Merge pull request #3502 from splunk/deprecate_rmm_hunt

Sebastian Wurl Feedback - Update RMM searches

Author: patel-bhavin

…/windows_remote_access_software_hunt.yml …/windows_remote_access_software_hunt.ymldetections/endpoint/windows_remote_access_software_hunt.yml renamed to detections/deprecated/windows_remote_access_software_hunt.yml detections/endpoint/windows_remote_access_software_hunt.yml renamed to detections/deprecated/windows_remote_access_software_hunt.yml

@@ -1,11 +1,11 @@
 name: Windows Remote Access Software Hunt
 id: 8bd22c9f-05a2-4db1-b131-29271f28cb0a
-version: 7
-date: '2025-04-18'
+version: 8
+date: '2025-04-30'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: Hunting
-description: The following analytic identifies the use of remote access software within
+description: This search is deprecated in favor of the new detection - Detect Remote Access Software Usage Process. The following analytic identifies the use of remote access software within
   the environment. It leverages data from Endpoint Detection and Response (EDR) agents,
   focusing on process execution logs. This detection is significant as unauthorized
   remote access tools can be used by adversaries to maintain persistent access to

detections/endpoint/detect_remote_access_software_usage_process.yml

@@ -1,34 +1,38 @@
 name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
-version: 8
-date: '2025-04-18'
-author: Steven Dick
+version: 9
+date: '2025-04-30'
+author: Steven Dick, Sebastian Wurl, Splunk Community
 status: production
 type: Anomaly
 description: The following analytic detects the execution of known remote access software
   within the environment. It leverages data from Endpoint Detection and Response (EDR)
   agents, focusing on process names and parent processes mapped to the Endpoint data
-  model. This activity is significant as adversaries often use remote access tools
-  like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access.
+  model. We then compare with with a list of known remote access software shipped as a lookup file - remote_access_software. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access.
   If confirmed malicious, this could allow attackers to control systems remotely,
   exfiltrate data, or deploy additional malware, posing a severe threat to the organization's
   security.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes
-  where Processes.dest!=unknown Processes.process!=unknown by Processes.action Processes.dest
-  Processes.original_file_name Processes.parent_process Processes.parent_process_exec
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
-  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
-  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)`
-  | lookup remote_access_software remote_utility AS process_name OUTPUT isutility,
-  description as signature, comment_reference as desc, category | search isutility
-  = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_process_filter`'
+search: |
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process 
+    from datamodel=Endpoint.Processes 
+    where 
+    [| inputlookup remote_access_software where isutility=TRUE
+    | rename remote_utility AS Processes.process_name 
+    | fields Processes.process_name] 
+    AND Processes.dest!="unknown" 
+    AND Processes.user!="unknown" 
+    by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `drop_dm_object_name(Processes)` 
+  | lookup remote_access_software remote_utility AS process_name OUTPUT isutility description AS signature comment_reference AS desc category
+  | search isutility = TRUE
+  | `remote_access_software_usage_exceptions`
+  | `detect_remote_access_software_usage_process_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -107,3 +111,6 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

removed/deprecation_mapping.YML

@@ -1,4 +1,9 @@
 detections:
+  - content: Windows Remote Access Software Hunt
+    removed_in_version: 5.8.0
+    reason: Detection has been replaced by a new detection with a more specific name and logic
+    replacement_content:
+    - Detect Remote Access Software Usage Process
   - content: CertUtil Download With URLCache and Split Arguments
     removed_in_version: 5.8.0
     reason: Detection deprecated in favor of "Windows File Download Via CertUtil", in order to provide a better experience of the alert