hosts_file_modification.yml b/detections/deprecated/windows_hosts_file_modification.yml index aa710401cf..0572ec412e 100644 --- a/detections/deprecated/windows_hosts_file_modification.yml +++ b/detections/deprecated/windows_hosts_file_modification.yml @@ -41,5 +41,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml b/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml index e14aa34e3d..05be074205 100644 --- a/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml +++ b/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml @@ -58,7 +58,6 @@ tags: - DNS.src - DNS.query - _time - risk_score: 100 security_domain: network tests: - name: True Positive Test diff --git a/detections/endpoint/7zip_commandline_to_smb_share_path.yml b/detections/endpoint/7zip_commandline_to_smb_share_path.yml index b065f64bc2..6741287c13 100644 --- a/detections/endpoint/7zip_commandline_to_smb_share_path.yml +++ b/detections/endpoint/7zip_commandline_to_smb_share_path.yml @@ -71,7 +71,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test 
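Review bot: The second windows_dll_search_order_hijacking_hunt hunk removes `- update_timestamp: true` from the test's attack_data entry, so the replayed Sysmon log presumably keeps its original event timestamps; if the detection still searches a relative earliest/latest window, the true-positive test may return zero events, and whether that surfaces as a failure depends on how the runner treats an empty result. The bcdedit_failure_recovery_modification hunk further down drops the same key. If the field was removed because the test schema no longer supports it, one sentence in the commit description saying so would spare the next reader the check; otherwise confirm both tests still produce a hit.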
diff --git a/detections/endpoint/access_lsass_memory_for_dump_creation.yml b/detections/endpoint/access_lsass_memory_for_dump_creation.yml index 0c282ff14a..122c00d275 100644 --- a/detections/endpoint/access_lsass_memory_for_dump_creation.yml +++ b/detections/endpoint/access_lsass_memory_for_dump_creation.yml @@ -64,7 +64,6 @@ tags: - TargetProcessId - SourceImage - SourceProcessId - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/account_discovery_with_net_app.yml b/detections/endpoint/account_discovery_with_net_app.yml index bf8e536cbc..2786b7c9cf 100644 --- a/detections/endpoint/account_discovery_with_net_app.yml +++ b/detections/endpoint/account_discovery_with_net_app.yml @@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 5 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/active_directory_lateral_movement_identified.yml b/detections/endpoint/active_directory_lateral_movement_identified.yml index 461d0227f5..d3dd117cb7 100644 --- a/detections/endpoint/active_directory_lateral_movement_identified.yml +++ b/detections/endpoint/active_directory_lateral_movement_identified.yml @@ -68,7 +68,6 @@ tags: - All_Risk.risk_object_type - All_Risk.risk_object - All_Risk.annotations.mitre_attack.mitre_tactic - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/active_directory_privilege_escalation_identified.yml b/detections/endpoint/active_directory_privilege_escalation_identified.yml index f22fc57f3e..96375d5456 100644 --- a/detections/endpoint/active_directory_privilege_escalation_identified.yml +++ b/detections/endpoint/active_directory_privilege_escalation_identified.yml 
@@ -68,7 +68,6 @@ tags: - All_Risk.risk_object_type - All_Risk.risk_object - All_Risk.annotations.mitre_attack.mitre_tactic - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml index 35414f35ac..205a5a7a18 100644 --- a/detections/endpoint/active_setup_registry_autostart.yml +++ b/detections/endpoint/active_setup_registry_autostart.yml @@ -64,7 +64,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml index 549e04b2db..2e08f8e72f 100644 --- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml +++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml @@ -59,7 +59,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml index 82a65ac702..0a84529841 100644 --- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml +++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml @@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/adsisearcher_account_discovery.yml b/detections/endpoint/adsisearcher_account_discovery.yml index caeba199f2..369c6e0291 100644 --- a/detections/endpoint/adsisearcher_account_discovery.yml +++ b/detections/endpoint/adsisearcher_account_discovery.yml 
@@ -61,7 +61,6 @@ tags: - Message - ComputerName - User - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml index 5a2ac8f40d..f2bce14910 100644 --- a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml +++ b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml @@ -76,7 +76,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml index 7ad7cf43f9..02cbe89c7e 100644 --- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml +++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml @@ -67,7 +67,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml index e5c93cfb36..fc76e03e28 100644 --- a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml +++ b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml @@ -55,7 +55,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 3 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/allow_network_discovery_in_firewall.yml b/detections/endpoint/allow_network_discovery_in_firewall.yml index e56d04a430..4755148e18 100644 --- a/detections/endpoint/allow_network_discovery_in_firewall.yml +++ b/detections/endpoint/allow_network_discovery_in_firewall.yml 
@@ -74,7 +74,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml index d8e68c1d61..698fe10833 100644 --- a/detections/endpoint/allow_operation_with_consent_admin.yml +++ b/detections/endpoint/allow_operation_with_consent_admin.yml @@ -66,7 +66,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index 8244563d1b..3661f40f1d 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml @@ -84,7 +84,6 @@ tags: - Processes.parent_process - Processes.process_id - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml index c76c357157..d65908f210 100644 --- a/detections/endpoint/any_powershell_downloadfile.yml +++ b/detections/endpoint/any_powershell_downloadfile.yml @@ -94,7 +94,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/any_powershell_downloadstring.yml b/detections/endpoint/any_powershell_downloadstring.yml index 56a372e004..d9d211e5a7 100644 --- a/detections/endpoint/any_powershell_downloadstring.yml +++ b/detections/endpoint/any_powershell_downloadstring.yml 
@@ -95,7 +95,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/attacker_tools_on_endpoint.yml b/detections/endpoint/attacker_tools_on_endpoint.yml index 8a7e564e20..8a49beb9b1 100644 --- a/detections/endpoint/attacker_tools_on_endpoint.yml +++ b/detections/endpoint/attacker_tools_on_endpoint.yml @@ -69,7 +69,6 @@ tags: - Processes.user - Processes.process_name - Processes.parent_process - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml index 945ee8c019..b99b40d5d3 100644 --- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml +++ b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml @@ -73,7 +73,6 @@ tags: - Processes.parent_process - Processes.process_id - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/attempt_to_stop_security_service.yml b/detections/endpoint/attempt_to_stop_security_service.yml index 247d5e8c65..974eab3c73 100644 --- a/detections/endpoint/attempt_to_stop_security_service.yml +++ b/detections/endpoint/attempt_to_stop_security_service.yml @@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml index 8a14856d49..0f7fb7fbb7 100644 --- a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml +++ b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml 
@@ -88,7 +88,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml index 45f2adea93..b86f904b90 100644 --- a/detections/endpoint/auto_admin_logon_registry_entry.yml +++ b/detections/endpoint/auto_admin_logon_registry_entry.yml @@ -60,7 +60,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/batch_file_write_to_system32.yml b/detections/endpoint/batch_file_write_to_system32.yml index 6f0cad7956..6f0e12887d 100644 --- a/detections/endpoint/batch_file_write_to_system32.yml +++ b/detections/endpoint/batch_file_write_to_system32.yml @@ -79,7 +79,6 @@ tags: - Processes.process_guid - Processes.dest - Processes.process_name - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml index adaef8948f..0c2224bf46 100644 --- a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml +++ b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml @@ -66,7 +66,6 @@ tags: - Processes.parent_process - Processes.dest - Processes.user - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/bcdedit_failure_recovery_modification.yml b/detections/endpoint/bcdedit_failure_recovery_modification.yml index 32a3673216..979c25e75f 100644 --- a/detections/endpoint/bcdedit_failure_recovery_modification.yml +++ b/detections/endpoint/bcdedit_failure_recovery_modification.yml 
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test @@ -84,4 +83,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/bits_job_persistence.yml b/detections/endpoint/bits_job_persistence.yml index 4379bb93ab..bacc6e0f54 100644 --- a/detections/endpoint/bits_job_persistence.yml +++ b/detections/endpoint/bits_job_persistence.yml @@ -86,7 +86,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml index 33f0bd5274..2a921fa3c4 100644 --- a/detections/endpoint/bitsadmin_download_file.yml +++ b/detections/endpoint/bitsadmin_download_file.yml @@ -90,7 +90,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml index 89e47268a2..f836f39503 100644 --- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml @@ -89,7 +89,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml index 57af0886fa..9d54d18ac2 100644 --- a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml @@ -86,7 +86,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/certutil_exe_certificate_extraction.yml b/detections/endpoint/certutil_exe_certificate_extraction.yml index f84a08cd1c..8866f31f3f 100644 --- a/detections/endpoint/certutil_exe_certificate_extraction.yml +++ b/detections/endpoint/certutil_exe_certificate_extraction.yml @@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml index b5efcb0b87..18fd0c0e4e 100644 --- a/detections/endpoint/certutil_with_decode_argument.yml +++ b/detections/endpoint/certutil_with_decode_argument.yml @@ -91,7 +91,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/change_default_file_association.yml b/detections/endpoint/change_default_file_association.yml index 7dd89984e1..d97d417e64 100644 --- a/detections/endpoint/change_default_file_association.yml +++ b/detections/endpoint/change_default_file_association.yml @@ -66,7 +66,6 @@ tags: - Registry.registry_path - Registry.registry_key_name - Registry.registry_value_name - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/change_to_safe_mode_with_network_config.yml b/detections/endpoint/change_to_safe_mode_with_network_config.yml index ccf84c1fe2..b0b960c817 100644 --- a/detections/endpoint/change_to_safe_mode_with_network_config.yml +++ b/detections/endpoint/change_to_safe_mode_with_network_config.yml @@ -65,7 +65,6 @@ tags: - Processes.parent_process - Processes.dest - Processes.user - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml index fb247f8443..9ec8753d8b 100644 --- a/detections/endpoint/chcp_command_execution.yml +++ b/detections/endpoint/chcp_command_execution.yml @@ -73,7 +73,6 @@ tags: - parent_process_id - dest - user - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml index f9d98c1330..507e1cc1d2 100644 --- a/detections/endpoint/check_elevated_cmd_using_whoami.yml +++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml @@ -64,7 +64,6 @@ tags: - Processes.process - Processes.dest - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/child_processes_of_spoolsv_exe.yml b/detections/endpoint/child_processes_of_spoolsv_exe.yml index af335b10da..136356289c 100644 --- a/detections/endpoint/child_processes_of_spoolsv_exe.yml +++ b/detections/endpoint/child_processes_of_spoolsv_exe.yml @@ -71,5 +71,4 @@ tags: - Processes.dest - Processes.parent_process - Processes.user - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml index 33233fc057..8a87a67997 100644 --- a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml 
+++ b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml @@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/clop_common_exec_parameter.yml b/detections/endpoint/clop_common_exec_parameter.yml index e01280c1e6..1b77bb7b38 100644 --- a/detections/endpoint/clop_common_exec_parameter.yml +++ b/detections/endpoint/clop_common_exec_parameter.yml @@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/clop_ransomware_known_service_name.yml b/detections/endpoint/clop_ransomware_known_service_name.yml index 29ccc9225f..5f652878cd 100644 --- a/detections/endpoint/clop_ransomware_known_service_name.yml +++ b/detections/endpoint/clop_ransomware_known_service_name.yml @@ -52,7 +52,6 @@ tags: - process_name - OriginalFileName - process_path - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index 4566f7c623..3d16af5029 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml @@ -59,7 +59,6 @@ tags: - CISA AA23-347A - Data Destruction asset_type: Endpoint - automated_detection_testing: passed confidence: 50 cve: - CVE-2021-44228 @@ -93,7 +92,6 @@ tags: - Processes.user - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/cmd_echo_pipe___escalation.yml b/detections/endpoint/cmd_echo_pipe___escalation.yml index d2531d3245..0ba1c02bb1 100644 
--- a/detections/endpoint/cmd_echo_pipe___escalation.yml +++ b/detections/endpoint/cmd_echo_pipe___escalation.yml @@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml index 4a0cdfcd86..5153aeaf41 100644 --- a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml +++ b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml @@ -97,7 +97,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index e578c0bcd9..fa5fdbd6fa 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml @@ -58,7 +58,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml index 3a60b52502..358600bb32 100644 --- a/detections/endpoint/cobalt_strike_named_pipes.yml +++ b/detections/endpoint/cobalt_strike_named_pipes.yml @@ -72,7 +72,6 @@ tags: - process_name - process_path - process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/common_ransomware_extensions.yml b/detections/endpoint/common_ransomware_extensions.yml index 0aded4d1e3..013702c156 100644 --- a/detections/endpoint/common_ransomware_extensions.yml +++ b/detections/endpoint/common_ransomware_extensions.yml 
@@ -70,7 +70,6 @@ tags: - Filesystem.dest - Filesystem.file_path - Filesystem.file_name - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/common_ransomware_notes.yml b/detections/endpoint/common_ransomware_notes.yml index 289ec69c0a..98de55d4e8 100644 --- a/detections/endpoint/common_ransomware_notes.yml +++ b/detections/endpoint/common_ransomware_notes.yml @@ -66,7 +66,6 @@ tags: - Filesystem.dest - Filesystem.file_path - Filesystem.file_name - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal.yml b/detections/endpoint/connectwise_screenconnect_path_traversal.yml index e8c22ba833..d831b9f66e 100644 --- a/detections/endpoint/connectwise_screenconnect_path_traversal.yml +++ b/detections/endpoint/connectwise_screenconnect_path_traversal.yml @@ -60,7 +60,6 @@ tags: - Filesystem.file_name - Filesystem.file_path - Filesystem.dest - risk_score: 100 security_domain: endpoint cve: - CVE-2024-1708 diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml index 8dfdb15d92..263ffbe61f 100644 --- a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml +++ b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml @@ -59,7 +59,6 @@ tags: - EventCode - Computer - Caller_User_Name - risk_score: 100 security_domain: endpoint cve: - CVE-2024-1708 diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml index 1eee21b88d..396678c308 100644 --- a/detections/endpoint/conti_common_exec_parameter.yml +++ b/detections/endpoint/conti_common_exec_parameter.yml 
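Review bot: In both connectwise_screenconnect_path_traversal hunks the `cve:` list sits after `security_domain`, whereas the cmd_carry_out_string_command_parameter hunk above keeps `cve` in its alphabetical slot directly after `confidence`; since this commit already normalises the `tags` block, moving `cve:` / `- CVE-2024-1708` up to that position would keep key order consistent across detections. This is style only — the mapping is unordered, so nothing changes at build time.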
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/control_loading_from_world_writable_directory.yml b/detections/endpoint/control_loading_from_world_writable_directory.yml index ba1397c567..dd27fa5e19 100644 --- a/detections/endpoint/control_loading_from_world_writable_directory.yml +++ b/detections/endpoint/control_loading_from_world_writable_directory.yml @@ -89,7 +89,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml b/detections/endpoint/create_local_admin_accounts_using_net_exe.yml index ba8cbe5360..0d8d9ed2ad 100644 --- a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml +++ b/detections/endpoint/create_local_admin_accounts_using_net_exe.yml @@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml index 035e064567..c16bff0e5a 100644 --- a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml +++ b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml @@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/create_remote_thread_in_shell_application.yml b/detections/endpoint/create_remote_thread_in_shell_application.yml index 5266ae0b5d..d57f11b5cd 100644 
--- a/detections/endpoint/create_remote_thread_in_shell_application.yml +++ b/detections/endpoint/create_remote_thread_in_shell_application.yml @@ -61,7 +61,6 @@ tags: - StartAddress - EventCode - dest - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml index ea1084f575..ddf0e5b492 100644 --- a/detections/endpoint/create_remote_thread_into_lsass.yml +++ b/detections/endpoint/create_remote_thread_into_lsass.yml @@ -61,7 +61,6 @@ tags: - TargetImage - TargetProcessId - dest - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml index b1c933f75b..c67f3cc46e 100644 --- a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml +++ b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml @@ -58,7 +58,6 @@ tags: - TargetFilename - dest - object_category - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/creation_of_shadow_copy.yml b/detections/endpoint/creation_of_shadow_copy.yml index 8f8a9ba2d2..3e44cc5e16 100644 --- a/detections/endpoint/creation_of_shadow_copy.yml +++ b/detections/endpoint/creation_of_shadow_copy.yml @@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml index 70575f4245..e4b04158e0 100644 --- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml +++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml 
@@ -70,7 +70,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
index 52246deb24..6c5ee73835 100644
--- a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
+++ b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
@@ -75,7 +75,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
index dbb443f677..dd820ba24e 100644
--- a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
+++ b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
@@ -67,7 +67,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_admin_weak_password_policy.yml b/detections/endpoint/crowdstrike_admin_weak_password_policy.yml
index d06b56996c..b38d75adad 100644
--- a/detections/endpoint/crowdstrike_admin_weak_password_policy.yml
+++ b/detections/endpoint/crowdstrike_admin_weak_password_policy.yml
@@ -49,7 +49,6 @@ tags:
- accounts{}.domain
- accounts{}.dn
- accounts{}.samAccountName
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml b/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml
index c0280b56b7..710c76ff7d 100644
--- a/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml
+++ b/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml
@@ -48,7 +48,6 @@ tags:
- accounts{}.domain
- accounts{}.dn
- accounts{}.samAccountName
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_high_identity_risk_severity.yml b/detections/endpoint/crowdstrike_high_identity_risk_severity.yml
index 31137e1d61..65061e6cf5 100644
--- a/detections/endpoint/crowdstrike_high_identity_risk_severity.yml
+++ b/detections/endpoint/crowdstrike_high_identity_risk_severity.yml
@@ -48,7 +48,6 @@ tags:
- accounts{}.domain
- accounts{}.dn
- accounts{}.samAccountName
- risk_score: 90
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml b/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml
index d07b0f86aa..97a67e1ba8 100644
--- a/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml
+++ b/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml
@@ -48,7 +48,6 @@ tags:
- accounts{}.domain
- accounts{}.dn
- accounts{}.samAccountName
- risk_score: 70
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_medium_severity_alert.yml b/detections/endpoint/crowdstrike_medium_severity_alert.yml
index c71c3192db..e73f2a4353 100644
--- a/detections/endpoint/crowdstrike_medium_severity_alert.yml
+++ b/detections/endpoint/crowdstrike_medium_severity_alert.yml
@@ -50,7 +50,6 @@ tags:
- event.IncidentType
- event.NumbersOfAlerts
- event.SeverityName
- risk_score: 49
security_domain: endpoint
manual_test: This detection is marked manual test because the attack_data file and TA do not provide the event.EndpointIp and event.EndpointName fields. event.EndpointName
diff --git a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
index dd22106a7f..4b6965ba20 100644
--- a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
+++ b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
@@ -52,7 +52,6 @@ tags:
- event.IncidentType
- event.NumbersOfAlerts
- event.SeverityName
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
index b02ac4a1ad..1966cf57ea 100644
--- a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
+++ b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
@@ -50,7 +50,6 @@ tags:
- event.IncidentType
- event.NumbersOfAlerts
- event.SeverityName
- risk_score: 49
security_domain: endpoint
manual_test: This detection is marked manual test because the attack_data file and TA do not provide the event.EndpointIp and event.EndpointName fields. event.EndpointName
diff --git a/detections/endpoint/crowdstrike_user_weak_password_policy.yml b/detections/endpoint/crowdstrike_user_weak_password_policy.yml
index c2b09d2c12..d0c58be96f 100644
--- a/detections/endpoint/crowdstrike_user_weak_password_policy.yml
+++ b/detections/endpoint/crowdstrike_user_weak_password_policy.yml
@@ -50,7 +50,6 @@ tags:
- accounts{}.domain
- accounts{}.dn
- accounts{}.samAccountName
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
index b7ae4192aa..895fbfa9f5 100644
--- a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
+++ b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
@@ -49,7 +49,6 @@ tags:
- accounts{}.domain
- accounts{}.dn
- accounts{}.samAccountName
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/csc_net_on_the_fly_compilation.yml b/detections/endpoint/csc_net_on_the_fly_compilation.yml
index c768549ae9..541e65c30d 100644
--- a/detections/endpoint/csc_net_on_the_fly_compilation.yml
+++ b/detections/endpoint/csc_net_on_the_fly_compilation.yml
@@ -68,7 +68,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/curl_download_and_bash_execution.yml b/detections/endpoint/curl_download_and_bash_execution.yml
index 233013ef6c..35a738cb78 100644
--- a/detections/endpoint/curl_download_and_bash_execution.yml
+++ b/detections/endpoint/curl_download_and_bash_execution.yml
@@ -81,7 +81,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/endpoint/delete_shadowcopy_with_powershell.yml
index 4e9538f69c..088f1608db 100644
--- a/detections/endpoint/delete_shadowcopy_with_powershell.yml
+++ b/detections/endpoint/delete_shadowcopy_with_powershell.yml
@@ -59,7 +59,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/deleting_of_net_users.yml b/detections/endpoint/deleting_of_net_users.yml
index c995182dc3..ef95a7c1af 100644
--- a/detections/endpoint/deleting_of_net_users.yml
+++ b/detections/endpoint/deleting_of_net_users.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/deleting_shadow_copies.yml b/detections/endpoint/deleting_shadow_copies.yml
index 73b759ca68..1a8bcd3951 100644
--- a/detections/endpoint/deleting_shadow_copies.yml
+++ b/detections/endpoint/deleting_shadow_copies.yml
@@ -91,7 +91,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml
index a828f071f7..fbb340d540 100644
--- a/detections/endpoint/detect_azurehound_command_line_arguments.yml
+++ b/detections/endpoint/detect_azurehound_command_line_arguments.yml
@@ -87,7 +87,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_azurehound_file_modifications.yml b/detections/endpoint/detect_azurehound_file_modifications.yml
index e65d2bf826..8d849607a3 100644
--- a/detections/endpoint/detect_azurehound_file_modifications.yml
+++ b/detections/endpoint/detect_azurehound_file_modifications.yml
@@ -70,7 +70,6 @@ tags:
- file_name
- process_id
- file_create_time
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml
index 678bd5d60b..0df62b19e1 100644
--- a/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml
+++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml
@@ -37,5 +37,4 @@ tags:
- Splunk Cloud
required_fields:
- _time
- risk_score: 25
security_domain: endpoint
diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml
index 1fa46b7c0d..5ec98dcb13 100644
--- a/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml
+++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml
@@ -41,5 +41,4 @@ tags:
required_fields:
- _time
- host
- risk_score: 25
security_domain: endpoint
diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml
index 1158e312ba..02c9ddba55 100644
--- a/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml
+++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml
@@ -44,5 +44,4 @@ tags:
required_fields:
- _time
- columns.cmdline
- risk_score: 25
security_domain: endpoint
diff --git a/detections/endpoint/detect_certify_command_line_arguments.yml b/detections/endpoint/detect_certify_command_line_arguments.yml
index 54c5cf2e88..db9483e27c 100644
--- a/detections/endpoint/detect_certify_command_line_arguments.yml
+++ b/detections/endpoint/detect_certify_command_line_arguments.yml
@@ -76,7 +76,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 90
security_domain: endpoint
tests:
- name: True Positive Test
@@ -85,4 +84,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
index 6255204005..4125bde3a0 100644
--- a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
@@ -65,7 +65,6 @@ tags:
- user
- Computer
- EventCode
- risk_score: 90
security_domain: endpoint
tests:
- name: True Positive Test
@@ -74,4 +73,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_powershell.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/detect_certipy_file_modifications.yml b/detections/endpoint/detect_certipy_file_modifications.yml
index 7b19537648..39fb3b7bbb 100644
--- a/detections/endpoint/detect_certipy_file_modifications.yml
+++ b/detections/endpoint/detect_certipy_file_modifications.yml
@@ -86,7 +86,6 @@ tags:
- Filesystem.file_name
- Filesystem.file_path
- Filesystem.dest
- risk_score: 45
security_domain: endpoint
tests:
- name: True Positive Test
@@ -95,4 +94,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
index df11ec6e4e..edf904eabc 100644
--- a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
+++ b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
@@ -60,5 +60,4 @@ tags:
- LogonType
- TargetDomainName
- user
- risk_score: 49
security_domain: endpoint
diff --git a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml
index 123f62d901..3ce67feceb 100644
--- a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml
+++ b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml
@@ -61,7 +61,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
index 77f0b0e806..550d7f32ca 100644
--- a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
+++ b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
@@ -66,7 +66,6 @@ tags:
- SourceProcessId
- TargetImage
- TargetProcessId
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml
index 51deda2276..f2d7f91fa2 100644
--- a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml
@@ -65,7 +65,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
index 5c139a563b..993ab28825 100644
--- a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
+++ b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
@@ -65,7 +65,6 @@ tags:
- nodename
- All_Changes.result
- All_Changes.dest
- risk_score: 36
security_domain: access
tests:
- name: True Positive Test
@@ -74,14 +73,11 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-security.log
source: WinEventLog:Security
sourcetype: WinEventLog
- update_timestamp: true
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-system.log
source: WinEventLog:System
sourcetype: WinEventLog
- update_timestamp: true
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-xml.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/detect_excessive_user_account_lockouts.yml b/detections/endpoint/detect_excessive_user_account_lockouts.yml
index fb18194ac8..85d4d99300 100644
--- a/detections/endpoint/detect_excessive_user_account_lockouts.yml
+++ b/detections/endpoint/detect_excessive_user_account_lockouts.yml
@@ -49,7 +49,6 @@ tags:
- All_Changes.result
- nodename
- All_Changes.user
- risk_score: 36
security_domain: access
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml
index 940893d70b..2fed3023af 100644
--- a/detections/endpoint/detect_exchange_web_shell.yml
+++ b/detections/endpoint/detect_exchange_web_shell.yml
@@ -80,7 +80,6 @@ tags:
- Filesystem.file_name
- Filesystem.file_hash
- Filesystem.user
- risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_html_help_renamed.yml b/detections/endpoint/detect_html_help_renamed.yml
index 1fcfd47894..2ca6df6bee 100644
--- a/detections/endpoint/detect_html_help_renamed.yml
+++ b/detections/endpoint/detect_html_help_renamed.yml
@@ -84,7 +84,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_html_help_spawn_child_process.yml b/detections/endpoint/detect_html_help_spawn_child_process.yml
index 113cf71403..2ea94fac20 100644
--- a/detections/endpoint/detect_html_help_spawn_child_process.yml
+++ b/detections/endpoint/detect_html_help_spawn_child_process.yml
@@ -88,7 +88,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml
index bd17fc086d..11641294f5 100644
--- a/detections/endpoint/detect_html_help_url_in_command_line.yml
+++ b/detections/endpoint/detect_html_help_url_in_command_line.yml
@@ -87,7 +87,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 90
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
index f40540b70d..2be6eda1ca 100644
--- a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
+++ b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
@@ -83,7 +83,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
index 5e546a2561..72eb8586e4 100644
--- a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
@@ -67,7 +67,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 90
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml
index 834eaca9cf..e6e2e18db3 100644
--- a/detections/endpoint/detect_mshta_inline_hta_execution.yml
+++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml
@@ -87,7 +87,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 90
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_mshta_renamed.yml b/detections/endpoint/detect_mshta_renamed.yml
index 591b2e1d27..02aabf21c7 100644
--- a/detections/endpoint/detect_mshta_renamed.yml
+++ b/detections/endpoint/detect_mshta_renamed.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml
index c78fdcfa1b..352cbaa1c5 100644
--- a/detections/endpoint/detect_mshta_url_in_command_line.yml
+++ b/detections/endpoint/detect_mshta_url_in_command_line.yml
@@ -84,7 +84,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_new_local_admin_account.yml b/detections/endpoint/detect_new_local_admin_account.yml
index 3713d9963f..be1698b2c3 100644
--- a/detections/endpoint/detect_new_local_admin_account.yml
+++ b/detections/endpoint/detect_new_local_admin_account.yml
@@ -54,7 +54,6 @@ tags:
- member_id
- dest
- user
- risk_score: 42
security_domain: access
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
index 54570dfcff..e7272622c9 100644
--- a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
+++ b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
@@ -69,5 +69,4 @@ tags:
- Processes.dest
- Processes.parent_process_name
- Processes.user
- risk_score: 25
security_domain: network
diff --git a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
index d2778235e2..da15be33ba 100644
--- a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
+++ b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml
index 7e95149565..11dad32c29 100644
--- a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml
+++ b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml
@@ -85,7 +85,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 32
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml
index d172a73497..2db877c2ae 100644
--- a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml
+++ b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml
@@ -84,7 +84,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
index 12b4ccafa8..5fccbca115 100644
--- a/detections/endpoint/detect_psexec_with_accepteula_flag.yml
+++ b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
@@ -94,7 +94,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_rare_executables.yml b/detections/endpoint/detect_rare_executables.yml
index f57cfa9c70..0312aa4ff2 100644
--- a/detections/endpoint/detect_rare_executables.yml
+++ b/detections/endpoint/detect_rare_executables.yml
@@ -59,7 +59,6 @@ tags:
- Processes.dest
- Processes.user
- Processes.process_name
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml
index 1d4f8d0d66..6d98fc7402 100644
--- a/detections/endpoint/detect_rclone_command_line_usage.yml
+++ b/detections/endpoint/detect_rclone_command_line_usage.yml
@@ -84,7 +84,6 @@ tags:
- Processes.process_id
- Processes.parent_process_id
- Processes.original_file_name
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_regasm_spawning_a_process.yml b/detections/endpoint/detect_regasm_spawning_a_process.yml
index 4bc1491bfd..b8a6482ce3 100644
--- a/detections/endpoint/detect_regasm_spawning_a_process.yml
+++ b/detections/endpoint/detect_regasm_spawning_a_process.yml
@@ -87,7 +87,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_regasm_with_network_connection.yml b/detections/endpoint/detect_regasm_with_network_connection.yml
index 231770a635..dfcaf2c4a4 100644
--- a/detections/endpoint/detect_regasm_with_network_connection.yml
+++ b/detections/endpoint/detect_regasm_with_network_connection.yml
@@ -69,7 +69,6 @@ tags:
- src_ip
- dest_host
- dest_ip
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
index 9501aa1fcb..893072d5bb 100644
--- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
+++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
@@ -86,7 +86,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_regsvcs_spawning_a_process.yml b/detections/endpoint/detect_regsvcs_spawning_a_process.yml
index c2fb510964..1253991c0c 100644
--- a/detections/endpoint/detect_regsvcs_spawning_a_process.yml
+++ b/detections/endpoint/detect_regsvcs_spawning_a_process.yml
@@ -83,7 +83,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_regsvcs_with_network_connection.yml b/detections/endpoint/detect_regsvcs_with_network_connection.yml
index fb7b596429..bed378b886 100644
--- a/detections/endpoint/detect_regsvcs_with_network_connection.yml
+++ b/detections/endpoint/detect_regsvcs_with_network_connection.yml
@@ -68,7 +68,6 @@ tags:
- user
- src_ip
- dest_host
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
index 0454c0a987..8f72d9f656 100644
--- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
+++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
@@ -84,7 +84,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_regsvr32_application_control_bypass.yml b/detections/endpoint/detect_regsvr32_application_control_bypass.yml
index d42ce4f9f0..9d2da4becd 100644
--- a/detections/endpoint/detect_regsvr32_application_control_bypass.yml
+++ b/detections/endpoint/detect_regsvr32_application_control_bypass.yml
@@ -89,7 +89,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml
index aaf1b8c515..d1317ae659 100644
--- a/detections/endpoint/detect_remote_access_software_usage_file.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_file.yml
@@ -76,7 +76,6 @@ tags:
- Filesystem.dest
- Filesystem.user
- Filesystem.file_name
- risk_score: 25
security_domain: endpoint
manual_test: This detection uses A&I lookups from Enterprise Security.
tests:
diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
index 61e05f0745..ace8416481 100644
--- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
@@ -69,7 +69,6 @@ tags:
- parent_process_name
- process_name
- process
- risk_score: 25
security_domain: endpoint
manual_test: This detection uses A&I lookups from Enterprise Security.
tests:
diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml
index 0ce8bcbe32..c7028c52a1 100644
--- a/detections/endpoint/detect_remote_access_software_usage_process.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_process.yml
@@ -83,7 +83,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_name
- risk_score: 25
security_domain: endpoint
manual_test: This detection uses A&I lookups from Enterprise Security.
tests:
diff --git a/detections/endpoint/detect_renamed_7_zip.yml b/detections/endpoint/detect_renamed_7_zip.yml
index e5c8ad816f..4fe6b07dd4 100644
--- a/detections/endpoint/detect_renamed_7_zip.yml
+++ b/detections/endpoint/detect_renamed_7_zip.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 27
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml
index a9236778b2..c8f5d7c7a5 100644
--- a/detections/endpoint/detect_renamed_psexec.yml
+++ b/detections/endpoint/detect_renamed_psexec.yml
@@ -91,7 +91,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 27
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml
index d6032f2c99..37d2df4d06 100644
--- a/detections/endpoint/detect_renamed_rclone.yml
+++ b/detections/endpoint/detect_renamed_rclone.yml
@@ -83,7 +83,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 27
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml
index 1926d1a1ec..ec83172b62 100644
--- a/detections/endpoint/detect_renamed_winrar.yml
+++ b/detections/endpoint/detect_renamed_winrar.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 27
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_rtlo_in_file_name.yml b/detections/endpoint/detect_rtlo_in_file_name.yml
index 0f65d1d91a..50f54b57f8 100644
--- a/detections/endpoint/detect_rtlo_in_file_name.yml
+++ b/detections/endpoint/detect_rtlo_in_file_name.yml
@@ -67,7 +67,6 @@ tags:
- Filesystem.file_name
- Filesystem.file_path
- Filesystem.process_id
- risk_score: 40
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_rtlo_in_process.yml b/detections/endpoint/detect_rtlo_in_process.yml
index 518c423119..4e77ce338f 100644
--- a/detections/endpoint/detect_rtlo_in_process.yml
+++ b/detections/endpoint/detect_rtlo_in_process.yml
@@ -79,7 +79,6 @@ tags:
- Processes.parent_process_id
- Processes.parent_process_name
- Processes.parent_process
- risk_score: 40
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
index 71b09f18ff..fe26d159d9 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
@@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
index 6f39892922..7dd9eb4900 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
@@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
index f41c2113db..b079466b7c 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
@@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml
index 2e59eba9ae..74ef870d19 100644
--- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml
+++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml
index 51d16a6f89..b83494f7b9 100644
--- a/detections/endpoint/detect_sharphound_command_line_arguments.yml
+++ b/detections/endpoint/detect_sharphound_command_line_arguments.yml
@@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_sharphound_file_modifications.yml b/detections/endpoint/detect_sharphound_file_modifications.yml
index 718559e461..2c5e665b17 100644
--- a/detections/endpoint/detect_sharphound_file_modifications.yml
+++ b/detections/endpoint/detect_sharphound_file_modifications.yml
@@ -69,7 +69,6 @@ tags: - file_name - process_id - file_create_time - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_sharphound_usage.yml b/detections/endpoint/detect_sharphound_usage.yml
index cf04812b7a..a51f2b4007 100644
--- a/detections/endpoint/detect_sharphound_usage.yml
+++ b/detections/endpoint/detect_sharphound_usage.yml
@@ -78,7 +78,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
index 1aeb9d8929..2f9773a445 100644
--- a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
+++ b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
@@ -71,5 +71,4 @@ tags: - Processes.parent_process - Processes.user - Processes.dest - risk_score: 45 security_domain: endpoint
diff --git a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
index 2f836cb956..d5a9cc22c4 100644
--- a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
+++ b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
@@ -66,7 +66,6 @@ tags: - Processes.parent_process - Processes.user - Processes.dest - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_webshell_exploit_behavior.yml b/detections/endpoint/detect_webshell_exploit_behavior.yml
index 42de72b989..439f1343e8 100644
--- a/detections/endpoint/detect_webshell_exploit_behavior.yml
+++ b/detections/endpoint/detect_webshell_exploit_behavior.yml
@@ -90,10 +90,7 @@ tags: - Processes.parent_process_name - Processes.process - Processes.process_name - risk_score: 80 security_domain: endpoint - supported_tas: - - Splunk_TA_microsoft_sysmon tests: - name: True Positive Test attack_data:
diff --git a/detections/endpoint/detect_wmi_event_subscription_persistence.yml b/detections/endpoint/detect_wmi_event_subscription_persistence.yml
index ffc30d9f99..d120c520c3 100644
--- a/detections/endpoint/detect_wmi_event_subscription_persistence.yml
+++ b/detections/endpoint/detect_wmi_event_subscription_persistence.yml
@@ -54,7 +54,6 @@ tags: - Destination - dest - User - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
index f12a51960e..e3448a67da 100644
--- a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
+++ b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
@@ -58,5 +58,4 @@ tags: - Processes.parent_process - Processes.process_name - Processes.user - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml
index ef574c1785..a8b07389f5 100644
--- a/detections/endpoint/disable_amsi_through_registry.yml
+++ b/detections/endpoint/disable_amsi_through_registry.yml
@@ -62,7 +62,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml
index 9ed2c7f702..cdc0c899fd 100644
--- a/detections/endpoint/disable_defender_antivirus_registry.yml
+++ b/detections/endpoint/disable_defender_antivirus_registry.yml
@@ -63,7 +63,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
index 2fd43e341e..da53bb95f2 100644
--- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
+++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
@@ -64,7 +64,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml
index 060054c957..efa23e41c3 100644
--- a/detections/endpoint/disable_defender_enhanced_notification.yml
+++ b/detections/endpoint/disable_defender_enhanced_notification.yml
@@ -85,7 +85,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml
index f722cb1842..fc510a38c0 100644
--- a/detections/endpoint/disable_defender_mpengine_registry.yml
+++ b/detections/endpoint/disable_defender_mpengine_registry.yml
@@ -62,7 +62,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml
index 05b46452a9..d8ff25a885 100644
--- a/detections/endpoint/disable_defender_spynet_reporting.yml
+++ b/detections/endpoint/disable_defender_spynet_reporting.yml
@@ -65,7 +65,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
index d75edf1bfb..30abdcef23 100644
--- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
+++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
@@ -64,7 +64,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml
index 4f8881e579..fcbddb814e 100644
--- a/detections/endpoint/disable_etw_through_registry.yml
+++ b/detections/endpoint/disable_etw_through_registry.yml
@@ -59,7 +59,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml
index 775e2ce23f..c9cea30cf8 100644
--- a/detections/endpoint/disable_logs_using_wevtutil.yml
+++ b/detections/endpoint/disable_logs_using_wevtutil.yml
@@ -66,7 +66,6 @@ tags: - Processes.user - Processes.process_id - Processes.process_guid - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml
index 0af25ed655..d58dba0de5 100644
--- a/detections/endpoint/disable_registry_tool.yml
+++ b/detections/endpoint/disable_registry_tool.yml
@@ -60,7 +60,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml
index 7196040a3c..b8c18cb465 100644
--- a/detections/endpoint/disable_schedule_task.yml
+++ b/detections/endpoint/disable_schedule_task.yml
@@ -62,7 +62,6 @@ tags: - Processes.process_name - Processes.parent_process_name - Processes.dest - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml
index 7e7b26e8f2..d559bbad1b 100644
--- a/detections/endpoint/disable_security_logs_using_minint_registry.yml
+++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml
@@ -61,7 +61,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml
index 9a64a34bc3..d63fea3943 100644
--- a/detections/endpoint/disable_show_hidden_files.yml
+++ b/detections/endpoint/disable_show_hidden_files.yml
@@ -62,7 +62,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml
index be01d67a03..31de046593 100644
--- a/detections/endpoint/disable_uac_remote_restriction.yml
+++ b/detections/endpoint/disable_uac_remote_restriction.yml
@@ -63,7 +63,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml
index 85e4112bf5..ff4870fca7 100644
--- a/detections/endpoint/disable_windows_app_hotkeys.yml
+++ b/detections/endpoint/disable_windows_app_hotkeys.yml
@@ -58,7 +58,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guidr - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml
index 6c8d9b60f5..39c49d2573 100644
--- a/detections/endpoint/disable_windows_behavior_monitoring.yml
+++ b/detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -69,7 +69,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml
index f4eac676b8..9c44d60a1b 100644
--- a/detections/endpoint/disable_windows_smartscreen_protection.yml
+++ b/detections/endpoint/disable_windows_smartscreen_protection.yml
@@ -64,7 +64,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
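Review bot: `Registry.process_guidr` in the required_fields context of the disable_windows_app_hotkeys.yml hunk is a typo for `Registry.process_guid`, the name every sibling Registry-based detection in this diff lists; the commit edits the line directly below it and leaves the misspelling in place. If required_fields is consumed by validation or documentation tooling, the bad name either trips that tooling or silently points at a field the Registry data model does not have. Suggest `- Registry.process_guid`. The tags block continues outside the hunk.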
diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
index fc69094941..683c6dcfab 100644
--- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
+++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
@@ -55,7 +55,6 @@ tags: - Computer - UserID - EventCode - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
index ffc44e5bce..ebb8cb7c69 100644
--- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
+++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
@@ -53,7 +53,6 @@ tags: - Computer - UserID - EventCode - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml
index 6dee1757b5..c38f149225 100644
--- a/detections/endpoint/disabling_cmd_application.yml
+++ b/detections/endpoint/disabling_cmd_application.yml
@@ -63,7 +63,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml
index 19c156b161..00b1fdc160 100644
--- a/detections/endpoint/disabling_controlpanel.yml
+++ b/detections/endpoint/disabling_controlpanel.yml
@@ -63,7 +63,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test (XML)
diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml
index 2b6483c299..6225a9d1ce 100644
--- a/detections/endpoint/disabling_defender_services.yml
+++ b/detections/endpoint/disabling_defender_services.yml
@@ -64,7 +64,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disabling_firewall_with_netsh.yml b/detections/endpoint/disabling_firewall_with_netsh.yml
index bb022e6e77..32ceaa3375 100644
--- a/detections/endpoint/disabling_firewall_with_netsh.yml
+++ b/detections/endpoint/disabling_firewall_with_netsh.yml
@@ -73,7 +73,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml
index 22f362cb21..2229a73d01 100644
--- a/detections/endpoint/disabling_folderoptions_windows_feature.yml
+++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml
@@ -63,7 +63,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disabling_net_user_account.yml b/detections/endpoint/disabling_net_user_account.yml
index 30f988413b..7856dc35a4 100644
--- a/detections/endpoint/disabling_net_user_account.yml
+++ b/detections/endpoint/disabling_net_user_account.yml
@@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml
index 2654bf65a0..46d5dcb667 100644
--- a/detections/endpoint/disabling_norun_windows_app.yml
+++ b/detections/endpoint/disabling_norun_windows_app.yml
@@ -63,7 +63,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disabling_remote_user_account_control.yml b/detections/endpoint/disabling_remote_user_account_control.yml
index f6ea7faffd..ff7703aa9a 100644
--- a/detections/endpoint/disabling_remote_user_account_control.yml
+++ b/detections/endpoint/disabling_remote_user_account_control.yml
@@ -67,7 +67,6 @@ tags: - Registry.registry_key_name - Registry.user - Registry.action - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml
index a3cc1f29a0..8684df0352 100644
--- a/detections/endpoint/disabling_systemrestore_in_registry.yml
+++ b/detections/endpoint/disabling_systemrestore_in_registry.yml
@@ -65,7 +65,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml
index 382f4a93e3..8f278a1180 100644
--- a/detections/endpoint/disabling_task_manager.yml
+++ b/detections/endpoint/disabling_task_manager.yml
@@ -62,7 +62,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
index 0903cfcc9d..118bf1fa71 100644
--- a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
+++ b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
@@ -69,7 +69,6 @@ tags: - Registry.registry_path - Registry.dest - Registry.user - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
index fd13045f93..55156b55b2 100644
--- a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
@@ -80,7 +80,6 @@ tags: - parent_process_name - dest_port - process_path - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
index 731d77825d..71867e8c3a 100644
--- a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
+++ b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
@@ -86,7 +86,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_account_discovery_with_dsquery.yml b/detections/endpoint/domain_account_discovery_with_dsquery.yml
index 75239be94a..ca105ad2e9 100644
--- a/detections/endpoint/domain_account_discovery_with_dsquery.yml
+++ b/detections/endpoint/domain_account_discovery_with_dsquery.yml
@@ -73,7 +73,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_account_discovery_with_net_app.yml b/detections/endpoint/domain_account_discovery_with_net_app.yml
index 3e76b9972f..97da2a8c6d 100644
--- a/detections/endpoint/domain_account_discovery_with_net_app.yml
+++ b/detections/endpoint/domain_account_discovery_with_net_app.yml
@@ -74,7 +74,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_account_discovery_with_wmic.yml b/detections/endpoint/domain_account_discovery_with_wmic.yml
index 00a62ab62b..c35f221e6e 100644
--- a/detections/endpoint/domain_account_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_account_discovery_with_wmic.yml
@@ -73,7 +73,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml
index 6a1dd7d0e5..61be1a6aa0 100644
--- a/detections/endpoint/domain_controller_discovery_with_nltest.yml
+++ b/detections/endpoint/domain_controller_discovery_with_nltest.yml
@@ -66,7 +66,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_controller_discovery_with_wmic.yml b/detections/endpoint/domain_controller_discovery_with_wmic.yml
index eb4c6682fc..d1c11c0161 100644
--- a/detections/endpoint/domain_controller_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_controller_discovery_with_wmic.yml
@@ -65,7 +65,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml
index 9627870eb9..88abd7390d 100644
--- a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml
+++ b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml
@@ -52,7 +52,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 18 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_group_discovery_with_dsquery.yml b/detections/endpoint/domain_group_discovery_with_dsquery.yml
index eb8f5e3edc..a93252c518 100644
--- a/detections/endpoint/domain_group_discovery_with_dsquery.yml
+++ b/detections/endpoint/domain_group_discovery_with_dsquery.yml
@@ -66,7 +66,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_group_discovery_with_net.yml b/detections/endpoint/domain_group_discovery_with_net.yml
index 640a60b233..07427b11dd 100644
--- a/detections/endpoint/domain_group_discovery_with_net.yml
+++ b/detections/endpoint/domain_group_discovery_with_net.yml
@@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_group_discovery_with_wmic.yml b/detections/endpoint/domain_group_discovery_with_wmic.yml
index 4878ea0088..564265eeeb 100644
--- a/detections/endpoint/domain_group_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_group_discovery_with_wmic.yml
@@ -67,7 +67,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/download_files_using_telegram.yml b/detections/endpoint/download_files_using_telegram.yml
index b8ebf9ba8b..d14ba24643 100644
--- a/detections/endpoint/download_files_using_telegram.yml
+++ b/detections/endpoint/download_files_using_telegram.yml
@@ -55,7 +55,6 @@ tags: - process_id - TargetFilename - Hash - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/drop_icedid_license_dat.yml b/detections/endpoint/drop_icedid_license_dat.yml
index 8414b775e6..78219669ef 100644
--- a/detections/endpoint/drop_icedid_license_dat.yml
+++ b/detections/endpoint/drop_icedid_license_dat.yml
@@ -51,7 +51,6 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/dsquery_domain_discovery.yml b/detections/endpoint/dsquery_domain_discovery.yml
index 23b7ff6d42..fe81d12cf9 100644
--- a/detections/endpoint/dsquery_domain_discovery.yml
+++ b/detections/endpoint/dsquery_domain_discovery.yml
@@ -80,7 +80,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
index 9a57399487..769800b3e9 100644
--- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
+++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
@@ -85,7 +85,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/dump_lsass_via_procdump.yml b/detections/endpoint/dump_lsass_via_procdump.yml
index 6f132ed1b3..182511df40 100644
--- a/detections/endpoint/dump_lsass_via_procdump.yml
+++ b/detections/endpoint/dump_lsass_via_procdump.yml
@@ -81,7 +81,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/elevated_group_discovery_with_net.yml b/detections/endpoint/elevated_group_discovery_with_net.yml
index f667778adf..00dd378b5a 100644
--- a/detections/endpoint/elevated_group_discovery_with_net.yml
+++ b/detections/endpoint/elevated_group_discovery_with_net.yml
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/elevated_group_discovery_with_powerview.yml b/detections/endpoint/elevated_group_discovery_with_powerview.yml
index 8d4663dd5b..f638831279 100644
--- a/detections/endpoint/elevated_group_discovery_with_powerview.yml
+++ b/detections/endpoint/elevated_group_discovery_with_powerview.yml
@@ -54,7 +54,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/elevated_group_discovery_with_wmic.yml b/detections/endpoint/elevated_group_discovery_with_wmic.yml
index c13ce10927..69938ec18d 100644
--- a/detections/endpoint/elevated_group_discovery_with_wmic.yml
+++ b/detections/endpoint/elevated_group_discovery_with_wmic.yml
@@ -71,7 +71,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml
index 29c3736edc..cd00432dc8 100644
--- a/detections/endpoint/enable_rdp_in_other_port_number.yml
+++ b/detections/endpoint/enable_rdp_in_other_port_number.yml
@@ -61,7 +61,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
index d32c39f50f..48966a7dea 100644
--- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
+++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
@@ -63,7 +63,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/enumerate_users_local_group_using_telegram.yml b/detections/endpoint/enumerate_users_local_group_using_telegram.yml
index ae1cf9dc5c..2d21655d63 100644
--- a/detections/endpoint/enumerate_users_local_group_using_telegram.yml
+++ b/detections/endpoint/enumerate_users_local_group_using_telegram.yml
@@ -61,7 +61,6 @@ tags: - Logon_ID - Security_ID - Message - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/esentutl_sam_copy.yml b/detections/endpoint/esentutl_sam_copy.yml
index 8f9cfe3e28..6de86da8c7 100644
--- a/detections/endpoint/esentutl_sam_copy.yml
+++ b/detections/endpoint/esentutl_sam_copy.yml
@@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml
index 1dd5816a6e..c280d1041e 100644
--- a/detections/endpoint/etw_registry_disabled.yml
+++ b/detections/endpoint/etw_registry_disabled.yml
@@ -67,7 +67,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/eventvwr_uac_bypass.yml b/detections/endpoint/eventvwr_uac_bypass.yml
index 1fa34580aa..0649e84756 100644
--- a/detections/endpoint/eventvwr_uac_bypass.yml
+++ b/detections/endpoint/eventvwr_uac_bypass.yml
@@ -87,7 +87,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excel_spawning_powershell.yml b/detections/endpoint/excel_spawning_powershell.yml
index c6f1b400cd..c46009bbf2 100644
--- a/detections/endpoint/excel_spawning_powershell.yml
+++ b/detections/endpoint/excel_spawning_powershell.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excel_spawning_windows_script_host.yml b/detections/endpoint/excel_spawning_windows_script_host.yml
index 8b05de1a31..f2f9a50f07 100644
--- a/detections/endpoint/excel_spawning_windows_script_host.yml
+++ b/detections/endpoint/excel_spawning_windows_script_host.yml
@@ -78,7 +78,6 @@ tags: - dest - user - parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_attempt_to_disable_services.yml b/detections/endpoint/excessive_attempt_to_disable_services.yml
index 495f558e24..410188427f 100644
--- a/detections/endpoint/excessive_attempt_to_disable_services.yml
+++ b/detections/endpoint/excessive_attempt_to_disable_services.yml
@@ -68,7 +68,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
index 0988a0f3b1..e7be0e276f 100644
--- a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
+++ b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
@@ -60,7 +60,6 @@ tags: - Processes.process - Processes.dest - Processes.user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
index 482a141d0d..4a0d3dfa8a 100644
--- a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
+++ b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
@@ -67,7 +67,6 @@ tags: - process_name - process_path - process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
index a6aa5f7d1e..6f3fdfc3d1 100644
--- a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
+++ b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
@@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/excessive_number_of_taskhost_processes.yml b/detections/endpoint/excessive_number_of_taskhost_processes.yml index 673e2ab90b..6909f224a5 100644 --- a/detections/endpoint/excessive_number_of_taskhost_processes.yml +++ b/detections/endpoint/excessive_number_of_taskhost_processes.yml @@ -65,7 +65,6 @@ tags: - Processes.process_name - Processes.dest - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/excessive_service_stop_attempt.yml b/detections/endpoint/excessive_service_stop_attempt.yml index ffdff1ffd8..9560550ee7 100644 --- a/detections/endpoint/excessive_service_stop_attempt.yml +++ b/detections/endpoint/excessive_service_stop_attempt.yml @@ -75,7 +75,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml index 17b22ae2dd..52ef8285ca 100644 --- a/detections/endpoint/excessive_usage_of_cacls_app.yml +++ b/detections/endpoint/excessive_usage_of_cacls_app.yml @@ -70,7 +70,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/excessive_usage_of_net_app.yml b/detections/endpoint/excessive_usage_of_net_app.yml index 3fd324c5c1..203918acee 100644 --- a/detections/endpoint/excessive_usage_of_net_app.yml +++ b/detections/endpoint/excessive_usage_of_net_app.yml 
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/excessive_usage_of_nslookup_app.yml b/detections/endpoint/excessive_usage_of_nslookup_app.yml index 85204a4ab8..b98a3dc27f 100644 --- a/detections/endpoint/excessive_usage_of_nslookup_app.yml +++ b/detections/endpoint/excessive_usage_of_nslookup_app.yml @@ -59,7 +59,6 @@ tags: - dest - process_name - EventCode - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml index 41194d4c27..a73abc493a 100644 --- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml +++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml @@ -56,7 +56,6 @@ tags: - EventCode - process_name - process - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml index 06abc48814..75938c2bfc 100644 --- a/detections/endpoint/excessive_usage_of_taskkill.yml +++ b/detections/endpoint/excessive_usage_of_taskkill.yml @@ -77,7 +77,6 @@ tags: - Processes.user - Processes.process - Processes.process_id - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml index 46ee0fee33..1948b1b832 100644 --- a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml +++ b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml @@ -54,5 +54,4 @@ tags: - cs_uri_query - cs_method - c_uri - risk_score: 80 security_domain: endpoint 
diff --git a/detections/endpoint/exchange_powershell_module_usage.yml b/detections/endpoint/exchange_powershell_module_usage.yml index cc3fa2cf81..1c5934bb20 100644 --- a/detections/endpoint/exchange_powershell_module_usage.yml +++ b/detections/endpoint/exchange_powershell_module_usage.yml @@ -66,7 +66,6 @@ tags: - Computer - UserID - EventCode - risk_score: 32 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml index ac28c68fd7..862daade3c 100644 --- a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml +++ b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml @@ -69,7 +69,6 @@ tags: - user - src_port - Source_Address - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index 50cad7d63d..dca5fe543e 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -102,7 +102,6 @@ tags: - Filesystem.process_id - Filesystem.file_name - Filesystem.user - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml index 2d4425be5e..4489480cb5 100644 --- a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml +++ b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml @@ -73,7 +73,6 @@ tags: - Processes.process_id - Processes.dest - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/execution_of_file_with_multiple_extensions.yml b/detections/endpoint/execution_of_file_with_multiple_extensions.yml index 00114026b3..3cf289d682 100644 --- a/detections/endpoint/execution_of_file_with_multiple_extensions.yml +++ b/detections/endpoint/execution_of_file_with_multiple_extensions.yml @@ -73,7 +73,6 @@ tags: - Processes.dest - Processes.user - Processes.parent_process - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/extraction_of_registry_hives.yml b/detections/endpoint/extraction_of_registry_hives.yml index 9154c3ea89..9403fb41c8 100644 --- a/detections/endpoint/extraction_of_registry_hives.yml +++ b/detections/endpoint/extraction_of_registry_hives.yml @@ -84,7 +84,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/file_with_samsam_extension.yml b/detections/endpoint/file_with_samsam_extension.yml index a0d5fabec5..34485da54b 100644 --- a/detections/endpoint/file_with_samsam_extension.yml +++ b/detections/endpoint/file_with_samsam_extension.yml @@ -56,7 +56,6 @@ tags: - Filesystem.dest - Filesystem.file_path - Filesystem.file_name - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml index fd941db74c..f1b24d718d 100644 --- a/detections/endpoint/firewall_allowed_program_enable.yml +++ b/detections/endpoint/firewall_allowed_program_enable.yml @@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/first_time_seen_child_process_of_zoom.yml b/detections/endpoint/first_time_seen_child_process_of_zoom.yml index a76f94fe85..24ea94c0a1 100644 --- a/detections/endpoint/first_time_seen_child_process_of_zoom.yml +++ b/detections/endpoint/first_time_seen_child_process_of_zoom.yml @@ -75,5 +75,4 @@ tags: - Processes.parent_process_name - Processes.process_id - Processes.dest - risk_score: 64 security_domain: endpoint diff --git a/detections/endpoint/first_time_seen_running_windows_service.yml b/detections/endpoint/first_time_seen_running_windows_service.yml index 99367df419..16c0b60629 100644 --- a/detections/endpoint/first_time_seen_running_windows_service.yml +++ b/detections/endpoint/first_time_seen_running_windows_service.yml @@ -58,5 +58,4 @@ tags: - EventCode - Message - dest - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml index 036d21325a..eae0a852c0 100644 --- a/detections/endpoint/fodhelper_uac_bypass.yml +++ b/detections/endpoint/fodhelper_uac_bypass.yml @@ -78,7 +78,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/fsutil_zeroing_file.yml b/detections/endpoint/fsutil_zeroing_file.yml index 2258c46943..f373657bdd 100644 --- a/detections/endpoint/fsutil_zeroing_file.yml +++ b/detections/endpoint/fsutil_zeroing_file.yml @@ -63,7 +63,6 @@ tags: - Processes.dest - Processes.process - Processes.parent_process - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml index a324c534cf..16c91042f2 100644 --- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml 
+++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml @@ -74,7 +74,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml index 8933daddbf..fe843973dd 100644 --- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml @@ -56,7 +56,6 @@ tags: - Message - ComputerName - User - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_aduser_with_powershell.yml b/detections/endpoint/get_aduser_with_powershell.yml index d09a8cae5e..0b885a0926 100644 --- a/detections/endpoint/get_aduser_with_powershell.yml +++ b/detections/endpoint/get_aduser_with_powershell.yml @@ -76,7 +76,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_aduser_with_powershell_script_block.yml b/detections/endpoint/get_aduser_with_powershell_script_block.yml index 20c59c72ef..3520b397e5 100644 --- a/detections/endpoint/get_aduser_with_powershell_script_block.yml +++ b/detections/endpoint/get_aduser_with_powershell_script_block.yml @@ -58,7 +58,6 @@ tags: - Message - ComputerName - User - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml index ac5343f902..d7e5470bca 100644 --- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml 
+++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml @@ -75,7 +75,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml index 0b54225dd0..fb30d5b39a 100644 --- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml @@ -58,7 +58,6 @@ tags: - Computer - UserID - EventCode - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_domainpolicy_with_powershell.yml b/detections/endpoint/get_domainpolicy_with_powershell.yml index 44c3c76536..39b6f55c0b 100644 --- a/detections/endpoint/get_domainpolicy_with_powershell.yml +++ b/detections/endpoint/get_domainpolicy_with_powershell.yml @@ -74,7 +74,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml index 59b8d1e7b7..91c49df767 100644 --- a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml @@ -57,7 +57,6 @@ tags: - Computer - UserID - EventCode - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_domaintrust_with_powershell.yml b/detections/endpoint/get_domaintrust_with_powershell.yml index bda69be0e0..1374b1a593 100644 --- a/detections/endpoint/get_domaintrust_with_powershell.yml 
+++ b/detections/endpoint/get_domaintrust_with_powershell.yml @@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml index 1e54882d05..19efd5f5fc 100644 --- a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml +++ b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml @@ -60,7 +60,6 @@ tags: - Computer - UserID - EventCode - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_domainuser_with_powershell.yml b/detections/endpoint/get_domainuser_with_powershell.yml index c19b3d9d3d..698a38bd10 100644 --- a/detections/endpoint/get_domainuser_with_powershell.yml +++ b/detections/endpoint/get_domainuser_with_powershell.yml @@ -75,7 +75,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_domainuser_with_powershell_script_block.yml b/detections/endpoint/get_domainuser_with_powershell_script_block.yml index e05a37c3ba..8d3989f594 100644 --- a/detections/endpoint/get_domainuser_with_powershell_script_block.yml +++ b/detections/endpoint/get_domainuser_with_powershell_script_block.yml @@ -56,7 +56,6 @@ tags: - Message - ComputerName - User - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_foresttrust_with_powershell.yml b/detections/endpoint/get_foresttrust_with_powershell.yml index 0bd85b5a93..d79e0a5bef 100644 --- a/detections/endpoint/get_foresttrust_with_powershell.yml +++ b/detections/endpoint/get_foresttrust_with_powershell.yml 
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml index 553b45eccc..920d5b13a9 100644 --- a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml +++ b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml @@ -58,7 +58,6 @@ tags: - Opcode - Computer - UserID - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_wmiobject_group_discovery.yml b/detections/endpoint/get_wmiobject_group_discovery.yml index 2e98a4c861..c22c9e0559 100644 --- a/detections/endpoint/get_wmiobject_group_discovery.yml +++ b/detections/endpoint/get_wmiobject_group_discovery.yml @@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml index 7d41986854..586a379ada 100644 --- a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml +++ b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml @@ -58,7 +58,6 @@ tags: - Message - ComputerName - User - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getadcomputer_with_powershell.yml b/detections/endpoint/getadcomputer_with_powershell.yml index abc814c1b9..22e76f5e12 100644 --- a/detections/endpoint/getadcomputer_with_powershell.yml +++ b/detections/endpoint/getadcomputer_with_powershell.yml 
@@ -65,7 +65,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getadcomputer_with_powershell_script_block.yml b/detections/endpoint/getadcomputer_with_powershell_script_block.yml index 42af01c411..3a23d64c01 100644 --- a/detections/endpoint/getadcomputer_with_powershell_script_block.yml +++ b/detections/endpoint/getadcomputer_with_powershell_script_block.yml @@ -53,7 +53,6 @@ tags: - Computer - UserID - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getadgroup_with_powershell.yml b/detections/endpoint/getadgroup_with_powershell.yml index 78cbf49c22..6f079b4ab8 100644 --- a/detections/endpoint/getadgroup_with_powershell.yml +++ b/detections/endpoint/getadgroup_with_powershell.yml @@ -67,7 +67,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getadgroup_with_powershell_script_block.yml b/detections/endpoint/getadgroup_with_powershell_script_block.yml index efa6aa9cd5..e2af4a8a0d 100644 --- a/detections/endpoint/getadgroup_with_powershell_script_block.yml +++ b/detections/endpoint/getadgroup_with_powershell_script_block.yml @@ -51,7 +51,6 @@ tags: - Message - Computer - UserID - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getcurrent_user_with_powershell.yml b/detections/endpoint/getcurrent_user_with_powershell.yml index 063bf16ec7..1c3fbf0b8a 100644 --- a/detections/endpoint/getcurrent_user_with_powershell.yml +++ b/detections/endpoint/getcurrent_user_with_powershell.yml 
@@ -66,7 +66,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml index acd52a9f63..d984b70e07 100644 --- a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml +++ b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml @@ -54,7 +54,6 @@ tags: - ComputerName - User - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getdomaincomputer_with_powershell.yml b/detections/endpoint/getdomaincomputer_with_powershell.yml index 20beca8a43..424668eded 100644 --- a/detections/endpoint/getdomaincomputer_with_powershell.yml +++ b/detections/endpoint/getdomaincomputer_with_powershell.yml @@ -65,7 +65,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml index 592155e6e4..87be9d00bc 100644 --- a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml +++ b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml @@ -51,7 +51,6 @@ tags: - Computer - UserID - EventCode - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getdomaincontroller_with_powershell.yml b/detections/endpoint/getdomaincontroller_with_powershell.yml index a2b4dab869..70c61a97c3 100644 --- a/detections/endpoint/getdomaincontroller_with_powershell.yml +++ b/detections/endpoint/getdomaincontroller_with_powershell.yml 
@@ -66,7 +66,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml index 47f1e5591c..801a115ff9 100644 --- a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml +++ b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml @@ -51,7 +51,6 @@ tags: - Computer - UserID - EventCode - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getdomaingroup_with_powershell.yml b/detections/endpoint/getdomaingroup_with_powershell.yml index 0c8f9512fd..86d0fc51a6 100644 --- a/detections/endpoint/getdomaingroup_with_powershell.yml +++ b/detections/endpoint/getdomaingroup_with_powershell.yml @@ -68,7 +68,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml index d8c35b4d1d..b5e3a15cb8 100644 --- a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml +++ b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml @@ -52,7 +52,6 @@ tags: - Computer - UserID - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getlocaluser_with_powershell.yml b/detections/endpoint/getlocaluser_with_powershell.yml index c68191a45e..53ef05a08d 100644 --- a/detections/endpoint/getlocaluser_with_powershell.yml +++ b/detections/endpoint/getlocaluser_with_powershell.yml 
@@ -57,7 +57,6 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getlocaluser_with_powershell_script_block.yml b/detections/endpoint/getlocaluser_with_powershell_script_block.yml index 68d2f1f35c..d394df3909 100644 --- a/detections/endpoint/getlocaluser_with_powershell_script_block.yml +++ b/detections/endpoint/getlocaluser_with_powershell_script_block.yml @@ -54,7 +54,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getnettcpconnection_with_powershell.yml b/detections/endpoint/getnettcpconnection_with_powershell.yml index 3eb51f64e7..539bad3098 100644 --- a/detections/endpoint/getnettcpconnection_with_powershell.yml +++ b/detections/endpoint/getnettcpconnection_with_powershell.yml @@ -66,7 +66,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml b/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml index 1c27f7acfd..1e24f393f1 100644 --- a/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml +++ b/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml @@ -51,7 +51,6 @@ tags: - Computer - UserID - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml index 296d8e1db3..5e4509412b 100644 --- a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml 
@@ -67,7 +67,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml index 831c8bacc4..bb50364351 100644 --- a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml @@ -51,7 +51,6 @@ tags: - Computer - UserID - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml index bc8d730680..5ab73fc84f 100644 --- a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml @@ -68,7 +68,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml index 534309df72..60b2177e0d 100644 --- a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml @@ -53,7 +53,6 @@ tags: - Computer - UserID - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml index 8a5e541ed3..005ed6ba22 100644 --- a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml 
@@ -74,7 +74,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml index fbecd4cc1c..c42a06a561 100644 --- a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml @@ -58,7 +58,6 @@ tags: - Computer - UserID - EventCode - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell.yml b/detections/endpoint/getwmiobject_user_account_with_powershell.yml index a9d593662c..9fdaf6eece 100644 --- a/detections/endpoint/getwmiobject_user_account_with_powershell.yml +++ b/detections/endpoint/getwmiobject_user_account_with_powershell.yml @@ -58,7 +58,6 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml index f2d0eeb8bd..c5c771af09 100644 --- a/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml @@ -53,7 +53,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml index b9ea5e0814..fdf1af1579 100644 --- a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml 
+++ b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml @@ -82,7 +82,6 @@ tags: - parent_process_name - dest_port - process_path - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml index 0ffc7a1d57..c825401771 100644 --- a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml +++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml @@ -58,7 +58,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 56 required_fields: - Processes.dest - Processes.user diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml index bf3b7080c1..f2b250f090 100644 --- a/detections/endpoint/headless_browser_usage.yml +++ b/detections/endpoint/headless_browser_usage.yml @@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 required_fields: - Processes.dest - Processes.user diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml index d5316561c5..5b21945ff0 100644 --- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml +++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml @@ -70,7 +70,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml index 7602cac895..5178c72106 100644 --- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml +++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml 
@@ -66,7 +66,6 @@ tags: - Processes.parent_process - Processes.user - Processes.dest - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml index 0918d8df50..88586fee46 100644 --- a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml +++ b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml @@ -64,7 +64,6 @@ tags: - user - src_port - Source_Address - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test @@ -73,4 +72,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/high_process_termination_frequency.yml b/detections/endpoint/high_process_termination_frequency.yml index 1dabbbbd44..7229193709 100644 --- a/detections/endpoint/high_process_termination_frequency.yml +++ b/detections/endpoint/high_process_termination_frequency.yml @@ -58,7 +58,6 @@ tags: - dest - _time - ProcessID - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/hunting_3cxdesktopapp_software.yml b/detections/endpoint/hunting_3cxdesktopapp_software.yml index c29c644b5a..b50b113044 100644 --- a/detections/endpoint/hunting_3cxdesktopapp_software.yml +++ b/detections/endpoint/hunting_3cxdesktopapp_software.yml @@ -77,7 +77,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml index a6158bdba3..7159997255 100644 --- a/detections/endpoint/icacls_deny_command.yml 
+++ b/detections/endpoint/icacls_deny_command.yml @@ -69,7 +69,6 @@ tags: - Processes.user - Processes.process_id - Processes.process - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml index 82e167f054..f66227fa28 100644 --- a/detections/endpoint/icacls_grant_command.yml +++ b/detections/endpoint/icacls_grant_command.yml @@ -67,7 +67,6 @@ tags: - Processes.user - Processes.process_id - Processes.process - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml index 6998dd405f..47f0c8d49a 100644 --- a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml +++ b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml @@ -58,7 +58,6 @@ tags: - process_id - process_name - dest - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml index c968848ce4..2cdf1c132d 100644 --- a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml @@ -90,7 +90,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml index efcc0dd700..108681a495 100644 --- a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml 
+++ b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml @@ -86,7 +86,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml index 74c957958b..795803b526 100644 --- a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml @@ -86,7 +86,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml index ef6c6e6352..db8701c5e4 100644 --- a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml +++ b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml @@ -54,7 +54,6 @@ tags: - Message - ComputerName - User - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/java_class_file_download_by_java_user_agent.yml b/detections/endpoint/java_class_file_download_by_java_user_agent.yml index 45d6b599b1..6e0e4f7ad5 100644 --- a/detections/endpoint/java_class_file_download_by_java_user_agent.yml +++ b/detections/endpoint/java_class_file_download_by_java_user_agent.yml @@ -58,7 +58,6 @@ tags: - Web.src - Web.dest - Web.http_user_agent - risk_score: 40 security_domain: network tests: - name: True Positive Test diff --git a/detections/endpoint/java_writing_jsp_file.yml b/detections/endpoint/java_writing_jsp_file.yml index 07a2d74c85..2ae4077302 100644 
--- a/detections/endpoint/java_writing_jsp_file.yml +++ b/detections/endpoint/java_writing_jsp_file.yml @@ -83,7 +83,6 @@ tags: - Filesystem.file_path - Filesystem.process_guid - Filesystem.user - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/jscript_execution_using_cscript_app.yml b/detections/endpoint/jscript_execution_using_cscript_app.yml index 4e6cb61b70..1c3d8358bd 100644 --- a/detections/endpoint/jscript_execution_using_cscript_app.yml +++ b/detections/endpoint/jscript_execution_using_cscript_app.yml @@ -70,7 +70,6 @@ tags: - Processes.process - Processes.dest - Processes.user - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml index 206a89180c..6b8def8701 100644 --- a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml +++ b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml @@ -58,7 +58,6 @@ tags: - Computer - service - service_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml index 43385ce72c..68b0bd1292 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml @@ -51,7 +51,6 @@ tags: - Account_Name - Security_ID - MSADChangedAttributes - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test 
@@ -60,4 +59,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - update_timestamp: true diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml index 22119be938..355d61f0e3 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml @@ -54,7 +54,6 @@ tags: - ScriptBlockText - Computer - user_id - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test @@ -63,4 +62,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml index f361a4b6fc..5b9b4f6d99 100644 --- a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml +++ b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml @@ -63,7 +63,6 @@ tags: - dest - service - service_id - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml index 31815fd33b..5a307f2d5b 100644 --- a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml +++ b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml 
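Review bot: Removing `update_timestamp: true` from the test attack_data entries of kerberos_pre_authentication_flag_disabled_with_powershell.yml (and the useraccountcontrol variant just above it) changes how the replayed dataset is timestamped, yet nothing in the hunk shows the harness now doing this by default. If the detection search carries any `earliest`/`latest` window, a dataset replayed with its original (old) timestamps will silently fall outside it and the True Positive test can pass or fail for the wrong reason; presumably the flag became the default upstream, but that should be confirmed and stated in the commit message. The `risk_score: 45` removal in the first hunk of each file shares the concern raised elsewhere on this diff: no replacement scoring field is visible.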
@@ -52,7 +52,6 @@ tags: - EventCode - TicketEncryptionType - ServiceName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/kerberos_user_enumeration.yml b/detections/endpoint/kerberos_user_enumeration.yml index 9fd94aa879..c9a571ecd1 100644 --- a/detections/endpoint/kerberos_user_enumeration.yml +++ b/detections/endpoint/kerberos_user_enumeration.yml @@ -54,7 +54,6 @@ tags: - Result_Code - Account_Name - Client_Address - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/known_services_killed_by_ransomware.yml b/detections/endpoint/known_services_killed_by_ransomware.yml index 978c922db2..b51953ef4e 100644 --- a/detections/endpoint/known_services_killed_by_ransomware.yml +++ b/detections/endpoint/known_services_killed_by_ransomware.yml @@ -63,7 +63,6 @@ tags: - Message - dest - Type - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml index 0f3add9bba..4ba4891c31 100644 --- a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml +++ b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml @@ -57,7 +57,6 @@ tags: - Filesystem.process_guid - Filesystem.file_path - Filesystem.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml index 606c573d9a..6417011fd2 100644 --- a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml +++ b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml 
@@ -57,7 +57,6 @@ tags: - Filesystem.file_name - Filesystem.process_guid - Filesystem.file_path - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_add_user_account.yml b/detections/endpoint/linux_add_user_account.yml index dd614a81d2..6038c30794 100644 --- a/detections/endpoint/linux_add_user_account.yml +++ b/detections/endpoint/linux_add_user_account.yml @@ -62,7 +62,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml index 2350c26f3d..8630bb08ee 100644 --- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml +++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml @@ -69,7 +69,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml index 349a242d94..2905f5b4e6 100644 --- a/detections/endpoint/linux_apt_get_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml @@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test @@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_apt_privilege_escalation.yml b/detections/endpoint/linux_apt_privilege_escalation.yml index 0057162ea8..e195c32da3 100644 
--- a/detections/endpoint/linux_apt_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_privilege_escalation.yml @@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test @@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_at_allow_config_file_creation.yml b/detections/endpoint/linux_at_allow_config_file_creation.yml index 25996012bd..e95a619b89 100644 --- a/detections/endpoint/linux_at_allow_config_file_creation.yml +++ b/detections/endpoint/linux_at_allow_config_file_creation.yml @@ -57,7 +57,6 @@ tags: - Filesystem.file_name - Filesystem.process_guid - Filesystem.file_path - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index 05649e4cff..4a3a5ad183 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -67,7 +67,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_awk_privilege_escalation.yml b/detections/endpoint/linux_awk_privilege_escalation.yml index d4bcae6333..7d2f4a553d 100644 --- a/detections/endpoint/linux_awk_privilege_escalation.yml +++ b/detections/endpoint/linux_awk_privilege_escalation.yml @@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test 
@@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/awk/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_busybox_privilege_escalation.yml b/detections/endpoint/linux_busybox_privilege_escalation.yml index 16b0477dff..cd8c22d0bd 100644 --- a/detections/endpoint/linux_busybox_privilege_escalation.yml +++ b/detections/endpoint/linux_busybox_privilege_escalation.yml @@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test @@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/busybox/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_c89_privilege_escalation.yml b/detections/endpoint/linux_c89_privilege_escalation.yml index c9f84f4d5f..6fc1ed179a 100644 --- a/detections/endpoint/linux_c89_privilege_escalation.yml +++ b/detections/endpoint/linux_c89_privilege_escalation.yml @@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test @@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c89/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_c99_privilege_escalation.yml b/detections/endpoint/linux_c99_privilege_escalation.yml index 0abf08917e..c43558974e 100644 --- a/detections/endpoint/linux_c99_privilege_escalation.yml +++ b/detections/endpoint/linux_c99_privilege_escalation.yml 
@@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test @@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c99/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_change_file_owner_to_root.yml b/detections/endpoint/linux_change_file_owner_to_root.yml index ac42f0748a..0e792c8330 100644 --- a/detections/endpoint/linux_change_file_owner_to_root.yml +++ b/detections/endpoint/linux_change_file_owner_to_root.yml @@ -64,7 +64,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_clipboard_data_copy.yml b/detections/endpoint/linux_clipboard_data_copy.yml index 0ce6bfdb93..47740888c3 100644 --- a/detections/endpoint/linux_clipboard_data_copy.yml +++ b/detections/endpoint/linux_clipboard_data_copy.yml @@ -74,7 +74,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 16 security_domain: endpoint tests: - name: True Positive Test @@ -83,4 +82,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_common_process_for_elevation_control.yml b/detections/endpoint/linux_common_process_for_elevation_control.yml index f36c6826fd..531e783958 100644 --- a/detections/endpoint/linux_common_process_for_elevation_control.yml +++ b/detections/endpoint/linux_common_process_for_elevation_control.yml 
@@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_composer_privilege_escalation.yml b/detections/endpoint/linux_composer_privilege_escalation.yml index 73261c22e1..a46b04cc67 100644 --- a/detections/endpoint/linux_composer_privilege_escalation.yml +++ b/detections/endpoint/linux_composer_privilege_escalation.yml @@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test @@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/composer/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_cpulimit_privilege_escalation.yml b/detections/endpoint/linux_cpulimit_privilege_escalation.yml index 285fcddf69..318d04c99e 100644 --- a/detections/endpoint/linux_cpulimit_privilege_escalation.yml +++ b/detections/endpoint/linux_cpulimit_privilege_escalation.yml @@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test @@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_csvtool_privilege_escalation.yml b/detections/endpoint/linux_csvtool_privilege_escalation.yml index 82f295b13b..684fe710c6 100644 --- a/detections/endpoint/linux_csvtool_privilege_escalation.yml +++ b/detections/endpoint/linux_csvtool_privilege_escalation.yml 
@@ -71,7 +71,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test @@ -80,4 +79,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/csvtool/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml index 0ace0a70ea..0dc249cf9f 100644 --- a/detections/endpoint/linux_curl_upload_file.yml +++ b/detections/endpoint/linux_curl_upload_file.yml @@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test @@ -90,4 +89,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_data_destruction_command.yml b/detections/endpoint/linux_data_destruction_command.yml index 7716d9c8e6..a9141b0705 100644 --- a/detections/endpoint/linux_data_destruction_command.yml +++ b/detections/endpoint/linux_data_destruction_command.yml @@ -67,7 +67,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test @@ -76,4 +75,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_dd_file_overwrite.yml b/detections/endpoint/linux_dd_file_overwrite.yml index a948daa321..ed18331ba8 100644 --- a/detections/endpoint/linux_dd_file_overwrite.yml 
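Review bot: linux_data_destruction_command.yml loses `risk_score: 90`, the highest value removed anywhere in this diff, with nothing in the hunk taking over the severity signal. A destructive-command detection that previously outranked the `10`/`20` privilege-escalation hunts on this same line (csvtool, cpulimit) will now be indistinguishable from them in any consumer that sorted on this key, so if the intent is to derive priority from a new structure, that structure should be added in the same commit or the file should carry a comment such as `# severity now expressed via observable risk objects` so the drop is not read as accidental. The accompanying `update_timestamp: true` removal from the awfulshred test entry also needs confirmation that the harness defaults to timestamp rewriting, since the dataset is a historical malware capture.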
+++ b/detections/endpoint/linux_dd_file_overwrite.yml @@ -62,7 +62,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml index 1bacea6b8c..2fbd5569e2 100644 --- a/detections/endpoint/linux_decode_base64_to_shell.yml +++ b/detections/endpoint/linux_decode_base64_to_shell.yml @@ -75,7 +75,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test @@ -83,4 +82,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml index 5ed033e710..1ffa8abf5d 100644 --- a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml +++ b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml @@ -66,7 +66,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_deletion_of_cron_jobs.yml b/detections/endpoint/linux_deletion_of_cron_jobs.yml index 1c601fcce1..c2fbe0ed1b 100644 --- a/detections/endpoint/linux_deletion_of_cron_jobs.yml +++ b/detections/endpoint/linux_deletion_of_cron_jobs.yml @@ -61,7 +61,6 @@ tags: - Filesystem.process_guid - Filesystem.file_path - Filesystem.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/linux_deletion_of_init_daemon_script.yml b/detections/endpoint/linux_deletion_of_init_daemon_script.yml index 5e8ebdc99b..7edd97cbc3 100644 --- a/detections/endpoint/linux_deletion_of_init_daemon_script.yml +++ b/detections/endpoint/linux_deletion_of_init_daemon_script.yml @@ -61,7 +61,6 @@ tags: - Filesystem.process_guid - Filesystem.file_path - Filesystem.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_deletion_of_services.yml b/detections/endpoint/linux_deletion_of_services.yml index 3d34d9e14e..bd9261ad9e 100644 --- a/detections/endpoint/linux_deletion_of_services.yml +++ b/detections/endpoint/linux_deletion_of_services.yml @@ -66,7 +66,6 @@ tags: - Filesystem.process_guid - Filesystem.file_path - Filesystem.action - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_deletion_of_ssl_certificate.yml b/detections/endpoint/linux_deletion_of_ssl_certificate.yml index d8b3954336..0b7523bc43 100644 --- a/detections/endpoint/linux_deletion_of_ssl_certificate.yml +++ b/detections/endpoint/linux_deletion_of_ssl_certificate.yml @@ -62,7 +62,6 @@ tags: - Filesystem.process_guid - Filesystem.file_path - Filesystem.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_disable_services.yml b/detections/endpoint/linux_disable_services.yml index 9c16ea6bf1..bbfebd6f34 100644 --- a/detections/endpoint/linux_disable_services.yml +++ b/detections/endpoint/linux_disable_services.yml @@ -65,7 +65,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_doas_conf_file_creation.yml b/detections/endpoint/linux_doas_conf_file_creation.yml index b17c9253c8..ab34597608 100644 
--- a/detections/endpoint/linux_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_doas_conf_file_creation.yml @@ -55,7 +55,6 @@ tags: - Filesystem.file_name - Filesystem.process_guid - Filesystem.file_path - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_doas_tool_execution.yml b/detections/endpoint/linux_doas_tool_execution.yml index 7b3ac542c7..eb0ae981df 100644 --- a/detections/endpoint/linux_doas_tool_execution.yml +++ b/detections/endpoint/linux_doas_tool_execution.yml @@ -63,7 +63,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_docker_privilege_escalation.yml b/detections/endpoint/linux_docker_privilege_escalation.yml index 62b6368e66..673ed63179 100644 --- a/detections/endpoint/linux_docker_privilege_escalation.yml +++ b/detections/endpoint/linux_docker_privilege_escalation.yml @@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 5 security_domain: endpoint tests: - name: True Positive Test @@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_edit_cron_table_parameter.yml b/detections/endpoint/linux_edit_cron_table_parameter.yml index fd1845cafb..4e4b88989a 100644 --- a/detections/endpoint/linux_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_edit_cron_table_parameter.yml @@ -64,7 +64,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/linux_emacs_privilege_escalation.yml b/detections/endpoint/linux_emacs_privilege_escalation.yml index 526bdbbba8..1fdf59be90 100644 --- a/detections/endpoint/linux_emacs_privilege_escalation.yml +++ b/detections/endpoint/linux_emacs_privilege_escalation.yml @@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test @@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/emacs/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml index a1abd5c193..d003c3b852 100644 --- a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml +++ b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml @@ -55,7 +55,6 @@ tags: - Filesystem.file_name - Filesystem.process_guid - Filesystem.file_path - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml index 4f2897be3f..21da802f92 100644 --- a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml +++ b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml @@ -53,7 +53,6 @@ tags: - Filesystem.file_name - Filesystem.process_guid - Filesystem.file_path - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_file_creation_in_profile_directory.yml b/detections/endpoint/linux_file_creation_in_profile_directory.yml index 3a9a11e994..47239fe3b1 100644 --- a/detections/endpoint/linux_file_creation_in_profile_directory.yml 
+++ b/detections/endpoint/linux_file_creation_in_profile_directory.yml @@ -55,7 +55,6 @@ tags: - Filesystem.file_name - Filesystem.process_guid - Filesystem.file_path - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_find_privilege_escalation.yml b/detections/endpoint/linux_find_privilege_escalation.yml index 8520191741..12d2312667 100644 --- a/detections/endpoint/linux_find_privilege_escalation.yml +++ b/detections/endpoint/linux_find_privilege_escalation.yml @@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 5 security_domain: endpoint tests: - name: True Positive Test @@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/find/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_gdb_privilege_escalation.yml b/detections/endpoint/linux_gdb_privilege_escalation.yml index bcbb89d7bf..1656c88bca 100644 --- a/detections/endpoint/linux_gdb_privilege_escalation.yml +++ b/detections/endpoint/linux_gdb_privilege_escalation.yml @@ -71,7 +71,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test @@ -80,4 +79,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gdb/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_gem_privilege_escalation.yml b/detections/endpoint/linux_gem_privilege_escalation.yml index dbf9ac3d32..f8210cddf4 100644 --- a/detections/endpoint/linux_gem_privilege_escalation.yml +++ b/detections/endpoint/linux_gem_privilege_escalation.yml 
@@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test
@@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gem/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
index 62d55ecc65..3a7baaa4fc 100644
--- a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
+++ b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
@@ -71,7 +71,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
@@ -80,4 +79,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gawk/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_hardware_addition_swapoff.yml b/detections/endpoint/linux_hardware_addition_swapoff.yml
index 25501520b6..1092c9ca1e 100644
--- a/detections/endpoint/linux_hardware_addition_swapoff.yml
+++ b/detections/endpoint/linux_hardware_addition_swapoff.yml
@@ -65,7 +65,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
@@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
index af5360497c..7289d8c493 100644
--- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
+++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
@@ -60,7 +60,6 @@ tags: - Filesystem.process_guid - Filesystem.file_path - Filesystem.action - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
index 5ee59ba96b..6bec314b46 100644
--- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
+++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
@@ -58,7 +58,6 @@ tags: - Filesystem.process_guid - Filesystem.file_path - Filesystem.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_impair_defenses_process_kill.yml b/detections/endpoint/linux_impair_defenses_process_kill.yml
index 2780fcd8c0..e13c94a18a 100644
--- a/detections/endpoint/linux_impair_defenses_process_kill.yml
+++ b/detections/endpoint/linux_impair_defenses_process_kill.yml
@@ -69,7 +69,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_indicator_removal_clear_cache.yml b/detections/endpoint/linux_indicator_removal_clear_cache.yml
index 11e72cdef5..c9cd899de6 100644
--- a/detections/endpoint/linux_indicator_removal_clear_cache.yml
+++ b/detections/endpoint/linux_indicator_removal_clear_cache.yml
@@ -67,7 +67,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -76,4 +75,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test3/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
index bfe37dea46..6054b55ce8 100644
--- a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
+++ b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
@@ -69,7 +69,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
index 2ee962a3c8..3d10b50935 100644
--- a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
+++ b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
@@ -78,7 +78,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test
@@ -87,4 +86,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
index 9403068447..b8ba33a5d8 100644
--- a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
+++ b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
@@ -77,7 +77,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test
@@ -86,4 +85,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
index 41d35b04ca..eb66625214 100644
--- a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
+++ b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
@@ -66,7 +66,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
index 9049b9a000..e4acdaa4e9 100644
--- a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
+++ b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
@@ -66,7 +66,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml
index 7a97f54ae9..097b8bc8be 100644
--- a/detections/endpoint/linux_iptables_firewall_modification.yml
+++ b/detections/endpoint/linux_iptables_firewall_modification.yml
@@ -5,8 +5,6 @@ date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly -datamodel: - Endpoint description: The following analytic detects suspicious command-line activity that modifies the iptables firewall settings on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command patterns
@@ -74,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_java_spawning_shell.yml b/detections/endpoint/linux_java_spawning_shell.yml
index 6aacf7ab9e..2b734d5c66 100644
--- a/detections/endpoint/linux_java_spawning_shell.yml
+++ b/detections/endpoint/linux_java_spawning_shell.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_kernel_module_enumeration.yml b/detections/endpoint/linux_kernel_module_enumeration.yml
index 5491a9a081..bc1f498498 100644
--- a/detections/endpoint/linux_kernel_module_enumeration.yml
+++ b/detections/endpoint/linux_kernel_module_enumeration.yml
@@ -78,7 +78,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
@@ -87,4 +86,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml
index e3ff726822..1e2466aafd 100644
--- a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml
+++ b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml
@@ -5,8 +5,6 @@ date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: Hunting -datamodel: - Endpoint description: The following analytic detects the execution of a kworker process with a command line in writable directories such as /home/, /var/log, and /tmp on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing
@@ -69,7 +67,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_path - Processes.process_path - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_make_privilege_escalation.yml b/detections/endpoint/linux_make_privilege_escalation.yml
index 3b2489e761..cb91566d69 100644
--- a/detections/endpoint/linux_make_privilege_escalation.yml
+++ b/detections/endpoint/linux_make_privilege_escalation.yml
@@ -71,7 +71,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test
@@ -80,4 +79,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/make/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_mysql_privilege_escalation.yml b/detections/endpoint/linux_mysql_privilege_escalation.yml
index 8534760d6b..020063ec54 100644
--- a/detections/endpoint/linux_mysql_privilege_escalation.yml
+++ b/detections/endpoint/linux_mysql_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
@@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/mysql/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
index 4fccf989cf..f30a1eac2a 100644
--- a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test
@@ -90,4 +89,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/ngrok_linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_node_privilege_escalation.yml b/detections/endpoint/linux_node_privilege_escalation.yml
index 611f5d8740..e501def05d 100644
--- a/detections/endpoint/linux_node_privilege_escalation.yml
+++ b/detections/endpoint/linux_node_privilege_escalation.yml
@@ -74,7 +74,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
@@ -83,4 +82,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/node/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
index 0eb96a8627..1265d9ed4b 100644
--- a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
@@ -64,7 +64,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
index 89f4a9e397..06c0ebac34 100644
--- a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
+++ b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
@@ -77,7 +77,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
@@ -85,4 +84,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_octave_privilege_escalation.yml b/detections/endpoint/linux_octave_privilege_escalation.yml
index 22932b779b..dd5feaa814 100644
--- a/detections/endpoint/linux_octave_privilege_escalation.yml
+++ b/detections/endpoint/linux_octave_privilege_escalation.yml
@@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/octave/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_openvpn_privilege_escalation.yml b/detections/endpoint/linux_openvpn_privilege_escalation.yml
index 31b31ab770..1e4b9aa4da 100644
--- a/detections/endpoint/linux_openvpn_privilege_escalation.yml
+++ b/detections/endpoint/linux_openvpn_privilege_escalation.yml
@@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/openvpn/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
index c9db51e233..60608b4e6f 100644
--- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
+++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
@@ -64,7 +64,6 @@ tags: - All_Risk.risk_object - All_Risk.annotations.mitre_attack.mitre_tactic - source - risk_score: 56 security_domain: audit tests: - name: True Positive Test
@@ -73,4 +72,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/linux_risk/linuxrisk.log source: linuxrisk sourcetype: stash - update_timestamp: true
diff --git a/detections/endpoint/linux_php_privilege_escalation.yml b/detections/endpoint/linux_php_privilege_escalation.yml
index 0baf905554..56e8c2f50f 100644
--- a/detections/endpoint/linux_php_privilege_escalation.yml
+++ b/detections/endpoint/linux_php_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
@@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/php/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_pkexec_privilege_escalation.yml b/detections/endpoint/linux_pkexec_privilege_escalation.yml
index 72b1f908d6..c94794f0d0 100644
--- a/detections/endpoint/linux_pkexec_privilege_escalation.yml
+++ b/detections/endpoint/linux_pkexec_privilege_escalation.yml
@@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml
index 1795a873f8..3fd189ceb9 100644
--- a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml
+++ b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml
@@ -65,7 +65,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_possible_access_to_credential_files.yml b/detections/endpoint/linux_possible_access_to_credential_files.yml
index 81a283e83d..24bce0b0e6 100644
--- a/detections/endpoint/linux_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_possible_access_to_credential_files.yml
@@ -63,7 +63,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_possible_access_to_sudoers_file.yml
index 814f5dfe46..226c60bade 100644
--- a/detections/endpoint/linux_possible_access_to_sudoers_file.yml
+++ b/detections/endpoint/linux_possible_access_to_sudoers_file.yml
@@ -63,7 +63,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml
index 009ff74a40..b6925f2c2b 100644
--- a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml
+++ b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml
@@ -65,7 +65,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml
index f907aa375e..ae3bbaf2de 100644
--- a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml
+++ b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml
@@ -65,7 +65,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml
index a221d86e38..cb9d4928a0 100644
--- a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml
+++ b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml
@@ -68,7 +68,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml
index 7ad33cf314..772f7002ff 100644
--- a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml
+++ b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml
@@ -65,7 +65,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 6 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_possible_ssh_key_file_creation.yml b/detections/endpoint/linux_possible_ssh_key_file_creation.yml
index 9b2bd11807..6f11234d95 100644
--- a/detections/endpoint/linux_possible_ssh_key_file_creation.yml
+++ b/detections/endpoint/linux_possible_ssh_key_file_creation.yml
@@ -55,7 +55,6 @@ tags: - Filesystem.file_name - Filesystem.process_guid - Filesystem.file_path - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_preload_hijack_library_calls.yml b/detections/endpoint/linux_preload_hijack_library_calls.yml
index d9e8cd45eb..8706ef3570 100644
--- a/detections/endpoint/linux_preload_hijack_library_calls.yml
+++ b/detections/endpoint/linux_preload_hijack_library_calls.yml
@@ -63,7 +63,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_proxy_socks_curl.yml b/detections/endpoint/linux_proxy_socks_curl.yml
index 8f2f949595..10746d7d30 100644
--- a/detections/endpoint/linux_proxy_socks_curl.yml
+++ b/detections/endpoint/linux_proxy_socks_curl.yml
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
@@ -91,4 +90,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_puppet_privilege_escalation.yml b/detections/endpoint/linux_puppet_privilege_escalation.yml
index 7dded91053..a32061a156 100644
--- a/detections/endpoint/linux_puppet_privilege_escalation.yml
+++ b/detections/endpoint/linux_puppet_privilege_escalation.yml
@@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 5 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/puppet/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_rpm_privilege_escalation.yml b/detections/endpoint/linux_rpm_privilege_escalation.yml
index e005b053c8..e506b49aa3 100644
--- a/detections/endpoint/linux_rpm_privilege_escalation.yml
+++ b/detections/endpoint/linux_rpm_privilege_escalation.yml
@@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/rpm/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_ruby_privilege_escalation.yml b/detections/endpoint/linux_ruby_privilege_escalation.yml
index 1e6029b481..7e500e6231 100644
--- a/detections/endpoint/linux_ruby_privilege_escalation.yml
+++ b/detections/endpoint/linux_ruby_privilege_escalation.yml
@@ -71,7 +71,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
@@ -80,4 +79,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/ruby/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true
diff --git a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml
index 4c165ae904..1b9a39161c 100644
--- a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml
+++ b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml
@@ -65,7 +65,6 @@ tags: - Filesystem.file_name - Filesystem.process_guid - Filesystem.file_path - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_service_restarted.yml b/detections/endpoint/linux_service_restarted.yml
index 6926755af4..6c5503bc61 100644
--- a/detections/endpoint/linux_service_restarted.yml
+++ b/detections/endpoint/linux_service_restarted.yml
@@ -69,7 +69,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_service_started_or_enabled.yml b/detections/endpoint/linux_service_started_or_enabled.yml
index 72eebc0fce..3b6e7bea05 100644
--- a/detections/endpoint/linux_service_started_or_enabled.yml
+++ b/detections/endpoint/linux_service_started_or_enabled.yml
@@ -68,7 +68,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_setuid_using_chmod_utility.yml b/detections/endpoint/linux_setuid_using_chmod_utility.yml
index 661c9931e7..b580823976 100644
--- a/detections/endpoint/linux_setuid_using_chmod_utility.yml
+++ b/detections/endpoint/linux_setuid_using_chmod_utility.yml
@@ -65,7 +65,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_setuid_using_setcap_utility.yml b/detections/endpoint/linux_setuid_using_setcap_utility.yml
index a6478eb949..0a26c7d150 100644
--- a/detections/endpoint/linux_setuid_using_setcap_utility.yml
+++ b/detections/endpoint/linux_setuid_using_setcap_utility.yml
@@ -65,7 +65,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_shred_overwrite_command.yml b/detections/endpoint/linux_shred_overwrite_command.yml
index d6af5c9e88..ec5a894575 100644
--- a/detections/endpoint/linux_shred_overwrite_command.yml
+++ b/detections/endpoint/linux_shred_overwrite_command.yml
@@ -66,7 +66,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/linux_sqlite3_privilege_escalation.yml b/detections/endpoint/linux_sqlite3_privilege_escalation.yml
index cba1176f0a..d20dd2e65f 100644
--- a/detections/endpoint/linux_sqlite3_privilege_escalation.yml
+++ b/detections/endpoint/linux_sqlite3_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 30
security_domain: endpoint
tests:
- name: True Positive Test
@@ -81,4 +80,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_ssh_authorized_keys_modification.yml b/detections/endpoint/linux_ssh_authorized_keys_modification.yml
index 4279e16534..c0f3ff443e 100644
--- a/detections/endpoint/linux_ssh_authorized_keys_modification.yml
+++ b/detections/endpoint/linux_ssh_authorized_keys_modification.yml
@@ -79,7 +79,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
@@ -88,4 +87,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_ssh_remote_services_script_execute.yml b/detections/endpoint/linux_ssh_remote_services_script_execute.yml
index 842b3c1fc8..d4b94ac3ec 100644
--- a/detections/endpoint/linux_ssh_remote_services_script_execute.yml
+++ b/detections/endpoint/linux_ssh_remote_services_script_execute.yml
@@ -74,7 +74,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
@@ -83,4 +82,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/atomic_red_team/linux-sysmon.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
index 4fe80ecb18..ea918daf6e 100644
--- a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
+++ b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
@@ -64,7 +64,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_stop_services.yml b/detections/endpoint/linux_stop_services.yml
index 28b9aee7f8..c38c09262f 100644
--- a/detections/endpoint/linux_stop_services.yml
+++ b/detections/endpoint/linux_stop_services.yml
@@ -65,7 +65,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_sudo_or_su_execution.yml b/detections/endpoint/linux_sudo_or_su_execution.yml
index 323969cbee..d40b6be95c 100644
--- a/detections/endpoint/linux_sudo_or_su_execution.yml
+++ b/detections/endpoint/linux_sudo_or_su_execution.yml
@@ -63,7 +63,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_sudoers_tmp_file_creation.yml b/detections/endpoint/linux_sudoers_tmp_file_creation.yml
index 8e3da22f96..8cd85b56ef 100644
--- a/detections/endpoint/linux_sudoers_tmp_file_creation.yml
+++ b/detections/endpoint/linux_sudoers_tmp_file_creation.yml
@@ -55,7 +55,6 @@ tags:
- Filesystem.file_name
- Filesystem.process_guid
- Filesystem.file_path
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_system_network_discovery.yml b/detections/endpoint/linux_system_network_discovery.yml
index 6247fc97d8..17a3a3e7e0 100644
--- a/detections/endpoint/linux_system_network_discovery.yml
+++ b/detections/endpoint/linux_system_network_discovery.yml
@@ -65,7 +65,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_system_reboot_via_system_request_key.yml b/detections/endpoint/linux_system_reboot_via_system_request_key.yml
index 6351f75b97..de9bdb4214 100644
--- a/detections/endpoint/linux_system_reboot_via_system_request_key.yml
+++ b/detections/endpoint/linux_system_reboot_via_system_request_key.yml
@@ -64,7 +64,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml
index 6f248fd7e4..fc7e72254e 100644
--- a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml
+++ b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml
@@ -67,7 +67,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
@@ -76,4 +75,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_visudo_utility_execution.yml b/detections/endpoint/linux_visudo_utility_execution.yml
index 106f4f8587..644007f0ba 100644
--- a/detections/endpoint/linux_visudo_utility_execution.yml
+++ b/detections/endpoint/linux_visudo_utility_execution.yml
@@ -63,7 +63,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 16
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/living_off_the_land_detection.yml b/detections/endpoint/living_off_the_land_detection.yml
index 26f3ab58e1..c6319256bb 100644
--- a/detections/endpoint/living_off_the_land_detection.yml
+++ b/detections/endpoint/living_off_the_land_detection.yml
@@ -66,7 +66,6 @@ tags:
- All_Risk.risk_object
- All_Risk.annotations.mitre_attack.mitre_tactic
- source
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/loading_of_dynwrapx_module.yml b/detections/endpoint/loading_of_dynwrapx_module.yml
index 2e3c85aa3e..6d207d1335 100644
--- a/detections/endpoint/loading_of_dynwrapx_module.yml
+++ b/detections/endpoint/loading_of_dynwrapx_module.yml
@@ -67,7 +67,6 @@ tags:
- EventCode
- Signed
- ProcessId
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/local_account_discovery_with_net.yml b/detections/endpoint/local_account_discovery_with_net.yml
index 8af1029345..9688dc29a5 100644
--- a/detections/endpoint/local_account_discovery_with_net.yml
+++ b/detections/endpoint/local_account_discovery_with_net.yml
@@ -57,7 +57,6 @@ tags:
- Splunk Cloud
required_fields:
- _time
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/local_account_discovery_with_wmic.yml b/detections/endpoint/local_account_discovery_with_wmic.yml
index dc3b012ed7..6273f199a7 100644
--- a/detections/endpoint/local_account_discovery_with_wmic.yml
+++ b/detections/endpoint/local_account_discovery_with_wmic.yml
@@ -55,7 +55,6 @@ tags:
- Splunk Cloud
required_fields:
- _time
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
index d58be5a40a..d0f6247c99 100644
--- a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
+++ b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
@@ -66,7 +66,6 @@ tags:
- All_Risk.risk_object
- All_Risk.annotations.mitre_attack.mitre_tactic
- source
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/logon_script_event_trigger_execution.yml b/detections/endpoint/logon_script_event_trigger_execution.yml
index 91c271f74f..0deadc018c 100644
--- a/detections/endpoint/logon_script_event_trigger_execution.yml
+++ b/detections/endpoint/logon_script_event_trigger_execution.yml
@@ -62,7 +62,6 @@ tags:
- Registry.registry_path
- Registry.registry_key_name
- Registry.registry_value_name
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml
index d60a07c41e..4419e4aa38 100644
--- a/detections/endpoint/lolbas_with_network_traffic.yml
+++ b/detections/endpoint/lolbas_with_network_traffic.yml
@@ -83,7 +83,6 @@ tags:
- All_Traffic.dest
- All_Traffic.dest_ip
- All_Traffic.process_id
- risk_score: 25
security_domain: network
tests:
- name: True Positive Test
@@ -92,4 +91,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/macos___re_opened_applications.yml b/detections/endpoint/macos___re_opened_applications.yml
index 0a7e2b4bec..92db18d882 100644
--- a/detections/endpoint/macos___re_opened_applications.yml
+++ b/detections/endpoint/macos___re_opened_applications.yml
@@ -66,5 +66,4 @@ tags:
- Processes.process_name
- Processes.parent_process_name
- Processes.dest
- risk_score: 25
security_domain: threat
diff --git a/detections/endpoint/macos_lolbin.yml b/detections/endpoint/macos_lolbin.yml
index eb2f4574d6..b941534493 100644
--- a/detections/endpoint/macos_lolbin.yml
+++ b/detections/endpoint/macos_lolbin.yml
@@ -60,7 +60,6 @@ tags:
- columns.signing_id
- columns.username
- host
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/macos_plutil.yml b/detections/endpoint/macos_plutil.yml
index 5052388030..5ecc56d90d 100644
--- a/detections/endpoint/macos_plutil.yml
+++ b/detections/endpoint/macos_plutil.yml
@@ -57,7 +57,6 @@ tags:
- columns.signing_id
- columns.username
- host
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/mailsniper_invoke_functions.yml b/detections/endpoint/mailsniper_invoke_functions.yml
index 63b03ef528..08e747519e 100644
--- a/detections/endpoint/mailsniper_invoke_functions.yml
+++ b/detections/endpoint/mailsniper_invoke_functions.yml
@@ -57,7 +57,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/malicious_inprocserver32_modification.yml b/detections/endpoint/malicious_inprocserver32_modification.yml
index f5585eb2ae..4c7f1d0176 100644
--- a/detections/endpoint/malicious_inprocserver32_modification.yml
+++ b/detections/endpoint/malicious_inprocserver32_modification.yml
@@ -76,7 +76,6 @@ tags:
- registry_key_name
- registry_value_name
- user
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/malicious_powershell_executed_as_a_service.yml b/detections/endpoint/malicious_powershell_executed_as_a_service.yml
index 57a0c7f994..0841477821 100644
--- a/detections/endpoint/malicious_powershell_executed_as_a_service.yml
+++ b/detections/endpoint/malicious_powershell_executed_as_a_service.yml
@@ -64,7 +64,6 @@ tags:
- Service_Start_Type
- Service_Account
- user
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml
index 2361965649..68633c8b4c 100644
--- a/detections/endpoint/malicious_powershell_process___encoded_command.yml
+++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml
@@ -76,7 +76,6 @@ tags:
- Processes.parent_process_name
- Processes.dest
- Processes.process_id
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
index 07111d4bc2..b1f4e1e599 100644
--- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
+++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
@@ -73,7 +73,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 42
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
index 38e345f8f3..3103d1e8e9 100644
--- a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
+++ b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
@@ -70,7 +70,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 42
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
index 22b4bbc9a1..d72586dae5 100644
--- a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
+++ b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
@@ -78,7 +78,6 @@ tags:
- Processes.process_id
- Processes.parent_process_id
- Processes.parent_process_name
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
index b07f02f030..05bb9b3a26 100644
--- a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/modification_of_wallpaper.yml b/detections/endpoint/modification_of_wallpaper.yml
index d82dc62ae6..5b529f7e91 100644
--- a/detections/endpoint/modification_of_wallpaper.yml
+++ b/detections/endpoint/modification_of_wallpaper.yml
@@ -65,7 +65,6 @@ tags:
- process_guid
- process_id
- user_id
- risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
index 98c03804bc..09343457b0 100644
--- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
+++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
@@ -62,7 +62,6 @@ tags:
- Processes.user
- Processes.process
- Processes.process_id
- risk_score: 32
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
index ea1a640407..0598d8d007 100644
--- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
+++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
@@ -57,7 +57,6 @@ tags:
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/moveit_certificate_store_access_failure.yml b/detections/endpoint/moveit_certificate_store_access_failure.yml
index 78f9a718ff..aa1ea95a5d 100644
--- a/detections/endpoint/moveit_certificate_store_access_failure.yml
+++ b/detections/endpoint/moveit_certificate_store_access_failure.yml
@@ -33,7 +33,6 @@ tags:
required_fields:
- source
- _raw
- risk_score: 9
security_domain: endpoint
cve:
- CVE-2024-5806
diff --git a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml
index 4be4c33ed8..b82a8da6b7 100644
--- a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml
+++ b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml
@@ -33,7 +33,6 @@ tags:
required_fields:
- source
- _raw
- risk_score: 9
security_domain: endpoint
cve:
- CVE-2024-5806
diff --git a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
index 41c700af5e..0f7fe9dbfb 100644
--- a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
+++ b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
@@ -80,5 +80,4 @@ tags:
- Processes.process_id
- Processes.process_name
- Processes.process_guid
- risk_score: 81
security_domain: endpoint
diff --git a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml
index 750a86f48a..97f896b0dd 100644
--- a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml
+++ b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml
@@ -56,7 +56,6 @@ tags:
- ProcessGuid
- dest
- ImageLoaded
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml
index 719ef1f264..e6304044f9 100644
--- a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml
+++ b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml
@@ -58,7 +58,6 @@ tags:
- ProcessGuid
- dest
- ImageLoaded
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
index 46d80c1e16..5ede50eacd 100644
--- a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
+++ b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
@@ -70,7 +70,6 @@ tags:
- Processes.process_name
- Processes.original_file_name
- Processes.user
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
index ba8a54b183..3418910066 100644
--- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
+++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
@@ -74,7 +74,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/mshtml_module_load_in_office_product.yml b/detections/endpoint/mshtml_module_load_in_office_product.yml
index b54ab9b15c..d54429dbd0 100644
--- a/detections/endpoint/mshtml_module_load_in_office_product.yml
+++ b/detections/endpoint/mshtml_module_load_in_office_product.yml
@@ -65,7 +65,6 @@ tags:
- OriginalFileName
- process_id
- dest
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml
index 83fec4ebc4..6a9b863aff 100644
--- a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml
+++ b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml
@@ -63,7 +63,6 @@ tags:
- dest
- EventCode
- ProcessId
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/msmpeng_application_dll_side_loading.yml b/detections/endpoint/msmpeng_application_dll_side_loading.yml
index 7418bfde83..80541a9028 100644
--- a/detections/endpoint/msmpeng_application_dll_side_loading.yml
+++ b/detections/endpoint/msmpeng_application_dll_side_loading.yml
@@ -57,7 +57,6 @@ tags:
- Filesystem.file_name
- Filesystem.user
- Filesystem.file_path
- risk_score: 25.0
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/net_localgroup_discovery.yml b/detections/endpoint/net_localgroup_discovery.yml
index bd88ee31cc..fdd9252662 100644
--- a/detections/endpoint/net_localgroup_discovery.yml
+++ b/detections/endpoint/net_localgroup_discovery.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/net_profiler_uac_bypass.yml b/detections/endpoint/net_profiler_uac_bypass.yml
index 4efe979c66..0b59705aef 100644
--- a/detections/endpoint/net_profiler_uac_bypass.yml
+++ b/detections/endpoint/net_profiler_uac_bypass.yml
@@ -55,7 +55,6 @@ tags:
- Registry.registry_key_name
- Registry.registry_value_name
- Registry.dest
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/network_connection_discovery_with_arp.yml b/detections/endpoint/network_connection_discovery_with_arp.yml
index ab79da0570..dddb0f8d1a 100644
--- a/detections/endpoint/network_connection_discovery_with_arp.yml
+++ b/detections/endpoint/network_connection_discovery_with_arp.yml
@@ -72,7 +72,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/network_connection_discovery_with_net.yml b/detections/endpoint/network_connection_discovery_with_net.yml
index 35b00a4faa..3b9a2810f1 100644
--- a/detections/endpoint/network_connection_discovery_with_net.yml
+++ b/detections/endpoint/network_connection_discovery_with_net.yml
@@ -68,7 +68,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/network_connection_discovery_with_netstat.yml b/detections/endpoint/network_connection_discovery_with_netstat.yml
index fe95b08f33..412b6861bc 100644
--- a/detections/endpoint/network_connection_discovery_with_netstat.yml
+++ b/detections/endpoint/network_connection_discovery_with_netstat.yml
@@ -72,7 +72,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/network_discovery_using_route_windows_app.yml b/detections/endpoint/network_discovery_using_route_windows_app.yml
index f5b53520ce..41667f7de6 100644
--- a/detections/endpoint/network_discovery_using_route_windows_app.yml
+++ b/detections/endpoint/network_discovery_using_route_windows_app.yml
@@ -69,7 +69,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/network_share_discovery_via_dir_command.yml b/detections/endpoint/network_share_discovery_via_dir_command.yml
index 7be5739254..e1e794feb0 100644
--- a/detections/endpoint/network_share_discovery_via_dir_command.yml
+++ b/detections/endpoint/network_share_discovery_via_dir_command.yml
@@ -49,7 +49,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 25
required_fields:
- _time
- ShareName
diff --git a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
index f3dc6a139b..ec1a819d45 100644
--- a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
+++ b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
@@ -61,7 +61,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 10
required_fields:
- All_Traffic.src_ip
- All_Traffic.dest_ip
diff --git a/detections/endpoint/nishang_powershelltcponeline.yml b/detections/endpoint/nishang_powershelltcponeline.yml
index 6959615fe3..2d243ab0f2 100644
--- a/detections/endpoint/nishang_powershelltcponeline.yml
+++ b/detections/endpoint/nishang_powershelltcponeline.yml
@@ -70,7 +70,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 42
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/nltest_domain_trust_discovery.yml b/detections/endpoint/nltest_domain_trust_discovery.yml
index f7fe8fdc4b..9ffd40386e 100644
--- a/detections/endpoint/nltest_domain_trust_discovery.yml
+++ b/detections/endpoint/nltest_domain_trust_discovery.yml
@@ -74,7 +74,6 @@ tags:
- Processes.parent_process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
index f1e940a766..534667c07b 100644
--- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
+++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
@@ -66,7 +66,6 @@ tags:
- EventCode
- dest
- user
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
index 0bf0bb5353..5f8679c668 100644
--- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
+++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
@@ -66,7 +66,6 @@ tags:
- EventCode
- dest
- user
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/notepad_with_no_command_line_arguments.yml b/detections/endpoint/notepad_with_no_command_line_arguments.yml
index cd4bda96bc..6314566e7a 100644
--- a/detections/endpoint/notepad_with_no_command_line_arguments.yml
+++ b/detections/endpoint/notepad_with_no_command_line_arguments.yml
@@ -78,7 +78,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/ntdsutil_export_ntds.yml b/detections/endpoint/ntdsutil_export_ntds.yml
index 19227bf537..801e4c2ac1 100644
--- a/detections/endpoint/ntdsutil_export_ntds.yml
+++ b/detections/endpoint/ntdsutil_export_ntds.yml
@@ -72,7 +72,6 @@ tags:
- Processes.parent_process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 50
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/office_application_drop_executable.yml b/detections/endpoint/office_application_drop_executable.yml
index 3d99783b40..2e9df563de 100644
--- a/detections/endpoint/office_application_drop_executable.yml
+++ b/detections/endpoint/office_application_drop_executable.yml
@@ -70,7 +70,6 @@ tags:
- process_guid
- dest
- user_id
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/office_application_spawn_regsvr32_process.yml b/detections/endpoint/office_application_spawn_regsvr32_process.yml
index 7c7186e554..af1bfec5b0 100644
--- a/detections/endpoint/office_application_spawn_regsvr32_process.yml
+++ b/detections/endpoint/office_application_spawn_regsvr32_process.yml
@@ -73,7 +73,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/office_application_spawn_rundll32_process.yml b/detections/endpoint/office_application_spawn_rundll32_process.yml
index d233706b21..f2149fa0e0 100644
--- a/detections/endpoint/office_application_spawn_rundll32_process.yml
+++ b/detections/endpoint/office_application_spawn_rundll32_process.yml
@@ -75,7 +75,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/office_document_creating_schedule_task.yml b/detections/endpoint/office_document_creating_schedule_task.yml
index bf7281830a..1f042c2d18 100644
--- a/detections/endpoint/office_document_creating_schedule_task.yml
+++ b/detections/endpoint/office_document_creating_schedule_task.yml
@@ -61,7 +61,6 @@ tags:
- ProcessId
- ProcessGuid
- _time
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/office_document_executing_macro_code.yml b/detections/endpoint/office_document_executing_macro_code.yml
index 41a3287902..548e400721 100644
--- a/detections/endpoint/office_document_executing_macro_code.yml
+++ b/detections/endpoint/office_document_executing_macro_code.yml
@@ -72,7 +72,6 @@ tags:
- ProcessId
- ProcessGuid
- _time
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/office_document_spawned_child_process_to_download.yml b/detections/endpoint/office_document_spawned_child_process_to_download.yml
index 01534f5b1a..53925a8e21 100644
--- a/detections/endpoint/office_document_spawned_child_process_to_download.yml
+++ b/detections/endpoint/office_document_spawned_child_process_to_download.yml
@@ -74,7 +74,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml
index fe08d92687..5636a9d265 100644
--- a/detections/endpoint/office_product_spawn_cmd_process.yml
+++ b/detections/endpoint/office_product_spawn_cmd_process.yml
@@ -91,7 +91,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/office_product_spawning_bitsadmin.yml b/detections/endpoint/office_product_spawning_bitsadmin.yml
index b3e2d4d3ad..80c023da73 100644
--- a/detections/endpoint/office_product_spawning_bitsadmin.yml
+++ b/detections/endpoint/office_product_spawning_bitsadmin.yml
@@ -76,7 +76,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/office_product_spawning_certutil.yml b/detections/endpoint/office_product_spawning_certutil.yml
index 16a928f462..b48cc125c1 100644
--- a/detections/endpoint/office_product_spawning_certutil.yml
+++ b/detections/endpoint/office_product_spawning_certutil.yml
@@ -78,7 +78,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/office_product_spawning_mshta.yml b/detections/endpoint/office_product_spawning_mshta.yml
index 8c0cf83a9b..446f88f6d3 100644
--- a/detections/endpoint/office_product_spawning_mshta.yml
+++ b/detections/endpoint/office_product_spawning_mshta.yml
@@ -77,7 +77,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml
index c2bf3c1353..a6c4e01549 100644
--- a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml
+++ b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml
@@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/office_product_spawning_windows_script_host.yml b/detections/endpoint/office_product_spawning_windows_script_host.yml index 4da6dc2d1f..7f4512b911 100644 --- a/detections/endpoint/office_product_spawning_windows_script_host.yml +++ b/detections/endpoint/office_product_spawning_windows_script_host.yml @@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test @@ -91,4 +90,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/office_product_spawning_wmic.yml b/detections/endpoint/office_product_spawning_wmic.yml index a2fdc495a4..33a16c3607 100644 --- a/detections/endpoint/office_product_spawning_wmic.yml +++ b/detections/endpoint/office_product_spawning_wmic.yml @@ -78,7 +78,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/office_product_writing_cab_or_inf.yml b/detections/endpoint/office_product_writing_cab_or_inf.yml index 0615efc972..2ae0fd1f13 100644 --- a/detections/endpoint/office_product_writing_cab_or_inf.yml +++ b/detections/endpoint/office_product_writing_cab_or_inf.yml @@ -77,7 +77,6 @@ tags: - file_create_time - file_name - file_path - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/office_spawning_control.yml b/detections/endpoint/office_spawning_control.yml index 4e0e9e35d7..07656ba36a 100644 --- a/detections/endpoint/office_spawning_control.yml +++ b/detections/endpoint/office_spawning_control.yml @@ -85,7 +85,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml index 0e8f8fe2c2..5c68aa98a2 100644 --- a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml +++ b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml @@ -72,7 +72,6 @@ tags: - All_Traffic.process_id - All_Traffic.dest - All_Traffic.dest_port - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/overwriting_accessibility_binaries.yml b/detections/endpoint/overwriting_accessibility_binaries.yml index ce700f1d5c..3ee7c774fa 100644 --- a/detections/endpoint/overwriting_accessibility_binaries.yml +++ b/detections/endpoint/overwriting_accessibility_binaries.yml @@ -62,7 +62,6 @@ tags: - Filesystem.file_path - Filesystem.file_name - Filesystem.dest - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml index 3419aa89a2..40af3ebc3d 100644 --- a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml +++ b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml @@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - uri_match - ip_match 
diff --git a/detections/endpoint/password_policy_discovery_with_net.yml b/detections/endpoint/password_policy_discovery_with_net.yml index fee7a23d00..a21cb538b0 100644 --- a/detections/endpoint/password_policy_discovery_with_net.yml +++ b/detections/endpoint/password_policy_discovery_with_net.yml @@ -73,7 +73,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/permission_modification_using_takeown_app.yml b/detections/endpoint/permission_modification_using_takeown_app.yml index 45039ce8d3..e6c8013334 100644 --- a/detections/endpoint/permission_modification_using_takeown_app.yml +++ b/detections/endpoint/permission_modification_using_takeown_app.yml @@ -70,7 +70,6 @@ tags: - Processes.user - Processes.process_id - Processes.process_guid - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/petitpotam_network_share_access_request.yml b/detections/endpoint/petitpotam_network_share_access_request.yml index 2e05e72116..07d8a01ef3 100644 --- a/detections/endpoint/petitpotam_network_share_access_request.yml +++ b/detections/endpoint/petitpotam_network_share_access_request.yml @@ -56,7 +56,6 @@ tags: - src - AccessMask - AccessReason - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml index c8508e737c..158ee6d6dc 100644 --- a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml +++ b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml @@ -55,7 +55,6 @@ tags: - Client_Address - action - Message - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml index a0e7829645..6a11d62012 100644 --- a/detections/endpoint/ping_sleep_batch_command.yml +++ b/detections/endpoint/ping_sleep_batch_command.yml @@ -77,7 +77,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/possible_browser_pass_view_parameter.yml b/detections/endpoint/possible_browser_pass_view_parameter.yml index 8af97a9021..0258d39396 100644 --- a/detections/endpoint/possible_browser_pass_view_parameter.yml +++ b/detections/endpoint/possible_browser_pass_view_parameter.yml @@ -76,7 +76,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 16 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index ffa2ba48c5..ed00f2f198 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -86,7 +86,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/potential_password_in_username.yml b/detections/endpoint/potential_password_in_username.yml index e9ec637a72..af6187adf9 100644 --- a/detections/endpoint/potential_password_in_username.yml +++ b/detections/endpoint/potential_password_in_username.yml @@ -71,7 +71,6 @@ tags: - Authentication.src - Authentication.dest - sourcetype - risk_score: 21 security_domain: access tests: - name: True Positive Test 
diff --git a/detections/endpoint/potentially_malicious_code_on_commandline.yml b/detections/endpoint/potentially_malicious_code_on_commandline.yml index cc2bb36f5b..a521d7bb46 100644 --- a/detections/endpoint/potentially_malicious_code_on_commandline.yml +++ b/detections/endpoint/potentially_malicious_code_on_commandline.yml @@ -73,7 +73,6 @@ tags: - Processes.parent_process - Processes.user - Processes.dest - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml index e02d365720..e9580204c7 100644 --- a/detections/endpoint/powershell_4104_hunting.yml +++ b/detections/endpoint/powershell_4104_hunting.yml @@ -94,7 +94,6 @@ tags: - Computer - UserID - EventCode - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml index 410de1915b..484938d16b 100644 --- a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml +++ b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml @@ -85,7 +85,6 @@ tags: - Processes.user - Processes.parent_process_name - Processes.dest - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml index a0a31fea09..2669da982f 100644 --- a/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml +++ b/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml @@ -57,7 +57,6 @@ tags: - Computer - UserID - EventCode - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test 
@@ -66,4 +65,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/powershell_creating_thread_mutex.yml b/detections/endpoint/powershell_creating_thread_mutex.yml index a8d2094a2c..4185779064 100644 --- a/detections/endpoint/powershell_creating_thread_mutex.yml +++ b/detections/endpoint/powershell_creating_thread_mutex.yml @@ -60,7 +60,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml index 1cf9ea9210..882964dae9 100644 --- a/detections/endpoint/powershell_disable_security_monitoring.yml +++ b/detections/endpoint/powershell_disable_security_monitoring.yml @@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_domain_enumeration.yml b/detections/endpoint/powershell_domain_enumeration.yml index a1aff99a00..c40784a39c 100644 --- a/detections/endpoint/powershell_domain_enumeration.yml +++ b/detections/endpoint/powershell_domain_enumeration.yml @@ -64,7 +64,6 @@ tags: - Computer - UserID - EventCode - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_enable_powershell_remoting.yml b/detections/endpoint/powershell_enable_powershell_remoting.yml index 1fc3db9be9..b716ec303b 100644 --- a/detections/endpoint/powershell_enable_powershell_remoting.yml +++ b/detections/endpoint/powershell_enable_powershell_remoting.yml 
@@ -50,7 +50,6 @@ tags: - EventCode - ScriptBlockText - Computer - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_enable_smb1protocol_feature.yml b/detections/endpoint/powershell_enable_smb1protocol_feature.yml index 21aa4a6bf1..54fea95e1f 100644 --- a/detections/endpoint/powershell_enable_smb1protocol_feature.yml +++ b/detections/endpoint/powershell_enable_smb1protocol_feature.yml @@ -53,7 +53,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_execute_com_object.yml b/detections/endpoint/powershell_execute_com_object.yml index 97984f444a..10a7a1b1a3 100644 --- a/detections/endpoint/powershell_execute_com_object.yml +++ b/detections/endpoint/powershell_execute_com_object.yml @@ -54,7 +54,6 @@ tags: - ScriptBlockText - Computer - EventCode - risk_score: 5 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml index e6c8b33ec8..da64f5ea5d 100644 --- a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml +++ b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml @@ -58,7 +58,6 @@ tags: - Computer - UserID - EventCode - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml index cc9b1ab5e6..8e9d9f733f 100644 --- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml +++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml 
@@ -61,7 +61,6 @@ tags: - Computer - UserID - EventCode - risk_score: 56 security_domain: endpoint asset_type: Endpoint tests: diff --git a/detections/endpoint/powershell_get_localgroup_discovery.yml b/detections/endpoint/powershell_get_localgroup_discovery.yml index 233a46805d..e13fca7bb8 100644 --- a/detections/endpoint/powershell_get_localgroup_discovery.yml +++ b/detections/endpoint/powershell_get_localgroup_discovery.yml @@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml index 549f09229e..81b6592c69 100644 --- a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml +++ b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml @@ -60,7 +60,6 @@ tags: - Computer - UserID - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml index cf32efd7e0..66bd403b06 100644 --- a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml +++ b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml @@ -51,7 +51,6 @@ tags: - EventCode - ScriptBlockText - Computer - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_invoke_wmiexec_usage.yml b/detections/endpoint/powershell_invoke_wmiexec_usage.yml index e7f329da66..859a4b6ec9 100644 --- a/detections/endpoint/powershell_invoke_wmiexec_usage.yml +++ b/detections/endpoint/powershell_invoke_wmiexec_usage.yml 
@@ -48,7 +48,6 @@ tags: - EventCode - ScriptBlockText - Computer - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_load_module_in_meterpreter.yml b/detections/endpoint/powershell_load_module_in_meterpreter.yml index 68dedb6a49..7d2926c864 100644 --- a/detections/endpoint/powershell_load_module_in_meterpreter.yml +++ b/detections/endpoint/powershell_load_module_in_meterpreter.yml @@ -56,7 +56,6 @@ tags: - ScriptBlockText - Computer - User_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test @@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/msf.powershell.powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml index 29948081ed..1e8d7ed54d 100644 --- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml +++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml @@ -67,7 +67,6 @@ tags: - Computer - UserID - EventCode - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml index 6d990382d2..f71d73cd0c 100644 --- a/detections/endpoint/powershell_processing_stream_of_data.yml +++ b/detections/endpoint/powershell_processing_stream_of_data.yml @@ -67,7 +67,6 @@ tags: - Computer - UserID - Score - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/powershell_remote_services_add_trustedhost.yml b/detections/endpoint/powershell_remote_services_add_trustedhost.yml index c8f4b8d880..52221ef6ca 100644 --- a/detections/endpoint/powershell_remote_services_add_trustedhost.yml +++ b/detections/endpoint/powershell_remote_services_add_trustedhost.yml @@ -50,7 +50,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - EventCode diff --git a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml index 292b8a1164..56884b6893 100644 --- a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml +++ b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml @@ -63,7 +63,6 @@ tags: - StartAddress - dest - EventCode - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_remove_windows_defender_directory.yml b/detections/endpoint/powershell_remove_windows_defender_directory.yml index eda9198315..5f44a21bde 100644 --- a/detections/endpoint/powershell_remove_windows_defender_directory.yml +++ b/detections/endpoint/powershell_remove_windows_defender_directory.yml @@ -55,7 +55,6 @@ tags: - Computer - UserID - EventCode - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_script_block_with_url_chain.yml b/detections/endpoint/powershell_script_block_with_url_chain.yml index 66e0a38616..35e59dae87 100644 --- a/detections/endpoint/powershell_script_block_with_url_chain.yml +++ b/detections/endpoint/powershell_script_block_with_url_chain.yml @@ -69,7 +69,6 @@ tags: - ActivityID - Computer - ScriptBlockText - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/powershell_start_bitstransfer.yml b/detections/endpoint/powershell_start_bitstransfer.yml index 43d3b3a09e..d5fc98ee1b 100644 --- a/detections/endpoint/powershell_start_bitstransfer.yml +++ b/detections/endpoint/powershell_start_bitstransfer.yml @@ -75,7 +75,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_start_or_stop_service.yml b/detections/endpoint/powershell_start_or_stop_service.yml index abd5ec0598..57cccf65b8 100644 --- a/detections/endpoint/powershell_start_or_stop_service.yml +++ b/detections/endpoint/powershell_start_or_stop_service.yml @@ -52,7 +52,6 @@ tags: - EventCode - ScriptBlockText - Computer - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_using_memory_as_backing_store.yml b/detections/endpoint/powershell_using_memory_as_backing_store.yml index eb20c93a1b..07b0eb5b86 100644 --- a/detections/endpoint/powershell_using_memory_as_backing_store.yml +++ b/detections/endpoint/powershell_using_memory_as_backing_store.yml @@ -65,7 +65,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_webrequest_using_memory_stream.yml b/detections/endpoint/powershell_webrequest_using_memory_stream.yml index 05b9a8b6cd..823d2e8ffe 100644 --- a/detections/endpoint/powershell_webrequest_using_memory_stream.yml +++ b/detections/endpoint/powershell_webrequest_using_memory_stream.yml @@ -65,7 +65,6 @@ tags: - ActivityID - Computer - ScriptBlockText - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml index b96044cb8f..e9919b97c1 100644 --- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml +++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml @@ -63,7 +63,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml index f88b6c2c0a..576a34d102 100644 --- a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml +++ b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml @@ -71,7 +71,6 @@ tags: - Processes.user - Processes.process_id - Processes.process_guid - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/print_processor_registry_autostart.yml b/detections/endpoint/print_processor_registry_autostart.yml index 489f58f2e0..3580c0cbfc 100644 --- a/detections/endpoint/print_processor_registry_autostart.yml +++ b/detections/endpoint/print_processor_registry_autostart.yml @@ -65,7 +65,6 @@ tags: - Registry.registry_path - Registry.registry_key_name - Registry.registry_value_name - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/print_spooler_adding_a_printer_driver.yml b/detections/endpoint/print_spooler_adding_a_printer_driver.yml index 3952fd8e68..14fe00448b 100644 --- a/detections/endpoint/print_spooler_adding_a_printer_driver.yml +++ b/detections/endpoint/print_spooler_adding_a_printer_driver.yml @@ -56,7 +56,6 @@ tags: - EventCode - ComputerName - Message - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml index 335ac79e6e..b1fa389c15 100644 --- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml +++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml @@ -57,7 +57,6 @@ tags: - EventCode - ComputerName - Message - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml index b5fa6e5d7f..d6cfe87c99 100644 --- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml +++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml @@ -73,7 +73,6 @@ tags: - Filesystem.file_path - Filesystem.file_hash - Filesystem.user - risk_score: 63 security_domain: network tests: - name: True Positive Test diff --git a/detections/endpoint/process_deleting_its_process_file_path.yml b/detections/endpoint/process_deleting_its_process_file_path.yml index afd82714e3..646d736c6a 100644 --- a/detections/endpoint/process_deleting_its_process_file_path.yml +++ b/detections/endpoint/process_deleting_its_process_file_path.yml @@ -74,7 +74,6 @@ tags: - ProcessID - result - _time - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/process_execution_via_wmi.yml b/detections/endpoint/process_execution_via_wmi.yml index 3fe30bde40..b87ede5896 100644 --- a/detections/endpoint/process_execution_via_wmi.yml +++ b/detections/endpoint/process_execution_via_wmi.yml @@ -67,7 +67,6 @@ tags: - Processes.user - Processes.dest - Processes.process_name - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test 
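Review bot: In the `process_creating_lnk_file_in_suspicious_location.yml` hunk the retained context line `security_domain: network` looks inconsistent with the rest of that file: it lives under `detections/endpoint/`, its required fields are `Filesystem.*` datamodel fields, and every neighbouring endpoint detection in this series carries `security_domain: endpoint`. If the network domain is not deliberate, `security_domain: endpoint` is the value the filing and fields suggest. This sits on a context line rather than the removed `risk_score` line, so it is a follow-up to the stanza this commit is already touching rather than a blocker.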
diff --git a/detections/endpoint/process_kill_base_on_file_path.yml b/detections/endpoint/process_kill_base_on_file_path.yml index 21e767e52b..d583224114 100644 --- a/detections/endpoint/process_kill_base_on_file_path.yml +++ b/detections/endpoint/process_kill_base_on_file_path.yml @@ -73,7 +73,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/process_writing_dynamicwrapperx.yml b/detections/endpoint/process_writing_dynamicwrapperx.yml index 67f8b817d5..dadce3cd5e 100644 --- a/detections/endpoint/process_writing_dynamicwrapperx.yml +++ b/detections/endpoint/process_writing_dynamicwrapperx.yml @@ -77,7 +77,6 @@ tags: - file_name - file_path - file_create_time user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/processes_launching_netsh.yml b/detections/endpoint/processes_launching_netsh.yml index 863babfa24..5bb2d775df 100644 --- a/detections/endpoint/processes_launching_netsh.yml +++ b/detections/endpoint/processes_launching_netsh.yml @@ -75,7 +75,6 @@ tags: - Processes.process_name - Processes.user - Processes.dest - risk_score: 14 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/processes_tapping_keyboard_events.yml b/detections/endpoint/processes_tapping_keyboard_events.yml index 99652a9203..00f03e7186 100644 --- a/detections/endpoint/processes_tapping_keyboard_events.yml +++ b/detections/endpoint/processes_tapping_keyboard_events.yml @@ -52,5 +52,4 @@ tags: - columns.name - columns.pid - host - risk_score: 25 security_domain: threat diff --git a/detections/endpoint/randomly_generated_scheduled_task_name.yml b/detections/endpoint/randomly_generated_scheduled_task_name.yml index ecb46d821e..357a81e0d4 100644 --- a/detections/endpoint/randomly_generated_scheduled_task_name.yml 
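Review bot: In the `process_writing_dynamicwrapperx.yml` hunk the retained context line `- file_create_time user` under `required_fields` does not read as a valid field name; it looks like `user` lost its own `- ` list marker and was folded into the previous plain scalar, so the list would contain the single entry `file_create_time user` instead of `file_create_time` and `user`. The collapsed rendering of this page makes the exact line layout uncertain, so please confirm against the file. If confirmed, the fix is to split it into `- file_create_time` followed by `- user`. This defect predates the commit, but it sits in the same `required_fields` stanza the hunk edits.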
+++ b/detections/endpoint/randomly_generated_scheduled_task_name.yml @@ -53,5 +53,4 @@ tags: - Task_Name - Description - Command - risk_score: 45 security_domain: endpoint diff --git a/detections/endpoint/randomly_generated_windows_service_name.yml b/detections/endpoint/randomly_generated_windows_service_name.yml index 386eae5efc..6e5b57e721 100644 --- a/detections/endpoint/randomly_generated_windows_service_name.yml +++ b/detections/endpoint/randomly_generated_windows_service_name.yml @@ -51,5 +51,4 @@ tags: - Service_Type - Service_Name - Service_Start_Type - risk_score: 45 security_domain: endpoint diff --git a/detections/endpoint/ransomware_notes_bulk_creation.yml b/detections/endpoint/ransomware_notes_bulk_creation.yml index 662f35efe9..dc1a9e35fd 100644 --- a/detections/endpoint/ransomware_notes_bulk_creation.yml +++ b/detections/endpoint/ransomware_notes_bulk_creation.yml @@ -59,7 +59,6 @@ tags: - dest - Image - user - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml index a4eec16c81..141b5f62f0 100644 --- a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml +++ b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml @@ -66,7 +66,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml index 212af33b5a..b261e09b05 100644 --- a/detections/endpoint/recon_using_wmi_class.yml +++ b/detections/endpoint/recon_using_wmi_class.yml @@ -73,7 +73,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml index d54e914328..688c84d832 100644 --- a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml +++ b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml @@ -68,7 +68,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml index 4a899f456e..5d6caa93d0 100644 --- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml +++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml @@ -70,7 +70,6 @@ tags: - Processes.process - Processes.process_id - Processes.dest - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml index 8fcb18edc5..968b8dddf4 100644 --- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml +++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml @@ -63,7 +63,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index c1bfa0cf48..c72980c915 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml 
@@ -103,7 +103,6 @@ tags: - Registry.registry_path - Registry.dest - Registry.user - risk_score: 76 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml index f040e11561..db8f0588d9 100644 --- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml +++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml @@ -68,7 +68,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 76 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml index ce1d72e2d6..beab997f6d 100644 --- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml +++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml @@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml index 494b6839b9..4ed0ce5fc5 100644 --- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml +++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml @@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remcos_client_registry_install_entry.yml b/detections/endpoint/remcos_client_registry_install_entry.yml index 284c4f7e56..94de2277f9 100644 --- a/detections/endpoint/remcos_client_registry_install_entry.yml 
+++ b/detections/endpoint/remcos_client_registry_install_entry.yml @@ -73,7 +73,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml index ad7ea90bde..f1f9d703a0 100644 --- a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml +++ b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml @@ -51,7 +51,6 @@ tags: - file_create_time - file_name - file_path - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_desktop_process_running_on_system.yml b/detections/endpoint/remote_desktop_process_running_on_system.yml index 0811121698..9678f3ec79 100644 --- a/detections/endpoint/remote_desktop_process_running_on_system.yml +++ b/detections/endpoint/remote_desktop_process_running_on_system.yml @@ -63,5 +63,4 @@ tags: - Processes.dest_category - Processes.dest - Processes.user - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml index 14db3eb4de..7b993c60d9 100644 --- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml @@ -71,7 +71,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml index 555aea074b..597498d946 100644 
--- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml +++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml @@ -53,7 +53,6 @@ tags: - ScriptBlockText - Computer - user_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml index ee7a0dbcfc..11b4016637 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml @@ -71,7 +71,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml index 1feea35a2e..8a5d23c8e7 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml @@ -56,7 +56,6 @@ tags: - Computer - UserID - EventCode - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml index 28bf4680c7..f883a09820 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml @@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi.yml b/detections/endpoint/remote_process_instantiation_via_wmi.yml index f2a87b8c6a..6804a1562c 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi.yml @@ -77,7 +77,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml index ca63658762..684063ea3a 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml @@ -69,7 +69,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml index 110e6db09a..f575f0947b 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml @@ -55,7 +55,6 @@ tags: - Message - Computer - UserID - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml index 5887b1fb3b..bfb3eca4fa 100644 --- a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml +++ b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml 
@@ -51,7 +51,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_system_discovery_with_dsquery.yml b/detections/endpoint/remote_system_discovery_with_dsquery.yml index 6c05bd96af..44b5cd6286 100644 --- a/detections/endpoint/remote_system_discovery_with_dsquery.yml +++ b/detections/endpoint/remote_system_discovery_with_dsquery.yml @@ -66,7 +66,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_system_discovery_with_net.yml b/detections/endpoint/remote_system_discovery_with_net.yml index fe77a7dcf4..edf519f413 100644 --- a/detections/endpoint/remote_system_discovery_with_net.yml +++ b/detections/endpoint/remote_system_discovery_with_net.yml @@ -68,7 +68,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_system_discovery_with_wmic.yml b/detections/endpoint/remote_system_discovery_with_wmic.yml index 6f0debeedd..6bae27d884 100644 --- a/detections/endpoint/remote_system_discovery_with_wmic.yml +++ b/detections/endpoint/remote_system_discovery_with_wmic.yml @@ -67,7 +67,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_wmi_command_attempt.yml b/detections/endpoint/remote_wmi_command_attempt.yml index ad4cc1dc12..d009ba16b7 100644 --- a/detections/endpoint/remote_wmi_command_attempt.yml +++ b/detections/endpoint/remote_wmi_command_attempt.yml 
@@ -73,7 +73,6 @@ tags: - Processes.parent_process - Processes.parent_process_id - Processes.process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/resize_shadowstorage_volume.yml b/detections/endpoint/resize_shadowstorage_volume.yml index 07215402da..edb4adbcf7 100644 --- a/detections/endpoint/resize_shadowstorage_volume.yml +++ b/detections/endpoint/resize_shadowstorage_volume.yml @@ -75,7 +75,6 @@ tags: - Processes.parent_process - Processes.dest - Processes.user - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/revil_common_exec_parameter.yml b/detections/endpoint/revil_common_exec_parameter.yml index 0c6bc248ad..ddbca1619d 100644 --- a/detections/endpoint/revil_common_exec_parameter.yml +++ b/detections/endpoint/revil_common_exec_parameter.yml @@ -72,7 +72,6 @@ tags: - Processes.user - Processes.process_id - Processes.process_guid - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/revil_registry_entry.yml b/detections/endpoint/revil_registry_entry.yml index 21ccf24d35..f66c848af8 100644 --- a/detections/endpoint/revil_registry_entry.yml +++ b/detections/endpoint/revil_registry_entry.yml @@ -88,7 +88,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/rubeus_command_line_parameters.yml b/detections/endpoint/rubeus_command_line_parameters.yml index 73c9ac3726..39575aefde 100644 --- a/detections/endpoint/rubeus_command_line_parameters.yml +++ b/detections/endpoint/rubeus_command_line_parameters.yml @@ -86,7 +86,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml index 9f2a73434f..85bc6a1382 100644 --- a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml +++ b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml @@ -66,7 +66,6 @@ tags: - TargetProcessId - SourceImage - SourceProcessId - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/runas_execution_in_commandline.yml b/detections/endpoint/runas_execution_in_commandline.yml index 59fcb501df..d8ac914651 100644 --- a/detections/endpoint/runas_execution_in_commandline.yml +++ b/detections/endpoint/runas_execution_in_commandline.yml @@ -68,7 +68,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/rundll32_control_rundll_hunt.yml b/detections/endpoint/rundll32_control_rundll_hunt.yml index d5b4d68298..8cc369ed73 100644 --- a/detections/endpoint/rundll32_control_rundll_hunt.yml +++ b/detections/endpoint/rundll32_control_rundll_hunt.yml @@ -89,7 +89,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml index 10726ecac2..fe23d81ea8 100644 --- a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml +++ b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml @@ -90,7 +90,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml index cfc70b8712..3a99f544b5 100644 --- a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml +++ b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml @@ -58,7 +58,6 @@ tags: - StartAddress - EventCode - dest - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/rundll32_createremotethread_in_browser.yml b/detections/endpoint/rundll32_createremotethread_in_browser.yml index dd4d0665e3..af0fd40025 100644 --- a/detections/endpoint/rundll32_createremotethread_in_browser.yml +++ b/detections/endpoint/rundll32_createremotethread_in_browser.yml @@ -60,7 +60,6 @@ tags: - StartAddress - EventCode - dest - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/rundll32_dnsquery.yml b/detections/endpoint/rundll32_dnsquery.yml index e0b2bb34a2..299e4444bd 100644 --- a/detections/endpoint/rundll32_dnsquery.yml +++ b/detections/endpoint/rundll32_dnsquery.yml @@ -59,7 +59,6 @@ tags: - QueryStatus - ProcessId - dest - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/rundll32_lockworkstation.yml b/detections/endpoint/rundll32_lockworkstation.yml index a4330ce22e..e8c2b15558 100644 --- a/detections/endpoint/rundll32_lockworkstation.yml +++ b/detections/endpoint/rundll32_lockworkstation.yml @@ -67,7 +67,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml index 57f71e63ee..2f36dc6d0b 100644 --- a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml 
+++ b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml @@ -56,7 +56,6 @@ tags: - process_guid - dest - user_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/rundll32_shimcache_flush.yml b/detections/endpoint/rundll32_shimcache_flush.yml index 205e9c912e..4e9521bcda 100644 --- a/detections/endpoint/rundll32_shimcache_flush.yml +++ b/detections/endpoint/rundll32_shimcache_flush.yml @@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml index f1fe25961f..c2de5067ed 100644 --- a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml @@ -84,7 +84,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/rundll_loading_dll_by_ordinal.yml b/detections/endpoint/rundll_loading_dll_by_ordinal.yml index d74d961b49..9a4bbf7367 100644 --- a/detections/endpoint/rundll_loading_dll_by_ordinal.yml +++ b/detections/endpoint/rundll_loading_dll_by_ordinal.yml @@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/ryuk_test_files_detected.yml b/detections/endpoint/ryuk_test_files_detected.yml index 1d514bba77..068d55576f 100644 --- a/detections/endpoint/ryuk_test_files_detected.yml +++ b/detections/endpoint/ryuk_test_files_detected.yml 
@@ -53,7 +53,6 @@ tags: - Filesystem.file_path - Filesystem.dest - Filesystem.user - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml index 5b33f29853..737a414fdc 100644 --- a/detections/endpoint/ryuk_wake_on_lan_command.yml +++ b/detections/endpoint/ryuk_wake_on_lan_command.yml @@ -71,7 +71,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/sam_database_file_access_attempt.yml b/detections/endpoint/sam_database_file_access_attempt.yml index 5f3e2f16c2..417cb102f2 100644 --- a/detections/endpoint/sam_database_file_access_attempt.yml +++ b/detections/endpoint/sam_database_file_access_attempt.yml @@ -74,7 +74,6 @@ tags: - Object_Name - dest - user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/samsam_test_file_write.yml b/detections/endpoint/samsam_test_file_write.yml index f530b5add9..2840ab3587 100644 --- a/detections/endpoint/samsam_test_file_write.yml +++ b/detections/endpoint/samsam_test_file_write.yml @@ -54,7 +54,6 @@ tags: - Filesystem.dest - Filesystem.file_name - Filesystem.file_path - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/endpoint/sc_exe_manipulating_windows_services.yml index 38342ca70c..961fe9bfbf 100644 --- a/detections/endpoint/sc_exe_manipulating_windows_services.yml +++ b/detections/endpoint/sc_exe_manipulating_windows_services.yml @@ -75,7 +75,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml index 3f1fd31caf..24f5ad2341 100644 --- a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml +++ b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml @@ -56,7 +56,6 @@ tags: - process_id - process_name - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/schedule_task_with_http_command_arguments.yml b/detections/endpoint/schedule_task_with_http_command_arguments.yml index aaded3e025..7b2bed1cbc 100644 --- a/detections/endpoint/schedule_task_with_http_command_arguments.yml +++ b/detections/endpoint/schedule_task_with_http_command_arguments.yml @@ -56,7 +56,6 @@ tags: - Enabled - Hidden - Arguments - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml index a399bddb7a..b48d4cdf90 100644 --- a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml +++ b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml @@ -58,7 +58,6 @@ tags: - Enabled - Hidden - Arguments - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml index 37493db23d..73b8cccfbf 100644 --- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml +++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml @@ -71,7 +71,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index d54251bb8d..054f2eca54 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -93,7 +93,6 @@ tags: - Processes.user - Processes.parent_process_name - Processes.dest - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml index f33cbf68fa..d40d3bb21b 100644 --- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml @@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml index cb789f9f01..ca5217746b 100644 --- a/detections/endpoint/schtasks_run_task_on_demand.yml +++ b/detections/endpoint/schtasks_run_task_on_demand.yml @@ -74,7 +74,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml index 3c4010fe40..723d47dc3a 100644 --- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml +++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml @@ -77,7 +77,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml index d1920c9677..2267e641bf 100644 --- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml +++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml @@ -69,7 +69,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/screensaver_event_trigger_execution.yml b/detections/endpoint/screensaver_event_trigger_execution.yml index 2def2d3f72..14d44605a4 100644 --- a/detections/endpoint/screensaver_event_trigger_execution.yml +++ b/detections/endpoint/screensaver_event_trigger_execution.yml @@ -65,7 +65,6 @@ tags: - Registry.registry_path - Registry.registry_key_name - Registry.registry_value_name - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/script_execution_via_wmi.yml b/detections/endpoint/script_execution_via_wmi.yml index 7fc4cc0b69..5b1a003ab8 100644 --- a/detections/endpoint/script_execution_via_wmi.yml +++ b/detections/endpoint/script_execution_via_wmi.yml @@ -56,7 +56,6 @@ tags: - Processes.process_name - Processes.user - Processes.dest - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/sdclt_uac_bypass.yml b/detections/endpoint/sdclt_uac_bypass.yml index 01964f6054..b3308ecbbc 100644 --- a/detections/endpoint/sdclt_uac_bypass.yml +++ b/detections/endpoint/sdclt_uac_bypass.yml @@ -84,7 +84,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/sdelete_application_execution.yml b/detections/endpoint/sdelete_application_execution.yml index 9cdfa0fa42..b7fa53576a 100644 
--- a/detections/endpoint/sdelete_application_execution.yml +++ b/detections/endpoint/sdelete_application_execution.yml @@ -73,7 +73,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml index 7b62a8a795..3bd60ecc9d 100644 --- a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml +++ b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml @@ -69,7 +69,6 @@ tags: - parent_process_name - dest_port - process_path - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml index 2ab87de25b..0996a0bf40 100644 --- a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml +++ b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml @@ -73,7 +73,6 @@ tags: - Processes.user - Processes.process_id - Processes.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml index 95cce99f66..0bc9794226 100644 --- a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml +++ b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml @@ -70,7 +70,6 @@ tags: - Computer - UserID - EventCode - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml index f69973f58e..27b62c8fea 100644 
--- a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml +++ b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml @@ -90,7 +90,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/services_escalate_exe.yml b/detections/endpoint/services_escalate_exe.yml index 5ff12df1af..847e2cb1bf 100644 --- a/detections/endpoint/services_escalate_exe.yml +++ b/detections/endpoint/services_escalate_exe.yml @@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 76 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/services_lolbas_execution_process_spawn.yml b/detections/endpoint/services_lolbas_execution_process_spawn.yml index e1402493f6..56984faac6 100644 --- a/detections/endpoint/services_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/services_lolbas_execution_process_spawn.yml @@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml index 1fed0f08be..369e3b4c09 100644 --- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml +++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml @@ -91,7 +91,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/shim_database_file_creation.yml b/detections/endpoint/shim_database_file_creation.yml index b9507ba4ae..a1f48f4f13 100644 --- a/detections/endpoint/shim_database_file_creation.yml +++ b/detections/endpoint/shim_database_file_creation.yml @@ -56,7 +56,6 @@ tags: - Filesystem.file_path - Filesystem.file_name - Filesystem.dest - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml index 44ae46e3bf..2c391c314a 100644 --- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml +++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml @@ -63,7 +63,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/short_lived_scheduled_task.yml b/detections/endpoint/short_lived_scheduled_task.yml index 59415847fe..84dee8bc4d 100644 --- a/detections/endpoint/short_lived_scheduled_task.yml +++ b/detections/endpoint/short_lived_scheduled_task.yml @@ -58,7 +58,6 @@ tags: - Task_Name - Description - Command - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/short_lived_windows_accounts.yml b/detections/endpoint/short_lived_windows_accounts.yml index 211e0ef1ec..7af1799761 100644 --- a/detections/endpoint/short_lived_windows_accounts.yml +++ b/detections/endpoint/short_lived_windows_accounts.yml @@ -51,7 +51,6 @@ tags: - All_Changes.result_id - All_Changes.user - All_Changes.dest - risk_score: 63 security_domain: access tests: - name: True Positive Test 
@@ -60,12 +59,10 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - update_timestamp: true - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log source: WinEventLog:System sourcetype: WinEventLog - update_timestamp: true - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/silentcleanup_uac_bypass.yml b/detections/endpoint/silentcleanup_uac_bypass.yml index d6d7e2066d..62a4a9513c 100644 --- a/detections/endpoint/silentcleanup_uac_bypass.yml +++ b/detections/endpoint/silentcleanup_uac_bypass.yml @@ -83,7 +83,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/single_letter_process_on_endpoint.yml b/detections/endpoint/single_letter_process_on_endpoint.yml index bf6039c9e6..b7ace5c1c1 100644 --- a/detections/endpoint/single_letter_process_on_endpoint.yml +++ b/detections/endpoint/single_letter_process_on_endpoint.yml @@ -59,7 +59,6 @@ tags: - Processes.user - Processes.process - Processes.process_name - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml index 9067232703..dfb88a2367 100644 --- a/detections/endpoint/slui_runas_elevated.yml +++ b/detections/endpoint/slui_runas_elevated.yml @@ -74,7 +74,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test 
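Review bot: Removing `update_timestamp: true` from two of the attack_data entries in short_lived_windows_accounts.yml changes how the replayed windows-security.log and windows-system.log are ingested if the test harness still honours that flag; with original event timestamps, a search bounded to a recent time window can return nothing and the True Positive Test passes or fails for the wrong reason. The same deletion appears later in suspicious_computer_account_name_change.yml, suspicious_msbuild_path.yml, suspicious_msbuild_rename.yml, suspicious_msbuild_spawn.yml and suspicious_mshta_child_process.yml. If the field has been dropped from the test schema, a one-line mention in the commit message would let reviewers skip this check; otherwise the affected tests should be rerun against the replayed data. The `tests:` block starts before this hunk and the third data entry's trailing lines fall after it.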
diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml index 8ae1396e04..f07ae1406a 100644 --- a/detections/endpoint/slui_spawning_a_process.yml +++ b/detections/endpoint/slui_spawning_a_process.yml @@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/spike_in_file_writes.yml b/detections/endpoint/spike_in_file_writes.yml index b7c38733cb..529c0dbf4c 100644 --- a/detections/endpoint/spike_in_file_writes.yml +++ b/detections/endpoint/spike_in_file_writes.yml @@ -53,5 +53,4 @@ tags: - _time - Filesystem.action - Filesystem.dest - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/spoolsv_spawning_rundll32.yml b/detections/endpoint/spoolsv_spawning_rundll32.yml index 3fb7053870..3179b6f007 100644 --- a/detections/endpoint/spoolsv_spawning_rundll32.yml +++ b/detections/endpoint/spoolsv_spawning_rundll32.yml @@ -78,7 +78,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml index 7e743e28c8..256f633bbf 100644 --- a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml +++ b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml @@ -53,7 +53,6 @@ tags: - dest - EventCode - ImageLoaded - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/spoolsv_suspicious_process_access.yml b/detections/endpoint/spoolsv_suspicious_process_access.yml index bed8fff9a4..e1ad585315 100644 --- a/detections/endpoint/spoolsv_suspicious_process_access.yml +++ b/detections/endpoint/spoolsv_suspicious_process_access.yml 
@@ -66,7 +66,6 @@ tags: - GrantedAccess - CallTrace - EventCode - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/spoolsv_writing_a_dll.yml b/detections/endpoint/spoolsv_writing_a_dll.yml index 476e83b162..6f3e6c0f0c 100644 --- a/detections/endpoint/spoolsv_writing_a_dll.yml +++ b/detections/endpoint/spoolsv_writing_a_dll.yml @@ -73,7 +73,6 @@ tags: - Processes.process_id - Processes.process_name - Processes.dest - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml index e65673de82..4df8a70f29 100644 --- a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml +++ b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml @@ -67,7 +67,6 @@ tags: - file_path - file_name - TargetFilename - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/sqlite_module_in_temp_folder.yml b/detections/endpoint/sqlite_module_in_temp_folder.yml index dc4abc1eed..2ae11aaf9d 100644 --- a/detections/endpoint/sqlite_module_in_temp_folder.yml +++ b/detections/endpoint/sqlite_module_in_temp_folder.yml @@ -55,7 +55,6 @@ tags: - EventCode - ProcessId - Image - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml index 05f3834ed9..bc5425735a 100644 --- a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml +++ b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml @@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 required_fields: - All_Risk.analyticstories - All_Risk.risk_object_type 
diff --git a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml index 227e15f570..405b62ebda 100644 --- a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml +++ b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml @@ -51,5 +51,4 @@ tags: - EventCode - ImageLoaded - QueryName - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/suspicious_computer_account_name_change.yml b/detections/endpoint/suspicious_computer_account_name_change.yml index 84d32e4c57..88839bd7f6 100644 --- a/detections/endpoint/suspicious_computer_account_name_change.yml +++ b/detections/endpoint/suspicious_computer_account_name_change.yml @@ -60,7 +60,6 @@ tags: - Caller_User_Name - OldTargetUserName - NewTargetUserName - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test @@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml index 0bf17e0415..ab752da475 100644 --- a/detections/endpoint/suspicious_copy_on_system32.yml +++ b/detections/endpoint/suspicious_copy_on_system32.yml @@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_curl_network_connection.yml b/detections/endpoint/suspicious_curl_network_connection.yml index bb7ade140e..4d7b3d1802 100644 --- a/detections/endpoint/suspicious_curl_network_connection.yml +++ b/detections/endpoint/suspicious_curl_network_connection.yml 
@@ -69,5 +69,4 @@ tags: - Processes.parent_process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml index b8135a973c..c4452eb704 100644 --- a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml @@ -74,7 +74,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_driver_loaded_path.yml b/detections/endpoint/suspicious_driver_loaded_path.yml index 0b866e2df3..fd09f7789e 100644 --- a/detections/endpoint/suspicious_driver_loaded_path.yml +++ b/detections/endpoint/suspicious_driver_loaded_path.yml @@ -63,7 +63,6 @@ tags: - IMPHASH - Signature - Signed - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_event_log_service_behavior.yml b/detections/endpoint/suspicious_event_log_service_behavior.yml index 28ca08176e..e5ba788306 100644 --- a/detections/endpoint/suspicious_event_log_service_behavior.yml +++ b/detections/endpoint/suspicious_event_log_service_behavior.yml @@ -51,7 +51,6 @@ tags: - _time - EventCode - dest - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml index e65674f175..7ee70252ea 100644 --- a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml 
@@ -74,7 +74,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml index 2d5cb01f68..29941f1da7 100644 --- a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml +++ b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml @@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml index fe52632afb..235b1d0319 100644 --- a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml @@ -65,7 +65,6 @@ tags: - process_name - process_path - process - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml index e1a1d54d94..1525d671f2 100644 --- a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml +++ b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml @@ -61,7 +61,6 @@ tags: - Account_Name - Client_Address - Failure_Code - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_linux_discovery_commands.yml b/detections/endpoint/suspicious_linux_discovery_commands.yml index c71814a399..5ec4f52a74 100644 --- a/detections/endpoint/suspicious_linux_discovery_commands.yml +++ b/detections/endpoint/suspicious_linux_discovery_commands.yml 
@@ -66,7 +66,6 @@ tags: - Processes.parent_process_name - Processes.user - Processes.process_name - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml index 31643cf1fe..4140f1592f 100644 --- a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml +++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml @@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml index efc1b7bd41..4ac56e580c 100644 --- a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml +++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml @@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_msbuild_path.yml b/detections/endpoint/suspicious_msbuild_path.yml index cbf33a061c..0381ccf5ab 100644 --- a/detections/endpoint/suspicious_msbuild_path.yml +++ b/detections/endpoint/suspicious_msbuild_path.yml @@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test @@ -90,4 +89,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true 
diff --git a/detections/endpoint/suspicious_msbuild_rename.yml b/detections/endpoint/suspicious_msbuild_rename.yml index 3151e43ca5..233030b0b4 100644 --- a/detections/endpoint/suspicious_msbuild_rename.yml +++ b/detections/endpoint/suspicious_msbuild_rename.yml @@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test @@ -90,4 +89,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/suspicious_msbuild_spawn.yml b/detections/endpoint/suspicious_msbuild_spawn.yml index b5f7878d19..efbbdc2cfb 100644 --- a/detections/endpoint/suspicious_msbuild_spawn.yml +++ b/detections/endpoint/suspicious_msbuild_spawn.yml @@ -74,7 +74,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test @@ -83,4 +82,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml index c392117799..0f2cde2c76 100644 --- a/detections/endpoint/suspicious_mshta_child_process.yml +++ b/detections/endpoint/suspicious_mshta_child_process.yml @@ -77,7 +77,6 @@ tags: - Processes.dest - Processes.parent_process - Processes.user - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test 
@@ -86,4 +85,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/suspicious_mshta_spawn.yml b/detections/endpoint/suspicious_mshta_spawn.yml index 4bcdb845fa..57b5a9eb95 100644 --- a/detections/endpoint/suspicious_mshta_spawn.yml +++ b/detections/endpoint/suspicious_mshta_spawn.yml @@ -71,7 +71,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_plistbuddy_usage.yml b/detections/endpoint/suspicious_plistbuddy_usage.yml index 096d7654b2..282062dab8 100644 --- a/detections/endpoint/suspicious_plistbuddy_usage.yml +++ b/detections/endpoint/suspicious_plistbuddy_usage.yml @@ -69,5 +69,4 @@ tags: - Processes.parent_process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml b/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml index 8fdbbf11ed..4805de46f3 100644 --- a/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml +++ b/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml @@ -46,5 +46,4 @@ tags: required_fields: - _time - columns.cmdline - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml index a743b438b9..def4e38496 100644 --- a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml 
@@ -64,7 +64,6 @@ tags: - process_name - QueryResults - dest - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_process_executed_from_container_file.yml b/detections/endpoint/suspicious_process_executed_from_container_file.yml index 2b223dad30..5ccda7c372 100644 --- a/detections/endpoint/suspicious_process_executed_from_container_file.yml +++ b/detections/endpoint/suspicious_process_executed_from_container_file.yml @@ -73,7 +73,6 @@ tags: - Processes.parent_process - Processes.process - Processes.user - risk_score: 16 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml index 980e515d27..4158f45b75 100644 --- a/detections/endpoint/suspicious_process_file_path.yml +++ b/detections/endpoint/suspicious_process_file_path.yml @@ -109,7 +109,6 @@ tags: - Processes.process_path - Processes.dest - Processes.user - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_process_with_discord_dns_query.yml b/detections/endpoint/suspicious_process_with_discord_dns_query.yml index a307238a63..7539217685 100644 --- a/detections/endpoint/suspicious_process_with_discord_dns_query.yml +++ b/detections/endpoint/suspicious_process_with_discord_dns_query.yml @@ -59,7 +59,6 @@ tags: - process_name - QueryResults - dest - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_reg_exe_process.yml b/detections/endpoint/suspicious_reg_exe_process.yml index f93da73ead..d3ceefb6f5 100644 --- a/detections/endpoint/suspicious_reg_exe_process.yml +++ b/detections/endpoint/suspicious_reg_exe_process.yml @@ -84,7 +84,6 @@ tags: - Processes.dest - Processes.process_id - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml index 97f7dd0d06..114e2284ce 100644 --- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml +++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml @@ -90,7 +90,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml index 032ddb8847..24d8f31c9d 100644 --- a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml +++ b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml @@ -89,7 +89,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml index 2e6f02d75c..f46c48bf36 100644 --- a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml @@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_rundll32_plugininit.yml b/detections/endpoint/suspicious_rundll32_plugininit.yml index 5aead75ded..3020de1735 100644 --- a/detections/endpoint/suspicious_rundll32_plugininit.yml +++ b/detections/endpoint/suspicious_rundll32_plugininit.yml 
@@ -71,7 +71,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml index 51d99dfeca..8e6d5904fd 100644 --- a/detections/endpoint/suspicious_rundll32_startw.yml +++ b/detections/endpoint/suspicious_rundll32_startw.yml @@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 46b3ca408b..7ae7bdd334 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -80,7 +80,6 @@ tags: - Processes.process_name - Processes.process_id - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml index 22de13f058..116ff48c85 100644 --- a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml @@ -74,7 +74,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml index d5317a10ef..617bad5ac5 100644 --- a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml 
+++ b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml @@ -67,5 +67,4 @@ tags: - Processes.parent_process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml index db115afd9d..f9f2aee92d 100644 --- a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml +++ b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml @@ -60,7 +60,6 @@ tags: - New_Account_Name - Account_Name - ComputerName - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml index c760f75277..ebd25270d9 100644 --- a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml @@ -68,7 +68,6 @@ tags: - process_name - process_path - process - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_wevtutil_usage.yml b/detections/endpoint/suspicious_wevtutil_usage.yml index 1206f7b71a..969c8984f2 100644 --- a/detections/endpoint/suspicious_wevtutil_usage.yml +++ b/detections/endpoint/suspicious_wevtutil_usage.yml @@ -72,7 +72,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml index a7eaa48cd9..476a9170cf 100644 --- a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml +++ b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml 
@@ -59,7 +59,6 @@ tags: - Processes.parent_process_name - Processes.process_id - Processes.dest - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml index 233f1b41a3..b96f241ee2 100644 --- a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml @@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml index 6ac1bc2106..bba37b4aa4 100644 --- a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml +++ b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml @@ -71,7 +71,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index d2fcf549d3..1fd5392009 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml @@ -66,7 +66,6 @@ tags: - Processes.user - Processes.process_name - Processes.dest - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml index a9c8c5d032..321a90ee1f 100644 --- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml 
+++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml @@ -76,7 +76,6 @@ tags: - Processes.process_id - Processes.parent_process_name - Processes.process_hash - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/system_user_discovery_with_query.yml b/detections/endpoint/system_user_discovery_with_query.yml index 14ae5099f4..fbd9da0afd 100644 --- a/detections/endpoint/system_user_discovery_with_query.yml +++ b/detections/endpoint/system_user_discovery_with_query.yml @@ -65,7 +65,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml index 23ac3bf748..4ed22d0921 100644 --- a/detections/endpoint/system_user_discovery_with_whoami.yml +++ b/detections/endpoint/system_user_discovery_with_whoami.yml @@ -69,7 +69,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml index 08637f9b05..d78b29ae45 100644 --- a/detections/endpoint/time_provider_persistence_registry.yml +++ b/detections/endpoint/time_provider_persistence_registry.yml @@ -65,7 +65,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/trickbot_named_pipe.yml b/detections/endpoint/trickbot_named_pipe.yml index 927054df22..61067bb843 100644 --- a/detections/endpoint/trickbot_named_pipe.yml +++ b/detections/endpoint/trickbot_named_pipe.yml 
@@ -57,7 +57,6 @@ tags: - signature - Image - process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml
index 92ba9a187a..4b3fc1b8e0 100644
--- a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml
+++ b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml
@@ -59,7 +59,6 @@ tags: - dest - EventCode - Company - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/uac_bypass_with_colorui_com_object.yml b/detections/endpoint/uac_bypass_with_colorui_com_object.yml
index 4969619c08..aef40b4640 100644
--- a/detections/endpoint/uac_bypass_with_colorui_com_object.yml
+++ b/detections/endpoint/uac_bypass_with_colorui_com_object.yml
@@ -60,7 +60,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/uninstall_app_using_msiexec.yml b/detections/endpoint/uninstall_app_using_msiexec.yml
index 9477ed70f1..0a5969cf53 100644
--- a/detections/endpoint/uninstall_app_using_msiexec.yml
+++ b/detections/endpoint/uninstall_app_using_msiexec.yml
@@ -68,7 +68,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
index edc7472aa2..de8b445eda 100644
--- a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
+++ b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
@@ -67,7 +67,6 @@ tags: - Processes.process_path - Processes.process - Processes.parent_process_name - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/unload_sysmon_filter_driver.yml b/detections/endpoint/unload_sysmon_filter_driver.yml
index c3d901f658..e5cf4b0e0d 100644
--- a/detections/endpoint/unload_sysmon_filter_driver.yml
+++ b/detections/endpoint/unload_sysmon_filter_driver.yml
@@ -63,7 +63,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/unloading_amsi_via_reflection.yml b/detections/endpoint/unloading_amsi_via_reflection.yml
index a96829949e..b5123f65cb 100644
--- a/detections/endpoint/unloading_amsi_via_reflection.yml
+++ b/detections/endpoint/unloading_amsi_via_reflection.yml
@@ -58,7 +58,6 @@ tags: - Computer - UserID - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml
index 4f9f960d7e..102a4468f3 100644
--- a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml
+++ b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml
@@ -58,5 +58,4 @@ tags: - dest - service - service_id - risk_score: 42 security_domain: endpoint
diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
index 066ee5a7f2..5270ec1b7d 100644
--- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
+++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
@@ -58,7 +58,6 @@ tags: - Service_Name - service_id - Client_Address - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml
index 1d25cdb3b5..5ce87b9f9d 100644
--- a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml
+++ b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml
@@ -57,5 +57,4 @@ tags: - Security_ID - Account_Name - ComputerName - risk_score: 42 security_domain: endpoint
diff --git a/detections/endpoint/unusually_long_command_line.yml b/detections/endpoint/unusually_long_command_line.yml
index 6db35490b6..90fcea1dcb 100644
--- a/detections/endpoint/unusually_long_command_line.yml
+++ b/detections/endpoint/unusually_long_command_line.yml
@@ -59,5 +59,4 @@ tags: - Processes.dest - Processes.process_name - Processes.process - risk_score: 42 security_domain: endpoint
diff --git a/detections/endpoint/unusually_long_command_line___mltk.yml b/detections/endpoint/unusually_long_command_line___mltk.yml
index 0581f36735..9008b115ec 100644
--- a/detections/endpoint/unusually_long_command_line___mltk.yml
+++ b/detections/endpoint/unusually_long_command_line___mltk.yml
@@ -70,5 +70,4 @@ tags: - Processes.dest - Processes.process_name - Processes.process - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell.yml b/detections/endpoint/user_discovery_with_env_vars_powershell.yml
index 82bcb5d5f3..cb09bda707 100644
--- a/detections/endpoint/user_discovery_with_env_vars_powershell.yml
+++ b/detections/endpoint/user_discovery_with_env_vars_powershell.yml
@@ -66,7 +66,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml
index 1c031185cc..f0ced8b76c 100644
--- a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml
+++ b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml
@@ -57,7 +57,6 @@ tags: - ComputerName - User - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/usn_journal_deletion.yml b/detections/endpoint/usn_journal_deletion.yml
index 8c07f82226..1aa261c75b 100644
--- a/detections/endpoint/usn_journal_deletion.yml
+++ b/detections/endpoint/usn_journal_deletion.yml
@@ -61,7 +61,6 @@ tags: - Processes.user - Processes.parent_process_name - Processes.dest - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/vbscript_execution_using_wscript_app.yml b/detections/endpoint/vbscript_execution_using_wscript_app.yml
index edf4a61aaf..11454e9f2e 100644
--- a/detections/endpoint/vbscript_execution_using_wscript_app.yml
+++ b/detections/endpoint/vbscript_execution_using_wscript_app.yml
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/verclsid_clsid_execution.yml b/detections/endpoint/verclsid_clsid_execution.yml
index f13a64bca5..a94b5fdee5 100644
--- a/detections/endpoint/verclsid_clsid_execution.yml
+++ b/detections/endpoint/verclsid_clsid_execution.yml
@@ -76,7 +76,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/w3wp_spawning_shell.yml b/detections/endpoint/w3wp_spawning_shell.yml
index 5ca141c849..c7b4cfc55d 100644
--- a/detections/endpoint/w3wp_spawning_shell.yml
+++ b/detections/endpoint/w3wp_spawning_shell.yml
@@ -85,7 +85,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wbadmin_delete_system_backups.yml b/detections/endpoint/wbadmin_delete_system_backups.yml
index 1650bd43c0..b2c6a34c92 100644
--- a/detections/endpoint/wbadmin_delete_system_backups.yml
+++ b/detections/endpoint/wbadmin_delete_system_backups.yml
@@ -65,7 +65,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wbemprox_com_object_execution.yml b/detections/endpoint/wbemprox_com_object_execution.yml
index b9cf151cb4..b83dbc207a 100644
--- a/detections/endpoint/wbemprox_com_object_execution.yml
+++ b/detections/endpoint/wbemprox_com_object_execution.yml
@@ -61,7 +61,6 @@ tags: - ProcessId - Hashes - IMPHASH - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml
index 3d0107a0a5..701121f0a4 100644
--- a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml
+++ b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml
@@ -59,7 +59,6 @@ tags: - QueryResults - dest - EventCode - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wermgr_process_create_executable_file.yml b/detections/endpoint/wermgr_process_create_executable_file.yml
index 231e40d92a..a12701ab26 100644
--- a/detections/endpoint/wermgr_process_create_executable_file.yml
+++ b/detections/endpoint/wermgr_process_create_executable_file.yml
@@ -52,7 +52,6 @@ tags: - dest - EventCode - ProcessId - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
index 1309486162..2428c75345 100644
--- a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
+++ b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
@@ -69,7 +69,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wget_download_and_bash_execution.yml b/detections/endpoint/wget_download_and_bash_execution.yml
index 5205985b00..816ae3e4f6 100644
--- a/detections/endpoint/wget_download_and_bash_execution.yml
+++ b/detections/endpoint/wget_download_and_bash_execution.yml
@@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_abused_web_services.yml b/detections/endpoint/windows_abused_web_services.yml
index 1095d267ba..c098b6e9b8 100644
--- a/detections/endpoint/windows_abused_web_services.yml
+++ b/detections/endpoint/windows_abused_web_services.yml
@@ -48,7 +48,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 required_fields: - _time - Image
diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
index 36a82e515d..2af4f43e05 100644
--- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
+++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
@@ -67,7 +67,6 @@ tags: - member_dn - ComputerName - user - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
@@ -76,4 +75,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml
index 08d32a3110..6f1bbded21 100644
--- a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml
+++ b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml
@@ -65,7 +65,6 @@ tags: - CallTrace - dest - user_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
@@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
index 3530133e93..b130e057f4 100644
--- a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
+++ b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
@@ -66,7 +66,6 @@ tags: - CallTrace - dest - user_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -75,4 +74,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml b/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml
index c4aadd207c..4615db61f9 100644
--- a/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml
+++ b/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml
@@ -50,7 +50,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 required_fields: - _time - ScriptBlockText
diff --git a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
index 2701339e68..0238479db9 100644
--- a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
+++ b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
@@ -45,7 +45,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 required_fields: - _time - ScriptBlockText
diff --git a/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml b/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml
index 6545581668..a8de3917a2 100644
--- a/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml
+++ b/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml
@@ -45,7 +45,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 required_fields: - _time - ScriptBlockText
diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
index af65815e95..60f7427785 100644
--- a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
+++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
@@ -58,7 +58,6 @@ tags: - ObjectName - EventCode - SubjectUserName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
index f4d2072016..23f809843c 100644
--- a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
+++ b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
@@ -84,7 +84,6 @@ tags: - Computer - SubjectUserName - AttributeValue - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
index d5a0b0fbd1..1f46595a81 100644
--- a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
@@ -63,7 +63,6 @@ tags: - user - src_user - Logon_ID - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
index 10b933d2aa..b69f70baba 100644
--- a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
+++ b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
@@ -53,7 +53,6 @@ tags: - EventCode - AuditPolicyChanges - SubcategoryGuid - risk_score: 60 security_domain: endpoint manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested
diff --git a/detections/endpoint/windows_ad_domain_controller_promotion.yml b/detections/endpoint/windows_ad_domain_controller_promotion.yml
index 43fd9e1f94..eb9d0416f3 100644
--- a/detections/endpoint/windows_ad_domain_controller_promotion.yml
+++ b/detections/endpoint/windows_ad_domain_controller_promotion.yml
@@ -58,7 +58,6 @@ tags: - user - Logon_ID - dvc - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
index a7e217a4ce..ceab1cb122 100644
--- a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
+++ b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
@@ -84,7 +84,6 @@ tags: - AttributeLDAPDisplayName - AttributeValue - ObjectClass - risk_score: 80 security_domain: endpoint manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.
diff --git a/detections/endpoint/windows_ad_dsrm_account_changes.yml b/detections/endpoint/windows_ad_dsrm_account_changes.yml
index 2e7df399df..e18e81e416 100644
--- a/detections/endpoint/windows_ad_dsrm_account_changes.yml
+++ b/detections/endpoint/windows_ad_dsrm_account_changes.yml
@@ -68,7 +68,6 @@ tags: - Registry.registry_path - Registry.dest - Registry.user - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_dsrm_password_reset.yml b/detections/endpoint/windows_ad_dsrm_password_reset.yml
index 6afb115e79..e3387c2a70 100644
--- a/detections/endpoint/windows_ad_dsrm_password_reset.yml
+++ b/detections/endpoint/windows_ad_dsrm_password_reset.yml
@@ -57,7 +57,6 @@ tags: - All_Changes.dest - All_Changes.src - All_Changes.user - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml
index 471e1d7456..141c37e5cc 100644
--- a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml
@@ -58,7 +58,6 @@ tags: - user - src_user - Logon_ID - risk_score: 90 security_domain: endpoint manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.
diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml
index fde48019ed..3655d47aa6 100644
--- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml
+++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml
@@ -67,7 +67,6 @@ tags: - EventCode - Computer - SubjectUserName - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
@@ -76,4 +75,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
index 09293b4370..b21bd983d0 100644
--- a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
+++ b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
@@ -82,7 +82,6 @@ tags: - ObjectType - OperationType - status - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
index 2edcc972e0..f3abff9a3d 100644
--- a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
+++ b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
@@ -86,7 +86,6 @@ tags: - ObjectType - OperationType - status - risk_score: 100 security_domain: endpoint manual_test: This detection runs correctly when run manually and given some time is given for data to settle in the splunk index. tests:
diff --git a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml
index 8aa08c4d09..bc7428f3b7 100644
--- a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml
@@ -64,7 +64,6 @@ tags: - user - src_user - Logon_ID - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
index e22a02f6f0..07f90c8633 100644
--- a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
+++ b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
@@ -59,7 +59,6 @@ tags: - signature - SubjectUserName - Computer - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
index 8d1a3b2fe9..6d71d0a18d 100644
--- a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
+++ b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
@@ -56,7 +56,6 @@ tags: - signature - SubjectUserName - Computer - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml
index aaa5800936..5cd763a448 100644
--- a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml
+++ b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml
@@ -67,7 +67,6 @@ tags: - ObjectDN - Logon_ID - signature - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_short_lived_server_object.yml b/detections/endpoint/windows_ad_short_lived_server_object.yml
index 1aefbcaed6..6b3a268a79 100644
--- a/detections/endpoint/windows_ad_short_lived_server_object.yml
+++ b/detections/endpoint/windows_ad_short_lived_server_object.yml
@@ -62,7 +62,6 @@ tags: - signature - SubjectUserName - Computer - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
index c855fcc1d1..eba224b951 100644
--- a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
+++ b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
@@ -58,7 +58,6 @@ tags: - Computer - SubjectUserName - AttributeValue - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml
index 396269cb15..8d28f8530d 100644
--- a/detections/endpoint/windows_adfind_exe.yml
+++ b/detections/endpoint/windows_adfind_exe.yml
@@ -71,7 +71,6 @@ tags: - Processes.parent_process - Processes.process_id - Processes.parent_process_id - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_admin_permission_discovery.yml b/detections/endpoint/windows_admin_permission_discovery.yml
index 5bb5a9d541..cfb4e54498 100644
--- a/detections/endpoint/windows_admin_permission_discovery.yml
+++ b/detections/endpoint/windows_admin_permission_discovery.yml
@@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 required_fields: - _time - Filesystem.file_path
@@ -73,4 +72,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/njrat_admin_check/win_dat.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
index fc8331a2e3..4de5bf9bd8 100644
--- a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
@@ -64,7 +64,6 @@ tags: - Computer - IpAddress - SubjectUserName - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
index a7d737f541..5cf1f5a316 100644
--- a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
+++ b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
@@ -58,7 +58,6 @@ tags: - displayName - gPCFileSysPath - dcName - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_admon_group_policy_object_created.yml b/detections/endpoint/windows_admon_group_policy_object_created.yml
index c09e970738..f49f41caea 100644
--- a/detections/endpoint/windows_admon_group_policy_object_created.yml
+++ b/detections/endpoint/windows_admon_group_policy_object_created.yml
@@ -56,7 +56,6 @@ tags: - displayName - gPCFileSysPath - dcName - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_alternate_datastream___base64_content.yml b/detections/endpoint/windows_alternate_datastream___base64_content.yml
index 5367f1dac7..399604279b 100644
--- a/detections/endpoint/windows_alternate_datastream___base64_content.yml
+++ b/detections/endpoint/windows_alternate_datastream___base64_content.yml
@@ -67,7 +67,6 @@ tags: - Contents - file_hash - process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_alternate_datastream___executable_content.yml b/detections/endpoint/windows_alternate_datastream___executable_content.yml
index fe8f8306b1..a2848227e1 100644
--- a/detections/endpoint/windows_alternate_datastream___executable_content.yml
+++ b/detections/endpoint/windows_alternate_datastream___executable_content.yml
@@ -69,7 +69,6 @@ tags: - file_hash - process_guid - IMPHASH - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_alternate_datastream___process_execution.yml b/detections/endpoint/windows_alternate_datastream___process_execution.yml
index 87fb3f1bde..0083f3a4d7 100644
--- a/detections/endpoint/windows_alternate_datastream___process_execution.yml
+++ b/detections/endpoint/windows_alternate_datastream___process_execution.yml
@@ -69,7 +69,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_apache_benchmark_binary.yml b/detections/endpoint/windows_apache_benchmark_binary.yml
index 319ee15262..1277fd92f2 100644
--- a/detections/endpoint/windows_apache_benchmark_binary.yml
+++ b/detections/endpoint/windows_apache_benchmark_binary.yml
@@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
@@ -89,4 +88,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/apachebench_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
index f515b71eb6..76735f68da 100644
--- a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
+++ b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
@@ -59,7 +59,6 @@ tags: - dest - UserID - SecurityID - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
index 66902e8b36..cbbca7c496 100644
--- a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
+++ b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
@@ -56,7 +56,6 @@ tags: - dest - UserID - SecurityID - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml
index 8c42bfe2c6..21be615ada 100644
--- a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml
+++ b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml
@@ -56,7 +56,6 @@ tags: - PipeName - dest - UserID - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_applocker_block_events.yml b/detections/endpoint/windows_applocker_block_events.yml
index c2f0a7c99c..0831c69b2c 100644
--- a/detections/endpoint/windows_applocker_block_events.yml
+++ b/detections/endpoint/windows_applocker_block_events.yml
@@ -52,7 +52,6 @@ tags: - TargetProcessId - FilePath - FullFilePath - risk_score: 16 security_domain: endpoint cve: [] tests:
diff --git a/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml b/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml
index b9459e4c05..962760c956 100644
--- a/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml
+++ b/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml
@@ -56,7 +56,6 @@ tags: - FullFilePath - dest - user - risk_score: 49 security_domain: endpoint cve: [] tests:
diff --git a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml
index 0dc0da18b9..2ae3cffd8b 100644
--- a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml
+++ b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml
@@ -41,7 +41,6 @@ tags: - Computer - FullFilePath - TargetUser - risk_score: 64 security_domain: endpoint cve: [] tests:
diff --git a/detections/endpoint/windows_applocker_rare_application_launch_detection.yml b/detections/endpoint/windows_applocker_rare_application_launch_detection.yml
index 3e97153c5e..5184ee6262 100644
--- a/detections/endpoint/windows_applocker_rare_application_launch_detection.yml
+++ b/detections/endpoint/windows_applocker_rare_application_launch_detection.yml
@@ -54,7 +54,6 @@ tags: - FullFilePath - dest - user - risk_score: 15 security_domain: endpoint cve: [] tests:
diff --git a/detections/endpoint/windows_archive_collected_data_via_powershell.yml b/detections/endpoint/windows_archive_collected_data_via_powershell.yml
index 6e45ec66b2..846fad6845 100644
--- a/detections/endpoint/windows_archive_collected_data_via_powershell.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_powershell.yml
@@ -42,7 +42,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - EventCode
diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml
index 7372166416..ee464377c2 100644
--- a/detections/endpoint/windows_archive_collected_data_via_rar.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml
@@ -57,7 +57,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_autoit3_execution.yml b/detections/endpoint/windows_autoit3_execution.yml
index a4f67fc31b..d3ba5c595f 100644
--- a/detections/endpoint/windows_autoit3_execution.yml
+++ b/detections/endpoint/windows_autoit3_execution.yml
@@ -69,7 +69,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 required_fields: - Processes.dest - Processes.user
diff --git a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
index 16e498f509..6146af5985 100644
--- a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
+++ b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
@@ -61,7 +61,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -70,4 +69,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
index 8c47e4ee19..578fde923e 100644
--- a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
+++ b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
@@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -92,4 +91,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
index 8a4c0901bd..048af75813 100644
--- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
+++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
@@ -63,7 +63,6 @@ tags: - Filesystem.file_path - Filesystem.process_guid - Filesystem.dest - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
@@ -72,4 +71,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_bootloader_inventory.yml b/detections/endpoint/windows_bootloader_inventory.yml
index a3c6ac2f68..45ee1bf0ff 100644
--- a/detections/endpoint/windows_bootloader_inventory.yml
+++ b/detections/endpoint/windows_bootloader_inventory.yml
@@ -49,5 +49,4 @@ tags: required_fields: - _time - _raw - risk_score: 81 security_domain: endpoint
diff --git a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
index 3fc287e4ba..b143cdfb59 100644
--- a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
+++ b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
@@ -64,7 +64,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 9 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_cab_file_on_disk.yml b/detections/endpoint/windows_cab_file_on_disk.yml
index be9ec1dbfa..4a33585706 100644
--- a/detections/endpoint/windows_cab_file_on_disk.yml
+++ b/detections/endpoint/windows_cab_file_on_disk.yml
@@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 5 required_fields: - Filesystem.dest - Filesystem.action
diff --git a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
index 7978a53dcf..de5b99eeff 100644
--- a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
+++ b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -84,4 +83,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml
index b2183ba46f..def6739d9f 100644
--- a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml
+++ b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
@@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
index 4d38dd0681..468c6ad384 100644
--- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
+++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
@@ -57,7 +57,6 @@ tags: - Computer - UserID - EventCode - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -66,4 +65,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/powershell/windows-powershell-xml2.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
index 0fda311f6a..ea337d8c82 100644
--- a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
+++ b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
@@ -71,7 +71,6 @@ tags: - Splunk Cloud required_fields: - UPDATE - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -80,4 +79,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml
index 80cf509cd0..24be426582 100644
--- a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml
+++ b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml
@@ -73,7 +73,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
index 0fc8280bc9..f16ff9ba56 100644
--- a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
+++ b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
@@ -69,7 +69,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
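Review bot: In the first hunk on this line (`windows_com_hijacking_inprocserver32_modification.yml`) the `required_fields` list on the new side still holds the single entry `UPDATE`, which reads as an unfilled template placeholder rather than a real field name, and the commit removes the line immediately below it without correcting it. The detection's search is outside the hunk so I cannot list the exact fields, but a registry-modification detection would presumably need the same `Registry.*` fields the neighbouring files in this diff declare (e.g. `Registry.registry_path`, `Registry.registry_value_data`, `Registry.dest`), and leaving `UPDATE` misstates the data requirements to anyone validating CIM coverage from the metadata. Either fill the list from the search or, if the build tolerates it, add `# TODO: required_fields not yet populated` so the placeholder is not mistaken for a field.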
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
index e8e2f0e169..d66693afb4 100644
--- a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
+++ b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
@@ -84,4 +83,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_forkbomb/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_command_shell_fetch_env_variables.yml b/detections/endpoint/windows_command_shell_fetch_env_variables.yml
index 5dba1abde8..b5c6f89aea 100644
--- a/detections/endpoint/windows_command_shell_fetch_env_variables.yml
+++ b/detections/endpoint/windows_command_shell_fetch_env_variables.yml
@@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
@@ -79,4 +78,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
index 2e491afdbf..d3beb41fef 100644
--- a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
+++ b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
@@ -76,7 +76,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - All_Risk.analyticstories
diff --git a/detections/endpoint/windows_computer_account_created_by_computer_account.yml b/detections/endpoint/windows_computer_account_created_by_computer_account.yml
index 1d2617f73f..b130748e62 100644
--- a/detections/endpoint/windows_computer_account_created_by_computer_account.yml
+++ b/detections/endpoint/windows_computer_account_created_by_computer_account.yml
@@ -58,7 +58,6 @@ tags: - Account_Name - Subject_Account_Name - Subject_Account_Domain - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml b/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
index e5c67a084e..92dffb86bc 100644
--- a/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
+++ b/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
@@ -55,7 +55,6 @@ tags: - user - Account_Name - src_ip - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_computer_account_with_spn.yml b/detections/endpoint/windows_computer_account_with_spn.yml
index 54e3819a2e..a7694a9322 100644
--- a/detections/endpoint/windows_computer_account_with_spn.yml
+++ b/detections/endpoint/windows_computer_account_with_spn.yml
@@ -59,7 +59,6 @@ tags: - SAM_Account_Name - DNS_Host_Name - Logon_Id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
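Review bot: The first hunk on this line removes `risk_score: 49` from `windows_common_abused_cmd_shell_risk_behavior`, a search whose `required_fields` include `All_Risk.analyticstories`, i.e. a consumer of the risk index that the other detections in this diff feed, and nothing in the hunk shows where a detection's risk contribution is defined once the literal is gone. If the build now derives the score from other metadata (the `impact`/`confidence` keys are outside this hunk, so I cannot confirm they survive), that should be stated in the commit message and the stacking thresholds inside this correlation search re-checked against the derived values rather than the old literals. If instead the score simply disappears, ES risk-based alerting would attribute no risk to those events and this correlation would go quiet without any test failing, since its True Positive Test replays a dataset rather than the risk index. A comment next to the remaining scoring keys, such as `# risk_score is computed at build time from impact and confidence`, would make the new contract explicit for maintainers.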
diff --git a/detections/endpoint/windows_conhost_with_headless_argument.yml b/detections/endpoint/windows_conhost_with_headless_argument.yml
index cc79f44408..5af3a2fb84 100644
--- a/detections/endpoint/windows_conhost_with_headless_argument.yml
+++ b/detections/endpoint/windows_conhost_with_headless_argument.yml
@@ -62,7 +62,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 70 required_fields: - Processes.dest - Processes.user
diff --git a/detections/endpoint/windows_create_local_account.yml b/detections/endpoint/windows_create_local_account.yml
index c50b25d2b5..b1aefed9aa 100644
--- a/detections/endpoint/windows_create_local_account.yml
+++ b/detections/endpoint/windows_create_local_account.yml
@@ -55,7 +55,6 @@ tags: - All_Changes.dest - All_Changes.result - All_Changes.action - risk_score: 18 security_domain: endpoint tests: - name: True Positive Test
@@ -64,4 +63,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/4720.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
index 8ea72e0b43..f5d2671391 100644
--- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml
+++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
@@ -62,7 +62,6 @@ tags: - process_id - EventCode - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
index e4d6f40cb9..adc5b3a0e5 100644
--- a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
+++ b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
@@ -90,4 +89,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
index 2231bf6cc5..7190cfd54e 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
@@ -61,7 +61,6 @@ tags: - process_id - EventCode - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
index 4600477107..caa76c0aae 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
@@ -62,7 +62,6 @@ tags: - process_id - EventCode - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
index 98e4cefe66..38231ee7f4 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
@@ -63,7 +63,6 @@ tags: - process_id - EventCode - dest - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_credentials_from_password_stores_creation.yml b/detections/endpoint/windows_credentials_from_password_stores_creation.yml
index ecef8bec4a..7bfbde5e58 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_creation.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_creation.yml
@@ -55,7 +55,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
index 8a95cf7a02..22449b7b46 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
@@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_credentials_from_password_stores_query.yml b/detections/endpoint/windows_credentials_from_password_stores_query.yml
index 03147e0096..296919ca50 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_query.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_query.yml
@@ -74,7 +74,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -83,4 +82,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_credentials_in_registry_reg_query.yml b/detections/endpoint/windows_credentials_in_registry_reg_query.yml
index f2d7b84ded..16e32575e5 100644
--- a/detections/endpoint/windows_credentials_in_registry_reg_query.yml
+++ b/detections/endpoint/windows_credentials_in_registry_reg_query.yml
@@ -76,7 +76,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -85,4 +84,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
index 141b071dd4..e4ae0e2c5e 100644
--- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml
+++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
@@ -85,7 +85,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
index 7f7b3d7d16..d4c546aea5 100644
--- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml
+++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml
index 7d4029dfa4..25adc8092c 100644
--- a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml
+++ b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml
@@ -67,7 +67,6 @@ tags: - signature_id - process_name - process_guid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_debugger_tool_execution.yml b/detections/endpoint/windows_debugger_tool_execution.yml
index 48e3b65ec4..0d91af3643 100644
--- a/detections/endpoint/windows_debugger_tool_execution.yml
+++ b/detections/endpoint/windows_debugger_tool_execution.yml
@@ -64,7 +64,6 @@ tags: - Processes.user - Processes.process_id - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
index ab05fafed6..0e02a738bb 100644
--- a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
+++ b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
@@ -69,7 +69,6 @@ tags: - process_name - process_path - process - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_default_group_policy_object_modified.yml b/detections/endpoint/windows_default_group_policy_object_modified.yml
index 712adb5d73..3f438913cd 100644
--- a/detections/endpoint/windows_default_group_policy_object_modified.yml
+++ b/detections/endpoint/windows_default_group_policy_object_modified.yml
@@ -67,7 +67,6 @@ tags: - DSName - AttributeValue - SubjectUserSid - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
index e97b09e011..5bb909d84d 100644
--- a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
+++ b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
@@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_defender_asr_audit_events.yml b/detections/endpoint/windows_defender_asr_audit_events.yml
index 5548f7f00e..bb792c24c9 100644
--- a/detections/endpoint/windows_defender_asr_audit_events.yml
+++ b/detections/endpoint/windows_defender_asr_audit_events.yml
@@ -42,7 +42,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 5 required_fields: - host - Process_Name
diff --git a/detections/endpoint/windows_defender_asr_block_events.yml b/detections/endpoint/windows_defender_asr_block_events.yml
index 9705f2c5af..3b88de8732 100644
--- a/detections/endpoint/windows_defender_asr_block_events.yml
+++ b/detections/endpoint/windows_defender_asr_block_events.yml
@@ -46,7 +46,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 required_fields: - host - Process_Name
diff --git a/detections/endpoint/windows_defender_asr_registry_modification.yml b/detections/endpoint/windows_defender_asr_registry_modification.yml
index 0b8c3221d8..46511dcedf 100644
--- a/detections/endpoint/windows_defender_asr_registry_modification.yml
+++ b/detections/endpoint/windows_defender_asr_registry_modification.yml
@@ -55,7 +55,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 required_fields: - host - New_Value
diff --git a/detections/endpoint/windows_defender_asr_rule_disabled.yml b/detections/endpoint/windows_defender_asr_rule_disabled.yml
index 0668079d54..0a720201ba 100644
--- a/detections/endpoint/windows_defender_asr_rule_disabled.yml
+++ b/detections/endpoint/windows_defender_asr_rule_disabled.yml
@@ -45,7 +45,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - host - New_Value
diff --git a/detections/endpoint/windows_defender_asr_rules_stacking.yml b/detections/endpoint/windows_defender_asr_rules_stacking.yml
index 0ae518c4a0..6cfecf862c 100644
--- a/detections/endpoint/windows_defender_asr_rules_stacking.yml
+++ b/detections/endpoint/windows_defender_asr_rules_stacking.yml
@@ -70,7 +70,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 required_fields: - host - Parent_Commandline
diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
index f2c43428c9..b45a9e6314 100644
--- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml
+++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
@@ -65,7 +65,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml
index 5cde83838b..1b2573244b 100644
--- a/detections/endpoint/windows_delete_or_modify_system_firewall.yml
+++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml
@@ -55,7 +55,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
index 1cb171f835..bd44d003c7 100644
--- a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
+++ b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
@@ -75,7 +75,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml
index 76ee500f88..430c42fa46 100644
--- a/detections/endpoint/windows_disable_change_password_through_registry.yml
+++ b/detections/endpoint/windows_disable_change_password_through_registry.yml
@@ -59,7 +59,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
index b74c266c1f..aa27e9b22e 100644
--- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
+++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
@@ -59,7 +59,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
index c1fb076d93..856d094f37 100644
--- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
@@ -61,7 +61,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_disable_memory_crash_dump.yml b/detections/endpoint/windows_disable_memory_crash_dump.yml
index 1a51b92dff..9d711e8ffc 100644
--- a/detections/endpoint/windows_disable_memory_crash_dump.yml
+++ b/detections/endpoint/windows_disable_memory_crash_dump.yml
@@ -63,7 +63,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml
index d0cdee55a5..d28524f3f3 100644
--- a/detections/endpoint/windows_disable_notification_center.yml
+++ b/detections/endpoint/windows_disable_notification_center.yml
@@ -59,7 +59,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
index daf4791997..652f13b11e 100644
--- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
+++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
@@ -64,7 +64,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
index e81ee734ce..fa007f1d93 100644
--- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
@@ -59,7 +59,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
index ed9b58057a..bfa1d9c64b 100644
--- a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
+++ b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
@@ -89,7 +89,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -98,4 +97,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/disable_http_logging_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
index 48c54a01a2..c89cb3ad0c 100644
--- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
+++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
@@ -64,7 +64,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml
index 22c91d7e31..37882a3923 100644
--- a/detections/endpoint/windows_disableantispyware_registry.yml
+++ b/detections/endpoint/windows_disableantispyware_registry.yml
@@ -63,7 +63,6 @@ tags: - Registry.dest - Registry.user - Registry.registry_path - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_diskcryptor_usage.yml b/detections/endpoint/windows_diskcryptor_usage.yml
index dcadcdcc98..f6cb818809 100644
--- a/detections/endpoint/windows_diskcryptor_usage.yml
+++ b/detections/endpoint/windows_diskcryptor_usage.yml
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_diskshadow_proxy_execution.yml b/detections/endpoint/windows_diskshadow_proxy_execution.yml
index 7202c0a229..15e269f533 100644
--- a/detections/endpoint/windows_diskshadow_proxy_execution.yml
+++ b/detections/endpoint/windows_diskshadow_proxy_execution.yml
@@ -64,7 +64,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.original_file_name - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_dism_remove_defender.yml b/detections/endpoint/windows_dism_remove_defender.yml
index 758e250e73..090be40e0b 100644
--- a/detections/endpoint/windows_dism_remove_defender.yml
+++ b/detections/endpoint/windows_dism_remove_defender.yml
@@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: access tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml
index d023af11cf..01969f9935 100644
--- a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml
+++ b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml
@@ -53,7 +53,6 @@ tags: - dest - ImageLoaded - Module_Path - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test
@@ -62,4 +61,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
index b226d17b6a..47999368c8 100644
--- a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
+++ b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -91,4 +90,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_dll_side_loading_in_calc.yml b/detections/endpoint/windows_dll_side_loading_in_calc.yml
index 358f90443f..4d7264d283 100644
--- a/detections/endpoint/windows_dll_side_loading_in_calc.yml
+++ b/detections/endpoint/windows_dll_side_loading_in_calc.yml
@@ -60,7 +60,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
@@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
index 7ac8024482..596a65b9e2 100644
--- a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
+++ b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
@@ -67,7 +67,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
@@ -76,4 +75,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_dns_gather_network_info.yml b/detections/endpoint/windows_dns_gather_network_info.yml
index f14d1e23fa..612d7bde4a 100644
--- a/detections/endpoint/windows_dns_gather_network_info.yml
+++ b/detections/endpoint/windows_dns_gather_network_info.yml
@@ -68,7 +68,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_dnsadmins_new_member_added.yml b/detections/endpoint/windows_dnsadmins_new_member_added.yml
index a4559e7d79..90bab28f20 100644
--- a/detections/endpoint/windows_dnsadmins_new_member_added.yml
+++ b/detections/endpoint/windows_dnsadmins_new_member_added.yml
@@ -55,7 +55,6 @@ tags: - Computer - MemberSid - TargetUserName - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml
index ad82cbcb87..1654ef1a3a 100644
--- a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml
+++ b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml
@@ -46,7 +46,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 required_fields: - _time - ScriptBlockText
diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
index 3f2f25103c..f9f2a482d4 100644
--- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
+++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
@@ -42,7 +42,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 80 required_fields: - _time, - EventCode
diff --git a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
index 8907b999ea..2e4fb4dc72 100644
--- a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
+++ b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
@@ -95,7 +95,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_driver_inventory.yml b/detections/endpoint/windows_driver_inventory.yml
index 4998c8378d..8de5358808 100644
--- a/detections/endpoint/windows_driver_inventory.yml
+++ b/detections/endpoint/windows_driver_inventory.yml
@@ -44,7 +44,6 @@ tags: - Path - host - DriverType - risk_score: 5 security_domain: endpoint tests: - name: True Positive Test
@@ -53,4 +52,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log source: PwSh:DriverInventory sourcetype: PwSh:DriverInventory - update_timestamp: true
diff --git a/detections/endpoint/windows_driver_load_non_standard_path.yml b/detections/endpoint/windows_driver_load_non_standard_path.yml
index 9dd0aacff0..24c59fb384 100644
--- a/detections/endpoint/windows_driver_load_non_standard_path.yml
+++ b/detections/endpoint/windows_driver_load_non_standard_path.yml
@@ -58,7 +58,6 @@ tags: - ImagePath - ServiceName - ServiceType - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
@@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_drivers_loaded_by_signature.yml b/detections/endpoint/windows_drivers_loaded_by_signature.yml
index 1f813a27d6..6043357a30 100644
--- a/detections/endpoint/windows_drivers_loaded_by_signature.yml
+++ b/detections/endpoint/windows_drivers_loaded_by_signature.yml
@@ -60,7 +60,6 @@ tags: - service_signature_verified - service_signature_exists - Hashes - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
index 97ace872e1..003e2d5e41 100644
--- a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
+++ b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
@@ -69,7 +69,6 @@ tags: - Registry.user - Registry.registry_value_name - Registry.registry_value_type - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
index 631c86f244..34d1a4677f 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
@@ -59,7 +59,6 @@ tags: - SubjectUserName - SubjectDomainName - Computer - risk_score: 25 security_domain: endpoint cve: - CVE-2024-37085
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
index 17a42c082d..bc36efeb16 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
@@ -59,7 +59,6 @@ tags: - Processes.process - Processes.process_id - Processes.original_file_name - risk_score: 56 security_domain: endpoint cve: - CVE-2024-37085
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
index 04869a9d40..dd74a21ced 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
@@ -52,7 +52,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_event_for_service_disabled.yml b/detections/endpoint/windows_event_for_service_disabled.yml
index 400e0541d9..069dec6555 100644
--- a/detections/endpoint/windows_event_for_service_disabled.yml
+++ b/detections/endpoint/windows_event_for_service_disabled.yml
@@ -52,7 +52,6 @@ tags: - Message - User - Sid - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_event_log_cleared.yml b/detections/endpoint/windows_event_log_cleared.yml
index deb8a1e7c0..8e74b04bb6 100644
--- a/detections/endpoint/windows_event_log_cleared.yml
+++ b/detections/endpoint/windows_event_log_cleared.yml
@@ -54,7 +54,6 @@ tags: - _time - EventCode - dest - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml b/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml
index 66c6eae42d..bb618964fb 100644
--- a/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml
+++ b/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml
@@ -51,7 +51,6 @@ tags: - Exit_Code - dest - EventCode - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -60,4 +59,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log source: XmlWinEventLog:Application sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_excessive_disabled_services_event.yml b/detections/endpoint/windows_excessive_disabled_services_event.yml
index 3ec5426f6f..0910ddcf09 100644
--- a/detections/endpoint/windows_excessive_disabled_services_event.yml
+++ b/detections/endpoint/windows_excessive_disabled_services_event.yml
@@ -55,7 +55,6 @@ tags: - Message - User - Sid - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_executable_in_loaded_modules.yml b/detections/endpoint/windows_executable_in_loaded_modules.yml
index d50c4786ac..9f32777961 100644
--- a/detections/endpoint/windows_executable_in_loaded_modules.yml
+++ b/detections/endpoint/windows_executable_in_loaded_modules.yml
@@ -43,7 +43,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - Image
diff --git a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
index e974c464d9..9eabc1a47c 100644
--- a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
+++ b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
@@ -89,7 +89,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
@@ -98,4 +97,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml
index bbdf5110a0..d781ff316e 100644
--- a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml
+++ b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml
@@ -52,7 +52,6 @@ tags: - Computer - UserID - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
index cf10e3a8e9..dead80abb2 100644
--- a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
+++ b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
@@ -51,7 +51,6 @@ tags: - Computer - UserID - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_export_certificate.yml b/detections/endpoint/windows_export_certificate.yml
index 7b7b8813e6..4b8d0adf97 100644
--- a/detections/endpoint/windows_export_certificate.yml
+++ b/detections/endpoint/windows_export_certificate.yml
@@ -49,7 +49,6 @@ tags: - dest - SubjectName - UserData_Xml - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
@@ -59,4 +58,3 @@ tests: source: XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_file_share_discovery_with_powerview.yml b/detections/endpoint/windows_file_share_discovery_with_powerview.yml
index 6300157fa4..3f0df176c7 100644
--- a/detections/endpoint/windows_file_share_discovery_with_powerview.yml
+++ b/detections/endpoint/windows_file_share_discovery_with_powerview.yml
@@ -61,7 +61,6 @@ tags: - Opcode - Computer - UserID - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
index fc788f5756..4806bd2e8e 100644
--- a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
+++ b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
@@ -62,7 +62,6 @@ tags: - DestinationIp - dest - user - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -71,4 +70,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml
index 635c1167de..537e56c542 100644
--- a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml
+++ b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml
@@ -62,7 +62,6 @@ tags: - Processes.dest - Processes.process_guid - Processes.user - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
index 3b1379adc0..c8d87bedff 100644
--- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
+++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
@@ -64,7 +64,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Processes.parent_process_name
diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml
index 28a1e72c69..57d35e686d 100644
--- a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml
+++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml
@@ -58,7 +58,6 @@ tags: - Message - Computer - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml
index 5cf2bf2017..6a2f6f806c 100644
--- a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml
+++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml
@@ -57,7 +57,6 @@ tags: - Message - Computer - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_findstr_gpp_discovery.yml b/detections/endpoint/windows_findstr_gpp_discovery.yml
index c2d420d05b..f8dc210f24 100644
--- a/detections/endpoint/windows_findstr_gpp_discovery.yml
+++ b/detections/endpoint/windows_findstr_gpp_discovery.yml
@@ -77,7 +77,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.original_file_name - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml
index 625c6836f4..2fbd11a77a 100644
--- a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml
+++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml
@@ -57,7 +57,6 @@ tags: - Message - Computer - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_gather_victim_host_information_camera.yml b/detections/endpoint/windows_gather_victim_host_information_camera.yml
index 0db4ac23ef..61a4308a81 100644
--- a/detections/endpoint/windows_gather_victim_host_information_camera.yml
+++ b/detections/endpoint/windows_gather_victim_host_information_camera.yml
@@ -57,7 +57,6 @@ tags: - ScriptBlockText - Computer - EventCode - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
@@ -66,4 +65,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_gather_victim_identity_sam_info.yml b/detections/endpoint/windows_gather_victim_identity_sam_info.yml
index 98025e0495..9519dd6382 100644
--- a/detections/endpoint/windows_gather_victim_identity_sam_info.yml
+++ b/detections/endpoint/windows_gather_victim_identity_sam_info.yml
@@ -56,7 +56,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml
index 40f1a0810d..5212911e3c 100644
--- a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml
+++ b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml
@@ -62,7 +62,6 @@ tags: - QueryResults - dest - EventCode - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -71,4 +70,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml
index 872b578c88..afe6d12442 100644
--- a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml
+++ b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml
@@ -59,7 +59,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml
index d77f2be686..4e4350e925 100644
--- a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml
+++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml
@@ -58,7 +58,6 @@ tags: - Message - Computer - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_group_policy_object_created.yml b/detections/endpoint/windows_group_policy_object_created.yml
index 16771eae70..aff63fed72 100644
--- a/detections/endpoint/windows_group_policy_object_created.yml
+++ b/detections/endpoint/windows_group_policy_object_created.yml
@@ -65,7 +65,6 @@ tags: - ObjectDN - ObjectGUID - Computer - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml
index ba483a22a0..001437e45a 100644
--- a/detections/endpoint/windows_hidden_schedule_task_settings.yml
+++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml
@@ -57,7 +57,6 @@ tags: - Enabled - Hidden - Arguments - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml
index 71c42cefd0..fdb1ed52d0 100644
--- a/detections/endpoint/windows_hide_notification_features_through_registry.yml
+++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml
@@ -58,7 +58,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml
index 3276eab31b..7d66f854dd 100644
--- a/detections/endpoint/windows_high_file_deletion_frequency.yml
+++ b/detections/endpoint/windows_high_file_deletion_frequency.yml
@@ -79,7 +79,6 @@ tags: - Image - ProcessID - _time - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
index c65837e084..d8848a2bd1 100644
--- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
+++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
@@ -54,7 +54,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
@@ -63,4 +62,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml
index e5cc8a7df9..2dcec6c7f9 100644
--- a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml
+++ b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml
@@ -65,7 +65,6 @@ tags: - SourceProcessId - SourceUser - TargetUser - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_identify_protocol_handlers.yml b/detections/endpoint/windows_identify_protocol_handlers.yml
index 0d48f21a1b..5d57c22a15 100644
--- a/detections/endpoint/windows_identify_protocol_handlers.yml
+++ b/detections/endpoint/windows_identify_protocol_handlers.yml
@@ -88,7 +88,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 6 security_domain: endpoint tests: - name: True Positive Test
@@ -97,4 +96,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/protocol_handlers/protocolhandlers.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml
index 7821c6f36a..6d2d4aa3bc 100644
--- a/detections/endpoint/windows_iis_components_add_new_module.yml
+++ b/detections/endpoint/windows_iis_components_add_new_module.yml
@@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -96,4 +95,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml b/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml
index 5133121c97..d58ea362ef 100644
--- a/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml
+++ b/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml
@@ -51,7 +51,6 @@ tags:
- host
- name
- image
- risk_score: 1
security_domain: endpoint
tests:
- name: True Positive Test
@@ -60,4 +59,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_installediismodules.log
source: powershell://AppCmdModules
sourcetype: Pwsh:InstalledIISModules
- update_timestamp: true
diff --git a/detections/endpoint/windows_iis_components_module_failed_to_load.yml b/detections/endpoint/windows_iis_components_module_failed_to_load.yml
index bf64fbbb77..5e8feaea40 100644
--- a/detections/endpoint/windows_iis_components_module_failed_to_load.yml
+++ b/detections/endpoint/windows_iis_components_module_failed_to_load.yml
@@ -55,7 +55,6 @@ tags:
- EventCode
- ComputerName
- Message
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
@@ -64,4 +63,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/2282_windows-application.log
source: XmlWinEventLog:Application
sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_iis_components_new_module_added.yml b/detections/endpoint/windows_iis_components_new_module_added.yml
index 753d10b9bf..3eea9b2717 100644
--- a/detections/endpoint/windows_iis_components_new_module_added.yml
+++ b/detections/endpoint/windows_iis_components_new_module_added.yml
@@ -55,7 +55,6 @@ tags:
- EventCode
- ComputerName
- Message
- risk_score: 48
security_domain: endpoint
tests:
- name: True Positive Test
@@ -64,4 +63,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log
source: IIS:Configuration:Operational
sourcetype: IIS:Configuration:Operational
- update_timestamp: true
diff --git a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml
index 277edfbd68..5b5cb3a526 100644
--- a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml
+++ b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml
@@ -64,7 +64,6 @@ tags:
- Registry.dest
- Registry.registry_value_name
- Registry.action
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
index c7b169a004..bf7c268d6c 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
index 8e1009bac9..ff9930cc8e 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
@@ -51,7 +51,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
index e513ac0774..5c0bf25346 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
index 0ae92aa3fc..7265891f71 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
index 39802aae08..d8829e2ced 100644
--- a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
+++ b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
@@ -55,7 +55,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
index e60f169f61..e859b4e690 100644
--- a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
+++ b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml
index 36d8922ff8..a3da03fa90 100644
--- a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml
+++ b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml
@@ -60,7 +60,6 @@ tags:
- Registry.user
- Registry.registry_path
- Registry.action
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
@@ -69,4 +68,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
index 15d50803ee..19763d91da 100644
--- a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
+++ b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
@@ -60,7 +60,6 @@ tags:
- Registry.user
- Registry.registry_path
- Registry.action
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
@@ -69,4 +68,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
index cd90b0102d..ed8393b0e4 100644
--- a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
+++ b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
@@ -70,7 +70,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 100
security_domain: endpoint
tests:
- name: True Positive Test
@@ -79,4 +78,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
index 0ef27735e7..0447d014ea 100644
--- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
+++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
index c5f35b7a7d..3e2a6e2395 100644
--- a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
+++ b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
index 87916a6e12..041af6781d 100644
--- a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
+++ b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
index 7801a8da16..72fd45e199 100644
--- a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
index be20e163d4..344c4635bd 100644
--- a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
+++ b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
index 8b4b40941b..fb0f9bdde8 100644
--- a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
+++ b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
index 44e4b0824b..bfbccb3d56 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
index 2718885ddc..afdc15c08f 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
index f9ba1e6b7a..32f0fcbd34 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
index 2e972eba4f..8903891b9b 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
index 3451fb7079..5a94fcc354 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
index fb4aeb7f7e..7f2512c945 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
@@ -51,7 +51,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
index 103c913657..06c6c89519 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
index bd97134d0a..def2dcca91 100644
--- a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
+++ b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
index 1eaf1df99c..71651da77e 100644
--- a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
+++ b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
index f56729718e..ed761ef748 100644
--- a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
+++ b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_impair_defenses_disable_hvci.yml b/detections/endpoint/windows_impair_defenses_disable_hvci.yml
index 47402295cb..e25980a40b 100644
--- a/detections/endpoint/windows_impair_defenses_disable_hvci.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_hvci.yml
@@ -61,7 +61,6 @@ tags:
- Registry.action
- Registry.user
- Registry.dest
- risk_score: 70
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
index 5c325b9018..a5c51dd91e 100644
--- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
@@ -61,7 +61,6 @@ tags:
- Registry.user
- Registry.registry_path
- Registry.action
- risk_score: 24
security_domain: endpoint
tests:
- name: True Positive Test
@@ -70,4 +69,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml
index 63df9d0661..e4dc882a91 100644
--- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml
+++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml
@@ -54,7 +54,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 25
required_fields:
- _time
- Processes.dest
diff --git a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml
index 489dbe3794..86c1bd2aa9 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml
@@ -70,7 +70,6 @@ tags:
- Processes.process_id
- Processes.parent_process_id
- Processes.process_path
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml
index 85a3095433..5d45e4710c 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml
@@ -68,7 +68,6 @@ tags:
- Processes.process_id
- Processes.parent_process_id
- Processes.process_path
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
index 219b7ab5a9..7e4dfc5e41 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
@@ -70,7 +70,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
@@ -79,4 +78,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml
index 9955f3ce9d..aa848d21b2 100644
--- a/detections/endpoint/windows_information_discovery_fsutil.yml
+++ b/detections/endpoint/windows_information_discovery_fsutil.yml
@@ -72,7 +72,6 @@ tags:
- Processes.parent_process_id
- Processes.parent_process_guid
- Processes.process_guid
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
@@ -81,4 +80,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
index 1a08e38d1d..e3903ee458 100644
--- a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
+++ b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
@@ -91,4 +90,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_explorer_url/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml
index c2a3773cf5..d11dc6b879 100644
--- a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml
+++ b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml
@@ -58,7 +58,6 @@ tags:
- Registry.dest
- Registry.process_guid
- Registry.user
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml
index 638b2a7d98..6884c32fde 100644
--- a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml
+++ b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml
@@ -56,7 +56,6 @@ tags:
- EventCode
- Signed
- ProcessId
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
@@ -65,4 +64,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_installutil_credential_theft.yml b/detections/endpoint/windows_installutil_credential_theft.yml
index 5445ac16f5..82eab08395 100644
--- a/detections/endpoint/windows_installutil_credential_theft.yml
+++ b/detections/endpoint/windows_installutil_credential_theft.yml
@@ -63,7 +63,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_installutil_in_non_standard_path.yml b/detections/endpoint/windows_installutil_in_non_standard_path.yml
index a3df44896c..8a7ccd2ab2 100644
--- a/detections/endpoint/windows_installutil_in_non_standard_path.yml
+++ b/detections/endpoint/windows_installutil_in_non_standard_path.yml
@@ -94,7 +94,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml
index dd895a5ad7..d7df00c57a 100644
--- a/detections/endpoint/windows_installutil_remote_network_connection.yml
+++ b/detections/endpoint/windows_installutil_remote_network_connection.yml
@@ -88,7 +88,6 @@ tags:
- Ports.process_guid
- Ports.dest
- Ports.dest_port
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_installutil_uninstall_option.yml b/detections/endpoint/windows_installutil_uninstall_option.yml
index c3ac1b0646..0af1b6b6d3 100644
--- a/detections/endpoint/windows_installutil_uninstall_option.yml
+++ b/detections/endpoint/windows_installutil_uninstall_option.yml
@@ -86,7 +86,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml
index 072ce865db..4241a4e49d 100644
--- a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml
+++ b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml
@@ -90,7 +90,6 @@ tags:
- Ports.process_guid
- Ports.dest
- Ports.dest_port
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_installutil_url_in_command_line.yml b/detections/endpoint/windows_installutil_url_in_command_line.yml
index 23f88c226c..16543f86f2 100644
--- a/detections/endpoint/windows_installutil_url_in_command_line.yml
+++ b/detections/endpoint/windows_installutil_url_in_command_line.yml
@@ -84,7 +84,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_iso_lnk_file_creation.yml b/detections/endpoint/windows_iso_lnk_file_creation.yml
index c0c866145d..aa55077a53 100644
--- a/detections/endpoint/windows_iso_lnk_file_creation.yml
+++ b/detections/endpoint/windows_iso_lnk_file_creation.yml
@@ -70,7 +70,6 @@ tags:
- Filesystem.file_name
- Filesystem.file_path
- Filesystem.dest
- risk_score: 40
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_java_spawning_shells.yml b/detections/endpoint/windows_java_spawning_shells.yml
index 69b1f0160b..6815096088 100644
--- a/detections/endpoint/windows_java_spawning_shells.yml
+++ b/detections/endpoint/windows_java_spawning_shells.yml
@@ -85,5 +85,4 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 40
security_domain: endpoint
diff --git a/detections/endpoint/windows_kerberos_local_successful_logon.yml b/detections/endpoint/windows_kerberos_local_successful_logon.yml
index 5b28939ffb..84b5eafcb4 100644
--- a/detections/endpoint/windows_kerberos_local_successful_logon.yml
+++ b/detections/endpoint/windows_kerberos_local_successful_logon.yml
@@ -55,7 +55,6 @@ tags:
- user
- TargetUserName
- src_ip
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_known_abused_dll_created.yml b/detections/endpoint/windows_known_abused_dll_created.yml
index def54ea110..e6a9475fba 100644
--- a/detections/endpoint/windows_known_abused_dll_created.yml
+++ b/detections/endpoint/windows_known_abused_dll_created.yml
@@ -98,7 +98,6 @@ tags:
- Filesystem.file_name
- Filesystem.file_path
- Filesystem.process_guid
- risk_score: 10
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
index b7c0d61ace..0fcb238f57 100644
--- a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
+++ b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
@@ -61,7 +61,6 @@ tags:
- ImageLoaded
- Computer
- ProcessGuid
- risk_score: 10
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
index ab871bc23d..f6ef4140e7 100644
--- a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
+++ b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
@@ -48,7 +48,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 36
required_fields:
- _time
- Image
diff --git a/detections/endpoint/windows_krbrelayup_service_creation.yml b/detections/endpoint/windows_krbrelayup_service_creation.yml
index 8686afb672..5b055a6ea1 100644
--- a/detections/endpoint/windows_krbrelayup_service_creation.yml
+++ b/detections/endpoint/windows_krbrelayup_service_creation.yml
@@ -48,7 +48,6 @@ tags:
- Service_Name
- Service_Start_Type
- Service_Type
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
index cb6ced8840..e72d764b62 100644
--- a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
+++ b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
@@ -57,7 +57,6 @@ tags:
- ServiceName
- TargetUserName
- IpAddress
- risk_score: 30
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml b/detections/endpoint/windows_lateral_tool_transfer_remcom.yml
index 801d049f3d..491b8e7cd8 100644
--- a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml
+++ b/detections/endpoint/windows_lateral_tool_transfer_remcom.yml
@@ -81,7 +81,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 40
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_ldifde_directory_object_behavior.yml b/detections/endpoint/windows_ldifde_directory_object_behavior.yml
index ff581645d5..88beea1a49 100644
--- a/detections/endpoint/windows_ldifde_directory_object_behavior.yml
+++ b/detections/endpoint/windows_ldifde_directory_object_behavior.yml
@@ -85,7 +85,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 40
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml
index 881d251a75..bfc52261da 100644
--- a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml
+++ b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml
@@ -54,7 +54,6 @@ tags:
- ScriptBlockText
- Computer
- user_id
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_local_administrator_credential_stuffing.yml b/detections/endpoint/windows_local_administrator_credential_stuffing.yml
index 87560c5f9e..76ff75cbb5 100644
--- a/detections/endpoint/windows_local_administrator_credential_stuffing.yml
+++ b/detections/endpoint/windows_local_administrator_credential_stuffing.yml
@@ -64,7 +64,6 @@ tags:
- TargetUserName
- Computer
- IpAddress
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml
index 0ec5b1aa5f..cafa2417a3 100644
--- a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml
+++ b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml
@@ -68,7 +68,6 @@ tags:
- Processes.process_name
- Processes.original_file_name
- Processes.process_path
- risk_score: 40
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
index 2702505025..21277b6036 100644
--- a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
+++ b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
@@ -59,7 +59,6 @@ tags:
- Processes.process_name
- Processes.original_file_name
- Processes.process_path
- risk_score: 40
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
index e63a6b0aae..a554b9808d 100644
--- a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
+++ b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 64
required_fields:
- _time
- Registry.registry_path
diff --git a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml
index c56ab5a29f..18cfb81c2c 100644
--- a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml
+++ b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml
@@ -62,7 +62,6 @@ tags:
- DestinationIp
- dest
- user
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_mark_of_the_web_bypass.yml b/detections/endpoint/windows_mark_of_the_web_bypass.yml
index fd2f47ba7b..53e32405cd 100644
--- a/detections/endpoint/windows_mark_of_the_web_bypass.yml
+++ b/detections/endpoint/windows_mark_of_the_web_bypass.yml
@@ -47,7 +47,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - EventCode - TargetFilename
diff --git a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
index 5450d746e5..162a507888 100644
--- a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
+++ b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
@@ -69,7 +69,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_masquerading_msdtc_process.yml b/detections/endpoint/windows_masquerading_msdtc_process.yml
index 3331347e54..a121dd5a7e 100644
--- a/detections/endpoint/windows_masquerading_msdtc_process.yml
+++ b/detections/endpoint/windows_masquerading_msdtc_process.yml
@@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - Processes.dest
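Review bot: Dropping `update_timestamp: true` from the `attack_data` entry changes what the True Positive Test replays: that flag is what tells the test harness to rewrite the sysmon.log events' timestamps to replay time, and without it the search has to match the dataset's original timestamps, so the test can start failing for a time-window reason rather than a logic one. If the newer harness rewrites timestamps unconditionally this is harmless, but that is not visible from the hunk. Run the windows_mail_protocol_in_non_common_process_path test after the change rather than relying on the earlier pass. The same removal is applied to the windows_masquerading_explorer_as_child_process test on this line, and the `tests` block it belongs to starts outside the hunk.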
diff --git a/detections/endpoint/windows_mimikatz_binary_execution.yml b/detections/endpoint/windows_mimikatz_binary_execution.yml
index 12474f92ad..3548222a42 100644
--- a/detections/endpoint/windows_mimikatz_binary_execution.yml
+++ b/detections/endpoint/windows_mimikatz_binary_execution.yml
@@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
@@ -96,4 +95,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
index 046014d798..cf59fd8422 100644
--- a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
+++ b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
@@ -56,7 +56,6 @@ tags: - Filesystem.file_create_time - Filesystem.file_name - Filesystem.file_path - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
index 69b3cf513b..1854e24abb 100644
--- a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
+++ b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
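Review bot: This is the top of the scale (`risk_score: 100`) for a direct mimikatz binary execution, the kind of detection that was tuned to open a notable on its own rather than through accumulated risk; once the score is removed the hunk shows no replacement, so confirm that wherever the score now lives it keeps a value that still crosses the notable threshold on a single hit. The `@@ -96,4 +95,3 @@` hunk in the same file also drops `update_timestamp: true` from the test, which decides whether the replayed mimikatzwindows-sysmon.log events land inside the search window. Both the `tags` and `tests` blocks are cut at the hunk edges, so any replacement field is outside the view.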
@@ -48,7 +48,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
index f7134f4fb3..f1c6357d1e 100644
--- a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
+++ b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
@@ -57,7 +57,6 @@ tags: - Registry.registry_value_name - Registry.action - Registry.registry_value_data - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_auto_update_notif.yml b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
index d0c1d43e7a..7937b02503 100644
--- a/detections/endpoint/windows_modify_registry_auto_update_notif.yml
+++ b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
@@ -59,7 +59,6 @@ tags: - Registry.registry_value_name - Registry.action - Registry.registry_value_data - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml
index 8560a49471..c02ecee139 100644
--- a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml
+++ b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml
@@ -57,7 +57,6 @@ tags: - Registry.action - Registry.registry_value_data - Registry.process_guid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_default_icon_setting.yml b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
index 034a6152ca..c829ff39d9 100644
--- a/detections/endpoint/windows_modify_registry_default_icon_setting.yml
+++ b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
@@ -63,7 +63,6 @@ tags: - Registry.registry_key_name - Registry.registry_value_name - Registry.action - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -72,4 +71,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lockbit_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml
index 6cd4fdb20c..6eacfc1beb 100644
--- a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml
+++ b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml
@@ -55,7 +55,6 @@ tags: - Image - user - dest - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_disable_rdp.yml b/detections/endpoint/windows_modify_registry_disable_rdp.yml
index c37f229460..53412fefcb 100644
--- a/detections/endpoint/windows_modify_registry_disable_rdp.yml
+++ b/detections/endpoint/windows_modify_registry_disable_rdp.yml
@@ -25,7 +25,7 @@ how_to_implement: To successfully implement this search you need to be ingesting endpoint product. known_false_positives: administrators may enable or disable this feature that may cause some false positive. -eferences: +references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ tags: analytic_story:
@@ -56,7 +56,6 @@ tags: - Registry.action - Registry.registry_value_data - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
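Review bot: The `eferences:` to `references:` fix in windows_modify_registry_disable_rdp is correct, but a misspelled top-level key in a shipped detection means the content validator either accepts unknown keys or treats `references` as optional; either way the typo dropped the ShrinkLocker reference from the rendered detection without any build failure. Consider making the detection schema reject unknown top-level keys so a future one-character typo cannot silently discard a field. The `known_false_positives` context line in the same hunk, `administrators may enable or disable this feature that may cause some false positive`, should also point at something concrete to filter on, such as the process or user that made the change, since by its own wording administrative changes hit the same value. The `@@ -56,7 +56,6 @@` hunk for this file removes `risk_score: 25` with no replacement visible in the view.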
diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
index 649ccc3627..4760cff557 100644
--- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
+++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
@@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - Registry.registry_path
diff --git a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
index 7b6a0c6bfc..a710953721 100644
--- a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
@@ -58,7 +58,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
index a168702d5e..6cf0e8f2a2 100644
--- a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
@@ -60,7 +60,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
index 9d55f54208..a27cced870 100644
--- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
@@ -61,7 +61,6 @@ tags: - Registry.registry_value_name - Registry.action - Registry.registry_value_data - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
index 6a7e5cf8f8..1886716c8c 100644
--- a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
@@ -60,7 +60,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
index 6ec37a2410..0a8c1f099b 100644
--- a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
+++ b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
@@ -49,7 +49,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
index df7bd7bf55..808ef11a98 100644
--- a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
+++ b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
@@ -50,7 +50,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
index b3d1d4f59c..e5b7daf126 100644
--- a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
+++ b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
@@ -57,7 +57,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -66,4 +65,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
index 22d3783127..b1a2530054 100644
--- a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
+++ b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
@@ -56,7 +56,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
index 71bd681e79..16676350a7 100644
--- a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
+++ b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
@@ -61,7 +61,6 @@ tags: - Registry.registry_value_name - Registry.action - Registry.registry_value_data - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_dontshowui.yml b/detections/endpoint/windows_modify_registry_dontshowui.yml
index 5264f4251f..841959cba4 100644
--- a/detections/endpoint/windows_modify_registry_dontshowui.yml
+++ b/detections/endpoint/windows_modify_registry_dontshowui.yml
@@ -48,7 +48,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
index 49e5c60bf6..c74aa0274f 100644
--- a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
+++ b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
@@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
index be3d23dcb8..e855c04c9f 100644
--- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml
+++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
@@ -50,7 +50,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 16 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
index 3da3cb3c99..a1c2c5420e 100644
--- a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
+++ b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
@@ -50,7 +50,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
index e961a39544..d77676b108 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
@@ -59,7 +59,6 @@ tags: - Registry.registry_value_name - Registry.action - Registry.registry_value_data - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_no_auto_update.yml b/detections/endpoint/windows_modify_registry_no_auto_update.yml
index f4edf71299..4ab73021b3 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_update.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_update.yml
@@ -59,7 +59,6 @@ tags: - Registry.registry_value_name - Registry.action - Registry.registry_value_data - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
index 0004e9f3de..0c3552d802 100644
--- a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
+++ b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
@@ -48,7 +48,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
index f58b2852bd..5a0ff810b7 100644
--- a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
+++ b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
@@ -25,7 +25,7 @@ how_to_implement: To successfully implement this search you need to be ingesting endpoint product. known_false_positives: administrators may enable or disable this feature that may cause some false positive. -eferences: +references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ tags: analytic_story:
@@ -56,7 +56,6 @@ tags: - Registry.action - Registry.registry_value_data - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_proxyenable.yml b/detections/endpoint/windows_modify_registry_proxyenable.yml
index 60f720e50c..72be1284d1 100644
--- a/detections/endpoint/windows_modify_registry_proxyenable.yml
+++ b/detections/endpoint/windows_modify_registry_proxyenable.yml
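Review bot: windows_modify_registry_on_smart_card_group_policy carries the same `eferences:` key typo, the same fix and the same `known_false_positives` sentence as windows_modify_registry_disable_rdp earlier in this diff, which suggests both files came from one template and the typo was copied rather than typed; a schema check that rejects unknown top-level keys would have caught both at build time instead of in review. The `@@ -56,7 +56,6 @@` hunk for this file also drops `risk_score: 25` with no replacement visible, so it needs the same confirmation that a score survives elsewhere in the file. Both hunks cut the enclosing blocks at their edges.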
@@ -48,7 +48,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_proxyserver.yml b/detections/endpoint/windows_modify_registry_proxyserver.yml
index 5870318cda..d57570f307 100644
--- a/detections/endpoint/windows_modify_registry_proxyserver.yml
+++ b/detections/endpoint/windows_modify_registry_proxyserver.yml
@@ -47,7 +47,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
index a91ab6e4ea..4dfe07d651 100644
--- a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
+++ b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
@@ -80,7 +80,6 @@ tags: - registry_key_name - registry_key_name_len - registry_value_name_len - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -89,4 +88,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_reg_restore.yml b/detections/endpoint/windows_modify_registry_reg_restore.yml
index 961ae033b1..956bf9f4ef 100644
--- a/detections/endpoint/windows_modify_registry_reg_restore.yml
+++ b/detections/endpoint/windows_modify_registry_reg_restore.yml
@@ -76,7 +76,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -85,4 +84,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
index 6bcd169e25..d7c43b976d 100644
--- a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
+++ b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
@@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -79,4 +78,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_risk_behavior.yml b/detections/endpoint/windows_modify_registry_risk_behavior.yml
index f44605d7f1..3bbc413b30 100644
--- a/detections/endpoint/windows_modify_registry_risk_behavior.yml
+++ b/detections/endpoint/windows_modify_registry_risk_behavior.yml
@@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - All_Risk.analyticstories
diff --git a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
index f3317d9729..5ef66f542d 100644
--- a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
+++ b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
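Review bot: windows_modify_registry_risk_behavior is a risk-correlation search rather than a primary detection (`All_Risk.analyticstories` is in its required_fields), so it consumes exactly the per-detection scores this commit strips from the other registry-modification analytics; if those scores are not re-emitted from a new field, the risk sum this search thresholds on is fed by nothing and it goes quiet without any error. Removing its own `risk_score: 49` is a separate question, but the upstream dependency is the one to check first, ideally by replaying one of the registry datasets and confirming a risk event with a non-zero score is still written before this search runs. The `tags` block is cut at both edges of the `@@ -56,7 +56,6 @@` hunk, so any replacement field is outside the view.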
@@ -59,7 +59,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_tamper_protection.yml b/detections/endpoint/windows_modify_registry_tamper_protection.yml
index 260fd5ba85..e14fd08cca 100644
--- a/detections/endpoint/windows_modify_registry_tamper_protection.yml
+++ b/detections/endpoint/windows_modify_registry_tamper_protection.yml
@@ -60,7 +60,6 @@ tags: - Registry.registry_value_name - Registry.action - Registry.registry_value_data - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
index e55a319353..fdbaa8d90c 100644
--- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
+++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
@@ -60,7 +60,6 @@ tags: - Registry.registry_value_data - Registry.process_guid - Registry.action - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
index e9d8f22e58..bbf26108c8 100644
--- a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
+++ b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
@@ -57,7 +57,6 @@ tags: - Registry.registry_value_name - Registry.action - Registry.registry_value_data - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_usewuserver.yml b/detections/endpoint/windows_modify_registry_usewuserver.yml
index 5b4c591d67..032a595cdd 100644
--- a/detections/endpoint/windows_modify_registry_usewuserver.yml
+++ b/detections/endpoint/windows_modify_registry_usewuserver.yml
@@ -57,7 +57,6 @@ tags: - Registry.registry_value_name - Registry.action - Registry.registry_value_data - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
index 14a104ee88..9fbb37af90 100644
--- a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
+++ b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
@@ -51,7 +51,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_wuserver.yml b/detections/endpoint/windows_modify_registry_wuserver.yml
index c67ea368a9..7bcc7aca6d 100644
--- a/detections/endpoint/windows_modify_registry_wuserver.yml
+++ b/detections/endpoint/windows_modify_registry_wuserver.yml
@@ -57,7 +57,6 @@ tags: - Registry.registry_value_name - Registry.action - Registry.registry_value_data - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_wustatusserver.yml b/detections/endpoint/windows_modify_registry_wustatusserver.yml
index c347ac54e5..fe0de2fc81 100644
--- a/detections/endpoint/windows_modify_registry_wustatusserver.yml
+++ b/detections/endpoint/windows_modify_registry_wustatusserver.yml
@@ -57,7 +57,6 @@ tags: - Registry.registry_value_name - Registry.action - Registry.registry_value_data - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
index 80738ab935..10b30e54b7 100644
--- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
+++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
@@ -59,7 +59,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
index 6e4a52b436..e8bc03205d 100644
--- a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
+++ b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
@@ -70,7 +70,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
index c8e0c16ff1..9e625f9916 100644
--- a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
+++ b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
@@ -85,7 +85,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -94,4 +93,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/mofcomp.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
index afa42c67af..8fab557073 100644
--- a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
+++ b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
@@ -59,7 +59,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - Filesystem.file_path
diff --git a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
index 707a655921..262f5d0c8d 100644
--- a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
+++ b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
@@ -55,7 +55,6 @@ tags: - _time - Message - dest - risk_score: 32 security_domain: endpoint tests: - name: True Positive Test
@@ -64,4 +63,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log source: WinEventLog:MSExchange Management sourcetype: MSExchange:management - update_timestamp: true
diff --git a/detections/endpoint/windows_mshta_execution_in_registry.yml b/detections/endpoint/windows_mshta_execution_in_registry.yml
index 4100435773..155333ba27 100644
--- a/detections/endpoint/windows_mshta_execution_in_registry.yml
+++ b/detections/endpoint/windows_mshta_execution_in_registry.yml
@@ -62,7 +62,6 @@ tags: - Registry.dest - Registry.registry_value_data - Registry.action - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
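Review bot: `risk_score: 100` for windows_moveit_transfer_writing_aspx is removed with no replacement visible in the hunk; a MOVEit Transfer process writing an `.aspx` file (the detection keys on `Filesystem.file_path`) is an exploitation-in-progress signal that should page on a single hit, so whichever field takes over must keep it at the top of the scale rather than falling back to a default. The windows_msexchange_management_mailbox_cmdlet_usage test hunk on the same line drops `update_timestamp: true` for a `WinEventLog:MSExchange Management` sample, whose original timestamps are whatever the capture had, so confirm the harness still lands those events inside the search window before trusting a green test. Both `tags` blocks are cut at the hunk edges.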
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml
index cbe89e7960..ba687cea1d 100644
--- a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml
+++ b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml
@@ -74,7 +74,6 @@ tags:
- user
- Image
- TargetFilename
- risk_score: 64
security_domain: endpoint
cve: []
tests:
diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml
index 8a08f701ef..4959f18675 100644
--- a/detections/endpoint/windows_msiexec_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_dllregisterserver.yml
@@ -81,7 +81,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
@@ -90,4 +89,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
index 2e2a73f927..3b80ae5f9b 100644
--- a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
+++ b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
@@ -58,7 +58,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Processes.dest
diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml
index 43d1b173e6..b6b48d504f 100644
--- a/detections/endpoint/windows_msiexec_remote_download.yml
+++ b/detections/endpoint/windows_msiexec_remote_download.yml
@@ -80,7 +80,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
@@ -89,4 +88,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
index e94f334bf6..a68c85b66c 100644
--- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
+++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
@@ -83,7 +83,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
@@ -92,4 +91,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_msiexec_spawn_windbg.yml b/detections/endpoint/windows_msiexec_spawn_windbg.yml
index 45e68c3f07..ff09caefb6 100644
--- a/detections/endpoint/windows_msiexec_spawn_windbg.yml
+++ b/detections/endpoint/windows_msiexec_spawn_windbg.yml
@@ -68,7 +68,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 100
required_fields:
- Processes.dest
- Processes.user
diff --git a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
index f1f5bee19e..edcb14a800 100644
--- a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
@@ -81,7 +81,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
@@ -90,4 +89,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_msiexec_with_network_connections.yml b/detections/endpoint/windows_msiexec_with_network_connections.yml
index 2163fc7787..e1cade6ca1 100644
--- a/detections/endpoint/windows_msiexec_with_network_connections.yml
+++ b/detections/endpoint/windows_msiexec_with_network_connections.yml
@@ -80,7 +80,6 @@ tags:
- All_Traffic.dest
- All_Traffic.dest_port
- All_Traffic.dest_ip
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
@@ -89,4 +88,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml
index ac04567ed7..822158559a 100644
--- a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml
+++ b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml
@@ -54,7 +54,6 @@ tags:
- QueryStatus
- ProcessId
- dest
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
@@ -63,4 +62,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_multiple_account_passwords_changed.yml b/detections/endpoint/windows_multiple_account_passwords_changed.yml
index a699fadee2..7a6642ea93 100644
--- a/detections/endpoint/windows_multiple_account_passwords_changed.yml
+++ b/detections/endpoint/windows_multiple_account_passwords_changed.yml
@@ -58,7 +58,6 @@ tags:
- TargetDomainName
- Logon_ID
- user
- risk_score: 24
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_multiple_accounts_deleted.yml b/detections/endpoint/windows_multiple_accounts_deleted.yml
index 9b49d44623..e1550523f2 100644
--- a/detections/endpoint/windows_multiple_accounts_deleted.yml
+++ b/detections/endpoint/windows_multiple_accounts_deleted.yml
@@ -56,7 +56,6 @@ tags:
- TargetDomainName
- Logon_ID
- user
- risk_score: 18
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_multiple_accounts_disabled.yml b/detections/endpoint/windows_multiple_accounts_disabled.yml
index 38cc7c019c..c2cf63c120 100644
--- a/detections/endpoint/windows_multiple_accounts_disabled.yml
+++ b/detections/endpoint/windows_multiple_accounts_disabled.yml
@@ -57,7 +57,6 @@ tags:
- TargetDomainName
- Logon_ID
- user
- risk_score: 18
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
index 0fc83fc237..69f65e9e43 100644
--- a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
+++ b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
@@ -56,7 +56,6 @@ tags:
- Status
- TargetUserName
- IpAddress
- risk_score: 49
security_domain: endpoint
tests:
- attack_data:
diff --git a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml
index a369d3a1f0..2bbf94d985 100644
--- a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml
+++ b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml
@@ -56,7 +56,6 @@ tags:
- Status
- TargetUserName
- IpAddress
- risk_score: 49
security_domain: endpoint
tests:
- attack_data:
diff --git a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml
index 4a0d9fefbf..d0519d1f00 100644
--- a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml
+++ b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml
@@ -54,7 +54,6 @@ tags:
- TargetUserName
- Workstation
- Status
- risk_score: 49
security_domain: endpoint
tests:
- attack_data:
diff --git a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml
index c33eb07a00..0158642e0e 100644
--- a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml
+++ b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml
@@ -53,7 +53,6 @@ tags:
- DomainName
- Security
- WorkstationName
- risk_score: 50
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml
index 2c0916a271..3eb2c6fcb1 100644
--- a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml
+++ b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml
@@ -57,7 +57,6 @@ tags:
- Target_User_Name
- Caller_User_Name
- Computer
- risk_score: 49
security_domain: endpoint
tests:
- attack_data:
diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml
index 1ca6318c8d..8eb8c4159a 100644
--- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml
+++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml
@@ -53,7 +53,6 @@ tags:
- Status
- TargetUserName
- Workstation
- risk_score: 49
security_domain: endpoint
tests:
- attack_data:
diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml
index 596020b269..068e59d9ff 100644
--- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml
+++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml
@@ -57,7 +57,6 @@ tags:
- SubjectUserName
- TargetUserName
- Computer
- risk_score: 49
security_domain: endpoint
tests:
- attack_data:
diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml
index 3b007a7059..ce8802344f 100644
--- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml
+++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml
@@ -58,7 +58,6 @@ tags:
- Status
- TargetUserName
- IpAddress
- risk_score: 49
security_domain: endpoint
tests:
- attack_data:
diff --git a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
index 8084bdfb50..92f76ac6f7 100644
--- a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
+++ b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
@@ -56,7 +56,6 @@ tags:
- TargetUserName
- Computer
- IpAddress
- risk_score: 49
security_domain: endpoint
tests:
- attack_data:
diff --git a/detections/endpoint/windows_network_share_interaction_with_net.yml b/detections/endpoint/windows_network_share_interaction_with_net.yml
index 638661e1ca..dde31c70b2 100644
--- a/detections/endpoint/windows_network_share_interaction_with_net.yml
+++ b/detections/endpoint/windows_network_share_interaction_with_net.yml
@@ -61,7 +61,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 20
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_new_inprocserver32_added.yml b/detections/endpoint/windows_new_inprocserver32_added.yml
index 9d0e9c77fb..e2c1c6494b 100644
--- a/detections/endpoint/windows_new_inprocserver32_added.yml
+++ b/detections/endpoint/windows_new_inprocserver32_added.yml
@@ -54,7 +54,6 @@ tags:
- Registry.dest
- Registry.process_guid
- Registry.user
- risk_score: 2
security_domain: endpoint
cve:
- CVE-2024-21378
diff --git a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
index 8b541cebe7..429cadb814 100644
--- a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 50
security_domain: endpoint
tests:
- name: True Positive Test
@@ -91,4 +90,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_nirsoft_advancedrun.yml b/detections/endpoint/windows_nirsoft_advancedrun.yml
index 46f49b6889..89aa3dedf8 100644
--- a/detections/endpoint/windows_nirsoft_advancedrun.yml
+++ b/detections/endpoint/windows_nirsoft_advancedrun.yml
@@ -85,7 +85,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 60
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_nirsoft_utilities.yml b/detections/endpoint/windows_nirsoft_utilities.yml
index b2c35896a2..0f589a7eab 100644
--- a/detections/endpoint/windows_nirsoft_utilities.yml
+++ b/detections/endpoint/windows_nirsoft_utilities.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
index 75586bd532..8d49de6dbd 100644
--- a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
+++ b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
@@ -49,7 +49,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 100
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
index d4bd14b414..050d2c262b 100644
--- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
+++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
@@ -54,7 +54,6 @@ tags:
- process_id
- EventCode
- dest
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml
index a205a4dda6..0703dcb0d1 100644
--- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml
+++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml
@@ -70,7 +70,6 @@ tags:
- SourceProcessId
- SourceUser
- TargetUser
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_odbcconf_hunting.yml b/detections/endpoint/windows_odbcconf_hunting.yml
index 90d0735436..5a5d30ab07 100644
--- a/detections/endpoint/windows_odbcconf_hunting.yml
+++ b/detections/endpoint/windows_odbcconf_hunting.yml
@@ -80,7 +80,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 6
security_domain: endpoint
tests:
- name: True Positive Test
@@ -89,4 +88,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_odbcconf_load_dll.yml b/detections/endpoint/windows_odbcconf_load_dll.yml
index 6f1ff3d2ce..f13c12b1b8 100644
--- a/detections/endpoint/windows_odbcconf_load_dll.yml
+++ b/detections/endpoint/windows_odbcconf_load_dll.yml
@@ -81,7 +81,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 42
security_domain: endpoint
tests:
- name: True Positive Test
@@ -90,4 +89,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_odbcconf_load_response_file.yml b/detections/endpoint/windows_odbcconf_load_response_file.yml
index bc17b96232..4adcd722f5 100644
--- a/detections/endpoint/windows_odbcconf_load_response_file.yml
+++ b/detections/endpoint/windows_odbcconf_load_response_file.yml
@@ -81,7 +81,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 42
security_domain: endpoint
tests:
- name: True Positive Test
@@ -90,4 +89,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_office_product_spawning_msdt.yml b/detections/endpoint/windows_office_product_spawning_msdt.yml
index c4a46fe00d..b40d173268 100644
--- a/detections/endpoint/windows_office_product_spawning_msdt.yml
+++ b/detections/endpoint/windows_office_product_spawning_msdt.yml
@@ -90,7 +90,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 100
security_domain: endpoint
tests:
- name: True Positive Test
@@ -99,4 +98,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_outlook_webview_registry_modification.yml b/detections/endpoint/windows_outlook_webview_registry_modification.yml
index c60975a5c7..2d9a39add9 100644
--- a/detections/endpoint/windows_outlook_webview_registry_modification.yml
+++ b/detections/endpoint/windows_outlook_webview_registry_modification.yml
@@ -54,7 +54,6 @@ tags:
- Registry.registry_path
- Registry.registry_value_name
- Registry.registry_value_data
- risk_score: 100
security_domain: endpoint
cve: []
tests:
diff --git a/detections/endpoint/windows_papercut_ng_spawn_shell.yml b/detections/endpoint/windows_papercut_ng_spawn_shell.yml
index 0b96f3b03f..6659579c2b 100644
--- a/detections/endpoint/windows_papercut_ng_spawn_shell.yml
+++ b/detections/endpoint/windows_papercut_ng_spawn_shell.yml
@@ -67,7 +67,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 90
required_fields:
- _time
- Processes.dest
diff --git a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
index 145c0623b7..5645c6f629 100644
--- a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
+++ b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 64
required_fields:
- _time
- Processes.dest
diff --git a/detections/endpoint/windows_password_managers_discovery.yml b/detections/endpoint/windows_password_managers_discovery.yml
index a3bdf3b310..246956f6bc 100644
--- a/detections/endpoint/windows_password_managers_discovery.yml
+++ b/detections/endpoint/windows_password_managers_discovery.yml
@@ -75,7 +75,6 @@ tags:
- Processes.parent_process_id
- Processes.parent_process_guid
- Processes.process_guid
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
@@ -84,4 +83,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml
index 67dc39b952..4b4ad4743f 100644
--- a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml
+++ b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml
@@ -58,7 +58,6 @@ tags:
- process_name
- process_path
- process
- risk_score: 49
security_domain: endpoint
cve:
- CVE-2024-21378
diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
index 96e4214e77..da95896abb 100644
--- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
+++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
@@ -69,7 +69,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
@@ -78,4 +77,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
index 78e39062d7..68ebd181a4 100644
--- a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
+++ b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
@@ -70,7 +70,6 @@ tags:
- Registry.registry_value_data
- Registry.action
- Registry.dest
- risk_score: 40
security_domain: endpoint
tests:
- name: True Positive Test
@@ -79,4 +78,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_possible_credential_dumping.yml b/detections/endpoint/windows_possible_credential_dumping.yml
index e3603fa322..63491b75ef 100644
--- a/detections/endpoint/windows_possible_credential_dumping.yml
+++ b/detections/endpoint/windows_possible_credential_dumping.yml
@@ -78,7 +78,6 @@ tags:
- SourceProcessId
- SourceUser
- TargetUser
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_post_exploitation_risk_behavior.yml b/detections/endpoint/windows_post_exploitation_risk_behavior.yml
index 8c5248c6d0..a5a5ae1e30 100644
--- a/detections/endpoint/windows_post_exploitation_risk_behavior.yml
+++ b/detections/endpoint/windows_post_exploitation_risk_behavior.yml
@@ -61,7 +61,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- All_Risk.analyticstories
diff --git a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml
index 156612b04f..9148f10fcf 100644
--- a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml
+++ b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml
@@ -52,7 +52,6 @@ tags:
- ScriptBlockText
- Computer
- EventCode
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
@@ -61,4 +60,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_publish_powershell.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_powershell_cryptography_namespace.yml b/detections/endpoint/windows_powershell_cryptography_namespace.yml
index e3dee7cefc..058040deed 100644
--- a/detections/endpoint/windows_powershell_cryptography_namespace.yml
+++ b/detections/endpoint/windows_powershell_cryptography_namespace.yml
@@ -58,7 +58,6 @@ tags:
- Computer
- UserID
- EventCodes
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
@@ -67,4 +66,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_powershell_disable_http_logging.yml b/detections/endpoint/windows_powershell_disable_http_logging.yml
index 040423703e..15643ba7e6 100644
--- a/detections/endpoint/windows_powershell_disable_http_logging.yml
+++ b/detections/endpoint/windows_powershell_disable_http_logging.yml
@@ -58,7 +58,6 @@ tags:
- ScriptBlockText
- Computer
- EventCode
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
@@ -67,4 +66,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_disable_http_logging_windows-powershell.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_powershell_export_certificate.yml b/detections/endpoint/windows_powershell_export_certificate.yml
index bfe5693087..e477e9c845 100644
--- a/detections/endpoint/windows_powershell_export_certificate.yml
+++ b/detections/endpoint/windows_powershell_export_certificate.yml
@@ -53,7 +53,6 @@ tags:
- ScriptBlockText
- dest
- EventCode
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_powershell_export_pfxcertificate.yml b/detections/endpoint/windows_powershell_export_pfxcertificate.yml
index 0fd15df427..f6a57a8842 100644
--- a/detections/endpoint/windows_powershell_export_pfxcertificate.yml
+++ b/detections/endpoint/windows_powershell_export_pfxcertificate.yml
@@ -52,7 +52,6 @@ tags:
- ScriptBlockText
- dest
- EventCode
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
@@ -61,4 +60,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfxcertificate.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
index 08cd5b08aa..0f607bdd8d 100644
--- a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
+++ b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
@@ -50,7 +50,6 @@ tags:
- ScriptBlockText
- Computer
- EventCode
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
index 6414336358..45c973203d 100644
--- a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
+++ b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
@@ -56,7 +56,6 @@ tags:
- ScriptBlockText
- Computer
- EventCode
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
@@ -65,4 +64,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_windows-powershell.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_powershell_import_applocker_policy.yml b/detections/endpoint/windows_powershell_import_applocker_policy.yml
index bab67f0b21..9510b0ef8b 100644
--- a/detections/endpoint/windows_powershell_import_applocker_policy.yml
+++ b/detections/endpoint/windows_powershell_import_applocker_policy.yml
@@ -58,7 +58,6 @@ tags:
- ScriptBlockText
- Computer
- EventCode
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -67,4 +66,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_powershell_remotesigned_file.yml b/detections/endpoint/windows_powershell_remotesigned_file.yml
index 82ee57dd4a..e50b1c97d2 100644
--- a/detections/endpoint/windows_powershell_remotesigned_file.yml
+++ b/detections/endpoint/windows_powershell_remotesigned_file.yml
@@ -58,7 +58,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 25
required_fields:
- _time
- Processes.dest
diff --git a/detections/endpoint/windows_powershell_scheduletask.yml b/detections/endpoint/windows_powershell_scheduletask.yml
index aefdb37203..9b32948272 100644
--- a/detections/endpoint/windows_powershell_scheduletask.yml
+++ b/detections/endpoint/windows_powershell_scheduletask.yml
@@ -63,7 +63,6 @@ tags: - Computer - EventCode security_domain: endpoint - risk_score: 25 tests: - name: True Positive Test attack_data:
diff --git a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml
index eda87ec83a..48a7d054ed 100644
--- a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml
+++ b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml
@@ -55,7 +55,6 @@ tags: - ScriptBlockText - dest - EventCode - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
@@ -64,4 +63,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/win32_scheduledjob_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_powersploit_gpp_discovery.yml b/detections/endpoint/windows_powersploit_gpp_discovery.yml
index 6fb35c4eaf..cd05f0e81b 100644
--- a/detections/endpoint/windows_powersploit_gpp_discovery.yml
+++ b/detections/endpoint/windows_powersploit_gpp_discovery.yml
@@ -60,7 +60,6 @@ tags: - Opcode - Computer - UserID - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
index 4b9c329ff4..4c75207f43 100644
--- a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
+++ b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
@@ -56,7 +56,6 @@ tags: - ScriptBlockText - Opcode - UserID - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml
index cac12014b8..11e8845b35 100644
--- a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml
+++ b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml
@@ -62,7 +62,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml
index fd8f21bf0a..6ee7c928fb 100644
--- a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml
+++ b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml
@@ -56,7 +56,6 @@ tags: - EventCode - Computer - ScriptBlockText - risk_score: 27 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_powerview_spn_discovery.yml b/detections/endpoint/windows_powerview_spn_discovery.yml
index d4542f0745..ee7e2b8f41 100644
--- a/detections/endpoint/windows_powerview_spn_discovery.yml
+++ b/detections/endpoint/windows_powerview_spn_discovery.yml
@@ -56,7 +56,6 @@ tags: - EventCode - Computer - ScriptBlockText - risk_score: 27 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml
index 8480b2bcdc..a450ea5423 100644
--- a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml
+++ b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml
@@ -61,7 +61,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_private_keys_discovery.yml b/detections/endpoint/windows_private_keys_discovery.yml
index 5ec5ce937b..3ee8bc8e19 100644
--- a/detections/endpoint/windows_private_keys_discovery.yml
+++ b/detections/endpoint/windows_private_keys_discovery.yml
@@ -77,7 +77,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -86,4 +85,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
index 8320268295..32c9b6b0a4 100644
--- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
+++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
@@ -99,7 +99,6 @@ tags: - Processes.process_guid - Processes.process_integrity_level - Processes.process_current_directory - risk_score: 40 security_domain: endpoint tests: - attack_data:
@@ -107,5 +106,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true name: True Positive Test
diff --git a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
index a879e325d8..ec27565591 100644
--- a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
+++ b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
@@ -69,7 +69,6 @@ tags: - parent_process_name - parent_process_guid - IntegrityLevel - risk_score: 80 security_domain: endpoint tests: - attack_data:
@@ -77,5 +76,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true name: True Positive Test
diff --git a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
index 801c75f46e..6fc03daff5 100644
--- a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
+++ b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
@@ -84,7 +84,6 @@ tags: - parent_process_name - parent_process_guid - IntegrityLevel - risk_score: 80 security_domain: endpoint tests: - attack_data:
@@ -92,5 +91,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true name: True Positive Test
diff --git a/detections/endpoint/windows_privileged_group_modification.yml b/detections/endpoint/windows_privileged_group_modification.yml
index 5a848d9651..69c880fc15 100644
--- a/detections/endpoint/windows_privileged_group_modification.yml
+++ b/detections/endpoint/windows_privileged_group_modification.yml
@@ -3,7 +3,7 @@ id: b8cbef2c-2cc3-4550-b0fc-9715b7852df9 version: 2 date: '2024-08-15' author: Brandon Sternfield, Optiv + ClearShark -data_sources: +data_source: - Windows Event Log Security 4727 - Windows Event Log Security 4731 - Windows Event Log Security 4744
@@ -67,7 +67,6 @@ tags: - result - status - _time - risk_score: 80 security_domain: endpoint cve: - CVE-2024-37085
diff --git a/detections/endpoint/windows_process_commandline_discovery.yml b/detections/endpoint/windows_process_commandline_discovery.yml
index 7f43b2812b..68b4cf7aa2 100644
--- a/detections/endpoint/windows_process_commandline_discovery.yml
+++ b/detections/endpoint/windows_process_commandline_discovery.yml
@@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
index d8485edfd8..fa25e0421a 100644
--- a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
+++ b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
@@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml
index 275042523c..bfb7426188 100644
--- a/detections/endpoint/windows_process_injection_into_notepad.yml
+++ b/detections/endpoint/windows_process_injection_into_notepad.yml
@@ -65,7 +65,6 @@ tags: - TargetImage - GrantedAccess - CallTrace - risk_score: 32 security_domain: endpoint tests: - name: True Positive Test
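Review bot: The rename from `data_sources` to `data_source` in windows_privileged_group_modification.yml leaves `version: 2` and `date: '2024-08-15'` two lines above untouched; if the project bumps those on any detection edit, this hunk should too. The plural key presumably never matched the schema the other detections use, so entries such as `Windows Event Log Security 4727` were likely ignored by whatever consumes `data_source` until now; it is worth confirming that the content loader rejects unknown keys, so a misspelt key cannot silently drop a detection's data sources again. The second hunk of this file, further along the same line, only removes `risk_score: 80` and needs nothing.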
@@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml
index 0079c49fc0..1fca315388 100644
--- a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml
+++ b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml
@@ -61,7 +61,6 @@ tags: - TargetProcessId - EventCode - dest - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -70,4 +69,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_process_injection_remote_thread.yml b/detections/endpoint/windows_process_injection_remote_thread.yml
index 8435afb15e..e46a55f1b2 100644
--- a/detections/endpoint/windows_process_injection_remote_thread.yml
+++ b/detections/endpoint/windows_process_injection_remote_thread.yml
@@ -69,7 +69,6 @@ tags: - TargetProcessGuid - SourceProcessGuid - StartAddress - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_process_injection_wermgr_child_process.yml b/detections/endpoint/windows_process_injection_wermgr_child_process.yml
index 05db4a79a4..ade6c7d80d 100644
--- a/detections/endpoint/windows_process_injection_wermgr_child_process.yml
+++ b/detections/endpoint/windows_process_injection_wermgr_child_process.yml
@@ -68,7 +68,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
@@ -77,4 +76,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_process_injection_with_public_source_path.yml b/detections/endpoint/windows_process_injection_with_public_source_path.yml
index 6337781de7..815ecb4ae7 100644
--- a/detections/endpoint/windows_process_injection_with_public_source_path.yml
+++ b/detections/endpoint/windows_process_injection_with_public_source_path.yml
@@ -69,7 +69,6 @@ tags: - TargetProcessGuid - SourceProcessGuid - StartAddress - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
index 82887100fe..af3ff614e3 100644
--- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml
+++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
@@ -69,7 +69,6 @@ tags: - Processes.process_path - Processes.parent_process_id - Processes.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml
index 5b80780b15..75878da94d 100644
--- a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml
+++ b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml
@@ -72,7 +72,6 @@ tags: - user - file_name - file_path - risk_score: 25 security_domain: endpoint cve: [] tests:
diff --git a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
index e0a30efa52..af341fedf9 100644
--- a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
+++ b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
@@ -60,7 +60,6 @@ tags: - Processes.process_path - Processes.parent_process_id - Processes.process_guid - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
index b95a79c2d1..d44fc3c2ef 100644
--- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml
+++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
@@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
@@ -95,5 +94,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog - update_timestamp: true
\ No newline at end of file
+ sourcetype: xmlwineventlog
\ No newline at end of file
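Review bot: The new side of the final hunk in windows_protocol_tunneling_with_plink.yml still carries `\ No newline at end of file` after `sourcetype: xmlwineventlog`; since the hunk already rewrites that last line to drop `update_timestamp: true`, it should terminate it with a newline so the file ends like the other detections in this change, whose `update_timestamp` removals leave the trailing newline intact. The `tests:` stanza this hunk edits begins outside the visible hunk.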
diff --git a/detections/endpoint/windows_proxy_via_netsh.yml b/detections/endpoint/windows_proxy_via_netsh.yml
index f72b9963f7..9fe23b451d 100644
--- a/detections/endpoint/windows_proxy_via_netsh.yml
+++ b/detections/endpoint/windows_proxy_via_netsh.yml
@@ -64,7 +64,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Processes.process
diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml
index 54f12e54e0..bd53881019 100644
--- a/detections/endpoint/windows_proxy_via_registry.yml
+++ b/detections/endpoint/windows_proxy_via_registry.yml
@@ -50,7 +50,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_query_registry_browser_list_application.yml b/detections/endpoint/windows_query_registry_browser_list_application.yml
index 0d91467a1e..2e0f971744 100644
--- a/detections/endpoint/windows_query_registry_browser_list_application.yml
+++ b/detections/endpoint/windows_query_registry_browser_list_application.yml
@@ -55,7 +55,6 @@ tags: - process_id - EventCode - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_query_registry_reg_save.yml b/detections/endpoint/windows_query_registry_reg_save.yml
index 65375b15c8..ccded787c3 100644
--- a/detections/endpoint/windows_query_registry_reg_save.yml
+++ b/detections/endpoint/windows_query_registry_reg_save.yml
@@ -76,7 +76,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -85,4 +84,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_query_registry_uninstall_program_list.yml b/detections/endpoint/windows_query_registry_uninstall_program_list.yml
index b6d63d8d56..1b082fd300 100644
--- a/detections/endpoint/windows_query_registry_uninstall_program_list.yml
+++ b/detections/endpoint/windows_query_registry_uninstall_program_list.yml
@@ -52,7 +52,6 @@ tags: - process_id - EventCode - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
index d9bdfe14fd..9d40cc013f 100644
--- a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
+++ b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
@@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
index 745a615e16..ee8fb929a3 100644
--- a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
@@ -59,7 +59,6 @@ tags: - TargetUserName - Computer - IpAddress - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_rasautou_dll_execution.yml b/detections/endpoint/windows_rasautou_dll_execution.yml
index 2559fa1a50..0e217b46de 100644
--- a/detections/endpoint/windows_rasautou_dll_execution.yml
+++ b/detections/endpoint/windows_rasautou_dll_execution.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
index 7f86e6ccc8..1a0d27c815 100644
--- a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
+++ b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
@@ -64,7 +64,6 @@ tags: - Device - EventCode - Image - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
index 11751c9edc..baf20aa462 100644
--- a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
+++ b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
@@ -65,7 +65,6 @@ tags: - ProcessId - EventDescription - EventCode - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_rdp_connection_successful.yml b/detections/endpoint/windows_rdp_connection_successful.yml
index 8733534473..da3114f7c9 100644
--- a/detections/endpoint/windows_rdp_connection_successful.yml
+++ b/detections/endpoint/windows_rdp_connection_successful.yml
@@ -51,7 +51,6 @@ tags: - Source_Network_Address - User - Message - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml
index 546d7f54b7..49b42552a3 100644
--- a/detections/endpoint/windows_registry_bootexecute_modification.yml
+++ b/detections/endpoint/windows_registry_bootexecute_modification.yml
@@ -51,7 +51,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - Registry.dest
diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml
index 1166aab216..08012025e0 100644
--- a/detections/endpoint/windows_registry_certificate_added.yml
+++ b/detections/endpoint/windows_registry_certificate_added.yml
@@ -59,7 +59,6 @@ tags: - Registry.registry_key_name - Registry.registry_value_name - Registry.dest - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml
index 2b76652237..21b1ac6c60 100644
--- a/detections/endpoint/windows_registry_delete_task_sd.yml
+++ b/detections/endpoint/windows_registry_delete_task_sd.yml
@@ -67,7 +67,6 @@ tags: - Processes.process - Processes.dest - Processes.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
index 8f49937bed..677758dbed 100644
--- a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
+++ b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
@@ -63,7 +63,6 @@ tags: - Registry.registry_key_name - Registry.registry_value_name - Registry.dest - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_registry_payload_injection.yml b/detections/endpoint/windows_registry_payload_injection.yml
index 7268cbf11f..b152411ac6 100644
--- a/detections/endpoint/windows_registry_payload_injection.yml
+++ b/detections/endpoint/windows_registry_payload_injection.yml
@@ -90,7 +90,6 @@ tags: - registry_value_name - registry_value_data - registry_key_name - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_registry_sip_provider_modification.yml b/detections/endpoint/windows_registry_sip_provider_modification.yml
index e32c501a70..1443f67561 100644
--- a/detections/endpoint/windows_registry_sip_provider_modification.yml
+++ b/detections/endpoint/windows_registry_sip_provider_modification.yml
@@ -57,7 +57,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - Registry.dest - Registry.user
diff --git a/detections/endpoint/windows_regsvr32_renamed_binary.yml b/detections/endpoint/windows_regsvr32_renamed_binary.yml
index 756589cc02..9c6dc071e7 100644
--- a/detections/endpoint/windows_regsvr32_renamed_binary.yml
+++ b/detections/endpoint/windows_regsvr32_renamed_binary.yml
@@ -66,7 +66,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -75,4 +74,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_3/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
index 8a7d263fbc..2def4fb1a3 100644
--- a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
+++ b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
@@ -66,7 +66,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -75,4 +74,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_access_software_hunt.yml b/detections/endpoint/windows_remote_access_software_hunt.yml
index 6e947b4a52..e088f08e00 100644
--- a/detections/endpoint/windows_remote_access_software_hunt.yml
+++ b/detections/endpoint/windows_remote_access_software_hunt.yml
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test
@@ -84,4 +83,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_access_software_rms_registry.yml b/detections/endpoint/windows_remote_access_software_rms_registry.yml
index e883290d69..44a7a4f9e2 100644
--- a/detections/endpoint/windows_remote_access_software_rms_registry.yml
+++ b/detections/endpoint/windows_remote_access_software_rms_registry.yml
@@ -56,7 +56,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_assistance_spawning_process.yml b/detections/endpoint/windows_remote_assistance_spawning_process.yml
index 7a0a45264a..31ebe81851 100644
--- a/detections/endpoint/windows_remote_assistance_spawning_process.yml
+++ b/detections/endpoint/windows_remote_assistance_spawning_process.yml
@@ -77,7 +77,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml
index 7df5ea8be0..1216431b12 100644
--- a/detections/endpoint/windows_remote_create_service.yml
+++ b/detections/endpoint/windows_remote_create_service.yml
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -91,4 +90,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
index 9102087879..c01dd9cf17 100644
--- a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
+++ b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
@@ -69,7 +69,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
index 6bda4a9dc6..85295ccb48 100644
--- a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
+++ b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
@@ -68,7 +68,6 @@ tags: - Processes.parent_process_id - Processes.dest - Processes.user - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -77,4 +76,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
index 390f815024..4fa16934ce 100644
--- a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
+++ b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
@@ -58,7 +58,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_services_rdp_enable.yml b/detections/endpoint/windows_remote_services_rdp_enable.yml
index 4d62b4d31a..084cb45aa1 100644
--- a/detections/endpoint/windows_remote_services_rdp_enable.yml
+++ b/detections/endpoint/windows_remote_services_rdp_enable.yml
@@ -57,7 +57,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -66,4 +65,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml
index a22f38ca07..e0f08d805f 100644
--- a/detections/endpoint/windows_replication_through_removable_media.yml
+++ b/detections/endpoint/windows_replication_through_removable_media.yml
@@ -66,7 +66,6 @@ tags: - Filesystem.process_id - Filesystem.file_name - Filesystem.user - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -75,4 +74,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
index c1fd6ba784..9fd3f3cb29 100644
--- a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
+++ b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
@@ -54,7 +54,6 @@ tags: - ScriptBlockText - Computer - user_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
index ec22b31589..36e64c1694 100644
--- a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
+++ b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
@@ -69,7 +69,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_rundll32_webdav_request.yml b/detections/endpoint/windows_rundll32_webdav_request.yml
index 691cb191fa..98d7b5bb3e 100644
--- a/detections/endpoint/windows_rundll32_webdav_request.yml
+++ b/detections/endpoint/windows_rundll32_webdav_request.yml
@@ -85,7 +85,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 48
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
index 31c97f1ff0..e0055fd289 100644
--- a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
+++ b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
@@ -91,7 +91,6 @@ tags:
 - All_Traffic.dest_port
 - All_Traffic.dest_ip
 - All_Traffic.dest
- risk_score: 48
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
index 2b0f5602f7..bc0892065b 100644
--- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml
+++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
@@ -45,8 +45,6 @@ tags:
 - MoonPeak
 asset_type: Endpoint
 confidence: 70
- dataset:
- - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log
 impact: 70
 message: A scheduled task process, $process_name$, with 'create' or 'delete' commands present in the command line.
@@ -77,7 +75,6 @@ tags:
 - Processes.user
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -86,4 +83,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
index 613baa3846..955a7fde3c 100644
--- a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
+++ b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
@@ -79,7 +79,6 @@ tags:
 - Processes.process_id
 - Processes.parent_process_id
 - Processes.parent_process_name
- risk_score: 20
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
index 422b8186f5..0127d15d32 100644
--- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
+++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
@@ -73,7 +73,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -82,4 +81,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml
index 77058c44f2..de43bcef3f 100644
--- a/detections/endpoint/windows_schtasks_create_run_as_system.yml
+++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml
@@ -78,7 +78,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 48
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml
index 3a7e848183..01a7874543 100644
--- a/detections/endpoint/windows_screen_capture_via_powershell.yml
+++ b/detections/endpoint/windows_screen_capture_via_powershell.yml
@@ -34,8 +34,6 @@ tags:
 context:
 - Source:Endpoint
 - Stage:Collection
- dataset:
- - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log
 impact: 70
 message: A PowerShell script was identified possibly performing screen captures on $Computer$.
@@ -56,7 +54,6 @@ tags:
 - Computer
 - UserID
 - EventCode
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -65,4 +62,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log
 source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_security_account_manager_stopped.yml b/detections/endpoint/windows_security_account_manager_stopped.yml
index ea67e8ab1a..90756d5d9a 100644
--- a/detections/endpoint/windows_security_account_manager_stopped.yml
+++ b/detections/endpoint/windows_security_account_manager_stopped.yml
@@ -64,7 +64,6 @@ tags:
 - Processes.process
 - Processes.dest
 - Processes.user
- risk_score: 70
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml
index a411a590b5..aba8b0fb1e 100644
--- a/detections/endpoint/windows_security_support_provider_reg_query.yml
+++ b/detections/endpoint/windows_security_support_provider_reg_query.yml
@@ -76,7 +76,6 @@ tags:
 - Processes.parent_process_id
 - Processes.parent_process_guid
 - Processes.process_guid
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -85,4 +84,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
index b5170471e8..4b149d0410 100644
--- a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
+++ b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
@@ -84,7 +84,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -93,4 +92,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml
index 707c7296c2..69bc4923a6 100644
--- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml
+++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml
@@ -73,7 +73,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 48
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -82,4 +81,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sc_kernel.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_service_create_remcomsvc.yml b/detections/endpoint/windows_service_create_remcomsvc.yml
index 0d71be6da5..184e18358d 100644
--- a/detections/endpoint/windows_service_create_remcomsvc.yml
+++ b/detections/endpoint/windows_service_create_remcomsvc.yml
@@ -52,7 +52,6 @@ tags:
 - ImagePath
 - ServiceName
 - ServiceType
- risk_score: 32
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -61,4 +60,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remcom_windows-system.log
 source: XmlWinEventLog:System
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_service_create_sliverc2.yml b/detections/endpoint/windows_service_create_sliverc2.yml
index f328e79128..fdd06e5b92 100644
--- a/detections/endpoint/windows_service_create_sliverc2.yml
+++ b/detections/endpoint/windows_service_create_sliverc2.yml
@@ -51,7 +51,6 @@ tags:
 - ServiceName
 - ImagePath
 - ServiceType
- risk_score: 90
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_service_create_with_tscon.yml b/detections/endpoint/windows_service_create_with_tscon.yml
index 8e9da84759..7894a4d9db 100644
--- a/detections/endpoint/windows_service_create_with_tscon.yml
+++ b/detections/endpoint/windows_service_create_with_tscon.yml
@@ -92,7 +92,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
index b3f638846a..a2b8103e07 100644
--- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
+++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
@@ -67,7 +67,6 @@ tags:
 - Service_Name
 - Service_Start_Type
 - dest
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_service_created_within_public_path.yml b/detections/endpoint/windows_service_created_within_public_path.yml
index f9922d09b1..3b71a259d3 100644
--- a/detections/endpoint/windows_service_created_within_public_path.yml
+++ b/detections/endpoint/windows_service_created_within_public_path.yml
@@ -59,7 +59,6 @@ tags:
 - _time
 - Service_Name
 - Service_Start_Type
- risk_score: 54
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
index 7b95893fb1..9b31b95216 100644
--- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
+++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 54
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
index 3815ab0278..d6708f12ac 100644
--- a/detections/endpoint/windows_service_creation_using_registry_entry.yml
+++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -62,7 +62,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml
index c7b30db767..cc848fb0b1 100644
--- a/detections/endpoint/windows_service_deletion_in_registry.yml
+++ b/detections/endpoint/windows_service_deletion_in_registry.yml
@@ -65,7 +65,6 @@ tags:
 - Processes.parent_process_name
 - Processes.parent_process
 - Processes.process_guid
- risk_score: 18
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -74,4 +73,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/service_deletion/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
index 4eb50b66c0..c4f0ac78d6 100644
--- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
@@ -69,7 +69,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 54
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_service_stop_by_deletion.yml b/detections/endpoint/windows_service_stop_by_deletion.yml
index e03a0339d1..2d97d4dbe3 100644
--- a/detections/endpoint/windows_service_stop_by_deletion.yml
+++ b/detections/endpoint/windows_service_stop_by_deletion.yml
@@ -69,7 +69,6 @@ tags:
 - Processes.parent_process_id
 - Processes.dest
 - Processes.user
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -78,4 +77,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml
index 8bee80e860..a9ee2a4285 100644
--- a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml
+++ b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml
@@ -68,7 +68,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -77,4 +76,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_service_stop_win_updates.yml b/detections/endpoint/windows_service_stop_win_updates.yml
index e8ec84f55b..c16943e3ef 100644
--- a/detections/endpoint/windows_service_stop_win_updates.yml
+++ b/detections/endpoint/windows_service_stop_win_updates.yml
@@ -58,7 +58,6 @@ tags:
 - param2
 - param3
 - param4
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_sip_provider_inventory.yml b/detections/endpoint/windows_sip_provider_inventory.yml
index 95fd394161..82975d46e9 100644
--- a/detections/endpoint/windows_sip_provider_inventory.yml
+++ b/detections/endpoint/windows_sip_provider_inventory.yml
@@ -43,7 +43,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 25
 required_fields:
 - Path
 - Dll
diff --git a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
index 274d7a84c2..d54a1dc164 100644
--- a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
+++ b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
@@ -49,7 +49,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 64
 required_fields:
 - _time
 - Computer
diff --git a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml
index 554d342ca8..fdaf508aed 100644
--- a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml
+++ b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml
@@ -50,7 +50,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 25
 required_fields:
 - _time
 - Filesystem.file_create_time
diff --git a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml
index 346e20826c..ddf753e35b 100644
--- a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml
+++ b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml
@@ -49,7 +49,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 56
 required_fields:
 - _time
 - Filesystem.file_create_time
diff --git a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
index 0b1a4bd6af..62ae4062bd 100644
--- a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
+++ b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
@@ -52,7 +52,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 25
 required_fields:
 - _time
 - Registry.dest
diff --git a/detections/endpoint/windows_snake_malware_service_create.yml b/detections/endpoint/windows_snake_malware_service_create.yml
index a256f60b75..93f2387e66 100644
--- a/detections/endpoint/windows_snake_malware_service_create.yml
+++ b/detections/endpoint/windows_snake_malware_service_create.yml
@@ -47,7 +47,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 72
 required_fields:
 - EventCode
 - Service_File_Name
diff --git a/detections/endpoint/windows_soaphound_binary_execution.yml b/detections/endpoint/windows_soaphound_binary_execution.yml
index ab9a4a5e1d..ac4066717d 100644
--- a/detections/endpoint/windows_soaphound_binary_execution.yml
+++ b/detections/endpoint/windows_soaphound_binary_execution.yml
@@ -69,7 +69,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 80
 required_fields:
 - Processes.process
 - Processes.dest
diff --git a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml
index ce4cd751bd..26160f8863 100644
--- a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml
+++ b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml
@@ -57,7 +57,6 @@ tags:
 - QueryResults
 - QueryStatus
 - dest
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -66,4 +65,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
index 049d921724..e7bd20fd2f 100644
--- a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
+++ b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
@@ -74,7 +74,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 81
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -83,4 +82,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
index ebdfcb4170..abd4f8bb9b 100644
--- a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
@@ -58,7 +58,6 @@ tags:
 - Caller_User_Name
 - Computer
 - PrivilegeList
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_sql_spawning_certutil.yml b/detections/endpoint/windows_sql_spawning_certutil.yml
index 6af4dd15b9..04edc93abc 100644
--- a/detections/endpoint/windows_sql_spawning_certutil.yml
+++ b/detections/endpoint/windows_sql_spawning_certutil.yml
@@ -66,7 +66,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 90
 required_fields:
 - Processes.dest
 - Processes.user
diff --git a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
index e2e505f872..678bf23fd6 100644
--- a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
+++ b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
@@ -67,7 +67,6 @@ tags:
 - user
 - Computer
 - EventCode
- risk_score: 64
 security_domain: endpoint
 cve: []
 tests:
diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
index be6c246e52..27c86c6c70 100644
--- a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
@@ -79,7 +79,6 @@ tags:
 - EventCode
 - Requester
 - RequestId
- risk_score: 60
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -88,4 +87,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log
 source: XmlWinEventLog:Security
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
index dd46987277..9cd6a2d0d5 100644
--- a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
@@ -103,7 +103,6 @@ tags:
 - TargetUserName
 - Computer
 - IpAddress
- risk_score: 90
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -112,4 +111,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log
 source: XmlWinEventLog:Security
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
index 73de2f92b3..e5f0a29457 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
@@ -50,7 +50,6 @@ tags:
 - Requester
 - action
 - Attributes
- risk_score: 8
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -59,4 +58,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log
 source: XmlWinEventLog:Security
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
index 5b5fac3a21..cb00e0ac4b 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
@@ -50,7 +50,6 @@ tags:
 - Requester
 - action
 - Attributes
- risk_score: 8
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -59,4 +58,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log
 source: XmlWinEventLog:Security
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
index 118687ddf0..babd1c3add 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
@@ -81,7 +81,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -90,4 +89,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
index ebeefc9216..641c4fdfd9 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
@@ -48,7 +48,6 @@ tags:
 - _time
 - Computer
 - UserData_Xml
- risk_score: 24
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -57,4 +56,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/capi2-operational.log
 source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
index 4af79337fa..76326bdfa0 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
@@ -51,7 +51,6 @@ tags:
 - action
 - Caller_Domain
 - Caller_User_Name
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -60,4 +59,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log
 source: XmlWinEventLog:Security
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
index 1a1658cfd7..fa0ee1b9a0 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
@@ -81,7 +81,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 36
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -90,4 +89,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
index cde812b2ba..9b9c2c98c1 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
@@ -81,7 +81,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 36
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -90,4 +89,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml
index c757ae6f36..b80ffafc51 100644
--- a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml
+++ b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml
@@ -71,7 +71,6 @@ tags:
 - Processes.parent_process_id
 - Processes.parent_process_guid
 - Processes.process_guid
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -80,4 +79,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
index 3529b53f4f..a417837dad 100644
--- a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
+++ b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
@@ -79,7 +79,6 @@ tags:
 - All_Traffic.dest
 - All_Traffic.dest_ip
 - All_Traffic.dest_port
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -88,4 +87,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
index 88756ad625..4e8eaff6fc 100644
--- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
+++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
@@ -79,7 +79,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 90
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -88,4 +87,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
index b121af2adf..1c48eb3d3a 100644
--- a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
+++ b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
@@ -69,7 +69,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 1
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -78,4 +77,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_discovery_using_qwinsta.yml b/detections/endpoint/windows_system_discovery_using_qwinsta.yml
index cad6db4e70..ef1193b25a 100644
--- a/detections/endpoint/windows_system_discovery_using_qwinsta.yml
+++ b/detections/endpoint/windows_system_discovery_using_qwinsta.yml
@@ -69,7 +69,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -78,4 +77,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_file_on_disk.yml b/detections/endpoint/windows_system_file_on_disk.yml
index 0b7236e303..3e82f7cca9 100644
--- a/detections/endpoint/windows_system_file_on_disk.yml
+++ b/detections/endpoint/windows_system_file_on_disk.yml
@@ -58,7 +58,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 10
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -67,4 +66,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml
index 47df27c902..0055a8a82b 100644
--- a/detections/endpoint/windows_system_logoff_commandline.yml
+++ b/detections/endpoint/windows_system_logoff_commandline.yml
@@ -71,7 +71,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -80,4 +79,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
index 819e644fb7..b8b67bbc00 100644
--- a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
+++ b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
index 30bb8b9341..68449a0b7c 100644
--- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
+++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
@@ -73,7 +73,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml
index cfe7e66b64..4d4aad5d7a 100644
--- a/detections/endpoint/windows_system_reboot_commandline.yml
+++ b/detections/endpoint/windows_system_reboot_commandline.yml
@@ -73,7 +73,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
index 7e48bc0de1..86301320b8 100644
--- a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
+++ b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
@@ -84,7 +84,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
@@ -93,4 +92,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml
index b864d2a59b..fb6966628c 100644
--- a/detections/endpoint/windows_system_shutdown_commandline.yml
+++ b/detections/endpoint/windows_system_shutdown_commandline.yml
@@ -73,7 +73,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/shutdown_commandline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
index 8112d779b7..223c96973b 100644
--- a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
+++ b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
@@ -71,7 +71,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
@@ -80,4 +79,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_delay_execution/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_system_user_discovery_via_quser.yml b/detections/endpoint/windows_system_user_discovery_via_quser.yml
index 6615b6fd5c..86e11b1b32 100644
--- a/detections/endpoint/windows_system_user_discovery_via_quser.yml
+++ b/detections/endpoint/windows_system_user_discovery_via_quser.yml
@@ -73,7 +73,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_system_user_privilege_discovery.yml b/detections/endpoint/windows_system_user_privilege_discovery.yml
index 7133161692..3cecc237cc 100644
--- a/detections/endpoint/windows_system_user_privilege_discovery.yml
+++ b/detections/endpoint/windows_system_user_privilege_discovery.yml
@@ -55,7 +55,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_terminating_lsass_process.yml b/detections/endpoint/windows_terminating_lsass_process.yml
index 665870bc25..38b1fc4f7c 100644
--- a/detections/endpoint/windows_terminating_lsass_process.yml
+++ b/detections/endpoint/windows_terminating_lsass_process.yml
@@ -63,7 +63,6 @@ tags: - SourceImage - SourceProcessId - GrantedAccess - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml
index 652ad00ac9..008485c922 100644
--- a/detections/endpoint/windows_time_based_evasion.yml
+++ b/detections/endpoint/windows_time_based_evasion.yml
@@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
index 824ee4ec3e..69cf41ff9a 100644
--- a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
+++ b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
@@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
index 043391f020..99a8e016fa 100644
--- a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
+++ b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
@@ -75,7 +75,6 @@ tags: - Processes.process_path - Processes.process_integrity_level - Processes.process_current_directory - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test
@@ -84,4 +83,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
index e52844bd6f..24f5582e0b 100644
--- a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
+++ b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
@@ -95,7 +95,6 @@ tags: - Processes.process_path - Processes.process_integrity_level - Processes.process_current_directory - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -104,4 +103,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml
index c482f4cee1..bddbf5568b 100644
--- a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml
+++ b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml
@@ -47,7 +47,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - object_file_name
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml
index 0217eacff5..2116748bb1 100644
--- a/detections/endpoint/windows_unsigned_dll_side_loading.yml
+++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml
@@ -47,7 +47,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Image
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
index 1265f51ed7..1e58e86183 100644
--- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
+++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
@@ -46,7 +46,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Image
diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
index 3145bf094b..04fa0d6a6c 100644
--- a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
+++ b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
@@ -72,7 +72,6 @@ tags: - user - Computer - EventCode - risk_score: 9 security_domain: endpoint cve: [] tests:
diff --git a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
index c35ac5aff3..05c0ad54bd 100644
--- a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
+++ b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
@@ -59,7 +59,6 @@ tags: - Status - TargetUserName - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml
index 73c8ec95b0..cb649a3dcf 100644
--- a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml
+++ b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml
@@ -59,7 +59,6 @@ tags: - Status - TargetUserName - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
index 7a5203e123..5219c921e3 100644
--- a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
+++ b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
@@ -61,7 +61,6 @@ tags: - TargetUserName - Workstation - Status - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
index 458d7d8f5f..b1d112342c 100644
--- a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
@@ -62,7 +62,6 @@ tags: - Target_User_Name - Caller_User_Name - Computer - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
index 32184389f6..25129b6542 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
@@ -60,7 +60,6 @@ tags: - Status - TargetUserName - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
index b9a9ff7198..bb4d9277e2 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
@@ -64,7 +64,6 @@ tags: - SubjectUserName - TargetUserName - Computer - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
index 48afd2bdfe..a65c4ea2c6 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
@@ -57,7 +57,6 @@ tags: - Status - TargetUserName - Workstation - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
index 8c07be7abd..387f9141de 100644
--- a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
@@ -58,7 +58,6 @@ tags: - TargetUserName - Computer - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
index d4fae926ee..52471f9949 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
@@ -53,7 +53,6 @@ tags: - DomainName - Security - WorkstationName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
index c2042d89bc..08462eed62 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
@@ -53,7 +53,6 @@ tags: - DomainName - Security - WorkstationName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
index 089daddfbc..cada877503 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
@@ -53,7 +53,6 @@ tags: - DomainName - Security - WorkstationName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
index 9bc1940f8c..70d3781ff6 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
@@ -53,7 +53,6 @@ tags: - DomainName - Security - WorkstationName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
index 819ed666d4..db950808e6 100644
--- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
+++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
@@ -62,7 +62,6 @@ tags: - Filesystem.file_path - Filesystem.process_guid - Filesystem.dest - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -71,4 +70,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_valid_account_with_never_expires_password.yml b/detections/endpoint/windows_valid_account_with_never_expires_password.yml
index bbd1bc14bf..37798d710c 100644
--- a/detections/endpoint/windows_valid_account_with_never_expires_password.yml
+++ b/detections/endpoint/windows_valid_account_with_never_expires_password.yml
@@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
@@ -79,4 +78,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_vulnerable_3cx_software.yml b/detections/endpoint/windows_vulnerable_3cx_software.yml
index 7baa6e71e6..387986ebaa 100644
--- a/detections/endpoint/windows_vulnerable_3cx_software.yml
+++ b/detections/endpoint/windows_vulnerable_3cx_software.yml
@@ -65,7 +65,6 @@ tags: - CommandLine - dest - parent_process_name - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml
index 9d314d0e0e..c8606ab87d 100644
--- a/detections/endpoint/windows_vulnerable_driver_installed.yml
+++ b/detections/endpoint/windows_vulnerable_driver_installed.yml
@@ -46,7 +46,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 required_fields: - ServiceType - driver_name
@@ -56,5 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-system.log source: XmlWinEventLog:System - sourcetype: XmlWinEventLog - update_timestamp: true
\ No newline at end of file
+ sourcetype: XmlWinEventLog
\ No newline at end of file
diff --git a/detections/endpoint/windows_vulnerable_driver_loaded.yml b/detections/endpoint/windows_vulnerable_driver_loaded.yml
index c85fdcc548..c65d21d923 100644
--- a/detections/endpoint/windows_vulnerable_driver_loaded.yml
+++ b/detections/endpoint/windows_vulnerable_driver_loaded.yml
@@ -65,7 +65,6 @@ tags: - _time - dest - ImageLoaded - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
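Review bot: In the `@@ -56,5 +55,4 @@` hunk of windows_vulnerable_driver_installed.yml the re-added `sourcetype: XmlWinEventLog` line is still followed by `\ No newline at end of file`, so the file keeps its missing final newline even though that line is rewritten here; ending the file with a single newline would make it consistent with the rest of the detection set and keep future diffs of this line clean. The same hunk also uses the spelling `XmlWinEventLog` for the sourcetype while the neighbouring windows_vulnerable_driver_loaded.yml hunk uses `xmlwineventlog`; whether the test harness treats those as the same sourcetype is not visible from the diff, so it is worth confirming rather than assuming.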
@@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_windbg_spawning_autoit3.yml b/detections/endpoint/windows_windbg_spawning_autoit3.yml
index 6221e937a6..6bba613d02 100644
--- a/detections/endpoint/windows_windbg_spawning_autoit3.yml
+++ b/detections/endpoint/windows_windbg_spawning_autoit3.yml
@@ -70,7 +70,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - Processes.dest - Processes.user
diff --git a/detections/endpoint/windows_winlogon_with_public_network_connection.yml b/detections/endpoint/windows_winlogon_with_public_network_connection.yml
index 2f9a4cf7c8..f1f66edb2b 100644
--- a/detections/endpoint/windows_winlogon_with_public_network_connection.yml
+++ b/detections/endpoint/windows_winlogon_with_public_network_connection.yml
@@ -58,7 +58,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 required_fields: - dest - parent_process_name
diff --git a/detections/endpoint/windows_wmi_impersonate_token.yml b/detections/endpoint/windows_wmi_impersonate_token.yml
index f6cb1a1bf1..169fb10ab1 100644
--- a/detections/endpoint/windows_wmi_impersonate_token.yml
+++ b/detections/endpoint/windows_wmi_impersonate_token.yml
@@ -60,7 +60,6 @@ tags: - GrantedAccess - CallTrace - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_wmi_process_and_service_list.yml b/detections/endpoint/windows_wmi_process_and_service_list.yml
index 66318b4a45..55bf94ff0b 100644
--- a/detections/endpoint/windows_wmi_process_and_service_list.yml
+++ b/detections/endpoint/windows_wmi_process_and_service_list.yml
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 4 security_domain: endpoint tests: - name: True Positive Test
@@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_wmi_process_call_create.yml b/detections/endpoint/windows_wmi_process_call_create.yml
index 4b25361044..6adb5f8f1f 100644
--- a/detections/endpoint/windows_wmi_process_call_create.yml
+++ b/detections/endpoint/windows_wmi_process_call_create.yml
@@ -80,7 +80,6 @@ tags: - Processes.process_path - Processes.parent_process_id - Processes.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
index cf1a395650..d517247458 100644
--- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
+++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
@@ -5,7 +5,6 @@ date: '2024-05-18' author: Michael Haag, Splunk status: production type: TTP -datamodel: [] description: The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks
@@ -63,7 +62,6 @@ tags: - Task_Name - Description - Command - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
index c53101d242..384d9c2176 100644
--- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
+++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
@@ -5,7 +5,6 @@ date: '2024-05-16' author: Michael Haag, Splunk status: production type: TTP -datamodel: [] description: 'The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like Public,
@@ -69,7 +68,6 @@ tags: - Task_Name - Description - Command - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
index a30da724a5..5c3be3a5fc 100644
--- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
+++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
@@ -66,7 +66,6 @@ tags: - EventID - dest - ProcessID - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/winhlp32_spawning_a_process.yml b/detections/endpoint/winhlp32_spawning_a_process.yml
index 88e88f7d07..ef9b735f47 100644
--- a/detections/endpoint/winhlp32_spawning_a_process.yml
+++ b/detections/endpoint/winhlp32_spawning_a_process.yml
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/winrar_spawning_shell_application.yml b/detections/endpoint/winrar_spawning_shell_application.yml
index b697ecd4e7..6ac18fe27a 100644
--- a/detections/endpoint/winrar_spawning_shell_application.yml
+++ b/detections/endpoint/winrar_spawning_shell_application.yml
@@ -77,7 +77,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 70 required_fields: - Processes.dest - Processes.user
diff --git a/detections/endpoint/winrm_spawning_a_process.yml b/detections/endpoint/winrm_spawning_a_process.yml
index f264bee32b..fc16fe1b5e 100644
--- a/detections/endpoint/winrm_spawning_a_process.yml
+++ b/detections/endpoint/winrm_spawning_a_process.yml
@@ -72,5 +72,4 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/winword_spawning_cmd.yml b/detections/endpoint/winword_spawning_cmd.yml
index 1ca542505a..9a31a631bc 100644
--- a/detections/endpoint/winword_spawning_cmd.yml
+++ b/detections/endpoint/winword_spawning_cmd.yml
@@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/winword_spawning_powershell.yml b/detections/endpoint/winword_spawning_powershell.yml
index afb32417bc..1f0a1f819b 100644
--- a/detections/endpoint/winword_spawning_powershell.yml
+++ b/detections/endpoint/winword_spawning_powershell.yml
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/winword_spawning_windows_script_host.yml b/detections/endpoint/winword_spawning_windows_script_host.yml
index 8d3c66a9c2..64f62e82f6 100644
--- a/detections/endpoint/winword_spawning_windows_script_host.yml
+++ b/detections/endpoint/winword_spawning_windows_script_host.yml
@@ -72,7 +72,6 @@ tags: - dest - user - parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wmi_permanent_event_subscription.yml b/detections/endpoint/wmi_permanent_event_subscription.yml
index 66c5755a09..1029e0ca3a 100644
--- a/detections/endpoint/wmi_permanent_event_subscription.yml
+++ b/detections/endpoint/wmi_permanent_event_subscription.yml
@@ -43,5 +43,4 @@ tags: - Message - consumer - ComputerName - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml
index 754d36939a..1b2bc09b0b 100644
--- a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml
+++ b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml
@@ -61,7 +61,6 @@ tags: - Query - Consumer - Filter - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wmi_recon_running_process_or_services.yml b/detections/endpoint/wmi_recon_running_process_or_services.yml
index bd3d1d259a..6e85c0635e 100644
--- a/detections/endpoint/wmi_recon_running_process_or_services.yml
+++ b/detections/endpoint/wmi_recon_running_process_or_services.yml
@@ -62,7 +62,6 @@ tags: - Computer - UserID - EventCode - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wmi_temporary_event_subscription.yml b/detections/endpoint/wmi_temporary_event_subscription.yml
index 5a17650fa8..fb7678b6c2 100644
--- a/detections/endpoint/wmi_temporary_event_subscription.yml
+++ b/detections/endpoint/wmi_temporary_event_subscription.yml
@@ -51,5 +51,4 @@ tags: - EventCode - Message - query - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/wmic_group_discovery.yml b/detections/endpoint/wmic_group_discovery.yml
index 716380a511..d6aad37b3e 100644
--- a/detections/endpoint/wmic_group_discovery.yml
+++ b/detections/endpoint/wmic_group_discovery.yml
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml
index 984b67f296..6aee062f33 100644
--- a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml
+++ b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml
@@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wmic_xsl_execution_via_url.yml b/detections/endpoint/wmic_xsl_execution_via_url.yml
index 67778e2ab7..d69d55e893 100644
--- a/detections/endpoint/wmic_xsl_execution_via_url.yml
+++ b/detections/endpoint/wmic_xsl_execution_via_url.yml
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml
index f8d610725e..76e09d7739 100644
--- a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml
@@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
index d66f48a080..e16d234297 100644
--- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
+++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
@@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml
index 2d595d3285..21b6c960b9 100644
--- a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml
@@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wsreset_uac_bypass.yml b/detections/endpoint/wsreset_uac_bypass.yml
index fc148ac12c..0203431996 100644
--- a/detections/endpoint/wsreset_uac_bypass.yml
+++ b/detections/endpoint/wsreset_uac_bypass.yml
@@ -82,7 +82,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/xmrig_driver_loaded.yml b/detections/endpoint/xmrig_driver_loaded.yml
index e68eb7e1b4..958c636dac 100644
--- a/detections/endpoint/xmrig_driver_loaded.yml
+++ b/detections/endpoint/xmrig_driver_loaded.yml
@@ -53,7 +53,6 @@ tags: - IMPHASH - Signature - Signed - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/xsl_script_execution_with_wmic.yml b/detections/endpoint/xsl_script_execution_with_wmic.yml
index 7a322158db..c38332ef01 100644
--- a/detections/endpoint/xsl_script_execution_with_wmic.yml
+++ b/detections/endpoint/xsl_script_execution_with_wmic.yml
@@ -79,7 +79,6 @@ tags: - Processes.process - Processes.dest - Processes.user - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/network/detect_arp_poisoning.yml b/detections/network/detect_arp_poisoning.yml
index 38f16d21b7..c777b5208c 100644
--- a/detections/network/detect_arp_poisoning.yml
+++ b/detections/network/detect_arp_poisoning.yml
@@ -60,5 +60,4 @@ tags: - src_int_suffix - host - src_interface - risk_score: 25 security_domain: network
diff --git a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml
index 9b33d3d609..795ce57e9c 100644
--- a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml
+++ b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml
@@ -86,5 +86,4 @@ tags: - domain - firstTime - lastTime - risk_score: 63 security_domain: network
diff --git a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml
index 2b626e75f4..28f3953b25 100644
--- a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml
+++ b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml
@@ -78,5 +78,4 @@ tags: - DNS.src - DNS.dest - DNS.answer - risk_score: 45 security_domain: network
diff --git a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml
index 390d41a9a6..e371310f36 100644
--- a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml
+++ b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml
@@ -74,7 +74,6 @@ tags: - DNS.answer - DNS.query - host - risk_score: 56 security_domain: network tests: - name: True Positive Test
diff --git a/detections/network/detect_ipv6_network_infrastructure_threats.yml b/detections/network/detect_ipv6_network_infrastructure_threats.yml
index 3a50bf7804..ca9570246c 100644
--- a/detections/network/detect_ipv6_network_infrastructure_threats.yml
+++ b/detections/network/detect_ipv6_network_infrastructure_threats.yml
@@ -71,5 +71,4 @@ tags: - src_vlan - vendor_explanation - action - risk_score: 25 security_domain: network
diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml
index c4dc8a9563..8b2d892e02 100644
--- a/detections/network/detect_large_outbound_icmp_packets.yml
+++ b/detections/network/detect_large_outbound_icmp_packets.yml
@@ -65,5 +65,4 @@ tags: - All_Traffic.transport - All_Traffic.src_ip - All_Traffic.dest_ip - risk_score: 25 security_domain: network
diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml
index ea8dfaf973..f5147ed679 100644
--- a/detections/network/detect_outbound_ldap_traffic.yml
+++ b/detections/network/detect_outbound_ldap_traffic.yml
@@ -58,7 +58,6 @@ tags: - All_Traffic.dest_ip - All_Traffic.dest_port - All_Traffic.src_ip - risk_score: 56 security_domain: network tests: - name: True Positive Test
diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml
index 67643b492d..ae5f1f504a 100644
--- a/detections/network/detect_outbound_smb_traffic.yml
+++ b/detections/network/detect_outbound_smb_traffic.yml
@@ -69,7 +69,6 @@ tags: - sourcetype - All_Traffic.src_ip - All_Traffic.direction - risk_score: 25 security_domain: network tests: - name: True Positive Test
diff --git a/detections/network/detect_port_security_violation.yml b/detections/network/detect_port_security_violation.yml
index 7899791e48..52528678cc 100644
--- a/detections/network/detect_port_security_violation.yml
+++ b/detections/network/detect_port_security_violation.yml
@@ -63,5 +63,4 @@ tags: - action - host - src_interface - risk_score: 25 security_domain: network
diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml
index a48285b7ee..de94a9d4c3 100644
--- a/detections/network/detect_remote_access_software_usage_dns.yml
+++ b/detections/network/detect_remote_access_software_usage_dns.yml
@@ -60,7 +60,6 @@ tags: - DNS.src - DNS.query - DNS.answer - risk_score: 4 security_domain: endpoint manual_test: This detection uses A&I lookups from Enterprise Security. tests:
diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml
index a5dcf1b690..d6cc81a15c 100644
--- a/detections/network/detect_remote_access_software_usage_traffic.yml
+++ b/detections/network/detect_remote_access_software_usage_traffic.yml
@@ -66,7 +66,6 @@ tags: - All_Traffic.app - All_Traffic.dest_port - user - risk_score: 25 security_domain: network manual_test: This detection uses A&I lookups from Enterprise Security. tests:
diff --git a/detections/network/detect_rogue_dhcp_server.yml b/detections/network/detect_rogue_dhcp_server.yml
index c89cfe41fe..6b3129e3b8 100644
--- a/detections/network/detect_rogue_dhcp_server.yml
+++ b/detections/network/detect_rogue_dhcp_server.yml
@@ -54,5 +54,4 @@ tags: - message_type - src_mac - host - risk_score: 25 security_domain: network
diff --git a/detections/network/detect_snicat_sni_exfiltration.yml b/detections/network/detect_snicat_sni_exfiltration.yml
index 6f67469d31..7499c113c2 100644
--- a/detections/network/detect_snicat_sni_exfiltration.yml
+++ b/detections/network/detect_snicat_sni_exfiltration.yml
@@ -50,5 +50,4 @@ tags: - server_name - src_ip - dest_ip - risk_score: 25 security_domain: network
diff --git a/detections/network/detect_software_download_to_network_device.yml b/detections/network/detect_software_download_to_network_device.yml
index 50d3f0b30c..a02fecff79 100644
--- a/detections/network/detect_software_download_to_network_device.yml
+++ b/detections/network/detect_software_download_to_network_device.yml
@@ -58,5 +58,4 @@ tags: - All_Traffic.src_category - All_Traffic.src - All_Traffic.dest - risk_score: 25 security_domain: network
diff --git a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml
index 093cf15ce4..7358f15cf6 100644
--- a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml
+++ b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml
@@ -89,5 +89,4 @@ tags: - DNS.src - DNS.dest - DNS.answer - risk_score: 45 security_domain: network
diff --git a/detections/network/detect_traffic_mirroring.yml b/detections/network/detect_traffic_mirroring.yml
index 2b83def6ef..70cbf47413 100644
--- a/detections/network/detect_traffic_mirroring.yml
+++ b/detections/network/detect_traffic_mirroring.yml
@@ -55,5 +55,4 @@ tags: - facility - mnemonic - host - risk_score: 25 security_domain: network
diff --git a/detections/network/detect_unauthorized_assets_by_mac_address.yml b/detections/network/detect_unauthorized_assets_by_mac_address.yml
index dd1bed53cc..f66a124ba2 100644
--- a/detections/network/detect_unauthorized_assets_by_mac_address.yml
+++ b/detections/network/detect_unauthorized_assets_by_mac_address.yml
@@ -51,5 +51,4 @@ tags: - All_Sessions.signature - All_Sessions.src_ip - All_Sessions.dest_mac - risk_score: 25 security_domain: network
diff --git a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml
index 2a0c5b23b1..da2425fdf7 100644
--- a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml
+++ b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml
@@ -46,5 +46,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: network
diff --git a/detections/network/detect_windows_dns_sigred_via_zeek.yml b/detections/network/detect_windows_dns_sigred_via_zeek.yml
index 1290d1c7be..a3eb36ae33 100644
--- a/detections/network/detect_windows_dns_sigred_via_zeek.yml
+++ b/detections/network/detect_windows_dns_sigred_via_zeek.yml
@@ -46,5 +46,4 @@ tags: - DNS.flow_id - All_Traffic.bytes_in - All_Traffic.flow_id - risk_score: 25 security_domain: endpoint
diff --git a/detections/network/detect_zerologon_via_zeek.yml b/detections/network/detect_zerologon_via_zeek.yml
index d7885eff30..0c04fb447b 100644
--- a/detections/network/detect_zerologon_via_zeek.yml
+++ b/detections/network/detect_zerologon_via_zeek.yml
@@ -47,5 +47,4 @@ tags: required_fields: - _time - operation - risk_score: 25 security_domain: network
diff --git a/detections/network/dns_query_length_outliers___mltk.yml b/detections/network/dns_query_length_outliers___mltk.yml
index 30677e8872..60707a618b 100644
--- a/detections/network/dns_query_length_outliers___mltk.yml
+++ b/detections/network/dns_query_length_outliers___mltk.yml
@@ -69,5 +69,4 @@ tags: - DNS.dest - DNS.query - DNS.record_type - risk_score: 25 security_domain: network
diff --git a/detections/network/dns_query_length_with_high_standard_deviation.yml b/detections/network/dns_query_length_with_high_standard_deviation.yml
index db3f32e5c8..450e082c48 100644
--- a/detections/network/dns_query_length_with_high_standard_deviation.yml
+++ b/detections/network/dns_query_length_with_high_standard_deviation.yml
@@ -51,7 +51,6 @@ tags: required_fields: - _time - DNS.query - risk_score: 56 security_domain: network tests: - name: True Positive Test
diff --git a/detections/network/excessive_dns_failures.yml b/detections/network/excessive_dns_failures.yml
index 81820f3276..c0f412d2c4 100644
--- a/detections/network/excessive_dns_failures.yml
+++ b/detections/network/excessive_dns_failures.yml
@@ -54,5 +54,4 @@ tags: - DNS.query - DNS.reply_code - DNS.src - risk_score: 25 security_domain: network
diff --git a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml
index 2cb77c3b2f..5fba2b185f 100644
--- a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml
+++ b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml
@@ -60,7 +60,6 @@ tags: - Web.src - Web.dest - Web.http_user_agent - risk_score: 70 security_domain: network tests: - name: True Positive Test
@@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5.log source: pan:threat sourcetype: pan:threat - update_timestamp: true
diff --git a/detections/network/high_volume_of_bytes_out_to_url.yml b/detections/network/high_volume_of_bytes_out_to_url.yml
index 44ca220d6a..f6488bac3a 100644
--- a/detections/network/high_volume_of_bytes_out_to_url.yml
+++ b/detections/network/high_volume_of_bytes_out_to_url.yml
@@ -62,7 +62,6 @@ tags: - Web.src - Web.dest - Web.http_user_agent - risk_score: 9 security_domain: network tests: - name: True Positive Test
diff --git a/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml b/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml
index be65e76829..1b296278f8 100644
--- a/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml
+++ b/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml
@@ -62,5 +62,4 @@ tags: - All_Traffic.bytes_in - All_Traffic.dest_category - All_Traffic.src_ip - risk_score: 25 security_domain: network
diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml
index 3898508f32..ae760f1f12 100644
--- a/detections/network/internal_horizontal_port_scan.yml
+++ b/detections/network/internal_horizontal_port_scan.yml
@@ -48,7 +48,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - All_Traffic.action
@@ -61,5 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log source: aws:cloudwatchlogs:vpcflow - sourcetype: aws:cloudwatchlogs:vpcflow - update_timestamp: true
\ No newline at end of file
+ sourcetype: aws:cloudwatchlogs:vpcflow
\ No newline at end of file
diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml
index d322a38390..e03ad110ab 100644
--- a/detections/network/internal_vertical_port_scan.yml
+++ b/detections/network/internal_vertical_port_scan.yml
@@ -50,7 +50,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - All_Traffic.action
@@ -63,5 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/vertical.log source: aws:cloudwatchlogs:vpcflow - sourcetype: aws:cloudwatchlogs:vpcflow - update_timestamp: trues
\ No newline at end of file
+ sourcetype: aws:cloudwatchlogs:vpcflow
\ No newline at end of file
diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml
index 342cb164d1..14d917f75a 100644
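Review bot: The rewritten last line of internal_horizontal_port_scan.yml (`+ sourcetype: aws:cloudwatchlogs:vpcflow`) is still followed by `\ No newline at end of file`, so the file keeps its missing trailing newline even though this commit already touches that line; the same applies to the matching hunk in internal_vertical_port_scan.yml. Since the line is being rewritten anyway, terminating it with a newline would bring both files in line with the usual YAML convention and stop every future edit to the file end from producing a two-line diff. The enclosing `tests:` block starts outside the hunk.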
--- a/detections/network/internal_vulnerability_scan.yml
+++ b/detections/network/internal_vulnerability_scan.yml
@@ -49,7 +49,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - IDS_Attacks.action
diff --git a/detections/network/large_volume_of_dns_any_queries.yml b/detections/network/large_volume_of_dns_any_queries.yml
index 22007a1cfa..fb927fcdb8 100644
--- a/detections/network/large_volume_of_dns_any_queries.yml
+++ b/detections/network/large_volume_of_dns_any_queries.yml
@@ -47,5 +47,4 @@ tags: - DNS.message_type - DNS.record_type - DNS.dest - risk_score: 25 security_domain: network
diff --git a/detections/network/multiple_archive_files_http_post_traffic.yml b/detections/network/multiple_archive_files_http_post_traffic.yml
index 9120c894ba..7573a3ed8f 100644
--- a/detections/network/multiple_archive_files_http_post_traffic.yml
+++ b/detections/network/multiple_archive_files_http_post_traffic.yml
@@ -60,7 +60,6 @@ tags: - archive_hdr1 - archive_hdr2 - form_data - risk_score: 25 security_domain: network tests: - name: True Positive Test
diff --git a/detections/network/ngrok_reverse_proxy_on_network.yml b/detections/network/ngrok_reverse_proxy_on_network.yml
index d1b33bc26b..4a2c7f3fc0 100644
--- a/detections/network/ngrok_reverse_proxy_on_network.yml
+++ b/detections/network/ngrok_reverse_proxy_on_network.yml
@@ -50,7 +50,6 @@ tags: - DNS.src - DNS.query - DNS.answer - risk_score: 50 security_domain: network tests: - name: True Positive Test
@@ -59,4 +58,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/network/plain_http_post_exfiltrated_data.yml b/detections/network/plain_http_post_exfiltrated_data.yml
index d44da6f3e8..190006f5ed 100644
--- a/detections/network/plain_http_post_exfiltrated_data.yml
+++ b/detections/network/plain_http_post_exfiltrated_data.yml
@@ -55,7 +55,6 @@ tags: - url - bytes_in - bytes_out - risk_score: 63 security_domain: network tests: - name: True Positive Test
diff --git a/detections/network/prohibited_network_traffic_allowed.yml b/detections/network/prohibited_network_traffic_allowed.yml
index 4c1c265a7e..62207b492e 100644
--- a/detections/network/prohibited_network_traffic_allowed.yml
+++ b/detections/network/prohibited_network_traffic_allowed.yml
@@ -57,7 +57,6 @@ tags: - All_Traffic.src_ip - All_Traffic.dest_ip - All_Traffic.dest_port - risk_score: 25 security_domain: network manual_test: This detection uses builtin lookup from Enterprise Security. tests:
diff --git a/detections/network/protocol_or_port_mismatch.yml b/detections/network/protocol_or_port_mismatch.yml
index 7651f15b0c..4aa30cc2dd 100644
--- a/detections/network/protocol_or_port_mismatch.yml
+++ b/detections/network/protocol_or_port_mismatch.yml
@@ -54,5 +54,4 @@ tags: - All_Traffic.dest_port - All_Traffic.src_ip - All_Traffic.dest_ip - risk_score: 25 security_domain: network
diff --git a/detections/network/protocols_passing_authentication_in_cleartext.yml b/detections/network/protocols_passing_authentication_in_cleartext.yml
index b46553a399..2ce2e34862 100644
--- a/detections/network/protocols_passing_authentication_in_cleartext.yml
+++ b/detections/network/protocols_passing_authentication_in_cleartext.yml
@@ -58,5 +58,4 @@ tags: - All_Traffic.src - All_Traffic.dest - All_Traffic.action - risk_score: 25 security_domain: network
diff --git a/detections/network/remote_desktop_network_bruteforce.yml b/detections/network/remote_desktop_network_bruteforce.yml
index 44de7180fa..21bfad9f41 100644
--- a/detections/network/remote_desktop_network_bruteforce.yml
+++ b/detections/network/remote_desktop_network_bruteforce.yml
@@ -51,5 +51,4 @@ tags: - All_Traffic.src - All_Traffic.dest - All_Traffic.dest_port - risk_score: 25 security_domain: network
diff --git a/detections/network/remote_desktop_network_traffic.yml b/detections/network/remote_desktop_network_traffic.yml
index 90269189f7..c6928c5cb0 100644
--- a/detections/network/remote_desktop_network_traffic.yml
+++ b/detections/network/remote_desktop_network_traffic.yml
@@ -65,7 +65,6 @@ tags: - All_Traffic.src - All_Traffic.dest - All_Traffic.dest_port - risk_score: 25 security_domain: network manual_test: This detection uses builtin lookup from Enterprise Security. tests:
diff --git a/detections/network/smb_traffic_spike.yml b/detections/network/smb_traffic_spike.yml
index ab999aa0dc..3c4d54eaab 100644
--- a/detections/network/smb_traffic_spike.yml
+++ b/detections/network/smb_traffic_spike.yml
@@ -48,5 +48,4 @@ tags: - All_Traffic.dest_port - All_Traffic.app - All_Traffic.src - risk_score: 25 security_domain: network
diff --git a/detections/network/smb_traffic_spike___mltk.yml b/detections/network/smb_traffic_spike___mltk.yml
index 5f2317f4e6..31a76e709f 100644
--- a/detections/network/smb_traffic_spike___mltk.yml
+++ b/detections/network/smb_traffic_spike___mltk.yml
@@ -70,5 +70,4 @@ tags: - All_Traffic.dest_port - All_Traffic.app - All_Traffic.src - risk_score: 25 security_domain: network
diff --git a/detections/network/ssl_certificates_with_punycode.yml b/detections/network/ssl_certificates_with_punycode.yml
index 15f10eb50a..ec2158d107 100644
--- a/detections/network/ssl_certificates_with_punycode.yml
+++ b/detections/network/ssl_certificates_with_punycode.yml
@@ -58,5 +58,4 @@ tags: - All_Certificates.SSL.src - All_Certificates.SSL.sourcetype - All_Certificates.SSL.ssl_subject_email_domain - risk_score: 15 security_domain: network
diff --git a/detections/network/tor_traffic.yml b/detections/network/tor_traffic.yml
index 200eddc4f1..70f3e0732b 100644
--- a/detections/network/tor_traffic.yml
+++ b/detections/network/tor_traffic.yml
@@ -59,7 +59,6 @@ tags: - All_Traffic.src_ip - All_Traffic.dest_ip - All_Traffic.dest_port - risk_score: 80 security_domain: network tests: - name: True Positive Test
diff --git a/detections/network/unusually_long_content_type_length.yml b/detections/network/unusually_long_content_type_length.yml
index 2d6ecb1b3c..695ad46ac1 100644
--- a/detections/network/unusually_long_content_type_length.yml
+++ b/detections/network/unusually_long_content_type_length.yml
@@ -46,5 +46,4 @@ tags: - src_ip - dest_ip - url - risk_score: 25 security_domain: network
diff --git a/detections/network/windows_ad_replication_service_traffic.yml b/detections/network/windows_ad_replication_service_traffic.yml
index 4d254d24ea..792922311f 100644
--- a/detections/network/windows_ad_replication_service_traffic.yml
+++ b/detections/network/windows_ad_replication_service_traffic.yml
@@ -56,5 +56,4 @@ tags: - All_Traffic.src - All_Traffic.dest - All_Traffic.app - risk_score: 100 security_domain: network
diff --git a/detections/network/windows_ad_rogue_domain_controller_network_activity.yml b/detections/network/windows_ad_rogue_domain_controller_network_activity.yml
index e4678ee492..70c200e8d8 100644
--- a/detections/network/windows_ad_rogue_domain_controller_network_activity.yml
+++ b/detections/network/windows_ad_rogue_domain_controller_network_activity.yml
@@ -49,5 +49,4 @@ tags: - _time - src - dest - risk_score: 100 security_domain: network
diff --git a/detections/network/zeek_x509_certificate_with_punycode.yml b/detections/network/zeek_x509_certificate_with_punycode.yml
index 5fddaf6167..4701b1c898 100644
--- a/detections/network/zeek_x509_certificate_with_punycode.yml
+++ b/detections/network/zeek_x509_certificate_with_punycode.yml
@@ -55,5 +55,4 @@ tags: - basic_constraints.ca - source - host - risk_score: 15 security_domain: network
diff --git a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml
index 2ee10a8f52..b317bf515b 100644
--- a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml
+++ b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml
@@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 required_fields: - Web.src - Web.dest
diff --git a/detections/web/adobe_coldfusion_access_control_bypass.yml b/detections/web/adobe_coldfusion_access_control_bypass.yml
index 5828ebffb2..bc1b9fe9c0 100644
--- a/detections/web/adobe_coldfusion_access_control_bypass.yml
+++ b/detections/web/adobe_coldfusion_access_control_bypass.yml
@@ -57,7 +57,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 required_fields: - _time - Web.http_method
diff --git a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml
index 76a708daf5..4fba5c1b5d 100644
--- a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml
+++ b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml
@@ -57,7 +57,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 required_fields: - _time - Web.http_method
diff --git a/detections/web/cisco_ios_xe_implant_access.yml b/detections/web/cisco_ios_xe_implant_access.yml
index 790ff1f9fd..d36774e9bb 100644
--- a/detections/web/cisco_ios_xe_implant_access.yml
+++ b/detections/web/cisco_ios_xe_implant_access.yml
@@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 81 required_fields: - _time - Web.http_method
diff --git a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
index 3e08a9a9b5..c299ee6c83 100644
--- a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
+++ b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
@@ -55,7 +55,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 90 required_fields: - Web.http_user_agent - Web.status
diff --git a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml
index a7bdea2439..5823ed0d5f 100644
--- a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml
+++ b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml
@@ -50,7 +50,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 required_fields: - _time - Web.http_method
diff --git a/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml b/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml
index 92cfe69c6f..6da27c8e48 100644
--- a/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml
+++ b/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml
@@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 required_fields: - _time - Web.http_method
diff --git a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
index 00769b851c..41b4151d99 100644
--- a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
+++ b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
@@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 required_fields: - _time - Web.http_method
diff --git a/detections/web/confluence_data_center_and_server_privilege_escalation.yml b/detections/web/confluence_data_center_and_server_privilege_escalation.yml
index 778fd3c8cd..966077321f 100644
--- a/detections/web/confluence_data_center_and_server_privilege_escalation.yml
+++ b/detections/web/confluence_data_center_and_server_privilege_escalation.yml
@@ -57,7 +57,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 required_fields: - _time - Web.http_method
diff --git a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml
index 11fa43ee4b..c783f21372 100644
--- a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml
+++ b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml
@@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 81 required_fields: - Web.src - Web.dest
diff --git a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml
index 99ce8e6a16..f0af0fd912 100644
--- a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml
+++ b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml
@@ -70,7 +70,6 @@ tags: - Web.src - Web.dest - Web.http_user_agent - risk_score: 100 security_domain: network tests: - name: True Positive Test
@@ -79,4 +78,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/confluence.log source: pan:threat sourcetype: pan:threat - update_timestamp: true
diff --git a/detections/web/connectwise_screenconnect_authentication_bypass.yml b/detections/web/connectwise_screenconnect_authentication_bypass.yml
index 53cb0b4819..eec83e0af6 100644
--- a/detections/web/connectwise_screenconnect_authentication_bypass.yml
+++ b/detections/web/connectwise_screenconnect_authentication_bypass.yml
@@ -62,7 +62,6 @@ tags: - Web.url - Web.status - Web.http_method - risk_score: 100 security_domain: network cve: - CVE-2024-1708
diff --git a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml
index fe8f6db42c..0d7c148ce4 100644
--- a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml
+++ b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml
@@ -50,5 +50,4 @@ tags: - Web.url - Web.src - Web.dest - risk_score: 25 security_domain: network
diff --git a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml
index 4c23f542fd..7a60dfc963 100644
--- a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml
+++ b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml
@@ -48,5 +48,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: network
diff --git a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml
index ffa0658783..0fd9c504be 100644
--- a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml
+++ b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml
@@ -49,5 +49,4 @@ tags: - Web.url_length - Web.src - Web.dest - risk_score: 25 security_domain: network
diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml
index 9e20cc85a2..8998a08911 100644
--- a/detections/web/detect_remote_access_software_usage_url.yml
+++ b/detections/web/detect_remote_access_software_usage_url.yml
@@ -73,7 +73,6 @@ tags: - Web.src - Web.category - Web.url_domain - risk_score: 25 security_domain: network manual_test: This detection uses A&I lookups from Enterprise Security. tests: diff --git a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml index 7d640a4274..ea6996e996 100644 --- a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml +++ b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml @@ -85,7 +85,6 @@ tags: - Web.status - Web.uri_query - Web.uri_path - risk_score: 49 security_domain: network tests: - name: True Positive Test diff --git a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml index 4b1bdbf7fc..40a1d4d088 100644 --- a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml +++ b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml @@ -58,7 +58,6 @@ tags: - Web.src - Web.dest - sourcetype - risk_score: 64 security_domain: network tests: - name: True Positive Test @@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/web_fortinetnac.log source: pan:threat sourcetype: pan:threat - update_timestamp: true diff --git a/detections/web/f5_tmui_authentication_bypass.yml b/detections/web/f5_tmui_authentication_bypass.yml index 57992b1fa8..ea5c537f52 100644 --- a/detections/web/f5_tmui_authentication_bypass.yml +++ b/detections/web/f5_tmui_authentication_bypass.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 90 required_fields: - Web.http_user_agent - Web.status diff --git a/detections/web/fortinet_appliance_auth_bypass.yml b/detections/web/fortinet_appliance_auth_bypass.yml index 185ae83c36..baeab397bd 100644 
--- a/detections/web/fortinet_appliance_auth_bypass.yml +++ b/detections/web/fortinet_appliance_auth_bypass.yml @@ -65,7 +65,6 @@ tags: - Web.src - Web.dest - sourcetype - risk_score: 81 security_domain: network tests: - name: True Positive Test @@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/fortinetcve202240684.log source: pan:threat sourcetype: pan:threat - update_timestamp: true diff --git a/detections/web/hunting_for_log4shell.yml b/detections/web/hunting_for_log4shell.yml index fa2b09881d..8dcc74d818 100644 --- a/detections/web/hunting_for_log4shell.yml +++ b/detections/web/hunting_for_log4shell.yml @@ -72,7 +72,6 @@ tags: required_fields: - _time - _raw - risk_score: 40 security_domain: network tests: - name: True Positive Test diff --git a/detections/web/ivanti_connect_secure_command_injection_attempts.yml b/detections/web/ivanti_connect_secure_command_injection_attempts.yml index c65d92aa41..f9a94f4dbb 100644 --- a/detections/web/ivanti_connect_secure_command_injection_attempts.yml +++ b/detections/web/ivanti_connect_secure_command_injection_attempts.yml @@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 90 required_fields: - Web.src - Web.dest diff --git a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml index d47456ac9a..560e392ad0 100644 --- a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml +++ b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml @@ -55,7 +55,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 81 required_fields: - Web.src - Web.dest diff --git a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml index a3724e46c5..ab6eaeb84c 100644 
--- a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml +++ b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 required_fields: - Web.src - Web.dest diff --git a/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml b/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml index a3702b7048..b0c3fd8ea4 100644 --- a/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml +++ b/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml @@ -1,6 +1,4 @@ data_source: [] -mitre_attack_ids: T1190 -security_domain: network name: Ivanti EPM SQL Injection Remote Code Execution id: e20564ca-c86c-4e30-acdb-a8486673426f version: 1 @@ -47,7 +45,6 @@ tags: - Web.src - Web.dest - sourcetype - risk_score: 80 security_domain: network cve: - CVE-2024-29824 diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml index 190dd5dbca..a8bcb00dc9 100644 --- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml +++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - Web.http_method diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml index 83094bd53a..462e99bc43 100644 --- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml +++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml 
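Review bot: The first ivanti_epm_sql_injection_remote_code_execution hunk drops the top-level `mitre_attack_ids: T1190` together with the stray top-level `security_domain: network`; `security_domain` survives under `tags` (second hunk), but no replacement for the ATT&CK mapping is visible in the diff. Unless `tags.mitre_attack_id` in that file already lists T1190, the detection loses its technique annotation, which feeds the mitre fields on the risk notable. Worth confirming in the file before merge rather than inferring it from the other detections.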
@@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - Web.http_method diff --git a/detections/web/ivanti_sentry_authentication_bypass.yml b/detections/web/ivanti_sentry_authentication_bypass.yml index 220df4f5d7..ae6d6f884f 100644 --- a/detections/web/ivanti_sentry_authentication_bypass.yml +++ b/detections/web/ivanti_sentry_authentication_bypass.yml @@ -57,7 +57,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 required_fields: - Web.http_user_agent - Web.status diff --git a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml index 145082ee5c..8981b7800c 100644 --- a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml +++ b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml @@ -57,7 +57,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 81 required_fields: - Web.src - Web.dest diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml index 9548f959e1..b610c2caa4 100644 --- a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml +++ b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml @@ -66,7 +66,6 @@ tags: - Web.http_method - sourcetype - source - risk_score: 81 security_domain: network cve: - CVE-2024-27198 diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml index 132724f73a..4b97dce722 100644 --- a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml +++ b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml 
@@ -62,7 +62,6 @@ tags: - http.url - http.status - http_method - risk_score: 81 security_domain: network cve: - CVE-2024-27198 diff --git a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml index d1ed0622f0..96a5b9c463 100644 --- a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml +++ b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml @@ -67,7 +67,6 @@ tags: - http.url - http.status - http_method - risk_score: 63 security_domain: network cve: - CVE-2024-27199 diff --git a/detections/web/jetbrains_teamcity_rce_attempt.yml b/detections/web/jetbrains_teamcity_rce_attempt.yml index e525d10bca..f8f2d63ed2 100644 --- a/detections/web/jetbrains_teamcity_rce_attempt.yml +++ b/detections/web/jetbrains_teamcity_rce_attempt.yml @@ -57,7 +57,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 81 required_fields: - Web.http_user_agent - Web.status diff --git a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml index 2fc4c95b69..2505c4242d 100644 --- a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml +++ b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml @@ -68,7 +68,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 required_fields: - Web.http_user_agent - Web.status diff --git a/detections/web/log4shell_jndi_payload_injection_attempt.yml b/detections/web/log4shell_jndi_payload_injection_attempt.yml index fa9fb75dbe..df091a72dd 100644 --- a/detections/web/log4shell_jndi_payload_injection_attempt.yml +++ b/detections/web/log4shell_jndi_payload_injection_attempt.yml 
@@ -66,7 +66,6 @@ tags: - url - url_domain - user - risk_score: 15 security_domain: threat tests: - name: True Positive Test diff --git a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml index 765298db54..1200d4477a 100644 --- a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml +++ b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml @@ -67,7 +67,6 @@ tags: - url - url_domain - user - risk_score: 15 security_domain: threat tests: - name: True Positive Test diff --git a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml index fe3ef716bc..baddfa1377 100644 --- a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml +++ b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 required_fields: - _time - Web.http_method diff --git a/detections/web/monitor_web_traffic_for_brand_abuse.yml b/detections/web/monitor_web_traffic_for_brand_abuse.yml index 6f4429a77d..40164ca6b5 100644 --- a/detections/web/monitor_web_traffic_for_brand_abuse.yml +++ b/detections/web/monitor_web_traffic_for_brand_abuse.yml @@ -43,5 +43,4 @@ tags: - _time - Web.url - Web.src - risk_score: 25 security_domain: network diff --git a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml index 3dbacac6c5..ae42c7a616 100644 --- a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml +++ b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml @@ -65,7 +65,6 @@ tags: - http_method - sourcetype - source - risk_score: 100 security_domain: network cve: - CVE-2024-1708 
diff --git a/detections/web/papercut_ng_remote_web_access_attempt.yml b/detections/web/papercut_ng_remote_web_access_attempt.yml index 1fc500207c..4d8b88e1f8 100644 --- a/detections/web/papercut_ng_remote_web_access_attempt.yml +++ b/detections/web/papercut_ng_remote_web_access_attempt.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 63 required_fields: - _time - Web.http_user_agent diff --git a/detections/web/proxyshell_proxynotshell_behavior_detected.yml b/detections/web/proxyshell_proxynotshell_behavior_detected.yml index a7a9c09997..89bf43e00b 100644 --- a/detections/web/proxyshell_proxynotshell_behavior_detected.yml +++ b/detections/web/proxyshell_proxynotshell_behavior_detected.yml @@ -65,7 +65,6 @@ tags: - All_Risk.risk_object - All_Risk.annotations.mitre_attack.mitre_tactic - source - risk_score: 81 security_domain: network tests: - name: True Positive Test @@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell-risk.log source: proxyshell sourcetype: stash - update_timestamp: true diff --git a/detections/web/spring4shell_payload_url_request.yml b/detections/web/spring4shell_payload_url_request.yml index 1355219306..65d4d2689d 100644 --- a/detections/web/spring4shell_payload_url_request.yml +++ b/detections/web/spring4shell_payload_url_request.yml @@ -62,7 +62,6 @@ tags: - Web.src - Web.dest - Web.http_user_agent - risk_score: 36 security_domain: network tests: - name: True Positive Test diff --git a/detections/web/sql_injection_with_long_urls.yml b/detections/web/sql_injection_with_long_urls.yml index 768940b1f0..4f50aa9b9e 100644 --- a/detections/web/sql_injection_with_long_urls.yml +++ b/detections/web/sql_injection_with_long_urls.yml @@ -63,5 +63,4 @@ tags: - Web.dest - Web.url - Web.http_user_agent - risk_score: 25 security_domain: network 
diff --git a/detections/web/supernova_webshell.yml b/detections/web/supernova_webshell.yml index df3acd20f3..30ffd6321c 100644 --- a/detections/web/supernova_webshell.yml +++ b/detections/web/supernova_webshell.yml @@ -52,5 +52,4 @@ tags: - Web.vendor_product - Web.user - Web.http_user_agent - risk_score: 25 security_domain: network diff --git a/detections/web/vmware_aria_operations_exploit_attempt.yml b/detections/web/vmware_aria_operations_exploit_attempt.yml index a873108626..adf4f34ef4 100644 --- a/detections/web/vmware_aria_operations_exploit_attempt.yml +++ b/detections/web/vmware_aria_operations_exploit_attempt.yml @@ -31,7 +31,7 @@ references: - https://github.com/sinsinology/CVE-2023-20887 - https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/ tags: - CVE: + cve: - CVE-2023-20887 analytic_story: - VMware Aria Operations vRealize CVE-2023-20887 @@ -59,7 +59,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 required_fields: - Web.http_method - Web.url diff --git a/detections/web/vmware_server_side_template_injection_hunt.yml b/detections/web/vmware_server_side_template_injection_hunt.yml index 5da68493cf..ab5de261db 100644 --- a/detections/web/vmware_server_side_template_injection_hunt.yml +++ b/detections/web/vmware_server_side_template_injection_hunt.yml @@ -62,7 +62,6 @@ tags: - Web.src - Web.dest - Web.http_user_agent - risk_score: 35 security_domain: network tests: - name: True Positive Test @@ -71,4 +70,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log source: pan:threat sourcetype: pan:threat - update_timestamp: true diff --git a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml index 65d65d4321..60903a229b 100644 
--- a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml +++ b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml @@ -60,7 +60,6 @@ tags: - Web.src - Web.dest - Web.http_user_agent - risk_score: 49 security_domain: network tests: - name: True Positive Test @@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log source: pan:threat sourcetype: pan:threat - update_timestamp: true diff --git a/detections/web/web_jsp_request_via_url.yml b/detections/web/web_jsp_request_via_url.yml index 1fce35b1a7..f7d7fec6e2 100644 --- a/detections/web/web_jsp_request_via_url.yml +++ b/detections/web/web_jsp_request_via_url.yml @@ -63,7 +63,6 @@ tags: - Web.src - Web.dest - Web.http_user_agent - risk_score: 72 security_domain: network tests: - name: True Positive Test diff --git a/detections/web/web_remote_shellservlet_access.yml b/detections/web/web_remote_shellservlet_access.yml index 10353c2884..e8bbcf25e7 100644 --- a/detections/web/web_remote_shellservlet_access.yml +++ b/detections/web/web_remote_shellservlet_access.yml @@ -51,7 +51,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 81 required_fields: - Web.http_user_agent - Web.status diff --git a/detections/web/web_spring4shell_http_request_class_module.yml b/detections/web/web_spring4shell_http_request_class_module.yml index c0b3fb7032..9b24092344 100644 --- a/detections/web/web_spring4shell_http_request_class_module.yml +++ b/detections/web/web_spring4shell_http_request_class_module.yml @@ -62,7 +62,6 @@ tags: - url - bytes_in - bytes_out - risk_score: 72 security_domain: network tests: - name: True Positive Test diff --git a/detections/web/web_spring_cloud_function_functionrouter.yml b/detections/web/web_spring_cloud_function_functionrouter.yml index f850adbf3b..dc4751e4c3 100644 
--- a/detections/web/web_spring_cloud_function_functionrouter.yml +++ b/detections/web/web_spring_cloud_function_functionrouter.yml @@ -60,7 +60,6 @@ tags: - Web.src - Web.dest - Web.http_user_agent - risk_score: 42 security_domain: network tests: - name: True Positive Test diff --git a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml index 8ff6285ca5..3927457e3f 100644 --- a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml +++ b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml @@ -72,7 +72,6 @@ tags: - Web.dest - Web.http_method - Web.uri_query - risk_score: 72 security_domain: network tests: - name: True Positive Test @@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell.log source: ms:iis:splunk sourcetype: ms:iis:splunk - update_timestamp: true diff --git a/detections/web/wordpress_bricks_builder_plugin_rce.yml b/detections/web/wordpress_bricks_builder_plugin_rce.yml index 8be952b7ad..b741cf3ba0 100644 --- a/detections/web/wordpress_bricks_builder_plugin_rce.yml +++ b/detections/web/wordpress_bricks_builder_plugin_rce.yml @@ -65,7 +65,6 @@ tags: - Web.http_method - sourcetype - source - risk_score: 100 security_domain: network cve: - CVE-2024-25600 diff --git a/detections/web/ws_ftp_remote_code_execution.yml b/detections/web/ws_ftp_remote_code_execution.yml index 178af37f1b..b4e9e561d6 100644 --- a/detections/web/ws_ftp_remote_code_execution.yml +++ b/detections/web/ws_ftp_remote_code_execution.yml @@ -55,7 +55,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 required_fields: - Web.http_user_agent - Web.status diff --git a/detections/web/zscaler_adware_activities_threat_blocked.yml b/detections/web/zscaler_adware_activities_threat_blocked.yml index 2637a4838c..f703a0feda 100644 
--- a/detections/web/zscaler_adware_activities_threat_blocked.yml +++ b/detections/web/zscaler_adware_activities_threat_blocked.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 required_fields: - action - threatname diff --git a/detections/web/zscaler_behavior_analysis_threat_blocked.yml b/detections/web/zscaler_behavior_analysis_threat_blocked.yml index a2b7853530..68cf7f2643 100644 --- a/detections/web/zscaler_behavior_analysis_threat_blocked.yml +++ b/detections/web/zscaler_behavior_analysis_threat_blocked.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 required_fields: - action - threatname diff --git a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml index f89e0356df..c131e82a81 100644 --- a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml +++ b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml @@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 32 required_fields: - action - threatname diff --git a/detections/web/zscaler_employment_search_web_activity.yml b/detections/web/zscaler_employment_search_web_activity.yml index d515afdc21..3fe513621c 100644 --- a/detections/web/zscaler_employment_search_web_activity.yml +++ b/detections/web/zscaler_employment_search_web_activity.yml @@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 4 required_fields: - action - threatname diff --git a/detections/web/zscaler_exploit_threat_blocked.yml b/detections/web/zscaler_exploit_threat_blocked.yml index d242640e18..62f8c57ec7 100644 --- a/detections/web/zscaler_exploit_threat_blocked.yml +++ b/detections/web/zscaler_exploit_threat_blocked.yml 
@@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 40 required_fields: - action - threatname diff --git a/detections/web/zscaler_legal_liability_threat_blocked.yml b/detections/web/zscaler_legal_liability_threat_blocked.yml index 3975036c91..090bea1c20 100644 --- a/detections/web/zscaler_legal_liability_threat_blocked.yml +++ b/detections/web/zscaler_legal_liability_threat_blocked.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 16 required_fields: - action - threatname diff --git a/detections/web/zscaler_malware_activity_threat_blocked.yml b/detections/web/zscaler_malware_activity_threat_blocked.yml index 856cc106f2..f2e9327e36 100644 --- a/detections/web/zscaler_malware_activity_threat_blocked.yml +++ b/detections/web/zscaler_malware_activity_threat_blocked.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 40 required_fields: - action - threatname diff --git a/detections/web/zscaler_phishing_activity_threat_blocked.yml b/detections/web/zscaler_phishing_activity_threat_blocked.yml index 46e4d27601..aabc0ba058 100644 --- a/detections/web/zscaler_phishing_activity_threat_blocked.yml +++ b/detections/web/zscaler_phishing_activity_threat_blocked.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 16 required_fields: - action - threatname diff --git a/detections/web/zscaler_potentially_abused_file_download.yml b/detections/web/zscaler_potentially_abused_file_download.yml index 818100944d..0e792c9c1d 100644 --- a/detections/web/zscaler_potentially_abused_file_download.yml +++ b/detections/web/zscaler_potentially_abused_file_download.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 required_fields: - action - threatname 
diff --git a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml index 1c3d4fe82c..b9d133e649 100644 --- a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml +++ b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 required_fields: - action - threatname diff --git a/detections/web/zscaler_scam_destinations_threat_blocked.yml b/detections/web/zscaler_scam_destinations_threat_blocked.yml index 46a7960ad0..0e37aa2ffc 100644 --- a/detections/web/zscaler_scam_destinations_threat_blocked.yml +++ b/detections/web/zscaler_scam_destinations_threat_blocked.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 required_fields: - action - threatname diff --git a/detections/web/zscaler_virus_download_threat_blocked.yml b/detections/web/zscaler_virus_download_threat_blocked.yml index 3393bd7b75..06543ecf42 100644 --- a/detections/web/zscaler_virus_download_threat_blocked.yml +++ b/detections/web/zscaler_virus_download_threat_blocked.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 40 required_fields: - action - threatname diff --git a/investigations/investigate_network_traffic_from_src_ip.yml b/investigations/investigate_network_traffic_from_src_ip.yml index 67424cbe4b..2a81e04487 100644 --- a/investigations/investigate_network_traffic_from_src_ip.yml +++ b/investigations/investigate_network_traffic_from_src_ip.yml @@ -16,8 +16,6 @@ references: [] tags: analytic_story: - ColdRoot MacOS RAT - cve: - - CVE-2018-11409 product: - Splunk Phantom required_fields: diff --git a/lookups/prohibited_apps_launching_cmd.yml b/lookups/prohibited_apps_launching_cmd.yml index 2797c65682..1b2633330f 100644 --- a/lookups/prohibited_apps_launching_cmd.yml 
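Review bot: The investigations/investigate_network_traffic_from_src_ip hunk removes the `cve` list (`CVE-2018-11409`) from `tags`, which is the only vulnerability reference tying this investigation to the ColdRoot MacOS RAT story. If the investigation schema no longer accepts a `cve` tag this is the right cleanup; otherwise the mapping is lost without being moved anywhere visible in the diff. A one-line commit note saying which it is would settle it.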
+++ b/lookups/prohibited_apps_launching_cmd.yml @@ -1,5 +1,4 @@ description: A list of processes that should not be launching cmd.exe -fields: prohibited_applications filename: prohibited_apps_launching_cmd20231221.csv match_type: WILDCARD(prohibited_applications) name: prohibited_apps_launching_cmd diff --git a/stories/active_directory_discovery.yml b/stories/active_directory_discovery.yml index f57b09a979..23067fde96 100644 --- a/stories/active_directory_discovery.yml +++ b/stories/active_directory_discovery.yml @@ -3,7 +3,6 @@ id: 8460679c-2b21-463e-b381-b813417c32f2 version: 1 date: '2021-08-20' author: Mauricio Velazco, Splunk -type: batch description: Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments. narrative: 'Discovery consists of techniques an adversay uses to gain knowledge about diff --git a/stories/deprecated/aws_cryptomining.yml b/stories/deprecated/aws_cryptomining.yml index bac9eba53e..00e67e2d10 100644 --- a/stories/deprecated/aws_cryptomining.yml +++ b/stories/deprecated/aws_cryptomining.yml @@ -3,7 +3,6 @@ id: ced74200-8465-4bc3-bd2c-9a782eec6750 version: 1 date: '2018-03-08' author: David Dorsey, Splunk -type: batch description: Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are diff --git a/stories/deprecated/aws_suspicious_provisioning_activities.yml b/stories/deprecated/aws_suspicious_provisioning_activities.yml index 77bec41d05..c71b2a26a5 100644 --- a/stories/deprecated/aws_suspicious_provisioning_activities.yml +++ b/stories/deprecated/aws_suspicious_provisioning_activities.yml 
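Review bot: `fields: prohibited_applications` is removed while `match_type: WILDCARD(prohibited_applications)` on the following line still refers to that field, so the field name now has to come from the header row of `prohibited_apps_launching_cmd20231221.csv`, which is not in the diff. If the header column is not exactly `prohibited_applications`, wildcard matching silently stops applying and the prohibited-process detections that consume this lookup match nothing. Verify the CSV header, or keep the `fields` line until the lookup schema is known to infer it.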
@@ -3,7 +3,6 @@ id: 3338b567-3804-4261-9889-cf0ca4753c7f version: 1 date: '2018-03-16' author: David Dorsey, Splunk -type: batch description: Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network. diff --git a/stories/deprecated/common_phishing_frameworks.yml b/stories/deprecated/common_phishing_frameworks.yml index 95462f4798..0bda55d3fa 100644 --- a/stories/deprecated/common_phishing_frameworks.yml +++ b/stories/deprecated/common_phishing_frameworks.yml @@ -3,7 +3,6 @@ id: 9a64ab44-9214-4639-8163-7eaa2621bd61 version: 1 date: '2019-04-29' author: Splunk Research Team, Splunk -type: batch description: 'Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. ' diff --git a/stories/deprecated/host_redirection.yml b/stories/deprecated/host_redirection.yml index 64b420529e..d9a497d2a3 100644 --- a/stories/deprecated/host_redirection.yml +++ b/stories/deprecated/host_redirection.yml @@ -3,7 +3,6 @@ id: 2e8948a5-5239-406b-b56b-6c50fe268af4 version: 1 date: '2017-09-14' author: Rico Valdez, Splunk -type: batch description: Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches diff --git a/stories/deprecated/kubernetes_sensitive_role_activity.yml b/stories/deprecated/kubernetes_sensitive_role_activity.yml index 6b06309c93..48c1c453f5 100644 --- a/stories/deprecated/kubernetes_sensitive_role_activity.yml +++ b/stories/deprecated/kubernetes_sensitive_role_activity.yml 
@@ -3,7 +3,6 @@ id: 8b3984d2-17b6-47e9-ba43-a3376e70fdcc version: 1 date: '2020-05-20' author: Rod Soto, Splunk -type: batch description: This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces. narrative: Kubernetes is the most used container orchestration platform, this orchestration diff --git a/stories/deprecated/lateral_movement.yml b/stories/deprecated/lateral_movement.yml index fa03562798..c9d262b51d 100644 --- a/stories/deprecated/lateral_movement.yml +++ b/stories/deprecated/lateral_movement.yml 
@@ -3,7 +3,6 @@ id: 399d65dc-1f08-499b-a259-abd9051f38ad version: 2 date: '2020-02-04' author: David Dorsey, Splunk -type: batch description: " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts." narrative: "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. 
From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software." references: diff --git a/stories/deprecated/monitor_backup_solution.yml b/stories/deprecated/monitor_backup_solution.yml index 587bc3a31e..8a7d64c2e3 100644 --- a/stories/deprecated/monitor_backup_solution.yml +++ b/stories/deprecated/monitor_backup_solution.yml @@ -3,7 +3,6 @@ id: abe807c7-1eb6-4304-ac32-6e7aacdb891d version: 1 date: '2017-09-12' author: David Dorsey, Splunk -type: batch description: Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints. diff --git a/stories/deprecated/monitor_for_unauthorized_software.yml b/stories/deprecated/monitor_for_unauthorized_software.yml index f94433c67e..40cc5b71c5 100644 --- a/stories/deprecated/monitor_for_unauthorized_software.yml +++ b/stories/deprecated/monitor_for_unauthorized_software.yml @@ -3,7 +3,6 @@ id: 8892a655-6205-43f7-abba-06460e38c8ae version: 1 date: '2017-09-15' author: David Dorsey, Splunk -type: batch description: 'Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. ' narrative: 'It is critical to identify unauthorized software and processes running diff --git a/stories/deprecated/spectre_and_meltdown_vulnerabilities.yml b/stories/deprecated/spectre_and_meltdown_vulnerabilities.yml index 19d8afde1b..47b8207275 100644 --- a/stories/deprecated/spectre_and_meltdown_vulnerabilities.yml +++ b/stories/deprecated/spectre_and_meltdown_vulnerabilities.yml 
@@ -3,7 +3,6 @@ id: 6d3306f6-bb2b-4219-8609-8efad64032f2 version: 1 date: '2018-01-08' author: David Dorsey, Splunk -type: batch description: Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story. narrative: Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that diff --git a/stories/deprecated/suspicious_aws_ec2_activities.yml b/stories/deprecated/suspicious_aws_ec2_activities.yml index a7a1fe285d..ee51137331 100644 --- a/stories/deprecated/suspicious_aws_ec2_activities.yml +++ b/stories/deprecated/suspicious_aws_ec2_activities.yml @@ -3,7 +3,6 @@ id: 2e8948a5-5239-406b-b56b-6c50f1268af3 version: 1 date: '2018-02-09' author: Bhavin Patel, Splunk -type: batch description: Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users diff --git a/stories/deprecated/unusual_aws_ec2_modifications.yml b/stories/deprecated/unusual_aws_ec2_modifications.yml index 59910c8ff8..9c4e22c9d9 100644 --- a/stories/deprecated/unusual_aws_ec2_modifications.yml +++ b/stories/deprecated/unusual_aws_ec2_modifications.yml @@ -3,7 +3,6 @@ id: 73de57ef-0dfc-411f-b1e7-fa24428aeae0 version: 1 date: '2018-04-09' author: David Dorsey, Splunk -type: batch description: Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation. diff --git a/stories/deprecated/web_fraud_detection.yml b/stories/deprecated/web_fraud_detection.yml index a709a3a6f9..7aae434b6f 100644 --- a/stories/deprecated/web_fraud_detection.yml +++ b/stories/deprecated/web_fraud_detection.yml 
@@ -3,7 +3,6 @@ id: 18bb45b9-7684-45c6-9e97-1fdd0d98c0a7 version: 1 date: '2018-10-08' author: Jim Apger, Splunk -type: batch description: Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets. narrative: 'The Federal Bureau of Investigations (FBI) defines Internet fraud as the diff --git a/stories/fin7.yml b/stories/fin7.yml index 720c5a6d80..b79eb8d73c 100644 --- a/stories/fin7.yml +++ b/stories/fin7.yml @@ -3,7 +3,6 @@ id: df2b00d3-06ba-49f1-b253-b19cef19b569 version: 1 date: '2021-09-14' author: Teoderick Contreras, Splunk -type: batch description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and diff --git a/stories/icedid.yml b/stories/icedid.yml index 81d190ed24..9641e450ef 100644 --- a/stories/icedid.yml +++ b/stories/icedid.yml @@ -3,7 +3,6 @@ id: 1d2cc747-63d7-49a9-abb8-93aa36305603 version: 1 date: '2021-07-29' author: Teoderick Contreras, Splunk -type: batch description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection. diff --git a/stories/industroyer2.yml b/stories/industroyer2.yml index 250f1317ed..5cf0dfd0af 100644 --- a/stories/industroyer2.yml +++ b/stories/industroyer2.yml 
@@ -3,7 +3,6 @@ id: 7ff7db2b-b001-498e-8fe8-caf2dbc3428a version: 1 date: '2022-04-21' author: Teoderick Contreras, Splunk -type: batch description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction. diff --git a/stories/information_sabotage.yml b/stories/information_sabotage.yml index b7f1b51fda..6ee67f3f8f 100644 --- a/stories/information_sabotage.yml +++ b/stories/information_sabotage.yml @@ -3,7 +3,6 @@ id: b71ba595-ef80-4e39-8b66-887578a7a71b version: 1 date: '2021-11-17' author: Teoderick Contreras, Splunk -type: Anomaly description: Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage. narrative: Information sabotage is the type of crime many people associate with insider diff --git a/stories/proxyshell.yml b/stories/proxyshell.yml index ec6586c5f6..953d003a84 100644 --- a/stories/proxyshell.yml +++ b/stories/proxyshell.yml @@ -3,7 +3,6 @@ id: 413bb68e-04e2-11ec-a835-acde48001122 version: 1 date: '2021-08-24' author: Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk -type: batch description: ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. narrative: "During Pwn2Own April 2021, a security researcher demonstrated an attack