From 66d9355fbecf99b3c019da02116fc0f14e73fb4a Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Fri, 26 Jul 2024 17:33:07 -0700
Subject: [PATCH 1/6] set extra='forbid' to catch erroneously included fields in high level ymls.
---
 detections/endpoint/linux_iptables_firewall_modification.yml | 2 --
 .../endpoint/linux_kworker_process_in_writable_process_path.yml | 2 --
 detections/endpoint/windows_modify_registry_disable_rdp.yml | 2 +-
 .../windows_modify_registry_on_smart_card_group_policy.yml | 2 +-
 .../endpoint/winevent_scheduled_task_created_to_spawn_shell.yml | 1 -
 .../winevent_scheduled_task_created_within_public_path.yml | 1 -
 .../web/ivanti_epm_sql_injection_remote_code_execution.yml | 2 --
 lookups/prohibited_apps_launching_cmd.yml | 1 -
 stories/active_directory_discovery.yml | 1 -
 stories/deprecated/aws_cryptomining.yml | 1 -
 stories/deprecated/aws_suspicious_provisioning_activities.yml | 1 -
 stories/deprecated/common_phishing_frameworks.yml | 1 -
 stories/deprecated/host_redirection.yml | 1 -
 stories/deprecated/kubernetes_sensitive_role_activity.yml | 1 -
 stories/deprecated/lateral_movement.yml | 1 -
 stories/deprecated/monitor_backup_solution.yml | 1 -
 stories/deprecated/monitor_for_unauthorized_software.yml | 1 -
 stories/deprecated/spectre_and_meltdown_vulnerabilities.yml | 1 -
 stories/deprecated/suspicious_aws_ec2_activities.yml | 1 -
 stories/deprecated/unusual_aws_ec2_modifications.yml | 1 -
 stories/deprecated/web_fraud_detection.yml | 1 -
 stories/fin7.yml | 1 -
 stories/icedid.yml | 1 -
 stories/industroyer2.yml | 1 -
 stories/information_sabotage.yml | 1 -
 stories/proxyshell.yml | 1 -
 26 files changed, 2 insertions(+), 29 deletions(-)
diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml
index 7a97f54ae9..1102f93ee4 100644
--- a/detections/endpoint/linux_iptables_firewall_modification.yml
+++ b/detections/endpoint/linux_iptables_firewall_modification.yml
@@ -5,8 +5,6 @@ date: '2024-05-28'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-datamodel:
-- Endpoint
 description: The following analytic detects suspicious command-line activity that modifies the iptables firewall settings on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command patterns
diff --git a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml
index e3ff726822..c0e73c5ec4 100644
--- a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml
+++ b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml
@@ -5,8 +5,6 @@ date: '2024-05-14'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
-datamodel:
-- Endpoint
 description: The following analytic detects the execution of a kworker process with a command line in writable directories such as /home/, /var/log, and /tmp on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing
diff --git a/detections/endpoint/windows_modify_registry_disable_rdp.yml b/detections/endpoint/windows_modify_registry_disable_rdp.yml
index c37f229460..65291ba326 100644
--- a/detections/endpoint/windows_modify_registry_disable_rdp.yml
+++ b/detections/endpoint/windows_modify_registry_disable_rdp.yml
@@ -25,7 +25,7 @@ how_to_implement: To successfully implement this search you need to be ingesting
 endpoint product.
 known_false_positives: administrators may enable or disable this feature that may cause some false positive.
-eferences:
+references:
 - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
index f58b2852bd..c477e04ecd 100644
--- a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
+++ b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
@@ -25,7 +25,7 @@ how_to_implement: To successfully implement this search you need to be ingesting
 endpoint product.
 known_false_positives: administrators may enable or disable this feature that may cause some false positive.
-eferences:
+references:
 - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/
 tags:
 analytic_story:
diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
index cf1a395650..33aeb76209 100644
--- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
+++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
@@ -5,7 +5,6 @@ date: '2024-05-18'
 author: Michael Haag, Splunk
 status: production
 type: TTP
-datamodel: []
 description: The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks
diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
index c53101d242..e12de23452 100644
--- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
+++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
@@ -5,7 +5,6 @@ date: '2024-05-16'
 author: Michael Haag, Splunk
 status: production
 type: TTP
-datamodel: []
 description: 'The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like Public,
diff --git a/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml b/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml
index a3702b7048..5b60ac269c 100644
--- a/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml
+++ b/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml
@@ -1,6 +1,4 @@
 data_source: []
-mitre_attack_ids: T1190
-security_domain: network
 name: Ivanti EPM SQL Injection Remote Code Execution
 id: e20564ca-c86c-4e30-acdb-a8486673426f
 version: 1
diff --git a/lookups/prohibited_apps_launching_cmd.yml b/lookups/prohibited_apps_launching_cmd.yml
index 2797c65682..1b2633330f 100644
--- a/lookups/prohibited_apps_launching_cmd.yml
+++ b/lookups/prohibited_apps_launching_cmd.yml
@@ -1,5 +1,4 @@
 description: A list of processes that should not be launching cmd.exe
-fields: prohibited_applications
 filename: prohibited_apps_launching_cmd20231221.csv
 match_type: WILDCARD(prohibited_applications)
 name: prohibited_apps_launching_cmd
diff --git a/stories/active_directory_discovery.yml b/stories/active_directory_discovery.yml
index f57b09a979..23067fde96 100644
--- a/stories/active_directory_discovery.yml
+++ b/stories/active_directory_discovery.yml
@@ -3,7 +3,6 @@ id: 8460679c-2b21-463e-b381-b813417c32f2
 version: 1
 date: '2021-08-20'
 author: Mauricio Velazco, Splunk
-type: batch
 description: Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.
 narrative: 'Discovery consists of techniques an adversay uses to gain knowledge about
diff --git a/stories/deprecated/aws_cryptomining.yml b/stories/deprecated/aws_cryptomining.yml
index bac9eba53e..00e67e2d10 100644
--- a/stories/deprecated/aws_cryptomining.yml
+++ b/stories/deprecated/aws_cryptomining.yml
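Review bot: Removing `mitre_attack_ids: T1190` and `security_domain: network` from the top level of ivanti_epm_sql_injection_remote_code_execution.yml silently drops the detection's ATT&CK and security-domain metadata unless the same values already exist under `tags:` (as `mitre_attack_id` and `security_domain`, where other detections in this repository keep them); that block is outside the hunk, so it should be confirmed, and if the values are missing there they should be moved rather than deleted. The file header also shows the detection living at `detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml`, a doubled directory prefix that looks like a misplaced copy of a `detections/web/` file; a loader that walks `detections/` may index it at an unexpected path or skip it, so relocating it belongs in the same cleanup. The remaining context line `data_source: []` leaves the detection with no declared data source, which is worth a follow-up once the schema is strict.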
@@ -3,7 +3,6 @@ id: ced74200-8465-4bc3-bd2c-9a782eec6750
 version: 1
 date: '2018-03-08'
 author: David Dorsey, Splunk
-type: batch
 description: Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are
diff --git a/stories/deprecated/aws_suspicious_provisioning_activities.yml b/stories/deprecated/aws_suspicious_provisioning_activities.yml
index 77bec41d05..c71b2a26a5 100644
--- a/stories/deprecated/aws_suspicious_provisioning_activities.yml
+++ b/stories/deprecated/aws_suspicious_provisioning_activities.yml
@@ -3,7 +3,6 @@ id: 3338b567-3804-4261-9889-cf0ca4753c7f
 version: 1
 date: '2018-03-16'
 author: David Dorsey, Splunk
-type: batch
 description: Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.
diff --git a/stories/deprecated/common_phishing_frameworks.yml b/stories/deprecated/common_phishing_frameworks.yml
index 95462f4798..0bda55d3fa 100644
--- a/stories/deprecated/common_phishing_frameworks.yml
+++ b/stories/deprecated/common_phishing_frameworks.yml
@@ -3,7 +3,6 @@ id: 9a64ab44-9214-4639-8163-7eaa2621bd61
 version: 1
 date: '2019-04-29'
 author: Splunk Research Team, Splunk
-type: batch
 description: 'Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. '
diff --git a/stories/deprecated/host_redirection.yml b/stories/deprecated/host_redirection.yml
index 64b420529e..d9a497d2a3 100644
--- a/stories/deprecated/host_redirection.yml
+++ b/stories/deprecated/host_redirection.yml
@@ -3,7 +3,6 @@ id: 2e8948a5-5239-406b-b56b-6c50fe268af4
 version: 1
 date: '2017-09-14'
 author: Rico Valdez, Splunk
-type: batch
 description: Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches
diff --git a/stories/deprecated/kubernetes_sensitive_role_activity.yml b/stories/deprecated/kubernetes_sensitive_role_activity.yml
index 6b06309c93..48c1c453f5 100644
--- a/stories/deprecated/kubernetes_sensitive_role_activity.yml
+++ b/stories/deprecated/kubernetes_sensitive_role_activity.yml
@@ -3,7 +3,6 @@ id: 8b3984d2-17b6-47e9-ba43-a3376e70fdcc
 version: 1
 date: '2020-05-20'
 author: Rod Soto, Splunk
-type: batch
 description: This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.
 narrative: Kubernetes is the most used container orchestration platform, this orchestration
diff --git a/stories/deprecated/lateral_movement.yml b/stories/deprecated/lateral_movement.yml
index fa03562798..c9d262b51d 100644
--- a/stories/deprecated/lateral_movement.yml
+++ b/stories/deprecated/lateral_movement.yml
@@ -3,7 +3,6 @@ id: 399d65dc-1f08-499b-a259-abd9051f38ad
 version: 2
 date: '2020-02-04'
 author: David Dorsey, Splunk
-type: batch
 description: " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts."
 narrative: "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software."
 references:
diff --git a/stories/deprecated/monitor_backup_solution.yml b/stories/deprecated/monitor_backup_solution.yml
index 587bc3a31e..8a7d64c2e3 100644
--- a/stories/deprecated/monitor_backup_solution.yml
+++ b/stories/deprecated/monitor_backup_solution.yml
@@ -3,7 +3,6 @@ id: abe807c7-1eb6-4304-ac32-6e7aacdb891d
 version: 1
 date: '2017-09-12'
 author: David Dorsey, Splunk
-type: batch
 description: Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.
diff --git a/stories/deprecated/monitor_for_unauthorized_software.yml b/stories/deprecated/monitor_for_unauthorized_software.yml
index f94433c67e..40cc5b71c5 100644
--- a/stories/deprecated/monitor_for_unauthorized_software.yml
+++ b/stories/deprecated/monitor_for_unauthorized_software.yml
@@ -3,7 +3,6 @@ id: 8892a655-6205-43f7-abba-06460e38c8ae
 version: 1
 date: '2017-09-15'
 author: David Dorsey, Splunk
-type: batch
 description: 'Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. '
 narrative: 'It is critical to identify unauthorized software and processes running
diff --git a/stories/deprecated/spectre_and_meltdown_vulnerabilities.yml b/stories/deprecated/spectre_and_meltdown_vulnerabilities.yml
index 19d8afde1b..47b8207275 100644
--- a/stories/deprecated/spectre_and_meltdown_vulnerabilities.yml
+++ b/stories/deprecated/spectre_and_meltdown_vulnerabilities.yml
@@ -3,7 +3,6 @@ id: 6d3306f6-bb2b-4219-8609-8efad64032f2
 version: 1
 date: '2018-01-08'
 author: David Dorsey, Splunk
-type: batch
 description: Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.
 narrative: Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that
diff --git a/stories/deprecated/suspicious_aws_ec2_activities.yml b/stories/deprecated/suspicious_aws_ec2_activities.yml
index a7a1fe285d..ee51137331 100644
--- a/stories/deprecated/suspicious_aws_ec2_activities.yml
+++ b/stories/deprecated/suspicious_aws_ec2_activities.yml
@@ -3,7 +3,6 @@ id: 2e8948a5-5239-406b-b56b-6c50f1268af3
 version: 1
 date: '2018-02-09'
 author: Bhavin Patel, Splunk
-type: batch
 description: Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users
diff --git a/stories/deprecated/unusual_aws_ec2_modifications.yml b/stories/deprecated/unusual_aws_ec2_modifications.yml
index 59910c8ff8..9c4e22c9d9 100644
--- a/stories/deprecated/unusual_aws_ec2_modifications.yml
+++ b/stories/deprecated/unusual_aws_ec2_modifications.yml
@@ -3,7 +3,6 @@ id: 73de57ef-0dfc-411f-b1e7-fa24428aeae0
 version: 1
 date: '2018-04-09'
 author: David Dorsey, Splunk
-type: batch
 description: Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation.
diff --git a/stories/deprecated/web_fraud_detection.yml b/stories/deprecated/web_fraud_detection.yml
index a709a3a6f9..7aae434b6f 100644
--- a/stories/deprecated/web_fraud_detection.yml
+++ b/stories/deprecated/web_fraud_detection.yml
@@ -3,7 +3,6 @@ id: 18bb45b9-7684-45c6-9e97-1fdd0d98c0a7
 version: 1
 date: '2018-10-08'
 author: Jim Apger, Splunk
-type: batch
 description: Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.
 narrative: 'The Federal Bureau of Investigations (FBI) defines Internet fraud as the
diff --git a/stories/fin7.yml b/stories/fin7.yml
index 720c5a6d80..b79eb8d73c 100644
--- a/stories/fin7.yml
+++ b/stories/fin7.yml
@@ -3,7 +3,6 @@ id: df2b00d3-06ba-49f1-b253-b19cef19b569
 version: 1
 date: '2021-09-14'
 author: Teoderick Contreras, Splunk
-type: batch
 description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and
diff --git a/stories/icedid.yml b/stories/icedid.yml
index 81d190ed24..9641e450ef 100644
--- a/stories/icedid.yml
+++ b/stories/icedid.yml
@@ -3,7 +3,6 @@ id: 1d2cc747-63d7-49a9-abb8-93aa36305603
 version: 1
 date: '2021-07-29'
 author: Teoderick Contreras, Splunk
-type: batch
 description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.
diff --git a/stories/industroyer2.yml b/stories/industroyer2.yml
index 250f1317ed..5cf0dfd0af 100644
--- a/stories/industroyer2.yml
+++ b/stories/industroyer2.yml
@@ -3,7 +3,6 @@ id: 7ff7db2b-b001-498e-8fe8-caf2dbc3428a
 version: 1
 date: '2022-04-21'
 author: Teoderick Contreras, Splunk
-type: batch
 description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.
diff --git a/stories/information_sabotage.yml b/stories/information_sabotage.yml
index b7f1b51fda..6ee67f3f8f 100644
--- a/stories/information_sabotage.yml
+++ b/stories/information_sabotage.yml
@@ -3,7 +3,6 @@ id: b71ba595-ef80-4e39-8b66-887578a7a71b
 version: 1
 date: '2021-11-17'
 author: Teoderick Contreras, Splunk
-type: Anomaly
 description: Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage.
 narrative: Information sabotage is the type of crime many people associate with insider
diff --git a/stories/proxyshell.yml b/stories/proxyshell.yml
index ec6586c5f6..953d003a84 100644
--- a/stories/proxyshell.yml
+++ b/stories/proxyshell.yml
@@ -3,7 +3,6 @@ id: 413bb68e-04e2-11ec-a835-acde48001122
 version: 1
 date: '2021-08-24'
 author: Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk
-type: batch
 description: ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
 narrative: "During Pwn2Own April 2021, a security researcher demonstrated an attack
From bcb3eee365b380c43e35ac5483d890a859bb9ea2 Mon Sep 17 00:00:00 2001
From: pyth0n1c Date: Fri, 26 Jul 2024 18:50:41 -0700 Subject: [PATCH 2/6] remove risk_score, update_timestamp, and some unused tags from baselines --- ...ohibited_processes_to_enterprise_security.yml | 16 +--------------- .../baseline_of_api_calls_per_user_arn.yml | 15 +-------------- ...ive_aws_instances_launched_by_user___mltk.yml | 15 +-------------- ...e_aws_instances_terminated_by_user___mltk.yml | 15 +-------------- ...een_api_call_per_user_roles_in_cloudtrail.yml | 15 +-------------- ...ly_seen_aws_provisioning_activity_sources.yml | 15 +-------------- .../deprecated/previously_seen_ec2_amis.yml | 15 +-------------- .../previously_seen_ec2_instance_types.yml | 15 +-------------- .../previously_seen_ec2_launches_by_user.yml | 15 +-------------- .../previously_seen_users_in_cloudtrail.yml | 15 +-------------- ...pdate_previously_seen_users_in_cloudtrail.yml | 15 +-------------- baselines/dnstwist_domain_names.yml | 16 +--------------- .../crushftp_server_side_template_injection.yml | 1 - ...etect_distributed_password_spray_attempts.yml | 1 - .../detect_new_login_attempts_to_routers.yml | 1 - .../detect_password_spray_attempts.yml | 1 - .../email_attachments_with_lots_of_spaces.yml | 1 - ..._written_outside_of_the_outlook_directory.yml | 1 - ...vers_sending_high_volume_traffic_to_hosts.yml | 1 - .../monitor_email_for_brand_abuse.yml | 1 - .../no_windows_updates_in_a_time_frame.yml | 1 - ...uthentication_failed_during_mfa_challenge.yml | 1 - .../okta_idp_lifecycle_modifications.yml | 1 - .../application/okta_mfa_exhaustion_hunt.yml | 1 - ...urce_and_response_for_verify_push_request.yml | 1 - ...okta_multi_factor_authentication_disabled.yml | 1 - .../okta_multiple_accounts_locked_out.yml | 1 - ...kta_multiple_failed_mfa_requests_for_user.yml | 1 - ...le_failed_requests_to_access_applications.yml | 1 - ...ple_users_failing_to_authenticate_from_ip.yml | 1 - .../application/okta_new_api_token_created.yml | 1 - .../okta_new_device_enrolled_on_account.yml | 1 - 
...hing_detection_with_fastpass_origin_check.yml | 1 - .../application/okta_risk_threshold_exceeded.yml | 1 - ...a_successful_single_factor_authentication.yml | 1 - .../okta_suspicious_activity_reported.yml | 1 - .../okta_suspicious_use_of_a_session_cookie.yml | 1 - .../okta_threatinsight_threat_detected.yml | 1 - .../okta_unauthorized_access_to_application.yml | 1 - .../okta_user_logins_from_multiple_cities.yml | 1 - ...tch_auth_source_and_verification_response.yml | 2 -- ...gid_multiple_failed_mfa_requests_for_user.yml | 1 - ...gid_new_mfa_method_after_credential_reset.yml | 1 - ...pingid_new_mfa_method_registered_for_user.yml | 2 -- .../suspicious_email_attachment_extensions.yml | 1 - .../application/suspicious_java_classes.yml | 1 - ...eb_servers_executing_suspicious_processes.yml | 1 - .../application/windows_ad_add_self_to_group.yml | 1 - ..._in_group_or_object_modification_activity.yml | 1 - ...ws_increase_in_user_modification_activity.yml | 1 - ..._number_of_cloud_infrastructure_api_calls.yml | 2 -- ..._high_number_of_cloud_instances_destroyed.yml | 1 - ...y_high_number_of_cloud_instances_launched.yml | 1 - ..._number_of_cloud_security_group_api_calls.yml | 2 -- ...zon_eks_kubernetes_cluster_scan_detection.yml | 1 - .../amazon_eks_kubernetes_pod_scan_detection.yml | 1 - ...ws_concurrent_sessions_from_different_ips.yml | 1 - ...asl_aws_defense_evasion_delete_cloudtrail.yml | 1 - ...fense_evasion_delete_cloudwatch_log_group.yml | 1 - ..._defense_evasion_impair_security_services.yml | 1 - ...s_defense_evasion_stop_logging_cloudtrail.yml | 1 - ...asl_aws_defense_evasion_update_cloudtrail.yml | 1 - ...r_container_upload_outside_business_hours.yml | 1 - ...asl_aws_ecr_container_upload_unknown_user.yml | 1 - detections/cloud/asl_aws_iam_delete_policy.yml | 1 - .../cloud/asl_aws_iam_failure_group_deletion.yml | 1 - .../asl_aws_iam_successful_group_deletion.yml | 1 - ..._aws_multi_factor_authentication_disabled.yml | 1 - 
...sl_aws_new_mfa_method_registered_for_user.yml | 1 - ...i_attribute_modification_for_exfiltration.yml | 2 -- ...ws_concurrent_sessions_from_different_ips.yml | 2 -- ...console_login_failed_during_mfa_challenge.yml | 2 -- ...ate_policy_version_to_allow_all_resources.yml | 2 -- detections/cloud/aws_createaccesskey.yml | 2 -- detections/cloud/aws_createloginprofile.yml | 2 -- .../cloud/aws_credential_access_failed_login.yml | 2 -- .../aws_credential_access_getpassworddata.yml | 2 -- .../aws_credential_access_rds_password_reset.yml | 2 -- ...t_activity_from_previously_unseen_account.yml | 2 -- .../aws_defense_evasion_delete_cloudtrail.yml | 1 - ...fense_evasion_delete_cloudwatch_log_group.yml | 2 -- ..._defense_evasion_impair_security_services.yml | 2 -- .../aws_defense_evasion_putbucketlifecycle.yml | 2 -- ...s_defense_evasion_stop_logging_cloudtrail.yml | 1 - .../aws_defense_evasion_update_cloudtrail.yml | 2 -- .../cloud/aws_detect_attach_to_role_policy.yml | 1 - .../cloud/aws_detect_permanent_key_creation.yml | 1 - detections/cloud/aws_detect_role_creation.yml | 1 - .../cloud/aws_detect_sts_assume_role_abuse.yml | 1 - .../aws_detect_sts_get_session_token_abuse.yml | 1 - ...ting_keys_with_encrypt_policy_without_mfa.yml | 2 -- ...rs_with_kms_keys_performing_encryption_s3.yml | 2 -- .../cloud/aws_disable_bucket_versioning.yml | 2 -- .../cloud/aws_ec2_snapshot_shared_externally.yml | 2 -- .../aws_ecr_container_scanning_findings_high.yml | 1 - ...anning_findings_low_informational_unknown.yml | 1 - ...ws_ecr_container_scanning_findings_medium.yml | 1 - ...r_container_upload_outside_business_hours.yml | 1 - .../aws_ecr_container_upload_unknown_user.yml | 1 - .../cloud/aws_excessive_security_scanning.yml | 2 -- ...tion_via_anomalous_getobject_api_activity.yml | 2 -- .../cloud/aws_exfiltration_via_batch_service.yml | 2 -- .../aws_exfiltration_via_bucket_replication.yml | 2 -- .../cloud/aws_exfiltration_via_datasync_task.yml | 2 -- 
.../cloud/aws_exfiltration_via_ec2_snapshot.yml | 2 -- ...number_of_failed_authentications_for_user.yml | 2 -- ..._number_of_failed_authentications_from_ip.yml | 2 -- .../aws_iam_accessdenied_discovery_events.yml | 2 -- .../aws_iam_assume_role_policy_brute_force.yml | 2 -- detections/cloud/aws_iam_delete_policy.yml | 2 -- .../cloud/aws_iam_failure_group_deletion.yml | 2 -- .../cloud/aws_iam_successful_group_deletion.yml | 2 -- .../cloud/aws_lambda_updatefunctioncode.yml | 2 -- .../aws_multi_factor_authentication_disabled.yml | 2 -- ...aws_multiple_failed_mfa_requests_for_user.yml | 2 -- ...ple_users_failing_to_authenticate_from_ip.yml | 1 - ..._control_list_created_with_all_open_ports.yml | 2 -- .../aws_network_access_control_list_deleted.yml | 2 -- .../aws_new_mfa_method_registered_for_user.yml | 2 -- detections/cloud/aws_password_policy_changes.yml | 2 -- .../aws_s3_exfiltration_behavior_identified.yml | 2 -- ...aml_access_by_provider_user_and_principal.yml | 2 -- .../cloud/aws_saml_update_identity_provider.yml | 2 -- detections/cloud/aws_setdefaultpolicyversion.yml | 2 -- ..._console_authentication_from_multiple_ips.yml | 2 -- ...s_successful_single_factor_authentication.yml | 2 -- ..._number_of_failed_authentications_from_ip.yml | 2 -- detections/cloud/aws_updateloginprofile.yml | 2 -- .../azure_active_directory_high_risk_sign_in.yml | 2 -- ...min_consent_bypassed_by_service_principal.yml | 2 -- ...d_application_administrator_role_assigned.yml | 2 -- ...uthentication_failed_during_mfa_challenge.yml | 2 -- ...lock_user_consent_for_risky_apps_disabled.yml | 1 - ...ad_concurrent_sessions_from_different_ips.yml | 2 -- .../azure_ad_device_code_authentication.yml | 1 - .../azure_ad_external_guest_user_invited.yml | 2 -- ...re_ad_fullaccessasapp_permission_assigned.yml | 2 -- ...ure_ad_global_administrator_role_assigned.yml | 2 -- ...number_of_failed_authentications_for_user.yml | 2 -- ..._number_of_failed_authentications_from_ip.yml | 2 -- 
...e_ad_multi_factor_authentication_disabled.yml | 2 -- ...multi_source_failed_authentications_spike.yml | 1 - ...ppids_and_useragents_authentication_spike.yml | 1 - ..._ad_multiple_denied_mfa_requests_for_user.yml | 1 - ..._ad_multiple_failed_mfa_requests_for_user.yml | 2 -- ...multiple_service_principals_created_by_sp.yml | 2 -- ...ltiple_service_principals_created_by_user.yml | 2 -- ...ple_users_failing_to_authenticate_from_ip.yml | 2 -- .../cloud/azure_ad_new_custom_domain_added.yml | 2 -- .../azure_ad_new_federated_domain_added.yml | 2 -- .../cloud/azure_ad_new_mfa_method_registered.yml | 1 - ...ure_ad_new_mfa_method_registered_for_user.yml | 2 -- ...oauth_application_consent_granted_by_user.yml | 1 - detections/cloud/azure_ad_pim_role_assigned.yml | 1 - .../azure_ad_pim_role_assignment_activated.yml | 1 - ...uthentication_administrator_role_assigned.yml | 2 -- ..._privileged_graph_api_permission_assigned.yml | 2 -- .../cloud/azure_ad_privileged_role_assigned.yml | 2 -- ...ileged_role_assigned_to_service_principal.yml | 2 -- ...azure_ad_service_principal_authentication.yml | 2 -- .../cloud/azure_ad_service_principal_created.yml | 2 -- ..._service_principal_new_client_credentials.yml | 2 -- .../azure_ad_service_principal_owner_added.yml | 2 -- ...cessful_authentication_from_different_ips.yml | 2 -- ...e_ad_successful_powershell_authentication.yml | 2 -- ...d_successful_single_factor_authentication.yml | 2 -- ...zure_ad_tenant_wide_admin_consent_granted.yml | 1 - ..._number_of_failed_authentications_from_ip.yml | 2 -- ...ser_consent_blocked_for_risky_application.yml | 1 - ...user_consent_denied_for_oauth_application.yml | 1 - .../azure_ad_user_enabled_and_password_reset.yml | 2 -- ...ure_ad_user_immutableid_attribute_updated.yml | 2 -- .../cloud/azure_automation_account_created.yml | 2 -- .../cloud/azure_automation_runbook_created.yml | 2 -- .../cloud/azure_runbook_webhook_created.yml | 2 -- .../cloud/circle_ci_disable_security_job.yml | 1 - 
.../cloud/circle_ci_disable_security_step.yml | 1 - ...i_calls_from_previously_unseen_user_roles.yml | 2 -- ...nstance_created_by_previously_unseen_user.yml | 2 -- ...tance_created_in_previously_unused_region.yml | 2 -- ...ance_created_with_previously_unseen_image.yml | 2 -- ...ated_with_previously_unseen_instance_type.yml | 2 -- ...stance_modified_by_previously_unseen_user.yml | 2 -- ...ning_activity_from_previously_unseen_city.yml | 2 -- ...g_activity_from_previously_unseen_country.yml | 2 -- ...ctivity_from_previously_unseen_ip_address.yml | 2 -- ...ng_activity_from_previously_unseen_region.yml | 2 -- ...oud_security_groups_modifications_by_user.yml | 1 - .../detect_aws_console_login_by_new_user.yml | 2 -- ...t_aws_console_login_by_user_from_new_city.yml | 2 -- ...ws_console_login_by_user_from_new_country.yml | 2 -- ...aws_console_login_by_user_from_new_region.yml | 2 -- .../detect_gcp_storage_access_from_a_new_ip.yml | 1 - .../detect_new_open_gcp_storage_buckets.yml | 1 - detections/cloud/detect_new_open_s3_buckets.yml | 2 -- .../detect_new_open_s3_buckets_over_aws_cli.yml | 2 -- .../cloud/detect_s3_access_from_a_new_ip.yml | 1 - ..._aws_security_hub_alerts_for_ec2_instance.yml | 1 - ...spike_in_aws_security_hub_alerts_for_user.yml | 1 - ...in_blocked_outbound_traffic_from_your_aws.yml | 1 - .../cloud/detect_spike_in_s3_bucket_deletion.yml | 1 - ...uthentication_failed_during_mfa_challenge.yml | 2 -- .../cloud/gcp_detect_gcploit_framework.yml | 1 - ...gcp_kubernetes_cluster_pod_scan_detection.yml | 1 - .../gcp_multi_factor_authentication_disabled.yml | 2 -- ...gcp_multiple_failed_mfa_requests_for_user.yml | 2 -- ...ple_users_failing_to_authenticate_from_ip.yml | 2 -- ...p_successful_single_factor_authentication.yml | 2 -- ..._number_of_failed_authentications_from_ip.yml | 2 -- .../cloud/gdrive_suspicious_file_sharing.yml | 1 - .../github_actions_disable_security_workflow.yml | 1 - .../cloud/github_commit_changes_in_master.yml | 1 - 
detections/cloud/github_commit_in_develop.yml | 1 - detections/cloud/github_dependabot_alert.yml | 1 - .../github_pull_request_from_unknown_user.yml | 1 - .../gsuite_drive_share_in_external_email.yml | 1 - .../cloud/gsuite_email_suspicious_attachment.yml | 1 - ..._email_suspicious_subject_with_attachment.yml | 1 - ...e_email_with_known_abuse_web_service_link.yml | 1 - ..._email_with_attachment_to_external_domain.yml | 1 - .../cloud/gsuite_suspicious_calendar_invite.yml | 1 - .../cloud/gsuite_suspicious_shared_file_name.yml | 1 - ...er_of_login_failures_from_a_single_source.yml | 1 - ...netes_abuse_of_secret_by_unusual_location.yml | 1 - ...tes_abuse_of_secret_by_unusual_user_agent.yml | 1 - ...tes_abuse_of_secret_by_unusual_user_group.yml | 1 - ...etes_abuse_of_secret_by_unusual_user_name.yml | 1 - detections/cloud/kubernetes_access_scanning.yml | 1 - ...ous_inbound_network_activity_from_process.yml | 1 - ...tes_anomalous_inbound_outbound_network_io.yml | 1 - ...lous_inbound_to_outbound_network_io_ratio.yml | 1 - ...us_outbound_network_activity_from_process.yml | 1 - ...ernetes_anomalous_traffic_on_network_edge.yml | 1 - ...netes_aws_detect_suspicious_kubectl_calls.yml | 1 - ...ubernetes_create_or_update_privileged_pod.yml | 1 - .../cloud/kubernetes_cron_job_creation.yml | 1 - .../cloud/kubernetes_daemonset_deployed.yml | 1 - .../cloud/kubernetes_falco_shell_spawned.yml | 1 - .../cloud/kubernetes_newly_seen_tcp_edge.yml | 1 - .../cloud/kubernetes_newly_seen_udp_edge.yml | 1 - .../cloud/kubernetes_nginx_ingress_lfi.yml | 1 - .../cloud/kubernetes_nginx_ingress_rfi.yml | 1 - .../cloud/kubernetes_node_port_creation.yml | 1 - ...bernetes_pod_created_in_default_namespace.yml | 1 - ...bernetes_pod_with_host_network_attachment.yml | 1 - ...es_previously_unseen_container_image_name.yml | 1 - .../kubernetes_previously_unseen_process.yml | 1 - .../kubernetes_process_running_from_new_path.yml | 1 - ...ocess_with_anomalous_resource_utilisation.yml | 1 - 
...tes_process_with_resource_ratio_anomalies.yml | 1 - .../cloud/kubernetes_scanner_image_pulling.yml | 1 - ...es_scanning_by_unauthenticated_ip_address.yml | 1 - .../kubernetes_shell_running_on_worker_node.yml | 1 - ..._running_on_worker_node_with_cpu_activity.yml | 1 - .../kubernetes_suspicious_image_pulling.yml | 1 - .../cloud/kubernetes_unauthorized_access.yml | 1 - .../o365_add_app_role_assignment_grant_user.yml | 1 - .../cloud/o365_added_service_principal.yml | 1 - ...min_consent_bypassed_by_service_principal.yml | 1 - .../cloud/o365_advanced_audit_disabled.yml | 1 - ...o365_application_registration_owner_added.yml | 1 - ...65_applicationimpersonation_role_assigned.yml | 1 - ...lock_user_consent_for_risky_apps_disabled.yml | 1 - .../cloud/o365_bypass_mfa_via_trusted_ip.yml | 1 - .../o365_compliance_content_search_exported.yml | 1 - .../o365_compliance_content_search_started.yml | 1 - ...65_concurrent_sessions_from_different_ips.yml | 2 -- detections/cloud/o365_disable_mfa.yml | 1 - ...o365_elevated_mailbox_permission_assigned.yml | 1 - ...5_excessive_authentication_failures_alert.yml | 1 - .../cloud/o365_excessive_sso_logon_errors.yml | 1 - ...ioned_application_consent_granted_by_user.yml | 1 - .../o365_fullaccessasapp_permission_assigned.yml | 1 - ...number_of_failed_authentications_for_user.yml | 1 - .../cloud/o365_high_privilege_role_granted.yml | 1 - ...ioned_application_consent_granted_by_user.yml | 1 - .../o365_mailbox_email_forwarding_enabled.yml | 1 - ...5_mailbox_folder_read_permission_assigned.yml | 1 - ...65_mailbox_folder_read_permission_granted.yml | 1 - ...ailbox_inbox_folder_shared_with_all_users.yml | 1 - ...ailbox_read_access_granted_to_application.yml | 1 - ...multi_source_failed_authentications_spike.yml | 1 - ...ppids_and_useragents_authentication_spike.yml | 1 - ...365_multiple_failed_mfa_requests_for_user.yml | 1 - .../o365_multiple_mailboxes_accessed_via_api.yml | 1 - ...multiple_service_principals_created_by_sp.yml | 1 - 
...ltiple_service_principals_created_by_user.yml | 1 - ...ple_users_failing_to_authenticate_from_ip.yml | 1 - .../o365_new_email_forwarding_rule_created.yml | 1 - .../o365_new_email_forwarding_rule_enabled.yml | 1 - .../cloud/o365_new_federated_domain_added.yml | 2 -- ...o365_new_forwarding_mailflow_rule_created.yml | 1 - .../cloud/o365_new_mfa_method_registered.yml | 1 - .../o365_oauth_app_mailbox_access_via_ews.yml | 1 - ...65_oauth_app_mailbox_access_via_graph_api.yml | 1 - ..._privileged_graph_api_permission_assigned.yml | 1 - detections/cloud/o365_pst_export_alert.yml | 1 - ...5_security_and_compliance_alert_triggered.yml | 1 - ..._service_principal_new_client_credentials.yml | 1 - .../o365_tenant_wide_admin_consent_granted.yml | 1 - ...ser_consent_blocked_for_risky_application.yml | 1 - ...user_consent_denied_for_oauth_application.yml | 1 - .../risk_rule_for_dev_sec_ops_by_repository.yml | 1 - ...mally_high_aws_instances_launched_by_user.yml | 1 - ...igh_aws_instances_launched_by_user___mltk.yml | 1 - ...lly_high_aws_instances_terminated_by_user.yml | 1 - ...h_aws_instances_terminated_by_user___mltk.yml | 1 - .../deprecated/asl_aws_createaccesskey.yml | 2 -- .../asl_aws_excessive_security_scanning.yml | 1 - .../asl_aws_password_policy_changes.yml | 1 - ..._provisioning_from_previously_unseen_city.yml | 1 - ...ovisioning_from_previously_unseen_country.yml | 1 - ...sioning_from_previously_unseen_ip_address.yml | 1 - ...rovisioning_from_previously_unseen_region.yml | 1 - ...ubernetes_cluster_sensitive_object_access.yml | 1 - ...lients_connecting_to_multiple_dns_servers.yml | 1 - ...cloud_network_access_control_list_deleted.yml | 1 - .../correlation_by_repository_and_risk.yml | 1 - .../deprecated/correlation_by_user_and_risk.yml | 1 - ...activity_related_to_pass_the_hash_attacks.yml | 2 -- ...etect_api_activity_from_users_without_mfa.yml | 1 - ...s_api_activities_from_unapproved_accounts.yml | 1 - ...ts_to_phishing_sites_leveraging_evilginx2.yml | 1 - 
.../detect_long_dns_txt_record_response.yml | 1 - .../detect_mimikatz_using_loaded_images.yml | 1 - ...imikatz_via_powershell_and_eventcode_4703.yml | 1 - .../detect_new_api_calls_from_user_roles.yml | 1 - .../detect_new_user_aws_console_login.yml | 1 - .../detect_spike_in_aws_api_activity.yml | 1 - .../detect_spike_in_network_acl_activity.yml | 1 - .../detect_spike_in_security_group_activity.yml | 1 - .../deprecated/detect_usb_device_insertion.yml | 1 - ...t_web_traffic_to_dynamic_domain_providers.yml | 1 - .../deprecated/detection_of_dns_tunnels.yml | 1 - ...ests_resolved_by_unauthorized_dns_servers.yml | 1 - detections/deprecated/dns_record_changed.yml | 1 - .../dump_lsass_via_procdump_rename.yml | 1 - ...ance_modified_with_previously_unseen_user.yml | 1 - ...tance_started_in_previously_unseen_region.yml | 1 - ...stance_started_with_previously_unseen_ami.yml | 1 - ...rted_with_previously_unseen_instance_type.yml | 1 - ...tance_started_with_previously_unseen_user.yml | 1 - ...tion_of_file_with_spaces_before_extension.yml | 1 - ...riod_without_successful_netbackup_backups.yml | 1 - .../first_time_seen_command_line_argument.yml | 1 - ..._accounts_with_high_risk_roles_by_project.yml | 1 - ..._risk_permissions_by_resource_and_account.yml | 1 - .../deprecated/gcp_detect_oauth_token_abuse.yml | 1 - .../gcp_kubernetes_cluster_scan_detection.yml | 1 - .../deprecated/identify_new_user_accounts.yml | 1 - ...etect_most_active_service_accounts_by_pod.yml | 1 - ..._aws_detect_rbac_authorization_by_account.yml | 1 - ...bernetes_aws_detect_sensitive_role_access.yml | 1 - ...service_accounts_forbidden_failure_access.yml | 1 - ..._active_service_accounts_by_pod_namespace.yml | 1 - ...zure_detect_rbac_authorization_by_account.yml | 1 - ...etes_azure_detect_sensitive_object_access.yml | 1 - ...rnetes_azure_detect_sensitive_role_access.yml | 1 - ...service_accounts_forbidden_failure_access.yml | 1 - ...tes_azure_detect_suspicious_kubectl_calls.yml | 1 - 
.../kubernetes_azure_pod_scan_fingerprint.yml | 1 - .../kubernetes_azure_scan_fingerprint.yml | 1 - ...etect_most_active_service_accounts_by_pod.yml | 1 - ...gcp_detect_rbac_authorizations_by_account.yml | 1 - ...rnetes_gcp_detect_sensitive_object_access.yml | 1 - ...bernetes_gcp_detect_sensitive_role_access.yml | 1 - ...service_accounts_forbidden_failure_access.yml | 1 - ...netes_gcp_detect_suspicious_kubectl_calls.yml | 1 - .../deprecated/monitor_dns_for_brand_abuse.yml | 1 - ...with_invalid_credentials_from_the_same_ip.yml | 1 - .../o365_suspicious_admin_email_forwarding.yml | 1 - .../o365_suspicious_rights_delegation.yml | 1 - .../o365_suspicious_user_email_forwarding.yml | 1 - .../deprecated/okta_account_locked_out.yml | 1 - .../deprecated/okta_account_lockout_events.yml | 1 - .../deprecated/okta_failed_sso_attempts.yml | 1 - ...ght_login_failure_with_high_unknown_users.yml | 1 - ...eatinsight_suspected_passwordspray_attack.yml | 1 - .../okta_two_or_more_rejected_okta_pushes.yml | 1 - .../osquery_pack___coldroot_detection.yml | 1 - .../deprecated/processes_created_by_netsh.yml | 1 - .../prohibited_software_on_endpoint.yml | 1 - ..._hide_files_directories_via_registry_keys.yml | 1 - .../remote_registry_key_modifications.yml | 1 - ...eduled_tasks_used_in_badrabbit_ransomware.yml | 1 - .../spectre_and_meltdown_vulnerable_systems.yml | 1 - .../suspicious_changes_to_file_associations.yml | 1 - .../suspicious_email___uba_anomaly.yml | 1 - detections/deprecated/suspicious_file_write.yml | 1 - ...picious_powershell_command_line_arguments.yml | 1 - .../deprecated/suspicious_rundll32_rename.yml | 1 - ...cious_writes_to_system_volume_information.yml | 1 - .../uncommon_processes_on_endpoint.yml | 1 - .../unsigned_image_loaded_by_lsass.yml | 1 - .../unsuccessful_netbackup_backups.yml | 1 - .../web_fraud___account_harvesting.yml | 1 - .../web_fraud___anomalous_user_clickspeed.yml | 1 - ..._fraud___password_sharing_across_accounts.yml | 1 - 
.../windows_connhost_exe_started_forcefully.yml | 1 - .../windows_dll_search_order_hijacking_hunt.yml | 2 -- .../windows_hosts_file_modification.yml | 1 - ...cx_supply_chain_attack_network_indicators.yml | 1 - .../7zip_commandline_to_smb_share_path.yml | 1 - .../access_lsass_memory_for_dump_creation.yml | 1 - .../endpoint/account_discovery_with_net_app.yml | 1 - ...ive_directory_lateral_movement_identified.yml | 1 - ...directory_privilege_escalation_identified.yml | 1 - .../endpoint/active_setup_registry_autostart.yml | 1 - .../add_defaultuser_and_password_in_registry.yml | 1 - .../add_or_set_windows_defender_exclusion.yml | 1 - .../endpoint/adsisearcher_account_discovery.yml | 1 - ...low_file_and_printing_sharing_in_firewall.yml | 1 - ...inbound_traffic_by_firewall_rule_registry.yml | 1 - .../allow_inbound_traffic_in_firewall_rule.yml | 1 - .../allow_network_discovery_in_firewall.yml | 1 - .../allow_operation_with_consent_admin.yml | 1 - detections/endpoint/anomalous_usage_of_7zip.yml | 1 - .../endpoint/any_powershell_downloadfile.yml | 1 - .../endpoint/any_powershell_downloadstring.yml | 1 - .../endpoint/attacker_tools_on_endpoint.yml | 1 - ...mpt_to_add_certificate_to_untrusted_store.yml | 1 - .../attempt_to_stop_security_service.yml | 1 - ...credential_dump_from_registry_via_reg_exe.yml | 1 - .../endpoint/auto_admin_logon_registry_entry.yml | 1 - .../endpoint/batch_file_write_to_system32.yml | 1 - .../bcdedit_command_back_to_normal_mode_boot.yml | 1 - .../bcdedit_failure_recovery_modification.yml | 2 -- detections/endpoint/bits_job_persistence.yml | 1 - detections/endpoint/bitsadmin_download_file.yml | 1 - ...ownload_with_urlcache_and_split_arguments.yml | 1 - ...wnload_with_verifyctl_and_split_arguments.yml | 1 - .../certutil_exe_certificate_extraction.yml | 1 - .../endpoint/certutil_with_decode_argument.yml | 1 - .../endpoint/change_default_file_association.yml | 1 - .../change_to_safe_mode_with_network_config.yml | 1 - 
detections/endpoint/chcp_command_execution.yml | 1 - .../endpoint/check_elevated_cmd_using_whoami.yml | 1 - .../endpoint/child_processes_of_spoolsv_exe.yml | 1 - ...clear_unallocated_sector_using_cipher_app.yml | 1 - .../endpoint/clop_common_exec_parameter.yml | 1 - .../clop_ransomware_known_service_name.yml | 1 - .../cmd_carry_out_string_command_parameter.yml | 1 - .../endpoint/cmd_echo_pipe___escalation.yml | 1 - .../cmdline_tool_not_executed_in_cmd_shell.yml | 1 - .../endpoint/cmlua_or_cmstplua_uac_bypass.yml | 1 - .../endpoint/cobalt_strike_named_pipes.yml | 1 - .../endpoint/common_ransomware_extensions.yml | 1 - detections/endpoint/common_ransomware_notes.yml | 1 - .../connectwise_screenconnect_path_traversal.yml | 1 - ...screenconnect_path_traversal_windows_sacl.yml | 1 - .../endpoint/conti_common_exec_parameter.yml | 1 - ...rol_loading_from_world_writable_directory.yml | 1 - ...create_local_admin_accounts_using_net_exe.yml | 1 - ...te_or_delete_windows_shares_using_net_exe.yml | 1 - ...create_remote_thread_in_shell_application.yml | 1 - .../endpoint/create_remote_thread_into_lsass.yml | 1 - .../creation_of_lsass_dump_with_taskmgr.yml | 1 - detections/endpoint/creation_of_shadow_copy.yml | 1 - ...n_of_shadow_copy_with_wmic_and_powershell.yml | 1 - ...dumping_via_copy_command_from_shadow_copy.yml | 1 - ...ential_dumping_via_symlink_to_shadow_copy.yml | 1 - .../endpoint/csc_net_on_the_fly_compilation.yml | 1 - .../curl_download_and_bash_execution.yml | 1 - .../delete_shadowcopy_with_powershell.yml | 1 - detections/endpoint/deleting_of_net_users.yml | 1 - detections/endpoint/deleting_shadow_copies.yml | 1 - .../detect_azurehound_command_line_arguments.yml | 1 - .../detect_azurehound_file_modifications.yml | 1 - .../detect_baron_samedit_cve_2021_3156.yml | 1 - ...tect_baron_samedit_cve_2021_3156_segfault.yml | 1 - ...t_baron_samedit_cve_2021_3156_via_osquery.yml | 1 - .../detect_certify_command_line_arguments.yml | 2 -- 
...tify_with_powershell_script_block_logging.yml | 2 -- .../detect_certipy_file_modifications.yml | 2 -- ...t_computer_changed_with_anonymous_account.yml | 1 - ...y_of_shadowcopy_with_script_block_logging.yml | 1 - ...t_credential_dumping_through_lsass_access.yml | 1 - ...pire_with_powershell_script_block_logging.yml | 1 - ..._excessive_account_lockouts_from_endpoint.yml | 4 ---- .../detect_excessive_user_account_lockouts.yml | 1 - .../endpoint/detect_exchange_web_shell.yml | 1 - detections/endpoint/detect_html_help_renamed.yml | 1 - .../detect_html_help_spawn_child_process.yml | 1 - .../detect_html_help_url_in_command_line.yml | 1 - ...html_help_using_infotech_storage_handlers.yml | 1 - ...katz_with_powershell_script_block_logging.yml | 1 - .../detect_mshta_inline_hta_execution.yml | 1 - detections/endpoint/detect_mshta_renamed.yml | 1 - .../detect_mshta_url_in_command_line.yml | 1 - .../endpoint/detect_new_local_admin_account.yml | 1 - .../detect_outlook_exe_writing_a_zip_file.yml | 1 - ...h_interception_by_creation_of_program_exe.yml | 1 - ...or_system_network_configuration_discovery.yml | 1 - ..._prohibited_applications_spawning_cmd_exe.yml | 1 - .../detect_psexec_with_accepteula_flag.yml | 1 - detections/endpoint/detect_rare_executables.yml | 1 - .../detect_rclone_command_line_usage.yml | 1 - .../detect_regasm_spawning_a_process.yml | 1 - .../detect_regasm_with_network_connection.yml | 1 - ...ect_regasm_with_no_command_line_arguments.yml | 1 - .../detect_regsvcs_spawning_a_process.yml | 1 - .../detect_regsvcs_with_network_connection.yml | 1 - ...ct_regsvcs_with_no_command_line_arguments.yml | 1 - ...etect_regsvr32_application_control_bypass.yml | 1 - .../detect_remote_access_software_usage_file.yml | 1 - ...ect_remote_access_software_usage_fileinfo.yml | 1 - ...tect_remote_access_software_usage_process.yml | 1 - detections/endpoint/detect_renamed_7_zip.yml | 1 - detections/endpoint/detect_renamed_psexec.yml | 1 - detections/endpoint/detect_renamed_rclone.yml | 
1 - detections/endpoint/detect_renamed_winrar.yml | 1 - detections/endpoint/detect_rtlo_in_file_name.yml | 1 - detections/endpoint/detect_rtlo_in_process.yml | 1 - ...ll32_application_control_bypass___advpack.yml | 1 - ...l32_application_control_bypass___setupapi.yml | 1 - ...l32_application_control_bypass___syssetup.yml | 1 - .../detect_rundll32_inline_hta_execution.yml | 1 - .../detect_sharphound_command_line_arguments.yml | 1 - .../detect_sharphound_file_modifications.yml | 1 - detections/endpoint/detect_sharphound_usage.yml | 1 - ...ocessnames_using_pretrained_model_in_dsdl.yml | 1 - ..._of_cmd_exe_to_launch_script_interpreters.yml | 1 - .../detect_webshell_exploit_behavior.yml | 1 - ...detect_wmi_event_subscription_persistence.yml | 1 - .../detection_of_tools_built_by_nirsoft.yml | 1 - .../endpoint/disable_amsi_through_registry.yml | 1 - .../disable_defender_antivirus_registry.yml | 1 - ...disable_defender_blockatfirstseen_feature.yml | 1 - .../disable_defender_enhanced_notification.yml | 1 - .../disable_defender_mpengine_registry.yml | 1 - .../disable_defender_spynet_reporting.yml | 1 - ...e_defender_submit_samples_consent_feature.yml | 1 - .../endpoint/disable_etw_through_registry.yml | 1 - .../endpoint/disable_logs_using_wevtutil.yml | 1 - detections/endpoint/disable_registry_tool.yml | 1 - detections/endpoint/disable_schedule_task.yml | 1 - ...sable_security_logs_using_minint_registry.yml | 1 - .../endpoint/disable_show_hidden_files.yml | 1 - .../endpoint/disable_uac_remote_restriction.yml | 1 - .../endpoint/disable_windows_app_hotkeys.yml | 1 - .../disable_windows_behavior_monitoring.yml | 1 - .../disable_windows_smartscreen_protection.yml | 1 - ..._authentication_discovery_with_get_aduser.yml | 1 - ...e_authentication_discovery_with_powerview.yml | 1 - .../endpoint/disabling_cmd_application.yml | 1 - detections/endpoint/disabling_controlpanel.yml | 1 - .../endpoint/disabling_defender_services.yml | 1 - .../endpoint/disabling_firewall_with_netsh.yml | 1 - 
.../disabling_folderoptions_windows_feature.yml | 1 - .../endpoint/disabling_net_user_account.yml | 1 - .../endpoint/disabling_norun_windows_app.yml | 1 - .../disabling_remote_user_account_control.yml | 1 - .../disabling_systemrestore_in_registry.yml | 1 - detections/endpoint/disabling_task_manager.yml | 1 - ..._security_authority_defences_via_registry.yml | 1 - ...th_no_command_line_arguments_with_network.yml | 1 - .../dns_exfiltration_using_nslookup_app.yml | 1 - .../domain_account_discovery_with_dsquery.yml | 1 - .../domain_account_discovery_with_net_app.yml | 1 - .../domain_account_discovery_with_wmic.yml | 1 - .../domain_controller_discovery_with_nltest.yml | 1 - .../domain_controller_discovery_with_wmic.yml | 1 - .../domain_group_discovery_with_adsisearcher.yml | 1 - .../domain_group_discovery_with_dsquery.yml | 1 - .../endpoint/domain_group_discovery_with_net.yml | 1 - .../domain_group_discovery_with_wmic.yml | 1 - .../endpoint/download_files_using_telegram.yml | 1 - detections/endpoint/drop_icedid_license_dat.yml | 1 - detections/endpoint/dsquery_domain_discovery.yml | 1 - .../endpoint/dump_lsass_via_comsvcs_dll.yml | 1 - detections/endpoint/dump_lsass_via_procdump.yml | 1 - .../elevated_group_discovery_with_net.yml | 1 - .../elevated_group_discovery_with_powerview.yml | 1 - .../elevated_group_discovery_with_wmic.yml | 1 - .../endpoint/enable_rdp_in_other_port_number.yml | 1 - ...nable_wdigest_uselogoncredential_registry.yml | 1 - ...numerate_users_local_group_using_telegram.yml | 1 - detections/endpoint/esentutl_sam_copy.yml | 1 - detections/endpoint/etw_registry_disabled.yml | 1 - detections/endpoint/eventvwr_uac_bypass.yml | 1 - .../endpoint/excel_spawning_powershell.yml | 1 - .../excel_spawning_windows_script_host.yml | 1 - .../excessive_attempt_to_disable_services.yml | 1 - ...sive_distinct_processes_from_windows_temp.yml | 1 - ...ssive_file_deletion_in_windefender_folder.yml | 1 - ...mber_of_service_control_start_as_disabled.yml | 2 -- 
.../excessive_number_of_taskhost_processes.yml | 1 - .../endpoint/excessive_service_stop_attempt.yml | 1 - .../endpoint/excessive_usage_of_cacls_app.yml | 1 - .../endpoint/excessive_usage_of_net_app.yml | 1 - .../endpoint/excessive_usage_of_nslookup_app.yml | 1 - .../excessive_usage_of_sc_service_utility.yml | 1 - .../endpoint/excessive_usage_of_taskkill.yml | 1 - .../exchange_powershell_abuse_via_ssrf.yml | 1 - .../exchange_powershell_module_usage.yml | 1 - ..._file_written_in_administrative_smb_share.yml | 1 - ...les_or_script_creation_in_suspicious_path.yml | 1 - ...execute_javascript_with_jscript_com_clsid.yml | 1 - ...xecution_of_file_with_multiple_extensions.yml | 1 - .../endpoint/extraction_of_registry_hives.yml | 1 - .../endpoint/file_with_samsam_extension.yml | 1 - .../endpoint/firewall_allowed_program_enable.yml | 1 - .../first_time_seen_child_process_of_zoom.yml | 1 - .../first_time_seen_running_windows_service.yml | 1 - detections/endpoint/fodhelper_uac_bypass.yml | 1 - detections/endpoint/fsutil_zeroing_file.yml | 1 - ...faultdomainpasswordpolicy_with_powershell.yml | 1 - ...sswordpolicy_with_powershell_script_block.yml | 1 - .../endpoint/get_aduser_with_powershell.yml | 1 - .../get_aduser_with_powershell_script_block.yml | 1 - ...erresultantpasswordpolicy_with_powershell.yml | 1 - ...sswordpolicy_with_powershell_script_block.yml | 1 - .../get_domainpolicy_with_powershell.yml | 1 - ...domainpolicy_with_powershell_script_block.yml | 1 - .../endpoint/get_domaintrust_with_powershell.yml | 1 - ..._domaintrust_with_powershell_script_block.yml | 1 - .../endpoint/get_domainuser_with_powershell.yml | 1 - ...t_domainuser_with_powershell_script_block.yml | 1 - .../endpoint/get_foresttrust_with_powershell.yml | 1 - ..._foresttrust_with_powershell_script_block.yml | 1 - .../endpoint/get_wmiobject_group_discovery.yml | 1 - ...group_discovery_with_script_block_logging.yml | 1 - .../endpoint/getadcomputer_with_powershell.yml | 1 - 
...etadcomputer_with_powershell_script_block.yml | 1 - .../endpoint/getadgroup_with_powershell.yml | 1 - .../getadgroup_with_powershell_script_block.yml | 1 - .../endpoint/getcurrent_user_with_powershell.yml | 1 - ...current_user_with_powershell_script_block.yml | 1 - .../getdomaincomputer_with_powershell.yml | 1 - ...maincomputer_with_powershell_script_block.yml | 1 - .../getdomaincontroller_with_powershell.yml | 1 - ...incontroller_with_powershell_script_block.yml | 1 - .../endpoint/getdomaingroup_with_powershell.yml | 1 - ...tdomaingroup_with_powershell_script_block.yml | 1 - .../endpoint/getlocaluser_with_powershell.yml | 1 - ...getlocaluser_with_powershell_script_block.yml | 1 - .../getnettcpconnection_with_powershell.yml | 1 - ...cpconnection_with_powershell_script_block.yml | 1 - .../getwmiobject_ds_computer_with_powershell.yml | 1 - ..._ds_computer_with_powershell_script_block.yml | 1 - .../getwmiobject_ds_group_with_powershell.yml | 1 - ...ect_ds_group_with_powershell_script_block.yml | 1 - .../getwmiobject_ds_user_with_powershell.yml | 1 - ...ject_ds_user_with_powershell_script_block.yml | 1 - ...getwmiobject_user_account_with_powershell.yml | 1 - ...user_account_with_powershell_script_block.yml | 1 - ...th_no_command_line_arguments_with_network.yml | 1 - ...headless_browser_mockbin_or_mocky_request.yml | 1 - detections/endpoint/headless_browser_usage.yml | 1 - .../hide_user_account_from_sign_in_screen.yml | 1 - ...ing_files_and_directories_with_attrib_exe.yml | 1 - ..._frequency_copy_of_files_in_network_share.yml | 2 -- .../high_process_termination_frequency.yml | 1 - .../endpoint/hunting_3cxdesktopapp_software.yml | 1 - detections/endpoint/icacls_deny_command.yml | 1 - detections/endpoint/icacls_grant_command.yml | 1 - ...icedid_exfiltrated_archived_file_creation.yml | 1 - ...t_lateral_movement_commandline_parameters.yml | 1 - ...l_movement_smbexec_commandline_parameters.yml | 1 - ...l_movement_wmiexec_commandline_parameters.yml | 1 - 
...ession_on_remote_endpoint_with_powershell.yml | 1 - ...va_class_file_download_by_java_user_agent.yml | 1 - detections/endpoint/java_writing_jsp_file.yml | 1 - .../jscript_execution_using_cscript_app.yml | 1 - ...eroasting_spn_request_with_rc4_encryption.yml | 1 - ...ation_flag_disabled_in_useraccountcontrol.yml | 2 -- ...hentication_flag_disabled_with_powershell.yml | 2 -- ...rvice_ticket_request_using_rc4_encryption.yml | 1 - ...kerberos_tgt_request_using_rc4_encryption.yml | 1 - .../endpoint/kerberos_user_enumeration.yml | 1 - .../known_services_killed_by_ransomware.yml | 1 - ...count_manipulation_of_ssh_config_and_keys.yml | 1 - ...ux_add_files_in_known_crontab_directories.yml | 1 - detections/endpoint/linux_add_user_account.yml | 1 - ...linux_adding_crontab_using_list_parameter.yml | 1 - .../linux_apt_get_privilege_escalation.yml | 2 -- .../endpoint/linux_apt_privilege_escalation.yml | 2 -- .../linux_at_allow_config_file_creation.yml | 1 - .../endpoint/linux_at_application_execution.yml | 1 - .../endpoint/linux_awk_privilege_escalation.yml | 2 -- .../linux_busybox_privilege_escalation.yml | 2 -- .../endpoint/linux_c89_privilege_escalation.yml | 2 -- .../endpoint/linux_c99_privilege_escalation.yml | 2 -- .../endpoint/linux_change_file_owner_to_root.yml | 1 - .../endpoint/linux_clipboard_data_copy.yml | 2 -- ...inux_common_process_for_elevation_control.yml | 1 - .../linux_composer_privilege_escalation.yml | 2 -- .../linux_cpulimit_privilege_escalation.yml | 2 -- .../linux_csvtool_privilege_escalation.yml | 2 -- detections/endpoint/linux_curl_upload_file.yml | 2 -- .../endpoint/linux_data_destruction_command.yml | 2 -- detections/endpoint/linux_dd_file_overwrite.yml | 1 - .../endpoint/linux_decode_base64_to_shell.yml | 2 -- ...eting_critical_directory_using_rm_command.yml | 1 - .../endpoint/linux_deletion_of_cron_jobs.yml | 1 - .../linux_deletion_of_init_daemon_script.yml | 1 - .../endpoint/linux_deletion_of_services.yml | 1 - 
.../linux_deletion_of_ssl_certificate.yml | 1 - detections/endpoint/linux_disable_services.yml | 1 - .../endpoint/linux_doas_conf_file_creation.yml | 1 - .../endpoint/linux_doas_tool_execution.yml | 1 - .../linux_docker_privilege_escalation.yml | 2 -- .../endpoint/linux_edit_cron_table_parameter.yml | 1 - .../linux_emacs_privilege_escalation.yml | 2 -- ...x_file_created_in_kernel_driver_directory.yml | 1 - ...inux_file_creation_in_init_boot_directory.yml | 1 - .../linux_file_creation_in_profile_directory.yml | 1 - .../endpoint/linux_find_privilege_escalation.yml | 2 -- .../endpoint/linux_gdb_privilege_escalation.yml | 2 -- .../endpoint/linux_gem_privilege_escalation.yml | 2 -- .../linux_gnu_awk_privilege_escalation.yml | 2 -- .../endpoint/linux_hardware_addition_swapoff.yml | 2 -- ...frequency_of_file_deletion_in_boot_folder.yml | 1 - ..._frequency_of_file_deletion_in_etc_folder.yml | 1 - .../linux_impair_defenses_process_kill.yml | 2 -- .../linux_indicator_removal_clear_cache.yml | 2 -- ...x_indicator_removal_service_file_deletion.yml | 2 -- .../linux_ingress_tool_transfer_hunting.yml | 2 -- .../linux_ingress_tool_transfer_with_curl.yml | 2 -- ...insert_kernel_module_using_insmod_utility.yml | 1 - ...tall_kernel_module_using_modprobe_utility.yml | 1 - .../linux_iptables_firewall_modification.yml | 1 - .../endpoint/linux_java_spawning_shell.yml | 1 - .../endpoint/linux_kernel_module_enumeration.yml | 2 -- ..._kworker_process_in_writable_process_path.yml | 1 - .../endpoint/linux_make_privilege_escalation.yml | 2 -- .../linux_mysql_privilege_escalation.yml | 2 -- .../endpoint/linux_ngrok_reverse_proxy_usage.yml | 2 -- .../endpoint/linux_node_privilege_escalation.yml | 2 -- .../linux_nopasswd_entry_in_sudoers_file.yml | 1 - ...scated_files_or_information_base64_decode.yml | 2 -- .../linux_octave_privilege_escalation.yml | 2 -- .../linux_openvpn_privilege_escalation.yml | 2 -- ...ce_and_privilege_escalation_risk_behavior.yml | 2 -- 
.../endpoint/linux_php_privilege_escalation.yml | 2 -- .../linux_pkexec_privilege_escalation.yml | 1 - ...ccess_or_modification_of_sshd_config_file.yml | 1 - ...linux_possible_access_to_credential_files.yml | 1 - .../linux_possible_access_to_sudoers_file.yml | 1 - ...le_append_command_to_at_allow_config_file.yml | 1 - ...ble_append_command_to_profile_config_file.yml | 1 - ...nd_cronjob_entry_on_existing_cronjob_file.yml | 1 - ...possible_cronjob_modification_with_editor.yml | 1 - .../linux_possible_ssh_key_file_creation.yml | 1 - .../linux_preload_hijack_library_calls.yml | 1 - detections/endpoint/linux_proxy_socks_curl.yml | 2 -- .../linux_puppet_privilege_escalation.yml | 2 -- .../endpoint/linux_rpm_privilege_escalation.yml | 2 -- .../endpoint/linux_ruby_privilege_escalation.yml | 2 -- ...service_file_created_in_systemd_directory.yml | 1 - detections/endpoint/linux_service_restarted.yml | 1 - .../linux_service_started_or_enabled.yml | 1 - .../linux_setuid_using_chmod_utility.yml | 1 - .../linux_setuid_using_setcap_utility.yml | 1 - .../endpoint/linux_shred_overwrite_command.yml | 1 - .../linux_sqlite3_privilege_escalation.yml | 2 -- .../linux_ssh_authorized_keys_modification.yml | 2 -- .../linux_ssh_remote_services_script_execute.yml | 2 -- ...linux_stdout_redirection_to_dev_null_file.yml | 1 - detections/endpoint/linux_stop_services.yml | 1 - .../endpoint/linux_sudo_or_su_execution.yml | 1 - .../endpoint/linux_sudoers_tmp_file_creation.yml | 1 - .../endpoint/linux_system_network_discovery.yml | 1 - ...inux_system_reboot_via_system_request_key.yml | 2 -- ...nux_unix_shell_enable_all_sysrq_functions.yml | 2 -- .../endpoint/linux_visudo_utility_execution.yml | 1 - .../endpoint/living_off_the_land_detection.yml | 1 - .../endpoint/loading_of_dynwrapx_module.yml | 1 - .../local_account_discovery_with_net.yml | 1 - .../local_account_discovery_with_wmic.yml | 1 - .../log4shell_cve_2021_44228_exploitation.yml | 1 - .../logon_script_event_trigger_execution.yml | 1 - 
.../endpoint/lolbas_with_network_traffic.yml | 2 -- .../endpoint/macos___re_opened_applications.yml | 1 - detections/endpoint/macos_lolbin.yml | 1 - detections/endpoint/macos_plutil.yml | 1 - .../endpoint/mailsniper_invoke_functions.yml | 1 - .../malicious_inprocserver32_modification.yml | 1 - ...alicious_powershell_executed_as_a_service.yml | 1 - ...ious_powershell_process___encoded_command.yml | 1 - ...ershell_process___execution_policy_bypass.yml | 1 - ...shell_process_with_obfuscation_techniques.yml | 1 - ...katz_passtheticket_commandline_parameters.yml | 1 - .../mmc_lolbas_execution_process_spawn.yml | 1 - .../endpoint/modification_of_wallpaper.yml | 1 - .../modify_acl_permission_to_files_or_folder.yml | 1 - .../monitor_registry_keys_for_print_monitors.yml | 1 - .../moveit_certificate_store_access_failure.yml | 1 - ...ty_key_fingerprint_authentication_attempt.yml | 1 - ...ation_service_writing_active_server_pages.yml | 1 - .../ms_scripting_process_loading_ldap_module.yml | 1 - .../ms_scripting_process_loading_wmi_module.yml | 1 - ...uild_suspicious_spawned_by_script_process.yml | 1 - ...hta_spawning_rundll32_or_regsvr32_process.yml | 1 - .../mshtml_module_load_in_office_product.yml | 1 - .../msi_module_loaded_by_non_system_binary.yml | 1 - .../msmpeng_application_dll_side_loading.yml | 1 - detections/endpoint/net_localgroup_discovery.yml | 1 - detections/endpoint/net_profiler_uac_bypass.yml | 1 - .../network_connection_discovery_with_arp.yml | 1 - .../network_connection_discovery_with_net.yml | 1 - ...network_connection_discovery_with_netstat.yml | 1 - ...network_discovery_using_route_windows_app.yml | 1 - .../network_share_discovery_via_dir_command.yml | 1 - ...to_active_directory_web_services_protocol.yml | 1 - .../endpoint/nishang_powershelltcponeline.yml | 1 - .../endpoint/nltest_domain_trust_discovery.yml | 1 - ...rome_process_accessing_chrome_default_dir.yml | 1 - ...irefox_process_access_firefox_profile_dir.yml | 1 - 
.../notepad_with_no_command_line_arguments.yml | 1 - detections/endpoint/ntdsutil_export_ntds.yml | 1 - .../office_application_drop_executable.yml | 1 - ...office_application_spawn_regsvr32_process.yml | 1 - ...office_application_spawn_rundll32_process.yml | 1 - .../office_document_creating_schedule_task.yml | 1 - .../office_document_executing_macro_code.yml | 1 - ...ocument_spawned_child_process_to_download.yml | 1 - .../office_product_spawn_cmd_process.yml | 1 - .../office_product_spawning_bitsadmin.yml | 1 - .../office_product_spawning_certutil.yml | 1 - .../endpoint/office_product_spawning_mshta.yml | 1 - ...ice_product_spawning_rundll32_with_no_dll.yml | 1 - ...fice_product_spawning_windows_script_host.yml | 2 -- .../endpoint/office_product_spawning_wmic.yml | 1 - .../office_product_writing_cab_or_inf.yml | 1 - detections/endpoint/office_spawning_control.yml | 1 - ..._connection_from_java_using_default_ports.yml | 1 - .../overwriting_accessibility_binaries.yml | 1 - ...papercut_ng_suspicious_behavior_debug_log.yml | 1 - .../password_policy_discovery_with_net.yml | 1 - ...permission_modification_using_takeown_app.yml | 1 - .../petitpotam_network_share_access_request.yml | 1 - ...etitpotam_suspicious_kerberos_tgt_request.yml | 1 - detections/endpoint/ping_sleep_batch_command.yml | 1 - .../possible_browser_pass_view_parameter.yml | 1 - ...ossible_lateral_movement_powershell_spawn.yml | 1 - .../endpoint/potential_password_in_username.yml | 1 - ...potentially_malicious_code_on_commandline.yml | 1 - detections/endpoint/powershell_4104_hunting.yml | 1 - ...___connect_to_internet_with_hidden_window.yml | 1 - ...com_hijacking_inprocserver32_modification.yml | 2 -- .../powershell_creating_thread_mutex.yml | 1 - .../powershell_disable_security_monitoring.yml | 1 - .../endpoint/powershell_domain_enumeration.yml | 1 - .../powershell_enable_powershell_remoting.yml | 1 - .../powershell_enable_smb1protocol_feature.yml | 1 - .../endpoint/powershell_execute_com_object.yml | 1 - 
...less_process_injection_via_getprocaddress.yml | 1 - ...ss_script_contains_base64_encoded_content.yml | 1 - .../powershell_get_localgroup_discovery.yml | 1 - ...group_discovery_with_script_block_logging.yml | 1 - .../powershell_invoke_cimmethod_cimsession.yml | 1 - .../endpoint/powershell_invoke_wmiexec_usage.yml | 1 - .../powershell_load_module_in_meterpreter.yml | 2 -- ...loading_dotnet_into_memory_via_reflection.yml | 1 - .../powershell_processing_stream_of_data.yml | 1 - ...owershell_remote_services_add_trustedhost.yml | 1 - ...ll_remote_thread_to_known_windows_process.yml | 1 - ...ershell_remove_windows_defender_directory.yml | 1 - .../powershell_script_block_with_url_chain.yml | 1 - .../endpoint/powershell_start_bitstransfer.yml | 1 - .../powershell_start_or_stop_service.yml | 1 - .../powershell_using_memory_as_backing_store.yml | 1 - ...powershell_webrequest_using_memory_stream.yml | 1 - ...shell_windows_defender_exclusion_commands.yml | 1 - ...event_automatic_repair_mode_using_bcdedit.yml | 1 - .../print_processor_registry_autostart.yml | 1 - .../print_spooler_adding_a_printer_driver.yml | 1 - .../print_spooler_failed_to_load_a_plug_in.yml | 1 - ..._creating_lnk_file_in_suspicious_location.yml | 1 - .../process_deleting_its_process_file_path.yml | 1 - .../endpoint/process_execution_via_wmi.yml | 1 - .../endpoint/process_kill_base_on_file_path.yml | 1 - .../endpoint/process_writing_dynamicwrapperx.yml | 1 - .../endpoint/processes_launching_netsh.yml | 1 - .../processes_tapping_keyboard_events.yml | 1 - .../randomly_generated_scheduled_task_name.yml | 1 - .../randomly_generated_windows_service_name.yml | 1 - .../endpoint/ransomware_notes_bulk_creation.yml | 1 - .../recon_avproduct_through_pwh_or_wmi.yml | 1 - detections/endpoint/recon_using_wmi_class.yml | 1 - ...ecursive_delete_of_directory_in_batch_cmd.yml | 1 - ...nipulating_windows_services_registry_keys.yml | 1 - ...registry_keys_for_creating_shim_databases.yml | 1 - 
.../registry_keys_used_for_persistence.yml | 1 - ...gistry_keys_used_for_privilege_escalation.yml | 1 - ...vr32_silent_and_install_param_dll_loading.yml | 1 - ...regsvr32_with_known_silent_switch_cmdline.yml | 1 - .../remcos_client_registry_install_entry.yml | 1 - ...remcos_rat_file_creation_in_remcos_folder.yml | 1 - .../remote_desktop_process_running_on_system.yml | 1 - ...ess_instantiation_via_dcom_and_powershell.yml | 1 - ...tion_via_dcom_and_powershell_script_block.yml | 1 - ...ss_instantiation_via_winrm_and_powershell.yml | 1 - ...ion_via_winrm_and_powershell_script_block.yml | 1 - ...process_instantiation_via_winrm_and_winrs.yml | 1 - .../remote_process_instantiation_via_wmi.yml | 1 - ...cess_instantiation_via_wmi_and_powershell.yml | 1 - ...ation_via_wmi_and_powershell_script_block.yml | 1 - ...remote_system_discovery_with_adsisearcher.yml | 1 - .../remote_system_discovery_with_dsquery.yml | 1 - .../remote_system_discovery_with_net.yml | 1 - .../remote_system_discovery_with_wmic.yml | 1 - .../endpoint/remote_wmi_command_attempt.yml | 1 - .../endpoint/resize_shadowstorage_volume.yml | 1 - .../endpoint/revil_common_exec_parameter.yml | 1 - detections/endpoint/revil_registry_entry.yml | 1 - .../endpoint/rubeus_command_line_parameters.yml | 1 - ...os_ticket_exports_through_winlogon_access.yml | 1 - .../endpoint/runas_execution_in_commandline.yml | 1 - .../endpoint/rundll32_control_rundll_hunt.yml | 1 - ...2_control_rundll_world_writable_directory.yml | 1 - ...undll32_create_remote_thread_to_a_process.yml | 1 - .../rundll32_createremotethread_in_browser.yml | 1 - detections/endpoint/rundll32_dnsquery.yml | 1 - detections/endpoint/rundll32_lockworkstation.yml | 1 - .../rundll32_process_creating_exe_dll_files.yml | 1 - detections/endpoint/rundll32_shimcache_flush.yml | 1 - ...th_no_command_line_arguments_with_network.yml | 1 - .../endpoint/rundll_loading_dll_by_ordinal.yml | 1 - detections/endpoint/ryuk_test_files_detected.yml | 1 - 
detections/endpoint/ryuk_wake_on_lan_command.yml | 1 - .../sam_database_file_access_attempt.yml | 1 - detections/endpoint/samsam_test_file_write.yml | 1 - .../sc_exe_manipulating_windows_services.yml | 1 - ...nge_by_app_connect_and_create_adsi_object.yml | 1 - ...schedule_task_with_http_command_arguments.yml | 1 - ...hedule_task_with_rundll32_command_trigger.yml | 1 - ...task_creation_on_remote_endpoint_using_at.yml | 1 - ...scheduled_task_deleted_or_created_via_cmd.yml | 1 - ...eduled_task_initiation_on_remote_endpoint.yml | 1 - .../endpoint/schtasks_run_task_on_demand.yml | 1 - .../schtasks_scheduling_job_on_remote_system.yml | 1 - .../schtasks_used_for_forcing_a_reboot.yml | 1 - .../screensaver_event_trigger_execution.yml | 1 - detections/endpoint/script_execution_via_wmi.yml | 1 - detections/endpoint/sdclt_uac_bypass.yml | 1 - .../endpoint/sdelete_application_execution.yml | 1 - ...colhost_with_no_command_line_with_network.yml | 1 - .../secretdumps_offline_ntds_dumping_tool.yml | 1 - ...eprincipalnames_discovery_with_powershell.yml | 1 - ...rviceprincipalnames_discovery_with_setspn.yml | 1 - detections/endpoint/services_escalate_exe.yml | 1 - .../services_lolbas_execution_process_spawn.yml | 1 - ...xecution_policy_to_unrestricted_or_bypass.yml | 1 - .../endpoint/shim_database_file_creation.yml | 1 - ...e_installation_with_suspicious_parameters.yml | 1 - .../endpoint/short_lived_scheduled_task.yml | 1 - .../endpoint/short_lived_windows_accounts.yml | 3 --- detections/endpoint/silentcleanup_uac_bypass.yml | 1 - .../single_letter_process_on_endpoint.yml | 1 - detections/endpoint/slui_runas_elevated.yml | 1 - detections/endpoint/slui_spawning_a_process.yml | 1 - detections/endpoint/spike_in_file_writes.yml | 1 - .../endpoint/spoolsv_spawning_rundll32.yml | 1 - .../spoolsv_suspicious_loaded_modules.yml | 1 - .../spoolsv_suspicious_process_access.yml | 1 - detections/endpoint/spoolsv_writing_a_dll.yml | 1 - .../endpoint/spoolsv_writing_a_dll___sysmon.yml | 1 - 
.../endpoint/sqlite_module_in_temp_folder.yml | 1 - ...tication_certificates_behavior_identified.yml | 1 - ...unburst_correlation_dll_and_network_event.yml | 1 - .../suspicious_computer_account_name_change.yml | 2 -- .../endpoint/suspicious_copy_on_system32.yml | 1 - .../suspicious_curl_network_connection.yml | 1 - ...picious_dllhost_no_command_line_arguments.yml | 1 - .../endpoint/suspicious_driver_loaded_path.yml | 1 - .../suspicious_event_log_service_behavior.yml | 1 - ...icious_gpupdate_no_command_line_arguments.yml | 1 - .../suspicious_icedid_rundll32_cmdline.yml | 1 - ...spicious_image_creation_in_appdata_folder.yml | 1 - ...uspicious_kerberos_service_ticket_request.yml | 1 - .../suspicious_linux_discovery_commands.yml | 1 - ...icious_microsoft_workflow_compiler_rename.yml | 1 - ...picious_microsoft_workflow_compiler_usage.yml | 1 - detections/endpoint/suspicious_msbuild_path.yml | 2 -- .../endpoint/suspicious_msbuild_rename.yml | 2 -- detections/endpoint/suspicious_msbuild_spawn.yml | 2 -- .../endpoint/suspicious_mshta_child_process.yml | 2 -- detections/endpoint/suspicious_mshta_spawn.yml | 1 - .../endpoint/suspicious_plistbuddy_usage.yml | 1 - .../suspicious_plistbuddy_usage_via_osquery.yml | 1 - ...rocess_dns_query_known_abuse_web_services.yml | 1 - ...ious_process_executed_from_container_file.yml | 1 - .../endpoint/suspicious_process_file_path.yml | 1 - ...suspicious_process_with_discord_dns_query.yml | 1 - .../endpoint/suspicious_reg_exe_process.yml | 1 - ...picious_regsvr32_register_suspicious_path.yml | 1 - .../suspicious_rundll32_dllregisterserver.yml | 1 - ...icious_rundll32_no_command_line_arguments.yml | 1 - .../endpoint/suspicious_rundll32_plugininit.yml | 1 - .../endpoint/suspicious_rundll32_startw.yml | 1 - ...ious_scheduled_task_from_public_directory.yml | 1 - ...rchprotocolhost_no_command_line_arguments.yml | 1 - .../suspicious_sqlite3_lsquarantine_behavior.yml | 1 - ...suspicious_ticket_granting_ticket_request.yml | 1 - 
.../suspicious_wav_file_in_appdata_folder.yml | 1 - .../endpoint/suspicious_wevtutil_usage.yml | 1 - .../suspicious_writes_to_windows_recycle_bin.yml | 1 - .../svchost_lolbas_execution_process_spawn.yml | 1 - ...m_info_gathering_using_dxdiag_application.yml | 1 - .../system_information_discovery_detection.yml | 1 - ...m_processes_run_from_unexpected_locations.yml | 1 - .../system_user_discovery_with_query.yml | 1 - .../system_user_discovery_with_whoami.yml | 1 - .../time_provider_persistence_registry.yml | 1 - detections/endpoint/trickbot_named_pipe.yml | 1 - .../uac_bypass_mmc_load_unsigned_dll.yml | 1 - .../uac_bypass_with_colorui_com_object.yml | 1 - .../endpoint/uninstall_app_using_msiexec.yml | 1 - ...known_process_using_the_kerberos_protocol.yml | 1 - .../endpoint/unload_sysmon_filter_driver.yml | 1 - .../endpoint/unloading_amsi_via_reflection.yml | 1 - ...ber_of_computer_service_tickets_requested.yml | 1 - ...ber_of_kerberos_service_tickets_requested.yml | 1 - ..._of_remote_endpoint_authentication_events.yml | 1 - .../endpoint/unusually_long_command_line.yml | 1 - .../unusually_long_command_line___mltk.yml | 1 - .../user_discovery_with_env_vars_powershell.yml | 1 - ...ery_with_env_vars_powershell_script_block.yml | 1 - detections/endpoint/usn_journal_deletion.yml | 1 - .../vbscript_execution_using_wscript_app.yml | 1 - detections/endpoint/verclsid_clsid_execution.yml | 1 - detections/endpoint/w3wp_spawning_shell.yml | 1 - .../endpoint/wbadmin_delete_system_backups.yml | 1 - .../endpoint/wbemprox_com_object_execution.yml | 1 - ...ocess_connecting_to_ip_check_web_services.yml | 1 - .../wermgr_process_create_executable_file.yml | 1 - ...process_spawned_cmd_or_powershell_process.yml | 1 - .../wget_download_and_bash_execution.yml | 1 - .../endpoint/windows_abused_web_services.yml | 1 - ...ccess_token_manipulation_sedebugprivilege.yml | 2 -- ...ipulation_winlogon_duplicate_token_handle.yml | 2 -- ...inlogon_duplicate_handle_in_uncommon_path.yml | 2 -- 
...t_discovery_for_none_disable_user_account.yml | 1 - ...ws_account_discovery_for_sam_account_name.yml | 1 - ..._discovery_with_netuser_preauthnotrequire.yml | 1 - ...indows_ad_abnormal_object_access_activity.yml | 2 -- .../windows_ad_adminsdholder_acl_modified.yml | 1 - ...dows_ad_cross_domain_sid_history_addition.yml | 1 - ...d_domain_controller_audit_policy_disabled.yml | 1 - .../windows_ad_domain_controller_promotion.yml | 1 - ...indows_ad_domain_replication_acl_addition.yml | 1 - .../endpoint/windows_ad_dsrm_account_changes.yml | 1 - .../endpoint/windows_ad_dsrm_password_reset.yml | 1 - ...d_privileged_account_sid_history_addition.yml | 1 - ...dows_ad_privileged_object_access_activity.yml | 2 -- ...ication_request_initiated_by_user_account.yml | 1 - ...uest_initiated_from_unsanctioned_location.yml | 1 - ...ndows_ad_same_domain_sid_history_addition.yml | 1 - ...viceprincipalname_added_to_domain_account.yml | 1 - ...lived_domain_account_serviceprincipalname.yml | 1 - ...ort_lived_domain_controller_spn_attribute.yml | 1 - .../windows_ad_short_lived_server_object.yml | 1 - ...windows_ad_sid_history_attribute_modified.yml | 1 - detections/endpoint/windows_adfind_exe.yml | 1 - .../windows_admin_permission_discovery.yml | 2 -- ...trative_shares_accessed_on_multiple_hosts.yml | 1 - ...ows_alternate_datastream___base64_content.yml | 1 - ...alternate_datastream___executable_content.yml | 2 -- ..._alternate_datastream___process_execution.yml | 2 -- .../endpoint/windows_apache_benchmark_binary.yml | 2 -- ...ndows_app_layer_protocol_qakbot_namedpipe.yml | 2 -- ...ayer_protocol_wermgr_connect_to_namedpipe.yml | 2 -- ..._layer_protocol_rms_radmin_tool_namedpipe.yml | 2 -- .../endpoint/windows_applocker_block_events.yml | 1 - ...plocker_execution_from_uncommon_locations.yml | 1 - ...vilege_escalation_via_unauthorized_bypass.yml | 1 - ...plocker_rare_application_launch_detection.yml | 1 - ...ows_archive_collected_data_via_powershell.yml | 1 - 
.../windows_archive_collected_data_via_rar.yml | 1 - .../endpoint/windows_autoit3_execution.yml | 1 - ...cution_lsass_driver_registry_modification.yml | 2 -- ...y_proxy_execution_mavinject_dll_injection.yml | 2 -- ...gon_autostart_execution_in_startup_folder.yml | 2 -- .../endpoint/windows_bootloader_inventory.yml | 1 - .../windows_bypass_uac_via_pkgmgr_tool.yml | 1 - detections/endpoint/windows_cab_file_on_disk.yml | 1 - ...ndows_cached_domain_credentials_reg_query.yml | 2 -- ..._default_file_association_for_no_file_ext.yml | 2 -- .../windows_clipboard_data_via_get_clipboard.yml | 2 -- ...com_hijacking_inprocserver32_modification.yml | 2 -- ...ipting_interpreter_hunting_path_traversal.yml | 2 -- ...scripting_interpreter_path_traversal_exec.yml | 2 -- ...dows_command_shell_dcrat_forkbomb_payload.yml | 2 -- ...windows_command_shell_fetch_env_variables.yml | 2 -- ...ows_common_abused_cmd_shell_risk_behavior.yml | 1 - ...puter_account_created_by_computer_account.yml | 1 - ...mputer_account_requesting_kerberos_ticket.yml | 1 - .../windows_computer_account_with_spn.yml | 1 - .../windows_conhost_with_headless_argument.yml | 1 - .../endpoint/windows_create_local_account.yml | 2 -- ...ential_access_from_browser_password_store.yml | 1 - ...redential_dumping_lsass_memory_createdump.yml | 2 -- ...m_password_stores_chrome_extension_access.yml | 1 - ..._password_stores_chrome_localstate_access.yml | 1 - ..._password_stores_chrome_login_data_access.yml | 1 - ...credentials_from_password_stores_creation.yml | 1 - ...credentials_from_password_stores_deletion.yml | 1 - ...ws_credentials_from_password_stores_query.yml | 2 -- ...windows_credentials_in_registry_reg_query.yml | 2 -- .../windows_curl_download_to_suspicious_path.yml | 1 - ...windows_curl_upload_to_remote_destination.yml | 1 - ...destruction_recursive_exec_files_deletion.yml | 1 - .../endpoint/windows_debugger_tool_execution.yml | 1 - ...efacement_modify_transcodedwallpaper_file.yml | 2 -- 
...dows_default_group_policy_object_modified.yml | 1 - ...lt_group_policy_object_modified_with_gpme.yml | 1 - .../windows_defender_asr_audit_events.yml | 1 - .../windows_defender_asr_block_events.yml | 1 - ...indows_defender_asr_registry_modification.yml | 1 - .../windows_defender_asr_rule_disabled.yml | 1 - .../windows_defender_asr_rules_stacking.yml | 1 - ...windows_defender_exclusion_registry_entry.yml | 1 - .../windows_delete_or_modify_system_firewall.yml | 1 - ...istry_by_a_non_critical_process_file_path.yml | 1 - ..._disable_change_password_through_registry.yml | 1 - ...lock_workstation_feature_through_registry.yml | 1 - ...ws_disable_logoff_button_through_registry.yml | 1 - .../windows_disable_memory_crash_dump.yml | 1 - .../windows_disable_notification_center.yml | 1 - ...dows_disable_or_modify_tools_via_taskkill.yml | 1 - ..._disable_shutdown_button_through_registry.yml | 1 - ...indows_event_logging_disable_http_logging.yml | 2 -- ...ws_group_policy_features_through_registry.yml | 1 - .../windows_disableantispyware_registry.yml | 1 - .../endpoint/windows_diskcryptor_usage.yml | 1 - .../windows_diskshadow_proxy_execution.yml | 1 - .../endpoint/windows_dism_remove_defender.yml | 1 - ...l_search_order_hijacking_hunt_with_sysmon.yml | 2 -- ..._dll_search_order_hijacking_with_iscsicpl.yml | 2 -- .../windows_dll_side_loading_in_calc.yml | 2 -- ...ws_dll_side_loading_process_child_of_calc.yml | 2 -- .../endpoint/windows_dns_gather_network_info.yml | 1 - .../windows_dnsadmins_new_member_added.yml | 1 - ...ain_account_discovery_via_get_netcomputer.yml | 1 - ...dows_domain_admin_impersonation_indicator.yml | 1 - ...indows_dotnet_binary_in_non_standard_path.yml | 1 - detections/endpoint/windows_driver_inventory.yml | 2 -- .../windows_driver_load_non_standard_path.yml | 2 -- .../windows_drivers_loaded_by_signature.yml | 1 - ...ws_enable_win32_scheduledjob_via_registry.yml | 1 - .../windows_event_for_service_disabled.yml | 1 - .../endpoint/windows_event_log_cleared.yml 
| 1 - ...ed_image_file_execution_options_injection.yml | 2 -- ...windows_excessive_disabled_services_event.yml | 1 - .../windows_executable_in_loaded_modules.yml | 1 - ...dows_execute_arbitrary_commands_with_msdt.yml | 2 -- ...xfiltration_over_c2_via_invoke_restmethod.yml | 1 - ...ation_over_c2_via_powershell_uploadstring.yml | 1 - .../endpoint/windows_export_certificate.yml | 2 -- ...ndows_file_share_discovery_with_powerview.yml | 1 - ...nsfer_protocol_in_non_common_process_path.yml | 2 -- ...file_without_extension_in_critical_folder.yml | 1 - ...irs_access_rights_modification_via_icacls.yml | 1 - ...ain_organizational_units_with_getdomainou.yml | 1 - ...resting_acl_with_findinterestingdomainacl.yml | 1 - .../endpoint/windows_findstr_gpp_discovery.yml | 1 - ...ows_forest_discovery_with_getforestdomain.yml | 1 - ...ows_gather_victim_host_information_camera.yml | 2 -- .../windows_gather_victim_identity_sam_info.yml | 2 -- ...etwork_info_through_ip_check_web_services.yml | 2 -- ...mputer_unconstrained_delegation_discovery.yml | 1 - ...get_local_admin_with_findlocaladminaccess.yml | 1 - .../windows_group_policy_object_created.yml | 1 - .../windows_hidden_schedule_task_settings.yml | 1 - ...de_notification_features_through_registry.yml | 1 - .../windows_high_file_deletion_frequency.yml | 1 - ...jack_execution_flow_version_dll_side_load.yml | 2 -- ...ws_hunting_system_account_targeting_lsass.yml | 1 - .../windows_identify_protocol_handlers.yml | 2 -- .../windows_iis_components_add_new_module.yml | 2 -- ...mponents_get_webglobalmodule_module_query.yml | 2 -- ...dows_iis_components_module_failed_to_load.yml | 2 -- .../windows_iis_components_new_module_added.yml | 2 -- ...ws_impair_defense_add_xml_applocker_rules.yml | 2 -- ...hange_win_defender_health_check_intervals.yml | 1 - ...e_change_win_defender_quick_scan_interval.yml | 1 - ...defense_change_win_defender_throttle_rate.yml | 1 - ...defense_change_win_defender_tracing_level.yml | 1 - 
...air_defense_configure_app_install_control.yml | 1 - ...defense_define_win_defender_threat_action.yml | 1 - ..._defense_delete_win_defender_context_menu.yml | 2 -- ...ense_delete_win_defender_profile_registry.yml | 2 -- ...nse_deny_security_software_with_applocker.yml | 2 -- ..._defense_disable_controlled_folder_access.yml | 1 - ...nse_disable_defender_firewall_and_network.yml | 1 - ...nse_disable_defender_protocol_recognition.yml | 1 - ...ows_impair_defense_disable_pua_protection.yml | 1 - ...fense_disable_realtime_signature_delivery.yml | 1 - ...ows_impair_defense_disable_web_evaluation.yml | 1 - ...ir_defense_disable_win_defender_app_guard.yml | 1 - ..._disable_win_defender_compute_file_hashes.yml | 1 - ..._defense_disable_win_defender_gen_reports.yml | 1 - ...e_disable_win_defender_network_protection.yml | 1 - ...nse_disable_win_defender_report_infection.yml | 1 - ...fense_disable_win_defender_scan_on_update.yml | 1 - ...disable_win_defender_signature_retirement.yml | 1 - ...ense_overide_win_defender_phishing_filter.yml | 1 - ...mpair_defense_override_smartscreen_prompt.yml | 1 - ...t_win_defender_smart_screen_level_to_warn.yml | 1 - .../windows_impair_defenses_disable_hvci.yml | 1 - ...efenses_disable_win_defender_auto_logging.yml | 2 -- .../windows_indicator_removal_via_rmdir.yml | 1 - ...s_indirect_command_execution_via_forfiles.yml | 1 - ...ows_indirect_command_execution_via_pcalua.yml | 1 - ..._command_execution_via_series_of_forfiles.yml | 2 -- .../windows_information_discovery_fsutil.yml | 2 -- ...dows_ingress_tool_transfer_using_explorer.yml | 2 -- .../windows_inprocserver32_new_outlook_form.yml | 1 - ...ows_input_capture_using_credential_ui_dll.yml | 2 -- .../windows_installutil_credential_theft.yml | 1 - .../windows_installutil_in_non_standard_path.yml | 1 - ...ows_installutil_remote_network_connection.yml | 1 - .../windows_installutil_uninstall_option.yml | 1 - ...installutil_uninstall_option_with_network.yml | 1 - 
.../windows_installutil_url_in_command_line.yml | 1 - .../endpoint/windows_iso_lnk_file_creation.yml | 1 - .../endpoint/windows_java_spawning_shells.yml | 1 - .../windows_kerberos_local_successful_logon.yml | 1 - .../windows_known_abused_dll_created.yml | 1 - ...dows_known_abused_dll_loaded_suspiciously.yml | 1 - ...dows_known_graphicalproton_loaded_modules.yml | 1 - .../windows_krbrelayup_service_creation.yml | 1 - ...ber_of_computer_service_tickets_requested.yml | 1 - .../windows_lateral_tool_transfer_remcom.yml | 1 - .../windows_ldifde_directory_object_behavior.yml | 1 - ...windows_linked_policies_in_adsi_discovery.yml | 1 - ...s_local_administrator_credential_stuffing.yml | 1 - .../windows_lolbas_executed_as_renamed_file.yml | 1 - ...ows_lolbas_executed_outside_expected_path.yml | 1 - .../windows_lsa_secrets_nolmhash_registry.yml | 1 - ..._mail_protocol_in_non_common_process_path.yml | 2 -- .../endpoint/windows_mark_of_the_web_bypass.yml | 1 - ...ws_masquerading_explorer_as_child_process.yml | 2 -- .../windows_masquerading_msdtc_process.yml | 1 - .../windows_mimikatz_binary_execution.yml | 2 -- ...ws_mimikatz_crypto_export_file_extensions.yml | 2 -- ...dify_registry_authenticationleveloverride.yml | 1 - ...indows_modify_registry_auto_minor_updates.yml | 1 - ...windows_modify_registry_auto_update_notif.yml | 1 - ...ndows_modify_registry_configure_bitlocker.yml | 1 - ...dows_modify_registry_default_icon_setting.yml | 2 -- ...ows_modify_registry_delete_firewall_rules.yml | 1 - .../windows_modify_registry_disable_rdp.yml | 1 - ..._modify_registry_disable_restricted_admin.yml | 1 - ...dify_registry_disable_toast_notifications.yml | 2 -- ...stry_disable_win_defender_raw_write_notif.yml | 2 -- ...egistry_disable_windefender_notifications.yml | 1 - ...try_disable_windows_security_center_notif.yml | 2 -- ...fy_registry_disableremotedesktopantialias.yml | 1 - ...s_modify_registry_disablesecuritysettings.yml | 1 - ...ws_modify_registry_disabling_wer_settings.yml | 2 -- 
...dows_modify_registry_disallow_windows_app.yml | 2 -- ...ify_registry_do_not_connect_to_win_update.yml | 1 - .../windows_modify_registry_dontshowui.yml | 1 - ...s_modify_registry_enablelinkedconnections.yml | 1 - .../windows_modify_registry_longpathsenabled.yml | 1 - ...ws_modify_registry_maxconnectionperserver.yml | 1 - ...y_registry_no_auto_reboot_with_logon_user.yml | 1 - .../windows_modify_registry_no_auto_update.yml | 1 - ...ndows_modify_registry_nochangingwallpaper.yml | 1 - ...odify_registry_on_smart_card_group_policy.yml | 1 - .../windows_modify_registry_proxyenable.yml | 1 - .../windows_modify_registry_proxyserver.yml | 1 - ...dify_registry_qakbot_binary_data_registry.yml | 2 -- .../windows_modify_registry_reg_restore.yml | 2 -- ...modify_registry_regedit_silent_reg_import.yml | 2 -- .../windows_modify_registry_risk_behavior.yml | 1 - ...dify_registry_suppress_win_defender_notif.yml | 2 -- ...windows_modify_registry_tamper_protection.yml | 1 - ...y_registry_to_add_or_modify_firewall_rule.yml | 1 - ...modify_registry_updateserviceurlalternate.yml | 1 - .../windows_modify_registry_usewuserver.yml | 1 - ...ows_modify_registry_with_md5_reg_key_name.yml | 1 - .../windows_modify_registry_wuserver.yml | 1 - .../windows_modify_registry_wustatusserver.yml | 1 - ...show_compress_color_and_info_tip_registry.yml | 1 - ...system_firewall_with_notable_process_path.yml | 1 - ...ows_mof_event_triggered_execution_via_wmi.yml | 2 -- .../windows_moveit_transfer_writing_aspx.yml | 1 - ...sexchange_management_mailbox_cmdlet_usage.yml | 2 -- .../windows_mshta_execution_in_registry.yml | 2 -- ...dows_mshta_writing_to_world_writable_path.yml | 1 - .../windows_msiexec_dllregisterserver.yml | 2 -- ...ows_msiexec_hidewindow_rundll32_execution.yml | 1 - .../endpoint/windows_msiexec_remote_download.yml | 2 -- .../windows_msiexec_spawn_discovery_command.yml | 2 -- .../endpoint/windows_msiexec_spawn_windbg.yml | 1 - ...dows_msiexec_unregister_dllregisterserver.yml | 2 -- 
.../windows_msiexec_with_network_connections.yml | 2 -- ...windows_multi_hop_proxy_tor_website_query.yml | 2 -- ...indows_multiple_account_passwords_changed.yml | 1 - .../windows_multiple_accounts_deleted.yml | 1 - .../windows_multiple_accounts_disabled.yml | 1 - ...users_failed_to_authenticate_wth_kerberos.yml | 1 - ...users_fail_to_authenticate_using_kerberos.yml | 1 - ...d_users_failed_to_authenticate_using_ntlm.yml | 1 - ...l_to_authenticate_wth_explicitcredentials.yml | 1 - ...iled_to_authenticate_from_host_using_ntlm.yml | 1 - ...users_failed_to_authenticate_from_process.yml | 1 - ...ers_failed_to_authenticate_using_kerberos.yml | 1 - ...remotely_failed_to_authenticate_from_host.yml | 1 - ...indows_network_share_interaction_with_net.yml | 1 - .../windows_new_inprocserver32_added.yml | 1 - .../windows_ngrok_reverse_proxy_usage.yml | 2 -- .../endpoint/windows_nirsoft_advancedrun.yml | 1 - .../endpoint/windows_nirsoft_utilities.yml | 1 - ...ndows_njrat_fileless_storage_via_registry.yml | 1 - ...ws_non_discord_app_access_discord_leveldb.yml | 1 - ...indows_non_system_account_targeting_lsass.yml | 1 - detections/endpoint/windows_odbcconf_hunting.yml | 2 -- .../endpoint/windows_odbcconf_load_dll.yml | 2 -- .../windows_odbcconf_load_response_file.yml | 2 -- .../windows_office_product_spawning_msdt.yml | 2 -- .../endpoint/windows_papercut_ng_spawn_shell.yml | 1 - ...windows_parent_pid_spoofing_with_explorer.yml | 1 - .../windows_password_managers_discovery.yml | 2 -- ...ows_phishing_outlook_drop_dll_in_form_dir.yml | 1 - ...ndows_phishing_pdf_file_executes_url_link.yml | 2 -- ...windows_phishing_recent_iso_exec_registry.yml | 2 -- .../windows_possible_credential_dumping.yml | 1 - .../windows_post_exploitation_risk_behavior.yml | 1 - ...shell_add_module_to_global_assembly_cache.yml | 2 -- ...windows_powershell_cryptography_namespace.yml | 2 -- .../windows_powershell_disable_http_logging.yml | 2 -- .../windows_powershell_export_certificate.yml | 1 - 
.../windows_powershell_export_pfxcertificate.yml | 2 -- ...owershell_get_ciminstance_remote_computer.yml | 1 - ...hell_iis_components_webglobalmodule_usage.yml | 2 -- ...indows_powershell_import_applocker_policy.yml | 2 -- .../windows_powershell_remotesigned_file.yml | 1 - .../endpoint/windows_powershell_scheduletask.yml | 1 - ...windows_powershell_wmi_win32_scheduledjob.yml | 2 -- .../windows_powersploit_gpp_discovery.yml | 1 - ...erview_ad_access_control_list_enumeration.yml | 1 - ...owerview_constrained_delegation_discovery.yml | 1 - ...powerview_kerberos_service_ticket_request.yml | 1 - .../endpoint/windows_powerview_spn_discovery.yml | 1 - ...erview_unconstrained_delegation_discovery.yml | 1 - .../endpoint/windows_private_keys_discovery.yml | 2 -- ...e_escalation_suspicious_process_elevation.yml | 2 -- ...tion_system_process_without_system_parent.yml | 2 -- ...alation_user_process_spawn_system_process.yml | 2 -- .../windows_process_commandline_discovery.yml | 1 - ...ss_injection_in_non_service_searchindexer.yml | 1 - .../windows_process_injection_into_notepad.yml | 2 -- ...cess_injection_of_wermgr_to_known_browser.yml | 2 -- .../windows_process_injection_remote_thread.yml | 2 -- ...ws_process_injection_wermgr_child_process.yml | 2 -- ...process_injection_with_public_source_path.yml | 2 -- ...indows_process_with_namedpipe_commandline.yml | 1 - ...ocess_writing_file_to_world_writable_path.yml | 1 - ..._processes_killed_by_industroyer2_malware.yml | 1 - .../windows_protocol_tunneling_with_plink.yml | 1 - detections/endpoint/windows_proxy_via_netsh.yml | 1 - .../endpoint/windows_proxy_via_registry.yml | 1 - ...s_query_registry_browser_list_application.yml | 1 - .../endpoint/windows_query_registry_reg_save.yml | 2 -- ...ows_query_registry_uninstall_program_list.yml | 1 - .../windows_raccine_scheduled_task_deletion.yml | 1 - ...ws_rapid_authentication_on_multiple_hosts.yml | 1 - .../endpoint/windows_rasautou_dll_execution.yml | 1 - 
...ndows_raw_access_to_disk_volume_partition.yml | 1 - ...ws_raw_access_to_master_boot_record_drive.yml | 1 - .../windows_rdp_connection_successful.yml | 1 - ...windows_registry_bootexecute_modification.yml | 1 - .../windows_registry_certificate_added.yml | 1 - .../endpoint/windows_registry_delete_task_sd.yml | 1 - ...ry_modification_for_safe_mode_persistence.yml | 1 - .../windows_registry_payload_injection.yml | 1 - ...indows_registry_sip_provider_modification.yml | 1 - .../endpoint/windows_regsvr32_renamed_binary.yml | 2 -- ...ws_remote_access_software_brc4_loaded_dll.yml | 2 -- .../windows_remote_access_software_hunt.yml | 2 -- ...ndows_remote_access_software_rms_registry.yml | 2 -- ...indows_remote_assistance_spawning_process.yml | 1 - .../endpoint/windows_remote_create_service.yml | 2 -- ...ws_remote_service_rdpwinst_tool_execution.yml | 2 -- ...ows_remote_services_allow_rdp_in_firewall.yml | 2 -- ...s_remote_services_allow_remote_assistance.yml | 2 -- .../windows_remote_services_rdp_enable.yml | 2 -- ...ndows_replication_through_removable_media.yml | 2 -- ...ows_root_domain_linked_policies_discovery.yml | 1 - ...dows_rundll32_apply_user_settings_changes.yml | 1 - .../endpoint/windows_rundll32_webdav_request.yml | 1 - ...s_rundll32_webdav_with_network_connection.yml | 1 - .../windows_scheduled_task_created_via_xml.yml | 2 -- ...dows_scheduled_task_service_spawned_shell.yml | 1 - ...ws_scheduled_task_with_highest_privileges.yml | 2 -- .../windows_schtasks_create_run_as_system.yml | 1 - .../windows_screen_capture_via_powershell.yml | 2 -- .../windows_security_account_manager_stopped.yml | 1 - ...ndows_security_support_provider_reg_query.yml | 2 -- ...software_component_gacutil_install_to_gac.yml | 2 -- ...windows_service_create_kernel_mode_driver.yml | 2 -- .../windows_service_create_remcomsvc.yml | 2 -- .../endpoint/windows_service_create_sliverc2.yml | 1 - .../windows_service_create_with_tscon.yml | 1 - ...vice_created_with_suspicious_service_path.yml | 1 - 
...indows_service_created_within_public_path.yml | 1 - ...ndows_service_creation_on_remote_endpoint.yml | 1 - ...ows_service_creation_using_registry_entry.yml | 1 - .../windows_service_deletion_in_registry.yml | 2 -- ...ows_service_initiation_on_remote_endpoint.yml | 1 - .../windows_service_stop_by_deletion.yml | 2 -- ..._service_stop_via_net__and_sc_application.yml | 2 -- .../windows_service_stop_win_updates.yml | 1 - .../endpoint/windows_sip_provider_inventory.yml | 1 - ...ip_winverifytrust_failed_trust_validation.yml | 1 - ...ws_snake_malware_file_modification_crmlog.yml | 1 - ...dows_snake_malware_kernel_driver_comadmin.yml | 1 - ...registry_modification_wav_openwithprogids.yml | 1 - .../windows_snake_malware_service_create.yml | 1 - .../windows_soaphound_binary_execution.yml | 1 - ...tachment_connect_to_none_ms_office_domain.yml | 2 -- ...arphishing_attachment_onenote_spawn_mshta.yml | 2 -- ...pecial_privileged_logon_on_multiple_hosts.yml | 1 - .../endpoint/windows_sql_spawning_certutil.yml | 1 - .../windows_sqlwriter_sqldumper_dll_sideload.yml | 1 - ..._authentication_certificates___esc1_abuse.yml | 2 -- ...cation_certificates___esc1_authentication.yml | 2 -- ...ntication_certificates_certificate_issued.yml | 2 -- ...tication_certificates_certificate_request.yml | 2 -- ...thentication_certificates_certutil_backup.yml | 2 -- ...eal_authentication_certificates_cryptoapi.yml | 2 -- ...eal_authentication_certificates_cs_backup.yml | 2 -- ...ntication_certificates_export_certificate.yml | 2 -- ...cation_certificates_export_pfxcertificate.yml | 2 -- ...ows_steal_or_forge_kerberos_tickets_klist.yml | 2 -- ...spect_process_with_authentication_traffic.yml | 2 -- ...xy_execution_compiled_html_file_decompile.yml | 2 -- ...dows_system_discovery_using_ldap_nslookup.yml | 2 -- .../windows_system_discovery_using_qwinsta.yml | 2 -- .../endpoint/windows_system_file_on_disk.yml | 2 -- .../windows_system_logoff_commandline.yml | 2 -- 
...stem_network_config_discovery_display_dns.yml | 2 -- ...ystem_network_connections_discovery_netsh.yml | 2 -- .../windows_system_reboot_commandline.yml | 2 -- ..._proxy_execution_syncappvpublishingserver.yml | 2 -- .../windows_system_shutdown_commandline.yml | 2 -- ...windows_system_time_discovery_w32tm_delay.yml | 2 -- .../windows_system_user_discovery_via_quser.yml | 2 -- .../windows_system_user_privilege_discovery.yml | 1 - .../windows_terminating_lsass_process.yml | 1 - .../endpoint/windows_time_based_evasion.yml | 1 - ...indows_time_based_evasion_via_choice_exec.yml | 1 - ...ndows_uac_bypass_suspicious_child_process.yml | 2 -- ...uac_bypass_suspicious_escalation_behavior.yml | 2 -- ...ed_outlook_credentials_access_in_registry.yml | 1 - .../windows_unsigned_dll_side_loading.yml | 1 - ...ned_dll_side_loading_in_same_process_path.yml | 1 - .../windows_unsigned_ms_dll_side_loading.yml | 1 - ...disabled_users_failed_auth_using_kerberos.yml | 1 - ...invalid_users_fail_to_auth_using_kerberos.yml | 1 - ...f_invalid_users_failed_to_auth_using_ntlm.yml | 1 - ...sers_fail_to_auth_wth_explicitcredentials.yml | 1 - ...nt_of_users_failed_to_auth_using_kerberos.yml | 1 - ...users_failed_to_authenticate_from_process.yml | 1 - ...f_users_failed_to_authenticate_using_ntlm.yml | 1 - ...f_users_remotely_failed_to_auth_from_host.yml | 1 - ...ser_execution_malicious_url_shortcut_file.yml | 2 -- ...valid_account_with_never_expires_password.yml | 2 -- .../endpoint/windows_vulnerable_3cx_software.yml | 1 - .../windows_vulnerable_driver_installed.yml | 1 - .../windows_vulnerable_driver_loaded.yml | 2 -- .../endpoint/windows_windbg_spawning_autoit3.yml | 1 - ...s_winlogon_with_public_network_connection.yml | 1 - .../endpoint/windows_wmi_impersonate_token.yml | 2 -- .../windows_wmi_process_and_service_list.yml | 2 -- .../endpoint/windows_wmi_process_call_create.yml | 1 - ...ent_scheduled_task_created_to_spawn_shell.yml | 1 - ...scheduled_task_created_within_public_path.yml | 1 - 
...ndows_task_scheduler_event_action_started.yml | 1 - .../endpoint/winhlp32_spawning_a_process.yml | 1 - .../winrar_spawning_shell_application.yml | 1 - detections/endpoint/winrm_spawning_a_process.yml | 1 - detections/endpoint/winword_spawning_cmd.yml | 1 - .../endpoint/winword_spawning_powershell.yml | 1 - .../winword_spawning_windows_script_host.yml | 1 - .../wmi_permanent_event_subscription.yml | 1 - ...wmi_permanent_event_subscription___sysmon.yml | 1 - .../wmi_recon_running_process_or_services.yml | 1 - .../wmi_temporary_event_subscription.yml | 1 - detections/endpoint/wmic_group_discovery.yml | 1 - .../wmic_noninteractive_app_uninstallation.yml | 1 - .../endpoint/wmic_xsl_execution_via_url.yml | 1 - .../wmiprsve_lolbas_execution_process_spawn.yml | 1 - ...cript_or_cscript_suspicious_child_process.yml | 1 - ...smprovhost_lolbas_execution_process_spawn.yml | 1 - detections/endpoint/wsreset_uac_bypass.yml | 1 - detections/endpoint/xmrig_driver_loaded.yml | 1 - .../endpoint/xsl_script_execution_with_wmic.yml | 1 - detections/network/detect_arp_poisoning.yml | 1 - ...ga_domains_using_pretrained_model_in_dsdl.yml | 1 - ...filtration_using_pretrained_model_in_dsdl.yml | 1 - ...ts_connecting_to_dynamic_domain_providers.yml | 1 - ...etect_ipv6_network_infrastructure_threats.yml | 1 - .../detect_large_outbound_icmp_packets.yml | 1 - .../network/detect_outbound_ldap_traffic.yml | 1 - .../network/detect_outbound_smb_traffic.yml | 1 - .../network/detect_port_security_violation.yml | 1 - .../detect_remote_access_software_usage_dns.yml | 1 - ...tect_remote_access_software_usage_traffic.yml | 1 - detections/network/detect_rogue_dhcp_server.yml | 1 - .../network/detect_snicat_sni_exfiltration.yml | 1 - ...etect_software_download_to_network_device.yml | 1 - ...xt_records_using_pretrained_model_in_dsdl.yml | 1 - detections/network/detect_traffic_mirroring.yml | 1 - ...detect_unauthorized_assets_by_mac_address.yml | 1 - ...tect_windows_dns_sigred_via_splunk_stream.yml | 1 - 
.../detect_windows_dns_sigred_via_zeek.yml | 1 - detections/network/detect_zerologon_via_zeek.yml | 1 - .../network/dns_query_length_outliers___mltk.yml | 1 - ...query_length_with_high_standard_deviation.yml | 1 - detections/network/excessive_dns_failures.yml | 1 - ...icontrol_rest_vulnerability_cve_2022_1388.yml | 2 -- .../network/high_volume_of_bytes_out_to_url.yml | 1 - ...lume_of_network_traffic_from_email_server.yml | 1 - .../network/internal_horizontal_port_scan.yml | 1 - .../network/internal_vertical_port_scan.yml | 1 - .../network/internal_vulnerability_scan.yml | 1 - .../network/large_volume_of_dns_any_queries.yml | 1 - .../multiple_archive_files_http_post_traffic.yml | 1 - .../network/ngrok_reverse_proxy_on_network.yml | 2 -- .../network/plain_http_post_exfiltrated_data.yml | 1 - .../prohibited_network_traffic_allowed.yml | 1 - detections/network/protocol_or_port_mismatch.yml | 1 - ...ocols_passing_authentication_in_cleartext.yml | 1 - .../remote_desktop_network_bruteforce.yml | 1 - .../network/remote_desktop_network_traffic.yml | 1 - detections/network/smb_traffic_spike.yml | 1 - detections/network/smb_traffic_spike___mltk.yml | 1 - .../network/ssl_certificates_with_punycode.yml | 1 - detections/network/tor_traffic.yml | 1 - .../unusually_long_content_type_length.yml | 1 - .../windows_ad_replication_service_traffic.yml | 1 - ..._rogue_domain_controller_network_activity.yml | 1 - .../zeek_x509_certificate_with_punycode.yml | 1 - ...e_ivanti_connect_secure_bookmark_endpoint.yml | 1 - .../adobe_coldfusion_access_control_bypass.yml | 1 - ...usion_unauthenticated_arbitrary_file_read.yml | 1 - detections/web/cisco_ios_xe_implant_access.yml | 1 - ..._and_gateway_unauthorized_data_disclosure.yml | 1 - .../citrix_adc_exploitation_cve_2023_3519.yml | 1 - ...rix_sharefile_exploitation_cve_2023_24489.yml | 1 - ...ence_cve_2023_22515_trigger_vulnerability.yml | 1 - ...ta_center_and_server_privilege_escalation.yml | 1 - ...uth_rce_via_ognl_injection_cve_2023_22527.yml 
| 1 - ...ated_remote_code_execution_cve_2022_26134.yml | 2 -- ...twise_screenconnect_authentication_bypass.yml | 1 - ...ers_scanning_for_vulnerable_jboss_servers.yml | 1 - .../web/detect_f5_tmui_rce_cve_2020_5902.yml | 1 - ...licious_requests_to_exploit_jboss_servers.yml | 1 - .../detect_remote_access_software_usage_url.yml | 1 - ...i_epm_sql_injection_remote_code_execution.yml | 1 - ...acing_application_via_apache_commons_text.yml | 1 - ...c_facing_fortinet_fortinac_cve_2022_39952.yml | 2 -- detections/web/f5_tmui_authentication_bypass.yml | 1 - .../web/fortinet_appliance_auth_bypass.yml | 2 -- detections/web/hunting_for_log4shell.yml | 1 - ...connect_secure_command_injection_attempts.yml | 1 - ...nti_connect_secure_ssrf_in_saml_component.yml | 1 - ...system_information_access_via_auth_bypass.yml | 1 - ...unauthenticated_api_access_cve_2023_35078.yml | 1 - ...unauthenticated_api_access_cve_2023_35082.yml | 1 - .../web/ivanti_sentry_authentication_bypass.yml | 1 - ...enkins_arbitrary_file_read_cve_2024_23897.yml | 1 - ...city_authentication_bypass_cve_2024_27198.yml | 1 - ...entication_bypass_suricata_cve_2024_27198.yml | 1 - ...mited_auth_bypass_suricata_cve_2024_27199.yml | 1 - .../web/jetbrains_teamcity_rce_attempt.yml | 1 - ...s_remote_code_execution_exploit_detection.yml | 1 - .../log4shell_jndi_payload_injection_attempt.yml | 1 - ...ayload_injection_with_outbound_connection.yml | 1 - ..._sharepoint_server_elevation_of_privilege.yml | 1 - .../web/monitor_web_traffic_for_brand_abuse.yml | 1 - ...twise_screenconnect_authentication_bypass.yml | 1 - .../papercut_ng_remote_web_access_attempt.yml | 1 - ...roxyshell_proxynotshell_behavior_detected.yml | 2 -- .../web/spring4shell_payload_url_request.yml | 1 - detections/web/sql_injection_with_long_urls.yml | 1 - detections/web/supernova_webshell.yml | 1 - .../vmware_aria_operations_exploit_attempt.yml | 1 - ...mware_server_side_template_injection_hunt.yml | 2 -- ...freemarker_server_side_template_injection.yml | 2 -- 
detections/web/web_jsp_request_via_url.yml | 1 -
.../web/web_remote_shellservlet_access.yml | 1 -
...eb_spring4shell_http_request_class_module.yml | 1 -
.../web_spring_cloud_function_functionrouter.yml | 1 -
.../windows_exchange_autodiscover_ssrf_abuse.yml | 2 --
.../web/wordpress_bricks_builder_plugin_rce.yml | 1 -
detections/web/ws_ftp_remote_code_execution.yml | 1 -
.../zscaler_adware_activities_threat_blocked.yml | 1 -
.../zscaler_behavior_analysis_threat_blocked.yml | 1 -
...ler_cryptominer_downloaded_threat_blocked.yml | 1 -
.../zscaler_employment_search_web_activity.yml | 1 -
.../web/zscaler_exploit_threat_blocked.yml | 1 -
.../zscaler_legal_liability_threat_blocked.yml | 1 -
.../zscaler_malware_activity_threat_blocked.yml | 1 -
.../zscaler_phishing_activity_threat_blocked.yml | 1 -
.../zscaler_potentially_abused_file_download.yml | 1 -
..._privacy_risk_destinations_threat_blocked.yml | 1 -
.../zscaler_scam_destinations_threat_blocked.yml | 1 -
.../zscaler_virus_download_threat_blocked.yml | 1 -
.../investigate_network_traffic_from_src_ip.yml | 2 --
1606 files changed, 12 insertions(+), 2109 deletions(-)
diff --git a/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml b/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml
index 6aa827b83b..045d81112c 100644
--- a/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml
+++ b/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml
@@ -20,7 +20,6 @@ tags:
- Emotet Malware DHS Report TA18-201A
- Monitor for Unauthorized Software
- SamSam Ransomware
- asset_type: Endpoint
detections:
- Prohibited Software On Endpoint
product:
@@ -29,17 +28,4 @@ tags:
- Splunk Cloud
required_fields:
- _time
- security_domain: endpoint
- kill_chain_phases:
- - Exploitation
- confidence: 50
- impact: 50
- risk_score: 25
- context:
- - Unknown
- message: tbd
- observable:
- - name: field
- type: Unknown
- role:
- - Unknown
+ security_domain: endpoint
\ No newline at end of file
diff --git a/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml b/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml
index 02874c9c4a..ba5dd7e652 100644
--- a/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml
+++ b/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml
@@ -32,17 +32,4 @@ tags:
- _time
- eventType
- userIdentity.arn
- security_domain: network
- kill_chain_phases:
- - Exploitation
- confidence: 50
- impact: 50
- risk_score: 25
- context:
- - Unknown
- message: tbd
- observable:
- - name: field
- type: Unknown
- role:
- - Unknown
+ security_domain: network
\ No newline at end of file
diff --git a/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml b/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml
index d1dcf15f47..57eff79029 100644
--- a/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml
+++ b/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml
@@ -44,17 +44,4 @@ tags:
- eventName
- errorCode
- src_user
- security_domain: network
- kill_chain_phases:
- - Exploitation
- confidence: 50
- impact: 50
- risk_score: 25
- context:
- - Unknown
- message: tbd
- observable:
- - name: field
- type: Unknown
- role:
- - Unknown
+ security_domain: network
\ No newline at end of file
diff --git a/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml b/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml
index 1643566a67..ab4f8d7034 100644
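Review bot: The re-added `security_domain: endpoint` line that now ends baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml carries `\ No newline at end of file`, so the rewrite dropped the trailing newline the file had before; end the file with `security_domain: endpoint` plus a newline so the last line is not churned again by the next formatter or schema pass. The same missing final newline appears in every other deprecated baseline rewritten by this commit and in baselines/dnstwist_domain_names.yml. Dropping the placeholder risk fields (`confidence: 50`/`impact: 50`/`risk_score: 25`, `message: tbd`, the `Unknown` observable) is appropriate for a baseline, which emits no risk event, but if the baseline model this commit tightens with extra='forbid' still declares those keys, nothing here prevents them from being reintroduced — worth confirming the schema change landed alongside these deletions.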
--- a/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml
+++ b/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml
@@ -44,17 +44,4 @@ tags:
- eventName
- errorCode
- src_user
- security_domain: network
- kill_chain_phases:
- - Exploitation
- confidence: 50
- impact: 50
- risk_score: 25
- context:
- - Unknown
- message: tbd
- observable:
- - name: field
- type: Unknown
- role:
- - Unknown
+ security_domain: network
\ No newline at end of file
diff --git a/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml b/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml
index cfb61398a8..f8b4361464 100644
--- a/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml
+++ b/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml
@@ -35,17 +35,4 @@ tags:
- userIdentity.type
- userName
- eventName
- security_domain: network
- kill_chain_phases:
- - Exploitation
- confidence: 50
- impact: 50
- risk_score: 25
- context:
- - Unknown
- message: tbd
- observable:
- - name: field
- type: Unknown
- role:
- - Unknown
+ security_domain: network
\ No newline at end of file
diff --git a/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml b/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml
index 9c977eb85c..7f31d39d82 100644
--- a/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml
+++ b/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml
@@ -33,17 +33,4 @@ tags:
- _time
- eventName
- sourceIPAddress
- security_domain: network
- kill_chain_phases:
- - Exploitation
- confidence: 50
- impact: 50
- risk_score: 25
- context:
- - Unknown
- message: tbd
- observable:
- - name: field
- type: Unknown
- role:
- - Unknown
+ security_domain: network
\ No newline at end of file
diff --git a/baselines/deprecated/previously_seen_ec2_amis.yml b/baselines/deprecated/previously_seen_ec2_amis.yml
index 7c07f5b16c..adc1b0bfe4 100644
--- a/baselines/deprecated/previously_seen_ec2_amis.yml
+++ b/baselines/deprecated/previously_seen_ec2_amis.yml
@@ -29,17 +29,4 @@ tags:
- eventName
- errorCode
- requestParameters.instancesSet.items{}.imageId
- security_domain: network
- kill_chain_phases:
- - Exploitation
- confidence: 50
- impact: 50
- risk_score: 25
- context:
- - Unknown
- message: tbd
- observable:
- - name: field
- type: Unknown
- role:
- - Unknown
+ security_domain: network
\ No newline at end of file
diff --git a/baselines/deprecated/previously_seen_ec2_instance_types.yml b/baselines/deprecated/previously_seen_ec2_instance_types.yml
index caa4874b07..ad702b1b8d 100644
--- a/baselines/deprecated/previously_seen_ec2_instance_types.yml
+++ b/baselines/deprecated/previously_seen_ec2_instance_types.yml
@@ -29,17 +29,4 @@ tags:
- eventName
- errorCode
- requestParameters.instanceType
- security_domain: network
- kill_chain_phases:
- - Exploitation
- confidence: 50
- impact: 50
- risk_score: 25
- context:
- - Unknown
- message: tbd
- observable:
- - name: field
- type: Unknown
- role:
- - Unknown
+ security_domain: network
\ No newline at end of file
diff --git a/baselines/deprecated/previously_seen_ec2_launches_by_user.yml b/baselines/deprecated/previously_seen_ec2_launches_by_user.yml
index b9055ec06d..aca991c9b3 100644
--- a/baselines/deprecated/previously_seen_ec2_launches_by_user.yml
+++ b/baselines/deprecated/previously_seen_ec2_launches_by_user.yml
@@ -30,17 +30,4 @@ tags:
- eventName
- errorCode
- requestParameters.instanceType
- security_domain: network
- kill_chain_phases:
- - Exploitation
- confidence: 50
- impact: 50
- risk_score: 25
- context:
- - Unknown
- message: tbd
- observable:
- - name: field
- type: Unknown
- role:
- - Unknown
+ security_domain: network
\ No newline at end of file
diff --git a/baselines/deprecated/previously_seen_users_in_cloudtrail.yml b/baselines/deprecated/previously_seen_users_in_cloudtrail.yml
index c10e6be865..3b6c389848 100644
--- a/baselines/deprecated/previously_seen_users_in_cloudtrail.yml
+++ b/baselines/deprecated/previously_seen_users_in_cloudtrail.yml
@@ -37,17 +37,4 @@ tags:
- eventName
- userIdentity.arn
- src
- security_domain: network
- kill_chain_phases:
- - Exploitation
- confidence: 50
- impact: 50
- risk_score: 25
- context:
- - Unknown
- message: tbd
- observable:
- - name: field
- type: Unknown
- role:
- - Unknown
+ security_domain: network
\ No newline at end of file
diff --git a/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml b/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml
index f7672203b6..703754631e 100644
--- a/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml
+++ b/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml
@@ -39,17 +39,4 @@ tags:
- eventName
- userIdentity.arn
- src
- security_domain: network
- kill_chain_phases:
- - Exploitation
- confidence: 50
- impact: 50
- risk_score: 25
- context:
- - Unknown
- message: tbd
- observable:
- - name: field
- type: Unknown
- role:
- - Unknown
+ security_domain: network
\ No newline at end of file
diff --git a/baselines/dnstwist_domain_names.yml b/baselines/dnstwist_domain_names.yml
index 56d143e729..c213db75ac 100644
--- a/baselines/dnstwist_domain_names.yml
+++ b/baselines/dnstwist_domain_names.yml
@@ -19,7 +19,6 @@ tags:
analytic_story:
- Brand Monitoring
- Suspicious Emails
- asset_type: Endpoint
detections:
- Monitor Email For Brand Abuse
- Monitor DNS For Brand Abuse
@@ -28,19 +27,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- kill_chain_phases:
- - Exploitation
required_fields:
- _time
- security_domain: network
- confidence: 50
- impact: 50
- risk_score: 25
- context:
- - Unknown
- message: tbd
- observable:
- - name: dest
- type: Other
- role:
- - Other
+ security_domain: network
\ No newline at end of file
diff --git a/detections/application/crushftp_server_side_template_injection.yml b/detections/application/crushftp_server_side_template_injection.yml
index 6794bec15a..8a1ffb705b 100644
--- a/detections/application/crushftp_server_side_template_injection.yml
+++ b/detections/application/crushftp_server_side_template_injection.yml
@@ -52,7 +52,6 @@ tags:
- user
- action
- message
- risk_score: 64
security_domain: network
cve:
- CVE-2024-4040
diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml
index 518b80d315..8983ddbd90 100644
--- a/detections/application/detect_distributed_password_spray_attempts.yml
+++ b/detections/application/detect_distributed_password_spray_attempts.yml
@@ -66,7 +66,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- Authentication.action
- Authentication.user
diff --git a/detections/application/detect_new_login_attempts_to_routers.yml b/detections/application/detect_new_login_attempts_to_routers.yml
index da1110bdb6..70bceec972 100644
--- a/detections/application/detect_new_login_attempts_to_routers.yml
+++ b/detections/application/detect_new_login_attempts_to_routers.yml
@@ -49,5 +49,4 @@ tags:
- Authentication.dest_category
- Authentication.dest
- Authentication.user
- risk_score: 25
security_domain: network
diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml
index 6a90bbebdc..636044499e 100644
--- a/detections/application/detect_password_spray_attempts.yml
+++ b/detections/application/detect_password_spray_attempts.yml
@@ -61,7 +61,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- Authentication.action
- Authentication.user
diff --git a/detections/application/email_attachments_with_lots_of_spaces.yml b/detections/application/email_attachments_with_lots_of_spaces.yml
index 976223f493..9b1e593689 100644
--- a/detections/application/email_attachments_with_lots_of_spaces.yml
+++ b/detections/application/email_attachments_with_lots_of_spaces.yml
@@ -64,5 +64,4 @@ tags:
- All_Email.src_user
- All_Email.file_name
- All_Email.message_id
- risk_score: 25
security_domain: network
diff --git a/detections/application/email_files_written_outside_of_the_outlook_directory.yml b/detections/application/email_files_written_outside_of_the_outlook_directory.yml
index f37061e330..e6ffc5ed1d 100644
--- a/detections/application/email_files_written_outside_of_the_outlook_directory.yml
+++ b/detections/application/email_files_written_outside_of_the_outlook_directory.yml
@@ -58,5 +58,4 @@ tags:
- Filesystem.action
- Filesystem.process_id
- Filesystem.dest
- risk_score: 25
security_domain: endpoint
diff --git a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml
index 1ab995f9d1..2a064ea69f 100644
--- a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml
+++ b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml
@@ -63,5 +63,4 @@ tags:
- All_Traffic.bytes_out
- All_Traffic.src_category
- All_Traffic.dest_ip
- risk_score: 25
security_domain: network
diff --git a/detections/application/monitor_email_for_brand_abuse.yml b/detections/application/monitor_email_for_brand_abuse.yml
index cc2471bbca..2edadcb52f 100644
--- a/detections/application/monitor_email_for_brand_abuse.yml
+++ b/detections/application/monitor_email_for_brand_abuse.yml
@@ -48,5 +48,4 @@ tags:
- All_Email.recipient
- All_Email.src_user
- All_Email.message_id
- risk_score: 25
security_domain: network
diff --git a/detections/application/no_windows_updates_in_a_time_frame.yml b/detections/application/no_windows_updates_in_a_time_frame.yml
index 5eeafa902c..5297323688 100644
--- a/detections/application/no_windows_updates_in_a_time_frame.yml
+++ b/detections/application/no_windows_updates_in_a_time_frame.yml
@@ -50,5 +50,4 @@ tags:
- Updates.status
- Updates.vendor_product
- Updates.dest
- risk_score: 25
security_domain: endpoint
diff --git a/detections/application/okta_authentication_failed_during_mfa_challenge.yml b/detections/application/okta_authentication_failed_during_mfa_challenge.yml
index 489b0178cb..ec98495ce6 100644
--- a/detections/application/okta_authentication_failed_during_mfa_challenge.yml
+++ b/detections/application/okta_authentication_failed_during_mfa_challenge.yml
@@ -67,7 +67,6 @@ tags:
- Authentication.signature
- Authentication.method
- Authentication.src
- risk_score: 48
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/application/okta_idp_lifecycle_modifications.yml b/detections/application/okta_idp_lifecycle_modifications.yml
index a9052093c0..3a2f073752 100644
--- a/detections/application/okta_idp_lifecycle_modifications.yml
+++ b/detections/application/okta_idp_lifecycle_modifications.yml
@@ -64,7 +64,6 @@ tags:
- user_agent
- command
- description
- risk_score: 81
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/application/okta_mfa_exhaustion_hunt.yml b/detections/application/okta_mfa_exhaustion_hunt.yml
index e17f3aee26..d9f09b420f 100644
--- a/detections/application/okta_mfa_exhaustion_hunt.yml
+++ b/detections/application/okta_mfa_exhaustion_hunt.yml
@@ -61,7 +61,6 @@ tags:
- src_ip
- eventType
- status
- risk_score: 18
security_domain: access
tests:
- name: True Positive Test
diff --git a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
index 03a6a1aa0e..ade4869839 100644
--- a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
+++ b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
@@ -74,5 +74,4 @@ tags:
- client.userAgent.rawUserAgent
- debugContext.debugData.behaviors
- group_push_time
- risk_score: 64
security_domain: access
diff --git a/detections/application/okta_multi_factor_authentication_disabled.yml b/detections/application/okta_multi_factor_authentication_disabled.yml
index 478f4dbbac..34a17fd17d 100644
--- a/detections/application/okta_multi_factor_authentication_disabled.yml
+++ b/detections/application/okta_multi_factor_authentication_disabled.yml
@@ -61,7 +61,6 @@ tags:
- All_Changes.result
- All_Changes.src
- sourcetype
- risk_score: 30
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/application/okta_multiple_accounts_locked_out.yml b/detections/application/okta_multiple_accounts_locked_out.yml
index daf67758d4..d1c27964d8 100644
--- a/detections/application/okta_multiple_accounts_locked_out.yml
+++ b/detections/application/okta_multiple_accounts_locked_out.yml
@@ -59,7 +59,6 @@ tags:
- All_Changes.result
- All_Changes.src
- sourcetype
- risk_score: 49
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
index bf761654d3..d01914f83a 100644
--- a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
@@ -56,7 +56,6 @@ tags:
- displayMessage
- src_user
- src_ip
- risk_score: 42
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/application/okta_multiple_failed_requests_to_access_applications.yml b/detections/application/okta_multiple_failed_requests_to_access_applications.yml
index 2211b8fb5d..e079af5e38 100644
--- a/detections/application/okta_multiple_failed_requests_to_access_applications.yml
+++ b/detections/application/okta_multiple_failed_requests_to_access_applications.yml
@@ -63,5 +63,4 @@ tags:
- actor.alternateId
- client.ipAddress
- eventType
- risk_score: 56
security_domain: access
diff --git a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
index 4f1af7ca0b..c76bec0af3 100644
--- a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
@@ -61,7 +61,6 @@ tags:
- Authentication.authentication_method
- Authentication.action
- Authentication.src
- risk_score: 54
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/application/okta_new_api_token_created.yml b/detections/application/okta_new_api_token_created.yml
index 4c4200cccb..af863e51ee 100644
--- a/detections/application/okta_new_api_token_created.yml
+++ b/detections/application/okta_new_api_token_created.yml
@@ -61,7 +61,6 @@ tags:
- outcome.reason
- outcome.result
- severity
- risk_score: 64
security_domain: access
tests:
- name: True Positive Test
diff --git a/detections/application/okta_new_device_enrolled_on_account.yml b/detections/application/okta_new_device_enrolled_on_account.yml
index 76288f15e1..43ce4b45b4 100644
--- a/detections/application/okta_new_device_enrolled_on_account.yml
+++ b/detections/application/okta_new_device_enrolled_on_account.yml
@@ -56,7 +56,6 @@ tags:
- client.userAgent.browser
- client.geographicalContext.city
- client.geographicalContext.country
- risk_score: 24
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml
index 8fad808cf6..61f7b7ecb8 100644
--- a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml
+++ b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml
@@ -53,5 +53,4 @@ tags:
- client.userAgent.browser
- outcome.reason
- displayMessage
- risk_score: 100
security_domain: access
diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml
index 8a6cb4a408..0286be39a2 100644
--- a/detections/application/okta_risk_threshold_exceeded.yml
+++ b/detections/application/okta_risk_threshold_exceeded.yml
@@ -68,7 +68,6 @@ tags:
- All_Risk.annotations.mitre_attack.mitre_technique_id
- All_Risk.tag
- _time
- risk_score: 56
security_domain: access
tests:
- name: True Positive Test
diff --git a/detections/application/okta_successful_single_factor_authentication.yml b/detections/application/okta_successful_single_factor_authentication.yml
index 85bf673cbe..6f8d121e5b 100644
--- a/detections/application/okta_successful_single_factor_authentication.yml
+++ b/detections/application/okta_successful_single_factor_authentication.yml
@@ -62,7 +62,6 @@ tags:
- src_ip
- user
- _time
- risk_score: 48
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/application/okta_suspicious_activity_reported.yml b/detections/application/okta_suspicious_activity_reported.yml
index 447b104ac5..91543fadd1 100644
--- a/detections/application/okta_suspicious_activity_reported.yml
+++ b/detections/application/okta_suspicious_activity_reported.yml
@@ -57,7 +57,6 @@ tags:
- client.userAgent.browser
- client.geographicalContext.city
- client.geographicalContext.country
- risk_score: 25
security_domain: access
tests:
- name: True Positive Test
diff --git a/detections/application/okta_suspicious_use_of_a_session_cookie.yml b/detections/application/okta_suspicious_use_of_a_session_cookie.yml
index 769fd797ab..983f4c54ea 100644
--- a/detections/application/okta_suspicious_use_of_a_session_cookie.yml
+++ b/detections/application/okta_suspicious_use_of_a_session_cookie.yml
@@ -60,7 +60,6 @@ tags:
- device.os_platform
- debugContext.debugData.dtHash
- actor.alternateId
- risk_score: 56
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/application/okta_threatinsight_threat_detected.yml b/detections/application/okta_threatinsight_threat_detected.yml
index 510f83e8df..ddb2be420e 100644
--- a/detections/application/okta_threatinsight_threat_detected.yml
+++ b/detections/application/okta_threatinsight_threat_detected.yml
@@ -64,7 +64,6 @@ tags:
- outcome.reason
- outcome.result
- severity
- risk_score: 25
security_domain: access
tests:
- name: True Positive Test
diff --git a/detections/application/okta_unauthorized_access_to_application.yml b/detections/application/okta_unauthorized_access_to_application.yml
index e7a0ad8897..3fd13107f4 100644
--- a/detections/application/okta_unauthorized_access_to_application.yml
+++ b/detections/application/okta_unauthorized_access_to_application.yml
@@ -61,7 +61,6 @@ tags:
- Authentication.signature
- Authentication.method
- Authentication.src
- risk_score: 81
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/application/okta_user_logins_from_multiple_cities.yml b/detections/application/okta_user_logins_from_multiple_cities.yml
index 9834d29bd2..1a83fae1f0 100644
--- a/detections/application/okta_user_logins_from_multiple_cities.yml
+++ b/detections/application/okta_user_logins_from_multiple_cities.yml
@@ -65,7 +65,6 @@ tags:
- Authentication.signature
- Authentication.method
- Authentication.src
- risk_score: 81
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
index 19b718cce0..9cd7a79de5 100644
--- a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
+++ b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
@@ -79,7 +79,6 @@ tags:
- resources{}.devicemodel
- result.status
- resources{}.websession
- risk_score: 25
security_domain: access
tests:
- name: True Positive Test
@@ -88,4 +87,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log
source: PINGID
sourcetype: _json
- update_timestamp: true
diff --git a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml
index 495f695cde..da9ee85ed8 100644
--- a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml
@@ -59,7 +59,6 @@ tags:
- result.message
- resources{}.devicemodel
- result.status
- risk_score: 50
security_domain: access
tests:
- name: True Positive Test
diff --git a/detections/application/pingid_new_mfa_method_after_credential_reset.yml b/detections/application/pingid_new_mfa_method_after_credential_reset.yml
index 58957a5efe..eb0aa0b38d 100644
--- a/detections/application/pingid_new_mfa_method_after_credential_reset.yml
+++ b/detections/application/pingid_new_mfa_method_after_credential_reset.yml
@@ -75,7 +75,6 @@ tags:
- actors{}.name
- result.message
- resources{}.devicemodel
- risk_score: 50
security_domain: access
tests:
- name: True Positive Test
diff --git a/detections/application/pingid_new_mfa_method_registered_for_user.yml b/detections/application/pingid_new_mfa_method_registered_for_user.yml
index a298ba2b1a..318d798159 100644
--- a/detections/application/pingid_new_mfa_method_registered_for_user.yml
+++ b/detections/application/pingid_new_mfa_method_registered_for_user.yml
@@ -71,7 +71,6 @@ tags:
- result.message
- resources{}.devicemodel
- result.status
- risk_score: 10
security_domain: access
tests:
- name: True Positive Test
@@ -80,4 +79,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log
source: PINGID
sourcetype: _json
- update_timestamp: true
diff --git a/detections/application/suspicious_email_attachment_extensions.yml b/detections/application/suspicious_email_attachment_extensions.yml
index 964deb407c..c61c8454ec 100644
--- a/detections/application/suspicious_email_attachment_extensions.yml
+++ b/detections/application/suspicious_email_attachment_extensions.yml
@@ -58,5 +58,4 @@ tags:
- All_Email.file_name
- All_Email.src_user
- All_Email.message_id
- risk_score: 25
security_domain: network
diff --git a/detections/application/suspicious_java_classes.yml b/detections/application/suspicious_java_classes.yml
index 8244305477..d0ec442488 100644
--- a/detections/application/suspicious_java_classes.yml
+++ b/detections/application/suspicious_java_classes.yml
@@ -55,5 +55,4 @@ tags:
- http_user_agent
- src
- dest
- risk_score: 25
security_domain: threat
diff --git a/detections/application/web_servers_executing_suspicious_processes.yml b/detections/application/web_servers_executing_suspicious_processes.yml
index 86b21aef43..293147c0aa 100644
--- a/detections/application/web_servers_executing_suspicious_processes.yml
+++ b/detections/application/web_servers_executing_suspicious_processes.yml
@@ -56,5 +56,4 @@ tags:
- Processes.process_name
- Processes.dest
- Processes.user
- risk_score: 25
security_domain: endpoint
diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml
index d01cf4389e..0c7c630bc3 100644
--- a/detections/application/windows_ad_add_self_to_group.yml
+++ b/detections/application/windows_ad_add_self_to_group.yml
@@ -37,7 +37,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 50
required_fields:
- EventCode
- user
diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml
index e3099cbb2a..8d6f826ed0 100644
--- a/detections/application/windows_increase_in_group_or_object_modification_activity.yml
+++ b/detections/application/windows_increase_in_group_or_object_modification_activity.yml
@@ -43,7 +43,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 8
required_fields:
- EventCode
- src_user
diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml
index 2f6baf93a7..d188ec5e6a 100644
--- a/detections/application/windows_increase_in_user_modification_activity.yml
+++ b/detections/application/windows_increase_in_user_modification_activity.yml
@@ -44,7 +44,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 8
required_fields:
- EventCode
- src_user
diff --git a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
index 23aa020d39..cbffab719b 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
@@ -57,7 +57,6 @@ tags:
- All_Changes.command
- All_Changes.user
- All_Changes.status
- risk_score: 15
security_domain: network
tests:
- name: True Positive Test
@@ -66,4 +65,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
index a7e7e2e048..1503f40ca1 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
@@ -65,5 +65,4 @@ tags:
- All_Changes.status
- All_Changes.object_category
- All_Changes.user
- risk_score: 25
security_domain: cloud
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
index 5dde904f38..b4efaee13e 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
@@ -61,5 +61,4 @@ tags:
- All_Changes.status
- All_Changes.object_category
- All_Changes.user
- risk_score: 25
security_domain: cloud
diff --git a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
index 8eb7b0254b..33223d86ea 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
@@ -58,7 +58,6 @@ tags: - All_Changes.object_category - All_Changes.status - All_Changes.user - risk_score: 15 security_domain: network tests: - name: True Positive Test
@@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml b/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml
index f9ea6826ae..2900497568 100644
--- a/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml
+++ b/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml
@@ -55,5 +55,4 @@ tags: - requestURI - src_ip - user.groups{} - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml b/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml
index fade7ab0fe..b5bce47615 100644
--- a/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml
+++ b/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml
@@ -52,5 +52,4 @@ tags: - userAgent - src_ip - user.groups{} - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
index 2edc3ae569..8eec72b3bf 100644
--- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
@@ -67,7 +67,6 @@ tags: - src_endpoint.ip - src_endpoint.domain - cloud.region - risk_score: 42 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
index 4b958baf05..41551ee4f0 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
@@ -60,7 +60,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
index c9b279013a..fdef1fa90f 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
@@ -61,7 +61,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
index 5dd6005f28..ccf02cba52 100644
--- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
+++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
@@ -65,7 +65,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 42 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
index 387645fba2..c1b9563204 100644
--- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -58,7 +58,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
index ec7ec60f93..dd3d3d2de3 100644
--- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
@@ -57,7 +57,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
index 731dd5a167..6379d744df 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
@@ -55,7 +55,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
index a9eba13166..6e1f57eb40 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
@@ -55,7 +55,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml
index 102a00c7cf..b13602482d 100644
--- a/detections/cloud/asl_aws_iam_delete_policy.yml
+++ b/detections/cloud/asl_aws_iam_delete_policy.yml
@@ -62,7 +62,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 10 security_domain: access tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index e3395a75e4..9f650e84cd 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -59,7 +59,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 5 security_domain: cloud tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
index cb8780a39b..92d21ca2d3 100644
--- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
@@ -57,7 +57,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 5 security_domain: cloud tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
index eb58b23a3a..c6aa70c42e 100644
--- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
@@ -65,7 +65,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 64 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
index 526f66fd1c..65668d9b03 100644
--- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
@@ -64,7 +64,6 @@ tags: - http_request.user_agent - src_endpoint.ip - cloud.region - risk_score: 64 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
index 6737f239da..a61777aeda 100644
--- a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
+++ b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
@@ -68,7 +68,6 @@ tags: - vendor_region - user_agent - userIdentity.principalId - risk_score: 80 security_domain: threat tests: - name: True Positive Test
@@ -77,4 +76,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
index 7ba859e18e..1f638b9f22 100644
--- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
@@ -60,7 +60,6 @@ tags: - user_arn - aws_account_id - src_ip - risk_score: 42 security_domain: threat tests: - name: True Positive Test
@@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
index 49099d57ac..b31d1ffa8d 100644
--- a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
+++ b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
@@ -65,7 +65,6 @@ tags: - awsRegion - user_name - userIdentity.arn - risk_score: 64 security_domain: threat tests: - name: True Positive Test
@@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
index e769fabfc5..40d1c99286 100644
--- a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
+++ b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
@@ -61,7 +61,6 @@ tags: - aws_account_id - awsRegion - eventID - risk_score: 49 security_domain: network tests: - name: True Positive Test
@@ -70,4 +69,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_createaccesskey.yml b/detections/cloud/aws_createaccesskey.yml
index f9bc4065ea..d9b671ddae 100644
--- a/detections/cloud/aws_createaccesskey.yml
+++ b/detections/cloud/aws_createaccesskey.yml
@@ -57,7 +57,6 @@ tags: - userAgent - errorCode - requestParameters.userName - risk_score: 63 security_domain: network tests: - name: True Positive Test
@@ -66,4 +65,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_createloginprofile.yml b/detections/cloud/aws_createloginprofile.yml
index d63313a420..19b0e3fb92 100644
--- a/detections/cloud/aws_createloginprofile.yml
+++ b/detections/cloud/aws_createloginprofile.yml
@@ -59,7 +59,6 @@ tags: - userAgent - errorCode - requestParameters.userName - risk_score: 72 security_domain: network tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_credential_access_failed_login.yml b/detections/cloud/aws_credential_access_failed_login.yml
index 502061bce0..61164cc426 100644
--- a/detections/cloud/aws_credential_access_failed_login.yml
+++ b/detections/cloud/aws_credential_access_failed_login.yml
@@ -60,7 +60,6 @@ tags: - dest - user - user_id - risk_score: 49 security_domain: threat tests: - name: True Positive Test
@@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_credential_access_getpassworddata.yml b/detections/cloud/aws_credential_access_getpassworddata.yml
index 2e0929ead7..2b1f50c62d 100644
--- a/detections/cloud/aws_credential_access_getpassworddata.yml
+++ b/detections/cloud/aws_credential_access_getpassworddata.yml
@@ -63,7 +63,6 @@ tags: - userIdentity.accountId - sourceIPAddress - awsRegion - risk_score: 49 security_domain: threat tests: - name: True Positive Test
@@ -72,4 +71,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/aws_getpassworddata/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_credential_access_rds_password_reset.yml b/detections/cloud/aws_credential_access_rds_password_reset.yml
index 542a8622a7..1cb6100db9 100644
--- a/detections/cloud/aws_credential_access_rds_password_reset.yml
+++ b/detections/cloud/aws_credential_access_rds_password_reset.yml
@@ -56,7 +56,6 @@ tags: - userAgent - sourceIPAddress - awsRegion - risk_score: 49 security_domain: threat tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
index 9e71e4ecdd..e7097afb5f 100644
--- a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
+++ b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
@@ -64,7 +64,6 @@ tags: - Authentication.user - Authentication.user_role - Authentication.src - risk_score: 15 security_domain: network tests: - name: True Positive Test
@@ -73,4 +72,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
index e06a095bef..3305f00009 100644
--- a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
@@ -59,7 +59,6 @@ tags: - aws_account_id - src - region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
index 3867484e20..c0cb25f209 100644
--- a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
+++ b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
@@ -59,7 +59,6 @@ tags: - aws_account_id - src - region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_defense_evasion_impair_security_services.yml b/detections/cloud/aws_defense_evasion_impair_security_services.yml
index df7ea110b8..46c32bb7d7 100644
--- a/detections/cloud/aws_defense_evasion_impair_security_services.yml
+++ b/detections/cloud/aws_defense_evasion_impair_security_services.yml
@@ -70,7 +70,6 @@ tags: - src - region - errorCode - risk_score: 42 security_domain: threat tests: - name: True Positive Test
@@ -79,4 +78,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml
index acb04a8e34..531b1774a4 100644
--- a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml
+++ b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml
@@ -63,7 +63,6 @@ tags: - region - requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days - requestParameters{}.bucketName - risk_score: 20 security_domain: threat tests: - name: True Positive Test
@@ -72,4 +71,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
index 67ff658ff1..bcda86866c 100644
--- a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -59,7 +59,6 @@ tags: - aws_account_id - src - region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
index 98568672ed..560d2c6156 100644
--- a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
@@ -59,7 +59,6 @@ tags: - aws_account_id - src - region - risk_score: 90 security_domain: threat tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_detect_attach_to_role_policy.yml b/detections/cloud/aws_detect_attach_to_role_policy.yml
index 4d13f690fb..a96a84b413 100644
--- a/detections/cloud/aws_detect_attach_to_role_policy.yml
+++ b/detections/cloud/aws_detect_attach_to_role_policy.yml
@@ -45,5 +45,4 @@ tags: required_fields: - _time - requestParameters.policyArn - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/aws_detect_permanent_key_creation.yml b/detections/cloud/aws_detect_permanent_key_creation.yml
index 005a731001..0c2c051aac 100644
--- a/detections/cloud/aws_detect_permanent_key_creation.yml
+++ b/detections/cloud/aws_detect_permanent_key_creation.yml
@@ -51,5 +51,4 @@ tags: - responseElements.accessKey.createDate - esponseElements.accessKey.status - responseElements.accessKey.accessKeyId - risk_score: 25 security_domain: threat
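Review bot: The required_fields context kept on the new side of the aws_detect_permanent_key_creation.yml hunk still lists `esponseElements.accessKey.status`, a truncated field name that should read `responseElements.accessKey.status` to match the neighbouring `responseElements.accessKey.createDate` and `responseElements.accessKey.accessKeyId` entries. The same truncation appears twice in the aws_detect_sts_assume_role_abuse.yml hunk that follows (`esponseElements.role.roleName`, `esponseElements.role.createDate`), where `requestParameters.roleName` beside them shows the intended form. A commit whose purpose is to catch erroneously included fields is a natural place to fix these, since anything that validates or documents required_fields will otherwise carry a field name that no CloudTrail event has. The hunks only remove `risk_score`; the enclosing tags block starts outside them.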
diff --git a/detections/cloud/aws_detect_role_creation.yml b/detections/cloud/aws_detect_role_creation.yml
index 7e70f272a7..d6d1279b3e 100644
--- a/detections/cloud/aws_detect_role_creation.yml
+++ b/detections/cloud/aws_detect_role_creation.yml
@@ -60,5 +60,4 @@ tags: - requestParameters.description - responseElements.role.arn - responseElements.role.createDate - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/aws_detect_sts_assume_role_abuse.yml b/detections/cloud/aws_detect_sts_assume_role_abuse.yml
index 6403001fd3..1a1985d747 100644
--- a/detections/cloud/aws_detect_sts_assume_role_abuse.yml
+++ b/detections/cloud/aws_detect_sts_assume_role_abuse.yml
@@ -55,5 +55,4 @@ tags: - requestParameters.roleName - esponseElements.role.roleName - esponseElements.role.createDate - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/aws_detect_sts_get_session_token_abuse.yml b/detections/cloud/aws_detect_sts_get_session_token_abuse.yml
index 397db53297..f7df6ebd57 100644
--- a/detections/cloud/aws_detect_sts_get_session_token_abuse.yml
+++ b/detections/cloud/aws_detect_sts_get_session_token_abuse.yml
@@ -53,5 +53,4 @@ tags: - user_type - status - region - risk_score: 25 security_domain: threat
diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index ffdd1b1caa..e40131925b 100644
--- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -59,7 +59,6 @@ tags: - awsRegion - requestParameters.policy - userIdentity.principalId - risk_score: 25 security_domain: threat tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
index 75dbada08b..5460320eeb 100644
--- a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
+++ b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
@@ -56,7 +56,6 @@ tags: - requestParameters.key - userAgent - region - risk_score: 15 security_domain: threat tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/s3_file_encryption/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_disable_bucket_versioning.yml b/detections/cloud/aws_disable_bucket_versioning.yml
index a130e3a2ab..9d52285cc2 100644
--- a/detections/cloud/aws_disable_bucket_versioning.yml
+++ b/detections/cloud/aws_disable_bucket_versioning.yml
@@ -64,7 +64,6 @@ tags: - sourceLocationArn - userAgent - userIdentity.principalId - risk_score: 64 security_domain: threat tests: - name: True Positive Test
@@ -73,4 +72,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_ec2_snapshot_shared_externally.yml b/detections/cloud/aws_ec2_snapshot_shared_externally.yml
index e87c9dcd55..228f6ed9a7 100644
--- a/detections/cloud/aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/aws_ec2_snapshot_shared_externally.yml
@@ -66,7 +66,6 @@ tags: - vendor_region - user_agent - userIdentity.principalId - risk_score: 48 security_domain: threat tests: - name: True Positive Test
@@ -75,4 +74,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_high.yml b/detections/cloud/aws_ecr_container_scanning_findings_high.yml
index 3b0b605b0b..927f89e412 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_high.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_high.yml
@@ -64,7 +64,6 @@ tags: - user - userName - src_ip - risk_score: 70 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
index 2a14d2d741..47bc8e570e 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
@@ -63,7 +63,6 @@ tags: - user - userName - src_ip - risk_score: 5 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
index ea803e9fe5..5a46746f89 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
@@ -62,7 +62,6 @@ tags: - user - userName - src_ip - risk_score: 21 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
index a716f748f7..e3406ce5d1 100644
--- a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
@@ -60,7 +60,6 @@ tags: - user - userName - src_ip - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/aws_ecr_container_upload_unknown_user.yml b/detections/cloud/aws_ecr_container_upload_unknown_user.yml
index 3f9a5c86ae..14373cfa95 100644
--- a/detections/cloud/aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/aws_ecr_container_upload_unknown_user.yml
@@ -58,7 +58,6 @@ tags: - user - userName - src_ip - risk_score: 49 security_domain: network tests: - name: True Positive Test
diff --git a/detections/cloud/aws_excessive_security_scanning.yml b/detections/cloud/aws_excessive_security_scanning.yml
index 7484b37d82..5597dbd8ba 100644
--- a/detections/cloud/aws_excessive_security_scanning.yml
+++ b/detections/cloud/aws_excessive_security_scanning.yml
@@ -54,7 +54,6 @@ tags: - userAgent - user - userIdentity.arn - risk_score: 18 security_domain: network tests: - name: True Positive Test
@@ -63,4 +62,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
index 3124872c30..d10f69884b 100644
--- a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
+++ b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
@@ -61,7 +61,6 @@ tags: - aws_account_id - userAgent - userIdentity.principalId - risk_score: 64 security_domain: threat tests: - name: True Positive Test
@@ -70,4 +69,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_exfiltration_via_batch_service.yml b/detections/cloud/aws_exfiltration_via_batch_service.yml
index 5bbdcec9a0..d3b35c9da1 100644
--- a/detections/cloud/aws_exfiltration_via_batch_service.yml
+++ b/detections/cloud/aws_exfiltration_via_batch_service.yml
@@ -56,7 +56,6 @@ tags: - src_ip - aws_account_id - userAgent - risk_score: 64 security_domain: threat tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_exfiltration_via_bucket_replication.yml b/detections/cloud/aws_exfiltration_via_bucket_replication.yml
index aa548db71f..cc2de2adca 100644
--- a/detections/cloud/aws_exfiltration_via_bucket_replication.yml
+++ b/detections/cloud/aws_exfiltration_via_bucket_replication.yml
@@ -63,7 +63,6 @@ tags: - vendor_region - user_agent - userIdentity.principalId - risk_score: 64 security_domain: threat tests: - name: True Positive Test
@@ -72,4 +71,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_exfiltration_via_datasync_task.yml b/detections/cloud/aws_exfiltration_via_datasync_task.yml
index 1de0cebcc1..5d6dfa47e6 100644
--- a/detections/cloud/aws_exfiltration_via_datasync_task.yml
+++ b/detections/cloud/aws_exfiltration_via_datasync_task.yml
@@ -65,7 +65,6 @@ tags: - sourceLocationArn - userAgent - userIdentity.principalId - risk_score: 64 security_domain: threat tests: - name: True Positive Test
@@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
index 376e9183dd..219dfc8c3f 100644
--- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
+++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
@@ -75,7 +75,6 @@ tags: - user_agent - userIdentity.principalId - requestParameters.createVolumePermission.add.items{}.userId - risk_score: 64 security_domain: threat tests: - name: True Positive Test
@@ -84,4 +83,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
index 5069058793..c6e172f3e2 100644
--- a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
@@ -54,7 +54,6 @@ tags: - user_arn - aws_account_id - src_ip - risk_score: 35 security_domain: threat tests: - name: True Positive Test
@@ -63,4 +62,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
index 91eb702c21..5144655778 100644
--- a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
@@ -55,7 +55,6 @@ tags: - action - eventName - src_ip - risk_score: 54 security_domain: threat tests: - name: True Positive Test
@@ -64,4 +63,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
index 774352e523..fd4b523a09 100644
--- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
@@ -56,7 +56,6 @@ tags: - userAgent - errorCode - userIdentity.type - risk_score: 10 security_domain: access tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true
diff --git a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
index 63ae1f0062..f1ca3ce424 100644
--- a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
@@ -61,7 +61,6 @@ tags: - userAgent - errorCode - requestParameters.policyName - risk_score: 28 security_domain: access tests: - name: True Positive Test
@@ -70,4 +69,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/aws_iam_assume_role_policy_brute_force.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_iam_delete_policy.yml b/detections/cloud/aws_iam_delete_policy.yml
index c65260764b..84741dd149 100644
--- a/detections/cloud/aws_iam_delete_policy.yml
+++ b/detections/cloud/aws_iam_delete_policy.yml
@@ -59,7 +59,6 @@ tags:
- userAgent
- errorCode
- requestParameters.policyArn
- risk_score: 10
security_domain: access
tests:
- name: True Positive Test
@@ -68,4 +67,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml
index 1897919347..27bca23a6c 100644
--- a/detections/cloud/aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/aws_iam_failure_group_deletion.yml
@@ -59,7 +59,6 @@ tags:
- userAgent
- errorCode
- requestParameters.groupName
- risk_score: 5
security_domain: cloud
tests:
- name: True Positive Test
@@ -68,4 +67,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_iam_successful_group_deletion.yml b/detections/cloud/aws_iam_successful_group_deletion.yml
index 4f2f102188..fb9f836dab 100644
--- a/detections/cloud/aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/aws_iam_successful_group_deletion.yml
@@ -64,7 +64,6 @@ tags:
- userAgent
- errorCode
- requestParameters.groupName
- risk_score: 5
security_domain: cloud
tests:
- name: True Positive Test
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_lambda_updatefunctioncode.yml b/detections/cloud/aws_lambda_updatefunctioncode.yml
index 978dc2da1c..b782c29880 100644
--- a/detections/cloud/aws_lambda_updatefunctioncode.yml
+++ b/detections/cloud/aws_lambda_updatefunctioncode.yml
@@ -53,7 +53,6 @@ tags:
- eventName
- userAgent
- errorCode
- risk_score: 63
security_domain: cloud
tests:
- name: True Positive Test
@@ -62,4 +61,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_multi_factor_authentication_disabled.yml b/detections/cloud/aws_multi_factor_authentication_disabled.yml
index ca298fb049..8845dbcedb 100644
--- a/detections/cloud/aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/aws_multi_factor_authentication_disabled.yml
@@ -69,7 +69,6 @@ tags:
- awsRegion
- user_name
- userIdentity.arn
- risk_score: 64
security_domain: threat
tests:
- name: True Positive Test
@@ -78,4 +77,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/cloudtrail.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
index 9252883794..0b043dea5c 100644
--- a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
@@ -62,7 +62,6 @@ tags:
- awsRegion
- user_name
- userIdentity.arn
- risk_score: 64
security_domain: threat
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
index 4073132f6f..5d0289df26 100644
--- a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
@@ -59,7 +59,6 @@ tags:
- action
- eventName
- src_ip
- risk_score: 54
security_domain: threat
manual_test: This search needs a specific number of events in a time window for the alert to trigger and events split up in CI testing while updating timestamp.
diff --git a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
index 9ff1aab050..9d34389a75 100644
--- a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
+++ b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
@@ -69,7 +69,6 @@ tags:
- userName
- userIdentity.principalId
- userAgent
- risk_score: 48
security_domain: network
tests:
- name: True Positive Test
@@ -78,4 +77,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_network_access_control_list_deleted.yml b/detections/cloud/aws_network_access_control_list_deleted.yml
index f0c511b5a3..2f022a8fe8 100644
--- a/detections/cloud/aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/aws_network_access_control_list_deleted.yml
@@ -56,7 +56,6 @@ tags:
- userIdentity.principalId
- src
- userAgent
- risk_score: 5
security_domain: network
tests:
- name: True Positive Test
@@ -65,4 +64,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
index 2abb607440..c5b037ffdd 100644
--- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
@@ -63,7 +63,6 @@ tags:
- user_name
- userIdentity.arn
- _time
- risk_score: 64
security_domain: identity
tests:
- name: True Positive Test
@@ -72,4 +71,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/cloudtrail.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_password_policy_changes.yml b/detections/cloud/aws_password_policy_changes.yml
index 913ce9b858..68579b64ba 100644
--- a/detections/cloud/aws_password_policy_changes.yml
+++ b/detections/cloud/aws_password_policy_changes.yml
@@ -63,7 +63,6 @@ tags:
- user_arn
- aws_account_id
- src_ip
- risk_score: 72
security_domain: threat
tests:
- name: True Positive Test
@@ -72,4 +71,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/cloudtrail.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
index 9c7d68f30e..3e5782d377 100644
--- a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
+++ b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
@@ -61,7 +61,6 @@ tags:
- All_Risk.annotations.mitre_attack.mitre_tactic
- All_Risk.calculated_risk_score
- source
- risk_score: 81
security_domain: threat
tests:
- name: True Positive Test
@@ -70,4 +69,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log
sourcetype: stash
source: aws_exfil
- update_timestamp: true
diff --git a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
index 949c17ac09..01dedc6789 100644
--- a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
+++ b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
@@ -66,7 +66,6 @@ tags:
- responseElements.issuer
- sourceIPAddress
- userAgent
- risk_score: 64
security_domain: threat
tests:
- name: True Positive Test
@@ -75,4 +74,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml
index d1da02fe30..9f126b3148 100644
--- a/detections/cloud/aws_saml_update_identity_provider.yml
+++ b/detections/cloud/aws_saml_update_identity_provider.yml
@@ -62,7 +62,6 @@ tags:
- sourceIPAddress
- userIdentity.accessKeyId
- userIdentity.principalId
- risk_score: 64
security_domain: threat
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_setdefaultpolicyversion.yml b/detections/cloud/aws_setdefaultpolicyversion.yml
index fd4ef5cde3..d8d101bbd1 100644
--- a/detections/cloud/aws_setdefaultpolicyversion.yml
+++ b/detections/cloud/aws_setdefaultpolicyversion.yml
@@ -59,7 +59,6 @@ tags:
- errorCode
- requestParameters.userName
- eventSource
- risk_score: 30
security_domain: threat
tests:
- name: True Positive Test
@@ -68,4 +67,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
index 7e324252e3..4a26ea582e 100644
--- a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
+++ b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
@@ -55,7 +55,6 @@ tags:
- userAgent
- src_ip
- user_arn
- risk_score: 72
security_domain: threat
tests:
- name: True Positive Test
@@ -64,4 +63,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/cloudtrail.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_successful_single_factor_authentication.yml b/detections/cloud/aws_successful_single_factor_authentication.yml
index 762f71e260..c0e6a2ec1b 100644
--- a/detections/cloud/aws_successful_single_factor_authentication.yml
+++ b/detections/cloud/aws_successful_single_factor_authentication.yml
@@ -65,7 +65,6 @@ tags:
- awsRegion
- user_name
- userIdentity.arn
- risk_score: 64
security_domain: threat
tests:
- name: True Positive Test
@@ -74,4 +73,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/aws_login_sfa/cloudtrail.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
index f7fb8db8f0..99a6d33862 100644
--- a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
@@ -61,7 +61,6 @@ tags:
- action
- eventName
- src_ip
- risk_score: 54
security_domain: threat
tests:
- name: True Positive Test
@@ -70,4 +69,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json
source: aws_cloudtrail
sourcetype: aws:cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/aws_updateloginprofile.yml b/detections/cloud/aws_updateloginprofile.yml
index 1ff20b3915..ed5d453f81 100644
--- a/detections/cloud/aws_updateloginprofile.yml
+++ b/detections/cloud/aws_updateloginprofile.yml
@@ -59,7 +59,6 @@ tags:
- userAgent
- errorCode
- requestParameters.userName
- risk_score: 30
security_domain: threat
tests:
- name: True Positive Test
@@ -68,4 +67,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml
index 7f07462ef4..7dd09b3ece 100644
--- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml
+++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml
@@ -64,7 +64,6 @@ tags:
- properties.activity
- properties.riskEventType
- properties.additionalInfo
- risk_score: 54
security_domain: identity
tests:
- name: True Positive Test
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
index 9080e4aaef..8f39a0a0da 100644
--- a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
+++ b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
@@ -65,7 +65,6 @@ tags:
- operationName
- targetResources{}.modifiedProperties{}.newValue
- targetResources{}.id
- risk_score: 54
security_domain: identity
tests:
- name: True Positive Test
@@ -74,4 +73,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
index f527f11123..059b4988bc 100644
--- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
@@ -64,7 +64,6 @@ tags:
- properties.targetResources{}.type
- properties.initiatedBy.user.userPrincipalName
- properties.result
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
index 86627df216..56e8e559a4 100644
--- a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
+++ b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
@@ -64,7 +64,6 @@ tags:
- properties.status.additionalDetails
- properties.appDisplayName
- properties.userAgent
- risk_score: 54
security_domain: identity
tests:
- name: True Positive Test
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azuread/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml
index 75171daea3..82e75d5f1a 100644
--- a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml
+++ b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml
@@ -58,7 +58,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 30
required_fields:
- _time
- operationName
diff --git a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
index dc0b061ef5..e101681507 100644
--- a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
@@ -63,7 +63,6 @@ tags:
- properties.authenticationDetails
- user
- src_ip
- risk_score: 42
security_domain: threat
tests:
- name: True Positive Test
@@ -72,4 +71,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_device_code_authentication.yml b/detections/cloud/azure_ad_device_code_authentication.yml
index 9bf37ac615..042b5a76fc 100644
--- a/detections/cloud/azure_ad_device_code_authentication.yml
+++ b/detections/cloud/azure_ad_device_code_authentication.yml
@@ -57,7 +57,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 35
required_fields:
- _time
- category
diff --git a/detections/cloud/azure_ad_external_guest_user_invited.yml b/detections/cloud/azure_ad_external_guest_user_invited.yml
index ccd54623f8..8753183675 100644
--- a/detections/cloud/azure_ad_external_guest_user_invited.yml
+++ b/detections/cloud/azure_ad_external_guest_user_invited.yml
@@ -58,7 +58,6 @@ tags:
- properties.targetResources{}.type
- properties.initiatedBy.user.userPrincipalName
- properties.result
- risk_score: 45
security_domain: threat
tests:
- name: True Positive Test
@@ -67,4 +66,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml
index 74b8cac346..ac5bd5e880 100644
--- a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml
+++ b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml
@@ -59,7 +59,6 @@ tags:
- Splunk Cloud
required_fields:
- _time
- risk_score: 48
security_domain: threat
tests:
- name: True Positive Test
@@ -68,4 +67,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
index a97e7be545..d6d7093791 100644
--- a/detections/cloud/azure_ad_global_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
@@ -66,7 +66,6 @@ tags:
- properties.targetResources{}.type
- properties.initiatedBy.user.userPrincipalName
- properties.result
- risk_score: 72
security_domain: threat
tests:
- name: True Positive Test
@@ -75,4 +74,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
index 98b05d1f52..877844db3f 100644
--- a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
@@ -58,7 +58,6 @@ tags:
- properties.authenticationDetails
- user
- properties.ipAddress
- risk_score: 35
security_domain: identity
tests:
- name: True Positive Test
@@ -67,4 +66,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
index 3e5a6654a5..f985a893e6 100644
--- a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
@@ -64,7 +64,6 @@ tags:
- properties.authenticationDetails
- user
- src_ip
- risk_score: 35
security_domain: identity
tests:
- name: True Positive Test
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
index d02e86cbd9..55ae31e93c 100644
--- a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
@@ -62,7 +62,6 @@ tags:
- properties.targetResources{}.type
- properties.initiatedBy.user.userPrincipalName
- properties.result
- risk_score: 45
security_domain: identity
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/azuread/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
index e96759611d..2cba7733d1 100644
--- a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
+++ b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
@@ -70,7 +70,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 42
required_fields:
- _time
- category
diff --git a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
index 4c973afffd..9908e8cc25 100644
--- a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
+++ b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
@@ -56,7 +56,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 48
required_fields:
- _time
- category
diff --git a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
index 6889ecefd9..df92b2a1ab 100644
--- a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
+++ b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
@@ -54,7 +54,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 54
required_fields:
- _time
- category
diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
index e56b196c40..ca0abf45a0 100644
--- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
@@ -66,7 +66,6 @@ tags:
- user
- user_agent
- operationName
- risk_score: 54
security_domain: identity
tests:
- name: True Positive Test
@@ -75,4 +74,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
index 407709ae8c..2c77987d52 100644
--- a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
+++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Cloud
required_fields:
- _time
- risk_score: 42
security_domain: identity
tests:
- name: True Positive Test
@@ -62,5 +61,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
index bb71615da5..98570ba0e2 100644
--- a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
+++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
@@ -56,7 +56,6 @@ tags:
- properties.initiatedBy.user.id
- targetResources{}.displayName
- src_user
- risk_score: 42
security_domain: identity
tests:
- name: True Positive Test
@@ -65,5 +64,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
index 3b4582fc2e..4afb700009 100644
--- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
@@ -65,7 +65,6 @@ tags:
- properties.authenticationDetails
- user
- user_agent
- risk_score: 63
security_domain: identity
tests:
- name: True Positive Test
@@ -74,4 +73,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_new_custom_domain_added.yml b/detections/cloud/azure_ad_new_custom_domain_added.yml
index 9699b2bed5..aebb58f86c 100644
--- a/detections/cloud/azure_ad_new_custom_domain_added.yml
+++ b/detections/cloud/azure_ad_new_custom_domain_added.yml
@@ -60,7 +60,6 @@ tags:
- src_ip
- properties.targetResources{}.displayName
- user
- risk_score: 54
security_domain: threat
tests:
- name: True Positive Test
@@ -69,4 +68,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_new_federated_domain_added.yml b/detections/cloud/azure_ad_new_federated_domain_added.yml
index a0b3cad525..78c64b864e 100644
--- a/detections/cloud/azure_ad_new_federated_domain_added.yml
+++ b/detections/cloud/azure_ad_new_federated_domain_added.yml
@@ -58,7 +58,6 @@ tags:
- src_ip
- properties.targetResources{}.displayName
- user
- risk_score: 81
security_domain: threat
tests:
- name: True Positive Test
@@ -67,4 +66,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_new_mfa_method_registered.yml b/detections/cloud/azure_ad_new_mfa_method_registered.yml
index 601fed445a..90e70aad4a 100644
--- a/detections/cloud/azure_ad_new_mfa_method_registered.yml
+++ b/detections/cloud/azure_ad_new_mfa_method_registered.yml
@@ -61,7 +61,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 30
required_fields:
- _time
- operationName
diff --git a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
index e0e0bd3bc5..9c92bb87ea 100644
--- a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
@@ -64,7 +64,6 @@ tags:
- resultDescription
- result
- src_ip
- risk_score: 64
security_domain: identity
tests:
- name: True Positive Test
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml
index 3e4b3baed2..9203a06f43 100644
--- a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml
+++ b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml
@@ -61,7 +61,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 36
required_fields:
- _time
- operationName
diff --git a/detections/cloud/azure_ad_pim_role_assigned.yml b/detections/cloud/azure_ad_pim_role_assigned.yml
index 6d4ea20cdb..d78188c720 100644
--- a/detections/cloud/azure_ad_pim_role_assigned.yml
+++ b/detections/cloud/azure_ad_pim_role_assigned.yml
@@ -50,7 +50,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 35
required_fields:
- _time
- properties
diff --git a/detections/cloud/azure_ad_pim_role_assignment_activated.yml b/detections/cloud/azure_ad_pim_role_assignment_activated.yml
index e87d24a8b2..4411920a46 100644
--- a/detections/cloud/azure_ad_pim_role_assignment_activated.yml
+++ b/detections/cloud/azure_ad_pim_role_assignment_activated.yml
@@ -58,7 +58,6 @@ tags:
- user
- initiatedBy.user.userPrincipalName
- result
- risk_score: 35
security_domain: identity
tests:
- name: True Positive Test
diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
index f0c6deb71a..0b2b00423e 100644
--- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
@@ -60,7 +60,6 @@ tags:
- properties.targetResources{}.type
- properties.initiatedBy.user.userPrincipalName
- properties.result
- risk_score: 50
security_domain: identity
tests:
- name: True Positive Test
@@ -69,4 +68,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml
index 36832caf61..754ad5e279 100644
--- a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml
@@ -58,7 +58,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 54
required_fields:
- _time
- category
@@ -75,4 +74,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml
index 9d7a02ef8f..ee0572492d 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned.yml
@@ -70,7 +70,6 @@ tags:
- properties.targetResources{}.type
- properties.initiatedBy.user.userPrincipalName
- properties.result
- risk_score: 63
security_domain: audit
tests:
- name: True Positive Test
@@ -79,4 +78,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
index 3022a4b9fd..11462a4cb3 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
@@ -59,7 +59,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 35
required_fields:
- _time
- properties.targetResources{}.type
@@ -73,4 +72,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_service_principal_authentication.yml b/detections/cloud/azure_ad_service_principal_authentication.yml
index e357d5d3cb..19a93a6747 100644
--- a/detections/cloud/azure_ad_service_principal_authentication.yml
+++ b/detections/cloud/azure_ad_service_principal_authentication.yml
@@ -64,7 +64,6 @@ tags:
 - user
 - src_ip
 - user_id
- risk_score: 25
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -73,4 +72,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_service_principal_created.yml b/detections/cloud/azure_ad_service_principal_created.yml
index 174a84df04..b2a819b2b5 100644
--- a/detections/cloud/azure_ad_service_principal_created.yml
+++ b/detections/cloud/azure_ad_service_principal_created.yml
@@ -58,7 +58,6 @@ tags:
 - properties.targetResources{}.type
 - user
 - properties.result
- risk_score: 45
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -67,4 +66,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
index 6ba133cdc3..95b750243e 100644
--- a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
+++ b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
@@ -77,7 +77,6 @@ tags:
 - properties.targetResources{}.displayName
 - properties.targetResources{}.modifiedProperties{}.newValue
 - src_ip
- risk_score: 35
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -86,4 +85,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml
index 104b919d26..ce597802df 100644
--- a/detections/cloud/azure_ad_service_principal_owner_added.yml
+++ b/detections/cloud/azure_ad_service_principal_owner_added.yml
@@ -62,7 +62,6 @@ tags:
 - properties.targetResources{}.userPrincipalName
 - properties.targetResources{}.modifiedProperties{}.newValue
 - properties.result
- risk_score: 54
 security_domain: audit
 tests:
 - name: True Positive Test
@@ -71,4 +70,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
index 01ce2310b9..e5e5e8bab1 100644
--- a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
+++ b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
@@ -65,7 +65,6 @@ tags:
 - user
 - src_ip
 - properties.appDisplayName
- risk_score: 56
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -74,4 +73,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_successful_powershell_authentication.yml b/detections/cloud/azure_ad_successful_powershell_authentication.yml
index eeb37fcfc7..c1dc2a7b9d 100644
--- a/detections/cloud/azure_ad_successful_powershell_authentication.yml
+++ b/detections/cloud/azure_ad_successful_powershell_authentication.yml
@@ -65,7 +65,6 @@ tags:
 - src_ip
 - properties.appDisplayName
 - properties.userAgent
- risk_score: 54
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -74,4 +73,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_successful_single_factor_authentication.yml b/detections/cloud/azure_ad_successful_single_factor_authentication.yml
index dd84988f4c..f04609ce4e 100644
--- a/detections/cloud/azure_ad_successful_single_factor_authentication.yml
+++ b/detections/cloud/azure_ad_successful_single_factor_authentication.yml
@@ -62,7 +62,6 @@ tags:
 - user
 - src_ip
 - properties.appDisplayName
- risk_score: 45
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -71,4 +70,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml
index e84950d54b..0a29744d22 100644
--- a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml
+++ b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml
@@ -58,7 +58,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 45
 required_fields:
 - _time
 - operationName
diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
index c6061000f6..bdbd0ce9b8 100644
--- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
@@ -67,7 +67,6 @@ tags:
 - properties.authenticationDetails
 - properties.userPrincipalName
 - properties.ipAddress
- risk_score: 54
 security_domain: access
 tests:
 - name: True Positive Test
@@ -76,4 +75,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml
index 188c0831f2..10a07b7a7c 100644
--- a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml
+++ b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml
@@ -65,7 +65,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 30
 required_fields:
 - _time
 - operationName
diff --git a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
index 3d0fd1b1a6..7181d5453e 100644
--- a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
+++ b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
@@ -52,7 +52,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 36
 required_fields:
 - _time
 - operationName
diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
index 6827fe05be..95d9465812 100644
--- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
+++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
@@ -61,7 +61,6 @@ tags:
 - user
 - properties.initiatedBy.user.userPrincipalName
 - properties.result
- risk_score: 45
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -70,4 +69,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
index 4d389d1b08..7f27ec8994 100644
--- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
+++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
@@ -61,7 +61,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 45
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -70,4 +69,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log
 source: Azure AD
 sourcetype: azure:monitor:aad
- update_timestamp: true
diff --git a/detections/cloud/azure_automation_account_created.yml b/detections/cloud/azure_automation_account_created.yml
index af5fb1430f..9b4adcdbdf 100644
--- a/detections/cloud/azure_automation_account_created.yml
+++ b/detections/cloud/azure_automation_account_created.yml
@@ -62,7 +62,6 @@ tags:
 - claims.ipaddr
 - resourceGroupName
 - object_path
- risk_score: 63
 security_domain: audit
 tests:
 - name: True Positive Test
@@ -71,4 +70,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log
 source: mscs:azure:audit
 sourcetype: mscs:azure:audit
- update_timestamp: true
diff --git a/detections/cloud/azure_automation_runbook_created.yml b/detections/cloud/azure_automation_runbook_created.yml
index 3c1cfeb265..c376d40b18 100644
--- a/detections/cloud/azure_automation_runbook_created.yml
+++ b/detections/cloud/azure_automation_runbook_created.yml
@@ -62,7 +62,6 @@ tags:
 - claims.ipaddr
 - resourceGroupName
 - object_path
- risk_score: 63
 security_domain: audit
 tests:
 - name: True Positive Test
@@ -71,4 +70,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log
 source: mscs:azure:audit
 sourcetype: mscs:azure:audit
- update_timestamp: true
diff --git a/detections/cloud/azure_runbook_webhook_created.yml b/detections/cloud/azure_runbook_webhook_created.yml
index 28fc9c5694..6f9fd6e0d1 100644
--- a/detections/cloud/azure_runbook_webhook_created.yml
+++ b/detections/cloud/azure_runbook_webhook_created.yml
@@ -62,7 +62,6 @@ tags:
 - claims.ipaddr
 - resourceGroupName
 - object_path
- risk_score: 63
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -71,4 +70,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log
 source: mscs:azure:audit
 sourcetype: mscs:azure:audit
- update_timestamp: true
diff --git a/detections/cloud/circle_ci_disable_security_job.yml b/detections/cloud/circle_ci_disable_security_job.yml
index 455ff6f326..b397385b5b 100644
--- a/detections/cloud/circle_ci_disable_security_job.yml
+++ b/detections/cloud/circle_ci_disable_security_job.yml
@@ -40,7 +40,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - _times
- risk_score: 72
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/circle_ci_disable_security_step.yml b/detections/cloud/circle_ci_disable_security_step.yml
index 4c7c333edd..77747dc5be 100644
--- a/detections/cloud/circle_ci_disable_security_step.yml
+++ b/detections/cloud/circle_ci_disable_security_step.yml
@@ -40,7 +40,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - _times
- risk_score: 72
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
index f34a186296..aaea4dc435 100644
--- a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
+++ b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
@@ -54,7 +54,6 @@ tags:
 - All_Changes.status
 - All_Changes.command
 - All_Changes.object
- risk_score: 36
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -63,4 +62,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
index 3222e4c2d7..91e2c7c1b6 100644
--- a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
+++ b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
@@ -59,7 +59,6 @@ tags:
 - All_Changes.action
 - All_Changes.user
 - All_Changes.vendor_region
- risk_score: 18
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -68,4 +67,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
index e7b1e13efb..1302591e5f 100644
--- a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
+++ b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
@@ -62,7 +62,6 @@ tags:
 - All_Changes.action
 - All_Changes.vendor_region
 - All_Changes.user
- risk_score: 42
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -71,4 +70,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
index 59875c8683..82ab4f07d2 100644
--- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
+++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
@@ -55,7 +55,6 @@ tags:
 - All_Changes.action
 - All_Changes.Instance_Changes.image_id
 - All_Changes.user
- risk_score: 36
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -64,4 +63,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
index 85af9797fc..4d832722fe 100644
--- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
+++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
@@ -62,7 +62,6 @@ tags:
 - All_Changes.action
 - All_Changes.Instance_Changes.instance_type
 - All_Changes.user
- risk_score: 30
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -71,4 +70,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
index b80986d4ea..1461d90fe1 100644
--- a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
+++ b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
@@ -58,7 +58,6 @@ tags:
 - All_Changes.change_type
 - All_Changes.status
 - All_Changes.user
- risk_score: 42
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -67,4 +66,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
index b9d62ef08b..f9be88b8f8 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
@@ -82,7 +82,6 @@ tags:
 - All_Changes.user
 - All_Changes.object
 - All_Changes.command
- risk_score: 18
 security_domain: threat
 manual_test: This search needs the baseline to be run first to create a lookup
 tests:
@@ -92,4 +91,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
index 15ebf020a3..d763c17cf7 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
@@ -82,7 +82,6 @@ tags:
 - All_Changes.user
 - All_Changes.object
 - All_Changes.command
- risk_score: 42
 security_domain: threat
 manual_test: This search needs the baseline to be run first to create a lookup
 tests:
@@ -92,4 +91,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
index 7698432f62..1e07fdb9a6 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
@@ -81,7 +81,6 @@ tags:
 - All_Changes.src
 - All_Changes.user
 - All_Changes.command
- risk_score: 42
 security_domain: threat
 manual_test: This search needs the baseline to be run first to create a lookup
 tests:
@@ -91,4 +90,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
index 779605e1eb..268c32116a 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
@@ -82,7 +82,6 @@ tags:
 - All_Changes.user
 - All_Changes.object
 - All_Changes.command
- risk_score: 42
 security_domain: threat
 manual_test: This search needs the baseline to be run first to create a lookup
 tests:
@@ -92,4 +91,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/cloud_security_groups_modifications_by_user.yml b/detections/cloud/cloud_security_groups_modifications_by_user.yml
index 1ce26bf6ec..a4967bef84 100644
--- a/detections/cloud/cloud_security_groups_modifications_by_user.yml
+++ b/detections/cloud/cloud_security_groups_modifications_by_user.yml
@@ -57,7 +57,6 @@ tags:
 - All_Changes.status
 - All_Changes.object_category
 - All_Changes.user
- risk_score: 35
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/detect_aws_console_login_by_new_user.yml b/detections/cloud/detect_aws_console_login_by_new_user.yml
index 523d3cb63b..d9764336c8 100644
--- a/detections/cloud/detect_aws_console_login_by_new_user.yml
+++ b/detections/cloud/detect_aws_console_login_by_new_user.yml
@@ -57,7 +57,6 @@ tags:
 - _time
 - Authentication.signature
 - Authentication.user
- risk_score: 30
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -66,4 +65,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml
index 9488c17d39..b1ca5f4b17 100644
--- a/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml
+++ b/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml
@@ -66,7 +66,6 @@ tags:
 - Authentication.signature
 - Authentication.user
 - Authentication.src
- risk_score: 18
 security_domain: threat
 manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated.
@@ -77,4 +76,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml
index 7cd18c04e7..e5035b813b 100644
--- a/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml
+++ b/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml
@@ -66,7 +66,6 @@ tags:
 - Authentication.signature
 - Authentication.user
 - Authentication.src
- risk_score: 42
 security_domain: threat
 manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated.
@@ -77,4 +76,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml
index 69cda1c583..1ea23f4a46 100644
--- a/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml
+++ b/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml
@@ -67,7 +67,6 @@ tags:
 - Authentication.signature
 - Authentication.user
 - Authentication.src
- risk_score: 36
 security_domain: threat
 manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated.
@@ -78,4 +77,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml b/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml
index 9d477d8143..340f638403 100644
--- a/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml
+++ b/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml
@@ -65,5 +65,4 @@ tags:
 - c_ip_
 - cs_uri_
 - cs_method_
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/detect_new_open_gcp_storage_buckets.yml b/detections/cloud/detect_new_open_gcp_storage_buckets.yml
index 9f8eb5cae6..17e3a2b942 100644
--- a/detections/cloud/detect_new_open_gcp_storage_buckets.yml
+++ b/detections/cloud/detect_new_open_gcp_storage_buckets.yml
@@ -59,5 +59,4 @@ tags:
 - data.protoPayload.resourceName
 - data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role
 - data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/detect_new_open_s3_buckets.yml b/detections/cloud/detect_new_open_s3_buckets.yml
index c4198c281d..20500c9663 100644
--- a/detections/cloud/detect_new_open_s3_buckets.yml
+++ b/detections/cloud/detect_new_open_s3_buckets.yml
@@ -62,7 +62,6 @@ tags:
 - userAgent
 - uri
 - permission
- risk_score: 48
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -71,4 +70,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
index 91cabf7138..d7f1d1e6fd 100644
--- a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
+++ b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
@@ -66,7 +66,6 @@ tags:
 - userIdentity.principalId
 - userAgent
 - bucketName
- risk_score: 48
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -75,4 +74,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json
 sourcetype: aws:cloudtrail
 source: aws_cloudtrail
- update_timestamp: true
diff --git a/detections/cloud/detect_s3_access_from_a_new_ip.yml b/detections/cloud/detect_s3_access_from_a_new_ip.yml
index 4b860bc4b6..9d37d952f3 100644
--- a/detections/cloud/detect_s3_access_from_a_new_ip.yml
+++ b/detections/cloud/detect_s3_access_from_a_new_ip.yml
@@ -58,5 +58,4 @@ tags:
 - http_status
 - bucket_name
 - remote_ip
- risk_score: 25.0
 security_domain: network
diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
index 131d791a79..636f5756b2 100644
--- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
+++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
@@ -53,7 +53,6 @@ tags:
 - vendor_region
 - severity
 - dest
- risk_score: 15
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
index 14a717bb9a..d95dcc01d2 100644
--- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
+++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
@@ -46,5 +46,4 @@ tags:
 - findings{}.Resources{}.Type
 - indings{}.Resources{}.Id
 - user
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
index 41844dd805..95f9ea317f 100644
--- a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
+++ b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
@@ -67,5 +67,4 @@ tags:
 - action
 - src_ip
 - dest_ip
- risk_score: 25.0
 security_domain: network
diff --git a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
index 88ed86c86e..3deeb6b513 100644
--- a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
+++ b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
@@ -63,5 +63,4 @@ tags:
 - _time
 - eventName
 - userIdentity.arn
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
index 2b04cfc1b8..2fe94ce9d8 100644
--- a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
+++ b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
@@ -59,7 +59,6 @@ tags:
 - src_ip
 - login_challenge_method
 - event.parameters{}.multiValue{}
- risk_score: 54
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -68,4 +67,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log
 source: gws:reports:login
 sourcetype: gws:reports:login
- update_timestamp: true
diff --git a/detections/cloud/gcp_detect_gcploit_framework.yml b/detections/cloud/gcp_detect_gcploit_framework.yml
index 6ddb2bebce..bf4553b902 100644
--- a/detections/cloud/gcp_detect_gcploit_framework.yml
+++ b/detections/cloud/gcp_detect_gcploit_framework.yml
@@ -54,5 +54,4 @@ tags:
 - data.protoPayload.authorizationInfo{}.permission
 - data.protoPayload.request.location
 - http_user_agent
- risk_score: 25
 security_domain: threat
diff --git a/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml b/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml
index 56623ce73b..6f747f2170 100644
--- a/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml
+++ b/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml
@@ -50,5 +50,4 @@ tags:
 - requestURI
 - responseStatus.reason
 - properties.pod
- risk_score: 25
 security_domain: threat
diff --git a/detections/cloud/gcp_multi_factor_authentication_disabled.yml b/detections/cloud/gcp_multi_factor_authentication_disabled.yml
index 8acdae5d35..82bc9d3d1a 100644
--- a/detections/cloud/gcp_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/gcp_multi_factor_authentication_disabled.yml
@@ -60,7 +60,6 @@ tags:
 - user
 - command
 - status
- risk_score: 45
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -69,4 +68,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log
 source: gws:reports:admin
 sourcetype: gws:reports:admin
- update_timestamp: true
diff --git a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
index 501ca6414b..45384e06e3 100644
--- a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
@@ -60,7 +60,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 54
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -69,4 +68,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log
 source: gws:reports:login
 sourcetype: gws:reports:login
- update_timestamp: true
diff --git a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
index f4f9aceee7..1514c9be03 100644
--- a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
@@ -67,7 +67,6 @@ tags:
 - app
 - id.applicationName
 - src
- risk_score: 54
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -76,4 +75,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json
 source: gws_login
 sourcetype: gws:reports:login
- update_timestamp: true
diff --git a/detections/cloud/gcp_successful_single_factor_authentication.yml b/detections/cloud/gcp_successful_single_factor_authentication.yml
index 7edda663ec..25cf8a2805 100644
--- a/detections/cloud/gcp_successful_single_factor_authentication.yml
+++ b/detections/cloud/gcp_successful_single_factor_authentication.yml
@@ -61,7 +61,6 @@ tags:
 - user
 - src_ip
 - login_challenge_method
- risk_score: 45
 security_domain: identity
 tests:
 - name: True Positive Test
@@ -70,4 +69,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log
 source: gws:reports:login
 sourcetype: gws:reports:login
- update_timestamp: true
diff --git a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
index 007e7b649a..b39de2523b 100644
--- a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
@@ -67,7 +67,6 @@ tags:
 - src
 - event.type
 - user_name
- risk_score: 54
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -76,4 +75,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json
 source: gws_login
 sourcetype: gws:reports:login
- update_timestamp: true
diff --git a/detections/cloud/gdrive_suspicious_file_sharing.yml b/detections/cloud/gdrive_suspicious_file_sharing.yml
index 6a2d2fbd04..4783e23114 100644
--- a/detections/cloud/gdrive_suspicious_file_sharing.yml
+++ b/detections/cloud/gdrive_suspicious_file_sharing.yml
@@ -54,5 +54,4 @@ tags:
 - parameters.target_user
 - parameters.doc_title
 - parameters.doc_type
- risk_score: 25
 security_domain: threat
diff --git a/detections/cloud/github_actions_disable_security_workflow.yml b/detections/cloud/github_actions_disable_security_workflow.yml
index 4581f7344a..25a5c310b4 100644
--- a/detections/cloud/github_actions_disable_security_workflow.yml
+++ b/detections/cloud/github_actions_disable_security_workflow.yml
@@ -62,7 +62,6 @@ tags:
 - workflow_run.head_repository.owner.id
 - workflow_run.head_repository.owner.login
 - workflow_run.head_repository.owner.type
- risk_score: 27
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/github_commit_changes_in_master.yml b/detections/cloud/github_commit_changes_in_master.yml
index 0a4052114b..711eb2ea40 100644
--- a/detections/cloud/github_commit_changes_in_master.yml
+++ b/detections/cloud/github_commit_changes_in_master.yml
@@ -45,7 +45,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/github_commit_in_develop.yml b/detections/cloud/github_commit_in_develop.yml
index 1346e0f952..9f0d727acc 100644
--- a/detections/cloud/github_commit_in_develop.yml
+++ b/detections/cloud/github_commit_in_develop.yml
@@ -45,7 +45,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/github_dependabot_alert.yml b/detections/cloud/github_dependabot_alert.yml
index da4f09cdc9..00b3e88a2b 100644
--- a/detections/cloud/github_dependabot_alert.yml
+++ b/detections/cloud/github_dependabot_alert.yml
@@ -58,7 +58,6 @@ tags:
 - alert.external_reference
 - alert.fixed_in
 - alert.severity
- risk_score: 27
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/github_pull_request_from_unknown_user.yml b/detections/cloud/github_pull_request_from_unknown_user.yml
index 7ab0f9565a..fe8af8cc3b 100644
--- a/detections/cloud/github_pull_request_from_unknown_user.yml
+++ b/detections/cloud/github_pull_request_from_unknown_user.yml
@@ -58,7 +58,6 @@ tags:
 - alert.external_reference
 - alert.fixed_in
 - alert.severity
- risk_score: 27
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml
index a6e197b24e..567ed9e49e 100644
--- a/detections/cloud/gsuite_drive_share_in_external_email.yml
+++ b/detections/cloud/gsuite_drive_share_in_external_email.yml
@@ -65,7 +65,6 @@ tags:
 - parameters.visibility
 - parameters.owner
 - parameters.doc_type
- risk_score: 72
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/gsuite_email_suspicious_attachment.yml b/detections/cloud/gsuite_email_suspicious_attachment.yml
index 5c9abfa33c..ad0fbff594 100644
--- a/detections/cloud/gsuite_email_suspicious_attachment.yml
+++ b/detections/cloud/gsuite_email_suspicious_attachment.yml
@@ -63,7 +63,6 @@ tags:
 - subject
 - destination{}.address
 - source.address
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
index ff370ee6bb..4d571b720d 100644
--- a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
+++ b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
@@ -60,7 +60,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
index f3b12b02de..ec9499f745 100644
--- a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
+++ b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
@@ -54,7 +54,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml b/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml
index 8a4a5f238e..8baec88d03 100644
--- a/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml
+++ b/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml
@@ -62,7 +62,6 @@ tags:
 - dest_domain
 - phase
 - severity
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/gsuite_suspicious_calendar_invite.yml b/detections/cloud/gsuite_suspicious_calendar_invite.yml
index 5c36602f3f..96759b5257 100644
--- a/detections/cloud/gsuite_suspicious_calendar_invite.yml
+++ b/detections/cloud/gsuite_suspicious_calendar_invite.yml
@@ -54,5 +54,4 @@ tags:
 - parameters.event_title
 - parameters.target_calendar_id
 - parameters.event_title
- risk_score: 25
 security_domain: threat
diff --git a/detections/cloud/gsuite_suspicious_shared_file_name.yml b/detections/cloud/gsuite_suspicious_shared_file_name.yml
index 00d9aecf1a..d349313072 100644
--- a/detections/cloud/gsuite_suspicious_shared_file_name.yml
+++ b/detections/cloud/gsuite_suspicious_shared_file_name.yml
@@ -67,7 +67,6 @@ tags:
 - parameters.visibility
 - parameters.owner
 - parameters.doc_type
- risk_score: 21
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
index ed4ccbb777..922415f00e 100644
--- a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
+++ b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
@@ -66,7 +66,6 @@ tags:
 - UserAgent
 - src_ip
 - record_type
- risk_score: 25
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
index d012c1e6ef..483e247644 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
@@ -67,7 +67,6 @@ tags:
 - user.username
 - userAgent
 - verb
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
index e26121f0c5..38a4f911ee 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
@@ -66,7 +66,6 @@ tags:
 - user.username
 - userAgent
 - verb
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
index 6d81b53ba3..89bb21c89b 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
@@ -65,7 +65,6 @@ tags:
 - user.username
 - userAgent
 - verb
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
index 5b44d1e7f8..ebc6cdbc67 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
@@ -65,7 +65,6 @@ tags:
 - user.username
 - userAgent
 - verb
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_access_scanning.yml b/detections/cloud/kubernetes_access_scanning.yml
index 55e2362f32..f64fbfd0ca 100644
--- a/detections/cloud/kubernetes_access_scanning.yml
+++ b/detections/cloud/kubernetes_access_scanning.yml
@@ -63,7 +63,6 @@ tags:
 - verb
 - responseStatus.reason
 - responseStatus.status
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml
index 678f392e81..bbaefffc05 100644
--- a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml
+++ b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml
@@ -73,5 +73,4 @@ tags:
 - k8s.cluster.name
 - dest.process.name
 - dest.workload.name
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml
index 36e40b25e4..521575f054 100644
--- a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml
+++ b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml
@@ -92,5 +92,4 @@ tags:
 - k8s.cluster.name
 - k8s.node.name
 - k8s.pod.name
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
index a115c50b9f..96035c6dce 100644
--- a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
+++ b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
@@ -96,5 +96,4 @@ tags:
 - k8s.cluster.name
 - k8s.node.name
 - k8s.pod.name
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml
index bfc7974b65..9c3f437974 100644
--- a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml
+++ b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml
@@ -74,5 +74,4 @@ tags:
 - source.workload.name
 - dest.workload.name
 - udp.packets
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml
index 8d7a99c3bd..25ab088d8a 100644
--- a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml
+++ b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml
@@ -74,5 +74,4 @@ tags:
 - source.workload.name
 - dest.workload.name
 - udp.packets
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml
index 2c4d27b19c..8f996fcf56 100644
--- a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml
+++ b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml
@@ -56,5 +56,4 @@ tags:
 - user.username
 - userAgent
 - verb
- risk_score: 25
 security_domain: threat
diff --git a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml
index b9f1be1cba..ab18d322bd 100644
--- a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml
+++ b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml
@@ -64,7 +64,6 @@ tags:
 - userAgent
 - verb
 - requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_cron_job_creation.yml b/detections/cloud/kubernetes_cron_job_creation.yml
index fd414326bb..254e41bf0b 100644
--- a/detections/cloud/kubernetes_cron_job_creation.yml
+++ b/detections/cloud/kubernetes_cron_job_creation.yml
@@ -64,7 +64,6 @@ tags:
 - user.username
 - userAgent
 - verb
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_daemonset_deployed.yml b/detections/cloud/kubernetes_daemonset_deployed.yml
index 059055675a..405d57cca2 100644
--- a/detections/cloud/kubernetes_daemonset_deployed.yml
+++ b/detections/cloud/kubernetes_daemonset_deployed.yml
@@ -62,7 +62,6 @@ tags:
 - user.username
 - userAgent
 - verb
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_falco_shell_spawned.yml b/detections/cloud/kubernetes_falco_shell_spawned.yml
index 71c85b1554..051afb8baf 100644
--- a/detections/cloud/kubernetes_falco_shell_spawned.yml
+++ b/detections/cloud/kubernetes_falco_shell_spawned.yml
@@ -53,7 +53,6 @@ tags:
 - proc_exepath
 - process
 - user
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml
index 2425eaa829..ad7f3c7be4 100644
--- a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml
+++ b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml
@@ -61,5 +61,4 @@ tags:
 - source.workload.name
 - dest.workload.name
 - tcp.packets
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_newly_seen_udp_edge.yml b/detections/cloud/kubernetes_newly_seen_udp_edge.yml
index a264bff40e..e38ffe0b61 100644
--- a/detections/cloud/kubernetes_newly_seen_udp_edge.yml
+++ b/detections/cloud/kubernetes_newly_seen_udp_edge.yml
@@ -61,5 +61,4 @@ tags:
 - source.workload.name
 - dest.workload.name
 - udp.packets
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_nginx_ingress_lfi.yml b/detections/cloud/kubernetes_nginx_ingress_lfi.yml
index ef247a2341..35755b97bd 100644
--- a/detections/cloud/kubernetes_nginx_ingress_lfi.yml
+++ b/detections/cloud/kubernetes_nginx_ingress_lfi.yml
@@ -50,7 +50,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - raw
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_nginx_ingress_rfi.yml b/detections/cloud/kubernetes_nginx_ingress_rfi.yml
index 5823d53346..5e06dd87c2 100644
--- a/detections/cloud/kubernetes_nginx_ingress_rfi.yml
+++ b/detections/cloud/kubernetes_nginx_ingress_rfi.yml
@@ -49,7 +49,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - raw
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_node_port_creation.yml b/detections/cloud/kubernetes_node_port_creation.yml
index 513e043486..12776caac0 100644
--- a/detections/cloud/kubernetes_node_port_creation.yml
+++ b/detections/cloud/kubernetes_node_port_creation.yml
@@ -63,7 +63,6 @@ tags:
 - user.username
 - userAgent
 - verb
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml
index c5b94b6782..7ef67668ec 100644
--- a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml
+++ b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml
@@ -63,7 +63,6 @@ tags:
 - user.username
 - userAgent
 - verb
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml
index 763299bf0c..11f4ea4e51 100644
--- a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml
+++ b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml
@@ -64,7 +64,6 @@ tags:
 - userAgent
 - verb
 - requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml
index 893fa07fce..c01c76ec7c 100644
--- a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml
+++ b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml
@@ -81,5 +81,4 @@ tags:
 - host.name
 - k8s.cluster.name
 - k8s.node.name
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_previously_unseen_process.yml b/detections/cloud/kubernetes_previously_unseen_process.yml
index 605ca069bb..cb788693e9 100644
--- a/detections/cloud/kubernetes_previously_unseen_process.yml
+++ b/detections/cloud/kubernetes_previously_unseen_process.yml
@@ -81,5 +81,4 @@ tags:
 - k8s.cluster.name
 - k8s.node.name
 - process.executable.name
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_process_running_from_new_path.yml b/detections/cloud/kubernetes_process_running_from_new_path.yml
index 41b969d36b..b79f385b14 100644
--- a/detections/cloud/kubernetes_process_running_from_new_path.yml
+++ b/detections/cloud/kubernetes_process_running_from_new_path.yml
@@ -82,5 +82,4 @@ tags:
 - k8s.cluster.name
 - k8s.node.name
 - process.executable.name
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml
index 44d9d3dce9..a38ba1dfea 100644
--- a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml
+++ b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml
@@ -90,5 +90,4 @@ tags:
 - k8s.cluster.name
 - k8s.node.name
 - process.executable.name
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml
index 870ba66146..26dae707d4 100644
--- a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml
+++ b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml
@@ -89,5 +89,4 @@ tags:
 - k8s.cluster.name
 - k8s.node.name
 - process.executable.name
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_scanner_image_pulling.yml b/detections/cloud/kubernetes_scanner_image_pulling.yml
index c4984bd78c..65481845e4 100644
--- a/detections/cloud/kubernetes_scanner_image_pulling.yml
+++ b/detections/cloud/kubernetes_scanner_image_pulling.yml
@@ -50,7 +50,6 @@ tags:
 - object.involvedObject.kind
 - object.message
 - object.reason
- risk_score: 81
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml
index a94b5cf3fe..3ca9703eb0 100644
--- a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml
+++ b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml
@@ -60,7 +60,6 @@ tags:
 - verb
 - responseStatus.reason
 - responseStatus.status
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node.yml b/detections/cloud/kubernetes_shell_running_on_worker_node.yml
index 53ba59cfd2..6e9c24afd4 100644
--- a/detections/cloud/kubernetes_shell_running_on_worker_node.yml
+++ b/detections/cloud/kubernetes_shell_running_on_worker_node.yml
@@ -81,5 +81,4 @@ tags:
 - k8s.cluster.name
 - k8s.node.name
 - process.pid
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
index 7440e985c8..322dd887f7 100644
--- a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
+++ b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
@@ -82,5 +82,4 @@ tags:
 - k8s.cluster.name
 - k8s.node.name
 - process.pid
- risk_score: 25
 security_domain: network
diff --git a/detections/cloud/kubernetes_suspicious_image_pulling.yml b/detections/cloud/kubernetes_suspicious_image_pulling.yml
index 4eeaa70812..5b96f12f92 100644
--- a/detections/cloud/kubernetes_suspicious_image_pulling.yml
+++ b/detections/cloud/kubernetes_suspicious_image_pulling.yml
@@ -63,7 +63,6 @@ tags:
 - verb
 - responseStatus.reason
 - responseStatus.status
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/kubernetes_unauthorized_access.yml b/detections/cloud/kubernetes_unauthorized_access.yml
index 893a445494..213c518089 100644
--- a/detections/cloud/kubernetes_unauthorized_access.yml
+++ b/detections/cloud/kubernetes_unauthorized_access.yml
@@ -61,7 +61,6 @@ tags:
 - verb
 - responseStatus.reason
 - responseStatus.status
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_add_app_role_assignment_grant_user.yml b/detections/cloud/o365_add_app_role_assignment_grant_user.yml
index bfa016ef7e..ac530301fc 100644
--- a/detections/cloud/o365_add_app_role_assignment_grant_user.yml
+++ b/detections/cloud/o365_add_app_role_assignment_grant_user.yml
@@ -61,7 +61,6 @@ tags:
 - UserId
 - dest
 - ResultStatus
- risk_score: 18
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_added_service_principal.yml b/detections/cloud/o365_added_service_principal.yml
index 751bf096e0..1e5c484acc 100644
--- a/detections/cloud/o365_added_service_principal.yml
+++ b/detections/cloud/o365_added_service_principal.yml
@@ -60,7 +60,6 @@ tags:
 - action
 - Operation
 - authentication_service
- risk_score: 42
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml
index 01cee46fbe..3ba876cbfc 100644
--- a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml
+++ b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml
@@ -68,7 +68,6 @@ tags:
 - ModifiedProperties{}.NewValue
 - src_user
 - dest_user
- risk_score: 54
 security_domain: identity
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_advanced_audit_disabled.yml b/detections/cloud/o365_advanced_audit_disabled.yml
index 196993ba67..326fa27468 100644
--- a/detections/cloud/o365_advanced_audit_disabled.yml
+++ b/detections/cloud/o365_advanced_audit_disabled.yml
@@ -55,7 +55,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 32
 required_fields:
 - _time
 - Operation
diff --git a/detections/cloud/o365_application_registration_owner_added.yml b/detections/cloud/o365_application_registration_owner_added.yml
index 732e63150c..808db9c4fc 100644
--- a/detections/cloud/o365_application_registration_owner_added.yml
+++ b/detections/cloud/o365_application_registration_owner_added.yml
@@ -52,7 +52,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 30
 required_fields:
 - time
 - Workload
diff --git a/detections/cloud/o365_applicationimpersonation_role_assigned.yml b/detections/cloud/o365_applicationimpersonation_role_assigned.yml
index 4fdc9c751e..d74ce5e179 100644
--- a/detections/cloud/o365_applicationimpersonation_role_assigned.yml
+++ b/detections/cloud/o365_applicationimpersonation_role_assigned.yml
@@ -51,7 +51,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 56
 required_fields:
 - _time
 - Workload
diff --git a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
index 447f87e2d5..c58f178527 100644
--- a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
+++ b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
@@ -56,7 +56,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 30
 required_fields:
 - _time
 - Workload
diff --git a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml
index a33d96cb85..277afb842e 100644
--- a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml
+++ b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml
@@ -68,7 +68,6 @@ tags:
 - status
 - user_id
 - action
- risk_score: 42
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_compliance_content_search_exported.yml b/detections/cloud/o365_compliance_content_search_exported.yml
index 2103c7707a..aa0bed4bcb 100644
--- a/detections/cloud/o365_compliance_content_search_exported.yml
+++ b/detections/cloud/o365_compliance_content_search_exported.yml
@@ -54,7 +54,6 @@ tags:
 - ExchangeLocations
 - Query
 - user_id
- risk_score: 42
 security_domain: identity
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_compliance_content_search_started.yml b/detections/cloud/o365_compliance_content_search_started.yml
index 28eeaca71b..0a6c8c18bb 100644
--- a/detections/cloud/o365_compliance_content_search_started.yml
+++ b/detections/cloud/o365_compliance_content_search_started.yml
@@ -54,7 +54,6 @@ tags:
 - ExchangeLocations
 - Query
 - user_id
- risk_score: 42
 security_domain: audit
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
index 94efdef9cd..80d29ef480 100644
--- a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
@@ -56,7 +56,6 @@ tags:
 - src_ip
 - user
 - user_agent
- risk_score: 42
 security_domain: threat
 tests:
 - name: True Positive Test
@@ -65,4 +64,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log
 sourcetype: o365:management:activity
 source: o365
- update_timestamp: true
diff --git a/detections/cloud/o365_disable_mfa.yml b/detections/cloud/o365_disable_mfa.yml
index 9b85e10668..a32e2f8da2 100644
--- a/detections/cloud/o365_disable_mfa.yml
+++ b/detections/cloud/o365_disable_mfa.yml
@@ -54,7 +54,6 @@ tags:
 - signature
 - dest
 - ResultStatus
- risk_score: 64
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
index b2c1c243e6..656a6351ff 100644
--- a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
+++ b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
@@ -54,7 +54,6 @@ tags:
 - user
 - src_user
 - dest_user
- risk_score: 42
 security_domain: audit
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_excessive_authentication_failures_alert.yml b/detections/cloud/o365_excessive_authentication_failures_alert.yml
index 08ed28b052..c1f6a95766 100644
--- a/detections/cloud/o365_excessive_authentication_failures_alert.yml
+++ b/detections/cloud/o365_excessive_authentication_failures_alert.yml
@@ -56,7 +56,6 @@ tags:
 - UserAgent
 - src_ip
 - user
- risk_score: 64
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_excessive_sso_logon_errors.yml b/detections/cloud/o365_excessive_sso_logon_errors.yml
index faef098f21..7b8ce5c60a 100644
--- a/detections/cloud/o365_excessive_sso_logon_errors.yml
+++ b/detections/cloud/o365_excessive_sso_logon_errors.yml
@@ -60,7 +60,6 @@ tags:
 - authentication_service
 - authentication_method
 - Operation
- risk_score: 64
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml
index f0fbd80d5d..045760fec9 100644
--- a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml
+++ b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml
@@ -56,7 +56,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 40
 required_fields:
 - _time
 - Workload
diff --git a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml
index c6f2706e01..daa303e4d3 100644
--- a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml
+++ b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml
@@ -54,7 +54,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 48
 required_fields:
 - _time
 - Workload
diff --git a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
index e684d23e4c..0af3b63e60 100644
--- a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
@@ -49,7 +49,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 35
 required_fields:
 - _time
 - src_ip
diff --git a/detections/cloud/o365_high_privilege_role_granted.yml b/detections/cloud/o365_high_privilege_role_granted.yml
index da3e718fb0..6762bd755a 100644
--- a/detections/cloud/o365_high_privilege_role_granted.yml
+++ b/detections/cloud/o365_high_privilege_role_granted.yml
@@ -53,7 +53,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 48
 required_fields:
 - _time
 - Operation
diff --git a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml
index 41b81db2a0..7c38b73593 100644
--- a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml
+++ b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml
@@ -58,7 +58,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 40
 required_fields:
 - _time
 - Workload
diff --git a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml
index feb85ab074..be9655d26c 100644
--- a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml
+++ b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml
@@ -58,7 +58,6 @@ tags:
 - src_user
 - DeliverToMailboxAndForward
 - ObjectId
- risk_score: 42
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml
index 49bbeb8296..eb462d2af7 100644
--- a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml
+++ b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml
@@ -58,7 +58,6 @@ tags:
   - UserId
   - object
   - Item.ParentFolder.MemberRights
-  risk_score: 42
   security_domain: audit
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
index 7d13aaa76c..ca03cca05d 100644
--- a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
+++ b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
@@ -54,7 +54,6 @@ tags:
   - UserId
   - Identity
   - User
-  risk_score: 42
   security_domain: audit
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml
index a47d64ad76..de310a8e44 100644
--- a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml
+++ b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml
@@ -56,7 +56,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 56
   required_fields:
   - _time
   - Operation
diff --git a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml
index d8a3f346dc..15c67eee83 100644
--- a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml
+++ b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml
@@ -59,7 +59,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 45
   required_fields:
   - Operation
   - _time
diff --git a/detections/cloud/o365_multi_source_failed_authentications_spike.yml b/detections/cloud/o365_multi_source_failed_authentications_spike.yml
index 2972dea980..002a5ac27b 100644
--- a/detections/cloud/o365_multi_source_failed_authentications_spike.yml
+++ b/detections/cloud/o365_multi_source_failed_authentications_spike.yml
@@ -62,7 +62,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 42
   required_fields:
   - _time
   - Workload
diff --git a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
index 6dac7c57d2..fb35d46dfb 100644
--- a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
+++ b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
@@ -55,7 +55,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 48
   required_fields:
   - _time
   - Workload
diff --git a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
index 778080e17c..33db530afd 100644
--- a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
@@ -44,7 +44,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 48
   required_fields:
   - _time
   - Workload
diff --git a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
index 4ade3a6007..e23a4a0a1f 100644
--- a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
+++ b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
@@ -62,7 +62,6 @@ tags:
   - ClientInfoString
   - ClientIPAddress
   - user
-  risk_score: 42
   security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml
index 89a32250e8..a353b8109a 100644
--- a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml
+++ b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml
@@ -62,7 +62,6 @@ tags:
   - Actor{}.ID
   - src_user
   - object
-  risk_score: 42
   security_domain: identity
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_multiple_service_principals_created_by_user.yml b/detections/cloud/o365_multiple_service_principals_created_by_user.yml
index f726e973c7..7c20e503ab 100644
--- a/detections/cloud/o365_multiple_service_principals_created_by_user.yml
+++ b/detections/cloud/o365_multiple_service_principals_created_by_user.yml
@@ -62,7 +62,6 @@ tags:
   - Actor{}.ID
   - src_user
   - object
-  risk_score: 42
   security_domain: identity
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
index b8f4cbcd51..0e53e9feda 100644
--- a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
@@ -56,7 +56,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 63
   required_fields:
   - _time
   - Workload
diff --git a/detections/cloud/o365_new_email_forwarding_rule_created.yml b/detections/cloud/o365_new_email_forwarding_rule_created.yml
index eb75fa4a3e..5192abd63c 100644
--- a/detections/cloud/o365_new_email_forwarding_rule_created.yml
+++ b/detections/cloud/o365_new_email_forwarding_rule_created.yml
@@ -58,7 +58,6 @@ tags:
   - Name
   - user
   - UserId
-  risk_score: 42
   security_domain: audit
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml
index d11d1a2f55..9a8ccb88a9 100644
--- a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml
+++ b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml
@@ -64,7 +64,6 @@ tags:
   - Actions
   - Name
   - user
-  risk_score: 42
   security_domain: audit
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_new_federated_domain_added.yml b/detections/cloud/o365_new_federated_domain_added.yml
index f52ee289bb..4b42a27037 100644
--- a/detections/cloud/o365_new_federated_domain_added.yml
+++ b/detections/cloud/o365_new_federated_domain_added.yml
@@ -59,7 +59,6 @@ tags:
   - user
   - user_agent
   - action
-  risk_score: 64
   security_domain: threat
 tests:
 - name: True Positive Test
@@ -68,4 +67,3 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_add_federated_domain.log
     sourcetype: o365:management:activity
     source: o365
-    update_timestamp: true
diff --git a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml
index 3abb02e02f..578cc69d36 100644
--- a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml
+++ b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml
@@ -55,7 +55,6 @@ tags:
   - Parameters{}.Name
   - user
   - Name
-  risk_score: 42
   security_domain: audit
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_new_mfa_method_registered.yml b/detections/cloud/o365_new_mfa_method_registered.yml
index 29478235b8..b94580a57d 100644
--- a/detections/cloud/o365_new_mfa_method_registered.yml
+++ b/detections/cloud/o365_new_mfa_method_registered.yml
@@ -57,7 +57,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 30
   required_fields:
   - _time
   - Workload
diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml
index 7f866b4325..ca74422f58 100644
--- a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml
+++ b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml
@@ -55,7 +55,6 @@ tags:
   - AppId
   - ClientAppId
   - OperationCount
-  risk_score: 42
   security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml
index bd66c03848..dd5c594abb 100644
--- a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml
+++ b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml
@@ -54,7 +54,6 @@ tags:
   - AppId
   - ClientAppId
   - OperationCount
-  risk_score: 42
   security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml
index b122535a63..5bd64d2997 100644
--- a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml
+++ b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml
@@ -56,7 +56,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 54
   required_fields:
   - _time
   - Workload
diff --git a/detections/cloud/o365_pst_export_alert.yml b/detections/cloud/o365_pst_export_alert.yml
index d6aa52da7a..47c329eb0d 100644
--- a/detections/cloud/o365_pst_export_alert.yml
+++ b/detections/cloud/o365_pst_export_alert.yml
@@ -54,7 +54,6 @@ tags:
   - Severity
   - AlertEntityId
   - Operation
-  risk_score: 48
   security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_security_and_compliance_alert_triggered.yml b/detections/cloud/o365_security_and_compliance_alert_triggered.yml
index 814038f5f3..ebe6514af7 100644
--- a/detections/cloud/o365_security_and_compliance_alert_triggered.yml
+++ b/detections/cloud/o365_security_and_compliance_alert_triggered.yml
@@ -58,7 +58,6 @@ tags:
   - Operation
   - Name
   - Data
-  risk_score: 48
   security_domain: identity
 tests:
 - name: True Positive Test
diff --git a/detections/cloud/o365_service_principal_new_client_credentials.yml b/detections/cloud/o365_service_principal_new_client_credentials.yml
index 4dd03b4f3c..d6e06c2e3b 100644
--- a/detections/cloud/o365_service_principal_new_client_credentials.yml
+++ b/detections/cloud/o365_service_principal_new_client_credentials.yml
@@ -52,7 +52,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 35
   required_fields:
   - _time
   - Workload
diff --git a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml
index 8b5a9bc611..08799f4835 100644
--- a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml
+++ b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml
@@ -54,7 +54,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 45
   required_fields:
   - _time
   - Operation
diff --git a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml
index 5ff69a0f26..faacf0e924 100644
--- a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml
+++ b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml
@@ -56,7 +56,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 30
   required_fields:
   - _time
   - Workload
diff --git a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml
index f38efad892..77768e7381 100644
--- a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml
+++ b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml
@@ -52,7 +52,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 30
   required_fields:
   - _time
   - status.errorCode
diff --git a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
index e1746bf9b1..abc6997d3f 100644
--- a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
+++ b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
@@ -42,7 +42,6 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  risk_score: 70
   security_domain: cloud
 tests:
 - name: True Positive Test
diff --git a/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml b/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml
index 02a1beea15..7ea6361310 100644
--- a/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml
+++ b/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml
@@ -49,5 +49,4 @@ tags:
   - eventName
   - errorCode
   - userName
-  risk_score: 25.0
   security_domain: network
diff --git a/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml b/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml
index 29b10d287d..29c6e42eae 100644
--- a/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml
+++ b/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml
@@ -45,5 +45,4 @@ tags:
   - eventName
   - errorCode
   - src_user
-  risk_score: 25.0
   security_domain: network
diff --git a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml
index ac6a7f26c3..5581fa8c98 100644
--- a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml
+++ b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml
@@ -49,5 +49,4 @@ tags:
   - eventName
   - errorCode
   - userName
-  risk_score: 25
   security_domain: network
diff --git a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml
index 936faf0ed0..35a73063d9 100644
--- a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml
+++ b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml
@@ -44,5 +44,4 @@ tags:
   - eventName
   - errorCode
   - src_user
-  risk_score: 25
   security_domain: network
diff --git a/detections/deprecated/asl_aws_createaccesskey.yml b/detections/deprecated/asl_aws_createaccesskey.yml
index c7e3ceeccc..9144a370a6 100644
--- a/detections/deprecated/asl_aws_createaccesskey.yml
+++ b/detections/deprecated/asl_aws_createaccesskey.yml
@@ -75,7 +75,6 @@ tags:
   - src_endpoint.ip
   - unmapped{}.key
   - unmapped{}.value
-  risk_score: 63
   security_domain: threat
 tests:
 - name: True Positive Test
@@ -83,5 +82,4 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/amazon_security_lake.json
     sourcetype: aws:asl
     source: aws_asl
-    update_timestamp: true
diff --git a/detections/deprecated/asl_aws_excessive_security_scanning.yml b/detections/deprecated/asl_aws_excessive_security_scanning.yml
index 8745c3d0f3..4a7badf3d4 100644
--- a/detections/deprecated/asl_aws_excessive_security_scanning.yml
+++ b/detections/deprecated/asl_aws_excessive_security_scanning.yml
@@ -46,5 +46,4 @@ tags:
   - identity.user.name
   - http_request.user_agent
   - src_endpoint.ip
-  risk_score: 18
   security_domain: network
\ No newline at end of file
diff --git a/detections/deprecated/asl_aws_password_policy_changes.yml b/detections/deprecated/asl_aws_password_policy_changes.yml
index 91d7e5659a..946e0d8f92 100644
--- a/detections/deprecated/asl_aws_password_policy_changes.yml
+++ b/detections/deprecated/asl_aws_password_policy_changes.yml
@@ -58,7 +58,6 @@ tags:
   - identity.user.uuid
   - http_request.user_agent
   - src_endpoint.ip
-  risk_score: 72
   security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
index 0ee85cd68e..3c95497bce 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
@@ -60,5 +60,4 @@ tags:
   - _time
   - eventName
   - sourceIPAddress
-  risk_score: 25
   security_domain: endpoint
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
index 972bf2dc55..60b56b7785 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
@@ -61,5 +61,4 @@ tags:
   - _time
   - eventName
   - sourceIPAddress
-  risk_score: 25
   security_domain: endpoint
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
index 58590b0009..9c34b7b583 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
@@ -58,5 +58,4 @@ tags:
   - _time
   - eventName
   - sourceIPAddress
-  risk_score: 25
   security_domain: endpoint
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml
index 2de77ce5f2..956fe1d011 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml
@@ -60,5 +60,4 @@ tags:
   - _time
   - eventName
   - sourceIPAddress
-  risk_score: 25
   security_domain: endpoint
diff --git a/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml b/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml
index 4602746c28..3da78be4c5 100644
--- a/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml
+++ b/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml
@@ -35,5 +35,4 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  risk_score: 25
   security_domain: threat
diff --git a/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml b/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml
index ad4302443a..ef7ef35d41 100644
--- a/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml
+++ b/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml
@@ -55,5 +55,4 @@ tags:
   - DNS.dest
   - DNS.message_type
   - DNS.src
-  risk_score: 25
   security_domain: network
diff --git a/detections/deprecated/cloud_network_access_control_list_deleted.yml b/detections/deprecated/cloud_network_access_control_list_deleted.yml
index 679c55e796..e014c8e6bc 100644
--- a/detections/deprecated/cloud_network_access_control_list_deleted.yml
+++ b/detections/deprecated/cloud_network_access_control_list_deleted.yml
@@ -48,5 +48,4 @@ tags:
   - src
   - userName
   - arn
-  risk_score: 25
   security_domain: network
diff --git a/detections/deprecated/correlation_by_repository_and_risk.yml b/detections/deprecated/correlation_by_repository_and_risk.yml
index e08e6b053a..55c383cd62 100644
--- a/detections/deprecated/correlation_by_repository_and_risk.yml
+++ b/detections/deprecated/correlation_by_repository_and_risk.yml
@@ -35,5 +35,4 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  risk_score: 70
   security_domain: network
diff --git a/detections/deprecated/correlation_by_user_and_risk.yml b/detections/deprecated/correlation_by_user_and_risk.yml
index 690d2834df..d2e41e8e8f 100644
--- a/detections/deprecated/correlation_by_user_and_risk.yml
+++ b/detections/deprecated/correlation_by_user_and_risk.yml
@@ -35,5 +35,4 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  risk_score: 70
   security_domain: network
diff --git a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml
index 0c911874c3..b92c1bbea0 100644
--- a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml
+++ b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml
@@ -56,7 +56,6 @@ tags:
   - WorkstationName
   - user
   - dest
-  risk_score: 49
   security_domain: access
 tests:
 - name: True Positive Test
@@ -64,4 +63,3 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-security.log
     source: WinEventLog:Security
     sourcetype: WinEventLog
-    update_timestamp: true
diff --git a/detections/deprecated/detect_api_activity_from_users_without_mfa.yml b/detections/deprecated/detect_api_activity_from_users_without_mfa.yml
index b071794296..3fb7adda0f 100644
--- a/detections/deprecated/detect_api_activity_from_users_without_mfa.yml
+++ b/detections/deprecated/detect_api_activity_from_users_without_mfa.yml
@@ -65,5 +65,4 @@ tags:
   - userIdentity.arn
   - userIdentity.type
   - user
-  risk_score: 25.0
   security_domain: network
diff --git a/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml b/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml
index 5614e6ced8..6bb632d8cb 100644
--- a/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml
+++ b/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml
@@ -69,5 +69,4 @@ tags:
   - userName
   - eventName
   - user
-  risk_score: 25.0
   security_domain: access
diff --git a/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml b/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml
index e263b72ed3..edd45504eb 100644
--- a/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml
+++ b/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml
@@ -65,5 +65,4 @@ tags:
   - DNS.src
   - DNS.query
   - host
-  risk_score: 25
   security_domain: network
diff --git a/detections/deprecated/detect_long_dns_txt_record_response.yml b/detections/deprecated/detect_long_dns_txt_record_response.yml
index a4c4066d07..2518c10366 100644
--- a/detections/deprecated/detect_long_dns_txt_record_response.yml
+++ b/detections/deprecated/detect_long_dns_txt_record_response.yml
@@ -55,5 +55,4 @@ tags:
   - DNS.src
   - DNS.dest
   - DNS.answer
-  risk_score: 25
   security_domain: network
diff --git a/detections/deprecated/detect_mimikatz_using_loaded_images.yml b/detections/deprecated/detect_mimikatz_using_loaded_images.yml
index 3d89d50c5d..27d7b0844d 100644
--- a/detections/deprecated/detect_mimikatz_using_loaded_images.yml
+++ b/detections/deprecated/detect_mimikatz_using_loaded_images.yml
@@ -62,7 +62,6 @@ tags:
   - ProcessId
   - dest
   - Image
-  risk_score: 64
   security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml b/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml
index a404feefa4..581e776f9c 100644
--- a/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml
+++ b/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml
@@ -51,5 +51,4 @@ tags:
   - Message
   - dest
   - Process_ID
-  risk_score: 25
   security_domain: access
diff --git a/detections/deprecated/detect_new_api_calls_from_user_roles.yml b/detections/deprecated/detect_new_api_calls_from_user_roles.yml
index 7551bc3370..e83f95d7bf 100644
--- a/detections/deprecated/detect_new_api_calls_from_user_roles.yml
+++ b/detections/deprecated/detect_new_api_calls_from_user_roles.yml
@@ -52,5 +52,4 @@ tags:
   - userIdentity.type
   - userName
   - eventName
-  risk_score: 25.0
   security_domain: endpoint
diff --git a/detections/deprecated/detect_new_user_aws_console_login.yml b/detections/deprecated/detect_new_user_aws_console_login.yml
index fb00e3d683..9dcfd4907f 100644
--- a/detections/deprecated/detect_new_user_aws_console_login.yml
+++ b/detections/deprecated/detect_new_user_aws_console_login.yml
@@ -49,5 +49,4 @@ tags:
   - _time
   - eventName
   - userIdentity.arn
-  risk_score: 25
   security_domain: network
diff --git a/detections/deprecated/detect_spike_in_aws_api_activity.yml b/detections/deprecated/detect_spike_in_aws_api_activity.yml
index 6fc824e5ef..af44594422 100644
--- a/detections/deprecated/detect_spike_in_aws_api_activity.yml
+++ b/detections/deprecated/detect_spike_in_aws_api_activity.yml
@@ -71,5 +71,4 @@ tags:
   - _time
   - eventType
   - userIdentity.arn
-  risk_score: 25.0
   security_domain: network
diff --git a/detections/deprecated/detect_spike_in_network_acl_activity.yml b/detections/deprecated/detect_spike_in_network_acl_activity.yml
index 8b1cc6a0f1..f547debf0f 100644
--- a/detections/deprecated/detect_spike_in_network_acl_activity.yml
+++ b/detections/deprecated/detect_spike_in_network_acl_activity.yml
@@ -57,5 +57,4 @@ tags:
   required_fields:
   - _time
   - userIdentity.arn
-  risk_score: 25.0
   security_domain: network
diff --git a/detections/deprecated/detect_spike_in_security_group_activity.yml b/detections/deprecated/detect_spike_in_security_group_activity.yml
index 448a1e74fe..a73c1c5389 100644
--- a/detections/deprecated/detect_spike_in_security_group_activity.yml
+++ b/detections/deprecated/detect_spike_in_security_group_activity.yml
@@ -58,5 +58,4 @@ tags:
   required_fields:
   - _time
   - serIdentity.arn
-  risk_score: 25.0
   security_domain: network
diff --git a/detections/deprecated/detect_usb_device_insertion.yml b/detections/deprecated/detect_usb_device_insertion.yml
index 4b0a6e8380..8cdb1be5c2 100644
--- a/detections/deprecated/detect_usb_device_insertion.yml
+++ b/detections/deprecated/detect_usb_device_insertion.yml
@@ -48,5 +48,4 @@ tags:
   - All_Changes.result_id
   - All_Changes.src_priority
   - All_Changes.dest
-  risk_score: 25
   security_domain: endpoint
diff --git a/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml b/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml
index 7aad030ee3..1fe375590a 100644
--- a/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml
+++ b/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml
@@ -57,5 +57,4 @@ tags:
   - Web.status
   - Web.src
   - Web.dest
-  risk_score: 25
   security_domain: network
diff --git a/detections/deprecated/detection_of_dns_tunnels.yml b/detections/deprecated/detection_of_dns_tunnels.yml
index 6ecfdf260a..c26d602e70 100644
--- a/detections/deprecated/detection_of_dns_tunnels.yml
+++ b/detections/deprecated/detection_of_dns_tunnels.yml
@@ -70,5 +70,4 @@ tags:
   - DNS.message_type
   - DNS.src_category
   - DNS.src
-  risk_score: 25
   security_domain: network
diff --git a/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml b/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml
index 078029a1fe..510f332f5c 100644
--- a/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml
+++ b/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml
@@ -46,5 +46,4 @@ tags:
   - DNS.src_category
   - DNS.src
   - DNS.dest
-  risk_score: 25
   security_domain: network
diff --git a/detections/deprecated/dns_record_changed.yml b/detections/deprecated/dns_record_changed.yml
index 288a4c7855..b7b45acd5e 100644
--- a/detections/deprecated/dns_record_changed.yml
+++ b/detections/deprecated/dns_record_changed.yml
@@ -63,5 +63,4 @@ tags:
   - DNS.src
   - DNS.message_type
   - DNS.query
-  risk_score: 25
   security_domain: network
diff --git a/detections/deprecated/dump_lsass_via_procdump_rename.yml b/detections/deprecated/dump_lsass_via_procdump_rename.yml
index 904d367839..3fb0516b15 100644
--- a/detections/deprecated/dump_lsass_via_procdump_rename.yml
+++ b/detections/deprecated/dump_lsass_via_procdump_rename.yml
@@ -65,5 +65,4 @@ tags:
   - CommandLine
   - dest
   - parent_process_name
-  risk_score: 80
   security_domain: endpoint
diff --git a/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml b/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml
index be0aa0099b..e74d8fa433 100644
--- a/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml
+++ b/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml
@@ -48,5 +48,4 @@ tags:
   - _time
   - errorCode
   - userIdentity.arn
-  risk_score: 25.0
   security_domain: endpoint
diff --git a/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml b/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml
index fa7e7c922f..1cd7937159 100644
--- a/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml
+++ b/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml
@@ -46,5 +46,4 @@ tags:
   required_fields:
   - _time
   - awsRegion
-  risk_score: 25.0
   security_domain: network
diff --git a/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml b/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml
index f4f7fec762..100c23efe4 100644
--- a/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml
+++ b/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml
@@ -49,5 +49,4 @@ tags:
   - eventName
   - errorCode
   - requestParameters.instancesSet.items{}.imageId
-  risk_score: 25
   security_domain: endpoint
diff --git a/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml b/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml
index ea7355984c..1df720dc6f 100644
--- a/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml
+++ b/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml
@@ -49,5 +49,4 @@ tags:
   - eventName
   - errorCode
   - requestParameters.instanceType
-  risk_score: 25
   security_domain: endpoint
diff --git a/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml b/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml
index cf6e38c445..5243c1c858 100644
--- a/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml
+++ b/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml
@@ -50,5 +50,4 @@ tags:
   - eventName
   - errorCode
   - userIdentity.arn
-  risk_score: 25
   security_domain: endpoint
diff --git a/detections/deprecated/execution_of_file_with_spaces_before_extension.yml b/detections/deprecated/execution_of_file_with_spaces_before_extension.yml
index 7519f91f51..af2082ad4e 100644
--- a/detections/deprecated/execution_of_file_with_spaces_before_extension.yml
+++ b/detections/deprecated/execution_of_file_with_spaces_before_extension.yml
@@ -52,5 +52,4 @@ tags:
   - Processes.dest
   - Processes.user
   - Processes.process_name
-  risk_score: 25
   security_domain: endpoint
diff --git a/detections/deprecated/extended_period_without_successful_netbackup_backups.yml b/detections/deprecated/extended_period_without_successful_netbackup_backups.yml
index a905b68aaa..67bcf59511 100644
--- a/detections/deprecated/extended_period_without_successful_netbackup_backups.yml
+++ b/detections/deprecated/extended_period_without_successful_netbackup_backups.yml
@@ -40,5 +40,4 @@ tags:
   - _time
   - MESSAGE
   - COMPUTERNAME
-  risk_score: 25
   security_domain: endpoint
diff --git a/detections/deprecated/first_time_seen_command_line_argument.yml b/detections/deprecated/first_time_seen_command_line_argument.yml
index b29165d760..a2ce892f88 100644
--- a/detections/deprecated/first_time_seen_command_line_argument.yml
+++ b/detections/deprecated/first_time_seen_command_line_argument.yml
@@ -64,5 +64,4 @@ tags:
   - Processes.process
   - Processes.parent_process_name
   - Processes.dest
-  risk_score: 25
   security_domain: endpoint
diff --git a/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml b/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml
index 5ea6f95f72..77c3f94f9b 100644
--- a/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml
+++ b/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml
@@ -51,5 +51,4 @@ tags:
   - data.protoPayload.authorizationInfo{}.resource
   - data.protoPayload.response.bindings{}.role
   - data.protoPayload.response.bindings{}.members{}
-  risk_score: 25
   security_domain: threat
diff --git a/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml b/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml
index 2e938d033f..74acade073 100644
--- a/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml
+++ b/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml
@@ -50,5 +50,4 @@ tags:
   - data.protoPayload.authorizationInfo{}.permission
   - data.protoPayload.response.bindings{}.members{}
   - data.resource.labels.project_id
-  risk_score: 25
   security_domain: threat
diff --git a/detections/deprecated/gcp_detect_oauth_token_abuse.yml b/detections/deprecated/gcp_detect_oauth_token_abuse.yml
index b40eddc360..d2161a7572 100644
--- a/detections/deprecated/gcp_detect_oauth_token_abuse.yml
+++ b/detections/deprecated/gcp_detect_oauth_token_abuse.yml
@@ -40,5 +40,4 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  risk_score: 25
   security_domain: threat
diff --git a/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml b/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml
index 8639f1dc7a..301901fff6 100644
--- a/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml
+++ b/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml
@@ -44,5 +44,4 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  risk_score: 25
   security_domain: threat
diff --git a/detections/deprecated/identify_new_user_accounts.yml b/detections/deprecated/identify_new_user_accounts.yml
index 59dbaacef0..7e40221152 100644
--- a/detections/deprecated/identify_new_user_accounts.yml
+++ b/detections/deprecated/identify_new_user_accounts.yml
@@ -39,5 +39,4 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  risk_score: 25
   security_domain: access
diff --git a/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml b/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml
index 3a946be0ee..850ba63939 100644
--- a/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml
+++ b/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml
@@ -34,5 +34,4 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  risk_score: 25
   security_domain: threat
diff --git a/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml b/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml
index 4efb07706d..29c48b6170 100644
--- a/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml
+++ b/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml
@@ -36,5 +36,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
\ No newline at end of file
diff --git a/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml
index 516dbda7eb..99f51ebc9d 100644
--- a/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml
+++ b/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml
@@ -35,5 +35,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml b/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml
index 9f0651b3a9..95167e857a 100644
--- a/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml
+++ b/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml
@@ -36,5 +36,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml b/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml
index 2878342321..f76a6890bd 100644
--- a/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml
+++ b/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml
@@ -36,5 +36,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml b/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml
index 2881d8d765..94816a676f 100644
--- a/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml
+++ b/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml
@@ -36,5 +36,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml b/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml
index e93c26f489..8f41335dd9 100644
--- a/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml
+++ b/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml
@@ -35,5 +35,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml
index 38bb3710cf..750a4d6219 100644
--- a/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml
+++ b/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml
@@ -35,5 +35,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml b/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml
index 3a81b57338..909f07bafd 100644
--- a/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml
+++ b/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml
@@ -35,5 +35,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml b/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml
index 31c7237848..7e3677d88d 100644
--- a/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml
+++ b/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml
@@ -38,5 +38,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml b/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml
index 4c09f89d36..42fe53a81e 100644
--- a/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml
+++ b/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml
@@ -35,5 +35,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_azure_scan_fingerprint.yml b/detections/deprecated/kubernetes_azure_scan_fingerprint.yml
index dbd4220f90..55a73ef062 100644
--- a/detections/deprecated/kubernetes_azure_scan_fingerprint.yml
+++ b/detections/deprecated/kubernetes_azure_scan_fingerprint.yml
@@ -37,5 +37,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml b/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml
index 46481a7a42..fcdfce07dc 100644
--- a/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml
@@ -36,5 +36,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml b/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml
index c8e0ef24ec..64a2b4d629 100644
--- a/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml
@@ -36,5 +36,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml b/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml
index f237528f37..50e419e32c 100644
--- a/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml
@@ -36,5 +36,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml
index 84d7db1a83..51975ce21b 100644
--- a/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml
@@ -36,5 +36,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml b/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml
index 4904afdb5c..9c0c0fa993 100644
--- a/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml
@@ -38,5 +38,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml b/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml
index cbdfd5e008..c8a57639d2 100644
--- a/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml
@@ -37,5 +37,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/monitor_dns_for_brand_abuse.yml b/detections/deprecated/monitor_dns_for_brand_abuse.yml
index 8acf3ec95c..b3bde8cc69 100644
--- a/detections/deprecated/monitor_dns_for_brand_abuse.yml
+++ b/detections/deprecated/monitor_dns_for_brand_abuse.yml
@@ -39,5 +39,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: network
diff --git a/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml b/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml
index 26d54ddf4c..ab54b90ee0 100644
--- a/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml
+++ b/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml
@@ -59,7 +59,6 @@ tags:
 - displayMessage
 - eventType
 - outcome.result
- risk_score: 9
 security_domain: access
 tests:
 - name: True Positive Test
diff --git a/detections/deprecated/o365_suspicious_admin_email_forwarding.yml b/detections/deprecated/o365_suspicious_admin_email_forwarding.yml
index 28373c5a4b..95ebe3698a 100644
--- a/detections/deprecated/o365_suspicious_admin_email_forwarding.yml
+++ b/detections/deprecated/o365_suspicious_admin_email_forwarding.yml
@@ -44,7 +44,6 @@ tags:
 - _time
 - Operation
 - Parameters
- risk_score: 48
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/deprecated/o365_suspicious_rights_delegation.yml b/detections/deprecated/o365_suspicious_rights_delegation.yml
index 92d7ea1cb0..311b0ad671 100644
--- a/detections/deprecated/o365_suspicious_rights_delegation.yml
+++ b/detections/deprecated/o365_suspicious_rights_delegation.yml
@@ -45,7 +45,6 @@ tags:
 - _time
 - Operation
 - Parameters
- risk_score: 48
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/deprecated/o365_suspicious_user_email_forwarding.yml b/detections/deprecated/o365_suspicious_user_email_forwarding.yml
index b9eda6557b..012851ccdb 100644
--- a/detections/deprecated/o365_suspicious_user_email_forwarding.yml
+++ b/detections/deprecated/o365_suspicious_user_email_forwarding.yml
@@ -47,7 +47,6 @@ tags:
 - _time
 - Operation
 - Parameters
- risk_score: 48
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/deprecated/okta_account_locked_out.yml b/detections/deprecated/okta_account_locked_out.yml
index 1c40467302..862d9d1179 100644
--- a/detections/deprecated/okta_account_locked_out.yml
+++ b/detections/deprecated/okta_account_locked_out.yml
@@ -46,7 +46,6 @@ tags:
 - src_ip
 - eventType
 - status
- risk_score: 64
 security_domain: access
 tests:
 - name: True Positive Test
diff --git a/detections/deprecated/okta_account_lockout_events.yml b/detections/deprecated/okta_account_lockout_events.yml
index 589d968df0..c8df6c5e9d 100644
--- a/detections/deprecated/okta_account_lockout_events.yml
+++ b/detections/deprecated/okta_account_lockout_events.yml
@@ -56,7 +56,6 @@ tags:
 - client.geographicalContext.city
 - src_ip
 - src_user
- risk_score: 25
 security_domain: access
 tests:
 - name: True Positive Test
diff --git a/detections/deprecated/okta_failed_sso_attempts.yml b/detections/deprecated/okta_failed_sso_attempts.yml
index 22f2a00260..cba99c304a 100644
--- a/detections/deprecated/okta_failed_sso_attempts.yml
+++ b/detections/deprecated/okta_failed_sso_attempts.yml
@@ -43,5 +43,4 @@ tags:
 - src_user
 - result
 - src_ip
- risk_score: 16
 security_domain: access
diff --git a/detections/deprecated/okta_threatinsight_login_failure_with_high_unknown_users.yml b/detections/deprecated/okta_threatinsight_login_failure_with_high_unknown_users.yml
index a91c807f39..270f1d9279 100644
--- a/detections/deprecated/okta_threatinsight_login_failure_with_high_unknown_users.yml
+++ b/detections/deprecated/okta_threatinsight_login_failure_with_high_unknown_users.yml
@@ -45,5 +45,4 @@ tags:
 - client.userAgent.browser
 - outcome.reason
 - displayMessage
- risk_score: 50
 security_domain: access
diff --git a/detections/deprecated/okta_threatinsight_suspected_passwordspray_attack.yml b/detections/deprecated/okta_threatinsight_suspected_passwordspray_attack.yml
index 0ab7b85ded..475c134bde 100644
--- a/detections/deprecated/okta_threatinsight_suspected_passwordspray_attack.yml
+++ b/detections/deprecated/okta_threatinsight_suspected_passwordspray_attack.yml
@@ -46,5 +46,4 @@ tags:
 - client.userAgent.browser
 - outcome.reason
 - displayMessage
- risk_score: 60
 security_domain: access
diff --git a/detections/deprecated/okta_two_or_more_rejected_okta_pushes.yml b/detections/deprecated/okta_two_or_more_rejected_okta_pushes.yml
index f6e1c13a28..aae6969d3a 100644
--- a/detections/deprecated/okta_two_or_more_rejected_okta_pushes.yml
+++ b/detections/deprecated/okta_two_or_more_rejected_okta_pushes.yml
@@ -53,5 +53,4 @@ tags:
 - src_ip
 - eventType
 - status
- risk_score: 64
 security_domain: access
diff --git a/detections/deprecated/osquery_pack___coldroot_detection.yml b/detections/deprecated/osquery_pack___coldroot_detection.yml
index 14ccc214ee..92e16f7617 100644
--- a/detections/deprecated/osquery_pack___coldroot_detection.yml
+++ b/detections/deprecated/osquery_pack___coldroot_detection.yml
@@ -35,5 +35,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/processes_created_by_netsh.yml b/detections/deprecated/processes_created_by_netsh.yml
index 9caca611a1..bb29ed658a 100644
--- a/detections/deprecated/processes_created_by_netsh.yml
+++ b/detections/deprecated/processes_created_by_netsh.yml
@@ -53,5 +53,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/prohibited_software_on_endpoint.yml b/detections/deprecated/prohibited_software_on_endpoint.yml
index 27b76ed896..99e96a62f7 100644
--- a/detections/deprecated/prohibited_software_on_endpoint.yml
+++ b/detections/deprecated/prohibited_software_on_endpoint.yml
@@ -44,5 +44,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _times
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml b/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml
index 26ee538d51..7e8a64e106 100644
--- a/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml
+++ b/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml
@@ -49,5 +49,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/remote_registry_key_modifications.yml b/detections/deprecated/remote_registry_key_modifications.yml
index 8c8435ee89..804c29ebb5 100644
--- a/detections/deprecated/remote_registry_key_modifications.yml
+++ b/detections/deprecated/remote_registry_key_modifications.yml
@@ -41,5 +41,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml b/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml
index e7d235b110..065aa0ed4a 100644
--- a/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml
+++ b/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml
@@ -47,5 +47,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml b/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml
index 34aa5f5d0e..754721e214 100644
--- a/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml
+++ b/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml
@@ -38,5 +38,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/suspicious_changes_to_file_associations.yml b/detections/deprecated/suspicious_changes_to_file_associations.yml
index 08ca5c2989..4fc52b1b09 100644
--- a/detections/deprecated/suspicious_changes_to_file_associations.yml
+++ b/detections/deprecated/suspicious_changes_to_file_associations.yml
@@ -53,5 +53,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/suspicious_email___uba_anomaly.yml b/detections/deprecated/suspicious_email___uba_anomaly.yml
index 77ca06d485..ab45a09b69 100644
--- a/detections/deprecated/suspicious_email___uba_anomaly.yml
+++ b/detections/deprecated/suspicious_email___uba_anomaly.yml
@@ -45,5 +45,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/suspicious_file_write.yml b/detections/deprecated/suspicious_file_write.yml
index b7a2b0c9ef..e7608920fc 100644
--- a/detections/deprecated/suspicious_file_write.yml
+++ b/detections/deprecated/suspicious_file_write.yml
@@ -47,5 +47,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/suspicious_powershell_command_line_arguments.yml b/detections/deprecated/suspicious_powershell_command_line_arguments.yml
index 572bb38339..01068a6e14 100644
--- a/detections/deprecated/suspicious_powershell_command_line_arguments.yml
+++ b/detections/deprecated/suspicious_powershell_command_line_arguments.yml
@@ -54,5 +54,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/suspicious_rundll32_rename.yml b/detections/deprecated/suspicious_rundll32_rename.yml
index 015dddaa02..3eeec3e17b 100644
--- a/detections/deprecated/suspicious_rundll32_rename.yml
+++ b/detections/deprecated/suspicious_rundll32_rename.yml
@@ -73,5 +73,4 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 63
 security_domain: endpoint
diff --git a/detections/deprecated/suspicious_writes_to_system_volume_information.yml b/detections/deprecated/suspicious_writes_to_system_volume_information.yml
index c3ea9c5edf..64bc3c9b71 100644
--- a/detections/deprecated/suspicious_writes_to_system_volume_information.yml
+++ b/detections/deprecated/suspicious_writes_to_system_volume_information.yml
@@ -40,5 +40,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/uncommon_processes_on_endpoint.yml b/detections/deprecated/uncommon_processes_on_endpoint.yml
index 18a30cc4de..aea2554186 100644
--- a/detections/deprecated/uncommon_processes_on_endpoint.yml
+++ b/detections/deprecated/uncommon_processes_on_endpoint.yml
@@ -46,5 +46,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/unsigned_image_loaded_by_lsass.yml b/detections/deprecated/unsigned_image_loaded_by_lsass.yml
index 5a926b6aff..9b24a0113c 100644
--- a/detections/deprecated/unsigned_image_loaded_by_lsass.yml
+++ b/detections/deprecated/unsigned_image_loaded_by_lsass.yml
@@ -43,5 +43,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/unsuccessful_netbackup_backups.yml b/detections/deprecated/unsuccessful_netbackup_backups.yml
index b8457b91e5..395f77b33e 100644
--- a/detections/deprecated/unsuccessful_netbackup_backups.yml
+++ b/detections/deprecated/unsuccessful_netbackup_backups.yml
@@ -36,5 +36,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/web_fraud___account_harvesting.yml b/detections/deprecated/web_fraud___account_harvesting.yml
index 4cf762f1ac..fa8fbcb007 100644
--- a/detections/deprecated/web_fraud___account_harvesting.yml
+++ b/detections/deprecated/web_fraud___account_harvesting.yml
@@ -58,5 +58,4 @@ tags:
 - http_content_type
 - uri
 - cookie
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml b/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml
index 37dc1e7655..8a4ad0deea 100644
--- a/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml
+++ b/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml
@@ -53,5 +53,4 @@ tags:
 - _time
 - http_content_type
 - cookie
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/web_fraud___password_sharing_across_accounts.yml b/detections/deprecated/web_fraud___password_sharing_across_accounts.yml
index 0819ba7af8..cd3d10482f 100644
--- a/detections/deprecated/web_fraud___password_sharing_across_accounts.yml
+++ b/detections/deprecated/web_fraud___password_sharing_across_accounts.yml
@@ -46,5 +46,4 @@ tags:
 - _time
 - http_content_type
 - uri
- risk_score: 25
 security_domain: threat
diff --git a/detections/deprecated/windows_connhost_exe_started_forcefully.yml b/detections/deprecated/windows_connhost_exe_started_forcefully.yml
index 173ee8ff8a..bd2b410bc5 100644
--- a/detections/deprecated/windows_connhost_exe_started_forcefully.yml
+++ b/detections/deprecated/windows_connhost_exe_started_forcefully.yml
@@ -49,5 +49,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml b/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml
index d81b9ab21e..d2310c8a78 100644
--- a/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml
+++ b/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.parent_process_name
 - Processes.process_name
 - Processes.process_path
- risk_score: 1
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -80,4 +79,3 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/deprecated/windows_hosts_file_modification.yml b/detections/deprecated/windows_hosts_file_modification.yml
index ffa7d52961..cb2d0c5045 100644
--- a/detections/deprecated/windows_hosts_file_modification.yml
+++ b/detections/deprecated/windows_hosts_file_modification.yml
@@ -41,5 +41,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml b/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml
index e14aa34e3d..05be074205 100644
--- a/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml
+++ b/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml
@@ -58,7 +58,6 @@ tags:
 - DNS.src
 - DNS.query
 - _time
- risk_score: 100
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/7zip_commandline_to_smb_share_path.yml b/detections/endpoint/7zip_commandline_to_smb_share_path.yml
index b065f64bc2..6741287c13 100644
--- a/detections/endpoint/7zip_commandline_to_smb_share_path.yml
+++ b/detections/endpoint/7zip_commandline_to_smb_share_path.yml
@@ -71,7 +71,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/access_lsass_memory_for_dump_creation.yml b/detections/endpoint/access_lsass_memory_for_dump_creation.yml
index 04d4d021a0..15f55d2bec 100644
--- a/detections/endpoint/access_lsass_memory_for_dump_creation.yml
+++ b/detections/endpoint/access_lsass_memory_for_dump_creation.yml
@@ -64,7 +64,6 @@ tags:
 - TargetProcessId
 - SourceImage
 - SourceProcessId
- risk_score: 63
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/account_discovery_with_net_app.yml b/detections/endpoint/account_discovery_with_net_app.yml
index 9c6aa7d7a1..2e351b2ddb 100644
--- a/detections/endpoint/account_discovery_with_net_app.yml
+++ b/detections/endpoint/account_discovery_with_net_app.yml
@@ -79,7 +79,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 5
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/active_directory_lateral_movement_identified.yml b/detections/endpoint/active_directory_lateral_movement_identified.yml
index 461d0227f5..d3dd117cb7 100644
--- a/detections/endpoint/active_directory_lateral_movement_identified.yml
+++ b/detections/endpoint/active_directory_lateral_movement_identified.yml
@@ -68,7 +68,6 @@ tags:
 - All_Risk.risk_object_type
 - All_Risk.risk_object
 - All_Risk.annotations.mitre_attack.mitre_tactic
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/active_directory_privilege_escalation_identified.yml b/detections/endpoint/active_directory_privilege_escalation_identified.yml
index f22fc57f3e..96375d5456 100644
--- a/detections/endpoint/active_directory_privilege_escalation_identified.yml
+++ b/detections/endpoint/active_directory_privilege_escalation_identified.yml
@@ -68,7 +68,6 @@ tags:
 - All_Risk.risk_object_type
 - All_Risk.risk_object
 - All_Risk.annotations.mitre_attack.mitre_tactic
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml
index 35414f35ac..205a5a7a18 100644
--- a/detections/endpoint/active_setup_registry_autostart.yml
+++ b/detections/endpoint/active_setup_registry_autostart.yml
@@ -64,7 +64,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml
index 549e04b2db..2e08f8e72f 100644
--- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml
+++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml
@@ -59,7 +59,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml
index 82a65ac702..0a84529841 100644
--- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml
+++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml
@@ -80,7 +80,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/adsisearcher_account_discovery.yml b/detections/endpoint/adsisearcher_account_discovery.yml
index caeba199f2..369c6e0291 100644
--- a/detections/endpoint/adsisearcher_account_discovery.yml
+++ b/detections/endpoint/adsisearcher_account_discovery.yml
@@ -61,7 +61,6 @@ tags:
 - Message
 - ComputerName
 - User
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml
index 5a2ac8f40d..f2bce14910 100644
--- a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml
+++ b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml
@@ -76,7 +76,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 25.0
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
index 7ad7cf43f9..02cbe89c7e 100644
--- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
+++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
@@ -67,7 +67,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml
index e5c93cfb36..fc76e03e28 100644
--- a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml
+++ b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml
@@ -55,7 +55,6 @@ tags:
 - ScriptBlockText
 - Computer
 - UserID
- risk_score: 3
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/allow_network_discovery_in_firewall.yml b/detections/endpoint/allow_network_discovery_in_firewall.yml
index e56d04a430..4755148e18 100644
--- a/detections/endpoint/allow_network_discovery_in_firewall.yml
+++ b/detections/endpoint/allow_network_discovery_in_firewall.yml
@@ -74,7 +74,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 25.0
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml
index 02a978d199..2f5204592c 100644
--- a/detections/endpoint/allow_operation_with_consent_admin.yml
+++ b/detections/endpoint/allow_operation_with_consent_admin.yml
@@ -65,7 +65,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml
index 37ed56590f..b8691d2163 100644
--- a/detections/endpoint/anomalous_usage_of_7zip.yml
+++ b/detections/endpoint/anomalous_usage_of_7zip.yml
@@ -84,7 +84,6 @@ tags:
 - Processes.parent_process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml
index 5455e24e79..990a98ab9a 100644
--- a/detections/endpoint/any_powershell_downloadfile.yml
+++ b/detections/endpoint/any_powershell_downloadfile.yml
@@ -94,7 +94,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/any_powershell_downloadstring.yml b/detections/endpoint/any_powershell_downloadstring.yml
index 7b8a99521f..a6be0351ab 100644
--- a/detections/endpoint/any_powershell_downloadstring.yml
+++ b/detections/endpoint/any_powershell_downloadstring.yml
@@ -95,7 +95,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/attacker_tools_on_endpoint.yml b/detections/endpoint/attacker_tools_on_endpoint.yml
index 8a7e564e20..8a49beb9b1 100644
--- a/detections/endpoint/attacker_tools_on_endpoint.yml
+++ b/detections/endpoint/attacker_tools_on_endpoint.yml
@@ -69,7 +69,6 @@ tags:
 - Processes.user
 - Processes.process_name
 - Processes.parent_process
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
index 4b9f66efaa..6e10ec52bf 100644
--- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
+++ b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
@@ -73,7 +73,6 @@ tags:
 - Processes.parent_process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 35
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/attempt_to_stop_security_service.yml b/detections/endpoint/attempt_to_stop_security_service.yml
index 6a3c54360b..a8b97ef2e1 100644
--- a/detections/endpoint/attempt_to_stop_security_service.yml
+++ b/detections/endpoint/attempt_to_stop_security_service.yml
@@ -83,7 +83,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 20
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
index 0ef5debd5a..f4473bca0f 100644
--- a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
+++ b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
@@ -88,7 +88,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml
index 45f2adea93..b86f904b90 100644
--- a/detections/endpoint/auto_admin_logon_registry_entry.yml
+++ b/detections/endpoint/auto_admin_logon_registry_entry.yml
@@ -60,7 +60,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/batch_file_write_to_system32.yml b/detections/endpoint/batch_file_write_to_system32.yml
index 6f0cad7956..6f0e12887d 100644
--- a/detections/endpoint/batch_file_write_to_system32.yml
+++ b/detections/endpoint/batch_file_write_to_system32.yml
@@ -79,7 +79,6 @@ tags: - Processes.process_guid - Processes.dest - Processes.process_name - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml
index adaef8948f..0c2224bf46 100644
--- a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml
+++ b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml
@@ -66,7 +66,6 @@ tags: - Processes.parent_process - Processes.dest - Processes.user - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/bcdedit_failure_recovery_modification.yml b/detections/endpoint/bcdedit_failure_recovery_modification.yml
index d49abaada7..2dbd303d6c 100644
--- a/detections/endpoint/bcdedit_failure_recovery_modification.yml
+++ b/detections/endpoint/bcdedit_failure_recovery_modification.yml
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
@@ -84,4 +83,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/bits_job_persistence.yml b/detections/endpoint/bits_job_persistence.yml
index 36a409ddd5..aace96c961 100644
--- a/detections/endpoint/bits_job_persistence.yml
+++ b/detections/endpoint/bits_job_persistence.yml
@@ -86,7 +86,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml
index 1cf57d3352..6699ce5553 100644
--- a/detections/endpoint/bitsadmin_download_file.yml
+++ b/detections/endpoint/bitsadmin_download_file.yml
@@ -90,7 +90,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
index 01481cc3e8..34bd107b65 100644
--- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
+++ b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
@@ -89,7 +89,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml
index 8e754fd5f8..368a29b769 100644
--- a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml
+++ b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml
@@ -86,7 +86,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/certutil_exe_certificate_extraction.yml b/detections/endpoint/certutil_exe_certificate_extraction.yml
index c8dde3208e..8b8c92a692 100644
--- a/detections/endpoint/certutil_exe_certificate_extraction.yml
+++ b/detections/endpoint/certutil_exe_certificate_extraction.yml
@@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml
index f4c25f7b0a..aaf776ad46 100644
--- a/detections/endpoint/certutil_with_decode_argument.yml
+++ b/detections/endpoint/certutil_with_decode_argument.yml
@@ -91,7 +91,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/change_default_file_association.yml b/detections/endpoint/change_default_file_association.yml
index 7dd89984e1..d97d417e64 100644
--- a/detections/endpoint/change_default_file_association.yml
+++ b/detections/endpoint/change_default_file_association.yml
@@ -66,7 +66,6 @@ tags: - Registry.registry_path - Registry.registry_key_name - Registry.registry_value_name - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/change_to_safe_mode_with_network_config.yml b/detections/endpoint/change_to_safe_mode_with_network_config.yml
index ccf84c1fe2..b0b960c817 100644
--- a/detections/endpoint/change_to_safe_mode_with_network_config.yml
+++ b/detections/endpoint/change_to_safe_mode_with_network_config.yml
@@ -65,7 +65,6 @@ tags: - Processes.parent_process - Processes.dest - Processes.user - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml
index fb247f8443..9ec8753d8b 100644
--- a/detections/endpoint/chcp_command_execution.yml
+++ b/detections/endpoint/chcp_command_execution.yml
@@ -73,7 +73,6 @@ tags: - parent_process_id - dest - user - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml
index f9d98c1330..507e1cc1d2 100644
--- a/detections/endpoint/check_elevated_cmd_using_whoami.yml
+++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml
@@ -64,7 +64,6 @@ tags: - Processes.process - Processes.dest - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/child_processes_of_spoolsv_exe.yml b/detections/endpoint/child_processes_of_spoolsv_exe.yml
index af335b10da..136356289c 100644
--- a/detections/endpoint/child_processes_of_spoolsv_exe.yml
+++ b/detections/endpoint/child_processes_of_spoolsv_exe.yml
@@ -71,5 +71,4 @@ tags: - Processes.dest - Processes.parent_process - Processes.user - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
index e643ff1945..71f758059b 100644
--- a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
+++ b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/clop_common_exec_parameter.yml b/detections/endpoint/clop_common_exec_parameter.yml
index f22c836b05..9c37b095c9 100644
--- a/detections/endpoint/clop_common_exec_parameter.yml
+++ b/detections/endpoint/clop_common_exec_parameter.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/clop_ransomware_known_service_name.yml b/detections/endpoint/clop_ransomware_known_service_name.yml
index 29ccc9225f..5f652878cd 100644
--- a/detections/endpoint/clop_ransomware_known_service_name.yml
+++ b/detections/endpoint/clop_ransomware_known_service_name.yml
@@ -52,7 +52,6 @@ tags: - process_name - OriginalFileName - process_path - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
index 4566f7c623..70ed39bd01 100644
--- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml
+++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
@@ -93,7 +93,6 @@ tags: - Processes.user - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/cmd_echo_pipe___escalation.yml b/detections/endpoint/cmd_echo_pipe___escalation.yml
index 7f4267b42a..d2abd25c7e 100644
--- a/detections/endpoint/cmd_echo_pipe___escalation.yml
+++ b/detections/endpoint/cmd_echo_pipe___escalation.yml
@@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml
index fd291497ce..42a721f799 100644
--- a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml
+++ b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml
@@ -97,7 +97,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
index e578c0bcd9..fa5fdbd6fa 100644
--- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
+++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
@@ -58,7 +58,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml
index c9057d1433..d92f72d40c 100644
--- a/detections/endpoint/cobalt_strike_named_pipes.yml
+++ b/detections/endpoint/cobalt_strike_named_pipes.yml
@@ -72,7 +72,6 @@ tags: - process_name - process_path - process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/common_ransomware_extensions.yml b/detections/endpoint/common_ransomware_extensions.yml
index 0aded4d1e3..013702c156 100644
--- a/detections/endpoint/common_ransomware_extensions.yml
+++ b/detections/endpoint/common_ransomware_extensions.yml
@@ -70,7 +70,6 @@ tags: - Filesystem.dest - Filesystem.file_path - Filesystem.file_name - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/common_ransomware_notes.yml b/detections/endpoint/common_ransomware_notes.yml
index 289ec69c0a..98de55d4e8 100644
--- a/detections/endpoint/common_ransomware_notes.yml
+++ b/detections/endpoint/common_ransomware_notes.yml
@@ -66,7 +66,6 @@ tags: - Filesystem.dest - Filesystem.file_path - Filesystem.file_name - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal.yml b/detections/endpoint/connectwise_screenconnect_path_traversal.yml
index e8c22ba833..d831b9f66e 100644
--- a/detections/endpoint/connectwise_screenconnect_path_traversal.yml
+++ b/detections/endpoint/connectwise_screenconnect_path_traversal.yml
@@ -60,7 +60,6 @@ tags: - Filesystem.file_name - Filesystem.file_path - Filesystem.dest - risk_score: 100 security_domain: endpoint cve: - CVE-2024-1708
diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml
index 8dfdb15d92..263ffbe61f 100644
--- a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml
+++ b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml
@@ -59,7 +59,6 @@ tags: - EventCode - Computer - Caller_User_Name - risk_score: 100 security_domain: endpoint cve: - CVE-2024-1708
diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml
index 8d5d490ba6..fd923a37ed 100644
--- a/detections/endpoint/conti_common_exec_parameter.yml
+++ b/detections/endpoint/conti_common_exec_parameter.yml
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/control_loading_from_world_writable_directory.yml b/detections/endpoint/control_loading_from_world_writable_directory.yml
index 7347951756..0b475659ef 100644
--- a/detections/endpoint/control_loading_from_world_writable_directory.yml
+++ b/detections/endpoint/control_loading_from_world_writable_directory.yml
@@ -89,7 +89,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml b/detections/endpoint/create_local_admin_accounts_using_net_exe.yml
index 4264233edf..eb95bbcefe 100644
--- a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml
+++ b/detections/endpoint/create_local_admin_accounts_using_net_exe.yml
@@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
index 1e5abbd05b..500e336c28 100644
--- a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
+++ b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
@@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/create_remote_thread_in_shell_application.yml b/detections/endpoint/create_remote_thread_in_shell_application.yml
index 5266ae0b5d..d57f11b5cd 100644
--- a/detections/endpoint/create_remote_thread_in_shell_application.yml
+++ b/detections/endpoint/create_remote_thread_in_shell_application.yml
@@ -61,7 +61,6 @@ tags: - StartAddress - EventCode - dest - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml
index 1def414675..37c735c99f 100644
--- a/detections/endpoint/create_remote_thread_into_lsass.yml
+++ b/detections/endpoint/create_remote_thread_into_lsass.yml
@@ -61,7 +61,6 @@ tags: - TargetImage - TargetProcessId - dest - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
index b1c933f75b..c67f3cc46e 100644
--- a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
+++ b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
@@ -58,7 +58,6 @@ tags: - TargetFilename - dest - object_category - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/creation_of_shadow_copy.yml b/detections/endpoint/creation_of_shadow_copy.yml
index 8f8a9ba2d2..3e44cc5e16 100644
--- a/detections/endpoint/creation_of_shadow_copy.yml
+++ b/detections/endpoint/creation_of_shadow_copy.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml
index 70575f4245..e4b04158e0 100644
--- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml
+++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml
@@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
index 52246deb24..6c5ee73835 100644
--- a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
+++ b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
index dbb443f677..dd820ba24e 100644
--- a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
+++ b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
@@ -67,7 +67,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/csc_net_on_the_fly_compilation.yml b/detections/endpoint/csc_net_on_the_fly_compilation.yml
index c768549ae9..541e65c30d 100644
--- a/detections/endpoint/csc_net_on_the_fly_compilation.yml
+++ b/detections/endpoint/csc_net_on_the_fly_compilation.yml
@@ -68,7 +68,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/curl_download_and_bash_execution.yml b/detections/endpoint/curl_download_and_bash_execution.yml
index 5f074c7b88..bf553cb8ae 100644
--- a/detections/endpoint/curl_download_and_bash_execution.yml
+++ b/detections/endpoint/curl_download_and_bash_execution.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/endpoint/delete_shadowcopy_with_powershell.yml
index 4e9538f69c..088f1608db 100644
--- a/detections/endpoint/delete_shadowcopy_with_powershell.yml
+++ b/detections/endpoint/delete_shadowcopy_with_powershell.yml
@@ -59,7 +59,6 @@ tags: - Computer - UserID - EventCode - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/deleting_of_net_users.yml b/detections/endpoint/deleting_of_net_users.yml
index aa2aa52505..259b157b16 100644
--- a/detections/endpoint/deleting_of_net_users.yml
+++ b/detections/endpoint/deleting_of_net_users.yml
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/deleting_shadow_copies.yml b/detections/endpoint/deleting_shadow_copies.yml
index ef98a61925..4f2bcc9924 100644
--- a/detections/endpoint/deleting_shadow_copies.yml
+++ b/detections/endpoint/deleting_shadow_copies.yml
@@ -91,7 +91,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml
index 23fd528463..3c66f4e565 100644
--- a/detections/endpoint/detect_azurehound_command_line_arguments.yml
+++ b/detections/endpoint/detect_azurehound_command_line_arguments.yml
@@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_azurehound_file_modifications.yml b/detections/endpoint/detect_azurehound_file_modifications.yml
index e65d2bf826..8d849607a3 100644
--- a/detections/endpoint/detect_azurehound_file_modifications.yml
+++ b/detections/endpoint/detect_azurehound_file_modifications.yml
@@ -70,7 +70,6 @@ tags: - file_name - process_id - file_create_time - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml
index b185a14275..83ab6ecfef 100644
--- a/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml
+++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml
@@ -37,5 +37,4 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml
index 4968593a16..8bd852810e 100644
--- a/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml
+++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml
@@ -41,5 +41,4 @@ tags: required_fields: - _time - host - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml
index 6a17163717..4f27fa3db4 100644
--- a/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml
+++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml
@@ -44,5 +44,4 @@ tags: required_fields: - _time - columns.cmdline - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/detect_certify_command_line_arguments.yml b/detections/endpoint/detect_certify_command_line_arguments.yml
index 54c5cf2e88..db9483e27c 100644
--- a/detections/endpoint/detect_certify_command_line_arguments.yml
+++ b/detections/endpoint/detect_certify_command_line_arguments.yml
@@ -76,7 +76,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
@@ -85,4 +84,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
index 6255204005..4125bde3a0 100644
--- a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
@@ -65,7 +65,6 @@ tags: - user - Computer - EventCode - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
@@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/detect_certipy_file_modifications.yml b/detections/endpoint/detect_certipy_file_modifications.yml
index 7b19537648..39fb3b7bbb 100644
--- a/detections/endpoint/detect_certipy_file_modifications.yml
+++ b/detections/endpoint/detect_certipy_file_modifications.yml
@@ -86,7 +86,6 @@ tags: - Filesystem.file_name - Filesystem.file_path - Filesystem.dest - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test
@@ -95,4 +94,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
index c0e053fe2b..154e31ab44 100644
--- a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
+++ b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
@@ -64,5 +64,4 @@ tags: - LogonType - TargetDomainName - user - risk_score: 49 security_domain: endpoint
diff --git a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml
index 123f62d901..3ce67feceb 100644
--- a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml
+++ b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml
@@ -61,7 +61,6 @@ tags: - Computer - UserID - EventCode - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
index 77f0b0e806..550d7f32ca 100644
--- a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
+++ b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
@@ -66,7 +66,6 @@ tags: - SourceProcessId - TargetImage - TargetProcessId - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml
index 51deda2276..f2d7f91fa2 100644
--- a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml
@@ -65,7 +65,6 @@ tags: - Computer - UserID - EventCode - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
index 5c139a563b..993ab28825 100644
--- a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
+++ b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
@@ -65,7 +65,6 @@ tags: - nodename - All_Changes.result - All_Changes.dest - risk_score: 36 security_domain: access tests: - name: True Positive Test
@@ -74,14 +73,11 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - update_timestamp: true - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-system.log source: WinEventLog:System sourcetype: WinEventLog - update_timestamp: true - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/detect_excessive_user_account_lockouts.yml b/detections/endpoint/detect_excessive_user_account_lockouts.yml
index fb18194ac8..85d4d99300 100644
--- a/detections/endpoint/detect_excessive_user_account_lockouts.yml
+++ b/detections/endpoint/detect_excessive_user_account_lockouts.yml
@@ -49,7 +49,6 @@ tags: - All_Changes.result - nodename - All_Changes.user - risk_score: 36 security_domain: access tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml
index 940893d70b..2fed3023af 100644
--- a/detections/endpoint/detect_exchange_web_shell.yml
+++ b/detections/endpoint/detect_exchange_web_shell.yml
@@ -80,7 +80,6 @@ tags: - Filesystem.file_name - Filesystem.file_hash - Filesystem.user - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_html_help_renamed.yml b/detections/endpoint/detect_html_help_renamed.yml
index 96c1c6504d..383b30d123 100644
--- a/detections/endpoint/detect_html_help_renamed.yml
+++ b/detections/endpoint/detect_html_help_renamed.yml
@@ -84,7 +84,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_html_help_spawn_child_process.yml b/detections/endpoint/detect_html_help_spawn_child_process.yml
index 0bf59fa7b4..999aee6b81 100644
--- a/detections/endpoint/detect_html_help_spawn_child_process.yml
+++ b/detections/endpoint/detect_html_help_spawn_child_process.yml
@@ -88,7 +88,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml
index 39e6d921f4..662268ae9e 100644
--- a/detections/endpoint/detect_html_help_url_in_command_line.yml
+++ b/detections/endpoint/detect_html_help_url_in_command_line.yml
@@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
index c12f5cc105..aa040e1cdf 100644
--- a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
+++ b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
@@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
index 5e546a2561..72eb8586e4 100644
--- a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
@@ -67,7 +67,6 @@ tags: - Computer - UserID - EventCode - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml
index 9e3393e513..afe1b0ddef 100644
--- a/detections/endpoint/detect_mshta_inline_hta_execution.yml
+++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml
@@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/detect_mshta_renamed.yml b/detections/endpoint/detect_mshta_renamed.yml
index e9ec5aeee1..db714379af 100644
--- a/detections/endpoint/detect_mshta_renamed.yml
+++ b/detections/endpoint/detect_mshta_renamed.yml
@@ -82,7 +82,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml
index 3ae2c2e361..04d9a83001 100644
--- a/detections/endpoint/detect_mshta_url_in_command_line.yml
+++ b/detections/endpoint/detect_mshta_url_in_command_line.yml
@@ -84,7 +84,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_new_local_admin_account.yml b/detections/endpoint/detect_new_local_admin_account.yml
index 7726935583..93f985b8a0 100644
--- a/detections/endpoint/detect_new_local_admin_account.yml
+++ b/detections/endpoint/detect_new_local_admin_account.yml
@@ -59,7 +59,6 @@ tags:
 - member_id
 - dest
 - user
- risk_score: 42
 security_domain: access
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
index 54570dfcff..e7272622c9 100644
--- a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
+++ b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
@@ -69,5 +69,4 @@ tags:
 - Processes.dest
 - Processes.parent_process_name
 - Processes.user
- risk_score: 25
 security_domain: network
diff --git a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
index 13e0540cab..e5002a720d 100644
--- a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
+++ b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
@@ -82,7 +82,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml
index 34ed7012f3..6abd51501d 100644
--- a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml
+++ b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml
@@ -85,7 +85,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 32
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml
index 42b3afa82c..c7aa02023f 100644
--- a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml
+++ b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml
@@ -84,7 +84,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
index 7425d35887..7463404aa7 100644
--- a/detections/endpoint/detect_psexec_with_accepteula_flag.yml
+++ b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
@@ -94,7 +94,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 35
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_rare_executables.yml b/detections/endpoint/detect_rare_executables.yml
index f57cfa9c70..0312aa4ff2 100644
--- a/detections/endpoint/detect_rare_executables.yml
+++ b/detections/endpoint/detect_rare_executables.yml
@@ -59,7 +59,6 @@ tags:
 - Processes.dest
 - Processes.user
 - Processes.process_name
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml
index 4f19089aa9..86ca4f9b2d 100644
--- a/detections/endpoint/detect_rclone_command_line_usage.yml
+++ b/detections/endpoint/detect_rclone_command_line_usage.yml
@@ -84,7 +84,6 @@ tags:
 - Processes.process_id
 - Processes.parent_process_id
 - Processes.original_file_name
- risk_score: 35
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_regasm_spawning_a_process.yml b/detections/endpoint/detect_regasm_spawning_a_process.yml
index 3c1cbc05e1..c97fed288c 100644
--- a/detections/endpoint/detect_regasm_spawning_a_process.yml
+++ b/detections/endpoint/detect_regasm_spawning_a_process.yml
@@ -86,7 +86,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_regasm_with_network_connection.yml b/detections/endpoint/detect_regasm_with_network_connection.yml
index 75b4df73f2..1d40ac9252 100644
--- a/detections/endpoint/detect_regasm_with_network_connection.yml
+++ b/detections/endpoint/detect_regasm_with_network_connection.yml
@@ -68,7 +68,6 @@ tags:
 - src_ip
 - dest_host
 - dest_ip
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
index 24689955db..02699f5ecf 100644
--- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
+++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
@@ -85,7 +85,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_regsvcs_spawning_a_process.yml b/detections/endpoint/detect_regsvcs_spawning_a_process.yml
index 646e697301..960cedaa29 100644
--- a/detections/endpoint/detect_regsvcs_spawning_a_process.yml
+++ b/detections/endpoint/detect_regsvcs_spawning_a_process.yml
@@ -83,7 +83,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_regsvcs_with_network_connection.yml b/detections/endpoint/detect_regsvcs_with_network_connection.yml
index 10b6cd44f8..102685bd43 100644
--- a/detections/endpoint/detect_regsvcs_with_network_connection.yml
+++ b/detections/endpoint/detect_regsvcs_with_network_connection.yml
@@ -68,7 +68,6 @@ tags:
 - user
 - src_ip
 - dest_host
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
index 0a0fe2847a..f6871b95db 100644
--- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
+++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
@@ -84,7 +84,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_regsvr32_application_control_bypass.yml b/detections/endpoint/detect_regsvr32_application_control_bypass.yml
index ccb6c34f83..69283258d0 100644
--- a/detections/endpoint/detect_regsvr32_application_control_bypass.yml
+++ b/detections/endpoint/detect_regsvr32_application_control_bypass.yml
@@ -89,7 +89,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml
index aaf1b8c515..d1317ae659 100644
--- a/detections/endpoint/detect_remote_access_software_usage_file.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_file.yml
@@ -76,7 +76,6 @@ tags:
 - Filesystem.dest
 - Filesystem.user
 - Filesystem.file_name
- risk_score: 25
 security_domain: endpoint
 manual_test: This detection uses A&I lookups from Enterprise Security.
 tests:
diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
index 61e05f0745..ace8416481 100644
--- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
@@ -69,7 +69,6 @@ tags:
 - parent_process_name
 - process_name
 - process
- risk_score: 25
 security_domain: endpoint
 manual_test: This detection uses A&I lookups from Enterprise Security.
 tests:
diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml
index 0ce8bcbe32..c7028c52a1 100644
--- a/detections/endpoint/detect_remote_access_software_usage_process.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_process.yml
@@ -83,7 +83,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_name
- risk_score: 25
 security_domain: endpoint
 manual_test: This detection uses A&I lookups from Enterprise Security.
 tests:
diff --git a/detections/endpoint/detect_renamed_7_zip.yml b/detections/endpoint/detect_renamed_7_zip.yml
index 4e2ebc0a7f..b3adb12a6b 100644
--- a/detections/endpoint/detect_renamed_7_zip.yml
+++ b/detections/endpoint/detect_renamed_7_zip.yml
@@ -82,7 +82,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 27
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml
index 9d7d8bc7d4..ad52dfc3c5 100644
--- a/detections/endpoint/detect_renamed_psexec.yml
+++ b/detections/endpoint/detect_renamed_psexec.yml
@@ -91,7 +91,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 27
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml
index 7f6f2869a7..5f3adda29e 100644
--- a/detections/endpoint/detect_renamed_rclone.yml
+++ b/detections/endpoint/detect_renamed_rclone.yml
@@ -83,7 +83,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 27
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml
index b5f4ed522a..00f4e68c22 100644
--- a/detections/endpoint/detect_renamed_winrar.yml
+++ b/detections/endpoint/detect_renamed_winrar.yml
@@ -82,7 +82,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 27
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_rtlo_in_file_name.yml b/detections/endpoint/detect_rtlo_in_file_name.yml
index 0f65d1d91a..50f54b57f8 100644
--- a/detections/endpoint/detect_rtlo_in_file_name.yml
+++ b/detections/endpoint/detect_rtlo_in_file_name.yml
@@ -67,7 +67,6 @@ tags:
 - Filesystem.file_name
 - Filesystem.file_path
 - Filesystem.process_id
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_rtlo_in_process.yml b/detections/endpoint/detect_rtlo_in_process.yml
index 518c423119..4e77ce338f 100644
--- a/detections/endpoint/detect_rtlo_in_process.yml
+++ b/detections/endpoint/detect_rtlo_in_process.yml
@@ -79,7 +79,6 @@ tags:
 - Processes.parent_process_id
 - Processes.parent_process_name
 - Processes.parent_process
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
index f8f73f69f3..ad5acc81f2 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
@@ -87,7 +87,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
index 9d20f58aff..85ef704413 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
@@ -87,7 +87,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
index 721f1d0f62..3ed5cc858d 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
@@ -87,7 +87,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml
index 2e59eba9ae..74ef870d19 100644
--- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml
+++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml
index 51d16a6f89..b83494f7b9 100644
--- a/detections/endpoint/detect_sharphound_command_line_arguments.yml
+++ b/detections/endpoint/detect_sharphound_command_line_arguments.yml
@@ -73,7 +73,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 24
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_sharphound_file_modifications.yml b/detections/endpoint/detect_sharphound_file_modifications.yml
index 718559e461..2c5e665b17 100644
--- a/detections/endpoint/detect_sharphound_file_modifications.yml
+++ b/detections/endpoint/detect_sharphound_file_modifications.yml
@@ -69,7 +69,6 @@ tags:
 - file_name
 - process_id
 - file_create_time
- risk_score: 24
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_sharphound_usage.yml b/detections/endpoint/detect_sharphound_usage.yml
index cf04812b7a..a51f2b4007 100644
--- a/detections/endpoint/detect_sharphound_usage.yml
+++ b/detections/endpoint/detect_sharphound_usage.yml
@@ -78,7 +78,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 24
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
index 1aeb9d8929..2f9773a445 100644
--- a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
+++ b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
@@ -71,5 +71,4 @@ tags:
 - Processes.parent_process
 - Processes.user
 - Processes.dest
- risk_score: 45
 security_domain: endpoint
diff --git a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
index 2f836cb956..d5a9cc22c4 100644
--- a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
+++ b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
@@ -66,7 +66,6 @@ tags:
 - Processes.parent_process
 - Processes.user
 - Processes.dest
- risk_score: 35
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detect_webshell_exploit_behavior.yml b/detections/endpoint/detect_webshell_exploit_behavior.yml
index 42de72b989..ab94c119c3 100644
--- a/detections/endpoint/detect_webshell_exploit_behavior.yml
+++ b/detections/endpoint/detect_webshell_exploit_behavior.yml
@@ -90,7 +90,6 @@ tags:
 - Processes.parent_process_name
 - Processes.process
 - Processes.process_name
- risk_score: 80
 security_domain: endpoint
 supported_tas:
 - Splunk_TA_microsoft_sysmon
diff --git a/detections/endpoint/detect_wmi_event_subscription_persistence.yml b/detections/endpoint/detect_wmi_event_subscription_persistence.yml
index ffc30d9f99..d120c520c3 100644
--- a/detections/endpoint/detect_wmi_event_subscription_persistence.yml
+++ b/detections/endpoint/detect_wmi_event_subscription_persistence.yml
@@ -54,7 +54,6 @@ tags:
 - Destination
 - dest
 - User
- risk_score: 63
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
index f12a51960e..e3448a67da 100644
--- a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
+++ b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
@@ -58,5 +58,4 @@ tags:
 - Processes.parent_process
 - Processes.process_name
 - Processes.user
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml
index ef574c1785..a8b07389f5 100644
--- a/detections/endpoint/disable_amsi_through_registry.yml
+++ b/detections/endpoint/disable_amsi_through_registry.yml
@@ -62,7 +62,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 25.0
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml
index 9ed2c7f702..cdc0c899fd 100644
--- a/detections/endpoint/disable_defender_antivirus_registry.yml
+++ b/detections/endpoint/disable_defender_antivirus_registry.yml
@@ -63,7 +63,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
index 2fd43e341e..da53bb95f2 100644
--- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
+++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
@@ -64,7 +64,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml
index 060054c957..efa23e41c3 100644
--- a/detections/endpoint/disable_defender_enhanced_notification.yml
+++ b/detections/endpoint/disable_defender_enhanced_notification.yml
@@ -85,7 +85,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml
index f722cb1842..fc510a38c0 100644
--- a/detections/endpoint/disable_defender_mpengine_registry.yml
+++ b/detections/endpoint/disable_defender_mpengine_registry.yml
@@ -62,7 +62,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml
index 05b46452a9..d8ff25a885 100644
--- a/detections/endpoint/disable_defender_spynet_reporting.yml
+++ b/detections/endpoint/disable_defender_spynet_reporting.yml
@@ -65,7 +65,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
index d75edf1bfb..30abdcef23 100644
--- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
+++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
@@ -64,7 +64,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml
index 4f8881e579..fcbddb814e 100644
--- a/detections/endpoint/disable_etw_through_registry.yml
+++ b/detections/endpoint/disable_etw_through_registry.yml
@@ -59,7 +59,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 25.0
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml
index 775e2ce23f..c9cea30cf8 100644
--- a/detections/endpoint/disable_logs_using_wevtutil.yml
+++ b/detections/endpoint/disable_logs_using_wevtutil.yml
@@ -66,7 +66,6 @@ tags:
 - Processes.user
 - Processes.process_id
 - Processes.process_guid
- risk_score: 24
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml
index 0af25ed655..d58dba0de5 100644
--- a/detections/endpoint/disable_registry_tool.yml
+++ b/detections/endpoint/disable_registry_tool.yml
@@ -60,7 +60,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml
index 7196040a3c..b8c18cb465 100644
--- a/detections/endpoint/disable_schedule_task.yml
+++ b/detections/endpoint/disable_schedule_task.yml
@@ -62,7 +62,6 @@ tags:
 - Processes.process_name
 - Processes.parent_process_name
 - Processes.dest
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml
index 7e7b26e8f2..d559bbad1b 100644
--- a/detections/endpoint/disable_security_logs_using_minint_registry.yml
+++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml
@@ -61,7 +61,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml
index 9a64a34bc3..d63fea3943 100644
--- a/detections/endpoint/disable_show_hidden_files.yml
+++ b/detections/endpoint/disable_show_hidden_files.yml
@@ -62,7 +62,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml
index be01d67a03..31de046593 100644
--- a/detections/endpoint/disable_uac_remote_restriction.yml
+++ b/detections/endpoint/disable_uac_remote_restriction.yml
@@ -63,7 +63,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml
index 85e4112bf5..ff4870fca7 100644
--- a/detections/endpoint/disable_windows_app_hotkeys.yml
+++ b/detections/endpoint/disable_windows_app_hotkeys.yml
@@ -58,7 +58,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guidr
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
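Review bot: The surviving context line `- Registry.process_guidr` in disable_windows_app_hotkeys.yml's required_fields looks like a typo for `- Registry.process_guid`, which is the spelling every other Registry-based detection in this patch lists (disable_security_logs_using_minint_registry.yml, disable_show_hidden_files.yml, disable_uac_remote_restriction.yml in this same span). The commit tightens schema validation at the mapping level, but a misspelled entry inside the required_fields list is not something extra='forbid' will catch, so it stays on the new side. Suggest correcting it to `- Registry.process_guid` in a follow-up so the field list matches the data model field the search actually uses.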
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml
index 6c8d9b60f5..39c49d2573 100644
--- a/detections/endpoint/disable_windows_behavior_monitoring.yml
+++ b/detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -69,7 +69,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml
index f4eac676b8..9c44d60a1b 100644
--- a/detections/endpoint/disable_windows_smartscreen_protection.yml
+++ b/detections/endpoint/disable_windows_smartscreen_protection.yml
@@ -64,7 +64,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
index fc69094941..683c6dcfab 100644
--- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
+++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
@@ -55,7 +55,6 @@ tags:
 - Computer
 - UserID
 - EventCode
- risk_score: 54
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
index ffc44e5bce..ebb8cb7c69 100644
--- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
+++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
@@ -53,7 +53,6 @@ tags:
 - Computer
 - UserID
 - EventCode
- risk_score: 54
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml
index 6dee1757b5..c38f149225 100644
--- a/detections/endpoint/disabling_cmd_application.yml
+++ b/detections/endpoint/disabling_cmd_application.yml
@@ -63,7 +63,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml
index 19c156b161..00b1fdc160 100644
--- a/detections/endpoint/disabling_controlpanel.yml
+++ b/detections/endpoint/disabling_controlpanel.yml
@@ -63,7 +63,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test (XML)
diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml
index 2b6483c299..6225a9d1ce 100644
--- a/detections/endpoint/disabling_defender_services.yml
+++ b/detections/endpoint/disabling_defender_services.yml
@@ -64,7 +64,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disabling_firewall_with_netsh.yml b/detections/endpoint/disabling_firewall_with_netsh.yml
index bb022e6e77..32ceaa3375 100644
--- a/detections/endpoint/disabling_firewall_with_netsh.yml
+++ b/detections/endpoint/disabling_firewall_with_netsh.yml
@@ -73,7 +73,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml
index 22f362cb21..2229a73d01 100644
--- a/detections/endpoint/disabling_folderoptions_windows_feature.yml
+++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml
@@ -63,7 +63,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disabling_net_user_account.yml b/detections/endpoint/disabling_net_user_account.yml
index fcc5590493..b034988708 100644
--- a/detections/endpoint/disabling_net_user_account.yml
+++ b/detections/endpoint/disabling_net_user_account.yml
@@ -79,7 +79,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 42
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml
index 2654bf65a0..46d5dcb667 100644
--- a/detections/endpoint/disabling_norun_windows_app.yml
+++ b/detections/endpoint/disabling_norun_windows_app.yml
@@ -63,7 +63,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disabling_remote_user_account_control.yml b/detections/endpoint/disabling_remote_user_account_control.yml
index f6ea7faffd..ff7703aa9a 100644
--- a/detections/endpoint/disabling_remote_user_account_control.yml
+++ b/detections/endpoint/disabling_remote_user_account_control.yml
@@ -67,7 +67,6 @@ tags:
 - Registry.registry_key_name
 - Registry.user
 - Registry.action
- risk_score: 42
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml
index a3cc1f29a0..8684df0352 100644
--- a/detections/endpoint/disabling_systemrestore_in_registry.yml
+++ b/detections/endpoint/disabling_systemrestore_in_registry.yml
@@ -65,7 +65,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml
index 382f4a93e3..8f278a1180 100644
--- a/detections/endpoint/disabling_task_manager.yml
+++ b/detections/endpoint/disabling_task_manager.yml
@@ -62,7 +62,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 42
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
index 0903cfcc9d..118bf1fa71 100644
--- a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
+++ b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
@@ -69,7 +69,6 @@ tags:
 - Registry.registry_path
 - Registry.dest
 - Registry.user
- risk_score: 60
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
index 1788a42946..4ca6d84680 100644
--- a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
@@ -80,7 +80,6 @@ tags: - parent_process_name - dest_port - process_path - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
index ce76b2bb3e..594c920fd0 100644
--- a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
+++ b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
@@ -86,7 +86,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_account_discovery_with_dsquery.yml b/detections/endpoint/domain_account_discovery_with_dsquery.yml
index 9568e08f11..7a18e659c3 100644
--- a/detections/endpoint/domain_account_discovery_with_dsquery.yml
+++ b/detections/endpoint/domain_account_discovery_with_dsquery.yml
@@ -73,7 +73,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_account_discovery_with_net_app.yml b/detections/endpoint/domain_account_discovery_with_net_app.yml
index afcc6c7711..51ce93b2d4 100644
--- a/detections/endpoint/domain_account_discovery_with_net_app.yml
+++ b/detections/endpoint/domain_account_discovery_with_net_app.yml
@@ -74,7 +74,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_account_discovery_with_wmic.yml b/detections/endpoint/domain_account_discovery_with_wmic.yml
index 0bc293890b..d047c9a664 100644
--- a/detections/endpoint/domain_account_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_account_discovery_with_wmic.yml
@@ -73,7 +73,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml
index 6a1dd7d0e5..61be1a6aa0 100644
--- a/detections/endpoint/domain_controller_discovery_with_nltest.yml
+++ b/detections/endpoint/domain_controller_discovery_with_nltest.yml
@@ -66,7 +66,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_controller_discovery_with_wmic.yml b/detections/endpoint/domain_controller_discovery_with_wmic.yml
index eb4c6682fc..d1c11c0161 100644
--- a/detections/endpoint/domain_controller_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_controller_discovery_with_wmic.yml
@@ -65,7 +65,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml
index 9627870eb9..88abd7390d 100644
--- a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml
+++ b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml
@@ -52,7 +52,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 18 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_group_discovery_with_dsquery.yml b/detections/endpoint/domain_group_discovery_with_dsquery.yml
index eb8f5e3edc..a93252c518 100644
--- a/detections/endpoint/domain_group_discovery_with_dsquery.yml
+++ b/detections/endpoint/domain_group_discovery_with_dsquery.yml
@@ -66,7 +66,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_group_discovery_with_net.yml b/detections/endpoint/domain_group_discovery_with_net.yml
index 640a60b233..07427b11dd 100644
--- a/detections/endpoint/domain_group_discovery_with_net.yml
+++ b/detections/endpoint/domain_group_discovery_with_net.yml
@@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/domain_group_discovery_with_wmic.yml b/detections/endpoint/domain_group_discovery_with_wmic.yml
index 4878ea0088..564265eeeb 100644
--- a/detections/endpoint/domain_group_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_group_discovery_with_wmic.yml
@@ -67,7 +67,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/download_files_using_telegram.yml b/detections/endpoint/download_files_using_telegram.yml
index b8ebf9ba8b..d14ba24643 100644
--- a/detections/endpoint/download_files_using_telegram.yml
+++ b/detections/endpoint/download_files_using_telegram.yml
@@ -55,7 +55,6 @@ tags: - process_id - TargetFilename - Hash - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/drop_icedid_license_dat.yml b/detections/endpoint/drop_icedid_license_dat.yml
index 8414b775e6..78219669ef 100644
--- a/detections/endpoint/drop_icedid_license_dat.yml
+++ b/detections/endpoint/drop_icedid_license_dat.yml
@@ -51,7 +51,6 @@ tags: - Splunk Cloud required_fields: - _time - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/dsquery_domain_discovery.yml b/detections/endpoint/dsquery_domain_discovery.yml
index c93cf5eeaf..90ea4bd0c2 100644
--- a/detections/endpoint/dsquery_domain_discovery.yml
+++ b/detections/endpoint/dsquery_domain_discovery.yml
@@ -80,7 +80,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
index f74ff6c01a..b7c934a3d7 100644
--- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
+++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
@@ -85,7 +85,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/dump_lsass_via_procdump.yml b/detections/endpoint/dump_lsass_via_procdump.yml
index c43a1f303b..46b06a7fb9 100644
--- a/detections/endpoint/dump_lsass_via_procdump.yml
+++ b/detections/endpoint/dump_lsass_via_procdump.yml
@@ -81,7 +81,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/elevated_group_discovery_with_net.yml b/detections/endpoint/elevated_group_discovery_with_net.yml
index f667778adf..00dd378b5a 100644
--- a/detections/endpoint/elevated_group_discovery_with_net.yml
+++ b/detections/endpoint/elevated_group_discovery_with_net.yml
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/elevated_group_discovery_with_powerview.yml b/detections/endpoint/elevated_group_discovery_with_powerview.yml
index 8d4663dd5b..f638831279 100644
--- a/detections/endpoint/elevated_group_discovery_with_powerview.yml
+++ b/detections/endpoint/elevated_group_discovery_with_powerview.yml
@@ -54,7 +54,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/elevated_group_discovery_with_wmic.yml b/detections/endpoint/elevated_group_discovery_with_wmic.yml
index c13ce10927..69938ec18d 100644
--- a/detections/endpoint/elevated_group_discovery_with_wmic.yml
+++ b/detections/endpoint/elevated_group_discovery_with_wmic.yml
@@ -71,7 +71,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml
index 29c3736edc..cd00432dc8 100644
--- a/detections/endpoint/enable_rdp_in_other_port_number.yml
+++ b/detections/endpoint/enable_rdp_in_other_port_number.yml
@@ -61,7 +61,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
index d32c39f50f..48966a7dea 100644
--- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
+++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
@@ -63,7 +63,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/enumerate_users_local_group_using_telegram.yml b/detections/endpoint/enumerate_users_local_group_using_telegram.yml
index ae1cf9dc5c..2d21655d63 100644
--- a/detections/endpoint/enumerate_users_local_group_using_telegram.yml
+++ b/detections/endpoint/enumerate_users_local_group_using_telegram.yml
@@ -61,7 +61,6 @@ tags: - Logon_ID - Security_ID - Message - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/esentutl_sam_copy.yml b/detections/endpoint/esentutl_sam_copy.yml
index 484a90ff0c..3621ef0d42 100644
--- a/detections/endpoint/esentutl_sam_copy.yml
+++ b/detections/endpoint/esentutl_sam_copy.yml
@@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml
index 1dd5816a6e..c280d1041e 100644
--- a/detections/endpoint/etw_registry_disabled.yml
+++ b/detections/endpoint/etw_registry_disabled.yml
@@ -67,7 +67,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/eventvwr_uac_bypass.yml b/detections/endpoint/eventvwr_uac_bypass.yml
index 1fa34580aa..0649e84756 100644
--- a/detections/endpoint/eventvwr_uac_bypass.yml
+++ b/detections/endpoint/eventvwr_uac_bypass.yml
@@ -87,7 +87,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excel_spawning_powershell.yml b/detections/endpoint/excel_spawning_powershell.yml
index a3e559a028..9c02834007 100644
--- a/detections/endpoint/excel_spawning_powershell.yml
+++ b/detections/endpoint/excel_spawning_powershell.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excel_spawning_windows_script_host.yml b/detections/endpoint/excel_spawning_windows_script_host.yml
index 0dbb970645..a670f1182c 100644
--- a/detections/endpoint/excel_spawning_windows_script_host.yml
+++ b/detections/endpoint/excel_spawning_windows_script_host.yml
@@ -78,7 +78,6 @@ tags: - dest - user - parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_attempt_to_disable_services.yml b/detections/endpoint/excessive_attempt_to_disable_services.yml
index 289c6878be..a90af37a57 100644
--- a/detections/endpoint/excessive_attempt_to_disable_services.yml
+++ b/detections/endpoint/excessive_attempt_to_disable_services.yml
@@ -68,7 +68,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
index 0988a0f3b1..e7be0e276f 100644
--- a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
+++ b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
@@ -60,7 +60,6 @@ tags: - Processes.process - Processes.dest - Processes.user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
index 482a141d0d..4a0d3dfa8a 100644
--- a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
+++ b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
@@ -67,7 +67,6 @@ tags: - process_name - process_path - process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
index 84c8c83e3d..f01eef3d42 100644
--- a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
+++ b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
@@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/excessive_number_of_taskhost_processes.yml b/detections/endpoint/excessive_number_of_taskhost_processes.yml
index 673e2ab90b..6909f224a5 100644
--- a/detections/endpoint/excessive_number_of_taskhost_processes.yml
+++ b/detections/endpoint/excessive_number_of_taskhost_processes.yml
@@ -65,7 +65,6 @@ tags: - Processes.process_name - Processes.dest - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_service_stop_attempt.yml b/detections/endpoint/excessive_service_stop_attempt.yml
index d9f2ccc4cb..20a51ef804 100644
--- a/detections/endpoint/excessive_service_stop_attempt.yml
+++ b/detections/endpoint/excessive_service_stop_attempt.yml
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml
index c25a3d7d46..f6e37e0cc7 100644
--- a/detections/endpoint/excessive_usage_of_cacls_app.yml
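Review bot: The second hunk of `excessive_number_of_service_control_start_as_disabled.yml` (`@@ -82,4 +81,3 @@`) drops `update_timestamp: true` from the test's attack_data entry, which changes how the test runs rather than just what the schema accepts. If the test runner still honours that key, the replayed Sysmon events keep their original timestamps and can fall outside the detection's search window, turning the True Positive Test into a silent false negative. Please confirm the key has actually been removed from the test-data model (so the runner's default applies) rather than merely rejected by the stricter validation; if it is still supported, keep the line.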
+++ b/detections/endpoint/excessive_usage_of_cacls_app.yml
@@ -70,7 +70,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_usage_of_net_app.yml b/detections/endpoint/excessive_usage_of_net_app.yml
index 3fd324c5c1..203918acee 100644
--- a/detections/endpoint/excessive_usage_of_net_app.yml
+++ b/detections/endpoint/excessive_usage_of_net_app.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_usage_of_nslookup_app.yml b/detections/endpoint/excessive_usage_of_nslookup_app.yml
index 85204a4ab8..b98a3dc27f 100644
--- a/detections/endpoint/excessive_usage_of_nslookup_app.yml
+++ b/detections/endpoint/excessive_usage_of_nslookup_app.yml
@@ -59,7 +59,6 @@ tags: - dest - process_name - EventCode - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml
index 41194d4c27..a73abc493a 100644
--- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml
+++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml
@@ -56,7 +56,6 @@ tags: - EventCode - process_name - process - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml
index 448d2a796a..53647cef44 100644
--- a/detections/endpoint/excessive_usage_of_taskkill.yml
+++ b/detections/endpoint/excessive_usage_of_taskkill.yml
@@ -78,7 +78,6 @@ tags: - Processes.user - Processes.process - Processes.process_id - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml
index 46ee0fee33..1948b1b832 100644
--- a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml
+++ b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml
@@ -54,5 +54,4 @@ tags: - cs_uri_query - cs_method - c_uri - risk_score: 80 security_domain: endpoint
diff --git a/detections/endpoint/exchange_powershell_module_usage.yml b/detections/endpoint/exchange_powershell_module_usage.yml
index cc3fa2cf81..1c5934bb20 100644
--- a/detections/endpoint/exchange_powershell_module_usage.yml
+++ b/detections/endpoint/exchange_powershell_module_usage.yml
@@ -66,7 +66,6 @@ tags: - Computer - UserID - EventCode - risk_score: 32 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml
index ac28c68fd7..862daade3c 100644
--- a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml
+++ b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml
@@ -69,7 +69,6 @@ tags: - user - src_port - Source_Address - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
index 1710b61e9a..69758336f0 100644
--- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -100,7 +100,6 @@ tags: - Filesystem.process_id - Filesystem.file_name - Filesystem.user - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
index 2d4425be5e..4489480cb5 100644
--- a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
+++ b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
@@ -73,7 +73,6 @@ tags: - Processes.process_id - Processes.dest - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/execution_of_file_with_multiple_extensions.yml b/detections/endpoint/execution_of_file_with_multiple_extensions.yml
index 2fe73696eb..30f9918056 100644
--- a/detections/endpoint/execution_of_file_with_multiple_extensions.yml
+++ b/detections/endpoint/execution_of_file_with_multiple_extensions.yml
@@ -74,7 +74,6 @@ tags: - Processes.dest - Processes.user - Processes.parent_process - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/extraction_of_registry_hives.yml b/detections/endpoint/extraction_of_registry_hives.yml
index 9154c3ea89..9403fb41c8 100644
--- a/detections/endpoint/extraction_of_registry_hives.yml
+++ b/detections/endpoint/extraction_of_registry_hives.yml
@@ -84,7 +84,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/file_with_samsam_extension.yml b/detections/endpoint/file_with_samsam_extension.yml
index 5a80d37e93..25660c6e09 100644
--- a/detections/endpoint/file_with_samsam_extension.yml
+++ b/detections/endpoint/file_with_samsam_extension.yml
@@ -57,7 +57,6 @@ tags: - Filesystem.dest - Filesystem.file_path - Filesystem.file_name - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml
index fd941db74c..f1b24d718d 100644
--- a/detections/endpoint/firewall_allowed_program_enable.yml
+++ b/detections/endpoint/firewall_allowed_program_enable.yml
@@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/first_time_seen_child_process_of_zoom.yml b/detections/endpoint/first_time_seen_child_process_of_zoom.yml
index 75ddc76ae6..3a449c537c 100644
--- a/detections/endpoint/first_time_seen_child_process_of_zoom.yml
+++ b/detections/endpoint/first_time_seen_child_process_of_zoom.yml
@@ -76,5 +76,4 @@ tags: - Processes.parent_process_name - Processes.process_id - Processes.dest - risk_score: 64 security_domain: endpoint
diff --git a/detections/endpoint/first_time_seen_running_windows_service.yml b/detections/endpoint/first_time_seen_running_windows_service.yml
index 99367df419..16c0b60629 100644
--- a/detections/endpoint/first_time_seen_running_windows_service.yml
+++ b/detections/endpoint/first_time_seen_running_windows_service.yml
@@ -58,5 +58,4 @@ tags: - EventCode - Message - dest - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml
index 036d21325a..eae0a852c0 100644
--- a/detections/endpoint/fodhelper_uac_bypass.yml
+++ b/detections/endpoint/fodhelper_uac_bypass.yml
@@ -78,7 +78,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/fsutil_zeroing_file.yml b/detections/endpoint/fsutil_zeroing_file.yml
index 2258c46943..f373657bdd 100644
--- a/detections/endpoint/fsutil_zeroing_file.yml
+++ b/detections/endpoint/fsutil_zeroing_file.yml
@@ -63,7 +63,6 @@ tags: - Processes.dest - Processes.process - Processes.parent_process - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml
index d349cb5654..0db389e6ba 100644
--- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml
+++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml
@@ -74,7 +74,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml
index 8933daddbf..fe843973dd 100644
--- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml
+++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml
@@ -56,7 +56,6 @@ tags: - Message - ComputerName - User - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_aduser_with_powershell.yml b/detections/endpoint/get_aduser_with_powershell.yml
index 4b3d94f474..7a604d378a 100644
--- a/detections/endpoint/get_aduser_with_powershell.yml
+++ b/detections/endpoint/get_aduser_with_powershell.yml
@@ -76,7 +76,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_aduser_with_powershell_script_block.yml b/detections/endpoint/get_aduser_with_powershell_script_block.yml
index 20c59c72ef..3520b397e5 100644
--- a/detections/endpoint/get_aduser_with_powershell_script_block.yml
+++ b/detections/endpoint/get_aduser_with_powershell_script_block.yml
@@ -58,7 +58,6 @@ tags: - Message - ComputerName - User - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml
index 32f37856d5..227e8993bf 100644
--- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml
+++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml
@@ -75,7 +75,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml
index 0b54225dd0..fb30d5b39a 100644
--- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml
+++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml
@@ -58,7 +58,6 @@ tags: - Computer - UserID - EventCode - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_domainpolicy_with_powershell.yml b/detections/endpoint/get_domainpolicy_with_powershell.yml
index 7a2e87b802..879d9d736c 100644
--- a/detections/endpoint/get_domainpolicy_with_powershell.yml
+++ b/detections/endpoint/get_domainpolicy_with_powershell.yml
@@ -74,7 +74,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
index 59b8d1e7b7..91c49df767 100644
--- a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
+++ b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
@@ -57,7 +57,6 @@ tags: - Computer - UserID - EventCode - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_domaintrust_with_powershell.yml b/detections/endpoint/get_domaintrust_with_powershell.yml
index bda69be0e0..1374b1a593 100644
--- a/detections/endpoint/get_domaintrust_with_powershell.yml
+++ b/detections/endpoint/get_domaintrust_with_powershell.yml
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml
index 1e54882d05..19efd5f5fc 100644
--- a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml
+++ b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml
@@ -60,7 +60,6 @@ tags: - Computer - UserID - EventCode - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_domainuser_with_powershell.yml b/detections/endpoint/get_domainuser_with_powershell.yml
index da73ac277b..896d36fd24 100644
--- a/detections/endpoint/get_domainuser_with_powershell.yml
+++ b/detections/endpoint/get_domainuser_with_powershell.yml
@@ -75,7 +75,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_domainuser_with_powershell_script_block.yml b/detections/endpoint/get_domainuser_with_powershell_script_block.yml
index e05a37c3ba..8d3989f594 100644
--- a/detections/endpoint/get_domainuser_with_powershell_script_block.yml
+++ b/detections/endpoint/get_domainuser_with_powershell_script_block.yml
@@ -56,7 +56,6 @@ tags: - Message - ComputerName - User - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_foresttrust_with_powershell.yml b/detections/endpoint/get_foresttrust_with_powershell.yml
index 0bd85b5a93..d79e0a5bef 100644
--- a/detections/endpoint/get_foresttrust_with_powershell.yml
+++ b/detections/endpoint/get_foresttrust_with_powershell.yml
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml
index 553b45eccc..920d5b13a9 100644
--- a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml
+++ b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml
@@ -58,7 +58,6 @@ tags: - Opcode - Computer - UserID - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_wmiobject_group_discovery.yml b/detections/endpoint/get_wmiobject_group_discovery.yml
index 2e98a4c861..c22c9e0559 100644
--- a/detections/endpoint/get_wmiobject_group_discovery.yml
+++ b/detections/endpoint/get_wmiobject_group_discovery.yml
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml
index 7d41986854..586a379ada 100644
--- a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml
+++ b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml
@@ -58,7 +58,6 @@ tags: - Message - ComputerName - User - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/getadcomputer_with_powershell.yml b/detections/endpoint/getadcomputer_with_powershell.yml
index abc814c1b9..22e76f5e12 100644
--- a/detections/endpoint/getadcomputer_with_powershell.yml
+++ b/detections/endpoint/getadcomputer_with_powershell.yml
@@ -65,7 +65,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/getadcomputer_with_powershell_script_block.yml b/detections/endpoint/getadcomputer_with_powershell_script_block.yml
index 42af01c411..3a23d64c01 100644
--- a/detections/endpoint/getadcomputer_with_powershell_script_block.yml
+++ b/detections/endpoint/getadcomputer_with_powershell_script_block.yml
@@ -53,7 +53,6 @@ tags: - Computer - UserID - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/getadgroup_with_powershell.yml b/detections/endpoint/getadgroup_with_powershell.yml
index 78cbf49c22..6f079b4ab8 100644
--- a/detections/endpoint/getadgroup_with_powershell.yml
+++ b/detections/endpoint/getadgroup_with_powershell.yml
@@ -67,7 +67,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/getadgroup_with_powershell_script_block.yml b/detections/endpoint/getadgroup_with_powershell_script_block.yml
index efa6aa9cd5..e2af4a8a0d 100644
--- a/detections/endpoint/getadgroup_with_powershell_script_block.yml
+++ b/detections/endpoint/getadgroup_with_powershell_script_block.yml
@@ -51,7 +51,6 @@ tags:
- Message
- Computer
- UserID
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getcurrent_user_with_powershell.yml b/detections/endpoint/getcurrent_user_with_powershell.yml
index 063bf16ec7..1c3fbf0b8a 100644
--- a/detections/endpoint/getcurrent_user_with_powershell.yml
+++ b/detections/endpoint/getcurrent_user_with_powershell.yml
@@ -66,7 +66,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml
index acd52a9f63..d984b70e07 100644
--- a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml
+++ b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml
@@ -54,7 +54,6 @@ tags:
- ComputerName
- User
- EventCode
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getdomaincomputer_with_powershell.yml b/detections/endpoint/getdomaincomputer_with_powershell.yml
index 20beca8a43..424668eded 100644
--- a/detections/endpoint/getdomaincomputer_with_powershell.yml
+++ b/detections/endpoint/getdomaincomputer_with_powershell.yml
@@ -65,7 +65,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 24
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml
index 592155e6e4..87be9d00bc 100644
--- a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml
+++ b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml
@@ -51,7 +51,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 24
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getdomaincontroller_with_powershell.yml b/detections/endpoint/getdomaincontroller_with_powershell.yml
index a2b4dab869..70c61a97c3 100644
--- a/detections/endpoint/getdomaincontroller_with_powershell.yml
+++ b/detections/endpoint/getdomaincontroller_with_powershell.yml
@@ -66,7 +66,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 24
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml
index 47f1e5591c..801a115ff9 100644
--- a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml
+++ b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml
@@ -51,7 +51,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 24
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getdomaingroup_with_powershell.yml b/detections/endpoint/getdomaingroup_with_powershell.yml
index 0c8f9512fd..86d0fc51a6 100644
--- a/detections/endpoint/getdomaingroup_with_powershell.yml
+++ b/detections/endpoint/getdomaingroup_with_powershell.yml
@@ -68,7 +68,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml
index d8c35b4d1d..b5e3a15cb8 100644
--- a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml
+++ b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml
@@ -52,7 +52,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getlocaluser_with_powershell.yml b/detections/endpoint/getlocaluser_with_powershell.yml
index c68191a45e..53ef05a08d 100644
--- a/detections/endpoint/getlocaluser_with_powershell.yml
+++ b/detections/endpoint/getlocaluser_with_powershell.yml
@@ -57,7 +57,6 @@ tags:
- Splunk Cloud
required_fields:
- _time
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getlocaluser_with_powershell_script_block.yml b/detections/endpoint/getlocaluser_with_powershell_script_block.yml
index 68d2f1f35c..d394df3909 100644
--- a/detections/endpoint/getlocaluser_with_powershell_script_block.yml
+++ b/detections/endpoint/getlocaluser_with_powershell_script_block.yml
@@ -54,7 +54,6 @@ tags:
- ScriptBlockText
- Computer
- UserID
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getnettcpconnection_with_powershell.yml b/detections/endpoint/getnettcpconnection_with_powershell.yml
index 3eb51f64e7..539bad3098 100644
--- a/detections/endpoint/getnettcpconnection_with_powershell.yml
+++ b/detections/endpoint/getnettcpconnection_with_powershell.yml
@@ -66,7 +66,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml b/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml
index 1c27f7acfd..1e24f393f1 100644
--- a/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml
+++ b/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml
@@ -51,7 +51,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml
index 296d8e1db3..5e4509412b 100644
--- a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml
@@ -67,7 +67,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 21
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml
index 831c8bacc4..bb50364351 100644
--- a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml
+++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml
@@ -51,7 +51,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml
index bc8d730680..5ab73fc84f 100644
--- a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml
@@ -68,7 +68,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml
index 534309df72..60b2177e0d 100644
--- a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml
+++ b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml
@@ -53,7 +53,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml
index d2cde911cf..a662deeb37 100644
--- a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml
@@ -74,7 +74,6 @@ tags:
- Processes.process_id
- Processes.parent_process_id
- Processes.parent_process_name
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml
index fbecd4cc1c..c42a06a561 100644
--- a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml
+++ b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml
@@ -58,7 +58,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell.yml b/detections/endpoint/getwmiobject_user_account_with_powershell.yml
index a9d593662c..9fdaf6eece 100644
--- a/detections/endpoint/getwmiobject_user_account_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_user_account_with_powershell.yml
@@ -58,7 +58,6 @@ tags:
- Splunk Cloud
required_fields:
- _time
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml
index f2d0eeb8bd..c5c771af09 100644
--- a/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml
+++ b/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml
@@ -53,7 +53,6 @@ tags:
- ScriptBlockText
- Computer
- UserID
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
index 76ce24e0be..40a8f56d1c 100644
--- a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
@@ -83,7 +83,6 @@ tags:
- parent_process_name
- dest_port
- process_path
- risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
index 0ffc7a1d57..c825401771 100644
--- a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
+++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
@@ -58,7 +58,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 56
required_fields:
- Processes.dest
- Processes.user
diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml
index bf3b7080c1..f2b250f090 100644
--- a/detections/endpoint/headless_browser_usage.yml
+++ b/detections/endpoint/headless_browser_usage.yml
@@ -56,7 +56,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 15
required_fields:
- Processes.dest
- Processes.user
diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml
index d5316561c5..5b21945ff0 100644
--- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml
+++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml
@@ -70,7 +70,6 @@ tags:
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml
index 7602cac895..5178c72106 100644
--- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml
+++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml
@@ -66,7 +66,6 @@ tags:
- Processes.parent_process
- Processes.user
- Processes.dest
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml
index 0918d8df50..88586fee46 100644
--- a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml
+++ b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml
@@ -64,7 +64,6 @@ tags:
- user
- src_port
- Source_Address
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/windows-xml.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/high_process_termination_frequency.yml b/detections/endpoint/high_process_termination_frequency.yml
index b70fe60b7e..c943b5c52e 100644
--- a/detections/endpoint/high_process_termination_frequency.yml
+++ b/detections/endpoint/high_process_termination_frequency.yml
@@ -58,7 +58,6 @@ tags:
- dest
- _time
- ProcessID
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/hunting_3cxdesktopapp_software.yml b/detections/endpoint/hunting_3cxdesktopapp_software.yml
index d9914ac6c4..dca599a96f 100644
--- a/detections/endpoint/hunting_3cxdesktopapp_software.yml
+++ b/detections/endpoint/hunting_3cxdesktopapp_software.yml
@@ -77,7 +77,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 40
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml
index a6158bdba3..7159997255 100644
--- a/detections/endpoint/icacls_deny_command.yml
+++ b/detections/endpoint/icacls_deny_command.yml
@@ -69,7 +69,6 @@ tags:
- Processes.user
- Processes.process_id
- Processes.process
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml
index 82e167f054..f66227fa28 100644
--- a/detections/endpoint/icacls_grant_command.yml
+++ b/detections/endpoint/icacls_grant_command.yml
@@ -67,7 +67,6 @@ tags:
- Processes.user
- Processes.process_id
- Processes.process
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml
index 6998dd405f..47f0c8d49a 100644
--- a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml
+++ b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml
@@ -58,7 +58,6 @@ tags:
- process_id
- process_name
- dest
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
index c968848ce4..2cdf1c132d 100644
--- a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
+++ b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
@@ -90,7 +90,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml
index efcc0dd700..108681a495 100644
--- a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml
+++ b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml
@@ -86,7 +86,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
index 74c957958b..795803b526 100644
--- a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
+++ b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
@@ -86,7 +86,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml
index ef6c6e6352..db8701c5e4 100644
--- a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml
+++ b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml
@@ -54,7 +54,6 @@ tags:
- Message
- ComputerName
- User
- risk_score: 45
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/java_class_file_download_by_java_user_agent.yml b/detections/endpoint/java_class_file_download_by_java_user_agent.yml
index 77213e3c78..198d6c8c8e 100644
--- a/detections/endpoint/java_class_file_download_by_java_user_agent.yml
+++ b/detections/endpoint/java_class_file_download_by_java_user_agent.yml
@@ -62,7 +62,6 @@ tags:
- Web.src
- Web.dest
- Web.http_user_agent
- risk_score: 40
security_domain: network
tests:
- name: True Positive Test
diff --git a/detections/endpoint/java_writing_jsp_file.yml b/detections/endpoint/java_writing_jsp_file.yml
index d52ac5996c..1f63a208a2 100644
--- a/detections/endpoint/java_writing_jsp_file.yml
+++ b/detections/endpoint/java_writing_jsp_file.yml
@@ -83,7 +83,6 @@ tags:
- Filesystem.file_path
- Filesystem.process_guid
- Filesystem.user
- risk_score: 42
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/jscript_execution_using_cscript_app.yml b/detections/endpoint/jscript_execution_using_cscript_app.yml
index 4e6cb61b70..1c3d8358bd 100644
--- a/detections/endpoint/jscript_execution_using_cscript_app.yml
+++ b/detections/endpoint/jscript_execution_using_cscript_app.yml
@@ -70,7 +70,6 @@ tags:
- Processes.process
- Processes.dest
- Processes.user
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
index 206a89180c..6b8def8701 100644
--- a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
+++ b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
@@ -58,7 +58,6 @@ tags:
- Computer
- service
- service_id
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
index 7b99ce810a..c0f526a668 100644
--- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
+++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
@@ -52,7 +52,6 @@ tags:
- Account_Name
- Security_ID
- MSADChangedAttributes
- risk_score: 45
security_domain: endpoint
tests:
- name: True Positive Test
@@ -61,4 +60,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log
source: WinEventLog:Security
sourcetype: WinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml
index 22119be938..355d61f0e3 100644
--- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml
+++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml
@@ -54,7 +54,6 @@ tags:
- ScriptBlockText
- Computer
- user_id
- risk_score: 45
security_domain: endpoint
tests:
- name: True Positive Test
@@ -63,4 +62,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-powershell-xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
index f361a4b6fc..5b9b4f6d99 100644
--- a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
+++ b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
@@ -63,7 +63,6 @@ tags:
- dest
- service
- service_id
- risk_score: 45
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml
index 31815fd33b..5a307f2d5b 100644
--- a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml
+++ b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml
@@ -52,7 +52,6 @@ tags:
- EventCode
- TicketEncryptionType
- ServiceName
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/kerberos_user_enumeration.yml b/detections/endpoint/kerberos_user_enumeration.yml
index 9fd94aa879..c9a571ecd1 100644
--- a/detections/endpoint/kerberos_user_enumeration.yml
+++ b/detections/endpoint/kerberos_user_enumeration.yml
@@ -54,7 +54,6 @@ tags:
- Result_Code
- Account_Name
- Client_Address
- risk_score: 24
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/known_services_killed_by_ransomware.yml b/detections/endpoint/known_services_killed_by_ransomware.yml
index 0a0cb065f2..81af234d7f 100644
--- a/detections/endpoint/known_services_killed_by_ransomware.yml
+++ b/detections/endpoint/known_services_killed_by_ransomware.yml
@@ -63,7 +63,6 @@ tags:
- Message
- dest
- Type
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml
index 0f3add9bba..4ba4891c31 100644
--- a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml
+++ b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml
@@ -57,7 +57,6 @@ tags:
- Filesystem.process_guid
- Filesystem.file_path
- Filesystem.action
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml
index 606c573d9a..6417011fd2 100644
--- a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml
+++ b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml
@@ -57,7 +57,6 @@ tags:
- Filesystem.file_name
- Filesystem.process_guid
- Filesystem.file_path
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_add_user_account.yml b/detections/endpoint/linux_add_user_account.yml
index dd614a81d2..6038c30794 100644
--- a/detections/endpoint/linux_add_user_account.yml
+++ b/detections/endpoint/linux_add_user_account.yml
@@ -62,7 +62,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml
index 2350c26f3d..8630bb08ee 100644
--- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml
+++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml
@@ -69,7 +69,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml
index 3f64e0e5be..2d0db47628 100644
--- a/detections/endpoint/linux_apt_get_privilege_escalation.yml
+++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml
@@ -73,7 +73,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 10
security_domain: endpoint
tests:
- name: True Positive Test
@@ -82,4 +81,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_apt_privilege_escalation.yml b/detections/endpoint/linux_apt_privilege_escalation.yml
index 388b86e419..0e87ee51cc 100644
--- a/detections/endpoint/linux_apt_privilege_escalation.yml
+++ b/detections/endpoint/linux_apt_privilege_escalation.yml
@@ -73,7 +73,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 10
security_domain: endpoint
tests:
- name: True Positive Test
@@ -82,4 +81,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_at_allow_config_file_creation.yml b/detections/endpoint/linux_at_allow_config_file_creation.yml
index 25996012bd..e95a619b89 100644
--- a/detections/endpoint/linux_at_allow_config_file_creation.yml
+++ b/detections/endpoint/linux_at_allow_config_file_creation.yml
@@ -57,7 +57,6 @@ tags:
- Filesystem.file_name
- Filesystem.process_guid
- Filesystem.file_path
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml
index 05649e4cff..4a3a5ad183 100644
--- a/detections/endpoint/linux_at_application_execution.yml
+++ b/detections/endpoint/linux_at_application_execution.yml
@@ -67,7 +67,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_awk_privilege_escalation.yml b/detections/endpoint/linux_awk_privilege_escalation.yml
index a7fea37ec7..0546bcfcf5 100644
--- a/detections/endpoint/linux_awk_privilege_escalation.yml
+++ b/detections/endpoint/linux_awk_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 30
security_domain: endpoint
tests:
- name: True Positive Test
@@ -81,4 +80,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/awk/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_busybox_privilege_escalation.yml b/detections/endpoint/linux_busybox_privilege_escalation.yml
index b32e411a9b..2c36585c07 100644
--- a/detections/endpoint/linux_busybox_privilege_escalation.yml
+++ b/detections/endpoint/linux_busybox_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 10
security_domain: endpoint
tests:
- name: True Positive Test
@@ -81,4 +80,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/busybox/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_c89_privilege_escalation.yml b/detections/endpoint/linux_c89_privilege_escalation.yml
index 912bcac714..c65b420533 100644
--- a/detections/endpoint/linux_c89_privilege_escalation.yml
+++ b/detections/endpoint/linux_c89_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 30
security_domain: endpoint
tests:
- name: True Positive Test
@@ -81,4 +80,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c89/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_c99_privilege_escalation.yml b/detections/endpoint/linux_c99_privilege_escalation.yml
index a13ecbdf76..67afff3706 100644
--- a/detections/endpoint/linux_c99_privilege_escalation.yml
+++ b/detections/endpoint/linux_c99_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 30
security_domain: endpoint
tests:
- name: True Positive Test
@@ -81,4 +80,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c99/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_change_file_owner_to_root.yml b/detections/endpoint/linux_change_file_owner_to_root.yml
index ac42f0748a..0e792c8330 100644
--- a/detections/endpoint/linux_change_file_owner_to_root.yml
+++ b/detections/endpoint/linux_change_file_owner_to_root.yml
@@ -64,7 +64,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_clipboard_data_copy.yml b/detections/endpoint/linux_clipboard_data_copy.yml
index 4281335323..32ea593e37 100644
--- a/detections/endpoint/linux_clipboard_data_copy.yml
+++ b/detections/endpoint/linux_clipboard_data_copy.yml
@@ -74,7 +74,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 16
security_domain: endpoint
tests:
- name: True Positive Test
@@ -83,4 +82,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/atomic_red_team/linux-sysmon.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_common_process_for_elevation_control.yml b/detections/endpoint/linux_common_process_for_elevation_control.yml
index f36c6826fd..531e783958 100644
--- a/detections/endpoint/linux_common_process_for_elevation_control.yml
+++ b/detections/endpoint/linux_common_process_for_elevation_control.yml
@@ -72,7 +72,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_composer_privilege_escalation.yml b/detections/endpoint/linux_composer_privilege_escalation.yml
index 4860e1f884..9af7fcc75a 100644
--- a/detections/endpoint/linux_composer_privilege_escalation.yml
+++ b/detections/endpoint/linux_composer_privilege_escalation.yml
@@ -73,7 +73,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 10
security_domain: endpoint
tests:
- name: True Positive Test
@@ -82,4 +81,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/composer/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_cpulimit_privilege_escalation.yml b/detections/endpoint/linux_cpulimit_privilege_escalation.yml
index 2b3e30b903..6d691b63ca 100644
--- a/detections/endpoint/linux_cpulimit_privilege_escalation.yml
+++ b/detections/endpoint/linux_cpulimit_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 20
security_domain: endpoint
tests:
- name: True Positive Test
@@ -81,4 +80,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_csvtool_privilege_escalation.yml b/detections/endpoint/linux_csvtool_privilege_escalation.yml
index d64d789396..1ebf3c6c97 100644
--- a/detections/endpoint/linux_csvtool_privilege_escalation.yml
+++ b/detections/endpoint/linux_csvtool_privilege_escalation.yml
@@ -71,7 +71,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 10
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -80,4 +79,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/csvtool/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml
index 108708e413..cfebfc31fd 100644
--- a/detections/endpoint/linux_curl_upload_file.yml
+++ b/detections/endpoint/linux_curl_upload_file.yml
@@ -81,7 +81,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -90,4 +89,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_data_destruction_command.yml b/detections/endpoint/linux_data_destruction_command.yml
index 7716d9c8e6..a9141b0705 100644
--- a/detections/endpoint/linux_data_destruction_command.yml
+++ b/detections/endpoint/linux_data_destruction_command.yml
@@ -67,7 +67,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 90
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -76,4 +75,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_dd_file_overwrite.yml b/detections/endpoint/linux_dd_file_overwrite.yml
index a948daa321..ed18331ba8 100644
--- a/detections/endpoint/linux_dd_file_overwrite.yml
+++ b/detections/endpoint/linux_dd_file_overwrite.yml
@@ -62,7 +62,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml
index 6a9f2be9a7..566b635707 100644
--- a/detections/endpoint/linux_decode_base64_to_shell.yml
+++ b/detections/endpoint/linux_decode_base64_to_shell.yml
@@ -75,7 +75,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -83,4 +82,3 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml
index 5ed033e710..1ffa8abf5d 100644
--- a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml
+++ b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml
@@ -66,7 +66,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_deletion_of_cron_jobs.yml b/detections/endpoint/linux_deletion_of_cron_jobs.yml
index 1c601fcce1..c2fbe0ed1b 100644
--- a/detections/endpoint/linux_deletion_of_cron_jobs.yml
+++ b/detections/endpoint/linux_deletion_of_cron_jobs.yml
@@ -61,7 +61,6 @@ tags:
 - Filesystem.process_guid
 - Filesystem.file_path
 - Filesystem.action
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_deletion_of_init_daemon_script.yml b/detections/endpoint/linux_deletion_of_init_daemon_script.yml
index 5e8ebdc99b..7edd97cbc3 100644
--- a/detections/endpoint/linux_deletion_of_init_daemon_script.yml
+++ b/detections/endpoint/linux_deletion_of_init_daemon_script.yml
@@ -61,7 +61,6 @@ tags:
 - Filesystem.process_guid
 - Filesystem.file_path
 - Filesystem.action
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_deletion_of_services.yml b/detections/endpoint/linux_deletion_of_services.yml
index 3d34d9e14e..bd9261ad9e 100644
--- a/detections/endpoint/linux_deletion_of_services.yml
+++ b/detections/endpoint/linux_deletion_of_services.yml
@@ -66,7 +66,6 @@ tags:
 - Filesystem.process_guid
 - Filesystem.file_path
 - Filesystem.action
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_deletion_of_ssl_certificate.yml b/detections/endpoint/linux_deletion_of_ssl_certificate.yml
index d8b3954336..0b7523bc43 100644
--- a/detections/endpoint/linux_deletion_of_ssl_certificate.yml
+++ b/detections/endpoint/linux_deletion_of_ssl_certificate.yml
@@ -62,7 +62,6 @@ tags:
 - Filesystem.process_guid
 - Filesystem.file_path
 - Filesystem.action
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_disable_services.yml b/detections/endpoint/linux_disable_services.yml
index 9c16ea6bf1..bbfebd6f34 100644
--- a/detections/endpoint/linux_disable_services.yml
+++ b/detections/endpoint/linux_disable_services.yml
@@ -65,7 +65,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_doas_conf_file_creation.yml b/detections/endpoint/linux_doas_conf_file_creation.yml
index b17c9253c8..ab34597608 100644
--- a/detections/endpoint/linux_doas_conf_file_creation.yml
+++ b/detections/endpoint/linux_doas_conf_file_creation.yml
@@ -55,7 +55,6 @@ tags:
 - Filesystem.file_name
 - Filesystem.process_guid
 - Filesystem.file_path
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_doas_tool_execution.yml b/detections/endpoint/linux_doas_tool_execution.yml
index 7b3ac542c7..eb0ae981df 100644
--- a/detections/endpoint/linux_doas_tool_execution.yml
+++ b/detections/endpoint/linux_doas_tool_execution.yml
@@ -63,7 +63,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_docker_privilege_escalation.yml b/detections/endpoint/linux_docker_privilege_escalation.yml
index e0ff97e473..1d2d9fcd2c 100644
--- a/detections/endpoint/linux_docker_privilege_escalation.yml
+++ b/detections/endpoint/linux_docker_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 5
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -81,4 +80,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_edit_cron_table_parameter.yml b/detections/endpoint/linux_edit_cron_table_parameter.yml
index fd1845cafb..4e4b88989a 100644
--- a/detections/endpoint/linux_edit_cron_table_parameter.yml
+++ b/detections/endpoint/linux_edit_cron_table_parameter.yml
@@ -64,7 +64,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_emacs_privilege_escalation.yml b/detections/endpoint/linux_emacs_privilege_escalation.yml
index 80663bbd03..70a78fcd1f 100644
--- a/detections/endpoint/linux_emacs_privilege_escalation.yml
+++ b/detections/endpoint/linux_emacs_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 20
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -81,4 +80,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/emacs/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml
index a1abd5c193..d003c3b852 100644
--- a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml
+++ b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml
@@ -55,7 +55,6 @@ tags:
 - Filesystem.file_name
 - Filesystem.process_guid
 - Filesystem.file_path
- risk_score: 72
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
index 4f2897be3f..21da802f92 100644
--- a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
+++ b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
@@ -53,7 +53,6 @@ tags:
 - Filesystem.file_name
 - Filesystem.process_guid
 - Filesystem.file_path
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_file_creation_in_profile_directory.yml b/detections/endpoint/linux_file_creation_in_profile_directory.yml
index 3a9a11e994..47239fe3b1 100644
--- a/detections/endpoint/linux_file_creation_in_profile_directory.yml
+++ b/detections/endpoint/linux_file_creation_in_profile_directory.yml
@@ -55,7 +55,6 @@ tags:
 - Filesystem.file_name
 - Filesystem.process_guid
 - Filesystem.file_path
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_find_privilege_escalation.yml b/detections/endpoint/linux_find_privilege_escalation.yml
index 337e22a5a1..8a0da33bed 100644
--- a/detections/endpoint/linux_find_privilege_escalation.yml
+++ b/detections/endpoint/linux_find_privilege_escalation.yml
@@ -73,7 +73,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 5
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -82,4 +81,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/find/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_gdb_privilege_escalation.yml b/detections/endpoint/linux_gdb_privilege_escalation.yml
index a4d996349f..4c5bccf2da 100644
--- a/detections/endpoint/linux_gdb_privilege_escalation.yml
+++ b/detections/endpoint/linux_gdb_privilege_escalation.yml
@@ -71,7 +71,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 10
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -80,4 +79,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gdb/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_gem_privilege_escalation.yml b/detections/endpoint/linux_gem_privilege_escalation.yml
index 8b642f2b9a..219db73f48 100644
--- a/detections/endpoint/linux_gem_privilege_escalation.yml
+++ b/detections/endpoint/linux_gem_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 10
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -81,4 +80,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gem/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
index 739707132d..6c9b6c8e29 100644
--- a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
+++ b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
@@ -71,7 +71,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 30
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -80,4 +79,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gawk/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_hardware_addition_swapoff.yml b/detections/endpoint/linux_hardware_addition_swapoff.yml
index 25501520b6..1092c9ca1e 100644
--- a/detections/endpoint/linux_hardware_addition_swapoff.yml
+++ b/detections/endpoint/linux_hardware_addition_swapoff.yml
@@ -65,7 +65,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 36
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -74,4 +73,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
index af5360497c..7289d8c493 100644
--- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
+++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
@@ -60,7 +60,6 @@ tags:
 - Filesystem.process_guid
 - Filesystem.file_path
 - Filesystem.action
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
index 5ee59ba96b..6bec314b46 100644
--- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
+++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
@@ -58,7 +58,6 @@ tags:
 - Filesystem.process_guid
 - Filesystem.file_path
 - Filesystem.action
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_impair_defenses_process_kill.yml b/detections/endpoint/linux_impair_defenses_process_kill.yml
index 2780fcd8c0..e13c94a18a 100644
--- a/detections/endpoint/linux_impair_defenses_process_kill.yml
+++ b/detections/endpoint/linux_impair_defenses_process_kill.yml
@@ -69,7 +69,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -78,4 +77,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_indicator_removal_clear_cache.yml b/detections/endpoint/linux_indicator_removal_clear_cache.yml
index 11e72cdef5..c9cd899de6 100644
--- a/detections/endpoint/linux_indicator_removal_clear_cache.yml
+++ b/detections/endpoint/linux_indicator_removal_clear_cache.yml
@@ -67,7 +67,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -76,4 +75,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test3/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
index bfe37dea46..6054b55ce8 100644
--- a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
+++ b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
@@ -69,7 +69,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 36
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -78,4 +77,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
index 207c64c6cd..e1939693ab 100644
--- a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
+++ b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
@@ -78,7 +78,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 1
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -87,4 +86,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
index c0c2a18a16..2c53ac308d 100644
--- a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
+++ b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
@@ -77,7 +77,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 12
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -86,4 +85,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
index 41d35b04ca..eb66625214 100644
--- a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
+++ b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
@@ -66,7 +66,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
index 9049b9a000..e4acdaa4e9 100644
--- a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
+++ b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
@@ -66,7 +66,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml
index 1102f93ee4..097b8bc8be 100644
--- a/detections/endpoint/linux_iptables_firewall_modification.yml
+++ b/detections/endpoint/linux_iptables_firewall_modification.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_java_spawning_shell.yml b/detections/endpoint/linux_java_spawning_shell.yml
index 991d68fae9..37a52e99a6 100644
--- a/detections/endpoint/linux_java_spawning_shell.yml
+++ b/detections/endpoint/linux_java_spawning_shell.yml
@@ -81,7 +81,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_kernel_module_enumeration.yml b/detections/endpoint/linux_kernel_module_enumeration.yml
index 9716b729ca..59f29732a3 100644
--- a/detections/endpoint/linux_kernel_module_enumeration.yml
+++ b/detections/endpoint/linux_kernel_module_enumeration.yml
@@ -78,7 +78,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 15
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -87,4 +86,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/linux-sysmon.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml
index c0e73c5ec4..1e2466aafd 100644
--- a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml
+++ b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml
@@ -67,7 +67,6 @@ tags:
 - Processes.parent_process_id
 - Processes.parent_process_path
 - Processes.process_path
- risk_score: 36
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_make_privilege_escalation.yml b/detections/endpoint/linux_make_privilege_escalation.yml
index 45512b41a9..20595de531 100644
--- a/detections/endpoint/linux_make_privilege_escalation.yml
+++ b/detections/endpoint/linux_make_privilege_escalation.yml
@@ -71,7 +71,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 20
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -80,4 +79,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/make/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_mysql_privilege_escalation.yml b/detections/endpoint/linux_mysql_privilege_escalation.yml
index 5d3a2ddc22..aec9788466 100644
--- a/detections/endpoint/linux_mysql_privilege_escalation.yml
+++ b/detections/endpoint/linux_mysql_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 30
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -81,4 +80,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/mysql/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
index 0f435fca52..5b484b4c7e 100644
--- a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
@@ -81,7 +81,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 50
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -90,4 +89,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/ngrok_linux-sysmon.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_node_privilege_escalation.yml b/detections/endpoint/linux_node_privilege_escalation.yml
index 6b7f465551..310667893f 100644
--- a/detections/endpoint/linux_node_privilege_escalation.yml
+++ b/detections/endpoint/linux_node_privilege_escalation.yml
@@ -74,7 +74,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -83,4 +82,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/node/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
index 0eb96a8627..1265d9ed4b 100644
--- a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
@@ -64,7 +64,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
index a5757d1f28..f3c8441fc6 100644
--- a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
+++ b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
@@ -77,7 +77,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 15
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -85,4 +84,3 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_octave_privilege_escalation.yml b/detections/endpoint/linux_octave_privilege_escalation.yml
index 91976f6e5f..8002a26fac 100644
--- a/detections/endpoint/linux_octave_privilege_escalation.yml
+++ b/detections/endpoint/linux_octave_privilege_escalation.yml
@@ -73,7 +73,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 20
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -82,4 +81,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/octave/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_openvpn_privilege_escalation.yml b/detections/endpoint/linux_openvpn_privilege_escalation.yml
index cf1aadc893..8f3baecaf9 100644
--- a/detections/endpoint/linux_openvpn_privilege_escalation.yml
+++ b/detections/endpoint/linux_openvpn_privilege_escalation.yml
@@ -73,7 +73,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 30
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -82,4 +81,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/openvpn/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
index c9db51e233..60608b4e6f 100644
--- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
+++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
@@ -64,7 +64,6 @@ tags:
 - All_Risk.risk_object
 - All_Risk.annotations.mitre_attack.mitre_tactic
 - source
- risk_score: 56
 security_domain: audit
 tests:
 - name: True Positive Test
@@ -73,4 +72,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/linux_risk/linuxrisk.log
 source: linuxrisk
 sourcetype: stash
- update_timestamp: true
diff --git a/detections/endpoint/linux_php_privilege_escalation.yml b/detections/endpoint/linux_php_privilege_escalation.yml
index 3b41c80d4c..e468687d1b 100644
--- a/detections/endpoint/linux_php_privilege_escalation.yml
+++ b/detections/endpoint/linux_php_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 30
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -81,4 +80,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/php/sysmon_linux.log
 source: Syslog:Linux-Sysmon/Operational
 sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_pkexec_privilege_escalation.yml b/detections/endpoint/linux_pkexec_privilege_escalation.yml
index 118b7f8937..800c78499f 100644
--- a/detections/endpoint/linux_pkexec_privilege_escalation.yml
+++ b/detections/endpoint/linux_pkexec_privilege_escalation.yml
@@ -83,7 +83,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml
index 1795a873f8..3fd189ceb9 100644
--- a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml
+++ b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml
@@ -65,7 +65,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_possible_access_to_credential_files.yml b/detections/endpoint/linux_possible_access_to_credential_files.yml
index 81a283e83d..24bce0b0e6 100644
--- a/detections/endpoint/linux_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_possible_access_to_credential_files.yml
@@ -63,7 +63,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_possible_access_to_sudoers_file.yml
index 814f5dfe46..226c60bade 100644
--- a/detections/endpoint/linux_possible_access_to_sudoers_file.yml
+++ b/detections/endpoint/linux_possible_access_to_sudoers_file.yml
@@ -63,7 +63,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml
index 009ff74a40..b6925f2c2b 100644
--- a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml
+++ b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml
@@ -65,7 +65,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml
index f907aa375e..ae3bbaf2de 100644
--- a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml
+++ b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml
@@ -65,7 +65,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml
index a221d86e38..cb9d4928a0 100644
--- a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml
+++ b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml
@@ -68,7 +68,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml
index 7ad33cf314..772f7002ff 100644
--- a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml
+++ b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml
@@ -65,7 +65,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 6
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_possible_ssh_key_file_creation.yml b/detections/endpoint/linux_possible_ssh_key_file_creation.yml
index 9b2bd11807..6f11234d95 100644
--- a/detections/endpoint/linux_possible_ssh_key_file_creation.yml
+++ b/detections/endpoint/linux_possible_ssh_key_file_creation.yml
@@ -55,7 +55,6 @@ tags:
- Filesystem.file_name
- Filesystem.process_guid
- Filesystem.file_path
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_preload_hijack_library_calls.yml b/detections/endpoint/linux_preload_hijack_library_calls.yml
index d9e8cd45eb..8706ef3570 100644
--- a/detections/endpoint/linux_preload_hijack_library_calls.yml
+++ b/detections/endpoint/linux_preload_hijack_library_calls.yml
@@ -63,7 +63,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_proxy_socks_curl.yml b/detections/endpoint/linux_proxy_socks_curl.yml
index 00d9d54891..896c19f267 100644
--- a/detections/endpoint/linux_proxy_socks_curl.yml
+++ b/detections/endpoint/linux_proxy_socks_curl.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
@@ -91,4 +90,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_puppet_privilege_escalation.yml b/detections/endpoint/linux_puppet_privilege_escalation.yml
index fc160989a9..f6d5e42885 100644
--- a/detections/endpoint/linux_puppet_privilege_escalation.yml
+++ b/detections/endpoint/linux_puppet_privilege_escalation.yml
@@ -73,7 +73,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 5
security_domain: endpoint
tests:
- name: True Positive Test
@@ -82,4 +81,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/puppet/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_rpm_privilege_escalation.yml b/detections/endpoint/linux_rpm_privilege_escalation.yml
index 69c6e106e7..0d5986a120 100644
--- a/detections/endpoint/linux_rpm_privilege_escalation.yml
+++ b/detections/endpoint/linux_rpm_privilege_escalation.yml
@@ -73,7 +73,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 30
security_domain: endpoint
tests:
- name: True Positive Test
@@ -82,4 +81,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/rpm/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_ruby_privilege_escalation.yml b/detections/endpoint/linux_ruby_privilege_escalation.yml
index a4ebe6d2ad..68175b9b94 100644
--- a/detections/endpoint/linux_ruby_privilege_escalation.yml
+++ b/detections/endpoint/linux_ruby_privilege_escalation.yml
@@ -71,7 +71,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 30
security_domain: endpoint
tests:
- name: True Positive Test
@@ -80,4 +79,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/ruby/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml
index 4c165ae904..1b9a39161c 100644
--- a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml
+++ b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml
@@ -65,7 +65,6 @@ tags:
- Filesystem.file_name
- Filesystem.process_guid
- Filesystem.file_path
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_service_restarted.yml b/detections/endpoint/linux_service_restarted.yml
index 6926755af4..6c5503bc61 100644
--- a/detections/endpoint/linux_service_restarted.yml
+++ b/detections/endpoint/linux_service_restarted.yml
@@ -69,7 +69,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_service_started_or_enabled.yml b/detections/endpoint/linux_service_started_or_enabled.yml
index 72eebc0fce..3b6e7bea05 100644
--- a/detections/endpoint/linux_service_started_or_enabled.yml
+++ b/detections/endpoint/linux_service_started_or_enabled.yml
@@ -68,7 +68,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 42
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_setuid_using_chmod_utility.yml b/detections/endpoint/linux_setuid_using_chmod_utility.yml
index 661c9931e7..b580823976 100644
--- a/detections/endpoint/linux_setuid_using_chmod_utility.yml
+++ b/detections/endpoint/linux_setuid_using_chmod_utility.yml
@@ -65,7 +65,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_setuid_using_setcap_utility.yml b/detections/endpoint/linux_setuid_using_setcap_utility.yml
index a6478eb949..0a26c7d150 100644
--- a/detections/endpoint/linux_setuid_using_setcap_utility.yml
+++ b/detections/endpoint/linux_setuid_using_setcap_utility.yml
@@ -65,7 +65,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_shred_overwrite_command.yml b/detections/endpoint/linux_shred_overwrite_command.yml
index d6af5c9e88..ec5a894575 100644
--- a/detections/endpoint/linux_shred_overwrite_command.yml
+++ b/detections/endpoint/linux_shred_overwrite_command.yml
@@ -66,7 +66,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_sqlite3_privilege_escalation.yml b/detections/endpoint/linux_sqlite3_privilege_escalation.yml
index 24fd1e2fed..0af7086718 100644
--- a/detections/endpoint/linux_sqlite3_privilege_escalation.yml
+++ b/detections/endpoint/linux_sqlite3_privilege_escalation.yml
@@ -72,7 +72,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 30
security_domain: endpoint
tests:
- name: True Positive Test
@@ -81,4 +80,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_ssh_authorized_keys_modification.yml b/detections/endpoint/linux_ssh_authorized_keys_modification.yml
index 2caccf2eb4..832a0670fe 100644
--- a/detections/endpoint/linux_ssh_authorized_keys_modification.yml
+++ b/detections/endpoint/linux_ssh_authorized_keys_modification.yml
@@ -79,7 +79,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
@@ -88,4 +87,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_ssh_remote_services_script_execute.yml b/detections/endpoint/linux_ssh_remote_services_script_execute.yml
index 9e13bd446e..df1f41bd18 100644
--- a/detections/endpoint/linux_ssh_remote_services_script_execute.yml
+++ b/detections/endpoint/linux_ssh_remote_services_script_execute.yml
@@ -74,7 +74,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
@@ -83,4 +82,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/atomic_red_team/linux-sysmon.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
index 4fe80ecb18..ea918daf6e 100644
--- a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
+++ b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
@@ -64,7 +64,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_stop_services.yml b/detections/endpoint/linux_stop_services.yml
index 28b9aee7f8..c38c09262f 100644
--- a/detections/endpoint/linux_stop_services.yml
+++ b/detections/endpoint/linux_stop_services.yml
@@ -65,7 +65,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_sudo_or_su_execution.yml b/detections/endpoint/linux_sudo_or_su_execution.yml
index 323969cbee..d40b6be95c 100644
--- a/detections/endpoint/linux_sudo_or_su_execution.yml
+++ b/detections/endpoint/linux_sudo_or_su_execution.yml
@@ -63,7 +63,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_sudoers_tmp_file_creation.yml b/detections/endpoint/linux_sudoers_tmp_file_creation.yml
index 8e3da22f96..8cd85b56ef 100644
--- a/detections/endpoint/linux_sudoers_tmp_file_creation.yml
+++ b/detections/endpoint/linux_sudoers_tmp_file_creation.yml
@@ -55,7 +55,6 @@ tags:
- Filesystem.file_name
- Filesystem.process_guid
- Filesystem.file_path
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_system_network_discovery.yml b/detections/endpoint/linux_system_network_discovery.yml
index 6247fc97d8..17a3a3e7e0 100644
--- a/detections/endpoint/linux_system_network_discovery.yml
+++ b/detections/endpoint/linux_system_network_discovery.yml
@@ -65,7 +65,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/linux_system_reboot_via_system_request_key.yml b/detections/endpoint/linux_system_reboot_via_system_request_key.yml
index 6351f75b97..de9bdb4214 100644
--- a/detections/endpoint/linux_system_reboot_via_system_request_key.yml
+++ b/detections/endpoint/linux_system_reboot_via_system_request_key.yml
@@ -64,7 +64,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -73,4 +72,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml
index 6f248fd7e4..fc7e72254e 100644
--- a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml
+++ b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml
@@ -67,7 +67,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
@@ -76,4 +75,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
- update_timestamp: true
diff --git a/detections/endpoint/linux_visudo_utility_execution.yml b/detections/endpoint/linux_visudo_utility_execution.yml
index 106f4f8587..644007f0ba 100644
--- a/detections/endpoint/linux_visudo_utility_execution.yml
+++ b/detections/endpoint/linux_visudo_utility_execution.yml
@@ -63,7 +63,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 16
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/living_off_the_land_detection.yml b/detections/endpoint/living_off_the_land_detection.yml
index 26f3ab58e1..c6319256bb 100644
--- a/detections/endpoint/living_off_the_land_detection.yml
+++ b/detections/endpoint/living_off_the_land_detection.yml
@@ -66,7 +66,6 @@ tags:
- All_Risk.risk_object
- All_Risk.annotations.mitre_attack.mitre_tactic
- source
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/loading_of_dynwrapx_module.yml b/detections/endpoint/loading_of_dynwrapx_module.yml
index 2e3c85aa3e..6d207d1335 100644
--- a/detections/endpoint/loading_of_dynwrapx_module.yml
+++ b/detections/endpoint/loading_of_dynwrapx_module.yml
@@ -67,7 +67,6 @@ tags:
- EventCode
- Signed
- ProcessId
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/local_account_discovery_with_net.yml b/detections/endpoint/local_account_discovery_with_net.yml
index 8af1029345..9688dc29a5 100644
--- a/detections/endpoint/local_account_discovery_with_net.yml
+++ b/detections/endpoint/local_account_discovery_with_net.yml
@@ -57,7 +57,6 @@ tags:
- Splunk Cloud
required_fields:
- _time
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/local_account_discovery_with_wmic.yml b/detections/endpoint/local_account_discovery_with_wmic.yml
index dc3b012ed7..6273f199a7 100644
--- a/detections/endpoint/local_account_discovery_with_wmic.yml
+++ b/detections/endpoint/local_account_discovery_with_wmic.yml
@@ -55,7 +55,6 @@ tags:
- Splunk Cloud
required_fields:
- _time
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
index d58be5a40a..d0f6247c99 100644
--- a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
+++ b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
@@ -66,7 +66,6 @@ tags:
- All_Risk.risk_object
- All_Risk.annotations.mitre_attack.mitre_tactic
- source
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/logon_script_event_trigger_execution.yml b/detections/endpoint/logon_script_event_trigger_execution.yml
index 91c271f74f..0deadc018c 100644
--- a/detections/endpoint/logon_script_event_trigger_execution.yml
+++ b/detections/endpoint/logon_script_event_trigger_execution.yml
@@ -62,7 +62,6 @@ tags:
- Registry.registry_path
- Registry.registry_key_name
- Registry.registry_value_name
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml
index d60a07c41e..4419e4aa38 100644
--- a/detections/endpoint/lolbas_with_network_traffic.yml
+++ b/detections/endpoint/lolbas_with_network_traffic.yml
@@ -83,7 +83,6 @@ tags:
- All_Traffic.dest
- All_Traffic.dest_ip
- All_Traffic.process_id
- risk_score: 25
security_domain: network
tests:
- name: True Positive Test
@@ -92,4 +91,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/macos___re_opened_applications.yml b/detections/endpoint/macos___re_opened_applications.yml
index 0a7e2b4bec..92db18d882 100644
--- a/detections/endpoint/macos___re_opened_applications.yml
+++ b/detections/endpoint/macos___re_opened_applications.yml
@@ -66,5 +66,4 @@ tags:
- Processes.process_name
- Processes.parent_process_name
- Processes.dest
- risk_score: 25
security_domain: threat
diff --git a/detections/endpoint/macos_lolbin.yml b/detections/endpoint/macos_lolbin.yml
index eb2f4574d6..b941534493 100644
--- a/detections/endpoint/macos_lolbin.yml
+++ b/detections/endpoint/macos_lolbin.yml
@@ -60,7 +60,6 @@ tags:
- columns.signing_id
- columns.username
- host
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/macos_plutil.yml b/detections/endpoint/macos_plutil.yml
index 5052388030..5ecc56d90d 100644
--- a/detections/endpoint/macos_plutil.yml
+++ b/detections/endpoint/macos_plutil.yml
@@ -57,7 +57,6 @@ tags:
- columns.signing_id
- columns.username
- host
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/mailsniper_invoke_functions.yml b/detections/endpoint/mailsniper_invoke_functions.yml
index 63b03ef528..08e747519e 100644
--- a/detections/endpoint/mailsniper_invoke_functions.yml
+++ b/detections/endpoint/mailsniper_invoke_functions.yml
@@ -57,7 +57,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/malicious_inprocserver32_modification.yml b/detections/endpoint/malicious_inprocserver32_modification.yml
index 4ebe25fee1..7b250550c6 100644
--- a/detections/endpoint/malicious_inprocserver32_modification.yml
+++ b/detections/endpoint/malicious_inprocserver32_modification.yml
@@ -76,7 +76,6 @@ tags:
- registry_key_name
- registry_value_name
- user
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/malicious_powershell_executed_as_a_service.yml b/detections/endpoint/malicious_powershell_executed_as_a_service.yml
index 57a0c7f994..0841477821 100644
--- a/detections/endpoint/malicious_powershell_executed_as_a_service.yml
+++ b/detections/endpoint/malicious_powershell_executed_as_a_service.yml
@@ -64,7 +64,6 @@ tags:
- Service_Start_Type
- Service_Account
- user
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml
index 2361965649..68633c8b4c 100644
--- a/detections/endpoint/malicious_powershell_process___encoded_command.yml
+++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml
@@ -76,7 +76,6 @@ tags:
- Processes.parent_process_name
- Processes.dest
- Processes.process_id
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
index 07111d4bc2..b1f4e1e599 100644
--- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
+++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
@@ -73,7 +73,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 42
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
index 38e345f8f3..3103d1e8e9 100644
--- a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
+++ b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
@@ -70,7 +70,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 42
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
index 2b34a30818..82a8e52dbc 100644
--- a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
+++ b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
@@ -78,7 +78,6 @@ tags:
- Processes.process_id
- Processes.parent_process_id
- Processes.parent_process_name
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
index b07f02f030..05bb9b3a26 100644
--- a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/modification_of_wallpaper.yml b/detections/endpoint/modification_of_wallpaper.yml
index d82dc62ae6..5b529f7e91 100644
--- a/detections/endpoint/modification_of_wallpaper.yml
+++ b/detections/endpoint/modification_of_wallpaper.yml
@@ -65,7 +65,6 @@ tags:
- process_guid
- process_id
- user_id
- risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
index 98c03804bc..09343457b0 100644
--- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
+++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
@@ -62,7 +62,6 @@ tags:
- Processes.user
- Processes.process
- Processes.process_id
- risk_score: 32
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
index ea1a640407..0598d8d007 100644
--- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
+++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
@@ -57,7 +57,6 @@ tags:
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/moveit_certificate_store_access_failure.yml b/detections/endpoint/moveit_certificate_store_access_failure.yml
index 78f9a718ff..aa1ea95a5d 100644
--- a/detections/endpoint/moveit_certificate_store_access_failure.yml
+++ b/detections/endpoint/moveit_certificate_store_access_failure.yml
@@ -33,7 +33,6 @@ tags:
required_fields:
- source
- _raw
- risk_score: 9
security_domain: endpoint
cve:
- CVE-2024-5806
diff --git a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml
index 4be4c33ed8..b82a8da6b7 100644
--- a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml
+++ b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml
@@ -33,7 +33,6 @@ tags:
required_fields:
- source
- _raw
- risk_score: 9
security_domain: endpoint
cve:
- CVE-2024-5806
diff --git a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
index 41c700af5e..0f7fe9dbfb 100644
--- a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
+++ b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
@@ -80,5 +80,4 @@ tags:
- Processes.process_id
- Processes.process_name
- Processes.process_guid
- risk_score: 81
security_domain: endpoint
diff --git a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml
index 750a86f48a..97f896b0dd 100644
--- a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml
+++ b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml
@@ -56,7 +56,6 @@ tags:
- ProcessGuid
- dest
- ImageLoaded
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml
index 719ef1f264..e6304044f9 100644
--- a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml
+++ b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml
@@ -58,7 +58,6 @@ tags:
- ProcessGuid
- dest
- ImageLoaded
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
index 46d80c1e16..5ede50eacd 100644
--- a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
+++ b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
@@ -70,7 +70,6 @@ tags:
- Processes.process_name
- Processes.original_file_name
- Processes.user
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
index ba8a54b183..3418910066 100644
--- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
+++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
@@ -74,7 +74,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/mshtml_module_load_in_office_product.yml b/detections/endpoint/mshtml_module_load_in_office_product.yml
index b54ab9b15c..d54429dbd0 100644
--- a/detections/endpoint/mshtml_module_load_in_office_product.yml
+++ b/detections/endpoint/mshtml_module_load_in_office_product.yml
@@ -65,7 +65,6 @@ tags:
- OriginalFileName
- process_id
- dest
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml
index 9e694af832..467b0d7002 100644
--- a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml
+++ b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml
@@ -59,7 +59,6 @@ tags:
- dest
- EventCode
- ProcessId
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/msmpeng_application_dll_side_loading.yml b/detections/endpoint/msmpeng_application_dll_side_loading.yml
index 7418bfde83..80541a9028 100644
--- a/detections/endpoint/msmpeng_application_dll_side_loading.yml
+++ b/detections/endpoint/msmpeng_application_dll_side_loading.yml
@@ -57,7 +57,6 @@ tags:
- Filesystem.file_name
- Filesystem.user
- Filesystem.file_path
- risk_score: 25.0
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/net_localgroup_discovery.yml b/detections/endpoint/net_localgroup_discovery.yml
index bd88ee31cc..fdd9252662 100644
--- a/detections/endpoint/net_localgroup_discovery.yml
+++ b/detections/endpoint/net_localgroup_discovery.yml
@@ -82,7 +82,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/net_profiler_uac_bypass.yml b/detections/endpoint/net_profiler_uac_bypass.yml
index 4efe979c66..0b59705aef 100644
--- a/detections/endpoint/net_profiler_uac_bypass.yml
+++ b/detections/endpoint/net_profiler_uac_bypass.yml
@@ -55,7 +55,6 @@ tags:
- Registry.registry_key_name
- Registry.registry_value_name
- Registry.dest
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/network_connection_discovery_with_arp.yml b/detections/endpoint/network_connection_discovery_with_arp.yml
index ab79da0570..dddb0f8d1a 100644
--- a/detections/endpoint/network_connection_discovery_with_arp.yml
+++ b/detections/endpoint/network_connection_discovery_with_arp.yml
@@ -72,7 +72,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/network_connection_discovery_with_net.yml b/detections/endpoint/network_connection_discovery_with_net.yml
index 35b00a4faa..3b9a2810f1 100644
--- a/detections/endpoint/network_connection_discovery_with_net.yml
+++ b/detections/endpoint/network_connection_discovery_with_net.yml
@@ -68,7 +68,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/network_connection_discovery_with_netstat.yml b/detections/endpoint/network_connection_discovery_with_netstat.yml
index fe95b08f33..412b6861bc 100644
--- a/detections/endpoint/network_connection_discovery_with_netstat.yml
+++ b/detections/endpoint/network_connection_discovery_with_netstat.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 15
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/network_discovery_using_route_windows_app.yml b/detections/endpoint/network_discovery_using_route_windows_app.yml
index f5b53520ce..41667f7de6 100644
--- a/detections/endpoint/network_discovery_using_route_windows_app.yml
+++ b/detections/endpoint/network_discovery_using_route_windows_app.yml
@@ -69,7 +69,6 @@ tags:
 - Processes.process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/network_share_discovery_via_dir_command.yml b/detections/endpoint/network_share_discovery_via_dir_command.yml
index 7be5739254..e1e794feb0 100644
--- a/detections/endpoint/network_share_discovery_via_dir_command.yml
+++ b/detections/endpoint/network_share_discovery_via_dir_command.yml
@@ -49,7 +49,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 25
 required_fields:
 - _time
 - ShareName
diff --git a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
index f3dc6a139b..ec1a819d45 100644
--- a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
+++ b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
@@ -61,7 +61,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 10
 required_fields:
 - All_Traffic.src_ip
 - All_Traffic.dest_ip
diff --git a/detections/endpoint/nishang_powershelltcponeline.yml b/detections/endpoint/nishang_powershelltcponeline.yml
index 6959615fe3..2d243ab0f2 100644
--- a/detections/endpoint/nishang_powershelltcponeline.yml
+++ b/detections/endpoint/nishang_powershelltcponeline.yml
@@ -70,7 +70,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 42
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/nltest_domain_trust_discovery.yml b/detections/endpoint/nltest_domain_trust_discovery.yml
index f7fe8fdc4b..9ffd40386e 100644
--- a/detections/endpoint/nltest_domain_trust_discovery.yml
+++ b/detections/endpoint/nltest_domain_trust_discovery.yml
@@ -74,7 +74,6 @@ tags:
 - Processes.parent_process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 15
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
index f1e940a766..534667c07b 100644
--- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
+++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
@@ -66,7 +66,6 @@ tags:
 - EventCode
 - dest
 - user
- risk_score: 35
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
index 0bf0bb5353..5f8679c668 100644
--- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
+++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
@@ -66,7 +66,6 @@ tags:
 - EventCode
 - dest
 - user
- risk_score: 35
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/notepad_with_no_command_line_arguments.yml b/detections/endpoint/notepad_with_no_command_line_arguments.yml
index 25f31f4117..e6dca7e847 100644
--- a/detections/endpoint/notepad_with_no_command_line_arguments.yml
+++ b/detections/endpoint/notepad_with_no_command_line_arguments.yml
@@ -78,7 +78,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 35
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/ntdsutil_export_ntds.yml b/detections/endpoint/ntdsutil_export_ntds.yml
index 19227bf537..801e4c2ac1 100644
--- a/detections/endpoint/ntdsutil_export_ntds.yml
+++ b/detections/endpoint/ntdsutil_export_ntds.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.parent_process
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 50
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_application_drop_executable.yml b/detections/endpoint/office_application_drop_executable.yml
index 3d99783b40..2e9df563de 100644
--- a/detections/endpoint/office_application_drop_executable.yml
+++ b/detections/endpoint/office_application_drop_executable.yml
@@ -70,7 +70,6 @@ tags:
 - process_guid
 - dest
 - user_id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_application_spawn_regsvr32_process.yml b/detections/endpoint/office_application_spawn_regsvr32_process.yml
index 7c7186e554..af1bfec5b0 100644
--- a/detections/endpoint/office_application_spawn_regsvr32_process.yml
+++ b/detections/endpoint/office_application_spawn_regsvr32_process.yml
@@ -73,7 +73,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 63
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_application_spawn_rundll32_process.yml b/detections/endpoint/office_application_spawn_rundll32_process.yml
index d233706b21..f2149fa0e0 100644
--- a/detections/endpoint/office_application_spawn_rundll32_process.yml
+++ b/detections/endpoint/office_application_spawn_rundll32_process.yml
@@ -75,7 +75,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 63
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_document_creating_schedule_task.yml b/detections/endpoint/office_document_creating_schedule_task.yml
index bf7281830a..1f042c2d18 100644
--- a/detections/endpoint/office_document_creating_schedule_task.yml
+++ b/detections/endpoint/office_document_creating_schedule_task.yml
@@ -61,7 +61,6 @@ tags:
 - ProcessId
 - ProcessGuid
 - _time
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_document_executing_macro_code.yml b/detections/endpoint/office_document_executing_macro_code.yml
index 41a3287902..548e400721 100644
--- a/detections/endpoint/office_document_executing_macro_code.yml
+++ b/detections/endpoint/office_document_executing_macro_code.yml
@@ -72,7 +72,6 @@ tags:
 - ProcessId
 - ProcessGuid
 - _time
- risk_score: 35
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_document_spawned_child_process_to_download.yml b/detections/endpoint/office_document_spawned_child_process_to_download.yml
index 01534f5b1a..53925a8e21 100644
--- a/detections/endpoint/office_document_spawned_child_process_to_download.yml
+++ b/detections/endpoint/office_document_spawned_child_process_to_download.yml
@@ -74,7 +74,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 35
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml
index fe08d92687..5636a9d265 100644
--- a/detections/endpoint/office_product_spawn_cmd_process.yml
+++ b/detections/endpoint/office_product_spawn_cmd_process.yml
@@ -91,7 +91,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_product_spawning_bitsadmin.yml b/detections/endpoint/office_product_spawning_bitsadmin.yml
index b3e2d4d3ad..80c023da73 100644
--- a/detections/endpoint/office_product_spawning_bitsadmin.yml
+++ b/detections/endpoint/office_product_spawning_bitsadmin.yml
@@ -76,7 +76,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 63
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_product_spawning_certutil.yml b/detections/endpoint/office_product_spawning_certutil.yml
index 16a928f462..b48cc125c1 100644
--- a/detections/endpoint/office_product_spawning_certutil.yml
+++ b/detections/endpoint/office_product_spawning_certutil.yml
@@ -78,7 +78,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 63
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_product_spawning_mshta.yml b/detections/endpoint/office_product_spawning_mshta.yml
index 8c0cf83a9b..446f88f6d3 100644
--- a/detections/endpoint/office_product_spawning_mshta.yml
+++ b/detections/endpoint/office_product_spawning_mshta.yml
@@ -77,7 +77,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 63
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml
index c2bf3c1353..a6c4e01549 100644
--- a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml
+++ b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml
@@ -79,7 +79,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 63
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_product_spawning_windows_script_host.yml b/detections/endpoint/office_product_spawning_windows_script_host.yml
index 0ac2621443..97bc9f4e39 100644
--- a/detections/endpoint/office_product_spawning_windows_script_host.yml
+++ b/detections/endpoint/office_product_spawning_windows_script_host.yml
@@ -82,7 +82,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 63
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -91,4 +90,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/office_product_spawning_wmic.yml b/detections/endpoint/office_product_spawning_wmic.yml
index a2fdc495a4..33a16c3607 100644
--- a/detections/endpoint/office_product_spawning_wmic.yml
+++ b/detections/endpoint/office_product_spawning_wmic.yml
@@ -78,7 +78,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 63
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_product_writing_cab_or_inf.yml b/detections/endpoint/office_product_writing_cab_or_inf.yml
index ca2b9bca25..3579200a79 100644
--- a/detections/endpoint/office_product_writing_cab_or_inf.yml
+++ b/detections/endpoint/office_product_writing_cab_or_inf.yml
@@ -77,7 +77,6 @@ tags:
 - file_create_time
 - file_name
 - file_path
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_spawning_control.yml b/detections/endpoint/office_spawning_control.yml
index 4c426962fa..ddef75dad3 100644
--- a/detections/endpoint/office_spawning_control.yml
+++ b/detections/endpoint/office_spawning_control.yml
@@ -85,7 +85,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml
index 0e8f8fe2c2..5c68aa98a2 100644
--- a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml
+++ b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml
@@ -72,7 +72,6 @@ tags:
 - All_Traffic.process_id
 - All_Traffic.dest
 - All_Traffic.dest_port
- risk_score: 54
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/overwriting_accessibility_binaries.yml b/detections/endpoint/overwriting_accessibility_binaries.yml
index ce700f1d5c..3ee7c774fa 100644
--- a/detections/endpoint/overwriting_accessibility_binaries.yml
+++ b/detections/endpoint/overwriting_accessibility_binaries.yml
@@ -62,7 +62,6 @@ tags:
 - Filesystem.file_path
 - Filesystem.file_name
 - Filesystem.dest
- risk_score: 72
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml
index 3419aa89a2..40af3ebc3d 100644
--- a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml
+++ b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml
@@ -54,7 +54,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 64
 required_fields:
 - uri_match
 - ip_match
diff --git a/detections/endpoint/password_policy_discovery_with_net.yml b/detections/endpoint/password_policy_discovery_with_net.yml
index 6b697a7d73..da4d69f1e4 100644
--- a/detections/endpoint/password_policy_discovery_with_net.yml
+++ b/detections/endpoint/password_policy_discovery_with_net.yml
@@ -73,7 +73,6 @@ tags:
 - Processes.process_id
 - Processes.parent_process_id
 - Processes.parent_process_name
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/permission_modification_using_takeown_app.yml b/detections/endpoint/permission_modification_using_takeown_app.yml
index 45039ce8d3..e6c8013334 100644
--- a/detections/endpoint/permission_modification_using_takeown_app.yml
+++ b/detections/endpoint/permission_modification_using_takeown_app.yml
@@ -70,7 +70,6 @@ tags:
 - Processes.user
 - Processes.process_id
 - Processes.process_guid
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/petitpotam_network_share_access_request.yml b/detections/endpoint/petitpotam_network_share_access_request.yml
index 2e05e72116..07d8a01ef3 100644
--- a/detections/endpoint/petitpotam_network_share_access_request.yml
+++ b/detections/endpoint/petitpotam_network_share_access_request.yml
@@ -56,7 +56,6 @@ tags:
 - src
 - AccessMask
 - AccessReason
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
index c8508e737c..158ee6d6dc 100644
--- a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
+++ b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
@@ -55,7 +55,6 @@ tags:
 - Client_Address
 - action
 - Message
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml
index a0e7829645..6a11d62012 100644
--- a/detections/endpoint/ping_sleep_batch_command.yml
+++ b/detections/endpoint/ping_sleep_batch_command.yml
@@ -77,7 +77,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 36
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/possible_browser_pass_view_parameter.yml b/detections/endpoint/possible_browser_pass_view_parameter.yml
index 8af97a9021..0258d39396 100644
--- a/detections/endpoint/possible_browser_pass_view_parameter.yml
+++ b/detections/endpoint/possible_browser_pass_view_parameter.yml
@@ -76,7 +76,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 16
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
index ffa2ba48c5..ed00f2f198 100644
--- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
+++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
@@ -86,7 +86,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 45
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/potential_password_in_username.yml b/detections/endpoint/potential_password_in_username.yml
index e9ec637a72..af6187adf9 100644
--- a/detections/endpoint/potential_password_in_username.yml
+++ b/detections/endpoint/potential_password_in_username.yml
@@ -71,7 +71,6 @@ tags:
 - Authentication.src
 - Authentication.dest
 - sourcetype
- risk_score: 21
 security_domain: access
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/potentially_malicious_code_on_commandline.yml b/detections/endpoint/potentially_malicious_code_on_commandline.yml
index cc2bb36f5b..a521d7bb46 100644
--- a/detections/endpoint/potentially_malicious_code_on_commandline.yml
+++ b/detections/endpoint/potentially_malicious_code_on_commandline.yml
@@ -73,7 +73,6 @@ tags:
 - Processes.parent_process
 - Processes.user
 - Processes.dest
- risk_score: 12
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml
index e02d365720..e9580204c7 100644
--- a/detections/endpoint/powershell_4104_hunting.yml
+++ b/detections/endpoint/powershell_4104_hunting.yml
@@ -94,7 +94,6 @@ tags:
 - Computer
 - UserID
 - EventCode
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
index 410de1915b..484938d16b 100644
--- a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
+++ b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
@@ -85,7 +85,6 @@ tags:
 - Processes.user
 - Processes.parent_process_name
 - Processes.dest
- risk_score: 81
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml
index a0a31fea09..2669da982f 100644
--- a/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml
+++ b/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml
@@ -57,7 +57,6 @@ tags:
 - Computer
 - UserID
 - EventCode
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -66,4 +65,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-powershell.log
 source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/powershell_creating_thread_mutex.yml b/detections/endpoint/powershell_creating_thread_mutex.yml
index a8d2094a2c..4185779064 100644
--- a/detections/endpoint/powershell_creating_thread_mutex.yml
+++ b/detections/endpoint/powershell_creating_thread_mutex.yml
@@ -60,7 +60,6 @@ tags:
 - ScriptBlockText
 - Computer
 - UserID
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml
index 1cf9ea9210..882964dae9 100644
--- a/detections/endpoint/powershell_disable_security_monitoring.yml
+++ b/detections/endpoint/powershell_disable_security_monitoring.yml
@@ -70,7 +70,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 25.0
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_domain_enumeration.yml b/detections/endpoint/powershell_domain_enumeration.yml
index a1aff99a00..c40784a39c 100644
--- a/detections/endpoint/powershell_domain_enumeration.yml
+++ b/detections/endpoint/powershell_domain_enumeration.yml
@@ -64,7 +64,6 @@ tags:
 - Computer
 - UserID
 - EventCode
- risk_score: 42
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_enable_powershell_remoting.yml b/detections/endpoint/powershell_enable_powershell_remoting.yml
index 1fc3db9be9..b716ec303b 100644
--- a/detections/endpoint/powershell_enable_powershell_remoting.yml
+++ b/detections/endpoint/powershell_enable_powershell_remoting.yml
@@ -50,7 +50,6 @@ tags:
 - EventCode
 - ScriptBlockText
 - Computer
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_enable_smb1protocol_feature.yml b/detections/endpoint/powershell_enable_smb1protocol_feature.yml
index 21aa4a6bf1..54fea95e1f 100644
--- a/detections/endpoint/powershell_enable_smb1protocol_feature.yml
+++ b/detections/endpoint/powershell_enable_smb1protocol_feature.yml
@@ -53,7 +53,6 @@ tags:
 - ScriptBlockText
 - Computer
 - UserID
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_execute_com_object.yml b/detections/endpoint/powershell_execute_com_object.yml
index 97984f444a..10a7a1b1a3 100644
--- a/detections/endpoint/powershell_execute_com_object.yml
+++ b/detections/endpoint/powershell_execute_com_object.yml
@@ -54,7 +54,6 @@ tags:
 - ScriptBlockText
 - Computer
 - EventCode
- risk_score: 5
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml
index e6c8b33ec8..da64f5ea5d 100644
--- a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml
+++ b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml
@@ -58,7 +58,6 @@ tags:
 - Computer
 - UserID
 - EventCode
- risk_score: 48
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
index cc9b1ab5e6..8e9d9f733f 100644
--- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
+++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
@@ -61,7 +61,6 @@ tags:
 - Computer
 - UserID
 - EventCode
- risk_score: 56
 security_domain: endpoint
 asset_type: Endpoint
 tests:
diff --git a/detections/endpoint/powershell_get_localgroup_discovery.yml b/detections/endpoint/powershell_get_localgroup_discovery.yml
index 233a46805d..e13fca7bb8 100644
--- a/detections/endpoint/powershell_get_localgroup_discovery.yml
+++ b/detections/endpoint/powershell_get_localgroup_discovery.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 15
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml
index 549f09229e..81b6592c69 100644
--- a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml
+++ b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml
@@ -60,7 +60,6 @@ tags:
 - Computer
 - UserID
 - EventCode
- risk_score: 15
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml
index cf32efd7e0..66bd403b06 100644
--- a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml
+++ b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml
@@ -51,7 +51,6 @@ tags:
 - EventCode
 - ScriptBlockText
 - Computer
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_invoke_wmiexec_usage.yml b/detections/endpoint/powershell_invoke_wmiexec_usage.yml
index e7f329da66..859a4b6ec9 100644
--- a/detections/endpoint/powershell_invoke_wmiexec_usage.yml
+++ b/detections/endpoint/powershell_invoke_wmiexec_usage.yml
@@ -48,7 +48,6 @@ tags:
 - EventCode
 - ScriptBlockText
 - Computer
- risk_score: 100
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_load_module_in_meterpreter.yml b/detections/endpoint/powershell_load_module_in_meterpreter.yml
index 68dedb6a49..7d2926c864 100644
--- a/detections/endpoint/powershell_load_module_in_meterpreter.yml
+++ b/detections/endpoint/powershell_load_module_in_meterpreter.yml
@@ -56,7 +56,6 @@ tags:
 - ScriptBlockText
 - Computer
 - User_id
- risk_score: 100
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -65,4 +64,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/msf.powershell.powershell.log
 source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
index 29948081ed..1e8d7ed54d 100644
--- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
+++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
@@ -67,7 +67,6 @@ tags:
 - Computer
 - UserID
 - EventCode
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml
index 56184299fa..92b5169c12 100644
--- a/detections/endpoint/powershell_processing_stream_of_data.yml
+++ b/detections/endpoint/powershell_processing_stream_of_data.yml
@@ -66,7 +66,6 @@ tags:
 - Computer
 - UserID
 - Score
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_remote_services_add_trustedhost.yml b/detections/endpoint/powershell_remote_services_add_trustedhost.yml
index c8f4b8d880..52221ef6ca 100644
--- a/detections/endpoint/powershell_remote_services_add_trustedhost.yml
+++ b/detections/endpoint/powershell_remote_services_add_trustedhost.yml
@@ -50,7 +50,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 64
 required_fields:
 - _time
 - EventCode
diff --git a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml
index 292b8a1164..56884b6893 100644
--- a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml
+++ b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml
@@ -63,7 +63,6 @@ tags:
 - StartAddress
 - dest
 - EventCode
- risk_score: 63
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_remove_windows_defender_directory.yml b/detections/endpoint/powershell_remove_windows_defender_directory.yml
index eda9198315..5f44a21bde 100644
--- a/detections/endpoint/powershell_remove_windows_defender_directory.yml
+++ b/detections/endpoint/powershell_remove_windows_defender_directory.yml
@@ -55,7 +55,6 @@ tags:
 - Computer
 - UserID
 - EventCode
- risk_score: 90
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_script_block_with_url_chain.yml b/detections/endpoint/powershell_script_block_with_url_chain.yml
index 66e0a38616..35e59dae87 100644
--- a/detections/endpoint/powershell_script_block_with_url_chain.yml
+++ b/detections/endpoint/powershell_script_block_with_url_chain.yml
@@ -69,7 +69,6 @@ tags:
 - ActivityID
 - Computer
 - ScriptBlockText
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_start_bitstransfer.yml b/detections/endpoint/powershell_start_bitstransfer.yml
index 43d3b3a09e..d5fc98ee1b 100644
--- a/detections/endpoint/powershell_start_bitstransfer.yml
+++ b/detections/endpoint/powershell_start_bitstransfer.yml
@@ -75,7 +75,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_start_or_stop_service.yml b/detections/endpoint/powershell_start_or_stop_service.yml
index abd5ec0598..57cccf65b8 100644
--- a/detections/endpoint/powershell_start_or_stop_service.yml
+++ b/detections/endpoint/powershell_start_or_stop_service.yml
@@ -52,7 +52,6 @@ tags:
 - EventCode
 - ScriptBlockText
 - Computer
- risk_score: 10
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_using_memory_as_backing_store.yml b/detections/endpoint/powershell_using_memory_as_backing_store.yml
index af0da3f683..bf0013ab20 100644
--- a/detections/endpoint/powershell_using_memory_as_backing_store.yml
+++ b/detections/endpoint/powershell_using_memory_as_backing_store.yml
@@ -64,7 +64,6 @@ tags:
 - ScriptBlockText
 - Computer
 - UserID
- risk_score: 40
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_webrequest_using_memory_stream.yml b/detections/endpoint/powershell_webrequest_using_memory_stream.yml
index 46e0715da3..5973dbeda0 100644
--- a/detections/endpoint/powershell_webrequest_using_memory_stream.yml
+++ b/detections/endpoint/powershell_webrequest_using_memory_stream.yml
@@ -64,7 +64,6 @@ tags:
 - ActivityID
 - Computer
 - ScriptBlockText
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml
index 9edee81398..0eff058678 100644
--- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml
+++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml
@@ -63,7 +63,6 @@ tags:
 - ScriptBlockText
 - Computer
 - UserID
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
index f88b6c2c0a..576a34d102 100644
--- a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
+++ b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
@@ -71,7 +71,6 @@ tags:
 - Processes.user
 - Processes.process_id
 - Processes.process_guid
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/print_processor_registry_autostart.yml b/detections/endpoint/print_processor_registry_autostart.yml
index 489f58f2e0..3580c0cbfc 100644
--- a/detections/endpoint/print_processor_registry_autostart.yml
+++ b/detections/endpoint/print_processor_registry_autostart.yml
@@ -65,7 +65,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_key_name
 - Registry.registry_value_name
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/print_spooler_adding_a_printer_driver.yml b/detections/endpoint/print_spooler_adding_a_printer_driver.yml
index 3952fd8e68..14fe00448b 100644
--- a/detections/endpoint/print_spooler_adding_a_printer_driver.yml
+++ b/detections/endpoint/print_spooler_adding_a_printer_driver.yml
@@ -56,7 +56,6 @@ tags:
 - EventCode
 - ComputerName
 - Message
- risk_score: 72
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
index 335ac79e6e..b1fa389c15 100644
--- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
+++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
@@ -57,7 +57,6 @@ tags:
- EventCode
- ComputerName
- Message
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
index b5fa6e5d7f..d6cfe87c99 100644
--- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
+++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
@@ -73,7 +73,6 @@ tags:
- Filesystem.file_path
- Filesystem.file_hash
- Filesystem.user
- risk_score: 63
security_domain: network
tests:
- name: True Positive Test
diff --git a/detections/endpoint/process_deleting_its_process_file_path.yml b/detections/endpoint/process_deleting_its_process_file_path.yml
index afd82714e3..646d736c6a 100644
--- a/detections/endpoint/process_deleting_its_process_file_path.yml
+++ b/detections/endpoint/process_deleting_its_process_file_path.yml
@@ -74,7 +74,6 @@ tags:
- ProcessID
- result
- _time
- risk_score: 60
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/process_execution_via_wmi.yml b/detections/endpoint/process_execution_via_wmi.yml
index 3fe30bde40..b87ede5896 100644
--- a/detections/endpoint/process_execution_via_wmi.yml
+++ b/detections/endpoint/process_execution_via_wmi.yml
@@ -67,7 +67,6 @@ tags:
- Processes.user
- Processes.dest
- Processes.process_name
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/process_kill_base_on_file_path.yml b/detections/endpoint/process_kill_base_on_file_path.yml
index 21e767e52b..d583224114 100644
--- a/detections/endpoint/process_kill_base_on_file_path.yml
+++ b/detections/endpoint/process_kill_base_on_file_path.yml
@@ -73,7 +73,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/process_writing_dynamicwrapperx.yml b/detections/endpoint/process_writing_dynamicwrapperx.yml
index ba6276e497..c6f5febd23 100644
--- a/detections/endpoint/process_writing_dynamicwrapperx.yml
+++ b/detections/endpoint/process_writing_dynamicwrapperx.yml
@@ -77,7 +77,6 @@ tags:
- file_name
- file_path
- file_create_time user
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/processes_launching_netsh.yml b/detections/endpoint/processes_launching_netsh.yml
index 863babfa24..5bb2d775df 100644
--- a/detections/endpoint/processes_launching_netsh.yml
+++ b/detections/endpoint/processes_launching_netsh.yml
@@ -75,7 +75,6 @@ tags:
- Processes.process_name
- Processes.user
- Processes.dest
- risk_score: 14
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/processes_tapping_keyboard_events.yml b/detections/endpoint/processes_tapping_keyboard_events.yml
index 78f429cedd..8c5450eea0 100644
--- a/detections/endpoint/processes_tapping_keyboard_events.yml
+++ b/detections/endpoint/processes_tapping_keyboard_events.yml
@@ -52,5 +52,4 @@ tags:
- columns.name
- columns.pid
- host
- risk_score: 25
security_domain: threat
diff --git a/detections/endpoint/randomly_generated_scheduled_task_name.yml b/detections/endpoint/randomly_generated_scheduled_task_name.yml
index ecb46d821e..357a81e0d4 100644
--- a/detections/endpoint/randomly_generated_scheduled_task_name.yml
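Review bot: The context line `- file_create_time user` in the required_fields list of process_writing_dynamicwrapperx.yml looks like two entries fused into one scalar; the hunk's line counts (7 old, 6 new) confirm it is a single line, so the list should read `- file_create_time` and `- user` on separate lines. A stricter top-level schema such as extra='forbid' will not flag a malformed value inside a list, so this is worth fixing in the same pass; please confirm against the file since only the tail of the list is visible in the hunk.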
+++ b/detections/endpoint/randomly_generated_scheduled_task_name.yml
@@ -53,5 +53,4 @@ tags:
- Task_Name
- Description
- Command
- risk_score: 45
security_domain: endpoint
diff --git a/detections/endpoint/randomly_generated_windows_service_name.yml b/detections/endpoint/randomly_generated_windows_service_name.yml
index 24a5d97d46..16fa1225f4 100644
--- a/detections/endpoint/randomly_generated_windows_service_name.yml
+++ b/detections/endpoint/randomly_generated_windows_service_name.yml
@@ -55,5 +55,4 @@ tags:
- Service_Type
- Service_Name
- Service_Start_Type
- risk_score: 45
security_domain: endpoint
diff --git a/detections/endpoint/ransomware_notes_bulk_creation.yml b/detections/endpoint/ransomware_notes_bulk_creation.yml
index 662f35efe9..dc1a9e35fd 100644
--- a/detections/endpoint/ransomware_notes_bulk_creation.yml
+++ b/detections/endpoint/ransomware_notes_bulk_creation.yml
@@ -59,7 +59,6 @@ tags:
- dest
- Image
- user
- risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
index eedc4ade5b..8f0246a5c3 100644
--- a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
+++ b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
@@ -65,7 +65,6 @@ tags:
- ScriptBlockText
- Computer
- UserID
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml
index c38b04e789..6fc6eeace0 100644
--- a/detections/endpoint/recon_using_wmi_class.yml
+++ b/detections/endpoint/recon_using_wmi_class.yml
@@ -72,7 +72,6 @@ tags:
- ScriptBlockText
- Computer
- UserID
- risk_score: 60
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
index d54e914328..688c84d832 100644
--- a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
+++ b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
@@ -68,7 +68,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 25.0
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
index 4a899f456e..5d6caa93d0 100644
--- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
+++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
@@ -70,7 +70,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.dest
- risk_score: 45
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml
index 8fcb18edc5..968b8dddf4 100644
--- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml
+++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml
@@ -63,7 +63,6 @@ tags:
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
index 9c70a13351..d03831382d 100644
--- a/detections/endpoint/registry_keys_used_for_persistence.yml
+++ b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -102,7 +102,6 @@ tags:
- Registry.registry_path
- Registry.dest
- Registry.user
- risk_score: 76
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
index f040e11561..db8f0588d9 100644
--- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
+++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
@@ -68,7 +68,6 @@ tags:
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 76
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
index 818f60890d..dcafa2894b 100644
--- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
+++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
@@ -87,7 +87,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
index ef55514830..bed6b94c8b 100644
--- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
+++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
@@ -87,7 +87,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remcos_client_registry_install_entry.yml b/detections/endpoint/remcos_client_registry_install_entry.yml
index 284c4f7e56..94de2277f9 100644
--- a/detections/endpoint/remcos_client_registry_install_entry.yml
+++ b/detections/endpoint/remcos_client_registry_install_entry.yml
@@ -73,7 +73,6 @@ tags:
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 90
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml
index ad7ea90bde..f1f9d703a0 100644
--- a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml
+++ b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml
@@ -51,7 +51,6 @@ tags:
- file_create_time
- file_name
- file_path
- risk_score: 100
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_desktop_process_running_on_system.yml b/detections/endpoint/remote_desktop_process_running_on_system.yml
index 0811121698..9678f3ec79 100644
--- a/detections/endpoint/remote_desktop_process_running_on_system.yml
+++ b/detections/endpoint/remote_desktop_process_running_on_system.yml
@@ -63,5 +63,4 @@ tags:
- Processes.dest_category
- Processes.dest
- Processes.user
- risk_score: 25
security_domain: endpoint
diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
index 14db3eb4de..7b993c60d9 100644
--- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
@@ -71,7 +71,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml
index 555aea074b..597498d946 100644
--- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml
+++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml
@@ -53,7 +53,6 @@ tags:
- ScriptBlockText
- Computer
- user_id
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
index ee7a0dbcfc..11b4016637 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
@@ -71,7 +71,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 45
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml
index 1feea35a2e..8a5d23c8e7 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml
@@ -56,7 +56,6 @@ tags:
- Computer
- UserID
- EventCode
- risk_score: 45
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
index 28bf4680c7..f883a09820 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
@@ -70,7 +70,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi.yml b/detections/endpoint/remote_process_instantiation_via_wmi.yml
index f2a87b8c6a..6804a1562c 100644
--- a/detections/endpoint/remote_process_instantiation_via_wmi.yml
+++ b/detections/endpoint/remote_process_instantiation_via_wmi.yml
@@ -77,7 +77,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml
index ca63658762..684063ea3a 100644
--- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml
@@ -69,7 +69,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml
index 110e6db09a..f575f0947b 100644
--- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml
+++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml
@@ -55,7 +55,6 @@ tags:
- Message
- Computer
- UserID
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml
index 5887b1fb3b..bfb3eca4fa 100644
--- a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml
+++ b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml
@@ -51,7 +51,6 @@ tags:
- ScriptBlockText
- Computer
- UserID
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_system_discovery_with_dsquery.yml b/detections/endpoint/remote_system_discovery_with_dsquery.yml
index 6c05bd96af..44b5cd6286 100644
--- a/detections/endpoint/remote_system_discovery_with_dsquery.yml
+++ b/detections/endpoint/remote_system_discovery_with_dsquery.yml
@@ -66,7 +66,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_system_discovery_with_net.yml b/detections/endpoint/remote_system_discovery_with_net.yml
index fe77a7dcf4..edf519f413 100644
--- a/detections/endpoint/remote_system_discovery_with_net.yml
+++ b/detections/endpoint/remote_system_discovery_with_net.yml
@@ -68,7 +68,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_system_discovery_with_wmic.yml b/detections/endpoint/remote_system_discovery_with_wmic.yml
index 6f0debeedd..6bae27d884 100644
--- a/detections/endpoint/remote_system_discovery_with_wmic.yml
+++ b/detections/endpoint/remote_system_discovery_with_wmic.yml
@@ -67,7 +67,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/remote_wmi_command_attempt.yml b/detections/endpoint/remote_wmi_command_attempt.yml
index ad4cc1dc12..d009ba16b7 100644
--- a/detections/endpoint/remote_wmi_command_attempt.yml
+++ b/detections/endpoint/remote_wmi_command_attempt.yml
@@ -73,7 +73,6 @@ tags:
- Processes.parent_process
- Processes.parent_process_id
- Processes.process_id
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/resize_shadowstorage_volume.yml b/detections/endpoint/resize_shadowstorage_volume.yml
index 07215402da..edb4adbcf7 100644
--- a/detections/endpoint/resize_shadowstorage_volume.yml
+++ b/detections/endpoint/resize_shadowstorage_volume.yml
@@ -75,7 +75,6 @@ tags:
- Processes.parent_process
- Processes.dest
- Processes.user
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/revil_common_exec_parameter.yml b/detections/endpoint/revil_common_exec_parameter.yml
index 0c6bc248ad..ddbca1619d 100644
--- a/detections/endpoint/revil_common_exec_parameter.yml
+++ b/detections/endpoint/revil_common_exec_parameter.yml
@@ -72,7 +72,6 @@ tags:
- Processes.user
- Processes.process_id
- Processes.process_guid
- risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/revil_registry_entry.yml b/detections/endpoint/revil_registry_entry.yml
index 21ccf24d35..f66c848af8 100644
--- a/detections/endpoint/revil_registry_entry.yml
+++ b/detections/endpoint/revil_registry_entry.yml
@@ -88,7 +88,6 @@ tags:
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 60
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/rubeus_command_line_parameters.yml b/detections/endpoint/rubeus_command_line_parameters.yml
index 24bb8f5c65..f298d7dd72 100644
--- a/detections/endpoint/rubeus_command_line_parameters.yml
+++ b/detections/endpoint/rubeus_command_line_parameters.yml
@@ -86,7 +86,6 @@ tags:
- Processes.process_id
- Processes.parent_process_id
- Processes.parent_process_name
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
index 4b8c89fca1..96b5b6c8e7 100644
--- a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
+++ b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
@@ -66,7 +66,6 @@ tags:
- TargetProcessId
- SourceImage
- SourceProcessId
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/runas_execution_in_commandline.yml b/detections/endpoint/runas_execution_in_commandline.yml
index 59fcb501df..d8ac914651 100644
--- a/detections/endpoint/runas_execution_in_commandline.yml
+++ b/detections/endpoint/runas_execution_in_commandline.yml
@@ -68,7 +68,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/rundll32_control_rundll_hunt.yml b/detections/endpoint/rundll32_control_rundll_hunt.yml
index 2415080e37..e46ba6a310 100644
--- a/detections/endpoint/rundll32_control_rundll_hunt.yml
+++ b/detections/endpoint/rundll32_control_rundll_hunt.yml
@@ -89,7 +89,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
index 951b4f5ea3..fa662c42eb 100644
--- a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
+++ b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
@@ -90,7 +90,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml
index cfc70b8712..3a99f544b5 100644
--- a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml
+++ b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml
@@ -58,7 +58,6 @@ tags:
- StartAddress
- EventCode
- dest
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/rundll32_createremotethread_in_browser.yml b/detections/endpoint/rundll32_createremotethread_in_browser.yml
index dd4d0665e3..af0fd40025 100644
--- a/detections/endpoint/rundll32_createremotethread_in_browser.yml
+++ b/detections/endpoint/rundll32_createremotethread_in_browser.yml
@@ -60,7 +60,6 @@ tags:
- StartAddress
- EventCode
- dest
- risk_score: 70
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/rundll32_dnsquery.yml b/detections/endpoint/rundll32_dnsquery.yml
index e0b2bb34a2..299e4444bd 100644
--- a/detections/endpoint/rundll32_dnsquery.yml
+++ b/detections/endpoint/rundll32_dnsquery.yml
@@ -59,7 +59,6 @@ tags:
- QueryStatus
- ProcessId
- dest
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/rundll32_lockworkstation.yml b/detections/endpoint/rundll32_lockworkstation.yml
index a4330ce22e..e8c2b15558 100644
--- a/detections/endpoint/rundll32_lockworkstation.yml
+++ b/detections/endpoint/rundll32_lockworkstation.yml
@@ -67,7 +67,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml
index 57f71e63ee..2f36dc6d0b 100644
--- a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml
+++ b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml
@@ -56,7 +56,6 @@ tags:
- process_guid
- dest
- user_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/rundll32_shimcache_flush.yml b/detections/endpoint/rundll32_shimcache_flush.yml
index 205e9c912e..4e9521bcda 100644
--- a/detections/endpoint/rundll32_shimcache_flush.yml
+++ b/detections/endpoint/rundll32_shimcache_flush.yml
@@ -70,7 +70,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
index f1fe25961f..c2de5067ed 100644
--- a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
@@ -84,7 +84,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 70
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/rundll_loading_dll_by_ordinal.yml b/detections/endpoint/rundll_loading_dll_by_ordinal.yml
index d74d961b49..9a4bbf7367 100644
--- a/detections/endpoint/rundll_loading_dll_by_ordinal.yml
+++ b/detections/endpoint/rundll_loading_dll_by_ordinal.yml
@@ -79,7 +79,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/ryuk_test_files_detected.yml b/detections/endpoint/ryuk_test_files_detected.yml
index 1d514bba77..068d55576f 100644
--- a/detections/endpoint/ryuk_test_files_detected.yml
+++ b/detections/endpoint/ryuk_test_files_detected.yml
@@ -53,7 +53,6 @@ tags:
- Filesystem.file_path
- Filesystem.dest
- Filesystem.user
- risk_score: 70
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml
index 5b33f29853..737a414fdc 100644
--- a/detections/endpoint/ryuk_wake_on_lan_command.yml
+++ b/detections/endpoint/ryuk_wake_on_lan_command.yml
@@ -71,7 +71,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/sam_database_file_access_attempt.yml b/detections/endpoint/sam_database_file_access_attempt.yml
index 5f3e2f16c2..417cb102f2 100644
--- a/detections/endpoint/sam_database_file_access_attempt.yml
+++ b/detections/endpoint/sam_database_file_access_attempt.yml
@@ -74,7 +74,6 @@ tags:
- Object_Name
- dest
- user
- risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/samsam_test_file_write.yml b/detections/endpoint/samsam_test_file_write.yml
index f530b5add9..2840ab3587 100644
--- a/detections/endpoint/samsam_test_file_write.yml
+++ b/detections/endpoint/samsam_test_file_write.yml
@@ -54,7 +54,6 @@ tags:
- Filesystem.dest
- Filesystem.file_name
- Filesystem.file_path
- risk_score: 12
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/endpoint/sc_exe_manipulating_windows_services.yml
index 38342ca70c..961fe9bfbf 100644
--- a/detections/endpoint/sc_exe_manipulating_windows_services.yml
+++ b/detections/endpoint/sc_exe_manipulating_windows_services.yml
@@ -75,7 +75,6 @@ tags:
- Processes.parent_process_name
- Processes.dest
- Processes.user
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml
index 3f1fd31caf..24f5ad2341 100644
--- a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml
+++ b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml
@@ -56,7 +56,6 @@ tags:
- process_id
- process_name
- dest
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/schedule_task_with_http_command_arguments.yml b/detections/endpoint/schedule_task_with_http_command_arguments.yml
index aaded3e025..7b2bed1cbc 100644
--- a/detections/endpoint/schedule_task_with_http_command_arguments.yml
+++ b/detections/endpoint/schedule_task_with_http_command_arguments.yml
@@ -56,7 +56,6 @@ tags:
- Enabled
- Hidden
- Arguments
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml
index a399bddb7a..b48d4cdf90 100644
--- a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml
+++ b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml
@@ -58,7 +58,6 @@ tags:
- Enabled
- Hidden
- Arguments
- risk_score: 70
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
index 37493db23d..73b8cccfbf 100644
--- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
+++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
@@ -71,7 +71,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
index ba5b4d7ec2..50b0c5b6d8 100644
--- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
+++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -92,7 +92,6 @@ tags:
- Processes.user
- Processes.parent_process_name
- Processes.dest
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
index f33cbf68fa..d40d3bb21b 100644
--- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
@@ -70,7 +70,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml
index cb789f9f01..ca5217746b 100644
--- a/detections/endpoint/schtasks_run_task_on_demand.yml
+++ b/detections/endpoint/schtasks_run_task_on_demand.yml
@@ -74,7 +74,6 @@ tags:
- Processes.parent_process_name
- Processes.dest
- Processes.user
- risk_score: 48
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
index 9e3e1f57cd..ece2a996db 100644
--- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
+++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
@@ -77,7 +77,6 @@ tags:
- Processes.parent_process_name
- Processes.dest
- Processes.user
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
index d1920c9677..2267e641bf 100644
--- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
+++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
@@ -69,7 +69,6 @@ tags:
- Processes.parent_process_name
- Processes.dest
- Processes.user
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/screensaver_event_trigger_execution.yml b/detections/endpoint/screensaver_event_trigger_execution.yml
index 2def2d3f72..14d44605a4 100644
--- a/detections/endpoint/screensaver_event_trigger_execution.yml
+++ b/detections/endpoint/screensaver_event_trigger_execution.yml
@@ -65,7 +65,6 @@ tags:
- Registry.registry_path
- Registry.registry_key_name
- Registry.registry_value_name
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/script_execution_via_wmi.yml b/detections/endpoint/script_execution_via_wmi.yml
index 7fc4cc0b69..5b1a003ab8 100644
--- a/detections/endpoint/script_execution_via_wmi.yml
+++ b/detections/endpoint/script_execution_via_wmi.yml
@@ -56,7 +56,6 @@ tags:
- Processes.process_name
- Processes.user
- Processes.dest
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/sdclt_uac_bypass.yml b/detections/endpoint/sdclt_uac_bypass.yml
index 01964f6054..b3308ecbbc 100644
--- a/detections/endpoint/sdclt_uac_bypass.yml
+++ b/detections/endpoint/sdclt_uac_bypass.yml
@@ -84,7 +84,6 @@ tags:
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/sdelete_application_execution.yml b/detections/endpoint/sdelete_application_execution.yml
index 9cdfa0fa42..b7fa53576a 100644
--- a/detections/endpoint/sdelete_application_execution.yml
+++ b/detections/endpoint/sdelete_application_execution.yml
@@ -73,7 +73,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
index 7b62a8a795..3bd60ecc9d 100644
--- a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
+++ b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
@@ -69,7 +69,6 @@ tags: - parent_process_name - dest_port - process_path - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
index 2ab87de25b..0996a0bf40 100644
--- a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
+++ b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
@@ -73,7 +73,6 @@ tags: - Processes.user - Processes.process_id - Processes.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml
index 95cce99f66..0bc9794226 100644
--- a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml
+++ b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml
@@ -70,7 +70,6 @@ tags: - Computer - UserID - EventCode - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
index 780b947022..bd32f328a7 100644
--- a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
+++ b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
@@ -90,7 +90,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/services_escalate_exe.yml b/detections/endpoint/services_escalate_exe.yml
index 5ff12df1af..847e2cb1bf 100644
--- a/detections/endpoint/services_escalate_exe.yml
+++ b/detections/endpoint/services_escalate_exe.yml
@@ -73,7 +73,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 76 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/services_lolbas_execution_process_spawn.yml b/detections/endpoint/services_lolbas_execution_process_spawn.yml
index e1402493f6..56984faac6 100644
--- a/detections/endpoint/services_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/services_lolbas_execution_process_spawn.yml
@@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
index 3b96b3f5bd..1e965de642 100644
--- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
+++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
@@ -91,7 +91,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/shim_database_file_creation.yml b/detections/endpoint/shim_database_file_creation.yml
index 737398ef05..5369856f89 100644
--- a/detections/endpoint/shim_database_file_creation.yml
+++ b/detections/endpoint/shim_database_file_creation.yml
@@ -56,7 +56,6 @@ tags: - Filesystem.file_path - Filesystem.file_name - Filesystem.dest - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
index 44ae46e3bf..2c391c314a 100644
--- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
+++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
@@ -63,7 +63,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/short_lived_scheduled_task.yml b/detections/endpoint/short_lived_scheduled_task.yml
index 59415847fe..84dee8bc4d 100644
--- a/detections/endpoint/short_lived_scheduled_task.yml
+++ b/detections/endpoint/short_lived_scheduled_task.yml
@@ -58,7 +58,6 @@ tags: - Task_Name - Description - Command - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/short_lived_windows_accounts.yml b/detections/endpoint/short_lived_windows_accounts.yml
index 211e0ef1ec..7af1799761 100644
--- a/detections/endpoint/short_lived_windows_accounts.yml
+++ b/detections/endpoint/short_lived_windows_accounts.yml
@@ -51,7 +51,6 @@ tags: - All_Changes.result_id - All_Changes.user - All_Changes.dest - risk_score: 63 security_domain: access tests: - name: True Positive Test
@@ -60,12 +59,10 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - update_timestamp: true - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log source: WinEventLog:System sourcetype: WinEventLog - update_timestamp: true - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/detections/endpoint/silentcleanup_uac_bypass.yml b/detections/endpoint/silentcleanup_uac_bypass.yml
index 8aca5c188e..ea4611e49c 100644
--- a/detections/endpoint/silentcleanup_uac_bypass.yml
+++ b/detections/endpoint/silentcleanup_uac_bypass.yml
@@ -82,7 +82,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/single_letter_process_on_endpoint.yml b/detections/endpoint/single_letter_process_on_endpoint.yml
index bf6039c9e6..b7ace5c1c1 100644
--- a/detections/endpoint/single_letter_process_on_endpoint.yml
+++ b/detections/endpoint/single_letter_process_on_endpoint.yml
@@ -59,7 +59,6 @@ tags: - Processes.user - Processes.process - Processes.process_name - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml
index 9067232703..dfb88a2367 100644
--- a/detections/endpoint/slui_runas_elevated.yml
+++ b/detections/endpoint/slui_runas_elevated.yml
@@ -74,7 +74,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml
index 8ae1396e04..f07ae1406a 100644
--- a/detections/endpoint/slui_spawning_a_process.yml
+++ b/detections/endpoint/slui_spawning_a_process.yml
@@ -72,7 +72,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/spike_in_file_writes.yml b/detections/endpoint/spike_in_file_writes.yml
index b7c38733cb..529c0dbf4c 100644
--- a/detections/endpoint/spike_in_file_writes.yml
+++ b/detections/endpoint/spike_in_file_writes.yml
@@ -53,5 +53,4 @@ tags: - _time - Filesystem.action - Filesystem.dest - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/spoolsv_spawning_rundll32.yml b/detections/endpoint/spoolsv_spawning_rundll32.yml
index 3fb7053870..3179b6f007 100644
--- a/detections/endpoint/spoolsv_spawning_rundll32.yml
+++ b/detections/endpoint/spoolsv_spawning_rundll32.yml
@@ -78,7 +78,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml
index 7e743e28c8..256f633bbf 100644
--- a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml
+++ b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml
@@ -53,7 +53,6 @@ tags: - dest - EventCode - ImageLoaded - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/spoolsv_suspicious_process_access.yml b/detections/endpoint/spoolsv_suspicious_process_access.yml
index 5321e878ab..af0b981c91 100644
--- a/detections/endpoint/spoolsv_suspicious_process_access.yml
+++ b/detections/endpoint/spoolsv_suspicious_process_access.yml
@@ -66,7 +66,6 @@ tags: - GrantedAccess - CallTrace - EventCode - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/spoolsv_writing_a_dll.yml b/detections/endpoint/spoolsv_writing_a_dll.yml
index 476e83b162..6f3e6c0f0c 100644
--- a/detections/endpoint/spoolsv_writing_a_dll.yml
+++ b/detections/endpoint/spoolsv_writing_a_dll.yml
@@ -73,7 +73,6 @@ tags: - Processes.process_id - Processes.process_name - Processes.dest - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml
index e65673de82..4df8a70f29 100644
--- a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml
+++ b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml
@@ -67,7 +67,6 @@ tags: - file_path - file_name - TargetFilename - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/sqlite_module_in_temp_folder.yml b/detections/endpoint/sqlite_module_in_temp_folder.yml
index dc4abc1eed..2ae11aaf9d 100644
--- a/detections/endpoint/sqlite_module_in_temp_folder.yml
+++ b/detections/endpoint/sqlite_module_in_temp_folder.yml
@@ -55,7 +55,6 @@ tags: - EventCode - ProcessId - Image - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml
index 05f3834ed9..bc5425735a 100644
--- a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml
+++ b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml
@@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 required_fields: - All_Risk.analyticstories - All_Risk.risk_object_type
diff --git a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml
index 227e15f570..405b62ebda 100644
--- a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml
+++ b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml
@@ -51,5 +51,4 @@ tags: - EventCode - ImageLoaded - QueryName - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/suspicious_computer_account_name_change.yml b/detections/endpoint/suspicious_computer_account_name_change.yml
index 84d32e4c57..88839bd7f6 100644
--- a/detections/endpoint/suspicious_computer_account_name_change.yml
+++ b/detections/endpoint/suspicious_computer_account_name_change.yml
@@ -60,7 +60,6 @@ tags: - Caller_User_Name - OldTargetUserName - NewTargetUserName - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
@@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml
index 0bf17e0415..ab752da475 100644
--- a/detections/endpoint/suspicious_copy_on_system32.yml
+++ b/detections/endpoint/suspicious_copy_on_system32.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_curl_network_connection.yml b/detections/endpoint/suspicious_curl_network_connection.yml
index bb7ade140e..4d7b3d1802 100644
--- a/detections/endpoint/suspicious_curl_network_connection.yml
+++ b/detections/endpoint/suspicious_curl_network_connection.yml
@@ -69,5 +69,4 @@ tags: - Processes.parent_process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
index b8135a973c..c4452eb704 100644
--- a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
@@ -74,7 +74,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_driver_loaded_path.yml b/detections/endpoint/suspicious_driver_loaded_path.yml
index 0b866e2df3..fd09f7789e 100644
--- a/detections/endpoint/suspicious_driver_loaded_path.yml
+++ b/detections/endpoint/suspicious_driver_loaded_path.yml
@@ -63,7 +63,6 @@ tags: - IMPHASH - Signature - Signed - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_event_log_service_behavior.yml b/detections/endpoint/suspicious_event_log_service_behavior.yml
index 28ca08176e..e5ba788306 100644
--- a/detections/endpoint/suspicious_event_log_service_behavior.yml
+++ b/detections/endpoint/suspicious_event_log_service_behavior.yml
@@ -51,7 +51,6 @@ tags: - _time - EventCode - dest - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml
index e65674f175..7ee70252ea 100644
--- a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml
@@ -74,7 +74,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml
index 2d5cb01f68..29941f1da7 100644
--- a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml
+++ b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
index fe52632afb..235b1d0319 100644
--- a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
+++ b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
@@ -65,7 +65,6 @@ tags: - process_name - process_path - process - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml
index e1a1d54d94..1525d671f2 100644
--- a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml
+++ b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml
@@ -61,7 +61,6 @@ tags: - Account_Name - Client_Address - Failure_Code - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_linux_discovery_commands.yml b/detections/endpoint/suspicious_linux_discovery_commands.yml
index c71814a399..5ec4f52a74 100644
--- a/detections/endpoint/suspicious_linux_discovery_commands.yml
+++ b/detections/endpoint/suspicious_linux_discovery_commands.yml
@@ -66,7 +66,6 @@ tags: - Processes.parent_process_name - Processes.user - Processes.process_name - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml
index 31643cf1fe..4140f1592f 100644
--- a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml
+++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml
@@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
index efc1b7bd41..4ac56e580c 100644
--- a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
+++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_msbuild_path.yml b/detections/endpoint/suspicious_msbuild_path.yml
index cbf33a061c..0381ccf5ab 100644
--- a/detections/endpoint/suspicious_msbuild_path.yml
+++ b/detections/endpoint/suspicious_msbuild_path.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -90,4 +89,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/suspicious_msbuild_rename.yml b/detections/endpoint/suspicious_msbuild_rename.yml
index 3151e43ca5..233030b0b4 100644
--- a/detections/endpoint/suspicious_msbuild_rename.yml
+++ b/detections/endpoint/suspicious_msbuild_rename.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
@@ -90,4 +89,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/suspicious_msbuild_spawn.yml b/detections/endpoint/suspicious_msbuild_spawn.yml
index b5f7878d19..efbbdc2cfb 100644
--- a/detections/endpoint/suspicious_msbuild_spawn.yml
+++ b/detections/endpoint/suspicious_msbuild_spawn.yml
@@ -74,7 +74,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
@@ -83,4 +82,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml
index c392117799..0f2cde2c76 100644
--- a/detections/endpoint/suspicious_mshta_child_process.yml
+++ b/detections/endpoint/suspicious_mshta_child_process.yml
@@ -77,7 +77,6 @@ tags: - Processes.dest - Processes.parent_process - Processes.user - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
@@ -86,4 +85,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/suspicious_mshta_spawn.yml b/detections/endpoint/suspicious_mshta_spawn.yml
index 4bcdb845fa..57b5a9eb95 100644
--- a/detections/endpoint/suspicious_mshta_spawn.yml
+++ b/detections/endpoint/suspicious_mshta_spawn.yml
@@ -71,7 +71,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_plistbuddy_usage.yml b/detections/endpoint/suspicious_plistbuddy_usage.yml
index 096d7654b2..282062dab8 100644
--- a/detections/endpoint/suspicious_plistbuddy_usage.yml
+++ b/detections/endpoint/suspicious_plistbuddy_usage.yml
@@ -69,5 +69,4 @@ tags: - Processes.parent_process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml b/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml
index abeb9ae75c..3ed4560141 100644
--- a/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml
+++ b/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml
@@ -46,5 +46,4 @@ tags: required_fields: - _time - columns.cmdline - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml
index a743b438b9..def4e38496 100644
--- a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml
+++ b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml
@@ -64,7 +64,6 @@ tags: - process_name - QueryResults - dest - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_process_executed_from_container_file.yml b/detections/endpoint/suspicious_process_executed_from_container_file.yml
index 2b223dad30..5ccda7c372 100644
--- a/detections/endpoint/suspicious_process_executed_from_container_file.yml
+++ b/detections/endpoint/suspicious_process_executed_from_container_file.yml
@@ -73,7 +73,6 @@ tags: - Processes.parent_process - Processes.process - Processes.user - risk_score: 16 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml
index 183bce4670..5ab7c80a8b 100644
--- a/detections/endpoint/suspicious_process_file_path.yml
+++ b/detections/endpoint/suspicious_process_file_path.yml
@@ -107,7 +107,6 @@ tags: - Processes.process_path - Processes.dest - Processes.user - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_process_with_discord_dns_query.yml b/detections/endpoint/suspicious_process_with_discord_dns_query.yml
index a307238a63..7539217685 100644
--- a/detections/endpoint/suspicious_process_with_discord_dns_query.yml
+++ b/detections/endpoint/suspicious_process_with_discord_dns_query.yml
@@ -59,7 +59,6 @@ tags: - process_name - QueryResults - dest - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_reg_exe_process.yml b/detections/endpoint/suspicious_reg_exe_process.yml
index 6cfea57cca..caefbcfe43 100644
--- a/detections/endpoint/suspicious_reg_exe_process.yml
+++ b/detections/endpoint/suspicious_reg_exe_process.yml
@@ -84,7 +84,6 @@ tags: - Processes.dest - Processes.process_id - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
index 100fc1b120..91b6a8d286 100644
--- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
+++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
@@ -90,7 +90,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
index 7ac0a8e5db..f4698fb8ba 100644
--- a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
+++ b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
@@ -89,7 +89,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml
index 2e6f02d75c..f46c48bf36 100644
--- a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_rundll32_plugininit.yml b/detections/endpoint/suspicious_rundll32_plugininit.yml
index 5aead75ded..3020de1735 100644
--- a/detections/endpoint/suspicious_rundll32_plugininit.yml
+++ b/detections/endpoint/suspicious_rundll32_plugininit.yml
@@ -71,7 +71,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml
index 51d99dfeca..8e6d5904fd 100644
--- a/detections/endpoint/suspicious_rundll32_startw.yml
+++ b/detections/endpoint/suspicious_rundll32_startw.yml
@@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
index bac243e316..b8172cb848 100644
--- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
+++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
@@ -79,7 +79,6 @@ tags: - Processes.process_name - Processes.process_id - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml
index 22de13f058..116ff48c85 100644
--- a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml
@@ -74,7 +74,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml
index d5317a10ef..617bad5ac5 100644
--- a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml
+++ b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml
@@ -67,5 +67,4 @@ tags: - Processes.parent_process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml
index db115afd9d..f9f2aee92d 100644
--- a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml
+++ b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml
@@ -60,7 +60,6 @@ tags: - New_Account_Name - Account_Name - ComputerName - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml
index c760f75277..ebd25270d9 100644
--- a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml
+++ b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml
@@ -68,7 +68,6 @@ tags: - process_name - process_path - process - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_wevtutil_usage.yml b/detections/endpoint/suspicious_wevtutil_usage.yml
index 1206f7b71a..969c8984f2 100644
--- a/detections/endpoint/suspicious_wevtutil_usage.yml
+++ b/detections/endpoint/suspicious_wevtutil_usage.yml
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
index a7eaa48cd9..476a9170cf 100644
--- a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
+++ b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
@@ -59,7 +59,6 @@ tags: - Processes.parent_process_name - Processes.process_id - Processes.dest - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml
index 233f1b41a3..b96f241ee2 100644
--- a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml
index 6ac1bc2106..bba37b4aa4 100644
--- a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml
+++ b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml
@@ -71,7 +71,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml
index d2fcf549d3..1fd5392009 100644
--- a/detections/endpoint/system_information_discovery_detection.yml
+++ b/detections/endpoint/system_information_discovery_detection.yml
@@ -66,7 +66,6 @@ tags: - Processes.user - Processes.process_name - Processes.dest - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml
index a9c8c5d032..321a90ee1f 100644
--- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml
+++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml
@@ -76,7 +76,6 @@ tags: - Processes.process_id - Processes.parent_process_name - Processes.process_hash - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/system_user_discovery_with_query.yml b/detections/endpoint/system_user_discovery_with_query.yml
index 14ae5099f4..fbd9da0afd 100644
--- a/detections/endpoint/system_user_discovery_with_query.yml
+++ b/detections/endpoint/system_user_discovery_with_query.yml
@@ -65,7 +65,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml
index 23ac3bf748..4ed22d0921 100644
--- a/detections/endpoint/system_user_discovery_with_whoami.yml
+++ b/detections/endpoint/system_user_discovery_with_whoami.yml
@@ -69,7 +69,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml
index 08637f9b05..d78b29ae45 100644
--- a/detections/endpoint/time_provider_persistence_registry.yml
+++ b/detections/endpoint/time_provider_persistence_registry.yml
@@ -65,7 +65,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/trickbot_named_pipe.yml b/detections/endpoint/trickbot_named_pipe.yml
index 927054df22..61067bb843 100644
--- a/detections/endpoint/trickbot_named_pipe.yml
+++ b/detections/endpoint/trickbot_named_pipe.yml
@@ -57,7 +57,6 @@ tags: - signature - Image - process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml
index 92ba9a187a..4b3fc1b8e0 100644
--- a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml
+++ b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml
@@ -59,7 +59,6 @@ tags: - dest - EventCode - Company - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/uac_bypass_with_colorui_com_object.yml b/detections/endpoint/uac_bypass_with_colorui_com_object.yml
index f40dff0bff..5be456caa9 100644
--- a/detections/endpoint/uac_bypass_with_colorui_com_object.yml
+++ b/detections/endpoint/uac_bypass_with_colorui_com_object.yml
@@ -60,7 +60,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/uninstall_app_using_msiexec.yml b/detections/endpoint/uninstall_app_using_msiexec.yml
index 9477ed70f1..0a5969cf53 100644
--- a/detections/endpoint/uninstall_app_using_msiexec.yml
+++ b/detections/endpoint/uninstall_app_using_msiexec.yml
@@ -68,7 +68,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
index edc7472aa2..de8b445eda 100644
--- a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
+++ b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
@@ -67,7 +67,6 @@ tags: - Processes.process_path - Processes.process - Processes.parent_process_name - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/unload_sysmon_filter_driver.yml b/detections/endpoint/unload_sysmon_filter_driver.yml
index c3d901f658..e5cf4b0e0d 100644
--- a/detections/endpoint/unload_sysmon_filter_driver.yml
+++ b/detections/endpoint/unload_sysmon_filter_driver.yml
@@ -63,7 +63,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/unloading_amsi_via_reflection.yml b/detections/endpoint/unloading_amsi_via_reflection.yml
index a96829949e..b5123f65cb 100644
--- a/detections/endpoint/unloading_amsi_via_reflection.yml
+++ b/detections/endpoint/unloading_amsi_via_reflection.yml
@@ -58,7 +58,6 @@ tags: - Computer - UserID - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml
index 4f9f960d7e..102a4468f3 100644
--- a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml
+++ b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml
@@ -58,5 +58,4 @@ tags: - dest - service - service_id - risk_score: 42 security_domain: endpoint
diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
index 066ee5a7f2..5270ec1b7d 100644
--- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
+++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
@@ -58,7 +58,6 @@ tags: - Service_Name - service_id - Client_Address - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml
index 1d25cdb3b5..5ce87b9f9d 100644
--- a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml
+++ b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml
@@ -57,5 +57,4 @@ tags: - Security_ID - Account_Name - ComputerName - risk_score: 42 security_domain: endpoint
diff --git a/detections/endpoint/unusually_long_command_line.yml b/detections/endpoint/unusually_long_command_line.yml
index 6db35490b6..90fcea1dcb 100644
--- a/detections/endpoint/unusually_long_command_line.yml
+++ b/detections/endpoint/unusually_long_command_line.yml
@@ -59,5 +59,4 @@ tags: - Processes.dest - Processes.process_name - Processes.process - risk_score: 42 security_domain: endpoint
diff --git a/detections/endpoint/unusually_long_command_line___mltk.yml b/detections/endpoint/unusually_long_command_line___mltk.yml
index 0581f36735..9008b115ec 100644
--- a/detections/endpoint/unusually_long_command_line___mltk.yml
+++ b/detections/endpoint/unusually_long_command_line___mltk.yml
@@ -70,5 +70,4 @@ tags: - Processes.dest - Processes.process_name - Processes.process - risk_score: 25 security_domain: endpoint
diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell.yml b/detections/endpoint/user_discovery_with_env_vars_powershell.yml
index 82bcb5d5f3..cb09bda707 100644
--- a/detections/endpoint/user_discovery_with_env_vars_powershell.yml
+++ b/detections/endpoint/user_discovery_with_env_vars_powershell.yml
@@ -66,7 +66,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml
index 1c031185cc..f0ced8b76c 100644
--- a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml
+++ b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml
@@ -57,7 +57,6 @@ tags: - ComputerName - User - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/usn_journal_deletion.yml b/detections/endpoint/usn_journal_deletion.yml
index 8c07f82226..1aa261c75b 100644
--- a/detections/endpoint/usn_journal_deletion.yml
+++ b/detections/endpoint/usn_journal_deletion.yml
@@ -61,7 +61,6 @@ tags: - Processes.user - Processes.parent_process_name - Processes.dest - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/vbscript_execution_using_wscript_app.yml b/detections/endpoint/vbscript_execution_using_wscript_app.yml
index edf4a61aaf..11454e9f2e 100644
--- a/detections/endpoint/vbscript_execution_using_wscript_app.yml
+++ b/detections/endpoint/vbscript_execution_using_wscript_app.yml
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/verclsid_clsid_execution.yml b/detections/endpoint/verclsid_clsid_execution.yml
index f13a64bca5..a94b5fdee5 100644
--- a/detections/endpoint/verclsid_clsid_execution.yml
+++ b/detections/endpoint/verclsid_clsid_execution.yml
@@ -76,7 +76,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/w3wp_spawning_shell.yml b/detections/endpoint/w3wp_spawning_shell.yml
index 5ca141c849..c7b4cfc55d 100644
--- a/detections/endpoint/w3wp_spawning_shell.yml
+++ b/detections/endpoint/w3wp_spawning_shell.yml
@@ -85,7 +85,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wbadmin_delete_system_backups.yml b/detections/endpoint/wbadmin_delete_system_backups.yml
index 1650bd43c0..b2c6a34c92 100644
--- a/detections/endpoint/wbadmin_delete_system_backups.yml
+++ b/detections/endpoint/wbadmin_delete_system_backups.yml
@@ -65,7 +65,6 @@ tags: - Processes.parent_process_name - Processes.dest - Processes.user - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wbemprox_com_object_execution.yml b/detections/endpoint/wbemprox_com_object_execution.yml
index b9cf151cb4..b83dbc207a 100644
--- a/detections/endpoint/wbemprox_com_object_execution.yml
+++ b/detections/endpoint/wbemprox_com_object_execution.yml
@@ -61,7 +61,6 @@ tags: - ProcessId - Hashes - IMPHASH - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml
index 3d0107a0a5..701121f0a4 100644
--- a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml
+++ b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml
@@ -59,7 +59,6 @@ tags: - QueryResults - dest - EventCode - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wermgr_process_create_executable_file.yml b/detections/endpoint/wermgr_process_create_executable_file.yml
index 231e40d92a..a12701ab26 100644
--- a/detections/endpoint/wermgr_process_create_executable_file.yml
+++ b/detections/endpoint/wermgr_process_create_executable_file.yml
@@ -52,7 +52,6 @@ tags: - dest - EventCode - ProcessId - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
index 1309486162..2428c75345 100644
--- a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
+++ b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
@@ -69,7 +69,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/wget_download_and_bash_execution.yml b/detections/endpoint/wget_download_and_bash_execution.yml
index cc8783ec62..5c988e0fdd 100644
--- a/detections/endpoint/wget_download_and_bash_execution.yml
+++ b/detections/endpoint/wget_download_and_bash_execution.yml
@@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_abused_web_services.yml b/detections/endpoint/windows_abused_web_services.yml
index 1095d267ba..c098b6e9b8 100644
--- a/detections/endpoint/windows_abused_web_services.yml
+++ b/detections/endpoint/windows_abused_web_services.yml
@@ -48,7 +48,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 required_fields: - _time - Image
diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
index 36a82e515d..2af4f43e05 100644
--- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
+++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
@@ -67,7 +67,6 @@ tags: - member_dn - ComputerName - user - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
@@ -76,4 +75,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml
index 3379233382..6703a6fecd 100644
--- a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml
+++ b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml
@@ -65,7 +65,6 @@ tags: - CallTrace - dest - user_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
@@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
index cc92288e72..099aa6ad20 100644
--- a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
+++ b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
@@ -66,7 +66,6 @@ tags: - CallTrace - dest - user_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -75,4 +74,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml b/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml
index c4aadd207c..4615db61f9 100644
--- a/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml
+++ b/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml
@@ -50,7 +50,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 required_fields: - _time - ScriptBlockText
diff --git a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
index 2701339e68..0238479db9 100644
--- a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
+++ b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
@@ -45,7 +45,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 required_fields: - _time - ScriptBlockText
diff --git a/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml b/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml
index 6545581668..a8de3917a2 100644
--- a/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml
+++ b/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml
@@ -45,7 +45,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 required_fields: - _time - ScriptBlockText
diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
index af65815e95..60f7427785 100644
--- a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
+++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
@@ -58,7 +58,6 @@ tags: - ObjectName - EventCode - SubjectUserName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
index b78653d7b2..e49236cf23 100644
--- a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
+++ b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
@@ -64,7 +64,6 @@ tags: - Computer - SubjectUserName - AttributeValue - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
index d5a0b0fbd1..1f46595a81 100644
--- a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
@@ -63,7 +63,6 @@ tags: - user - src_user - Logon_ID - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
index 10b933d2aa..b69f70baba 100644
--- a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
+++ b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
@@ -53,7 +53,6 @@ tags: - EventCode - AuditPolicyChanges - SubcategoryGuid - risk_score: 60 security_domain: endpoint manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested
diff --git a/detections/endpoint/windows_ad_domain_controller_promotion.yml b/detections/endpoint/windows_ad_domain_controller_promotion.yml
index 43fd9e1f94..eb9d0416f3 100644
--- a/detections/endpoint/windows_ad_domain_controller_promotion.yml
+++ b/detections/endpoint/windows_ad_domain_controller_promotion.yml
@@ -58,7 +58,6 @@ tags: - user - Logon_ID - dvc - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
index 7ffe52a19a..2479c9b371 100644
--- a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
+++ b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
@@ -71,7 +71,6 @@ tags: - AttributeLDAPDisplayName - AttributeValue - ObjectClass - risk_score: 80 security_domain: endpoint manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.
diff --git a/detections/endpoint/windows_ad_dsrm_account_changes.yml b/detections/endpoint/windows_ad_dsrm_account_changes.yml
index 2e7df399df..e18e81e416 100644
--- a/detections/endpoint/windows_ad_dsrm_account_changes.yml
+++ b/detections/endpoint/windows_ad_dsrm_account_changes.yml
@@ -68,7 +68,6 @@ tags: - Registry.registry_path - Registry.dest - Registry.user - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_dsrm_password_reset.yml b/detections/endpoint/windows_ad_dsrm_password_reset.yml
index 6afb115e79..e3387c2a70 100644
--- a/detections/endpoint/windows_ad_dsrm_password_reset.yml
+++ b/detections/endpoint/windows_ad_dsrm_password_reset.yml
@@ -57,7 +57,6 @@ tags: - All_Changes.dest - All_Changes.src - All_Changes.user - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml
index 471e1d7456..141c37e5cc 100644
--- a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml
@@ -58,7 +58,6 @@ tags: - user - src_user - Logon_ID - risk_score: 90 security_domain: endpoint manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.
diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml
index fde48019ed..3655d47aa6 100644
--- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml
+++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml
@@ -67,7 +67,6 @@ tags: - EventCode - Computer - SubjectUserName - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
@@ -76,4 +75,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
index 3b998d3d3b..d74657ef42 100644
--- a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
+++ b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
@@ -83,7 +83,6 @@ tags: - ObjectType - OperationType - status - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
index d1d6135208..b64b020c67 100644
--- a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
+++ b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
@@ -87,7 +87,6 @@ tags: - ObjectType - OperationType - status - risk_score: 100 security_domain: endpoint manual_test: This detection runs correctly when run manually and given some time is given for data to settle in the splunk index. tests:
diff --git a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml
index 8aa08c4d09..bc7428f3b7 100644
--- a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml
@@ -64,7 +64,6 @@ tags: - user - src_user - Logon_ID - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
index e22a02f6f0..07f90c8633 100644
--- a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
+++ b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
@@ -59,7 +59,6 @@ tags: - signature - SubjectUserName - Computer - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
index 8d1a3b2fe9..6d71d0a18d 100644
--- a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
+++ b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
@@ -56,7 +56,6 @@ tags: - signature - SubjectUserName - Computer - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml
index aaa5800936..5cd763a448 100644
--- a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml
+++ b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml
@@ -67,7 +67,6 @@ tags: - ObjectDN - Logon_ID - signature - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_short_lived_server_object.yml b/detections/endpoint/windows_ad_short_lived_server_object.yml
index 1aefbcaed6..6b3a268a79 100644
--- a/detections/endpoint/windows_ad_short_lived_server_object.yml
+++ b/detections/endpoint/windows_ad_short_lived_server_object.yml
@@ -62,7 +62,6 @@ tags: - signature - SubjectUserName - Computer - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
index c855fcc1d1..eba224b951 100644
--- a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
+++ b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
@@ -58,7 +58,6 @@ tags: - Computer - SubjectUserName - AttributeValue - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml
index 396269cb15..8d28f8530d 100644
--- a/detections/endpoint/windows_adfind_exe.yml
+++ b/detections/endpoint/windows_adfind_exe.yml
@@ -71,7 +71,6 @@ tags: - Processes.parent_process - Processes.process_id - Processes.parent_process_id - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_admin_permission_discovery.yml b/detections/endpoint/windows_admin_permission_discovery.yml
index 5bb5a9d541..cfb4e54498 100644
--- a/detections/endpoint/windows_admin_permission_discovery.yml
+++ b/detections/endpoint/windows_admin_permission_discovery.yml
@@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 required_fields: - _time - Filesystem.file_path
@@ -73,4 +72,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/njrat_admin_check/win_dat.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
index fc8331a2e3..4de5bf9bd8 100644
--- a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
@@ -64,7 +64,6 @@ tags: - Computer - IpAddress - SubjectUserName - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_alternate_datastream___base64_content.yml b/detections/endpoint/windows_alternate_datastream___base64_content.yml
index 5367f1dac7..399604279b 100644
--- a/detections/endpoint/windows_alternate_datastream___base64_content.yml
+++ b/detections/endpoint/windows_alternate_datastream___base64_content.yml
@@ -67,7 +67,6 @@ tags: - Contents - file_hash - process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_alternate_datastream___executable_content.yml b/detections/endpoint/windows_alternate_datastream___executable_content.yml
index fe8f8306b1..a2848227e1 100644
--- a/detections/endpoint/windows_alternate_datastream___executable_content.yml
+++ b/detections/endpoint/windows_alternate_datastream___executable_content.yml
@@ -69,7 +69,6 @@ tags: - file_hash - process_guid - IMPHASH - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_alternate_datastream___process_execution.yml b/detections/endpoint/windows_alternate_datastream___process_execution.yml
index 87fb3f1bde..0083f3a4d7 100644
--- a/detections/endpoint/windows_alternate_datastream___process_execution.yml
+++ b/detections/endpoint/windows_alternate_datastream___process_execution.yml
@@ -69,7 +69,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true
diff --git a/detections/endpoint/windows_apache_benchmark_binary.yml b/detections/endpoint/windows_apache_benchmark_binary.yml
index 99ff92162d..f035cc7a89 100644
--- a/detections/endpoint/windows_apache_benchmark_binary.yml
+++ b/detections/endpoint/windows_apache_benchmark_binary.yml
@@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
@@ -89,4 +88,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/apachebench_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
index f515b71eb6..76735f68da 100644
--- a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
+++ b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
@@ -59,7 +59,6 @@ tags: - dest - UserID - SecurityID - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -68,4 +67,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
index 66902e8b36..cbbca7c496 100644
--- a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
+++ b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
@@ -56,7 +56,6 @@ tags: - dest - UserID - SecurityID - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml
index 8c42bfe2c6..21be615ada 100644
--- a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml
+++ b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml
@@ -56,7 +56,6 @@ tags:
 - PipeName
 - dest
 - UserID
- risk_score: 81
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -65,4 +64,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_applocker_block_events.yml b/detections/endpoint/windows_applocker_block_events.yml
index c2f0a7c99c..0831c69b2c 100644
--- a/detections/endpoint/windows_applocker_block_events.yml
+++ b/detections/endpoint/windows_applocker_block_events.yml
@@ -52,7 +52,6 @@ tags:
 - TargetProcessId
 - FilePath
 - FullFilePath
- risk_score: 16
 security_domain: endpoint
 cve: []
 tests:
diff --git a/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml b/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml
index b9459e4c05..962760c956 100644
--- a/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml
+++ b/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml
@@ -56,7 +56,6 @@ tags:
 - FullFilePath
 - dest
 - user
- risk_score: 49
 security_domain: endpoint
 cve: []
 tests:
diff --git a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml
index 0dc0da18b9..2ae3cffd8b 100644
--- a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml
+++ b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml
@@ -41,7 +41,6 @@ tags:
 - Computer
 - FullFilePath
 - TargetUser
- risk_score: 64
 security_domain: endpoint
 cve: []
 tests:
diff --git a/detections/endpoint/windows_applocker_rare_application_launch_detection.yml b/detections/endpoint/windows_applocker_rare_application_launch_detection.yml
index 3e97153c5e..5184ee6262 100644
--- a/detections/endpoint/windows_applocker_rare_application_launch_detection.yml
+++ b/detections/endpoint/windows_applocker_rare_application_launch_detection.yml
@@ -54,7 +54,6 @@ tags:
 - FullFilePath
 - dest
 - user
- risk_score: 15
 security_domain: endpoint
 cve: []
 tests:
diff --git a/detections/endpoint/windows_archive_collected_data_via_powershell.yml b/detections/endpoint/windows_archive_collected_data_via_powershell.yml
index 6e45ec66b2..846fad6845 100644
--- a/detections/endpoint/windows_archive_collected_data_via_powershell.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_powershell.yml
@@ -42,7 +42,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 49
 required_fields:
 - _time
 - EventCode
diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml
index 7372166416..ee464377c2 100644
--- a/detections/endpoint/windows_archive_collected_data_via_rar.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml
@@ -57,7 +57,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 49
 required_fields:
 - _time
 - Processes.dest
diff --git a/detections/endpoint/windows_autoit3_execution.yml b/detections/endpoint/windows_autoit3_execution.yml
index 8b6a637a9d..91a38c58c9 100644
--- a/detections/endpoint/windows_autoit3_execution.yml
+++ b/detections/endpoint/windows_autoit3_execution.yml
@@ -68,7 +68,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 50
 required_fields:
 - Processes.dest
 - Processes.user
diff --git a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
index 16e498f509..6146af5985 100644
--- a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
+++ b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
@@ -61,7 +61,6 @@ tags:
 - Registry.dest
 - Registry.registry_value_name
 - Registry.action
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -70,4 +69,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
index 2c897efca7..c99e9b4787 100644
--- a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
+++ b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
@@ -83,7 +83,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -92,4 +91,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
index 8a4c0901bd..048af75813 100644
--- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
+++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
@@ -63,7 +63,6 @@ tags:
 - Filesystem.file_path
 - Filesystem.process_guid
 - Filesystem.dest
- risk_score: 81
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -72,4 +71,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_bootloader_inventory.yml b/detections/endpoint/windows_bootloader_inventory.yml
index a3c6ac2f68..45ee1bf0ff 100644
--- a/detections/endpoint/windows_bootloader_inventory.yml
+++ b/detections/endpoint/windows_bootloader_inventory.yml
@@ -49,5 +49,4 @@ tags:
 required_fields:
 - _time
 - _raw
- risk_score: 81
 security_domain: endpoint
diff --git a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
index 3fc287e4ba..b143cdfb59 100644
--- a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
+++ b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
@@ -64,7 +64,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 9
 required_fields:
 - _time
 - Processes.dest
diff --git a/detections/endpoint/windows_cab_file_on_disk.yml b/detections/endpoint/windows_cab_file_on_disk.yml
index be9ec1dbfa..4a33585706 100644
--- a/detections/endpoint/windows_cab_file_on_disk.yml
+++ b/detections/endpoint/windows_cab_file_on_disk.yml
@@ -52,7 +52,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 5
 required_fields:
 - Filesystem.dest
 - Filesystem.action
diff --git a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
index 7978a53dcf..de5b99eeff 100644
--- a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
+++ b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
@@ -75,7 +75,6 @@ tags:
 - Processes.parent_process_id
 - Processes.parent_process_guid
 - Processes.process_guid
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -84,4 +83,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml
index b2183ba46f..def6739d9f 100644
--- a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml
+++ b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml
@@ -72,7 +72,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -81,4 +80,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
index 4d38dd0681..468c6ad384 100644
--- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
+++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
@@ -57,7 +57,6 @@ tags:
 - Computer
 - UserID
 - EventCode
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -66,4 +65,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/powershell/windows-powershell-xml2.log
 source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
index 55eaacf00d..150eaac8fa 100644
--- a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
+++ b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
@@ -71,7 +71,6 @@ tags:
 - Splunk Cloud
 required_fields:
 - UPDATE
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -80,4 +79,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml
index 80cf509cd0..24be426582 100644
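Review bot: In the windows_com_hijacking_inprocserver32_modification.yml hunk, `required_fields` on the new side still holds the template placeholder `- UPDATE` instead of the fields the search consumes, and the `extra='forbid'` tightening this series introduces will not catch it, since that rejects unknown keys rather than placeholder values. If `required_fields` is consumed downstream (data-model field validation, generated docs), the detection will advertise a field that does not exist; the `search:` body that would show the real field list lies outside this hunk, so I cannot name them here. I would replace `- UPDATE` with the fields the SPL actually references (presumably `Registry.*` fields given the detection's subject, to be confirmed against the search), or at minimum add `# TODO(review): populate required_fields from the search body` above it so the placeholder is not mistaken for a real field.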
--- a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml
+++ b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml
@@ -73,7 +73,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 36
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -82,4 +81,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
index 0fc8280bc9..f16ff9ba56 100644
--- a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
+++ b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
@@ -69,7 +69,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 90
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -78,4 +77,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
index e8e2f0e169..d66693afb4 100644
--- a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
+++ b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
@@ -75,7 +75,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 81
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -84,4 +83,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_forkbomb/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_command_shell_fetch_env_variables.yml b/detections/endpoint/windows_command_shell_fetch_env_variables.yml
index 5dba1abde8..b5c6f89aea 100644
--- a/detections/endpoint/windows_command_shell_fetch_env_variables.yml
+++ b/detections/endpoint/windows_command_shell_fetch_env_variables.yml
@@ -70,7 +70,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 56
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -79,4 +78,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
index 2e491afdbf..d3beb41fef 100644
--- a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
+++ b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
@@ -76,7 +76,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 49
 required_fields:
 - _time
 - All_Risk.analyticstories
diff --git a/detections/endpoint/windows_computer_account_created_by_computer_account.yml b/detections/endpoint/windows_computer_account_created_by_computer_account.yml
index 1d2617f73f..b130748e62 100644
--- a/detections/endpoint/windows_computer_account_created_by_computer_account.yml
+++ b/detections/endpoint/windows_computer_account_created_by_computer_account.yml
@@ -58,7 +58,6 @@ tags:
 - Account_Name
 - Subject_Account_Name
 - Subject_Account_Domain
- risk_score: 30
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml b/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
index e5c67a084e..92dffb86bc 100644
--- a/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
+++ b/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
@@ -55,7 +55,6 @@ tags:
 - user
 - Account_Name
 - src_ip
- risk_score: 35
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_computer_account_with_spn.yml b/detections/endpoint/windows_computer_account_with_spn.yml
index 54e3819a2e..a7694a9322 100644
--- a/detections/endpoint/windows_computer_account_with_spn.yml
+++ b/detections/endpoint/windows_computer_account_with_spn.yml
@@ -59,7 +59,6 @@ tags:
 - SAM_Account_Name
 - DNS_Host_Name
 - Logon_Id
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_conhost_with_headless_argument.yml b/detections/endpoint/windows_conhost_with_headless_argument.yml
index cc79f44408..5af3a2fb84 100644
--- a/detections/endpoint/windows_conhost_with_headless_argument.yml
+++ b/detections/endpoint/windows_conhost_with_headless_argument.yml
@@ -62,7 +62,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 70
 required_fields:
 - Processes.dest
 - Processes.user
diff --git a/detections/endpoint/windows_create_local_account.yml b/detections/endpoint/windows_create_local_account.yml
index c50b25d2b5..b1aefed9aa 100644
--- a/detections/endpoint/windows_create_local_account.yml
+++ b/detections/endpoint/windows_create_local_account.yml
@@ -55,7 +55,6 @@ tags:
 - All_Changes.dest
 - All_Changes.result
 - All_Changes.action
- risk_score: 18
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -64,4 +63,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/4720.log
 source: XmlWinEventLog:Security
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
index 18dc559f24..6ebd35ce01 100644
--- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml
+++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
@@ -61,7 +61,6 @@ tags:
 - process_id
 - EventCode
 - dest
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
index fe68d9e5c1..16c06753f9 100644
--- a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
+++ b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
@@ -81,7 +81,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 70
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -90,4 +89,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
index e340082a93..c8c636a2da 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
@@ -60,7 +60,6 @@ tags:
 - process_id
 - EventCode
 - dest
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
index fa7a0cbff2..25a069ccd0 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
@@ -61,7 +61,6 @@ tags:
 - process_id
 - EventCode
 - dest
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
index 729c15e631..a98409cfe9 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
@@ -62,7 +62,6 @@ tags:
 - process_id
 - EventCode
 - dest
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_credentials_from_password_stores_creation.yml b/detections/endpoint/windows_credentials_from_password_stores_creation.yml
index ecef8bec4a..7bfbde5e58 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_creation.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_creation.yml
@@ -55,7 +55,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 64
 required_fields:
 - _time
 - Processes.dest
diff --git a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
index 8a95cf7a02..22449b7b46 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
@@ -54,7 +54,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 64
 required_fields:
 - _time
 - Processes.dest
diff --git a/detections/endpoint/windows_credentials_from_password_stores_query.yml b/detections/endpoint/windows_credentials_from_password_stores_query.yml
index 03147e0096..296919ca50 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_query.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_query.yml
@@ -74,7 +74,6 @@ tags:
 - Processes.parent_process_id
 - Processes.parent_process_guid
 - Processes.process_guid
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -83,4 +82,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_credentials_in_registry_reg_query.yml b/detections/endpoint/windows_credentials_in_registry_reg_query.yml
index f2d7b84ded..16e32575e5 100644
--- a/detections/endpoint/windows_credentials_in_registry_reg_query.yml
+++ b/detections/endpoint/windows_credentials_in_registry_reg_query.yml
@@ -76,7 +76,6 @@ tags:
 - Processes.parent_process_id
 - Processes.parent_process_guid
 - Processes.process_guid
- risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -85,4 +84,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
index 9665d8ddb2..c2f5a38565 100644
--- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml
+++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
@@ -85,7 +85,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
index beba138a0c..fdfbb18ac5 100644
--- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml
+++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
@@ -81,7 +81,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 80
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml
index 9832d05ab5..15c4c0375f 100644
--- a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml
+++ b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml
@@ -66,7 +66,6 @@ tags:
 - signature_id
 - process_name
 - process_guid
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_debugger_tool_execution.yml b/detections/endpoint/windows_debugger_tool_execution.yml
index 48e3b65ec4..0d91af3643 100644
--- a/detections/endpoint/windows_debugger_tool_execution.yml
+++ b/detections/endpoint/windows_debugger_tool_execution.yml
@@ -64,7 +64,6 @@ tags:
 - Processes.user
 - Processes.process_id
 - Processes.parent_process_id
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
index ab05fafed6..0e02a738bb 100644
--- a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
+++ b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
@@ -69,7 +69,6 @@ tags:
 - process_name
 - process_path
 - process
- risk_score: 9
 security_domain: endpoint
 tests:
 - name: True Positive Test
@@ -78,4 +77,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_default_group_policy_object_modified.yml b/detections/endpoint/windows_default_group_policy_object_modified.yml
index 712adb5d73..3f438913cd 100644
--- a/detections/endpoint/windows_default_group_policy_object_modified.yml
+++ b/detections/endpoint/windows_default_group_policy_object_modified.yml
@@ -67,7 +67,6 @@ tags:
 - DSName
 - AttributeValue
 - SubjectUserSid
- risk_score: 50
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
index 9fced33409..d9c05db13e 100644
--- a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
+++ b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
@@ -83,7 +83,6 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 50
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_defender_asr_audit_events.yml b/detections/endpoint/windows_defender_asr_audit_events.yml
index ea86b39227..e2ddf2fde9 100644
--- a/detections/endpoint/windows_defender_asr_audit_events.yml
+++ b/detections/endpoint/windows_defender_asr_audit_events.yml
@@ -46,7 +46,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 5
 required_fields:
 - host
 - Process_Name
diff --git a/detections/endpoint/windows_defender_asr_block_events.yml b/detections/endpoint/windows_defender_asr_block_events.yml
index 7fefbb6800..4c4e00350e 100644
--- a/detections/endpoint/windows_defender_asr_block_events.yml
+++ b/detections/endpoint/windows_defender_asr_block_events.yml
@@ -46,7 +46,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 45
 required_fields:
 - host
 - Process_Name
diff --git a/detections/endpoint/windows_defender_asr_registry_modification.yml b/detections/endpoint/windows_defender_asr_registry_modification.yml
index b354f2a3a5..27dcea76f1 100644
--- a/detections/endpoint/windows_defender_asr_registry_modification.yml
+++ b/detections/endpoint/windows_defender_asr_registry_modification.yml
@@ -59,7 +59,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 50
 required_fields:
 - host
 - New_Value
diff --git a/detections/endpoint/windows_defender_asr_rule_disabled.yml b/detections/endpoint/windows_defender_asr_rule_disabled.yml
index 04693b4cf6..06718b5ce6 100644
--- a/detections/endpoint/windows_defender_asr_rule_disabled.yml
+++ b/detections/endpoint/windows_defender_asr_rule_disabled.yml
@@ -45,7 +45,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 100
 required_fields:
 - host
 - New_Value
diff --git a/detections/endpoint/windows_defender_asr_rules_stacking.yml b/detections/endpoint/windows_defender_asr_rules_stacking.yml
index 9ef8f5ab7b..336c542fc5 100644
--- a/detections/endpoint/windows_defender_asr_rules_stacking.yml
+++ b/detections/endpoint/windows_defender_asr_rules_stacking.yml
@@ -70,7 +70,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 50
 required_fields:
 - host
 - Parent_Commandline
diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
index f2c43428c9..b45a9e6314 100644
--- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml
+++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
@@ -65,7 +65,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml
index 5cde83838b..1b2573244b 100644
--- a/detections/endpoint/windows_delete_or_modify_system_firewall.yml
+++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml
@@ -55,7 +55,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 36
 required_fields:
 - _time
 - Processes.dest
diff --git a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
index 1cb171f835..bd44d003c7 100644
--- a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
+++ b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
@@ -75,7 +75,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 36
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml
index 76ee500f88..430c42fa46 100644
--- a/detections/endpoint/windows_disable_change_password_through_registry.yml
+++ b/detections/endpoint/windows_disable_change_password_through_registry.yml
@@ -59,7 +59,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
index b74c266c1f..aa27e9b22e 100644
--- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
+++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
@@ -59,7 +59,6 @@ tags:
 - Registry.registry_path
 - Registry.registry_value_data
 - Registry.process_guid
- risk_score: 49
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
index c1fb076d93..856d094f37 100644
--- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml @@ -61,7 +61,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_disable_memory_crash_dump.yml b/detections/endpoint/windows_disable_memory_crash_dump.yml index 1a51b92dff..9d711e8ffc 100644 --- a/detections/endpoint/windows_disable_memory_crash_dump.yml +++ b/detections/endpoint/windows_disable_memory_crash_dump.yml @@ -63,7 +63,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml index d0cdee55a5..d28524f3f3 100644 --- a/detections/endpoint/windows_disable_notification_center.yml +++ b/detections/endpoint/windows_disable_notification_center.yml @@ -59,7 +59,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml index e35d798836..47eedd46fa 100644 --- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml +++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml @@ -65,7 +65,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 required_fields: - _time - Processes.dest diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml index e81ee734ce..fa007f1d93 100644 --- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml 
+++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml @@ -59,7 +59,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml index 930e0fffb4..9b6fd50c8e 100644 --- a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml +++ b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml @@ -89,7 +89,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test @@ -98,4 +97,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/disable_http_logging_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml index 48c54a01a2..c89cb3ad0c 100644 --- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml +++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml @@ -64,7 +64,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml index 22c91d7e31..37882a3923 100644 --- a/detections/endpoint/windows_disableantispyware_registry.yml 
+++ b/detections/endpoint/windows_disableantispyware_registry.yml @@ -63,7 +63,6 @@ tags: - Registry.dest - Registry.user - Registry.registry_path - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_diskcryptor_usage.yml b/detections/endpoint/windows_diskcryptor_usage.yml index 0a2d6aae6f..ff33c07cfe 100644 --- a/detections/endpoint/windows_diskcryptor_usage.yml +++ b/detections/endpoint/windows_diskcryptor_usage.yml @@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_diskshadow_proxy_execution.yml b/detections/endpoint/windows_diskshadow_proxy_execution.yml index 7202c0a229..15e269f533 100644 --- a/detections/endpoint/windows_diskshadow_proxy_execution.yml +++ b/detections/endpoint/windows_diskshadow_proxy_execution.yml @@ -64,7 +64,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.original_file_name - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_dism_remove_defender.yml b/detections/endpoint/windows_dism_remove_defender.yml index 7a3bf4d484..a441582568 100644 --- a/detections/endpoint/windows_dism_remove_defender.yml +++ b/detections/endpoint/windows_dism_remove_defender.yml @@ -83,7 +83,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: access tests: - name: True Positive Test diff --git a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml index d023af11cf..01969f9935 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml 
@@ -53,7 +53,6 @@ tags: - dest - ImageLoaded - Module_Path - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test @@ -62,4 +61,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml index 1dde696bef..cdc780b5d4 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml @@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test @@ -91,4 +90,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_dll_side_loading_in_calc.yml b/detections/endpoint/windows_dll_side_loading_in_calc.yml index 358f90443f..4d7264d283 100644 --- a/detections/endpoint/windows_dll_side_loading_in_calc.yml +++ b/detections/endpoint/windows_dll_side_loading_in_calc.yml @@ -60,7 +60,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test @@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true 
diff --git a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml index 7ac8024482..596a65b9e2 100644 --- a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml +++ b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml @@ -67,7 +67,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test @@ -76,4 +75,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_dns_gather_network_info.yml b/detections/endpoint/windows_dns_gather_network_info.yml index f14d1e23fa..612d7bde4a 100644 --- a/detections/endpoint/windows_dns_gather_network_info.yml +++ b/detections/endpoint/windows_dns_gather_network_info.yml @@ -68,7 +68,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_dnsadmins_new_member_added.yml b/detections/endpoint/windows_dnsadmins_new_member_added.yml index a4559e7d79..90bab28f20 100644 --- a/detections/endpoint/windows_dnsadmins_new_member_added.yml +++ b/detections/endpoint/windows_dnsadmins_new_member_added.yml @@ -55,7 +55,6 @@ tags: - Computer - MemberSid - TargetUserName - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml index ad82cbcb87..1654ef1a3a 100644 --- a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml 
+++ b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml @@ -46,7 +46,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 required_fields: - _time - ScriptBlockText diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml index 3f2f25103c..f9f2a482d4 100644 --- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml +++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml @@ -42,7 +42,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 80 required_fields: - _time, - EventCode diff --git a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml index 20c4d31540..c1f4a0aa53 100644 --- a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml +++ b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml @@ -95,7 +95,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_driver_inventory.yml b/detections/endpoint/windows_driver_inventory.yml index 4998c8378d..8de5358808 100644 --- a/detections/endpoint/windows_driver_inventory.yml +++ b/detections/endpoint/windows_driver_inventory.yml @@ -44,7 +44,6 @@ tags: - Path - host - DriverType - risk_score: 5 security_domain: endpoint tests: - name: True Positive Test @@ -53,4 +52,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log source: PwSh:DriverInventory sourcetype: PwSh:DriverInventory - update_timestamp: true 
diff --git a/detections/endpoint/windows_driver_load_non_standard_path.yml b/detections/endpoint/windows_driver_load_non_standard_path.yml index 9dd0aacff0..24c59fb384 100644 --- a/detections/endpoint/windows_driver_load_non_standard_path.yml +++ b/detections/endpoint/windows_driver_load_non_standard_path.yml @@ -58,7 +58,6 @@ tags: - ImagePath - ServiceName - ServiceType - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test @@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_drivers_loaded_by_signature.yml b/detections/endpoint/windows_drivers_loaded_by_signature.yml index 1f813a27d6..6043357a30 100644 --- a/detections/endpoint/windows_drivers_loaded_by_signature.yml +++ b/detections/endpoint/windows_drivers_loaded_by_signature.yml @@ -60,7 +60,6 @@ tags: - service_signature_verified - service_signature_exists - Hashes - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml index 97ace872e1..003e2d5e41 100644 --- a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml +++ b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml @@ -69,7 +69,6 @@ tags: - Registry.user - Registry.registry_value_name - Registry.registry_value_type - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_event_for_service_disabled.yml b/detections/endpoint/windows_event_for_service_disabled.yml index 400e0541d9..069dec6555 100644 --- a/detections/endpoint/windows_event_for_service_disabled.yml +++ b/detections/endpoint/windows_event_for_service_disabled.yml 
@@ -52,7 +52,6 @@ tags: - Message - User - Sid - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_event_log_cleared.yml b/detections/endpoint/windows_event_log_cleared.yml index deb8a1e7c0..8e74b04bb6 100644 --- a/detections/endpoint/windows_event_log_cleared.yml +++ b/detections/endpoint/windows_event_log_cleared.yml @@ -54,7 +54,6 @@ tags: - _time - EventCode - dest - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml b/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml index 66c6eae42d..bb618964fb 100644 --- a/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml +++ b/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml @@ -51,7 +51,6 @@ tags: - Exit_Code - dest - EventCode - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test @@ -60,4 +59,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log source: XmlWinEventLog:Application sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_excessive_disabled_services_event.yml b/detections/endpoint/windows_excessive_disabled_services_event.yml index 3ec5426f6f..0910ddcf09 100644 --- a/detections/endpoint/windows_excessive_disabled_services_event.yml +++ b/detections/endpoint/windows_excessive_disabled_services_event.yml @@ -55,7 +55,6 @@ tags: - Message - User - Sid - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_executable_in_loaded_modules.yml b/detections/endpoint/windows_executable_in_loaded_modules.yml index d50c4786ac..9f32777961 100644 
--- a/detections/endpoint/windows_executable_in_loaded_modules.yml +++ b/detections/endpoint/windows_executable_in_loaded_modules.yml @@ -43,7 +43,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - Image diff --git a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml index bbf533cf75..148d091dab 100644 --- a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml +++ b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml @@ -89,7 +89,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test @@ -98,4 +97,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml index bbdf5110a0..d781ff316e 100644 --- a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml +++ b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml @@ -52,7 +52,6 @@ tags: - Computer - UserID - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml index cf10e3a8e9..dead80abb2 100644 --- a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml +++ b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml 
@@ -51,7 +51,6 @@ tags: - Computer - UserID - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_export_certificate.yml b/detections/endpoint/windows_export_certificate.yml index 7b7b8813e6..4b8d0adf97 100644 --- a/detections/endpoint/windows_export_certificate.yml +++ b/detections/endpoint/windows_export_certificate.yml @@ -49,7 +49,6 @@ tags: - dest - SubjectName - UserData_Xml - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test @@ -59,4 +58,3 @@ tests: source: XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_file_share_discovery_with_powerview.yml b/detections/endpoint/windows_file_share_discovery_with_powerview.yml index 6300157fa4..3f0df176c7 100644 --- a/detections/endpoint/windows_file_share_discovery_with_powerview.yml +++ b/detections/endpoint/windows_file_share_discovery_with_powerview.yml @@ -61,7 +61,6 @@ tags: - Opcode - Computer - UserID - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml index fc788f5756..4806bd2e8e 100644 --- a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml +++ b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml @@ -62,7 +62,6 @@ tags: - DestinationIp - dest - user - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test @@ -71,4 +70,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true 
diff --git a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml index 635c1167de..537e56c542 100644 --- a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml +++ b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml @@ -62,7 +62,6 @@ tags: - Processes.dest - Processes.process_guid - Processes.user - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml index 3b1379adc0..c8d87bedff 100644 --- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml +++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml @@ -64,7 +64,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Processes.parent_process_name diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml index 28a1e72c69..57d35e686d 100644 --- a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml +++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml @@ -58,7 +58,6 @@ tags: - Message - Computer - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml index 5cf2bf2017..6a2f6f806c 100644 --- a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml 
+++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml @@ -57,7 +57,6 @@ tags: - Message - Computer - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_findstr_gpp_discovery.yml b/detections/endpoint/windows_findstr_gpp_discovery.yml index c2d420d05b..f8dc210f24 100644 --- a/detections/endpoint/windows_findstr_gpp_discovery.yml +++ b/detections/endpoint/windows_findstr_gpp_discovery.yml @@ -77,7 +77,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.original_file_name - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml index 625c6836f4..2fbd11a77a 100644 --- a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml +++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml @@ -57,7 +57,6 @@ tags: - Message - Computer - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_gather_victim_host_information_camera.yml b/detections/endpoint/windows_gather_victim_host_information_camera.yml index 0db4ac23ef..61a4308a81 100644 --- a/detections/endpoint/windows_gather_victim_host_information_camera.yml +++ b/detections/endpoint/windows_gather_victim_host_information_camera.yml @@ -57,7 +57,6 @@ tags: - ScriptBlockText - Computer - EventCode - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test @@ -66,4 +65,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true 
diff --git a/detections/endpoint/windows_gather_victim_identity_sam_info.yml b/detections/endpoint/windows_gather_victim_identity_sam_info.yml index 98025e0495..9519dd6382 100644 --- a/detections/endpoint/windows_gather_victim_identity_sam_info.yml +++ b/detections/endpoint/windows_gather_victim_identity_sam_info.yml @@ -56,7 +56,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test @@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml index ed1ca881f8..ce07c3af02 100644 --- a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml +++ b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml @@ -61,7 +61,6 @@ tags: - QueryResults - dest - EventCode - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test @@ -70,4 +69,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml index 872b578c88..afe6d12442 100644 --- a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml +++ b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml 
@@ -59,7 +59,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml index d77f2be686..4e4350e925 100644 --- a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml +++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml @@ -58,7 +58,6 @@ tags: - Message - Computer - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_group_policy_object_created.yml b/detections/endpoint/windows_group_policy_object_created.yml index 16771eae70..aff63fed72 100644 --- a/detections/endpoint/windows_group_policy_object_created.yml +++ b/detections/endpoint/windows_group_policy_object_created.yml @@ -65,7 +65,6 @@ tags: - ObjectDN - ObjectGUID - Computer - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml index ba483a22a0..001437e45a 100644 --- a/detections/endpoint/windows_hidden_schedule_task_settings.yml +++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml @@ -57,7 +57,6 @@ tags: - Enabled - Hidden - Arguments - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml index 71c42cefd0..fdb1ed52d0 100644 --- a/detections/endpoint/windows_hide_notification_features_through_registry.yml +++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml 
@@ -58,7 +58,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml index 8e3e59f1e3..9c1742ee84 100644 --- a/detections/endpoint/windows_high_file_deletion_frequency.yml +++ b/detections/endpoint/windows_high_file_deletion_frequency.yml @@ -78,7 +78,6 @@ tags: - Image - ProcessID - _time - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml index c65837e084..d8848a2bd1 100644 --- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml +++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml @@ -54,7 +54,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test @@ -63,4 +62,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml index 13c7c899e9..f213c5e3f8 100644 --- a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml @@ -65,7 +65,6 @@ tags: - SourceProcessId - SourceUser - TargetUser - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/windows_identify_protocol_handlers.yml b/detections/endpoint/windows_identify_protocol_handlers.yml index da2eb4eb95..f6cb52d067 100644 --- a/detections/endpoint/windows_identify_protocol_handlers.yml +++ b/detections/endpoint/windows_identify_protocol_handlers.yml @@ -88,7 +88,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 6 security_domain: endpoint tests: - name: True Positive Test @@ -97,4 +96,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/protocol_handlers/protocolhandlers.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml index 679feaf087..bc3636ca8f 100644 --- a/detections/endpoint/windows_iis_components_add_new_module.yml +++ b/detections/endpoint/windows_iis_components_add_new_module.yml @@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test @@ -96,4 +95,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml b/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml index 5133121c97..d58ea362ef 100644 --- a/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml +++ b/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml 
@@ -51,7 +51,6 @@ tags: - host - name - image - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test @@ -60,4 +59,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_installediismodules.log source: powershell://AppCmdModules sourcetype: Pwsh:InstalledIISModules - update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_module_failed_to_load.yml b/detections/endpoint/windows_iis_components_module_failed_to_load.yml index bf64fbbb77..5e8feaea40 100644 --- a/detections/endpoint/windows_iis_components_module_failed_to_load.yml +++ b/detections/endpoint/windows_iis_components_module_failed_to_load.yml @@ -55,7 +55,6 @@ tags: - EventCode - ComputerName - Message - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test @@ -64,4 +63,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/2282_windows-application.log source: XmlWinEventLog:Application sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_new_module_added.yml b/detections/endpoint/windows_iis_components_new_module_added.yml index 753d10b9bf..3eea9b2717 100644 --- a/detections/endpoint/windows_iis_components_new_module_added.yml +++ b/detections/endpoint/windows_iis_components_new_module_added.yml @@ -55,7 +55,6 @@ tags: - EventCode - ComputerName - Message - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test @@ -64,4 +63,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log source: IIS:Configuration:Operational sourcetype: IIS:Configuration:Operational - update_timestamp: true 
diff --git a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml index 277edfbd68..5b5cb3a526 100644 --- a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml +++ b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml @@ -64,7 +64,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test @@ -73,4 +72,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml index c7b169a004..bf7c268d6c 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml index 8e1009bac9..ff9930cc8e 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml @@ -51,7 +51,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name 
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml index e513ac0774..5c0bf25346 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml index 0ae92aa3fc..7265891f71 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml index 39802aae08..d8829e2ced 100644 --- a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml +++ b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml @@ -55,7 +55,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml index e60f169f61..e859b4e690 100644 --- a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml 
+++ b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml index 36d8922ff8..a3da03fa90 100644 --- a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml +++ b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml @@ -60,7 +60,6 @@ tags: - Registry.user - Registry.registry_path - Registry.action - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test @@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml index 15d50803ee..19763d91da 100644 --- a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml +++ b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml @@ -60,7 +60,6 @@ tags: - Registry.user - Registry.registry_path - Registry.action - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test @@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true 
diff --git a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml index cd90b0102d..ed8393b0e4 100644 --- a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml +++ b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml @@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test @@ -79,4 +78,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml index 0ef27735e7..0447d014ea 100644 --- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml +++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml index c5f35b7a7d..3e2a6e2395 100644 --- a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml +++ b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name 
diff --git a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml index 87916a6e12..041af6781d 100644 --- a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml +++ b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml index 7801a8da16..72fd45e199 100644 --- a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml +++ b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml index be20e163d4..344c4635bd 100644 --- a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml +++ b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml index 8b4b40941b..fb0f9bdde8 100644 --- a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml +++ b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml 
@@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml index 44e4b0824b..bfbccb3d56 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml index 2718885ddc..afdc15c08f 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml index f9ba1e6b7a..32f0fcbd34 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name 
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml index 2e972eba4f..8903891b9b 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml index 3451fb7079..5a94fcc354 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml index fb4aeb7f7e..7f2512c945 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml @@ -51,7 +51,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml index 103c913657..06c6c89519 100644 
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml index bd97134d0a..def2dcca91 100644 --- a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml +++ b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml index 1eaf1df99c..71651da77e 100644 --- a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml +++ b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml @@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml index f56729718e..ed761ef748 100644 --- a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml +++ b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml 
@@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name diff --git a/detections/endpoint/windows_impair_defenses_disable_hvci.yml b/detections/endpoint/windows_impair_defenses_disable_hvci.yml index 47402295cb..e25980a40b 100644 --- a/detections/endpoint/windows_impair_defenses_disable_hvci.yml +++ b/detections/endpoint/windows_impair_defenses_disable_hvci.yml @@ -61,7 +61,6 @@ tags: - Registry.action - Registry.user - Registry.dest - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml index 5c325b9018..a5c51dd91e 100644 --- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml +++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml @@ -61,7 +61,6 @@ tags: - Registry.user - Registry.registry_path - Registry.action - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test @@ -70,4 +69,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml index 63df9d0661..e4dc882a91 100644 --- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml +++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml @@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 required_fields: - _time - Processes.dest 
diff --git a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml index 489dbe3794..86c1bd2aa9 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml @@ -70,7 +70,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.process_path - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml index 85a3095433..5d45e4710c 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml @@ -68,7 +68,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.process_path - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml index 219b7ab5a9..7e4dfc5e41 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml @@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test @@ -79,4 +78,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true 
diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml index 9955f3ce9d..aa848d21b2 100644 --- a/detections/endpoint/windows_information_discovery_fsutil.yml +++ b/detections/endpoint/windows_information_discovery_fsutil.yml @@ -72,7 +72,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test @@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml index a860417c29..9a50a04d10 100644 --- a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml +++ b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml @@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test @@ -91,4 +90,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_explorer_url/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml index c2a3773cf5..d11dc6b879 100644 --- a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml +++ b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml 
@@ -58,7 +58,6 @@ tags: - Registry.dest - Registry.process_guid - Registry.user - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml index 638b2a7d98..6884c32fde 100644 --- a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml +++ b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml @@ -56,7 +56,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test @@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_installutil_credential_theft.yml b/detections/endpoint/windows_installutil_credential_theft.yml index 5445ac16f5..82eab08395 100644 --- a/detections/endpoint/windows_installutil_credential_theft.yml +++ b/detections/endpoint/windows_installutil_credential_theft.yml @@ -63,7 +63,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_installutil_in_non_standard_path.yml b/detections/endpoint/windows_installutil_in_non_standard_path.yml index 9e17deb2a9..f01bf0aa14 100644 --- a/detections/endpoint/windows_installutil_in_non_standard_path.yml +++ b/detections/endpoint/windows_installutil_in_non_standard_path.yml @@ -94,7 +94,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml index 3e4ded5b5b..90dd82066e 100644 --- a/detections/endpoint/windows_installutil_remote_network_connection.yml +++ b/detections/endpoint/windows_installutil_remote_network_connection.yml @@ -88,7 +88,6 @@ tags: - Ports.process_guid - Ports.dest - Ports.dest_port - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_installutil_uninstall_option.yml b/detections/endpoint/windows_installutil_uninstall_option.yml index 0a704ec3ec..9f65294129 100644 --- a/detections/endpoint/windows_installutil_uninstall_option.yml +++ b/detections/endpoint/windows_installutil_uninstall_option.yml @@ -86,7 +86,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml index 98edc863e1..0100b6e444 100644 --- a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml +++ b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml @@ -90,7 +90,6 @@ tags: - Ports.process_guid - Ports.dest - Ports.dest_port - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_installutil_url_in_command_line.yml b/detections/endpoint/windows_installutil_url_in_command_line.yml index 9f30dd1f26..c0d8475104 100644 --- a/detections/endpoint/windows_installutil_url_in_command_line.yml +++ b/detections/endpoint/windows_installutil_url_in_command_line.yml 
@@ -84,7 +84,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_iso_lnk_file_creation.yml b/detections/endpoint/windows_iso_lnk_file_creation.yml index c0c866145d..aa55077a53 100644 --- a/detections/endpoint/windows_iso_lnk_file_creation.yml +++ b/detections/endpoint/windows_iso_lnk_file_creation.yml @@ -70,7 +70,6 @@ tags: - Filesystem.file_name - Filesystem.file_path - Filesystem.dest - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_java_spawning_shells.yml b/detections/endpoint/windows_java_spawning_shells.yml index 268a73b7d2..d92a665b61 100644 --- a/detections/endpoint/windows_java_spawning_shells.yml +++ b/detections/endpoint/windows_java_spawning_shells.yml @@ -85,5 +85,4 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 40 security_domain: endpoint diff --git a/detections/endpoint/windows_kerberos_local_successful_logon.yml b/detections/endpoint/windows_kerberos_local_successful_logon.yml index 5b28939ffb..84b5eafcb4 100644 --- a/detections/endpoint/windows_kerberos_local_successful_logon.yml +++ b/detections/endpoint/windows_kerberos_local_successful_logon.yml @@ -55,7 +55,6 @@ tags: - user - TargetUserName - src_ip - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_known_abused_dll_created.yml b/detections/endpoint/windows_known_abused_dll_created.yml index def54ea110..e6a9475fba 100644 --- a/detections/endpoint/windows_known_abused_dll_created.yml +++ b/detections/endpoint/windows_known_abused_dll_created.yml @@ -98,7 +98,6 @@ tags: - Filesystem.file_name - Filesystem.file_path - Filesystem.process_guid - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml index 964d91c8a2..5c4ae0b881 100644 --- a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml +++ b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml @@ -61,7 +61,6 @@ tags: - ImageLoaded - Computer - ProcessGuid - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml index ab871bc23d..f6ef4140e7 100644 --- a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml +++ b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml @@ -48,7 +48,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 required_fields: - _time - Image diff --git a/detections/endpoint/windows_krbrelayup_service_creation.yml b/detections/endpoint/windows_krbrelayup_service_creation.yml index 8686afb672..5b055a6ea1 100644 --- a/detections/endpoint/windows_krbrelayup_service_creation.yml +++ b/detections/endpoint/windows_krbrelayup_service_creation.yml @@ -48,7 +48,6 @@ tags: - Service_Name - Service_Start_Type - Service_Type - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml index cb6ced8840..e72d764b62 100644 --- a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml +++ b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml @@ -57,7 +57,6 @@ tags: - ServiceName - TargetUserName - IpAddress - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml b/detections/endpoint/windows_lateral_tool_transfer_remcom.yml index 196699eaeb..52f31af3db 100644 --- a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml +++ b/detections/endpoint/windows_lateral_tool_transfer_remcom.yml @@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_ldifde_directory_object_behavior.yml b/detections/endpoint/windows_ldifde_directory_object_behavior.yml index 6e49a95030..c55e254faa 100644 --- a/detections/endpoint/windows_ldifde_directory_object_behavior.yml +++ b/detections/endpoint/windows_ldifde_directory_object_behavior.yml @@ -85,7 +85,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml index 881d251a75..bfc52261da 100644 --- a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml +++ b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml @@ -54,7 +54,6 @@ tags: - ScriptBlockText - Computer - user_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_local_administrator_credential_stuffing.yml b/detections/endpoint/windows_local_administrator_credential_stuffing.yml index 87560c5f9e..76ff75cbb5 100644 --- a/detections/endpoint/windows_local_administrator_credential_stuffing.yml +++ b/detections/endpoint/windows_local_administrator_credential_stuffing.yml @@ -64,7 +64,6 @@ tags: - TargetUserName - Computer - IpAddress - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml index b41c548119..f37ca06d96 100644 --- a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml +++ b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml @@ -58,7 +58,6 @@ tags: - Processes.process_name - Processes.original_file_name - Processes.process_path - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml index 2fbc729935..1b25b10538 100644 --- a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml +++ b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml @@ -59,7 +59,6 @@ tags: - Processes.process_name - Processes.original_file_name - Processes.process_path - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml index e63a6b0aae..a554b9808d 100644 --- a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml +++ b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml @@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - Registry.registry_path diff --git a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml index c56ab5a29f..18cfb81c2c 100644 --- a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml +++ b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml @@ -62,7 +62,6 @@ tags: - DestinationIp - dest - user - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test 
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_mark_of_the_web_bypass.yml b/detections/endpoint/windows_mark_of_the_web_bypass.yml
index fd2f47ba7b..53e32405cd 100644
--- a/detections/endpoint/windows_mark_of_the_web_bypass.yml
+++ b/detections/endpoint/windows_mark_of_the_web_bypass.yml
@@ -47,7 +47,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- EventCode
- TargetFilename
diff --git a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
index 5450d746e5..162a507888 100644
--- a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
+++ b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
@@ -69,7 +69,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
@@ -78,4 +77,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_masquerading_msdtc_process.yml b/detections/endpoint/windows_masquerading_msdtc_process.yml
index 3331347e54..a121dd5a7e 100644
--- a/detections/endpoint/windows_masquerading_msdtc_process.yml
+++ b/detections/endpoint/windows_masquerading_msdtc_process.yml
@@ -54,7 +54,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 64
required_fields:
- _time
- Processes.dest
diff --git a/detections/endpoint/windows_mimikatz_binary_execution.yml b/detections/endpoint/windows_mimikatz_binary_execution.yml
index 5eed6aaa66..964f80ccfc 100644
--- a/detections/endpoint/windows_mimikatz_binary_execution.yml
+++ b/detections/endpoint/windows_mimikatz_binary_execution.yml
@@ -87,7 +87,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 100
security_domain: endpoint
tests:
- name: True Positive Test
@@ -96,4 +95,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
index 046014d798..cf59fd8422 100644
--- a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
+++ b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
@@ -56,7 +56,6 @@ tags:
- Filesystem.file_create_time
- Filesystem.file_name
- Filesystem.file_path
- risk_score: 28
security_domain: endpoint
tests:
- name: True Positive Test
@@ -65,4 +64,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
index 69b3cf513b..1854e24abb 100644
--- a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
+++ b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
@@ -48,7 +48,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
index f7134f4fb3..f1c6357d1e 100644
--- a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
+++ b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
@@ -57,7 +57,6 @@ tags:
- Registry.registry_value_name
- Registry.action
- Registry.registry_value_data
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_auto_update_notif.yml b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
index d0c1d43e7a..7937b02503 100644
--- a/detections/endpoint/windows_modify_registry_auto_update_notif.yml
+++ b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
@@ -59,7 +59,6 @@ tags:
- Registry.registry_value_name
- Registry.action
- Registry.registry_value_data
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml
index 8560a49471..c02ecee139 100644
--- a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml
+++ b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml
@@ -57,7 +57,6 @@ tags:
- Registry.action
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_default_icon_setting.yml b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
index 034a6152ca..c829ff39d9 100644
--- a/detections/endpoint/windows_modify_registry_default_icon_setting.yml
+++ b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
@@ -63,7 +63,6 @@ tags:
- Registry.registry_key_name
- Registry.registry_value_name
- Registry.action
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
@@ -72,4 +71,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lockbit_ransomware/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml
index 6cd4fdb20c..6eacfc1beb 100644
--- a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml
+++ b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml
@@ -55,7 +55,6 @@ tags:
- Image
- user
- dest
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_disable_rdp.yml b/detections/endpoint/windows_modify_registry_disable_rdp.yml
index 65291ba326..53412fefcb 100644
--- a/detections/endpoint/windows_modify_registry_disable_rdp.yml
+++ b/detections/endpoint/windows_modify_registry_disable_rdp.yml
@@ -56,7 +56,6 @@ tags:
- Registry.action
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
index 649ccc3627..4760cff557 100644
--- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
+++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 64
required_fields:
- _time
- Registry.registry_path
diff --git a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
index 7b6a0c6bfc..a710953721 100644
--- a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
@@ -58,7 +58,6 @@ tags:
- Registry.dest
- Registry.registry_value_name
- Registry.action
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -67,4 +66,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
index a168702d5e..6cf0e8f2a2 100644
--- a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
@@ -60,7 +60,6 @@ tags:
- Registry.dest
- Registry.registry_value_name
- Registry.action
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -69,4 +68,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
index 9d55f54208..a27cced870 100644
--- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
@@ -61,7 +61,6 @@ tags:
- Registry.registry_value_name
- Registry.action
- Registry.registry_value_data
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
index 6a7e5cf8f8..1886716c8c 100644
--- a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
@@ -60,7 +60,6 @@ tags:
- Registry.dest
- Registry.registry_value_name
- Registry.action
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -69,4 +68,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
index 6ec37a2410..0a8c1f099b 100644
--- a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
+++ b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
@@ -49,7 +49,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
index df7bd7bf55..808ef11a98 100644
--- a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
+++ b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
@@ -50,7 +50,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
index b3d1d4f59c..e5b7daf126 100644
--- a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
+++ b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
@@ -57,7 +57,6 @@ tags:
- Registry.dest
- Registry.registry_value_name
- Registry.action
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -66,4 +65,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
index 22d3783127..b1a2530054 100644
--- a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
+++ b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
@@ -56,7 +56,6 @@ tags:
- Registry.dest
- Registry.registry_value_name
- Registry.action
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -65,4 +64,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
index 71bd681e79..16676350a7 100644
--- a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
+++ b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
@@ -61,7 +61,6 @@ tags:
- Registry.registry_value_name
- Registry.action
- Registry.registry_value_data
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_dontshowui.yml b/detections/endpoint/windows_modify_registry_dontshowui.yml
index 5264f4251f..841959cba4 100644
--- a/detections/endpoint/windows_modify_registry_dontshowui.yml
+++ b/detections/endpoint/windows_modify_registry_dontshowui.yml
@@ -48,7 +48,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
index 49e5c60bf6..c74aa0274f 100644
--- a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
+++ b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
index be3d23dcb8..e855c04c9f 100644
--- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml
+++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
@@ -50,7 +50,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 16
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
index 3da3cb3c99..a1c2c5420e 100644
--- a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
+++ b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
@@ -50,7 +50,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 25
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
index e961a39544..d77676b108 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
@@ -59,7 +59,6 @@ tags:
- Registry.registry_value_name
- Registry.action
- Registry.registry_value_data
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_no_auto_update.yml b/detections/endpoint/windows_modify_registry_no_auto_update.yml
index f4edf71299..4ab73021b3 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_update.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_update.yml
@@ -59,7 +59,6 @@ tags:
- Registry.registry_value_name
- Registry.action
- Registry.registry_value_data
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
index 0004e9f3de..0c3552d802 100644
--- a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
+++ b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
@@ -48,7 +48,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 36
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
index c477e04ecd..5a0ff810b7 100644
--- a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
+++ b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
@@ -56,7 +56,6 @@ tags:
- Registry.action
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_proxyenable.yml b/detections/endpoint/windows_modify_registry_proxyenable.yml
index 60f720e50c..72be1284d1 100644
--- a/detections/endpoint/windows_modify_registry_proxyenable.yml
+++ b/detections/endpoint/windows_modify_registry_proxyenable.yml
@@ -48,7 +48,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_proxyserver.yml b/detections/endpoint/windows_modify_registry_proxyserver.yml
index 5870318cda..d57570f307 100644
--- a/detections/endpoint/windows_modify_registry_proxyserver.yml
+++ b/detections/endpoint/windows_modify_registry_proxyserver.yml
@@ -47,7 +47,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
index a91ab6e4ea..4dfe07d651 100644
--- a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
+++ b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
@@ -80,7 +80,6 @@ tags:
- registry_key_name
- registry_key_name_len
- registry_value_name_len
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -89,4 +88,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_reg_restore.yml b/detections/endpoint/windows_modify_registry_reg_restore.yml
index 961ae033b1..956bf9f4ef 100644
--- a/detections/endpoint/windows_modify_registry_reg_restore.yml
+++ b/detections/endpoint/windows_modify_registry_reg_restore.yml
@@ -76,7 +76,6 @@ tags:
- Processes.parent_process_id
- Processes.parent_process_guid
- Processes.process_guid
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
@@ -85,4 +84,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
index 6bcd169e25..d7c43b976d 100644
--- a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
+++ b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
@@ -70,7 +70,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -79,4 +78,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_risk_behavior.yml b/detections/endpoint/windows_modify_registry_risk_behavior.yml
index f44605d7f1..3bbc413b30 100644
--- a/detections/endpoint/windows_modify_registry_risk_behavior.yml
+++ b/detections/endpoint/windows_modify_registry_risk_behavior.yml
@@ -56,7 +56,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- All_Risk.analyticstories
diff --git a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
index f3317d9729..5ef66f542d 100644
--- a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
+++ b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
@@ -59,7 +59,6 @@ tags:
- Registry.dest
- Registry.registry_value_name
- Registry.action
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -68,4 +67,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_modify_registry_tamper_protection.yml b/detections/endpoint/windows_modify_registry_tamper_protection.yml
index 260fd5ba85..e14fd08cca 100644
--- a/detections/endpoint/windows_modify_registry_tamper_protection.yml
+++ b/detections/endpoint/windows_modify_registry_tamper_protection.yml
@@ -60,7 +60,6 @@ tags:
- Registry.registry_value_name
- Registry.action
- Registry.registry_value_data
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
index e55a319353..fdbaa8d90c 100644
--- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
+++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
@@ -60,7 +60,6 @@ tags:
- Registry.registry_value_data
- Registry.process_guid
- Registry.action
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
index e9d8f22e58..bbf26108c8 100644
--- a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
+++ b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
@@ -57,7 +57,6 @@ tags:
- Registry.registry_value_name
- Registry.action
- Registry.registry_value_data
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_usewuserver.yml b/detections/endpoint/windows_modify_registry_usewuserver.yml
index 5b4c591d67..032a595cdd 100644
--- a/detections/endpoint/windows_modify_registry_usewuserver.yml
+++ b/detections/endpoint/windows_modify_registry_usewuserver.yml
@@ -57,7 +57,6 @@ tags:
- Registry.registry_value_name
- Registry.action
- Registry.registry_value_data
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
index 14a104ee88..9fbb37af90 100644
--- a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
+++ b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
@@ -51,7 +51,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 36
required_fields:
- _time
- Registry.registry_key_name
diff --git a/detections/endpoint/windows_modify_registry_wuserver.yml b/detections/endpoint/windows_modify_registry_wuserver.yml
index c67ea368a9..7bcc7aca6d 100644
--- a/detections/endpoint/windows_modify_registry_wuserver.yml
+++ b/detections/endpoint/windows_modify_registry_wuserver.yml
@@ -57,7 +57,6 @@ tags:
- Registry.registry_value_name
- Registry.action
- Registry.registry_value_data
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_registry_wustatusserver.yml b/detections/endpoint/windows_modify_registry_wustatusserver.yml
index c347ac54e5..fe0de2fc81 100644
--- a/detections/endpoint/windows_modify_registry_wustatusserver.yml
+++ b/detections/endpoint/windows_modify_registry_wustatusserver.yml
@@ -57,7 +57,6 @@ tags:
- Registry.registry_value_name
- Registry.action
- Registry.registry_value_data
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
index 80738ab935..10b30e54b7 100644
--- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
+++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
@@ -59,7 +59,6 @@ tags:
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
index 6e4a52b436..e8bc03205d 100644
--- a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
+++ b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
@@ -70,7 +70,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.parent_process_id
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
index 570b766e26..3dcb9850c8 100644
--- a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
+++ b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
@@ -85,7 +85,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
@@ -94,4 +93,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/mofcomp.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
index afa42c67af..8fab557073 100644
--- a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
+++ b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
@@ -59,7 +59,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 100
required_fields:
- _time
- Filesystem.file_path
diff --git a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
index 707a655921..262f5d0c8d 100644
--- a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
+++ b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
@@ -55,7 +55,6 @@ tags:
- _time
- Message
- dest
- risk_score: 32
security_domain: endpoint
tests:
- name: True Positive Test
@@ -64,4 +63,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log
source: WinEventLog:MSExchange Management
sourcetype: MSExchange:management
- update_timestamp: true
diff --git a/detections/endpoint/windows_mshta_execution_in_registry.yml b/detections/endpoint/windows_mshta_execution_in_registry.yml
index 4100435773..155333ba27 100644
--- a/detections/endpoint/windows_mshta_execution_in_registry.yml
+++ b/detections/endpoint/windows_mshta_execution_in_registry.yml
@@ -62,7 +62,6 @@ tags:
- Registry.dest
- Registry.registry_value_data
- Registry.action
- risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml
index cbe89e7960..ba687cea1d 100644
--- a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml
+++ b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml
@@ -74,7 +74,6 @@ tags:
- user
- Image
- TargetFilename
- risk_score: 64
security_domain: endpoint
cve: []
tests:
diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml
index 25d55657ca..3febaea345 100644
--- a/detections/endpoint/windows_msiexec_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_dllregisterserver.yml
@@ -81,7 +81,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
@@ -90,4 +89,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
index 2e2a73f927..3b80ae5f9b 100644
--- a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
+++ b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
@@ -58,7 +58,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 49
required_fields:
- _time
- Processes.dest
diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml
index 2b7f246cee..69ba09b43a 100644
--- a/detections/endpoint/windows_msiexec_remote_download.yml
+++ b/detections/endpoint/windows_msiexec_remote_download.yml
@@ -80,7 +80,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
@@ -89,4 +88,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
index 0367683bf1..a57a9754eb 100644
--- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
+++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
@@ -83,7 +83,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 35
security_domain: endpoint
tests:
- name: True Positive Test
@@ -92,4 +91,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_msiexec_spawn_windbg.yml b/detections/endpoint/windows_msiexec_spawn_windbg.yml
index 1243cdbe4e..8aa557316e 100644
--- a/detections/endpoint/windows_msiexec_spawn_windbg.yml
+++ b/detections/endpoint/windows_msiexec_spawn_windbg.yml
@@ -68,7 +68,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - Processes.dest - Processes.user
diff --git a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
index 30e7efb7dd..41400108fd 100644
--- a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
@@ -90,4 +89,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_msiexec_with_network_connections.yml b/detections/endpoint/windows_msiexec_with_network_connections.yml
index fde323dc9b..87079cb7d4 100644
--- a/detections/endpoint/windows_msiexec_with_network_connections.yml
+++ b/detections/endpoint/windows_msiexec_with_network_connections.yml
@@ -80,7 +80,6 @@ tags: - All_Traffic.dest - All_Traffic.dest_port - All_Traffic.dest_ip - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
@@ -89,4 +88,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml
index ac04567ed7..822158559a 100644
--- a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml
+++ b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml
@@ -54,7 +54,6 @@ tags: - QueryStatus - ProcessId - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -63,4 +62,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_multiple_account_passwords_changed.yml b/detections/endpoint/windows_multiple_account_passwords_changed.yml
index a699fadee2..7a6642ea93 100644
--- a/detections/endpoint/windows_multiple_account_passwords_changed.yml
+++ b/detections/endpoint/windows_multiple_account_passwords_changed.yml
@@ -58,7 +58,6 @@ tags: - TargetDomainName - Logon_ID - user - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_multiple_accounts_deleted.yml b/detections/endpoint/windows_multiple_accounts_deleted.yml
index 9b49d44623..e1550523f2 100644
--- a/detections/endpoint/windows_multiple_accounts_deleted.yml
+++ b/detections/endpoint/windows_multiple_accounts_deleted.yml
@@ -56,7 +56,6 @@ tags: - TargetDomainName - Logon_ID - user - risk_score: 18 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_multiple_accounts_disabled.yml b/detections/endpoint/windows_multiple_accounts_disabled.yml
index 38cc7c019c..c2cf63c120 100644
--- a/detections/endpoint/windows_multiple_accounts_disabled.yml
+++ b/detections/endpoint/windows_multiple_accounts_disabled.yml
@@ -57,7 +57,6 @@ tags: - TargetDomainName - Logon_ID - user - risk_score: 18 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
index 0fc83fc237..69f65e9e43 100644
--- a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
+++ b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
@@ -56,7 +56,6 @@ tags: - Status - TargetUserName - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml
index a369d3a1f0..2bbf94d985 100644
--- a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml
+++ b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml
@@ -56,7 +56,6 @@ tags: - Status - TargetUserName - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml
index 4a0d9fefbf..d0519d1f00 100644
--- a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml
+++ b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml
@@ -54,7 +54,6 @@ tags: - TargetUserName - Workstation - Status - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml
index 2c0916a271..3eb2c6fcb1 100644
--- a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml
+++ b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml
@@ -57,7 +57,6 @@ tags: - Target_User_Name - Caller_User_Name - Computer - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml
index 1ca6318c8d..8eb8c4159a 100644
--- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml
+++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml
@@ -53,7 +53,6 @@ tags: - Status - TargetUserName - Workstation - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml
index 596020b269..068e59d9ff 100644
--- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml
+++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml
@@ -57,7 +57,6 @@ tags: - SubjectUserName - TargetUserName - Computer - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml
index 3b007a7059..ce8802344f 100644
--- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml
+++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml
@@ -58,7 +58,6 @@ tags: - Status - TargetUserName - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
index 8084bdfb50..92f76ac6f7 100644
--- a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
+++ b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
@@ -56,7 +56,6 @@ tags: - TargetUserName - Computer - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data:
diff --git a/detections/endpoint/windows_network_share_interaction_with_net.yml b/detections/endpoint/windows_network_share_interaction_with_net.yml
index 057b77623e..00fddafe86 100644
--- a/detections/endpoint/windows_network_share_interaction_with_net.yml
+++ b/detections/endpoint/windows_network_share_interaction_with_net.yml
@@ -61,7 +61,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_new_inprocserver32_added.yml b/detections/endpoint/windows_new_inprocserver32_added.yml
index 9d0e9c77fb..e2c1c6494b 100644
--- a/detections/endpoint/windows_new_inprocserver32_added.yml
+++ b/detections/endpoint/windows_new_inprocserver32_added.yml
@@ -54,7 +54,6 @@ tags: - Registry.dest - Registry.process_guid - Registry.user - risk_score: 2 security_domain: endpoint cve: - CVE-2024-21378
diff --git a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
index e0f670b1ed..29acde1cba 100644
--- a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test
@@ -91,4 +90,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_nirsoft_advancedrun.yml b/detections/endpoint/windows_nirsoft_advancedrun.yml
index 84c78b5116..a8aec4c52a 100644
--- a/detections/endpoint/windows_nirsoft_advancedrun.yml
+++ b/detections/endpoint/windows_nirsoft_advancedrun.yml
@@ -85,7 +85,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_nirsoft_utilities.yml b/detections/endpoint/windows_nirsoft_utilities.yml
index cae71dc40f..4cd5fca4d2 100644
--- a/detections/endpoint/windows_nirsoft_utilities.yml
+++ b/detections/endpoint/windows_nirsoft_utilities.yml
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
index 75586bd532..8d49de6dbd 100644
--- a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
+++ b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
@@ -49,7 +49,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
index d4bd14b414..050d2c262b 100644
--- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
+++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
@@ -54,7 +54,6 @@ tags: - process_id - EventCode - dest - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml
index e5df2652ed..bb83a33e6a 100644
--- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml
+++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml
@@ -70,7 +70,6 @@ tags: - SourceProcessId - SourceUser - TargetUser - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_odbcconf_hunting.yml b/detections/endpoint/windows_odbcconf_hunting.yml
index d0b037f761..2b44d1745a 100644
--- a/detections/endpoint/windows_odbcconf_hunting.yml
+++ b/detections/endpoint/windows_odbcconf_hunting.yml
@@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 6 security_domain: endpoint tests: - name: True Positive Test
@@ -89,4 +88,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_odbcconf_load_dll.yml b/detections/endpoint/windows_odbcconf_load_dll.yml
index c14bfc2a35..1e83d5586d 100644
--- a/detections/endpoint/windows_odbcconf_load_dll.yml
+++ b/detections/endpoint/windows_odbcconf_load_dll.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
@@ -90,4 +89,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_odbcconf_load_response_file.yml b/detections/endpoint/windows_odbcconf_load_response_file.yml
index 1067f4314a..a1a10596c9 100644
--- a/detections/endpoint/windows_odbcconf_load_response_file.yml
+++ b/detections/endpoint/windows_odbcconf_load_response_file.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
@@ -90,4 +89,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_office_product_spawning_msdt.yml b/detections/endpoint/windows_office_product_spawning_msdt.yml
index 4977b332f7..8851a0395e 100644
--- a/detections/endpoint/windows_office_product_spawning_msdt.yml
+++ b/detections/endpoint/windows_office_product_spawning_msdt.yml
@@ -90,7 +90,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test
@@ -99,4 +98,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_papercut_ng_spawn_shell.yml b/detections/endpoint/windows_papercut_ng_spawn_shell.yml
index 720d9addcc..36bec3576e 100644
--- a/detections/endpoint/windows_papercut_ng_spawn_shell.yml
+++ b/detections/endpoint/windows_papercut_ng_spawn_shell.yml
@@ -67,7 +67,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 90 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
index 145c0623b7..5645c6f629 100644
--- a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
+++ b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
@@ -53,7 +53,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_password_managers_discovery.yml b/detections/endpoint/windows_password_managers_discovery.yml
index a3bdf3b310..246956f6bc 100644
--- a/detections/endpoint/windows_password_managers_discovery.yml
+++ b/detections/endpoint/windows_password_managers_discovery.yml
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -84,4 +83,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml
index 67dc39b952..4b4ad4743f 100644
--- a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml
+++ b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml
@@ -58,7 +58,6 @@ tags: - process_name - process_path - process - risk_score: 49 security_domain: endpoint cve: - CVE-2024-21378
diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
index 96e4214e77..da95896abb 100644
--- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
+++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
@@ -69,7 +69,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
index 78e39062d7..68ebd181a4 100644
--- a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
+++ b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
@@ -70,7 +70,6 @@ tags: - Registry.registry_value_data - Registry.action - Registry.dest - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
@@ -79,4 +78,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_possible_credential_dumping.yml b/detections/endpoint/windows_possible_credential_dumping.yml
index 075f0bb069..d4dbbcd647 100644
--- a/detections/endpoint/windows_possible_credential_dumping.yml
+++ b/detections/endpoint/windows_possible_credential_dumping.yml
@@ -78,7 +78,6 @@ tags: - SourceProcessId - SourceUser - TargetUser - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_post_exploitation_risk_behavior.yml b/detections/endpoint/windows_post_exploitation_risk_behavior.yml
index 8c5248c6d0..a5a5ae1e30 100644
--- a/detections/endpoint/windows_post_exploitation_risk_behavior.yml
+++ b/detections/endpoint/windows_post_exploitation_risk_behavior.yml
@@ -61,7 +61,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - All_Risk.analyticstories
diff --git a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml
index 156612b04f..9148f10fcf 100644
--- a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml
+++ b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml
@@ -52,7 +52,6 @@ tags: - ScriptBlockText - Computer - EventCode - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -61,4 +60,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_publish_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_powershell_cryptography_namespace.yml b/detections/endpoint/windows_powershell_cryptography_namespace.yml
index e3dee7cefc..058040deed 100644
--- a/detections/endpoint/windows_powershell_cryptography_namespace.yml
+++ b/detections/endpoint/windows_powershell_cryptography_namespace.yml
@@ -58,7 +58,6 @@ tags: - Computer - UserID - EventCodes - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_powershell_disable_http_logging.yml b/detections/endpoint/windows_powershell_disable_http_logging.yml
index 040423703e..15643ba7e6 100644
--- a/detections/endpoint/windows_powershell_disable_http_logging.yml
+++ b/detections/endpoint/windows_powershell_disable_http_logging.yml
@@ -58,7 +58,6 @@ tags: - ScriptBlockText - Computer - EventCode - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_disable_http_logging_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_powershell_export_certificate.yml b/detections/endpoint/windows_powershell_export_certificate.yml
index bfe5693087..e477e9c845 100644
--- a/detections/endpoint/windows_powershell_export_certificate.yml
+++ b/detections/endpoint/windows_powershell_export_certificate.yml
@@ -53,7 +53,6 @@ tags: - ScriptBlockText - dest - EventCode - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_powershell_export_pfxcertificate.yml b/detections/endpoint/windows_powershell_export_pfxcertificate.yml
index 0fd15df427..f6a57a8842 100644
--- a/detections/endpoint/windows_powershell_export_pfxcertificate.yml
+++ b/detections/endpoint/windows_powershell_export_pfxcertificate.yml
@@ -52,7 +52,6 @@ tags: - ScriptBlockText - dest - EventCode - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
@@ -61,4 +60,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfxcertificate.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
index 08cd5b08aa..0f607bdd8d 100644
--- a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
+++ b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
@@ -50,7 +50,6 @@ tags: - ScriptBlockText - Computer - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
index 6414336358..45c973203d 100644
--- a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
+++ b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
@@ -56,7 +56,6 @@ tags: - ScriptBlockText - Computer - EventCode - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_powershell_import_applocker_policy.yml b/detections/endpoint/windows_powershell_import_applocker_policy.yml
index bab67f0b21..9510b0ef8b 100644
--- a/detections/endpoint/windows_powershell_import_applocker_policy.yml
+++ b/detections/endpoint/windows_powershell_import_applocker_policy.yml
@@ -58,7 +58,6 @@ tags: - ScriptBlockText - Computer - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_powershell_remotesigned_file.yml b/detections/endpoint/windows_powershell_remotesigned_file.yml
index 82ee57dd4a..e50b1c97d2 100644
--- a/detections/endpoint/windows_powershell_remotesigned_file.yml
+++ b/detections/endpoint/windows_powershell_remotesigned_file.yml
@@ -58,7 +58,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_powershell_scheduletask.yml b/detections/endpoint/windows_powershell_scheduletask.yml
index aefdb37203..9b32948272 100644
--- a/detections/endpoint/windows_powershell_scheduletask.yml
+++ b/detections/endpoint/windows_powershell_scheduletask.yml
@@ -63,7 +63,6 @@ tags: - Computer - EventCode security_domain: endpoint - risk_score: 25 tests: - name: True Positive Test attack_data:
diff --git a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml
index eda87ec83a..48a7d054ed 100644
--- a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml
+++ b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml
@@ -55,7 +55,6 @@ tags: - ScriptBlockText - dest - EventCode - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test
@@ -64,4 +63,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/win32_scheduledjob_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_powersploit_gpp_discovery.yml b/detections/endpoint/windows_powersploit_gpp_discovery.yml
index 6fb35c4eaf..cd05f0e81b 100644
--- a/detections/endpoint/windows_powersploit_gpp_discovery.yml
+++ b/detections/endpoint/windows_powersploit_gpp_discovery.yml
@@ -60,7 +60,6 @@ tags: - Opcode - Computer - UserID - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
index 4b9c329ff4..4c75207f43 100644
--- a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
+++ b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
@@ -56,7 +56,6 @@ tags: - ScriptBlockText - Opcode - UserID - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml
index cac12014b8..11e8845b35 100644
--- a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml
+++ b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml
@@ -62,7 +62,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml
index fd8f21bf0a..6ee7c928fb 100644
--- a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml
+++ b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml
@@ -56,7 +56,6 @@ tags: - EventCode - Computer - ScriptBlockText - risk_score: 27 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_powerview_spn_discovery.yml b/detections/endpoint/windows_powerview_spn_discovery.yml
index d4542f0745..ee7e2b8f41 100644
--- a/detections/endpoint/windows_powerview_spn_discovery.yml
+++ b/detections/endpoint/windows_powerview_spn_discovery.yml
@@ -56,7 +56,6 @@ tags: - EventCode - Computer - ScriptBlockText - risk_score: 27 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml
index 8480b2bcdc..a450ea5423 100644
--- a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml
+++ b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml
@@ -61,7 +61,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_private_keys_discovery.yml b/detections/endpoint/windows_private_keys_discovery.yml
index 5ec5ce937b..3ee8bc8e19 100644
--- a/detections/endpoint/windows_private_keys_discovery.yml
+++ b/detections/endpoint/windows_private_keys_discovery.yml
@@ -77,7 +77,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -86,4 +85,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
index 8320268295..32c9b6b0a4 100644
--- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
+++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
@@ -99,7 +99,6 @@ tags: - Processes.process_guid - Processes.process_integrity_level - Processes.process_current_directory - risk_score: 40 security_domain: endpoint tests: - attack_data:
@@ -107,5 +106,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true name: True Positive Test
diff --git a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
index a879e325d8..ec27565591 100644
--- a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
+++ b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
@@ -69,7 +69,6 @@ tags: - parent_process_name - parent_process_guid - IntegrityLevel - risk_score: 80 security_domain: endpoint tests: - attack_data:
@@ -77,5 +76,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true name: True Positive Test
diff --git a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
index 801c75f46e..6fc03daff5 100644
--- a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
+++ b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
@@ -84,7 +84,6 @@ tags: - parent_process_name - parent_process_guid - IntegrityLevel - risk_score: 80 security_domain: endpoint tests: - attack_data:
@@ -92,5 +91,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true name: True Positive Test
diff --git a/detections/endpoint/windows_process_commandline_discovery.yml b/detections/endpoint/windows_process_commandline_discovery.yml
index 7f43b2812b..68b4cf7aa2 100644
--- a/detections/endpoint/windows_process_commandline_discovery.yml
+++ b/detections/endpoint/windows_process_commandline_discovery.yml
@@ -56,7 +56,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
index d8485edfd8..fa25e0421a 100644
--- a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
+++ b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
@@ -54,7 +54,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Processes.dest
diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml
index 5402b29917..ce2e2b4e41 100644
--- a/detections/endpoint/windows_process_injection_into_notepad.yml
+++ b/detections/endpoint/windows_process_injection_into_notepad.yml
@@ -65,7 +65,6 @@ tags: - TargetImage - GrantedAccess - CallTrace - risk_score: 32 security_domain: endpoint tests: - name: True Positive Test
@@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml
index 0079c49fc0..1fca315388 100644
--- a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml
+++ b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml
@@ -61,7 +61,6 @@ tags: - TargetProcessId - EventCode - dest - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -70,4 +69,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_process_injection_remote_thread.yml b/detections/endpoint/windows_process_injection_remote_thread.yml
index 8435afb15e..e46a55f1b2 100644
--- a/detections/endpoint/windows_process_injection_remote_thread.yml
+++ b/detections/endpoint/windows_process_injection_remote_thread.yml
@@ -69,7 +69,6 @@ tags: - TargetProcessGuid - SourceProcessGuid - StartAddress - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_process_injection_wermgr_child_process.yml b/detections/endpoint/windows_process_injection_wermgr_child_process.yml
index 05db4a79a4..ade6c7d80d 100644
--- a/detections/endpoint/windows_process_injection_wermgr_child_process.yml
+++ b/detections/endpoint/windows_process_injection_wermgr_child_process.yml
@@ -68,7 +68,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
@@ -77,4 +76,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_process_injection_with_public_source_path.yml b/detections/endpoint/windows_process_injection_with_public_source_path.yml
index 9353d63f25..441501d616 100644
--- a/detections/endpoint/windows_process_injection_with_public_source_path.yml
+++ b/detections/endpoint/windows_process_injection_with_public_source_path.yml
@@ -69,7 +69,6 @@ tags: - TargetProcessGuid - SourceProcessGuid - StartAddress - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
index 82887100fe..af3ff614e3 100644
--- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml
+++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
@@ -69,7 +69,6 @@ tags: - Processes.process_path - Processes.parent_process_id - Processes.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml
index 5b80780b15..75878da94d 100644
--- a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml
+++ b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml
@@ -72,7 +72,6 @@ tags: - user - file_name - file_path - risk_score: 25 security_domain: endpoint cve: [] tests:
diff --git a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
index e0a30efa52..af341fedf9 100644
--- a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
+++ b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
@@ -60,7 +60,6 @@ tags: - Processes.process_path - Processes.parent_process_id - Processes.process_guid - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
index d810345bb3..c761ca2364 100644
--- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml
+++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
@@ -87,7 +87,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_proxy_via_netsh.yml b/detections/endpoint/windows_proxy_via_netsh.yml
index f72b9963f7..9fe23b451d 100644
--- a/detections/endpoint/windows_proxy_via_netsh.yml
+++ b/detections/endpoint/windows_proxy_via_netsh.yml
@@ -64,7 +64,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Processes.process
diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml
index 54f12e54e0..bd53881019 100644
--- a/detections/endpoint/windows_proxy_via_registry.yml
+++ b/detections/endpoint/windows_proxy_via_registry.yml
@@ -50,7 +50,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Registry.registry_key_name
diff --git a/detections/endpoint/windows_query_registry_browser_list_application.yml b/detections/endpoint/windows_query_registry_browser_list_application.yml
index 0d91467a1e..2e0f971744 100644
--- a/detections/endpoint/windows_query_registry_browser_list_application.yml
+++ b/detections/endpoint/windows_query_registry_browser_list_application.yml
@@ -55,7 +55,6 @@ tags: - process_id - EventCode - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_query_registry_reg_save.yml b/detections/endpoint/windows_query_registry_reg_save.yml
index 65375b15c8..ccded787c3 100644
--- a/detections/endpoint/windows_query_registry_reg_save.yml
+++ b/detections/endpoint/windows_query_registry_reg_save.yml
@@ -76,7 +76,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -85,4 +84,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_query_registry_uninstall_program_list.yml b/detections/endpoint/windows_query_registry_uninstall_program_list.yml
index b6d63d8d56..1b082fd300 100644
--- a/detections/endpoint/windows_query_registry_uninstall_program_list.yml
+++ b/detections/endpoint/windows_query_registry_uninstall_program_list.yml
@@ -52,7 +52,6 @@ tags: - process_id - EventCode - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
index cb5045f62c..b954445776 100644
--- a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
+++ b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
@@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
index 745a615e16..ee8fb929a3 100644
--- a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
@@ -59,7 +59,6 @@ tags: - TargetUserName - Computer - IpAddress - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_rasautou_dll_execution.yml b/detections/endpoint/windows_rasautou_dll_execution.yml
index 03d814e613..117b15e15a 100644
--- a/detections/endpoint/windows_rasautou_dll_execution.yml
+++ b/detections/endpoint/windows_rasautou_dll_execution.yml
@@ -81,7 +81,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
index 7f86e6ccc8..1a0d27c815 100644
--- a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
+++ b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
@@ -64,7 +64,6 @@ tags: - Device - EventCode - Image - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
index 11751c9edc..baf20aa462 100644
--- a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
+++ b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
@@ -65,7 +65,6 @@ tags: - ProcessId - EventDescription - EventCode - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_rdp_connection_successful.yml b/detections/endpoint/windows_rdp_connection_successful.yml
index 8733534473..da3114f7c9 100644
--- a/detections/endpoint/windows_rdp_connection_successful.yml
+++ b/detections/endpoint/windows_rdp_connection_successful.yml
@@ -51,7 +51,6 @@ tags: - Source_Network_Address - User - Message - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml
index 546d7f54b7..49b42552a3 100644
--- a/detections/endpoint/windows_registry_bootexecute_modification.yml
+++ b/detections/endpoint/windows_registry_bootexecute_modification.yml
@@ -51,7 +51,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - Registry.dest
diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml
index 1166aab216..08012025e0 100644
--- a/detections/endpoint/windows_registry_certificate_added.yml
+++ b/detections/endpoint/windows_registry_certificate_added.yml
@@ -59,7 +59,6 @@ tags: - Registry.registry_key_name - Registry.registry_value_name - Registry.dest - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml
index 2b76652237..21b1ac6c60 100644
--- a/detections/endpoint/windows_registry_delete_task_sd.yml
+++ b/detections/endpoint/windows_registry_delete_task_sd.yml
@@ -67,7 +67,6 @@ tags: - Processes.process - Processes.dest - Processes.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
index 8f49937bed..677758dbed 100644
--- a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
+++ b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
@@ -63,7 +63,6 @@ tags: - Registry.registry_key_name - Registry.registry_value_name - Registry.dest - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_registry_payload_injection.yml b/detections/endpoint/windows_registry_payload_injection.yml
index 7268cbf11f..b152411ac6 100644
--- a/detections/endpoint/windows_registry_payload_injection.yml
+++ b/detections/endpoint/windows_registry_payload_injection.yml
@@ -90,7 +90,6 @@ tags: - registry_value_name - registry_value_data - registry_key_name - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_registry_sip_provider_modification.yml b/detections/endpoint/windows_registry_sip_provider_modification.yml
index e32c501a70..1443f67561 100644
--- a/detections/endpoint/windows_registry_sip_provider_modification.yml
+++ b/detections/endpoint/windows_registry_sip_provider_modification.yml
@@ -57,7 +57,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - Registry.dest - Registry.user
diff --git a/detections/endpoint/windows_regsvr32_renamed_binary.yml b/detections/endpoint/windows_regsvr32_renamed_binary.yml
index 756589cc02..9c6dc071e7 100644
--- a/detections/endpoint/windows_regsvr32_renamed_binary.yml
+++ b/detections/endpoint/windows_regsvr32_renamed_binary.yml
@@ -66,7 +66,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -75,4 +74,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_3/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
index 8a7d263fbc..2def4fb1a3 100644
--- a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
+++ b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
@@ -66,7 +66,6 @@ tags: - EventCode - Signed - ProcessId - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -75,4 +74,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_access_software_hunt.yml b/detections/endpoint/windows_remote_access_software_hunt.yml
index fca384f7fa..c3af76bddc 100644
--- a/detections/endpoint/windows_remote_access_software_hunt.yml
+++ b/detections/endpoint/windows_remote_access_software_hunt.yml
@@ -75,7 +75,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test
@@ -84,4 +83,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_access_software_rms_registry.yml b/detections/endpoint/windows_remote_access_software_rms_registry.yml
index e883290d69..44a7a4f9e2 100644
--- a/detections/endpoint/windows_remote_access_software_rms_registry.yml
+++ b/detections/endpoint/windows_remote_access_software_rms_registry.yml
@@ -56,7 +56,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_assistance_spawning_process.yml b/detections/endpoint/windows_remote_assistance_spawning_process.yml
index 8a42185fe2..8f2888d6a2 100644
--- a/detections/endpoint/windows_remote_assistance_spawning_process.yml
+++ b/detections/endpoint/windows_remote_assistance_spawning_process.yml
@@ -77,7 +77,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml
index 540a231e87..88f1307176 100644
--- a/detections/endpoint/windows_remote_create_service.yml
+++ b/detections/endpoint/windows_remote_create_service.yml
@@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
@@ -91,4 +90,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
index 9102087879..c01dd9cf17 100644
--- a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
+++ b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
@@ -69,7 +69,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test
@@ -78,4 +77,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
index 6bda4a9dc6..85295ccb48 100644
--- a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
+++ b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
@@ -68,7 +68,6 @@ tags: - Processes.parent_process_id - Processes.dest - Processes.user - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -77,4 +76,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
index 390f815024..4fa16934ce 100644
--- a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
+++ b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
@@ -58,7 +58,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -67,4 +66,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_remote_services_rdp_enable.yml b/detections/endpoint/windows_remote_services_rdp_enable.yml
index 4d62b4d31a..084cb45aa1 100644
--- a/detections/endpoint/windows_remote_services_rdp_enable.yml
+++ b/detections/endpoint/windows_remote_services_rdp_enable.yml
@@ -57,7 +57,6 @@ tags: - Registry.dest - Registry.registry_value_name - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -66,4 +65,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml
index a22f38ca07..e0f08d805f 100644
--- a/detections/endpoint/windows_replication_through_removable_media.yml
+++ b/detections/endpoint/windows_replication_through_removable_media.yml
@@ -66,7 +66,6 @@ tags: - Filesystem.process_id - Filesystem.file_name - Filesystem.user - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -75,4 +74,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
index c1fd6ba784..9fd3f3cb29 100644
--- a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
+++ b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
@@ -54,7 +54,6 @@ tags: - ScriptBlockText - Computer - user_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
index ec22b31589..36e64c1694 100644
--- a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
+++ b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
@@ -69,7 +69,6 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_rundll32_webdav_request.yml b/detections/endpoint/windows_rundll32_webdav_request.yml
index 162eecae41..9c9d1eae12 100644
--- a/detections/endpoint/windows_rundll32_webdav_request.yml
+++ b/detections/endpoint/windows_rundll32_webdav_request.yml
@@ -85,7 +85,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
index 71b1d73175..5fa0d0fc15 100644
--- a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
+++ b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
@@ -91,7 +91,6 @@ tags: - All_Traffic.dest_port - All_Traffic.dest_ip - All_Traffic.dest - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
index 89770fce58..78f1f57d3d 100644
--- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml
+++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
@@ -76,7 +76,6 @@ tags: - Processes.user - Processes.process_id - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -85,4 +84,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
index 613baa3846..955a7fde3c 100644
--- a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
+++ b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
@@ -79,7 +79,6 @@ tags: - Processes.process_id - Processes.parent_process_id - Processes.parent_process_name - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
index 422b8186f5..0127d15d32 100644
--- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
+++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
@@ -73,7 +73,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml
index 4c101f1cb2..b7b0b3a035 100644
--- a/detections/endpoint/windows_schtasks_create_run_as_system.yml
+++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml
@@ -78,7 +78,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml
index 3a7e848183..2e83aa709e 100644
--- a/detections/endpoint/windows_screen_capture_via_powershell.yml
+++ b/detections/endpoint/windows_screen_capture_via_powershell.yml
@@ -56,7 +56,6 @@ tags: - Computer - UserID - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -65,4 +64,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_security_account_manager_stopped.yml b/detections/endpoint/windows_security_account_manager_stopped.yml
index ea67e8ab1a..90756d5d9a 100644
--- a/detections/endpoint/windows_security_account_manager_stopped.yml
+++ b/detections/endpoint/windows_security_account_manager_stopped.yml
@@ -64,7 +64,6 @@ tags: - Processes.process - Processes.dest - Processes.user - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml
index a411a590b5..aba8b0fb1e 100644
--- a/detections/endpoint/windows_security_support_provider_reg_query.yml
+++ b/detections/endpoint/windows_security_support_provider_reg_query.yml
@@ -76,7 +76,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test
@@ -85,4 +84,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
index be217da44e..2910f7dc84 100644
--- a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
+++ b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
@@ -84,7 +84,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
@@ -93,4 +92,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml
index 707c7296c2..69bc4923a6 100644
--- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml
+++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml
@@ -73,7 +73,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test
@@ -82,4 +81,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sc_kernel.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true
diff --git a/detections/endpoint/windows_service_create_remcomsvc.yml b/detections/endpoint/windows_service_create_remcomsvc.yml
index 0d71be6da5..184e18358d 100644
--- a/detections/endpoint/windows_service_create_remcomsvc.yml
+++ b/detections/endpoint/windows_service_create_remcomsvc.yml
@@ -52,7 +52,6 @@ tags:
- ImagePath
- ServiceName
- ServiceType
- risk_score: 32
security_domain: endpoint
tests:
- name: True Positive Test
@@ -61,4 +60,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remcom_windows-system.log
source: XmlWinEventLog:System
sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_service_create_sliverc2.yml b/detections/endpoint/windows_service_create_sliverc2.yml
index f328e79128..fdd06e5b92 100644
--- a/detections/endpoint/windows_service_create_sliverc2.yml
+++ b/detections/endpoint/windows_service_create_sliverc2.yml
@@ -51,7 +51,6 @@ tags:
- ServiceName
- ImagePath
- ServiceType
- risk_score: 90
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_service_create_with_tscon.yml b/detections/endpoint/windows_service_create_with_tscon.yml
index d490345a09..a7da98f025 100644
--- a/detections/endpoint/windows_service_create_with_tscon.yml
+++ b/detections/endpoint/windows_service_create_with_tscon.yml
@@ -92,7 +92,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
index b3f638846a..a2b8103e07 100644
--- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
+++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
@@ -67,7 +67,6 @@ tags:
- Service_Name
- Service_Start_Type
- dest
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_service_created_within_public_path.yml b/detections/endpoint/windows_service_created_within_public_path.yml
index 6992ebaa34..bae207e8ce 100644
--- a/detections/endpoint/windows_service_created_within_public_path.yml
+++ b/detections/endpoint/windows_service_created_within_public_path.yml
@@ -59,7 +59,6 @@ tags:
- _time
- Service_Name
- Service_Start_Type
- risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
index 7b95893fb1..9b31b95216 100644
--- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
+++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
@@ -72,7 +72,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
index 3815ab0278..d6708f12ac 100644
--- a/detections/endpoint/windows_service_creation_using_registry_entry.yml
+++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -62,7 +62,6 @@ tags:
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml
index c7b30db767..cc848fb0b1 100644
--- a/detections/endpoint/windows_service_deletion_in_registry.yml
+++ b/detections/endpoint/windows_service_deletion_in_registry.yml
@@ -65,7 +65,6 @@ tags:
- Processes.parent_process_name
- Processes.parent_process
- Processes.process_guid
- risk_score: 18
security_domain: endpoint
tests:
- name: True Positive Test
@@ -74,4 +73,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/service_deletion/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
index 4eb50b66c0..c4f0ac78d6 100644
--- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
@@ -69,7 +69,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_service_stop_by_deletion.yml b/detections/endpoint/windows_service_stop_by_deletion.yml
index e03a0339d1..2d97d4dbe3 100644
--- a/detections/endpoint/windows_service_stop_by_deletion.yml
+++ b/detections/endpoint/windows_service_stop_by_deletion.yml
@@ -69,7 +69,6 @@ tags:
- Processes.parent_process_id
- Processes.dest
- Processes.user
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -78,4 +77,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml
index 8bee80e860..a9ee2a4285 100644
--- a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml
+++ b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml
@@ -68,7 +68,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -77,4 +76,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_service_stop_win_updates.yml b/detections/endpoint/windows_service_stop_win_updates.yml
index e8ec84f55b..c16943e3ef 100644
--- a/detections/endpoint/windows_service_stop_win_updates.yml
+++ b/detections/endpoint/windows_service_stop_win_updates.yml
@@ -58,7 +58,6 @@ tags:
- param2
- param3
- param4
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_sip_provider_inventory.yml b/detections/endpoint/windows_sip_provider_inventory.yml
index 95fd394161..82975d46e9 100644
--- a/detections/endpoint/windows_sip_provider_inventory.yml
+++ b/detections/endpoint/windows_sip_provider_inventory.yml
@@ -43,7 +43,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 25
required_fields:
- Path
- Dll
diff --git a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
index 274d7a84c2..d54a1dc164 100644
--- a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
+++ b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
@@ -49,7 +49,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 64
required_fields:
- _time
- Computer
diff --git a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml
index 554d342ca8..fdaf508aed 100644
--- a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml
+++ b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml
@@ -50,7 +50,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 25
required_fields:
- _time
- Filesystem.file_create_time
diff --git a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml
index 346e20826c..ddf753e35b 100644
--- a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml
+++ b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml
@@ -49,7 +49,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 56
required_fields:
- _time
- Filesystem.file_create_time
diff --git a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
index 0b1a4bd6af..62ae4062bd 100644
--- a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
+++ b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 25
required_fields:
- _time
- Registry.dest
diff --git a/detections/endpoint/windows_snake_malware_service_create.yml b/detections/endpoint/windows_snake_malware_service_create.yml
index a256f60b75..93f2387e66 100644
--- a/detections/endpoint/windows_snake_malware_service_create.yml
+++ b/detections/endpoint/windows_snake_malware_service_create.yml
@@ -47,7 +47,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 72
required_fields:
- EventCode
- Service_File_Name
diff --git a/detections/endpoint/windows_soaphound_binary_execution.yml b/detections/endpoint/windows_soaphound_binary_execution.yml
index ab9a4a5e1d..ac4066717d 100644
--- a/detections/endpoint/windows_soaphound_binary_execution.yml
+++ b/detections/endpoint/windows_soaphound_binary_execution.yml
@@ -69,7 +69,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 80
required_fields:
- Processes.process
- Processes.dest
diff --git a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml
index ce4cd751bd..26160f8863 100644
--- a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml
+++ b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml
@@ -57,7 +57,6 @@ tags:
- QueryResults
- QueryStatus
- dest
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
@@ -66,4 +65,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
index 049d921724..e7bd20fd2f 100644
--- a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
+++ b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
@@ -74,7 +74,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
@@ -83,4 +82,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
index ebdfcb4170..abd4f8bb9b 100644
--- a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
@@ -58,7 +58,6 @@ tags:
- Caller_User_Name
- Computer
- PrivilegeList
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_sql_spawning_certutil.yml b/detections/endpoint/windows_sql_spawning_certutil.yml
index 0fc30cee1f..0f3d29f2a5 100644
--- a/detections/endpoint/windows_sql_spawning_certutil.yml
+++ b/detections/endpoint/windows_sql_spawning_certutil.yml
@@ -66,7 +66,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 90
required_fields:
- Processes.dest
- Processes.user
diff --git a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
index e2e505f872..678bf23fd6 100644
--- a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
+++ b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
@@ -67,7 +67,6 @@ tags:
- user
- Computer
- EventCode
- risk_score: 64
security_domain: endpoint
cve: []
tests:
diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
index be6c246e52..27c86c6c70 100644
--- a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
@@ -79,7 +79,6 @@ tags:
- EventCode
- Requester
- RequestId
- risk_score: 60
security_domain: endpoint
tests:
- name: True Positive Test
@@ -88,4 +87,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
index dd46987277..9cd6a2d0d5 100644
--- a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
@@ -103,7 +103,6 @@ tags:
- TargetUserName
- Computer
- IpAddress
- risk_score: 90
security_domain: endpoint
tests:
- name: True Positive Test
@@ -112,4 +111,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
index 73de2f92b3..e5f0a29457 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
@@ -50,7 +50,6 @@ tags:
- Requester
- action
- Attributes
- risk_score: 8
security_domain: endpoint
tests:
- name: True Positive Test
@@ -59,4 +58,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
index 5b5fac3a21..cb00e0ac4b 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
@@ -50,7 +50,6 @@ tags:
- Requester
- action
- Attributes
- risk_score: 8
security_domain: endpoint
tests:
- name: True Positive Test
@@ -59,4 +58,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
index eb383c7f53..aa6f3fa465 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
@@ -81,7 +81,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 40
security_domain: endpoint
tests:
- name: True Positive Test
@@ -90,4 +89,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
index ebeefc9216..641c4fdfd9 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
@@ -48,7 +48,6 @@ tags:
- _time
- Computer
- UserData_Xml
- risk_score: 24
security_domain: endpoint
tests:
- name: True Positive Test
@@ -57,4 +56,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/capi2-operational.log
source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
index 4af79337fa..76326bdfa0 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
@@ -51,7 +51,6 @@ tags:
- action
- Caller_Domain
- Caller_User_Name
- risk_score: 40
security_domain: endpoint
tests:
- name: True Positive Test
@@ -60,4 +59,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
index f6707a3b2a..4cfea44f65 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
@@ -81,7 +81,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
@@ -90,4 +89,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
index a166cbf42c..2e87be2456 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
@@ -81,7 +81,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
@@ -90,4 +89,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml
index c757ae6f36..b80ffafc51 100644
--- a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml
+++ b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml
@@ -71,7 +71,6 @@ tags:
- Processes.parent_process_id
- Processes.parent_process_guid
- Processes.process_guid
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
@@ -80,4 +79,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
index 3529b53f4f..a417837dad 100644
--- a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
+++ b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
@@ -79,7 +79,6 @@ tags:
- All_Traffic.dest
- All_Traffic.dest_ip
- All_Traffic.dest_port
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
@@ -88,4 +87,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
index b3159bdd92..4068f19bd4 100644
--- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
+++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
@@ -79,7 +79,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 90
security_domain: endpoint
tests:
- name: True Positive Test
@@ -88,4 +87,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
index b121af2adf..1c48eb3d3a 100644
--- a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
+++ b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
@@ -69,7 +69,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 1
security_domain: endpoint
tests:
- name: True Positive Test
@@ -78,4 +77,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_discovery_using_qwinsta.yml b/detections/endpoint/windows_system_discovery_using_qwinsta.yml
index cad6db4e70..ef1193b25a 100644
--- a/detections/endpoint/windows_system_discovery_using_qwinsta.yml
+++ b/detections/endpoint/windows_system_discovery_using_qwinsta.yml
@@ -69,7 +69,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
@@ -78,4 +77,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_file_on_disk.yml b/detections/endpoint/windows_system_file_on_disk.yml
index 0b7236e303..3e82f7cca9 100644
--- a/detections/endpoint/windows_system_file_on_disk.yml
+++ b/detections/endpoint/windows_system_file_on_disk.yml
@@ -58,7 +58,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 10
security_domain: endpoint
tests:
- name: True Positive Test
@@ -67,4 +66,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml
index 47df27c902..0055a8a82b 100644
--- a/detections/endpoint/windows_system_logoff_commandline.yml
+++ b/detections/endpoint/windows_system_logoff_commandline.yml
@@ -71,7 +71,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
@@ -80,4 +79,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
index 819e644fb7..b8b67bbc00 100644
--- a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
+++ b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
@@ -72,7 +72,6 @@ tags:
- Processes.parent_process_id
- Processes.parent_process_guid
- Processes.process_guid
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
@@ -81,4 +80,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
index 30bb8b9341..68449a0b7c 100644
--- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
+++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
@@ -73,7 +73,6 @@ tags:
- Processes.parent_process_id
- Processes.parent_process_guid
- Processes.process_guid
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
@@ -82,4 +81,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml
index 8fc6f31501..0ea65d4f73 100644
--- a/detections/endpoint/windows_system_reboot_commandline.yml
+++ b/detections/endpoint/windows_system_reboot_commandline.yml
@@ -72,7 +72,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 30
security_domain: endpoint
tests:
- name: True Positive Test
@@ -81,4 +80,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
index 125d4594ea..c17b066617 100644
--- a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
+++ b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
@@ -84,7 +84,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 30
security_domain: endpoint
tests:
- name: True Positive Test
@@ -93,4 +92,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml
index e08094384d..b2a55c06c3 100644
--- a/detections/endpoint/windows_system_shutdown_commandline.yml
+++ b/detections/endpoint/windows_system_shutdown_commandline.yml
@@ -72,7 +72,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
@@ -81,4 +80,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/shutdown_commandline/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
index 8112d779b7..223c96973b 100644
--- a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
+++ b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
@@ -71,7 +71,6 @@ tags:
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
- risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
@@ -80,4 +79,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_delay_execution/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_user_discovery_via_quser.yml b/detections/endpoint/windows_system_user_discovery_via_quser.yml
index 6615b6fd5c..86e11b1b32 100644
--- a/detections/endpoint/windows_system_user_discovery_via_quser.yml
+++ b/detections/endpoint/windows_system_user_discovery_via_quser.yml
@@ -73,7 +73,6 @@ tags:
- Processes.parent_process_id
- Processes.parent_process_guid
- Processes.process_guid
- risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
@@ -82,4 +81,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/endpoint/windows_system_user_privilege_discovery.yml b/detections/endpoint/windows_system_user_privilege_discovery.yml
index 7133161692..3cecc237cc 100644
--- a/detections/endpoint/windows_system_user_privilege_discovery.yml
+++ b/detections/endpoint/windows_system_user_privilege_discovery.yml
@@ -55,7 +55,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 15
required_fields:
- _time
- Processes.dest
diff --git a/detections/endpoint/windows_terminating_lsass_process.yml b/detections/endpoint/windows_terminating_lsass_process.yml
index fe239ff752..c305b9af67 100644
--- a/detections/endpoint/windows_terminating_lsass_process.yml
+++ b/detections/endpoint/windows_terminating_lsass_process.yml
@@ -63,7 +63,6 @@ tags:
- SourceImage
- SourceProcessId
- GrantedAccess
- risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml
index 652ad00ac9..008485c922 100644
--- a/detections/endpoint/windows_time_based_evasion.yml
+++ b/detections/endpoint/windows_time_based_evasion.yml
@@ -54,7 +54,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 36
required_fields:
- _time
- Processes.dest
diff --git a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
index 824ee4ec3e..69cf41ff9a 100644
--- a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
+++ b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
@@ -56,7 +56,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 25
required_fields:
- _time
- Processes.dest
diff --git a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
index 043391f020..99a8e016fa 100644
--- a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
+++ b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
@@ -75,7 +75,6 @@ tags:
- Processes.process_path
- Processes.process_integrity_level
- Processes.process_current_directory
- risk_score: 45
security_domain: endpoint
tests:
- name: True Positive Test
@@ -84,4 +83,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml index e52844bd6f..24f5582e0b 100644 --- a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml +++ b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml @@ -95,7 +95,6 @@ tags: - Processes.process_path - Processes.process_integrity_level - Processes.process_current_directory - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test @@ -104,4 +103,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml index c482f4cee1..bddbf5568b 100644 --- a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml +++ b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml @@ -47,7 +47,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - object_file_name diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml index 0217eacff5..2116748bb1 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml 
@@ -47,7 +47,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Image diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml index 1265f51ed7..1e58e86183 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml @@ -46,7 +46,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 required_fields: - _time - Image diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml index 3145bf094b..04fa0d6a6c 100644 --- a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml @@ -72,7 +72,6 @@ tags: - user - Computer - EventCode - risk_score: 9 security_domain: endpoint cve: [] tests: diff --git a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml index c35ac5aff3..05c0ad54bd 100644 --- a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml +++ b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml @@ -59,7 +59,6 @@ tags: - Status - TargetUserName - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data: diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml index 73c8ec95b0..cb649a3dcf 100644 --- a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml 
+++ b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml @@ -59,7 +59,6 @@ tags: - Status - TargetUserName - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data: diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml index 7a5203e123..5219c921e3 100644 --- a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml +++ b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml @@ -61,7 +61,6 @@ tags: - TargetUserName - Workstation - Status - risk_score: 49 security_domain: endpoint tests: - attack_data: diff --git a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml index 458d7d8f5f..b1d112342c 100644 --- a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml +++ b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml @@ -62,7 +62,6 @@ tags: - Target_User_Name - Caller_User_Name - Computer - risk_score: 49 security_domain: endpoint tests: - attack_data: diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml index 32184389f6..25129b6542 100644 --- a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml +++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml @@ -60,7 +60,6 @@ tags: - Status - TargetUserName - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data: 
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml index b9a9ff7198..bb4d9277e2 100644 --- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml +++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml @@ -64,7 +64,6 @@ tags: - SubjectUserName - TargetUserName - Computer - risk_score: 49 security_domain: endpoint tests: - attack_data: diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml index 48afd2bdfe..a65c4ea2c6 100644 --- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml +++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml @@ -57,7 +57,6 @@ tags: - Status - TargetUserName - Workstation - risk_score: 49 security_domain: endpoint tests: - attack_data: diff --git a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml index 8c07be7abd..387f9141de 100644 --- a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml +++ b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml @@ -58,7 +58,6 @@ tags: - TargetUserName - Computer - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data: diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml index 819ed666d4..db950808e6 100644 --- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml 
+++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml @@ -62,7 +62,6 @@ tags: - Filesystem.file_path - Filesystem.process_guid - Filesystem.dest - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test @@ -71,4 +70,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_valid_account_with_never_expires_password.yml b/detections/endpoint/windows_valid_account_with_never_expires_password.yml index bbd1bc14bf..37798d710c 100644 --- a/detections/endpoint/windows_valid_account_with_never_expires_password.yml +++ b/detections/endpoint/windows_valid_account_with_never_expires_password.yml @@ -70,7 +70,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test @@ -79,4 +78,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_vulnerable_3cx_software.yml b/detections/endpoint/windows_vulnerable_3cx_software.yml index 92b8990d68..b85079fac2 100644 --- a/detections/endpoint/windows_vulnerable_3cx_software.yml +++ b/detections/endpoint/windows_vulnerable_3cx_software.yml @@ -65,7 +65,6 @@ tags: - CommandLine - dest - parent_process_name - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml index 373abfb0ea..e7336ad880 100644 --- a/detections/endpoint/windows_vulnerable_driver_installed.yml 
+++ b/detections/endpoint/windows_vulnerable_driver_installed.yml @@ -46,7 +46,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 required_fields: - ServiceType - driver_name diff --git a/detections/endpoint/windows_vulnerable_driver_loaded.yml b/detections/endpoint/windows_vulnerable_driver_loaded.yml index c85fdcc548..c65d21d923 100644 --- a/detections/endpoint/windows_vulnerable_driver_loaded.yml +++ b/detections/endpoint/windows_vulnerable_driver_loaded.yml @@ -65,7 +65,6 @@ tags: - _time - dest - ImageLoaded - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test @@ -74,4 +73,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_windbg_spawning_autoit3.yml b/detections/endpoint/windows_windbg_spawning_autoit3.yml index c8bbd6fdf2..9eaecbf97e 100644 --- a/detections/endpoint/windows_windbg_spawning_autoit3.yml +++ b/detections/endpoint/windows_windbg_spawning_autoit3.yml @@ -70,7 +70,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - Processes.dest - Processes.user diff --git a/detections/endpoint/windows_winlogon_with_public_network_connection.yml b/detections/endpoint/windows_winlogon_with_public_network_connection.yml index 2f9a4cf7c8..f1f66edb2b 100644 --- a/detections/endpoint/windows_winlogon_with_public_network_connection.yml +++ b/detections/endpoint/windows_winlogon_with_public_network_connection.yml @@ -58,7 +58,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 required_fields: - dest - parent_process_name diff --git a/detections/endpoint/windows_wmi_impersonate_token.yml b/detections/endpoint/windows_wmi_impersonate_token.yml index f6cb1a1bf1..169fb10ab1 100644 
--- a/detections/endpoint/windows_wmi_impersonate_token.yml +++ b/detections/endpoint/windows_wmi_impersonate_token.yml @@ -60,7 +60,6 @@ tags: - GrantedAccess - CallTrace - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test @@ -69,4 +68,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_wmi_process_and_service_list.yml b/detections/endpoint/windows_wmi_process_and_service_list.yml index 66318b4a45..55bf94ff0b 100644 --- a/detections/endpoint/windows_wmi_process_and_service_list.yml +++ b/detections/endpoint/windows_wmi_process_and_service_list.yml @@ -72,7 +72,6 @@ tags: - Processes.parent_process_id - Processes.parent_process_guid - Processes.process_guid - risk_score: 4 security_domain: endpoint tests: - name: True Positive Test @@ -81,4 +80,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true diff --git a/detections/endpoint/windows_wmi_process_call_create.yml b/detections/endpoint/windows_wmi_process_call_create.yml index 4b25361044..6adb5f8f1f 100644 --- a/detections/endpoint/windows_wmi_process_call_create.yml +++ b/detections/endpoint/windows_wmi_process_call_create.yml @@ -80,7 +80,6 @@ tags: - Processes.process_path - Processes.parent_process_id - Processes.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml index 33aeb76209..d517247458 100644 --- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml 
+++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml @@ -62,7 +62,6 @@ tags: - Task_Name - Description - Command - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index e12de23452..384d9c2176 100644 --- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -68,7 +68,6 @@ tags: - Task_Name - Description - Command - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index a30da724a5..5c3be3a5fc 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml @@ -66,7 +66,6 @@ tags: - EventID - dest - ProcessID - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/winhlp32_spawning_a_process.yml b/detections/endpoint/winhlp32_spawning_a_process.yml index 8a548f94a9..25473bbd6c 100644 --- a/detections/endpoint/winhlp32_spawning_a_process.yml +++ b/detections/endpoint/winhlp32_spawning_a_process.yml @@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/winrar_spawning_shell_application.yml b/detections/endpoint/winrar_spawning_shell_application.yml index 2664e41ba3..612ddc135c 100644 --- a/detections/endpoint/winrar_spawning_shell_application.yml +++ b/detections/endpoint/winrar_spawning_shell_application.yml 
@@ -77,7 +77,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 70 required_fields: - Processes.dest - Processes.user diff --git a/detections/endpoint/winrm_spawning_a_process.yml b/detections/endpoint/winrm_spawning_a_process.yml index f264bee32b..fc16fe1b5e 100644 --- a/detections/endpoint/winrm_spawning_a_process.yml +++ b/detections/endpoint/winrm_spawning_a_process.yml @@ -72,5 +72,4 @@ tags: - Processes.process - Processes.process_id - Processes.parent_process_id - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/winword_spawning_cmd.yml b/detections/endpoint/winword_spawning_cmd.yml index b556dd77a0..2c46ee50ca 100644 --- a/detections/endpoint/winword_spawning_cmd.yml +++ b/detections/endpoint/winword_spawning_cmd.yml @@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/winword_spawning_powershell.yml b/detections/endpoint/winword_spawning_powershell.yml index 8dcfca564b..4bb4095c54 100644 --- a/detections/endpoint/winword_spawning_powershell.yml +++ b/detections/endpoint/winword_spawning_powershell.yml @@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/winword_spawning_windows_script_host.yml b/detections/endpoint/winword_spawning_windows_script_host.yml index fe26ab1e9c..3fda44bbff 100644 --- a/detections/endpoint/winword_spawning_windows_script_host.yml +++ b/detections/endpoint/winword_spawning_windows_script_host.yml @@ -72,7 +72,6 @@ tags: - dest - user - parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/wmi_permanent_event_subscription.yml b/detections/endpoint/wmi_permanent_event_subscription.yml index 66c5755a09..1029e0ca3a 100644 --- a/detections/endpoint/wmi_permanent_event_subscription.yml +++ b/detections/endpoint/wmi_permanent_event_subscription.yml @@ -43,5 +43,4 @@ tags: - Message - consumer - ComputerName - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml index 754d36939a..1b2bc09b0b 100644 --- a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml +++ b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml @@ -61,7 +61,6 @@ tags: - Query - Consumer - Filter - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/wmi_recon_running_process_or_services.yml b/detections/endpoint/wmi_recon_running_process_or_services.yml index bd3d1d259a..6e85c0635e 100644 --- a/detections/endpoint/wmi_recon_running_process_or_services.yml +++ b/detections/endpoint/wmi_recon_running_process_or_services.yml @@ -62,7 +62,6 @@ tags: - Computer - UserID - EventCode - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/wmi_temporary_event_subscription.yml b/detections/endpoint/wmi_temporary_event_subscription.yml index 8f1072481d..62e7026dd9 100644 --- a/detections/endpoint/wmi_temporary_event_subscription.yml +++ b/detections/endpoint/wmi_temporary_event_subscription.yml @@ -51,5 +51,4 @@ tags: - EventCode - Message - query - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/wmic_group_discovery.yml b/detections/endpoint/wmic_group_discovery.yml index 716380a511..d6aad37b3e 100644 --- a/detections/endpoint/wmic_group_discovery.yml +++ b/detections/endpoint/wmic_group_discovery.yml 
@@ -72,7 +72,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml index fb1fb67d6f..96096b1a49 100644 --- a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml +++ b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml @@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/wmic_xsl_execution_via_url.yml b/detections/endpoint/wmic_xsl_execution_via_url.yml index 70e85434ac..2f2507f146 100644 --- a/detections/endpoint/wmic_xsl_execution_via_url.yml +++ b/detections/endpoint/wmic_xsl_execution_via_url.yml @@ -82,7 +82,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml index f8d610725e..76e09d7739 100644 --- a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml @@ -79,7 +79,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml index d66f48a080..e16d234297 100644 --- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml +++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml 
@@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml index 2d595d3285..21b6c960b9 100644 --- a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml @@ -80,7 +80,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/wsreset_uac_bypass.yml b/detections/endpoint/wsreset_uac_bypass.yml index addf1d284f..a7bf349a8b 100644 --- a/detections/endpoint/wsreset_uac_bypass.yml +++ b/detections/endpoint/wsreset_uac_bypass.yml @@ -81,7 +81,6 @@ tags: - Registry.registry_path - Registry.registry_value_data - Registry.process_guid - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/xmrig_driver_loaded.yml b/detections/endpoint/xmrig_driver_loaded.yml index e68eb7e1b4..958c636dac 100644 --- a/detections/endpoint/xmrig_driver_loaded.yml +++ b/detections/endpoint/xmrig_driver_loaded.yml @@ -53,7 +53,6 @@ tags: - IMPHASH - Signature - Signed - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/xsl_script_execution_with_wmic.yml b/detections/endpoint/xsl_script_execution_with_wmic.yml index b06116aa92..0cf9d43b49 100644 --- a/detections/endpoint/xsl_script_execution_with_wmic.yml +++ b/detections/endpoint/xsl_script_execution_with_wmic.yml @@ -79,7 +79,6 @@ tags: - Processes.process - Processes.dest - Processes.user - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/network/detect_arp_poisoning.yml b/detections/network/detect_arp_poisoning.yml index 2dae82e3f5..5969546a75 100644 --- a/detections/network/detect_arp_poisoning.yml +++ b/detections/network/detect_arp_poisoning.yml @@ -60,5 +60,4 @@ tags: - src_int_suffix - host - src_interface - risk_score: 25 security_domain: network diff --git a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml index 9b33d3d609..795ce57e9c 100644 --- a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml +++ b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml @@ -86,5 +86,4 @@ tags: - domain - firstTime - lastTime - risk_score: 63 security_domain: network diff --git a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml index 2b626e75f4..28f3953b25 100644 --- a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml +++ b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml @@ -78,5 +78,4 @@ tags: - DNS.src - DNS.dest - DNS.answer - risk_score: 45 security_domain: network diff --git a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml index 390d41a9a6..e371310f36 100644 --- a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml +++ b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml @@ -74,7 +74,6 @@ tags: - DNS.answer - DNS.query - host - risk_score: 56 security_domain: network tests: - name: True Positive Test diff --git a/detections/network/detect_ipv6_network_infrastructure_threats.yml b/detections/network/detect_ipv6_network_infrastructure_threats.yml index 3a50bf7804..ca9570246c 100644 
--- a/detections/network/detect_ipv6_network_infrastructure_threats.yml +++ b/detections/network/detect_ipv6_network_infrastructure_threats.yml @@ -71,5 +71,4 @@ tags: - src_vlan - vendor_explanation - action - risk_score: 25 security_domain: network diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml index c4dc8a9563..8b2d892e02 100644 --- a/detections/network/detect_large_outbound_icmp_packets.yml +++ b/detections/network/detect_large_outbound_icmp_packets.yml @@ -65,5 +65,4 @@ tags: - All_Traffic.transport - All_Traffic.src_ip - All_Traffic.dest_ip - risk_score: 25 security_domain: network diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml index ea8dfaf973..f5147ed679 100644 --- a/detections/network/detect_outbound_ldap_traffic.yml +++ b/detections/network/detect_outbound_ldap_traffic.yml @@ -58,7 +58,6 @@ tags: - All_Traffic.dest_ip - All_Traffic.dest_port - All_Traffic.src_ip - risk_score: 56 security_domain: network tests: - name: True Positive Test diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml index 67643b492d..ae5f1f504a 100644 --- a/detections/network/detect_outbound_smb_traffic.yml +++ b/detections/network/detect_outbound_smb_traffic.yml @@ -69,7 +69,6 @@ tags: - sourcetype - All_Traffic.src_ip - All_Traffic.direction - risk_score: 25 security_domain: network tests: - name: True Positive Test diff --git a/detections/network/detect_port_security_violation.yml b/detections/network/detect_port_security_violation.yml index 3df84d3efe..c6b40291d1 100644 --- a/detections/network/detect_port_security_violation.yml +++ b/detections/network/detect_port_security_violation.yml @@ -63,5 +63,4 @@ tags: - action - host - src_interface - risk_score: 25 security_domain: network 
diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml index a48285b7ee..de94a9d4c3 100644 --- a/detections/network/detect_remote_access_software_usage_dns.yml +++ b/detections/network/detect_remote_access_software_usage_dns.yml @@ -60,7 +60,6 @@ tags: - DNS.src - DNS.query - DNS.answer - risk_score: 4 security_domain: endpoint manual_test: This detection uses A&I lookups from Enterprise Security. tests: diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml index a5dcf1b690..d6cc81a15c 100644 --- a/detections/network/detect_remote_access_software_usage_traffic.yml +++ b/detections/network/detect_remote_access_software_usage_traffic.yml @@ -66,7 +66,6 @@ tags: - All_Traffic.app - All_Traffic.dest_port - user - risk_score: 25 security_domain: network manual_test: This detection uses A&I lookups from Enterprise Security. tests: diff --git a/detections/network/detect_rogue_dhcp_server.yml b/detections/network/detect_rogue_dhcp_server.yml index a9254f53b9..1a84ae421f 100644 --- a/detections/network/detect_rogue_dhcp_server.yml +++ b/detections/network/detect_rogue_dhcp_server.yml @@ -54,5 +54,4 @@ tags: - message_type - src_mac - host - risk_score: 25 security_domain: network diff --git a/detections/network/detect_snicat_sni_exfiltration.yml b/detections/network/detect_snicat_sni_exfiltration.yml index 6f67469d31..7499c113c2 100644 --- a/detections/network/detect_snicat_sni_exfiltration.yml +++ b/detections/network/detect_snicat_sni_exfiltration.yml @@ -50,5 +50,4 @@ tags: - server_name - src_ip - dest_ip - risk_score: 25 security_domain: network diff --git a/detections/network/detect_software_download_to_network_device.yml b/detections/network/detect_software_download_to_network_device.yml index 50d3f0b30c..a02fecff79 100644 
--- a/detections/network/detect_software_download_to_network_device.yml +++ b/detections/network/detect_software_download_to_network_device.yml @@ -58,5 +58,4 @@ tags: - All_Traffic.src_category - All_Traffic.src - All_Traffic.dest - risk_score: 25 security_domain: network diff --git a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml index 093cf15ce4..7358f15cf6 100644 --- a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml +++ b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml @@ -89,5 +89,4 @@ tags: - DNS.src - DNS.dest - DNS.answer - risk_score: 45 security_domain: network diff --git a/detections/network/detect_traffic_mirroring.yml b/detections/network/detect_traffic_mirroring.yml index 6905c3e69a..f8421b5e9c 100644 --- a/detections/network/detect_traffic_mirroring.yml +++ b/detections/network/detect_traffic_mirroring.yml @@ -55,5 +55,4 @@ tags: - facility - mnemonic - host - risk_score: 25 security_domain: network diff --git a/detections/network/detect_unauthorized_assets_by_mac_address.yml b/detections/network/detect_unauthorized_assets_by_mac_address.yml index dd1bed53cc..f66a124ba2 100644 --- a/detections/network/detect_unauthorized_assets_by_mac_address.yml +++ b/detections/network/detect_unauthorized_assets_by_mac_address.yml @@ -51,5 +51,4 @@ tags: - All_Sessions.signature - All_Sessions.src_ip - All_Sessions.dest_mac - risk_score: 25 security_domain: network diff --git a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml index 6dc617e251..0e07b0377d 100644 --- a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml +++ b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml 
@@ -46,5 +46,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: network
diff --git a/detections/network/detect_windows_dns_sigred_via_zeek.yml b/detections/network/detect_windows_dns_sigred_via_zeek.yml
index 6cffde76c0..f47afd957b 100644
--- a/detections/network/detect_windows_dns_sigred_via_zeek.yml
+++ b/detections/network/detect_windows_dns_sigred_via_zeek.yml
@@ -46,5 +46,4 @@ tags:
 - DNS.flow_id
 - All_Traffic.bytes_in
 - All_Traffic.flow_id
- risk_score: 25
 security_domain: endpoint
diff --git a/detections/network/detect_zerologon_via_zeek.yml b/detections/network/detect_zerologon_via_zeek.yml
index d7885eff30..0c04fb447b 100644
--- a/detections/network/detect_zerologon_via_zeek.yml
+++ b/detections/network/detect_zerologon_via_zeek.yml
@@ -47,5 +47,4 @@ tags:
 required_fields:
 - _time
 - operation
- risk_score: 25
 security_domain: network
diff --git a/detections/network/dns_query_length_outliers___mltk.yml b/detections/network/dns_query_length_outliers___mltk.yml
index 30677e8872..60707a618b 100644
--- a/detections/network/dns_query_length_outliers___mltk.yml
+++ b/detections/network/dns_query_length_outliers___mltk.yml
@@ -69,5 +69,4 @@ tags:
 - DNS.dest
 - DNS.query
 - DNS.record_type
- risk_score: 25
 security_domain: network
diff --git a/detections/network/dns_query_length_with_high_standard_deviation.yml b/detections/network/dns_query_length_with_high_standard_deviation.yml
index db3f32e5c8..450e082c48 100644
--- a/detections/network/dns_query_length_with_high_standard_deviation.yml
+++ b/detections/network/dns_query_length_with_high_standard_deviation.yml
@@ -51,7 +51,6 @@ tags:
 required_fields:
 - _time
 - DNS.query
- risk_score: 56
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/network/excessive_dns_failures.yml b/detections/network/excessive_dns_failures.yml
index 81820f3276..c0f412d2c4 100644
--- a/detections/network/excessive_dns_failures.yml
+++ b/detections/network/excessive_dns_failures.yml
@@ -54,5 +54,4 @@ tags:
 - DNS.query
 - DNS.reply_code
 - DNS.src
- risk_score: 25
 security_domain: network
diff --git a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml
index 2cb77c3b2f..5fba2b185f 100644
--- a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml
+++ b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml
@@ -60,7 +60,6 @@ tags:
 - Web.src
 - Web.dest
 - Web.http_user_agent
- risk_score: 70
 security_domain: network
 tests:
 - name: True Positive Test
@@ -69,4 +68,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5.log
 source: pan:threat
 sourcetype: pan:threat
- update_timestamp: true
diff --git a/detections/network/high_volume_of_bytes_out_to_url.yml b/detections/network/high_volume_of_bytes_out_to_url.yml
index 44ca220d6a..f6488bac3a 100644
--- a/detections/network/high_volume_of_bytes_out_to_url.yml
+++ b/detections/network/high_volume_of_bytes_out_to_url.yml
@@ -62,7 +62,6 @@ tags:
 - Web.src
 - Web.dest
 - Web.http_user_agent
- risk_score: 9
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml b/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml
index be65e76829..1b296278f8 100644
--- a/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml
+++ b/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml
@@ -62,5 +62,4 @@ tags:
 - All_Traffic.bytes_in
 - All_Traffic.dest_category
 - All_Traffic.src_ip
- risk_score: 25
 security_domain: network
diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml
index 2482756b8d..ef09ce0649 100644
--- a/detections/network/internal_horizontal_port_scan.yml
+++ b/detections/network/internal_horizontal_port_scan.yml
@@ -48,7 +48,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 64
 required_fields:
 - _time
 - All_Traffic.action
diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml
index d322a38390..5f2fae84f5 100644
--- a/detections/network/internal_vertical_port_scan.yml
+++ b/detections/network/internal_vertical_port_scan.yml
@@ -50,7 +50,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 64
 required_fields:
 - _time
 - All_Traffic.action
diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml
index 342cb164d1..14d917f75a 100644
--- a/detections/network/internal_vulnerability_scan.yml
+++ b/detections/network/internal_vulnerability_scan.yml
@@ -49,7 +49,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 64
 required_fields:
 - _time
 - IDS_Attacks.action
diff --git a/detections/network/large_volume_of_dns_any_queries.yml b/detections/network/large_volume_of_dns_any_queries.yml
index 22007a1cfa..fb927fcdb8 100644
--- a/detections/network/large_volume_of_dns_any_queries.yml
+++ b/detections/network/large_volume_of_dns_any_queries.yml
@@ -47,5 +47,4 @@ tags:
 - DNS.message_type
 - DNS.record_type
 - DNS.dest
- risk_score: 25
 security_domain: network
diff --git a/detections/network/multiple_archive_files_http_post_traffic.yml b/detections/network/multiple_archive_files_http_post_traffic.yml
index 9120c894ba..7573a3ed8f 100644
--- a/detections/network/multiple_archive_files_http_post_traffic.yml
+++ b/detections/network/multiple_archive_files_http_post_traffic.yml
@@ -60,7 +60,6 @@ tags:
 - archive_hdr1
 - archive_hdr2
 - form_data
- risk_score: 25
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/network/ngrok_reverse_proxy_on_network.yml b/detections/network/ngrok_reverse_proxy_on_network.yml
index d1b33bc26b..4a2c7f3fc0 100644
--- a/detections/network/ngrok_reverse_proxy_on_network.yml
+++ b/detections/network/ngrok_reverse_proxy_on_network.yml
@@ -50,7 +50,6 @@ tags:
 - DNS.src
 - DNS.query
 - DNS.answer
- risk_score: 50
 security_domain: network
 tests:
 - name: True Positive Test
@@ -59,4 +58,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
- update_timestamp: true
diff --git a/detections/network/plain_http_post_exfiltrated_data.yml b/detections/network/plain_http_post_exfiltrated_data.yml
index d44da6f3e8..190006f5ed 100644
--- a/detections/network/plain_http_post_exfiltrated_data.yml
+++ b/detections/network/plain_http_post_exfiltrated_data.yml
@@ -55,7 +55,6 @@ tags:
 - url
 - bytes_in
 - bytes_out
- risk_score: 63
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/network/prohibited_network_traffic_allowed.yml b/detections/network/prohibited_network_traffic_allowed.yml
index 4c1c265a7e..62207b492e 100644
--- a/detections/network/prohibited_network_traffic_allowed.yml
+++ b/detections/network/prohibited_network_traffic_allowed.yml
@@ -57,7 +57,6 @@ tags:
 - All_Traffic.src_ip
 - All_Traffic.dest_ip
 - All_Traffic.dest_port
- risk_score: 25
 security_domain: network
 manual_test: This detection uses builtin lookup from Enterprise Security.
 tests:
diff --git a/detections/network/protocol_or_port_mismatch.yml b/detections/network/protocol_or_port_mismatch.yml
index 7651f15b0c..4aa30cc2dd 100644
--- a/detections/network/protocol_or_port_mismatch.yml
+++ b/detections/network/protocol_or_port_mismatch.yml
@@ -54,5 +54,4 @@ tags:
 - All_Traffic.dest_port
 - All_Traffic.src_ip
 - All_Traffic.dest_ip
- risk_score: 25
 security_domain: network
diff --git a/detections/network/protocols_passing_authentication_in_cleartext.yml b/detections/network/protocols_passing_authentication_in_cleartext.yml
index b46553a399..2ce2e34862 100644
--- a/detections/network/protocols_passing_authentication_in_cleartext.yml
+++ b/detections/network/protocols_passing_authentication_in_cleartext.yml
@@ -58,5 +58,4 @@ tags:
 - All_Traffic.src
 - All_Traffic.dest
 - All_Traffic.action
- risk_score: 25
 security_domain: network
diff --git a/detections/network/remote_desktop_network_bruteforce.yml b/detections/network/remote_desktop_network_bruteforce.yml
index 44de7180fa..21bfad9f41 100644
--- a/detections/network/remote_desktop_network_bruteforce.yml
+++ b/detections/network/remote_desktop_network_bruteforce.yml
@@ -51,5 +51,4 @@ tags:
 - All_Traffic.src
 - All_Traffic.dest
 - All_Traffic.dest_port
- risk_score: 25
 security_domain: network
diff --git a/detections/network/remote_desktop_network_traffic.yml b/detections/network/remote_desktop_network_traffic.yml
index 90269189f7..c6928c5cb0 100644
--- a/detections/network/remote_desktop_network_traffic.yml
+++ b/detections/network/remote_desktop_network_traffic.yml
@@ -65,7 +65,6 @@ tags:
 - All_Traffic.src
 - All_Traffic.dest
 - All_Traffic.dest_port
- risk_score: 25
 security_domain: network
 manual_test: This detection uses builtin lookup from Enterprise Security.
 tests:
diff --git a/detections/network/smb_traffic_spike.yml b/detections/network/smb_traffic_spike.yml
index ab999aa0dc..3c4d54eaab 100644
--- a/detections/network/smb_traffic_spike.yml
+++ b/detections/network/smb_traffic_spike.yml
@@ -48,5 +48,4 @@ tags:
 - All_Traffic.dest_port
 - All_Traffic.app
 - All_Traffic.src
- risk_score: 25
 security_domain: network
diff --git a/detections/network/smb_traffic_spike___mltk.yml b/detections/network/smb_traffic_spike___mltk.yml
index 5f2317f4e6..31a76e709f 100644
--- a/detections/network/smb_traffic_spike___mltk.yml
+++ b/detections/network/smb_traffic_spike___mltk.yml
@@ -70,5 +70,4 @@ tags:
 - All_Traffic.dest_port
 - All_Traffic.app
 - All_Traffic.src
- risk_score: 25
 security_domain: network
diff --git a/detections/network/ssl_certificates_with_punycode.yml b/detections/network/ssl_certificates_with_punycode.yml
index 15f10eb50a..ec2158d107 100644
--- a/detections/network/ssl_certificates_with_punycode.yml
+++ b/detections/network/ssl_certificates_with_punycode.yml
@@ -58,5 +58,4 @@ tags:
 - All_Certificates.SSL.src
 - All_Certificates.SSL.sourcetype
 - All_Certificates.SSL.ssl_subject_email_domain
- risk_score: 15
 security_domain: network
diff --git a/detections/network/tor_traffic.yml b/detections/network/tor_traffic.yml
index 200eddc4f1..70f3e0732b 100644
--- a/detections/network/tor_traffic.yml
+++ b/detections/network/tor_traffic.yml
@@ -59,7 +59,6 @@ tags:
 - All_Traffic.src_ip
 - All_Traffic.dest_ip
 - All_Traffic.dest_port
- risk_score: 80
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/network/unusually_long_content_type_length.yml b/detections/network/unusually_long_content_type_length.yml
index 2d6ecb1b3c..695ad46ac1 100644
--- a/detections/network/unusually_long_content_type_length.yml
+++ b/detections/network/unusually_long_content_type_length.yml
@@ -46,5 +46,4 @@ tags:
 - src_ip
 - dest_ip
 - url
- risk_score: 25
 security_domain: network
diff --git a/detections/network/windows_ad_replication_service_traffic.yml b/detections/network/windows_ad_replication_service_traffic.yml
index 4d254d24ea..792922311f 100644
--- a/detections/network/windows_ad_replication_service_traffic.yml
+++ b/detections/network/windows_ad_replication_service_traffic.yml
@@ -56,5 +56,4 @@ tags:
 - All_Traffic.src
 - All_Traffic.dest
 - All_Traffic.app
- risk_score: 100
 security_domain: network
diff --git a/detections/network/windows_ad_rogue_domain_controller_network_activity.yml b/detections/network/windows_ad_rogue_domain_controller_network_activity.yml
index e4678ee492..70c200e8d8 100644
--- a/detections/network/windows_ad_rogue_domain_controller_network_activity.yml
+++ b/detections/network/windows_ad_rogue_domain_controller_network_activity.yml
@@ -49,5 +49,4 @@ tags:
 - _time
 - src
 - dest
- risk_score: 100
 security_domain: network
diff --git a/detections/network/zeek_x509_certificate_with_punycode.yml b/detections/network/zeek_x509_certificate_with_punycode.yml
index 5fddaf6167..4701b1c898 100644
--- a/detections/network/zeek_x509_certificate_with_punycode.yml
+++ b/detections/network/zeek_x509_certificate_with_punycode.yml
@@ -55,5 +55,4 @@ tags:
 - basic_constraints.ca
 - source
 - host
- risk_score: 15
 security_domain: network
diff --git a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml
index 2ee10a8f52..b317bf515b 100644
--- a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml
+++ b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml
@@ -53,7 +53,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 72
 required_fields:
 - Web.src
 - Web.dest
diff --git a/detections/web/adobe_coldfusion_access_control_bypass.yml b/detections/web/adobe_coldfusion_access_control_bypass.yml
index 5828ebffb2..bc1b9fe9c0 100644
--- a/detections/web/adobe_coldfusion_access_control_bypass.yml
+++ b/detections/web/adobe_coldfusion_access_control_bypass.yml
@@ -57,7 +57,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 45
 required_fields:
 - _time
 - Web.http_method
diff --git a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml
index 76a708daf5..4fba5c1b5d 100644
--- a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml
+++ b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml
@@ -57,7 +57,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 45
 required_fields:
 - _time
 - Web.http_method
diff --git a/detections/web/cisco_ios_xe_implant_access.yml b/detections/web/cisco_ios_xe_implant_access.yml
index 790ff1f9fd..d36774e9bb 100644
--- a/detections/web/cisco_ios_xe_implant_access.yml
+++ b/detections/web/cisco_ios_xe_implant_access.yml
@@ -54,7 +54,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 81
 required_fields:
 - _time
 - Web.http_method
diff --git a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
index 3e08a9a9b5..c299ee6c83 100644
--- a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
+++ b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
@@ -55,7 +55,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 90
 required_fields:
 - Web.http_user_agent
 - Web.status
diff --git a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml
index a7bdea2439..5823ed0d5f 100644
--- a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml
+++ b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml
@@ -50,7 +50,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 45
 required_fields:
 - _time
 - Web.http_method
diff --git a/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml b/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml
index 92cfe69c6f..6da27c8e48 100644
--- a/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml
+++ b/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml
@@ -53,7 +53,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 45
 required_fields:
 - _time
 - Web.http_method
diff --git a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
index 00769b851c..41b4151d99 100644
--- a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
+++ b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
@@ -52,7 +52,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 72
 required_fields:
 - _time
 - Web.http_method
diff --git a/detections/web/confluence_data_center_and_server_privilege_escalation.yml b/detections/web/confluence_data_center_and_server_privilege_escalation.yml
index 778fd3c8cd..966077321f 100644
--- a/detections/web/confluence_data_center_and_server_privilege_escalation.yml
+++ b/detections/web/confluence_data_center_and_server_privilege_escalation.yml
@@ -57,7 +57,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 72
 required_fields:
 - _time
 - Web.http_method
diff --git a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml
index 11fa43ee4b..c783f21372 100644
--- a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml
+++ b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml
@@ -53,7 +53,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 81
 required_fields:
 - Web.src
 - Web.dest
diff --git a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml
index 99ce8e6a16..f0af0fd912 100644
--- a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml
+++ b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml
@@ -70,7 +70,6 @@ tags:
 - Web.src
 - Web.dest
 - Web.http_user_agent
- risk_score: 100
 security_domain: network
 tests:
 - name: True Positive Test
@@ -79,4 +78,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/confluence.log
 source: pan:threat
 sourcetype: pan:threat
- update_timestamp: true
diff --git a/detections/web/connectwise_screenconnect_authentication_bypass.yml b/detections/web/connectwise_screenconnect_authentication_bypass.yml
index 53cb0b4819..eec83e0af6 100644
--- a/detections/web/connectwise_screenconnect_authentication_bypass.yml
+++ b/detections/web/connectwise_screenconnect_authentication_bypass.yml
@@ -62,7 +62,6 @@ tags:
 - Web.url
 - Web.status
 - Web.http_method
- risk_score: 100
 security_domain: network
 cve:
 - CVE-2024-1708
diff --git a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml
index fe8f6db42c..0d7c148ce4 100644
--- a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml
+++ b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml
@@ -50,5 +50,4 @@ tags:
 - Web.url
 - Web.src
 - Web.dest
- risk_score: 25
 security_domain: network
diff --git a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml
index 568b19452a..364ce20005 100644
--- a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml
+++ b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml
@@ -48,5 +48,4 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- risk_score: 25
 security_domain: network
diff --git a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml
index ffa0658783..0fd9c504be 100644
--- a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml
+++ b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml
@@ -49,5 +49,4 @@ tags:
 - Web.url_length
 - Web.src
 - Web.dest
- risk_score: 25
 security_domain: network
diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml
index 9e20cc85a2..8998a08911 100644
--- a/detections/web/detect_remote_access_software_usage_url.yml
+++ b/detections/web/detect_remote_access_software_usage_url.yml
@@ -73,7 +73,6 @@ tags:
 - Web.src
 - Web.category
 - Web.url_domain
- risk_score: 25
 security_domain: network
 manual_test: This detection uses A&I lookups from Enterprise Security.
 tests:
diff --git a/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml b/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml
index 5b60ac269c..b0c3fd8ea4 100644
--- a/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml
+++ b/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml
@@ -45,7 +45,6 @@ tags:
 - Web.src
 - Web.dest
 - sourcetype
- risk_score: 80
 security_domain: network
 cve:
 - CVE-2024-29824
diff --git a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml
index 7d640a4274..ea6996e996 100644
--- a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml
+++ b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml
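Review bot: The ivanti_epm_sql_injection_remote_code_execution.yml hunk on this line patches a file whose path is doubled, `detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml`, which looks like an accidentally nested copy rather than the intended `detections/web/ivanti_epm_sql_injection_remote_code_execution.yml`. If the content build only walks the expected detection directories, the `risk_score` removal here lands on a file that is never validated or shipped, and any copy at the correct path (not visible in this chunk) would keep the field the series is removing. Rather than patching it in place, move the file to the conventional path, or delete the nested copy if it duplicates an existing detection, so that a detection for CVE-2024-29824 is not silently dropped from the shipped content.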
@@ -85,7 +85,6 @@ tags:
 - Web.status
 - Web.uri_query
 - Web.uri_path
- risk_score: 49
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml
index 4b1bdbf7fc..40a1d4d088 100644
--- a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml
+++ b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml
@@ -58,7 +58,6 @@ tags:
 - Web.src
 - Web.dest
 - sourcetype
- risk_score: 64
 security_domain: network
 tests:
 - name: True Positive Test
@@ -67,4 +66,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/web_fortinetnac.log
 source: pan:threat
 sourcetype: pan:threat
- update_timestamp: true
diff --git a/detections/web/f5_tmui_authentication_bypass.yml b/detections/web/f5_tmui_authentication_bypass.yml
index 57992b1fa8..ea5c537f52 100644
--- a/detections/web/f5_tmui_authentication_bypass.yml
+++ b/detections/web/f5_tmui_authentication_bypass.yml
@@ -52,7 +52,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 90
 required_fields:
 - Web.http_user_agent
 - Web.status
diff --git a/detections/web/fortinet_appliance_auth_bypass.yml b/detections/web/fortinet_appliance_auth_bypass.yml
index 185ae83c36..baeab397bd 100644
--- a/detections/web/fortinet_appliance_auth_bypass.yml
+++ b/detections/web/fortinet_appliance_auth_bypass.yml
@@ -65,7 +65,6 @@ tags:
 - Web.src
 - Web.dest
 - sourcetype
- risk_score: 81
 security_domain: network
 tests:
 - name: True Positive Test
@@ -74,4 +73,3 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/fortinetcve202240684.log
 source: pan:threat
 sourcetype: pan:threat
- update_timestamp: true
diff --git a/detections/web/hunting_for_log4shell.yml b/detections/web/hunting_for_log4shell.yml
index d5aa4dc7ba..66361e1e44 100644
--- a/detections/web/hunting_for_log4shell.yml
+++ b/detections/web/hunting_for_log4shell.yml
@@ -76,7 +76,6 @@ tags:
 required_fields:
 - _time
 - _raw
- risk_score: 40
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/web/ivanti_connect_secure_command_injection_attempts.yml b/detections/web/ivanti_connect_secure_command_injection_attempts.yml
index c65d92aa41..f9a94f4dbb 100644
--- a/detections/web/ivanti_connect_secure_command_injection_attempts.yml
+++ b/detections/web/ivanti_connect_secure_command_injection_attempts.yml
@@ -56,7 +56,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 90
 required_fields:
 - Web.src
 - Web.dest
diff --git a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml
index d47456ac9a..560e392ad0 100644
--- a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml
+++ b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml
@@ -55,7 +55,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 81
 required_fields:
 - Web.src
 - Web.dest
diff --git a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml
index a3724e46c5..ab6eaeb84c 100644
--- a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml
+++ b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml
@@ -53,7 +53,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 72
 required_fields:
 - Web.src
 - Web.dest
diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml
index 190dd5dbca..a8bcb00dc9 100644
--- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml
+++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml
@@ -53,7 +53,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 64
 required_fields:
 - _time
 - Web.http_method
diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml
index 83094bd53a..462e99bc43 100644
--- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml
+++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml
@@ -56,7 +56,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 64
 required_fields:
 - _time
 - Web.http_method
diff --git a/detections/web/ivanti_sentry_authentication_bypass.yml b/detections/web/ivanti_sentry_authentication_bypass.yml
index 220df4f5d7..ae6d6f884f 100644
--- a/detections/web/ivanti_sentry_authentication_bypass.yml
+++ b/detections/web/ivanti_sentry_authentication_bypass.yml
@@ -57,7 +57,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 45
 required_fields:
 - Web.http_user_agent
 - Web.status
diff --git a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml
index 145082ee5c..8981b7800c 100644
--- a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml
+++ b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml
@@ -57,7 +57,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 81
 required_fields:
 - Web.src
 - Web.dest
diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml
index 9548f959e1..b610c2caa4 100644
--- a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml
+++ b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml
@@ -66,7 +66,6 @@ tags:
 - Web.http_method
 - sourcetype
 - source
- risk_score: 81
 security_domain: network
 cve:
 - CVE-2024-27198
diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml
index 132724f73a..4b97dce722 100644
--- a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml
+++ b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml
@@ -62,7 +62,6 @@ tags:
 - http.url
 - http.status
 - http_method
- risk_score: 81
 security_domain: network
 cve:
 - CVE-2024-27198
diff --git a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml
index d1ed0622f0..96a5b9c463 100644
--- a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml
+++ b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml
@@ -67,7 +67,6 @@ tags:
 - http.url
 - http.status
 - http_method
- risk_score: 63
 security_domain: network
 cve:
 - CVE-2024-27199
diff --git a/detections/web/jetbrains_teamcity_rce_attempt.yml b/detections/web/jetbrains_teamcity_rce_attempt.yml
index abca1f2fc1..988b3e5b69 100644
--- a/detections/web/jetbrains_teamcity_rce_attempt.yml
+++ b/detections/web/jetbrains_teamcity_rce_attempt.yml
@@ -61,7 +61,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 81
 required_fields:
 - Web.http_user_agent
 - Web.status
diff --git a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml
index 2fc4c95b69..2505c4242d 100644
--- a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml
+++ b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml
@@ -68,7 +68,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 72
 required_fields:
 - Web.http_user_agent
 - Web.status
diff --git a/detections/web/log4shell_jndi_payload_injection_attempt.yml b/detections/web/log4shell_jndi_payload_injection_attempt.yml
index fa9fb75dbe..df091a72dd 100644
--- a/detections/web/log4shell_jndi_payload_injection_attempt.yml
+++ b/detections/web/log4shell_jndi_payload_injection_attempt.yml
@@ -66,7 +66,6 @@ tags:
 - url
 - url_domain
 - user
- risk_score: 15
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
index 765298db54..1200d4477a 100644
--- a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
+++ b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
@@ -67,7 +67,6 @@ tags:
 - url
 - url_domain
 - user
- risk_score: 15
 security_domain: threat
 tests:
 - name: True Positive Test
diff --git a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml
index fe3ef716bc..baddfa1377 100644
--- a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml
+++ b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml
@@ -53,7 +53,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 45
 required_fields:
 - _time
 - Web.http_method
diff --git a/detections/web/monitor_web_traffic_for_brand_abuse.yml b/detections/web/monitor_web_traffic_for_brand_abuse.yml
index 6f4429a77d..40164ca6b5 100644
--- a/detections/web/monitor_web_traffic_for_brand_abuse.yml
+++ b/detections/web/monitor_web_traffic_for_brand_abuse.yml
@@ -43,5 +43,4 @@ tags:
 - _time
 - Web.url
 - Web.src
- risk_score: 25
 security_domain: network
diff --git a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml
index 3dbacac6c5..ae42c7a616 100644
--- a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml
+++ b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml
@@ -65,7 +65,6 @@ tags:
 - http_method
 - sourcetype
 - source
- risk_score: 100
 security_domain: network
 cve:
 - CVE-2024-1708
diff --git a/detections/web/papercut_ng_remote_web_access_attempt.yml b/detections/web/papercut_ng_remote_web_access_attempt.yml
index 1fc500207c..4d8b88e1f8 100644
--- a/detections/web/papercut_ng_remote_web_access_attempt.yml
+++ b/detections/web/papercut_ng_remote_web_access_attempt.yml
@@ -52,7 +52,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- risk_score: 63
 required_fields:
 - _time
 - Web.http_user_agent
diff --git a/detections/web/proxyshell_proxynotshell_behavior_detected.yml b/detections/web/proxyshell_proxynotshell_behavior_detected.yml
index a7a9c09997..89bf43e00b 100644
--- a/detections/web/proxyshell_proxynotshell_behavior_detected.yml
+++ b/detections/web/proxyshell_proxynotshell_behavior_detected.yml
@@ -65,7 +65,6 @@ tags:
 - All_Risk.risk_object
 - All_Risk.annotations.mitre_attack.mitre_tactic
 - source
- risk_score: 81
 security_domain: network
 tests:
 - name: True Positive Test
@@ -74,4 +73,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell-risk.log
source: proxyshell
sourcetype: stash
- update_timestamp: true
diff --git a/detections/web/spring4shell_payload_url_request.yml b/detections/web/spring4shell_payload_url_request.yml
index 1355219306..65d4d2689d 100644
--- a/detections/web/spring4shell_payload_url_request.yml
+++ b/detections/web/spring4shell_payload_url_request.yml
@@ -62,7 +62,6 @@ tags:
- Web.src
- Web.dest
- Web.http_user_agent
- risk_score: 36
security_domain: network
tests:
- name: True Positive Test
diff --git a/detections/web/sql_injection_with_long_urls.yml b/detections/web/sql_injection_with_long_urls.yml
index 768940b1f0..4f50aa9b9e 100644
--- a/detections/web/sql_injection_with_long_urls.yml
+++ b/detections/web/sql_injection_with_long_urls.yml
@@ -63,5 +63,4 @@ tags:
- Web.dest
- Web.url
- Web.http_user_agent
- risk_score: 25
security_domain: network
diff --git a/detections/web/supernova_webshell.yml b/detections/web/supernova_webshell.yml
index df3acd20f3..30ffd6321c 100644
--- a/detections/web/supernova_webshell.yml
+++ b/detections/web/supernova_webshell.yml
@@ -52,5 +52,4 @@ tags:
- Web.vendor_product
- Web.user
- Web.http_user_agent
- risk_score: 25
security_domain: network
diff --git a/detections/web/vmware_aria_operations_exploit_attempt.yml b/detections/web/vmware_aria_operations_exploit_attempt.yml
index a873108626..1e75c2c252 100644
--- a/detections/web/vmware_aria_operations_exploit_attempt.yml
+++ b/detections/web/vmware_aria_operations_exploit_attempt.yml
@@ -59,7 +59,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 72
required_fields:
- Web.http_method
- Web.url
diff --git a/detections/web/vmware_server_side_template_injection_hunt.yml b/detections/web/vmware_server_side_template_injection_hunt.yml
index 5da68493cf..ab5de261db 100644
--- a/detections/web/vmware_server_side_template_injection_hunt.yml
+++ b/detections/web/vmware_server_side_template_injection_hunt.yml
@@ -62,7 +62,6 @@ tags:
- Web.src
- Web.dest
- Web.http_user_agent
- risk_score: 35
security_domain: network
tests:
- name: True Positive Test
@@ -71,4 +70,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log
source: pan:threat
sourcetype: pan:threat
- update_timestamp: true
diff --git a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml
index 65d65d4321..60903a229b 100644
--- a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml
+++ b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml
@@ -60,7 +60,6 @@ tags:
- Web.src
- Web.dest
- Web.http_user_agent
- risk_score: 49
security_domain: network
tests:
- name: True Positive Test
@@ -69,4 +68,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log
source: pan:threat
sourcetype: pan:threat
- update_timestamp: true
diff --git a/detections/web/web_jsp_request_via_url.yml b/detections/web/web_jsp_request_via_url.yml
index 1fce35b1a7..f7d7fec6e2 100644
--- a/detections/web/web_jsp_request_via_url.yml
+++ b/detections/web/web_jsp_request_via_url.yml
@@ -63,7 +63,6 @@ tags:
- Web.src
- Web.dest
- Web.http_user_agent
- risk_score: 72
security_domain: network
tests:
- name: True Positive Test
diff --git a/detections/web/web_remote_shellservlet_access.yml b/detections/web/web_remote_shellservlet_access.yml
index 10353c2884..e8bbcf25e7 100644
--- a/detections/web/web_remote_shellservlet_access.yml
+++ b/detections/web/web_remote_shellservlet_access.yml
@@ -51,7 +51,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 81
required_fields:
- Web.http_user_agent
- Web.status
diff --git a/detections/web/web_spring4shell_http_request_class_module.yml b/detections/web/web_spring4shell_http_request_class_module.yml
index c0b3fb7032..9b24092344 100644
--- a/detections/web/web_spring4shell_http_request_class_module.yml
+++ b/detections/web/web_spring4shell_http_request_class_module.yml
@@ -62,7 +62,6 @@ tags:
- url
- bytes_in
- bytes_out
- risk_score: 72
security_domain: network
tests:
- name: True Positive Test
diff --git a/detections/web/web_spring_cloud_function_functionrouter.yml b/detections/web/web_spring_cloud_function_functionrouter.yml
index f850adbf3b..dc4751e4c3 100644
--- a/detections/web/web_spring_cloud_function_functionrouter.yml
+++ b/detections/web/web_spring_cloud_function_functionrouter.yml
@@ -60,7 +60,6 @@ tags:
- Web.src
- Web.dest
- Web.http_user_agent
- risk_score: 42
security_domain: network
tests:
- name: True Positive Test
diff --git a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
index 8ff6285ca5..3927457e3f 100644
--- a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
+++ b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
@@ -72,7 +72,6 @@ tags:
- Web.dest
- Web.http_method
- Web.uri_query
- risk_score: 72
security_domain: network
tests:
- name: True Positive Test
@@ -81,4 +80,3 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell.log
source: ms:iis:splunk
sourcetype: ms:iis:splunk
- update_timestamp: true
diff --git a/detections/web/wordpress_bricks_builder_plugin_rce.yml b/detections/web/wordpress_bricks_builder_plugin_rce.yml
index 8be952b7ad..b741cf3ba0 100644
--- a/detections/web/wordpress_bricks_builder_plugin_rce.yml
+++ b/detections/web/wordpress_bricks_builder_plugin_rce.yml
@@ -65,7 +65,6 @@ tags:
- Web.http_method
- sourcetype
- source
- risk_score: 100
security_domain: network
cve:
- CVE-2024-25600
diff --git a/detections/web/ws_ftp_remote_code_execution.yml b/detections/web/ws_ftp_remote_code_execution.yml
index 12d1f3d7d0..bce32f0209 100644
--- a/detections/web/ws_ftp_remote_code_execution.yml
+++ b/detections/web/ws_ftp_remote_code_execution.yml
@@ -59,7 +59,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 72
required_fields:
- Web.http_user_agent
- Web.status
diff --git a/detections/web/zscaler_adware_activities_threat_blocked.yml b/detections/web/zscaler_adware_activities_threat_blocked.yml
index 2637a4838c..f703a0feda 100644
--- a/detections/web/zscaler_adware_activities_threat_blocked.yml
+++ b/detections/web/zscaler_adware_activities_threat_blocked.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 8
required_fields:
- action
- threatname
diff --git a/detections/web/zscaler_behavior_analysis_threat_blocked.yml b/detections/web/zscaler_behavior_analysis_threat_blocked.yml
index a2b7853530..68cf7f2643 100644
--- a/detections/web/zscaler_behavior_analysis_threat_blocked.yml
+++ b/detections/web/zscaler_behavior_analysis_threat_blocked.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 8
required_fields:
- action
- threatname
diff --git a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml
index f89e0356df..c131e82a81 100644
--- a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml
+++ b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml
@@ -54,7 +54,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 32
required_fields:
- action
- threatname
diff --git a/detections/web/zscaler_employment_search_web_activity.yml b/detections/web/zscaler_employment_search_web_activity.yml
index d515afdc21..3fe513621c 100644
--- a/detections/web/zscaler_employment_search_web_activity.yml
+++ b/detections/web/zscaler_employment_search_web_activity.yml
@@ -54,7 +54,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 4
required_fields:
- action
- threatname
diff --git a/detections/web/zscaler_exploit_threat_blocked.yml b/detections/web/zscaler_exploit_threat_blocked.yml
index d242640e18..62f8c57ec7 100644
--- a/detections/web/zscaler_exploit_threat_blocked.yml
+++ b/detections/web/zscaler_exploit_threat_blocked.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 40
required_fields:
- action
- threatname
diff --git a/detections/web/zscaler_legal_liability_threat_blocked.yml b/detections/web/zscaler_legal_liability_threat_blocked.yml
index 3975036c91..090bea1c20 100644
--- a/detections/web/zscaler_legal_liability_threat_blocked.yml
+++ b/detections/web/zscaler_legal_liability_threat_blocked.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 16
required_fields:
- action
- threatname
diff --git a/detections/web/zscaler_malware_activity_threat_blocked.yml b/detections/web/zscaler_malware_activity_threat_blocked.yml
index 856cc106f2..f2e9327e36 100644
--- a/detections/web/zscaler_malware_activity_threat_blocked.yml
+++ b/detections/web/zscaler_malware_activity_threat_blocked.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 40
required_fields:
- action
- threatname
diff --git a/detections/web/zscaler_phishing_activity_threat_blocked.yml b/detections/web/zscaler_phishing_activity_threat_blocked.yml
index 46e4d27601..aabc0ba058 100644
--- a/detections/web/zscaler_phishing_activity_threat_blocked.yml
+++ b/detections/web/zscaler_phishing_activity_threat_blocked.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 16
required_fields:
- action
- threatname
diff --git a/detections/web/zscaler_potentially_abused_file_download.yml b/detections/web/zscaler_potentially_abused_file_download.yml
index 818100944d..0e792c9c1d 100644
--- a/detections/web/zscaler_potentially_abused_file_download.yml
+++ b/detections/web/zscaler_potentially_abused_file_download.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 8
required_fields:
- action
- threatname
diff --git a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
index 1c3d4fe82c..b9d133e649 100644
--- a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
+++ b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 8
required_fields:
- action
- threatname
diff --git a/detections/web/zscaler_scam_destinations_threat_blocked.yml b/detections/web/zscaler_scam_destinations_threat_blocked.yml
index 46a7960ad0..0e37aa2ffc 100644
--- a/detections/web/zscaler_scam_destinations_threat_blocked.yml
+++ b/detections/web/zscaler_scam_destinations_threat_blocked.yml
@@ -52,7 +52,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 8
required_fields:
- action
- threatname
diff --git a/detections/web/zscaler_virus_download_threat_blocked.yml b/detections/web/zscaler_virus_download_threat_blocked.yml
index 3393bd7b75..06543ecf42 100644
--- a/detections/web/zscaler_virus_download_threat_blocked.yml
+++ b/detections/web/zscaler_virus_download_threat_blocked.yml
@@ -53,7 +53,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 40
required_fields:
- action
- threatname
diff --git a/investigations/investigate_network_traffic_from_src_ip.yml b/investigations/investigate_network_traffic_from_src_ip.yml
index 67424cbe4b..2a81e04487 100644
--- a/investigations/investigate_network_traffic_from_src_ip.yml
+++ b/investigations/investigate_network_traffic_from_src_ip.yml
@@ -16,8 +16,6 @@ references: []
tags:
analytic_story:
- ColdRoot MacOS RAT
- cve:
- - CVE-2018-11409
product:
- Splunk Phantom
required_fields:
From d5e60e50c33f38417540ba5e23048b1501b5cd57 Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Fri, 26 Jul 2024 18:58:33 -0700
Subject: [PATCH 3/6] remove more extra keys from detections
---
detections/application/windows_ad_add_self_to_group.yml | 3 +-
detections/deprecated/asl_aws_password_policy_changes.yml | 3 +-
detections/endpoint/cmd_carry_out_string_command_parameter.yml | 1 -
detections/endpoint/detect_webshell_exploit_behavior.yml | 2 --
detections/endpoint/windows_protocol_tunneling_with_plink.yml | 3 +-
detections/endpoint/windows_scheduled_task_created_via_xml.yml | 2 --
detections/endpoint/windows_screen_capture_via_powershell.yml | 2 --
detections/endpoint/windows_vulnerable_driver_installed.yml | 3 +-
detections/network/internal_horizontal_port_scan.yml | 3 +-
detections/network/internal_vertical_port_scan.yml | 3 +-
detections/web/vmware_aria_operations_exploit_attempt.yml | 2 +-
11 files changed, 7 insertions(+), 20 deletions(-)
diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml
index 0c7c630bc3..41658a907a 100644
--- a/detections/application/windows_ad_add_self_to_group.yml
+++ b/detections/application/windows_ad_add_self_to_group.yml
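Review bot: Removing `cve:` / `- CVE-2018-11409` from the `tags` of investigate_network_traffic_from_src_ip.yml drops the only CVE association this investigation carried, while `references` (shown as `references: []` in the hunk header context) stays empty, so the link to the advisory is lost rather than moved. If the investigation schema no longer accepts a `cve` key, the identifier is worth keeping somewhere searchable, for example as an advisory link under `references`, so that analysts working the ColdRoot story can still find it. The `tags` mapping continues past the end of the hunk.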
@@ -49,5 +49,4 @@ tests:
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log
source: XmlWinEventLog:Security
- sourcetype: XmlWinEventLog
- update_timestamp: true
\ No newline at end of file
+ sourcetype: XmlWinEventLog
\ No newline at end of file
diff --git a/detections/deprecated/asl_aws_password_policy_changes.yml b/detections/deprecated/asl_aws_password_policy_changes.yml
index 946e0d8f92..d27cc137fe 100644
--- a/detections/deprecated/asl_aws_password_policy_changes.yml
+++ b/detections/deprecated/asl_aws_password_policy_changes.yml
@@ -64,5 +64,4 @@ tests:
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/amazon_security_lake.json
sourcetype: aws:asl
- source: aws_asl
- update_timestamp: true
\ No newline at end of file
+ source: aws_asl
\ No newline at end of file
diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
index 70ed39bd01..3d16af5029 100644
--- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml
+++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
@@ -59,7 +59,6 @@ tags:
- CISA AA23-347A
- Data Destruction
asset_type: Endpoint
- automated_detection_testing: passed
confidence: 50
cve:
- CVE-2021-44228
diff --git a/detections/endpoint/detect_webshell_exploit_behavior.yml b/detections/endpoint/detect_webshell_exploit_behavior.yml
index ab94c119c3..439f1343e8 100644
--- a/detections/endpoint/detect_webshell_exploit_behavior.yml
+++ b/detections/endpoint/detect_webshell_exploit_behavior.yml
@@ -91,8 +91,6 @@ tags:
- Processes.process
- Processes.process_name
security_domain: endpoint
- supported_tas:
- - Splunk_TA_microsoft_sysmon
tests:
- name: True Positive Test
attack_data:
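Review bot: The new last line `+ sourcetype: XmlWinEventLog` of windows_ad_add_self_to_group.yml is still followed by `\ No newline at end of file`, so the rewritten tail keeps the missing final newline instead of fixing it while the line is already being touched. The same applies to the equivalent hunks in asl_aws_password_policy_changes.yml, windows_protocol_tunneling_with_plink.yml, windows_vulnerable_driver_installed.yml, internal_horizontal_port_scan.yml and internal_vertical_port_scan.yml. Ending each file with a single newline satisfies yamllint's new-line-at-end-of-file rule and keeps the next append from re-touching this line in its diff.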
diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
index c761ca2364..ca5cfb428f 100644
--- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml
+++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
@@ -94,5 +94,4 @@ tests:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- sourcetype: xmlwineventlog
- update_timestamp: true
\ No newline at end of file
+ sourcetype: xmlwineventlog
\ No newline at end of file
diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
index 78f1f57d3d..7084a10ba0 100644
--- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml
+++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
@@ -44,8 +44,6 @@ tags:
- Scheduled Tasks
asset_type: Endpoint
confidence: 70
- dataset:
- - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log
impact: 70
message: A scheduled task process, $process_name$, with 'create' or 'delete' commands present in the command line.
diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml
index 2e83aa709e..01a7874543 100644
--- a/detections/endpoint/windows_screen_capture_via_powershell.yml
+++ b/detections/endpoint/windows_screen_capture_via_powershell.yml
@@ -34,8 +34,6 @@ tags:
context:
- Source:Endpoint
- Stage:Collection
- dataset:
- - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log
impact: 70
message: A PowerShell script was identified possibly performing screen captures on $Computer$.
diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml
index e7336ad880..8b23362fc3 100644
--- a/detections/endpoint/windows_vulnerable_driver_installed.yml
+++ b/detections/endpoint/windows_vulnerable_driver_installed.yml
@@ -55,5 +55,4 @@ tests:
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-system.log
source: XmlWinEventLog:System
- sourcetype: XmlWinEventLog
- update_timestamp: true
\ No newline at end of file
+ sourcetype: XmlWinEventLog
\ No newline at end of file
diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml
index ef09ce0649..fbe66abf42 100644
--- a/detections/network/internal_horizontal_port_scan.yml
+++ b/detections/network/internal_horizontal_port_scan.yml
@@ -60,5 +60,4 @@ tests:
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log
source: aws:cloudwatchlogs:vpcflow
- sourcetype: aws:cloudwatchlogs:vpcflow
- update_timestamp: true
\ No newline at end of file
+ sourcetype: aws:cloudwatchlogs:vpcflow
\ No newline at end of file
diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml
index 5f2fae84f5..e03ad110ab 100644
--- a/detections/network/internal_vertical_port_scan.yml
+++ b/detections/network/internal_vertical_port_scan.yml
@@ -62,5 +62,4 @@ tests:
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/vertical.log
source: aws:cloudwatchlogs:vpcflow
- sourcetype: aws:cloudwatchlogs:vpcflow
- update_timestamp: trues
\ No newline at end of file
+ sourcetype: aws:cloudwatchlogs:vpcflow
\ No newline at end of file
diff --git a/detections/web/vmware_aria_operations_exploit_attempt.yml b/detections/web/vmware_aria_operations_exploit_attempt.yml
index 1e75c2c252..adf4f34ef4 100644
--- a/detections/web/vmware_aria_operations_exploit_attempt.yml
+++ b/detections/web/vmware_aria_operations_exploit_attempt.yml
@@ -31,7 +31,7 @@ references:
- https://github.com/sinsinology/CVE-2023-20887
- https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/
tags:
- CVE:
+ cve:
- CVE-2023-20887
analytic_story:
- VMware Aria Operations vRealize CVE-2023-20887
From 5e04f5cc71ea96ab0515930a525598736a209034 Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Tue, 30 Jul 2024 15:56:06 -0700
Subject: [PATCH 4/6] update contentctl.yml format
---
contentctl.yml | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/contentctl.yml b/contentctl.yml
index 4a3adfa19e..a427f0e9a0 100644
--- a/contentctl.yml
+++ b/contentctl.yml
@@ -3,7 +3,7 @@ app:
uid: 3449
title: ES Content Updates
appid: DA-ESS-ContentUpdate
- version: 4.36.0
+ version: 4.37.1
description: Explore the Analytic Stories included with ES Content Updates.
prefix: ESCU
label: ESCU
@@ -15,8 +15,9 @@ build_app: true
build_api: true
build_ssa: false
build_path: dist
-test_instance:
- splunk_app_username: admin
+test_instances:
+- splunk_app_username: admin
+ instance_name: test_instance
instance_address: localhost
hec_port: 8088
web_ui_port: 8000
@@ -29,12 +30,12 @@ mode: {}
splunk_api_username: null
post_test_behavior: pause_on_failure
apps:
-# - uid: 263
-# title: Splunk Enterprise Security
-# appid: SplunkEnterpriseSecuritySuite
-# version: 7.3.1
-# description: description of app
-# hardcoded_path: ~/Downloads/splunk-enterprise-security_731.spl
+#- uid: 263
+# title: Splunk Enterprise Security
+# appid: SplunkEnterpriseSecuritySuite
+# version: 7.3.2
+# description: description of app
+# hardcoded_path: apps/splunk-enterprise-security_732.spl
- uid: 1621
title: Splunk Common Information Model (CIM)
appid: Splunk_SA_CIM
@@ -182,4 +183,3 @@ apps:
version: 1.9.2
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/url-toolbox_192.tgz
-githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
From 96572cdc9b5acd99a273b63c810753d99c85be50 Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Tue, 30 Jul 2024 16:10:27 -0700
Subject: [PATCH 5/6] Remove some more extra fields from new ymls
---
.../windows_admon_default_group_policy_object_modified.yml | 1 -
.../endpoint/windows_admon_group_policy_object_created.yml | 1 -
.../windows_esx_admins_group_creation_security_event.yml | 1 -
.../endpoint/windows_esx_admins_group_creation_via_net.yml | 1 -
.../windows_esx_admins_group_creation_via_powershell.yml | 1 -
.../endpoint/windows_outlook_webview_registry_modification.yml | 1 -
detections/endpoint/windows_privileged_group_modification.yml | 3 +-
7 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
index a7d737f541..5cf1f5a316 100644
--- a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
+++ b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
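Review bot: The commented-out Splunk Enterprise Security stanza under `apps:` is being maintained like live configuration — this hunk bumps its `version` to `7.3.2` and rewrites `hardcoded_path` to `apps/splunk-enterprise-security_732.spl` inside comments — so it keeps drifting without ever being validated by the loader. If it is meant as a template for a locally supplied ES package, a comment saying so, e.g. `# Optional: uncomment and point hardcoded_path at a local ES package to test against ES`, would make the intent explicit; otherwise the block is dead config and is simpler removed. Separately, the `@@ -182,4 +183,3 @@` hunk leaves the url-toolbox entry fetched from a `Latest/` URL with no digest recorded beside it; whether contentctl verifies what it downloads is not visible here, so if it does not, recording a checksum or a version-pinned path for each `hardcoded_path` would make test builds reproducible and keep a swapped artifact from being installed silently.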
@@ -58,7 +58,6 @@ tags:
- displayName
- gPCFileSysPath
- dcName
- risk_score: 50
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_admon_group_policy_object_created.yml b/detections/endpoint/windows_admon_group_policy_object_created.yml
index c09e970738..f49f41caea 100644
--- a/detections/endpoint/windows_admon_group_policy_object_created.yml
+++ b/detections/endpoint/windows_admon_group_policy_object_created.yml
@@ -56,7 +56,6 @@ tags:
- displayName
- gPCFileSysPath
- dcName
- risk_score: 50
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
index 631c86f244..34d1a4677f 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
@@ -59,7 +59,6 @@ tags:
- SubjectUserName
- SubjectDomainName
- Computer
- risk_score: 25
security_domain: endpoint
cve:
- CVE-2024-37085
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
index 17a42c082d..bc36efeb16 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
@@ -59,7 +59,6 @@ tags:
- Processes.process
- Processes.process_id
- Processes.original_file_name
- risk_score: 56
security_domain: endpoint
cve:
- CVE-2024-37085
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
index 04869a9d40..dd74a21ced 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
@@ -52,7 +52,6 @@ tags:
- ScriptBlockText
- Computer
- UserID
- risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
diff --git a/detections/endpoint/windows_outlook_webview_registry_modification.yml b/detections/endpoint/windows_outlook_webview_registry_modification.yml
index c60975a5c7..2d9a39add9 100644
--- a/detections/endpoint/windows_outlook_webview_registry_modification.yml
+++ b/detections/endpoint/windows_outlook_webview_registry_modification.yml
@@ -54,7 +54,6 @@ tags:
- Registry.registry_path
- Registry.registry_value_name
- Registry.registry_value_data
- risk_score: 100
security_domain: endpoint
cve: []
tests:
diff --git a/detections/endpoint/windows_privileged_group_modification.yml b/detections/endpoint/windows_privileged_group_modification.yml
index d9505bdb38..804fafd128 100644
--- a/detections/endpoint/windows_privileged_group_modification.yml
+++ b/detections/endpoint/windows_privileged_group_modification.yml
@@ -3,7 +3,7 @@ id: b8cbef2c-2cc3-4550-b0fc-9715b7852df9
version: 1
date: '2024-07-30'
author: Brandon Sternfield, Optiv + ClearShark
-data_sources:
+data_source:
- Windows Event Log Security 4727
- Windows Event Log Security 4731
- Windows Event Log Security 4744
@@ -79,7 +79,6 @@ tags:
- result
- status
- _time
- risk_score: 80
security_domain: endpoint
cve:
- CVE-2024-37085
From f172d78c68795dcb7eefb620fa2a574554fa0e8b Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Wed, 21 Aug 2024 13:41:58 -0700
Subject: [PATCH 6/6] fix merge conflict in contentctl.yml. remove risk_score field from many new or updarted detections.
---
contentctl.yml | 5 -----
.../windows_ad_dangerous_deny_acl_modification.yml | 1 -
.../windows_ad_dangerous_group_acl_modification.yml | 1 -
.../windows_ad_dangerous_user_acl_modification.yml | 1 -
.../windows_ad_dcshadow_privileges_acl_addition.yml | 1 -
.../application/windows_ad_domain_root_acl_deletion.yml | 1 -
.../application/windows_ad_domain_root_acl_modification.yml | 1 -
detections/application/windows_ad_gpo_deleted.yml | 1 -
detections/application/windows_ad_gpo_disabled.yml | 1 -
detections/application/windows_ad_gpo_new_cse_addition.yml | 1 -
detections/application/windows_ad_hidden_ou_creation.yml | 1 -
detections/application/windows_ad_object_owner_updated.yml | 1 -
.../application/windows_ad_privileged_group_modification.yml | 1 -
detections/application/windows_ad_self_dacl_assignment.yml | 1 -
.../windows_ad_suspicious_attribute_modification.yml | 1 -
.../application/windows_ad_suspicious_gpo_modification.yml | 1 -
.../cloud/o365_application_available_to_other_tenants.yml | 1 -
detections/cloud/o365_cross_tenant_access_change.yml | 1 -
detections/cloud/o365_external_guest_user_invited.yml | 1 -
detections/cloud/o365_external_identity_policy_changed.yml | 1 -
detections/cloud/o365_privileged_role_assigned.yml | 1 -
.../o365_privileged_role_assigned_to_service_principal.yml | 1 -
.../endpoint/crowdstrike_admin_weak_password_policy.yml | 1 -
.../endpoint/crowdstrike_admin_with_duplicate_password.yml | 1 -
.../endpoint/crowdstrike_high_identity_risk_severity.yml | 1 -
.../endpoint/crowdstrike_medium_identity_risk_severity.yml | 1 -
detections/endpoint/crowdstrike_medium_severity_alert.yml | 1 -
.../endpoint/crowdstrike_multiple_low_severity_alerts.yml | 1 -
.../crowdstrike_privilege_escalation_for_non_admin_user.yml | 1 -
.../endpoint/crowdstrike_user_weak_password_policy.yml |
1 -
.../endpoint/crowdstrike_user_with_duplicate_password.yml | 1 -
.../windows_multiple_ntlm_null_domain_authentications.yml | 1 -
...ws_unusual_ntlm_authentication_destinations_by_source.yml | 1 -
...dows_unusual_ntlm_authentication_destinations_by_user.yml | 1 -
...dows_unusual_ntlm_authentication_users_by_destination.yml | 1 -
.../windows_unusual_ntlm_authentication_users_by_source.yml | 1 -
36 files changed, 40 deletions(-)
diff --git a/contentctl.yml b/contentctl.yml
index 9a6369fea3..8014d0a2ae 100644
--- a/contentctl.yml
+++ b/contentctl.yml
@@ -182,8 +182,6 @@ apps:
version: 1.9.2
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/url-toolbox_192.tgz
-<<<<<<< HEAD
-=======
- uid: 6853
title: Splunk Add-on for Admon Enrichment
appid: SA-admon
@@ -196,6 +194,3 @@ apps:
version: 3.2.1
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/crowdstrike-falcon-event-streams-technical-add-on_321.tgz
-
-githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
->>>>>>> develop
diff --git a/detections/application/windows_ad_dangerous_deny_acl_modification.yml b/detections/application/windows_ad_dangerous_deny_acl_modification.yml
index b7f6bee2cc..6a3fe6582f 100644
--- a/detections/application/windows_ad_dangerous_deny_acl_modification.yml
+++ b/detections/application/windows_ad_dangerous_deny_acl_modification.yml
@@ -63,7 +63,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 100
required_fields:
- _time
- OperationType
diff --git a/detections/application/windows_ad_dangerous_group_acl_modification.yml b/detections/application/windows_ad_dangerous_group_acl_modification.yml
index ae125e8c7d..aa248e0a6f 100644
--- a/detections/application/windows_ad_dangerous_group_acl_modification.yml
+++ b/detections/application/windows_ad_dangerous_group_acl_modification.yml
@@ -67,7 +67,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 100
required_fields:
- _time
- OperationType
diff --git a/detections/application/windows_ad_dangerous_user_acl_modification.yml b/detections/application/windows_ad_dangerous_user_acl_modification.yml
index 8cfdbceb4c..f0436e385e 100644
--- a/detections/application/windows_ad_dangerous_user_acl_modification.yml
+++ b/detections/application/windows_ad_dangerous_user_acl_modification.yml
@@ -67,7 +67,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 100
required_fields:
- _time
- OperationType
diff --git a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
index 07654823a8..af9845bb0f 100644
--- a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
+++ b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
@@ -64,7 +64,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 100
required_fields:
- _time
- OperationType
diff --git a/detections/application/windows_ad_domain_root_acl_deletion.yml b/detections/application/windows_ad_domain_root_acl_deletion.yml
index 3d117d3d82..b3b96164cd 100644
--- a/detections/application/windows_ad_domain_root_acl_deletion.yml
+++ b/detections/application/windows_ad_domain_root_acl_deletion.yml
@@ -63,7 +63,6 @@ tags:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- risk_score: 100
required_fields:
- _time
- OperationType
diff --git a/detections/application/windows_ad_domain_root_acl_modification.yml b/detections/application/windows_ad_domain_root_acl_modification.yml
index b6e2a09041..c5c2f12d7f 100644
--- a/detections/application/windows_ad_domain_root_acl_modification.yml
+++ b/detections/application/windows_ad_domain_root_acl_modification.yml
@@ -63,7 +63,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType
diff --git a/detections/application/windows_ad_gpo_deleted.yml b/detections/application/windows_ad_gpo_deleted.yml
index 7caec33736..ff3095af20 100644
--- a/detections/application/windows_ad_gpo_deleted.yml
+++ b/detections/application/windows_ad_gpo_deleted.yml
@@ -43,7 +43,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - OperationType
diff --git a/detections/application/windows_ad_gpo_disabled.yml b/detections/application/windows_ad_gpo_disabled.yml
index d7b122d2bd..f2043b249b 100644
--- a/detections/application/windows_ad_gpo_disabled.yml
+++ b/detections/application/windows_ad_gpo_disabled.yml
@@ -38,7 +38,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 required_fields: - _time - OperationType
diff --git a/detections/application/windows_ad_gpo_new_cse_addition.yml b/detections/application/windows_ad_gpo_new_cse_addition.yml
index 7404ec85a7..b84decafc7 100644
--- a/detections/application/windows_ad_gpo_new_cse_addition.yml
+++ b/detections/application/windows_ad_gpo_new_cse_addition.yml
@@ -50,7 +50,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType
diff --git a/detections/application/windows_ad_hidden_ou_creation.yml b/detections/application/windows_ad_hidden_ou_creation.yml
index edc4f97dc3..c9baf63cc6 100644
--- a/detections/application/windows_ad_hidden_ou_creation.yml
+++ b/detections/application/windows_ad_hidden_ou_creation.yml
@@ -62,7 +62,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType
diff --git a/detections/application/windows_ad_object_owner_updated.yml b/detections/application/windows_ad_object_owner_updated.yml
index 3aca7ad031..09fbc7a42a 100644
--- a/detections/application/windows_ad_object_owner_updated.yml
+++ b/detections/application/windows_ad_object_owner_updated.yml
@@ -57,7 +57,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType
diff --git a/detections/application/windows_ad_privileged_group_modification.yml b/detections/application/windows_ad_privileged_group_modification.yml
index 82aaff088d..9c6de39b08 100644
--- a/detections/application/windows_ad_privileged_group_modification.yml
+++ b/detections/application/windows_ad_privileged_group_modification.yml
@@ -36,7 +36,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 required_fields: - EventCode - user
diff --git a/detections/application/windows_ad_self_dacl_assignment.yml b/detections/application/windows_ad_self_dacl_assignment.yml
index 25e3e509fa..ebd8c23a18 100644
--- a/detections/application/windows_ad_self_dacl_assignment.yml
+++ b/detections/application/windows_ad_self_dacl_assignment.yml
@@ -58,7 +58,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 80 required_fields: - _time - OperationType
diff --git a/detections/application/windows_ad_suspicious_attribute_modification.yml b/detections/application/windows_ad_suspicious_attribute_modification.yml
index f006dae853..9e538a5b50 100644
--- a/detections/application/windows_ad_suspicious_attribute_modification.yml
+++ b/detections/application/windows_ad_suspicious_attribute_modification.yml
@@ -52,7 +52,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 required_fields: - _time - OperationType
diff --git a/detections/application/windows_ad_suspicious_gpo_modification.yml b/detections/application/windows_ad_suspicious_gpo_modification.yml
index 7abeb092eb..42c54bb574 100644
--- a/detections/application/windows_ad_suspicious_gpo_modification.yml
+++ b/detections/application/windows_ad_suspicious_gpo_modification.yml
@@ -68,7 +68,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 80 required_fields: - _time - OperationType
diff --git a/detections/cloud/o365_application_available_to_other_tenants.yml b/detections/cloud/o365_application_available_to_other_tenants.yml
index afe0f18efd..df615c42e9 100644
--- a/detections/cloud/o365_application_available_to_other_tenants.yml
+++ b/detections/cloud/o365_application_available_to_other_tenants.yml
@@ -55,7 +55,6 @@ tags: - UserId - Workload - Target{}.ID - risk_score: 50 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_cross_tenant_access_change.yml b/detections/cloud/o365_cross_tenant_access_change.yml
index 6f6cb2f0e1..334222de18 100644
--- a/detections/cloud/o365_cross_tenant_access_change.yml
+++ b/detections/cloud/o365_cross_tenant_access_change.yml
@@ -52,7 +52,6 @@ tags: - ModifiedProperties{}.Name - UserId - Workload - risk_score: 75 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_external_guest_user_invited.yml b/detections/cloud/o365_external_guest_user_invited.yml
index a00581e3d9..fa4cbdad35 100644
--- a/detections/cloud/o365_external_guest_user_invited.yml
+++ b/detections/cloud/o365_external_guest_user_invited.yml
@@ -54,7 +54,6 @@ tags: - UserId - Id - Workload - risk_score: 25 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/cloud/o365_external_identity_policy_changed.yml b/detections/cloud/o365_external_identity_policy_changed.yml
index a9dbb3c6f0..ed2a067e44 100644
--- a/detections/cloud/o365_external_identity_policy_changed.yml
+++ b/detections/cloud/o365_external_identity_policy_changed.yml
@@ -54,7 +54,6 @@ tags: - ModifiedProperties{}.Name - UserId - Workload - risk_score: 75 security_domain: threat tests: - name: True Positive Test
diff --git a/detections/cloud/o365_privileged_role_assigned.yml b/detections/cloud/o365_privileged_role_assigned.yml
index f5f626d370..c8b165e024 100644
--- a/detections/cloud/o365_privileged_role_assigned.yml
+++ b/detections/cloud/o365_privileged_role_assigned.yml
@@ -54,7 +54,6 @@ tags: - UserId - ObjectId - Workload - risk_score: 75 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml
index ebbe154331..adc44893ce 100644
--- a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml
+++ b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml
@@ -55,7 +55,6 @@ tags: - UserId - ObjectId - Workload - risk_score: 75 security_domain: identity tests: - name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_admin_weak_password_policy.yml b/detections/endpoint/crowdstrike_admin_weak_password_policy.yml
index d06b56996c..b38d75adad 100644
--- a/detections/endpoint/crowdstrike_admin_weak_password_policy.yml
+++ b/detections/endpoint/crowdstrike_admin_weak_password_policy.yml
@@ -49,7 +49,6 @@ tags: - accounts{}.domain - accounts{}.dn - accounts{}.samAccountName - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml b/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml
index c0280b56b7..710c76ff7d 100644
--- a/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml
+++ b/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml
@@ -48,7 +48,6 @@ tags: - accounts{}.domain - accounts{}.dn - accounts{}.samAccountName - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_high_identity_risk_severity.yml b/detections/endpoint/crowdstrike_high_identity_risk_severity.yml
index 31137e1d61..65061e6cf5 100644
--- a/detections/endpoint/crowdstrike_high_identity_risk_severity.yml
+++ b/detections/endpoint/crowdstrike_high_identity_risk_severity.yml
@@ -48,7 +48,6 @@ tags: - accounts{}.domain - accounts{}.dn - accounts{}.samAccountName - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml b/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml
index d07b0f86aa..97a67e1ba8 100644
--- a/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml
+++ b/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml
@@ -48,7 +48,6 @@ tags: - accounts{}.domain - accounts{}.dn - accounts{}.samAccountName - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_medium_severity_alert.yml b/detections/endpoint/crowdstrike_medium_severity_alert.yml
index c71c3192db..e73f2a4353 100644
--- a/detections/endpoint/crowdstrike_medium_severity_alert.yml
+++ b/detections/endpoint/crowdstrike_medium_severity_alert.yml
@@ -50,7 +50,6 @@ tags: - event.IncidentType - event.NumbersOfAlerts - event.SeverityName - risk_score: 49 security_domain: endpoint manual_test: This detection is marked manual test because the attack_data file and TA do not provide the event.EndpointIp and event.EndpointName fields. event.EndpointName
diff --git a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
index dd22106a7f..4b6965ba20 100644
--- a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
+++ b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
@@ -52,7 +52,6 @@ tags: - event.IncidentType - event.NumbersOfAlerts - event.SeverityName - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
index b02ac4a1ad..1966cf57ea 100644
--- a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
+++ b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
@@ -50,7 +50,6 @@ tags: - event.IncidentType - event.NumbersOfAlerts - event.SeverityName - risk_score: 49 security_domain: endpoint manual_test: This detection is marked manual test because the attack_data file and TA do not provide the event.EndpointIp and event.EndpointName fields. event.EndpointName
diff --git a/detections/endpoint/crowdstrike_user_weak_password_policy.yml b/detections/endpoint/crowdstrike_user_weak_password_policy.yml
index c2b09d2c12..d0c58be96f 100644
--- a/detections/endpoint/crowdstrike_user_weak_password_policy.yml
+++ b/detections/endpoint/crowdstrike_user_weak_password_policy.yml
@@ -50,7 +50,6 @@ tags: - accounts{}.domain - accounts{}.dn - accounts{}.samAccountName - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
index b7ae4192aa..895fbfa9f5 100644
--- a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
+++ b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
@@ -49,7 +49,6 @@ tags: - accounts{}.domain - accounts{}.dn - accounts{}.samAccountName - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml
index c33eb07a00..0158642e0e 100644
--- a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml
+++ b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml
@@ -53,7 +53,6 @@ tags: - DomainName - Security - WorkstationName - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
index d4fae926ee..52471f9949 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
@@ -53,7 +53,6 @@ tags: - DomainName - Security - WorkstationName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
index c2042d89bc..08462eed62 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
@@ -53,7 +53,6 @@ tags: - DomainName - Security - WorkstationName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
index 089daddfbc..cada877503 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
@@ -53,7 +53,6 @@ tags: - DomainName - Security - WorkstationName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
index 9bc1940f8c..70d3781ff6 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
@@ -53,7 +53,6 @@ tags: - DomainName - Security - WorkstationName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test