Merge branch 'escu6_manual_review' into port_playbooks

Author: pyth0n1c

baselines/baseline_of_network_acl_activity_by_arn.yml

@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Detect Spike in Network ACL Activity'

baselines/baseline_of_security_group_activity_by_arn.yml

@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Detect Spike in Security Group Activity'

baselines/create_a_list_of_approved_aws_service_accounts.yml

@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Detect AWS API Activities From Unapproved Accounts'

baselines/discover_dns_records.yml

@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: DNS record changed'

baselines/dnstwist_domain_names.yml

@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Monitor DNS For Brand Abuse'

baselines/previously_seen_command_line_arguments.yml

@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: endpoint
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: First time seen command line argument'

detections/application/esxi_external_root_login_activity.yml

@@ -26,11 +26,11 @@ intermediate_findings:
         - field: dest
           type: system
           score: 20
-          message: Root logged in on ESXi host $dest$ from $SrcIpAddr.
+          message: Root logged in on ESXi host $dest$ from $SrcIpAddr$.
         - field: SrcIpAddr
           type: system
           score: 20
-          message: Root logged in on ESXi host $dest$ from $SrcIpAddr.
+          message: Root logged in on ESXi host $dest$ from $SrcIpAddr$.
 analytic_story:
     - ESXi Post Compromise
     - Black Basta Ransomware
@@ -50,15 +50,3 @@ tests:
           source: vmware:esxlog
           sourcetype: vmw-syslog
       test_type: unit
-MANUAL_REVIEW:
-    rba:
-        message: Root logged in on ESXi host $dest$ from $SrcIpAddr.
-        risk_objects:
-            - field: dest
-              type: system
-              score: 20
-            - field: SrcIpAddr
-              type: system
-              score: 20
-        threat_objects: []
-    manual_review_rationale: "The following error was found while validating the intermediate finding message: 1 validation error for EsTokenString\n  Value error, Unbalanced $ delimiter in token string: 'Root logged in on ESXi host $dest$ from $SrcIpAddr.'. Each $ must be part of a $field_name$ token pair. [type=value_error, input_value='Root logged in on ESXi h...$dest$ from $SrcIpAddr.', input_type=str]\n    For further information visit https://errors.pydantic.dev/2.13/v/value_error"

detections/application/monitor_email_for_brand_abuse.yml

@@ -43,6 +43,3 @@ category: application
 security_domain: network
 baselines:
     - DNSTwist Domain Names
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Detection references baseline(s) flagged for manual review: DNSTwist Domain Names'

detections/application/okta_risk_threshold_exceeded.yml

@@ -30,6 +30,12 @@ drilldown_searches:
       search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
       earliest_offset: 7d
       latest_offset: "0"
+finding:
+    title: Multiple suspicious Okta risk events - $risk_object$
+    entity:
+        field: risk_object
+        type: user
+        score: 0
 analytic_story:
     - Okta Account Takeover
     - Okta MFA Exhaustion
@@ -51,6 +57,3 @@ tests:
           source: risk_data
           sourcetype: stash
       test_type: unit
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate.

detections/cloud/aws_s3_exfiltration_behavior_identified.yml

@@ -20,7 +20,7 @@ search: |-
     | where source_count >= 2 and mitre_tactic_id_count>=2
     | `aws_s3_exfiltration_behavior_identified_filter`
 how_to_implement: You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security.
-known_false_positives: alse positives may be present based on automated tooling or system administrators. Filter as needed.
+known_false_positives: False positives may be present based on automated tooling or system administrators. Filter as needed.
 references:
     - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/
     - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/
@@ -34,6 +34,12 @@ drilldown_searches:
       search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
       earliest_offset: 7d
       latest_offset: "0"
+finding:
+    title: Suspicious AWS S3 exfiltration behavior identified - $risk_object$
+    entity:
+        field: risk_object
+        type: other
+        score: 0
 analytic_story:
     - Suspicious Cloud Instance Activities
     - Data Exfiltration
@@ -53,6 +59,3 @@ tests:
           sourcetype: stash
           source: aws_exfil
       test_type: unit
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate.