
Commit bc18194

committed
Reordering keys
1 parent b196ddc commit bc18194

15 files changed

Lines changed: 90 additions & 90 deletions

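--- a/detections/application/okta_risk_threshold_exceeded.yml
+++ b/detections/application/okta_risk_threshold_exceeded.yml
@@ -30,6 +30,12 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: 7d
 latest_offset: "0"
+finding:
+title: Multiple suspicious Okta risk events - $risk_object$
+entity:
+field: risk_object
+type: user
+score: 0
 analytic_story:
 - Okta Account Takeover
 - Okta MFA Exhaustion
@@ -51,9 +57,3 @@ tests:
 source: risk_data
 sourcetype: stash
 test_type: unit
-finding:
-title: Multiple suspicious Okta risk events - $risk_object$
-entity:
-field: risk_object
-type: user
-score: 0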
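Review bot: The `finding:` block is relocated by hand in all ten sections shown (and, going by the diffstat, in five files not shown), and nothing in the change guards against one file ending up with a different key order or a dropped line; since the edit is purely mechanical, it is safer to apply it with a script that re-serializes the YAML, or to back it with a validator check that the expected key order holds. The rendered view drops indentation, so whether the moved block keeps the same nesting level as the neighbouring top-level keys (`analytic_story:`, `asset_type:`) cannot be confirmed here and is worth verifying once in a raw diff. The same note applies to the sections for aws_s3_exfiltration_behavior_identified.yml, risk_rule_for_dev_sec_ops_by_repository.yml, active_directory_lateral_movement_identified.yml, active_directory_privilege_escalation_identified.yml, linux_persistence_and_privilege_escalation_risk_behavior.yml, living_off_the_land_detection.yml, log4shell_cve_2021_44228_exploitation.yml, steal_or_forge_authentication_certificates_behavior_identified.yml and windows_common_abused_cmd_shell_risk_behavior.yml.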

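--- a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
+++ b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
@@ -34,6 +34,12 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: 7d
 latest_offset: "0"
+finding:
+title: Suspicious AWS S3 exfiltration behavior identified - $risk_object$
+entity:
+field: risk_object
+type: other
+score: 0
 analytic_story:
 - Suspicious Cloud Instance Activities
 - Data Exfiltration
@@ -53,9 +59,3 @@ tests:
 sourcetype: stash
 source: aws_exfil
 test_type: unit
-finding:
-title: Suspicious AWS S3 exfiltration behavior identified - $risk_object$
-entity:
-field: risk_object
-type: other
-score: 0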

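--- a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
+++ b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
@@ -29,6 +29,12 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: 7d
 latest_offset: "0"
+finding:
+title: Risk Threshold Exceeded for $risk_object$
+entity:
+field: risk_object
+type: other
+score: 0
 analytic_story:
 - Dev Sec Ops
 asset_type: Amazon Elastic Container Registry
@@ -47,9 +53,3 @@ tests:
 source: aws_ecr_risk_dataset.log
 sourcetype: stash
 test_type: unit
-finding:
-title: Risk Threshold Exceeded for $risk_object$
-entity:
-field: risk_object
-type: other
-score: 0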

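--- a/detections/endpoint/active_directory_lateral_movement_identified.yml
+++ b/detections/endpoint/active_directory_lateral_movement_identified.yml
@@ -31,6 +31,12 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: 7d
 latest_offset: "0"
+finding:
+title: Active Directory Lateral Movement Identified - $risk_object$
+entity:
+field: risk_object
+type: system
+score: 0
 analytic_story:
 - Active Directory Lateral Movement
 asset_type: Endpoint
@@ -49,9 +55,3 @@ tests:
 source: adlm
 sourcetype: stash
 test_type: unit
-finding:
-title: Active Directory Lateral Movement Identified - $risk_object$
-entity:
-field: risk_object
-type: system
-score: 0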

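--- a/detections/endpoint/active_directory_privilege_escalation_identified.yml
+++ b/detections/endpoint/active_directory_privilege_escalation_identified.yml
@@ -31,6 +31,12 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: 7d
 latest_offset: "0"
+finding:
+title: Active Directory Privilege Escalation Identified - $risk_object$
+entity:
+field: risk_object
+type: system
+score: 0
 analytic_story:
 - Active Directory Privilege Escalation
 asset_type: Endpoint
@@ -42,9 +48,3 @@ product:
 - Splunk Cloud
 category: endpoint
 security_domain: endpoint
-finding:
-title: Active Directory Privilege Escalation Identified - $risk_object$
-entity:
-field: risk_object
-type: system
-score: 0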

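--- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
+++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
@@ -35,6 +35,12 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: 7d
 latest_offset: "0"
+finding:
+title: Linux Persistence and Privilege Escalation Risk Behavior - $risk_object$
+entity:
+field: risk_object
+type: system
+score: 0
 analytic_story:
 - Linux Privilege Escalation
 - Linux Persistence Techniques
@@ -54,9 +60,3 @@ tests:
 source: linuxrisk
 sourcetype: stash
 test_type: unit
-finding:
-title: Linux Persistence and Privilege Escalation Risk Behavior - $risk_object$
-entity:
-field: risk_object
-type: system
-score: 0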

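--- a/detections/endpoint/living_off_the_land_detection.yml
+++ b/detections/endpoint/living_off_the_land_detection.yml
@@ -31,6 +31,12 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: 7d
 latest_offset: "0"
+finding:
+title: Living Off The Land Behavior detected - $risk_object$
+entity:
+field: risk_object
+type: system
+score: 0
 analytic_story:
 - Living Off The Land
 - Hellcat Ransomware
@@ -53,9 +59,3 @@ tests:
 source: lotl
 sourcetype: stash
 test_type: unit
-finding:
-title: Living Off The Land Behavior detected - $risk_object$
-entity:
-field: risk_object
-type: system
-score: 0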

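--- a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
+++ b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
@@ -31,6 +31,12 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: 7d
 latest_offset: "0"
+finding:
+title: Log4Shell CVE-2021-44228 Exploitation detected - $risk_object$
+entity:
+field: risk_object
+type: system
+score: 0
 analytic_story:
 - Log4Shell CVE-2021-44228
 - CISA AA22-320A
@@ -53,9 +59,3 @@ tests:
 source: log4shell
 sourcetype: stash
 test_type: unit
-finding:
-title: Log4Shell CVE-2021-44228 Exploitation detected - $risk_object$
-entity:
-field: risk_object
-type: system
-score: 0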

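--- a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml
+++ b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml
@@ -31,6 +31,12 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: 7d
 latest_offset: "0"
+finding:
+title: Steal or Forge Authentication Certificates Behavior Identified - $risk_object$
+entity:
+field: risk_object
+type: system
+score: 0
 analytic_story:
 - Windows Certificate Services
 asset_type: Endpoint
@@ -53,9 +59,3 @@ tests:
 source: certs
 sourcetype: stash
 test_type: unit
-finding:
-title: Steal or Forge Authentication Certificates Behavior Identified - $risk_object$
-entity:
-field: risk_object
-type: system
-score: 0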

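--- a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
+++ b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
@@ -31,6 +31,12 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: 7d
 latest_offset: "0"
+finding:
+title: Windows Common Abused Cmd Shell Risk Behavior - $risk_object$
+entity:
+field: risk_object
+type: system
+score: 0
 analytic_story:
 - Azorult
 - Volt Typhoon
@@ -65,9 +71,3 @@ tests:
 source: risk
 sourcetype: stash
 test_type: unit
-finding:
-title: Windows Common Abused Cmd Shell Risk Behavior - $risk_object$
-entity:
-field: risk_object
-type: system
-score: 0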
