diff --git a/.vscode/settings.json b/.vscode/settings.json index 363e91f0ad..a079a5b988 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -17,6 +17,7 @@ "./schemas/KVStoreLookup.schema.json": "lookups/kvstore/*.yml", "./schemas/FilebackedMacro.schema.json": "macros/*.yml", "./schemas/FilebackedSchedule.schema.json": "schedules/*.yml", + "./schemas/Playbook.schema.json": "playbooks/*.yml", "./schemas/Story.schema.json": ["stories/*.yml", "!removed/stories/*.yml"] } } \ No newline at end of file diff --git a/baselines/baseline_of_network_acl_activity_by_arn.yml b/baselines/baseline_of_network_acl_activity_by_arn.yml index 4df7f8204c..33a49df180 100644 --- a/baselines/baseline_of_network_acl_activity_by_arn.yml +++ b/baselines/baseline_of_network_acl_activity_by_arn.yml @@ -16,6 +16,3 @@ product: - Splunk Cloud security_domain: network schedule: Default Baseline -MANUAL_REVIEW: - rba: {} - manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Detect Spike in Network ACL Activity' diff --git a/baselines/baseline_of_security_group_activity_by_arn.yml b/baselines/baseline_of_security_group_activity_by_arn.yml index eb428bdcb6..8c0de31c67 100644 --- a/baselines/baseline_of_security_group_activity_by_arn.yml +++ b/baselines/baseline_of_security_group_activity_by_arn.yml @@ -16,6 +16,3 @@ product: - Splunk Cloud security_domain: network schedule: Default Baseline -MANUAL_REVIEW: - rba: {} - manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Detect Spike in Security Group Activity' diff --git a/baselines/create_a_list_of_approved_aws_service_accounts.yml b/baselines/create_a_list_of_approved_aws_service_accounts.yml index c7f660a7eb..ba592b2cf0 100644 --- a/baselines/create_a_list_of_approved_aws_service_accounts.yml +++ b/baselines/create_a_list_of_approved_aws_service_accounts.yml 
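Review bot: The new `"./schemas/Playbook.schema.json": "playbooks/*.yml"` entry does not carry the `!removed/…` exclusion that the Story entry next to it has; if removed playbooks are archived the same way as removed stories, mirror that pattern as `["playbooks/*.yml", "!removed/playbooks/*.yml"]`, otherwise the plain glob is fine as written. The file still ends with `\ No newline at end of file`; adding the trailing newline while the file is being touched keeps future diffs to this line clean.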
@@ -16,6 +16,3 @@ product: - Splunk Cloud security_domain: network schedule: Default Baseline -MANUAL_REVIEW: - rba: {} - manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Detect AWS API Activities From Unapproved Accounts' diff --git a/baselines/discover_dns_records.yml b/baselines/discover_dns_records.yml index d5be87e656..f2f7ceb1ad 100644 --- a/baselines/discover_dns_records.yml +++ b/baselines/discover_dns_records.yml @@ -16,6 +16,3 @@ product: - Splunk Cloud security_domain: network schedule: Default Baseline -MANUAL_REVIEW: - rba: {} - manual_review_rationale: 'Baseline references detections that do not exist in the corpus: DNS record changed' diff --git a/baselines/dnstwist_domain_names.yml b/baselines/dnstwist_domain_names.yml index 1e9fc0b362..169bf9dd51 100644 --- a/baselines/dnstwist_domain_names.yml +++ b/baselines/dnstwist_domain_names.yml @@ -16,6 +16,3 @@ product: - Splunk Cloud security_domain: network schedule: Default Baseline -MANUAL_REVIEW: - rba: {} - manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Monitor DNS For Brand Abuse' diff --git a/baselines/previously_seen_command_line_arguments.yml b/baselines/previously_seen_command_line_arguments.yml index 44c9262551..34b4efbaa5 100644 --- a/baselines/previously_seen_command_line_arguments.yml +++ b/baselines/previously_seen_command_line_arguments.yml @@ -16,6 +16,3 @@ product: - Splunk Cloud security_domain: endpoint schedule: Default Baseline -MANUAL_REVIEW: - rba: {} - manual_review_rationale: 'Baseline references detections that do not exist in the corpus: First time seen command line argument' diff --git a/contentctl.yml b/contentctl.yml new file mode 100644 index 0000000000..b40b943e4d --- /dev/null +++ b/contentctl.yml 
@@ -0,0 +1,268 @@ +path: . +app: + uid: 3449 + title: ES Content Updates + appid: DA-ESS-ContentUpdate + version: 6.0.0 + description: Explore the Analytic Stories included with ES Content Updates. + prefix: ESCU + label: ESCU + author_name: Splunk Threat Research Team + author_email: research@splunk.com + author_company: Splunk +enrichments: false +build_app: true +build_api: true +build_ssa: false +build_path: dist +test_instance: + splunk_app_username: admin + instance_address: localhost + hec_port: 8088 + web_ui_port: 8000 + api_port: 8089 +container_settings: + full_image_path: registry.hub.docker.com/splunk/splunk:9.3 + leave_running: true + num_containers: 1 +mode: {} +splunk_api_username: null +post_test_behavior: pause_on_failure +apps: +- uid: 1621 + title: Splunk_SA_CIM + appid: Splunk_SA_CIM + version: 8.5.0 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-common-information-model-cim_850.tgz +- uid: 6553 + title: Splunk Add-on for Okta Identity Cloud + appid: Splunk_TA_okta_identity_cloud + version: 5.0.2 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-okta-identity-cloud_502.tgz +- uid: 7404 + title: Cisco Security Cloud + appid: CiscoSecurityCloud + version: 3.6.5 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_365.tgz +- uid: 7569 + title: Cisco Secure Access Add-on for Splunk + appid: TA-cisco-cloud-security-addon + version: 1.0.50 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-secure-access-add-on-for-splunk_1050.tar.gz +- uid: 6652 + title: Add-on for Linux Sysmon + appid: Splunk_TA_linux_sysmon + version: 1.0.0 + description: description of app + hardcoded_path: 
https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-sysmon-for-linux_100.tgz +- uid: null + title: Splunk Fix XmlWinEventLog HEC Parsing + appid: Splunk_FIX_XMLWINEVENTLOG_HEC_PARSING + version: '0.1' + description: This TA is required for replaying Windows Data into the Test Environment. + The Default TA does not include logic for properly splitting multiple log events + in a single file. In production environments, this logic is applied by the Universal + Forwarder. + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/Splunk_TA_fix_windows.tgz +- uid: 742 + title: Splunk Add-on for Microsoft Windows + appid: SPLUNK_ADD_ON_FOR_MICROSOFT_WINDOWS + version: 10.0.1 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-windows_1001.tgz +- uid: 5709 + title: Splunk Add-on for Sysmon + appid: Splunk_TA_microsoft_sysmon + version: 5.0.0 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-sysmon_500.tgz +- uid: 833 + title: Splunk Add-on for Unix and Linux + appid: Splunk_TA_nix + version: 10.2.0 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_1020.tgz +- uid: 5579 + title: Splunk Add-on for CrowdStrike FDR + appid: Splunk_TA_CrowdStrike_FDR + version: 2.0.5 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_205.tgz +- uid: 3185 + title: Splunk Add-on for Microsoft IIS + appid: SPLUNK_TA_FOR_IIS + version: 1.3.0 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-iis_130.tgz +- uid: 6994 + title: CCX Add-on for Suricata + appid: SPLUNK_TA_FOR_SURICATA + version: 1.0.1 + 
description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ccx-add-on-for-suricata_101.tgz +- uid: 5466 + title: TA for Zeek + appid: SPLUNK_TA_FOR_ZEEK + version: 1.0.11 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-zeek_1011.tgz +- uid: 3258 + title: Splunk Add-on for NGINX + appid: SPLUNK_ADD_ON_FOR_NGINX + version: 3.3.0 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-nginx_330.tgz +- uid: 5238 + title: Splunk Add-on for Stream Forwarders + appid: SPLUNK_ADD_ON_FOR_STREAM_FORWARDERS + version: 8.1.3 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-stream-forwarders_813.tgz +- uid: 5234 + title: Splunk Add-on for Stream Wire Data + appid: SPLUNK_ADD_ON_FOR_STREAM_WIRE_DATA + version: 8.1.6 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-stream-wire-data_816.tgz +- uid: 2757 + title: Splunk Add-on for Palo Alto Networks + appid: SPLUNK_ADD_ON_FOR_PALO_ALTO_NETWORKS + version: 3.0.1 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-palo-alto-networks_301.tgz +- uid: 3865 + title: Zscaler Technical Add-On for Splunk + appid: Zscaler_CIM + version: 4.0.16 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/zscaler-technical-add-on-for-splunk_4016.tgz +- uid: 3719 + title: Splunk Add-on for Amazon Kinesis Firehose + appid: SPLUNK_ADD_ON_FOR_AMAZON_KINESIS_FIREHOSE + version: 1.3.2 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-kinesis-firehose_132.tgz +- uid: 1876 + title: Splunk 
Add-on for AWS + appid: Splunk_TA_aws + version: 8.1.1 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-web-services-aws_811.tgz +- uid: 3088 + title: Splunk Add-on for Google Cloud Platform + appid: SPLUNK_ADD_ON_FOR_GOOGLE_CLOUD_PLATFORM + version: 4.7.0 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-cloud-platform_470.tgz +- uid: 5556 + title: Splunk Add-on for Google Workspace + appid: SPLUNK_ADD_ON_FOR_GOOGLE_WORKSPACE + version: 3.1.1 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_311.tgz +- uid: 3110 + title: Splunk Add-on for Microsoft Cloud Services + appid: SPLUNK_TA_MICROSOFT_CLOUD_SERVICES + version: 6.1.1 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-cloud-services_611.tgz +- uid: 4055 + title: Splunk Add-on for Microsoft Office 365 + appid: SPLUNK_ADD_ON_FOR_MICROSOFT_OFFICE_365 + version: 6.0.2 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-office-365_602.tgz +- uid: 5518 + title: Splunk add on for Microsoft Defender Advanced Hunting + appid: SPLUNK_ADD_ON_FOR_MICROSOFT_DEFENDER_ADVANCED_HUNTING + version: 1.4.2 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_142.tgz +- uid: 6207 + title: Splunk Add-on for Microsoft Security + appid: Splunk_TA_MS_Security + version: 3.0.0 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_300.tgz +- uid: 2734 + title: URL Toolbox + appid: 
URL_TOOLBOX + version: 1.9.4 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/url-toolbox_194.tgz +- uid: 6853 + title: Splunk Add-on for Admon Enrichment + appid: SA-admon + version: 1.1.2 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-admon-enrichment_112.tgz +- uid: 5082 + title: CrowdStrike Falcon Event Streams Technical Add-On + appid: TA-crowdstrike-falcon-event-streams + version: 3.2.1 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/crowdstrike-falcon-event-streams-technical-add-on_321.tgz +- uid: 6254 + title: Splunk Add-on for Github + appid: Splunk_TA_github + version: 3.2.0 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-github_320.tgz +- uid: 3471 + title: Splunk Add-on for AppDynamics + appid: Splunk_TA_AppDynamics + version: 3.2.1 + description: The Splunk Add-on for AppDynamics enables you to easily configure data + inputs to pull data from AppDynamics' REST APIs + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-splunk-add-on-for-appdynamics_321.tgz +- uid: 4221 + title: Cisco NVM Add-on for Splunk + appid: TA-Cisco-NVM + version: 4.0.7 + description: The Cisco Endpoint Security Analytics (CESA) Add-On for Splunk allows + IT administrators to analyze and correlate user and endpoint behavior in Splunk + Enterprise. This Add-on provides configuration and collection of data from the + Cisco AnyConnect Network Visibility Module IPFIX (nvzFlow) Collector. This module + collects additional context such as user, device, application, location and destination + for flows both on and off premise. 
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-endpoint-security-analytics-cesa-add-on-for-splunk_407.tgz +- uid: 5603 + title: Add-on for VMware ESXi Logs + appid: Splunk_TA_esxilogs + version: 4.2.2 + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-vmware-esxi-logs_422.tgz +- uid: 5640 + title: Splunk Add-on for VMware Indexes + appid: SPLUNK_ADD_ON_FOR_VMWARE_INDEXES + version: 4.0.3 + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-vmware-indexes_403.tgz +- uid: 1467 + title: Cisco Networks Add-on + appid: TA-cisco_ios + version: 2.7.9 + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/add-on-for-cisco-network-data_279.tgz +- uid: 8024 + title: TA-ollama + appid: ta-ollama + version: 0.1.5 + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-ollama_015.tgz +- uid: 8377 + title: MCP TA + appid: mcp-ta + version: 0.1.2 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/mcp-ta_012.tgz +- uid: 8574 + title: TA-osquery + appid: ta-osquery + version: 1.0.4 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-osquery_104.tgz +githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd +test_data_caches: +- base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/ + base_directory_name: external_repos/attack_data diff --git a/detections/application/esxi_external_root_login_activity.yml b/detections/application/esxi_external_root_login_activity.yml index 5e4450879f..336842d8b4 100644 --- a/detections/application/esxi_external_root_login_activity.yml +++ b/detections/application/esxi_external_root_login_activity.yml 
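Review bot: Every `hardcoded_path` in the new `apps` list fetches an app tarball from `attack-range-appbinaries.s3.us-west-2.amazonaws.com` with no digest, and `full_image_path: registry.hub.docker.com/splunk/splunk:9.3` is a mutable tag, so the test environment presumably installs whatever those locations serve at test time rather than the artifacts that were reviewed. If the contentctl app schema has an integrity field, record the expected digest next to each `hardcoded_path`; at minimum pin the container image by digest, e.g. `full_image_path: registry.hub.docker.com/splunk/splunk@sha256:<digest>` (placeholder). The list is also inconsistent: `uid: null` on the Splunk Fix XmlWinEventLog entry while every other `uid` is an integer, `description: description of app` is a placeholder on most entries, and the ESXi Logs, VMware Indexes, Cisco Networks and TA-ollama entries omit `description` entirely. `githash` pins attack_data, but `test_data_caches[0].base_url` points at `master`; confirm contentctl combines the two, otherwise the data cache is not pinned either.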
@@ -26,11 +26,11 @@ intermediate_findings: - field: dest type: system score: 20 - message: Root logged in on ESXi host $dest$ from $SrcIpAddr. + message: Root logged in on ESXi host $dest$ from $SrcIpAddr$. - field: SrcIpAddr type: system score: 20 - message: Root logged in on ESXi host $dest$ from $SrcIpAddr. + message: Root logged in on ESXi host $dest$ from $SrcIpAddr$. analytic_story: - ESXi Post Compromise - Black Basta Ransomware @@ -50,15 +50,3 @@ tests: source: vmware:esxlog sourcetype: vmw-syslog test_type: unit -MANUAL_REVIEW: - rba: - message: Root logged in on ESXi host $dest$ from $SrcIpAddr. - risk_objects: - - field: dest - type: system - score: 20 - - field: SrcIpAddr - type: system - score: 20 - threat_objects: [] - manual_review_rationale: "The following error was found while validating the intermediate finding message: 1 validation error for EsTokenString\n Value error, Unbalanced $ delimiter in token string: 'Root logged in on ESXi host $dest$ from $SrcIpAddr.'. Each $ must be part of a $field_name$ token pair. [type=value_error, input_value='Root logged in on ESXi h...$dest$ from $SrcIpAddr.', input_type=str]\n For further information visit https://errors.pydantic.dev/2.13/v/value_error" diff --git a/detections/application/monitor_email_for_brand_abuse.yml b/detections/application/monitor_email_for_brand_abuse.yml index 0dca1b0e13..5f1bd58064 100644 --- a/detections/application/monitor_email_for_brand_abuse.yml +++ b/detections/application/monitor_email_for_brand_abuse.yml @@ -43,6 +43,3 @@ category: application security_domain: network baselines: - DNSTwist Domain Names -MANUAL_REVIEW: - rba: {} - manual_review_rationale: 'Detection references baseline(s) flagged for manual review: DNSTwist Domain Names' diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml index c67abbe6ea..24d7ca2bd3 100644 --- a/detections/application/okta_risk_threshold_exceeded.yml 
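Review bot: The `$SrcIpAddr.` to `$SrcIpAddr$.` fix is applied to both intermediate-finding messages, but the validator error quoted in the removed MANUAL_REVIEW block names the same string as the top-level rba message, and the finding block that precedes line 26 is outside this hunk; confirm that the finding title/message there also reads `$SrcIpAddr$`, otherwise the unbalanced-delimiter failure will presumably recur on the next validation run. Both entities carry an identical message, so if the schema allows a single finding-level message (or a YAML anchor), that would avoid keeping two copies of the string in sync.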
+++ b/detections/application/okta_risk_threshold_exceeded.yml @@ -30,6 +30,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Multiple suspicious Okta risk events - $risk_object$ + entity: + field: risk_object + type: user + score: 0 analytic_story: - Okta Account Takeover - Okta MFA Exhaustion @@ -51,6 +57,3 @@ tests: source: risk_data sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml index afb690e77d..a80f696154 100644 --- a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml +++ b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml 
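Review bot: The new `finding` entity for `risk_object` has `score: 0` and no `threat_objects`, so this correlation raises a finding that adds nothing to the entity's risk score, and the removed rationale's request to evaluate threat objects is not answered anywhere in the hunk. If a zero score is intentional for Risk-datamodel correlations, a YAML comment above `score: 0` such as `# correlation search: risk is already accumulated by the contributing detections, the finding itself adds none` would stop the next reviewer from "fixing" it. The same pattern appears in aws_s3_exfiltration_behavior_identified (L11), which types the identical `risk_object` entity as `other` while this file uses `user`; since the Risk data model's normalized risk object is not user-specific, pick one type for both or document why they differ.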
@@ -20,7 +20,7 @@ search: |- | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter` how_to_implement: You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security. -known_false_positives: alse positives may be present based on automated tooling or system administrators. Filter as needed. +known_false_positives: False positives may be present based on automated tooling or system administrators. Filter as needed. references: - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/ @@ -34,6 +34,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Suspicious AWS S3 exfiltration behavior identified - $risk_object$ + entity: + field: risk_object + type: other + score: 0 analytic_story: - Suspicious Cloud Instance Activities - Data Exfiltration @@ -53,6 +59,3 @@ tests: sourcetype: stash source: aws_exfil test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. 
diff --git a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml index f647908b36..6a796eabb2 100644 --- a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml +++ b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml @@ -54,15 +54,3 @@ tests: source: Azure AD sourcetype: azure:monitor:aad test_type: unit -MANUAL_REVIEW: - rba: - message: Service principal $src_user$ bypassed the admin consent process and granted permissions to $user$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/azure_ad_external_guest_user_invited.yml b/detections/cloud/azure_ad_external_guest_user_invited.yml index 39bf01ac2f..5860b56eb1 100644 --- a/detections/cloud/azure_ad_external_guest_user_invited.yml +++ b/detections/cloud/azure_ad_external_guest_user_invited.yml @@ -69,15 +69,3 @@ tests: source: Azure AD sourcetype: azure:monitor:aad test_type: unit -MANUAL_REVIEW: - rba: - message: External Guest User $user$ initiated by $initiatedBy$ - risk_objects: - - field: user - type: user - score: 50 - - field: initiatedBy - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml index 19898cd54f..54a3367893 100644 --- a/detections/cloud/azure_ad_global_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_global_administrator_role_assigned.yml 
@@ -43,12 +43,12 @@ drilldown_searches: finding: title: Global Administrator Role assigned for User $user$ initiated by $initiatedBy$ entity: - field: user + field: initiatedBy type: user score: 50 intermediate_findings: entities: - - field: initiatedBy + - field: user type: user score: 50 message: Global Administrator Role assigned for User $user$ initiated by $initiatedBy$ @@ -72,15 +72,3 @@ tests: source: Azure AD sourcetype: azure:monitor:aad test_type: unit -MANUAL_REVIEW: - rba: - message: Global Administrator Role assigned for User $user$ initiated by $initiatedBy$ - risk_objects: - - field: user - type: user - score: 50 - - field: initiatedBy - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml index 9703e8a5af..870208b2f7 100644 --- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml @@ -39,12 +39,12 @@ drilldown_searches: finding: title: The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$ entity: - field: user + field: initiatedBy type: user score: 50 intermediate_findings: entities: - - field: initiatedBy + - field: user type: user score: 50 message: The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$ 
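Review bot: The swap makes the actor (`initiatedBy`) the primary finding entity and demotes the affected `user` to an intermediate finding; both keep score 50, so total risk is unchanged, but the finding now attaches to the initiator. That selection rule is applied here and in azure_ad_privileged_role_assigned (L14), azure_ad_service_principal_owner_added and azure_ad_user_enabled_and_password_reset (L15), azure_ad_user_immutableid_attribute_updated (L16), gcp_multi_factor_authentication_disabled and o365_applicationimpersonation_role_assigned (L17), o365_email_access_by_security_administrator (L19) and o365_external_guest_user_invited (L20), but not to azure_ad_admin_consent_bypassed_by_service_principal or azure_ad_external_guest_user_invited (L12), where only the MANUAL_REVIEW block is removed and, as far as those hunks show, the affected account stays the primary entity. Either apply the same selection there or note why those two differ. Nothing in the file records the rule itself; a one-line comment above `entity:` such as `# primary entity is the account that performed the change; the affected account is an intermediate finding` would preserve the reasoning for the next author.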
@@ -67,15 +67,3 @@ tests: source: Azure AD sourcetype: azure:monitor:aad test_type: unit -MANUAL_REVIEW: - rba: - message: The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$ - risk_objects: - - field: user - type: user - score: 50 - - field: initiatedBy - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml index 3e773c314e..d352b47e15 100644 --- a/detections/cloud/azure_ad_privileged_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_role_assigned.yml @@ -46,12 +46,12 @@ drilldown_searches: finding: title: A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$ entity: - field: user + field: initiatedBy type: user score: 50 intermediate_findings: entities: - - field: initiatedBy + - field: user type: user score: 50 message: A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$ @@ -76,15 +76,3 @@ tests: source: Azure AD sourcetype: azure:monitor:aad test_type: unit -MANUAL_REVIEW: - rba: - message: A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$ - risk_objects: - - field: user - type: user - score: 50 - - field: initiatedBy - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml index 39cd3815a3..2bca3052d6 100644 --- a/detections/cloud/azure_ad_service_principal_owner_added.yml +++ b/detections/cloud/azure_ad_service_principal_owner_added.yml 
@@ -42,12 +42,12 @@ drilldown_searches: finding: title: A new owner was added for service principal $displayName$ by $initiatedBy$ entity: - field: displayName + field: initiatedBy type: user score: 50 intermediate_findings: entities: - - field: initiatedBy + - field: displayName type: user score: 50 message: A new owner was added for service principal $displayName$ by $initiatedBy$ @@ -71,15 +71,3 @@ tests: source: Azure AD sourcetype: azure:monitor:aad test_type: unit -MANUAL_REVIEW: - rba: - message: A new owner was added for service principal $displayName$ by $initiatedBy$ - risk_objects: - - field: displayName - type: user - score: 50 - - field: initiatedBy - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml index ef3e732432..1f74fa1f2d 100644 --- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml +++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml @@ -40,12 +40,12 @@ drilldown_searches: finding: title: A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$ entity: - field: user + field: initiatedBy type: user score: 50 intermediate_findings: entities: - - field: initiatedBy + - field: user type: user score: 50 message: A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$ 
@@ -68,15 +68,3 @@ tests: source: Azure AD sourcetype: azure:monitor:aad test_type: unit -MANUAL_REVIEW: - rba: - message: A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$ - risk_objects: - - field: user - type: user - score: 50 - - field: initiatedBy - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml index c14679b0c4..4302eb132d 100644 --- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml +++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml @@ -43,12 +43,12 @@ drilldown_searches: finding: title: The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$ entity: - field: user + field: initiatedBy type: user score: 50 intermediate_findings: entities: - - field: initiatedBy + - field: user type: user score: 50 message: The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$ @@ -71,15 +71,3 @@ tests: source: Azure AD sourcetype: azure:monitor:aad test_type: unit -MANUAL_REVIEW: - rba: - message: The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$ - risk_objects: - - field: user - type: user - score: 50 - - field: initiatedBy - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/gcp_multi_factor_authentication_disabled.yml b/detections/cloud/gcp_multi_factor_authentication_disabled.yml index 99fd3a89fc..c9f8563677 100644 --- a/detections/cloud/gcp_multi_factor_authentication_disabled.yml +++ b/detections/cloud/gcp_multi_factor_authentication_disabled.yml 
@@ -36,12 +36,12 @@ drilldown_searches: finding: title: MFA disabled for User $user$ initiated by $actor.email$ entity: - field: user + field: actor.email type: user score: 50 intermediate_findings: entities: - - field: actor.email + - field: user type: user score: 50 message: MFA disabled for User $user$ initiated by $actor.email$ @@ -65,15 +65,3 @@ tests: source: gws:reports:admin sourcetype: gws:reports:admin test_type: unit -MANUAL_REVIEW: - rba: - message: MFA disabled for User $user$ initiated by $actor.email$ - risk_objects: - - field: user - type: user - score: 50 - - field: actor.email - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/o365_applicationimpersonation_role_assigned.yml b/detections/cloud/o365_applicationimpersonation_role_assigned.yml index 16d137c1bd..e823edba72 100644 --- a/detections/cloud/o365_applicationimpersonation_role_assigned.yml +++ b/detections/cloud/o365_applicationimpersonation_role_assigned.yml @@ -37,12 +37,12 @@ drilldown_searches: finding: title: $user$ granted the ApplicationImpersonation role to $target_user$ entity: - field: target_user + field: user type: user score: 50 intermediate_findings: entities: - - field: user + - field: target_user type: user score: 50 message: $user$ granted the ApplicationImpersonation role to $target_user$ @@ -66,15 +66,3 @@ tests: source: O365 sourcetype: o365:management:activity test_type: unit -MANUAL_REVIEW: - rba: - message: $user$ granted the ApplicationImpersonation role to $target_user$ - risk_objects: - - field: target_user - type: user - score: 50 - - field: user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. 
diff --git a/detections/cloud/o365_bec_email_hiding_rule_created.yml b/detections/cloud/o365_bec_email_hiding_rule_created.yml index 92f704c763..7887386766 100644 --- a/detections/cloud/o365_bec_email_hiding_rule_created.yml +++ b/detections/cloud/o365_bec_email_hiding_rule_created.yml @@ -7,6 +7,7 @@ author: '0xC0FFEEEE, Github Community' status: production type: TTP description: This analytic detects mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers. This may indicate that an attacker has gained access to the account. +data_source: [] search: |- `o365_management_activity` Workload=Exchange Operation IN ("New-InboxRule", "Set-InboxRule") | stats min(_time) as firstTime, max(_time) as lastTime, values(Operation) as Operation, latest(Name) as Name, latest(MarkAsRead) as MarkAsRead, latest(MoveToFolder) as MoveToFolder by object_id user @@ -40,8 +41,7 @@ finding: type: user score: 50 threat_objects: - - &id001 - field: Name + - field: Name type: signature analytic_story: - Office 365 Account Takeover @@ -61,13 +61,3 @@ tests: sourcetype: o365:management:activity source: o365 test_type: unit -MANUAL_REVIEW: - rba: - message: Potential BEC mailbox rule - $Name$ was created by user - $user$ - risk_objects: - - field: user - type: user - score: 50 - threat_objects: - - *id001 - manual_review_rationale: "This detection is missing a data_source: section. Even if it has value 'data_source: []', every detection MUST include the data_source key/value." diff --git a/detections/cloud/o365_email_access_by_security_administrator.yml b/detections/cloud/o365_email_access_by_security_administrator.yml index 5f7360c8e0..a78e4ac9ab 100644 --- a/detections/cloud/o365_email_access_by_security_administrator.yml +++ b/detections/cloud/o365_email_access_by_security_administrator.yml 
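Review bot: `data_source: []` satisfies the "key must exist" rule from the removed MANUAL_REVIEW rationale but declares no data source for a search that reads `o365_management_activity` with `Workload=Exchange`; if the corpus has a data-source entry for O365 management activity (the other o365 detections in this commit presumably declare one), list it here instead of an empty array so data-source-driven tooling does not treat this detection as sourceless. Dropping the `&id001` anchor on the `Name` threat object is correct now that the only `*id001` reference went away with the MANUAL_REVIEW block.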
@@ -36,12 +36,12 @@ drilldown_searches: finding: title: A security administrator $src_user$ accessed email messages for $user$ entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: A security administrator $src_user$ accessed email messages for $user$ @@ -66,15 +66,3 @@ tests: sourcetype: o365:management:activity source: o365 test_type: unit -MANUAL_REVIEW: - rba: - message: A security administrator $src_user$ accessed email messages for $user$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/o365_email_reported_by_admin_found_malicious.yml b/detections/cloud/o365_email_reported_by_admin_found_malicious.yml index 23bd3cbbea..9616815ae3 100644 --- a/detections/cloud/o365_email_reported_by_admin_found_malicious.yml +++ b/detections/cloud/o365_email_reported_by_admin_found_malicious.yml @@ -41,15 +41,8 @@ finding: field: src_user type: user score: 50 -intermediate_findings: - entities: - - field: user - type: user - score: 50 - message: O365 security admin $user$ manually reported a suspicious email from $src_user$ threat_objects: - - &id001 - field: Subject + - field: Subject type: email_subject analytic_story: - Spearphishing Attachments @@ -71,16 +64,3 @@ tests: sourcetype: o365:management:activity source: o365 test_type: unit -MANUAL_REVIEW: - rba: - message: O365 security admin $user$ manually reported a suspicious email from $src_user$ - risk_objects: - - field: src_user - type: user - score: 50 - - field: user - type: user - score: 50 - threat_objects: - - *id001 - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. 
diff --git a/detections/cloud/o365_email_reported_by_user_found_malicious.yml b/detections/cloud/o365_email_reported_by_user_found_malicious.yml index 4009bb54cb..97c3350c4c 100644 --- a/detections/cloud/o365_email_reported_by_user_found_malicious.yml +++ b/detections/cloud/o365_email_reported_by_user_found_malicious.yml @@ -47,15 +47,8 @@ finding: field: src_user type: user score: 50 -intermediate_findings: - entities: - - field: user - type: user - score: 50 - message: The user $user$ reported an email classified from $src_user$ threat_objects: - - &id001 - field: subject + - field: subject type: email_subject analytic_story: - Spearphishing Attachments @@ -77,16 +70,3 @@ tests: sourcetype: o365:management:activity source: o365 test_type: unit -MANUAL_REVIEW: - rba: - message: The user $user$ reported an email classified from $src_user$ - risk_objects: - - field: src_user - type: user - score: 50 - - field: user - type: user - score: 50 - threat_objects: - - *id001 - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/o365_external_guest_user_invited.yml b/detections/cloud/o365_external_guest_user_invited.yml index 9df77a2536..3e6a51c792 100644 --- a/detections/cloud/o365_external_guest_user_invited.yml +++ b/detections/cloud/o365_external_guest_user_invited.yml @@ -29,12 +29,12 @@ drilldown_searches: finding: title: Azure Guest User $user$ invited by $src_user$ entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: Azure Guest User $user$ invited by $src_user$ 
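Review bot: Removing the `intermediate_findings` block drops `user`, who by the message text is the person that reported (and so received) the email, leaving `src_user` — the sender of the reported message — as the only entity that accrues risk. For a phishing report the sender is frequently an external address, so after this change no internal identity carries risk for having received confirmed-malicious mail; whether that is intended is not stated. If it is not, keeping the recipient as an intermediate entity (`- field: user`, `type: user`, `score: 50` under `intermediate_findings:` with a message naming the recipient) preserves that signal. The admin-reported sibling in the previous hunk is a different case, since there `user` is the security administrator rather than the recipient.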
@@ -56,15 +56,3 @@ tests: sourcetype: o365:management:activity source: o365 test_type: unit -MANUAL_REVIEW: - rba: - message: Azure Guest User $user$ invited by $src_user$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/o365_privileged_role_assigned.yml b/detections/cloud/o365_privileged_role_assigned.yml index 512fed06ad..75a8eaf325 100644 --- a/detections/cloud/o365_privileged_role_assigned.yml +++ b/detections/cloud/o365_privileged_role_assigned.yml @@ -28,12 +28,12 @@ drilldown_searches: finding: title: A privileged Azure AD role [$object_name$] was assigned to user $user$ by $src_user$ entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: A privileged Azure AD role [$object_name$] was assigned to user $user$ by $src_user$ @@ -56,15 +56,3 @@ tests: sourcetype: o365:management:activity source: o365 test_type: unit -MANUAL_REVIEW: - rba: - message: A privileged Azure AD role [$object_name$] was assigned to user $user$ by $src_user$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml index 59fb1471b1..3ccfbf7cbf 100644 --- a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml +++ b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml 
@@ -29,12 +29,12 @@ drilldown_searches: finding: title: A privileged Azure AD role [$object_name$] was assigned to the Service Principal $user$ initiated by $src_user$ entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: A privileged Azure AD role [$object_name$] was assigned to the Service Principal $user$ initiated by $src_user$ @@ -57,15 +57,3 @@ tests: sourcetype: o365:management:activity source: o365 test_type: unit -MANUAL_REVIEW: - rba: - message: A privileged Azure AD role [$object_name$] was assigned to the Service Principal $user$ initiated by $src_user$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/o365_service_principal_new_client_credentials.yml b/detections/cloud/o365_service_principal_new_client_credentials.yml index 6a1e4cf02b..830e144f9a 100644 --- a/detections/cloud/o365_service_principal_new_client_credentials.yml +++ b/detections/cloud/o365_service_principal_new_client_credentials.yml @@ -66,15 +66,3 @@ tests: sourcetype: o365:management:activity source: o365 test_type: unit -MANUAL_REVIEW: - rba: - message: New credentials added for Service Principal $object$ - risk_objects: - - field: object - type: user - score: 50 - - field: user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml index b4eca8800c..99c07a6d54 100644 --- a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml 
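Review bot: The actor-first ordering applied here (`src_user`, who initiated the assignment, becomes the finding entity and the service principal `user` moves to `intermediate_findings`) is not applied to o365_service_principal_new_client_credentials in the following hunk, where only the MANUAL_REVIEW block is dropped. Its removed rba block listed `object` (the service principal) before `user`, so if the finding section outside the hunk still mirrors that order, the service principal rather than the acting user is the primary entity there, unlike every other swap in this commit. Worth confirming in that file's finding block, which is not part of the diff.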
+++ b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml @@ -29,6 +29,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Risk Threshold Exceeded for $risk_object$ + entity: + field: risk_object + type: other + score: 0 analytic_story: - Dev Sec Ops asset_type: Amazon Elastic Container Registry @@ -47,6 +53,3 @@ tests: source: aws_ecr_risk_dataset.log sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/detections/endpoint/active_directory_lateral_movement_identified.yml b/detections/endpoint/active_directory_lateral_movement_identified.yml index ed220e7c57..2877582be1 100644 --- a/detections/endpoint/active_directory_lateral_movement_identified.yml +++ b/detections/endpoint/active_directory_lateral_movement_identified.yml 
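Review bot: The added finding carries `score: 0` and no `threat_objects`, although the removed rationale explicitly asked the author to evaluate whether threat objects are appropriate for each correlation detection; the same applies to the finding blocks added in active_directory_lateral_movement_identified, active_directory_privilege_escalation_identified, linux_persistence_and_privilege_escalation_risk_behavior, living_off_the_land_detection, log4shell_cve_2021_44228_exploitation and steal_or_forge_authentication_certificates_behavior_identified. A zero score may well be deliberate — the contributing risk events are presumably already scored, so the correlation finding should not add to them — but nothing in the file records that, and a comment such as `score: 0  # correlation finding: risk already accrued by the contributing detections` would stop a later author "fixing" it. This file also uses `type: other` where the others use `type: system`; that fits a repository, but a short note saying so would make clear it is not a copy-paste slip.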
@@ -31,6 +31,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Active Directory Lateral Movement Identified - $risk_object$ + entity: + field: risk_object + type: system + score: 0 analytic_story: - Active Directory Lateral Movement asset_type: Endpoint @@ -49,6 +55,3 @@ tests: source: adlm sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/detections/endpoint/active_directory_privilege_escalation_identified.yml b/detections/endpoint/active_directory_privilege_escalation_identified.yml index 5b44ad6960..1c6e402a55 100644 --- a/detections/endpoint/active_directory_privilege_escalation_identified.yml +++ b/detections/endpoint/active_directory_privilege_escalation_identified.yml 
@@ -31,6 +31,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Active Directory Privilege Escalation Identified - $risk_object$ + entity: + field: risk_object + type: system + score: 0 analytic_story: - Active Directory Privilege Escalation asset_type: Endpoint @@ -42,6 +48,3 @@ product: - Splunk Cloud category: endpoint security_domain: endpoint -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml index d5a903a2c0..3dbd5fc8dc 100644 --- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml +++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml 
@@ -35,6 +35,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Linux Persistence and Privilege Escalation Risk Behavior - $risk_object$ + entity: + field: risk_object + type: system + score: 0 analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques @@ -54,6 +60,3 @@ tests: source: linuxrisk sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/detections/endpoint/living_off_the_land_detection.yml b/detections/endpoint/living_off_the_land_detection.yml index a038a65116..c221bb6203 100644 --- a/detections/endpoint/living_off_the_land_detection.yml +++ b/detections/endpoint/living_off_the_land_detection.yml 
@@ -31,6 +31,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Living Off The Land Behavior detected - $risk_object$ + entity: + field: risk_object + type: system + score: 0 analytic_story: - Living Off The Land - Hellcat Ransomware @@ -53,6 +59,3 @@ tests: source: lotl sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml index 3b7246ff30..72ffd77d48 100644 --- a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml +++ b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml 
@@ -31,6 +31,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Log4Shell CVE-2021-44228 Exploitation detected - $risk_object$ + entity: + field: risk_object + type: system + score: 0 analytic_story: - Log4Shell CVE-2021-44228 - CISA AA22-320A @@ -53,6 +59,3 @@ tests: source: log4shell sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml index c718c6ed37..f7c4eb43cb 100644 --- a/detections/endpoint/slui_runas_elevated.yml +++ b/detections/endpoint/slui_runas_elevated.yml @@ -45,12 +45,12 @@ drilldown_searches: finding: title: A slui process $process_name$ with elevated commandline $process$ on host $dest$ entity: - field: dest - type: system + field: user + type: user score: 50 intermediate_findings: entities: - - field: user + - field: dest type: system score: 50 message: A slui process $process_name$ with elevated commandline $process$ on host $dest$ 
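Review bot: The slui_runas_elevated finding is now attributed to `user`, but the title `A slui process $process_name$ with elevated commandline $process$ on host $dest$` never names that entity, so an analyst reading the finding sees the host but not the account the risk was scored against. Including it, e.g. `title: A slui process $process_name$ with elevated commandline $process$ run by $user$ on host $dest$`, keeps the finding self-describing; the same template is repeated in the `intermediate_findings` message a few lines below and should be updated together with it. The swap also corrects the earlier `field: user` / `type: system` mismatch, which is the right fix.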
@@ -74,15 +74,3 @@ tests: source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: A slui process $process_name$ with elevated commandline $process$ on host $dest$ - risk_objects: - - field: dest - type: system - score: 50 - - field: user - type: system - score: 50 - threat_objects: [] - manual_review_rationale: Multiple non-user-type entities found, but no user-type entities. We have picked the first non-user type entity and flagged this detection for manual review. diff --git a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml index 40949313e5..bb94157473 100644 --- a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml +++ b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml @@ -31,6 +31,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Steal or Forge Authentication Certificates Behavior Identified - $risk_object$ + entity: + field: risk_object + type: system + score: 0 analytic_story: - Windows Certificate Services asset_type: Endpoint 
@@ -53,6 +59,3 @@ tests: source: certs sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml index 66fc40e6b5..9d6cd43a91 100644 --- a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml +++ b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml @@ -33,12 +33,12 @@ drilldown_searches: finding: title: The AdminSDHolder domain object $ObjectDN$ has been modified by $src_user$ entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: The AdminSDHolder domain object $ObjectDN$ has been modified by $src_user$ @@ -60,15 +60,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: The AdminSDHolder domain object $ObjectDN$ has been modified by $src_user$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml index fdd36e8949..ea8934990b 100644 --- a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml +++ b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml 
@@ -57,15 +57,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: Active Directory SID History Attribute was added to $user$ by $src_user$ - risk_objects: - - field: src_user - type: user - score: 50 - - field: user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml b/detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml index 88e5ae74d8..4c843d442b 100644 --- a/detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml +++ b/detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml @@ -28,12 +28,12 @@ drilldown_searches: finding: title: $src_user$ has added ACL rights to deny $user$ $aceControlAccessRights$ $aceAccessRights$ to $ObjectDN$ entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: $src_user$ has added ACL rights to deny $user$ $aceControlAccessRights$ $aceAccessRights$ to $ObjectDN$ @@ -56,15 +56,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: $src_user$ has added ACL rights to deny $user$ $aceControlAccessRights$ $aceAccessRights$ to $ObjectDN$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/endpoint/windows_ad_dangerous_group_acl_modification.yml b/detections/endpoint/windows_ad_dangerous_group_acl_modification.yml index f999c2f56a..496738c80c 100644 --- a/detections/endpoint/windows_ad_dangerous_group_acl_modification.yml 
+++ b/detections/endpoint/windows_ad_dangerous_group_acl_modification.yml @@ -29,12 +29,12 @@ drilldown_searches: finding: title: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ $aceAccessRights$ to group $ObjectDN$ entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ $aceAccessRights$ to group $ObjectDN$ @@ -57,15 +57,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ $aceAccessRights$ to group $ObjectDN$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/endpoint/windows_ad_dangerous_user_acl_modification.yml b/detections/endpoint/windows_ad_dangerous_user_acl_modification.yml index 16825f71ee..953f11c028 100644 --- a/detections/endpoint/windows_ad_dangerous_user_acl_modification.yml +++ b/detections/endpoint/windows_ad_dangerous_user_acl_modification.yml @@ -29,12 +29,12 @@ drilldown_searches: finding: title: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ $aceAccessRights$ to user $ObjectDN$ entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ $aceAccessRights$ to user $ObjectDN$ 
@@ -57,15 +57,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ $aceAccessRights$ to user $ObjectDN$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml b/detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml index 67d90e220f..961b49dc71 100644 --- a/detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml +++ b/detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml @@ -54,12 +54,12 @@ drilldown_searches: finding: title: ACL modification Event Initiated by $src_user$ applying $user$ the minimum required extended rights to perform a DCShadow attack. entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: ACL modification Event Initiated by $src_user$ applying $user$ the minimum required extended rights to perform a DCShadow attack. @@ -83,15 +83,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: ACL modification Event Initiated by $src_user$ applying $user$ the minimum required extended rights to perform a DCShadow attack. - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. 
diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml index 6e5964faf7..fa3da3a0fa 100644 --- a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml +++ b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml @@ -50,12 +50,12 @@ drilldown_searches: finding: title: $src_user$ has granted $user$ permission to replicate AD objects entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: $src_user$ has granted $user$ permission to replicate AD objects @@ -79,15 +79,3 @@ tests: sourcetype: XmlWinEventLog description: PORTED MANUAL TEST - This search uses a lookup provided by Enterprise Security and needs to be manually tested. test_type: experimental -MANUAL_REVIEW: - rba: - message: $src_user$ has granted $user$ permission to replicate AD objects - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/endpoint/windows_ad_domain_root_acl_deletion.yml b/detections/endpoint/windows_ad_domain_root_acl_deletion.yml index d6a7124aa7..3d8f5ea920 100644 --- a/detections/endpoint/windows_ad_domain_root_acl_deletion.yml +++ b/detections/endpoint/windows_ad_domain_root_acl_deletion.yml @@ -29,12 +29,12 @@ drilldown_searches: finding: title: $src_user$ has removed $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$ entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: $src_user$ has removed $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$ 
@@ -57,15 +57,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: $src_user$ has removed $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/endpoint/windows_ad_domain_root_acl_modification.yml b/detections/endpoint/windows_ad_domain_root_acl_modification.yml index ba7ce077d3..dd7f05a1ec 100644 --- a/detections/endpoint/windows_ad_domain_root_acl_modification.yml +++ b/detections/endpoint/windows_ad_domain_root_acl_modification.yml @@ -29,12 +29,12 @@ drilldown_searches: finding: title: $src_user$ has granted $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$ entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: $src_user$ has granted $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$ @@ -57,15 +57,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: $src_user$ has granted $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/endpoint/windows_ad_hidden_ou_creation.yml b/detections/endpoint/windows_ad_hidden_ou_creation.yml index c3ed4f5b21..753e995803 100644 --- a/detections/endpoint/windows_ad_hidden_ou_creation.yml +++ b/detections/endpoint/windows_ad_hidden_ou_creation.yml 
@@ -27,12 +27,12 @@ drilldown_searches: finding: title: $src_user$ has hidden the contents of OU $ObjectDN$ from $user$ entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: $src_user$ has hidden the contents of OU $ObjectDN$ from $user$ @@ -55,15 +55,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: $src_user$ has hidden the contents of OU $ObjectDN$ from $user$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/endpoint/windows_ad_object_owner_updated.yml b/detections/endpoint/windows_ad_object_owner_updated.yml index e1ba1e2771..b242e6adef 100644 --- a/detections/endpoint/windows_ad_object_owner_updated.yml +++ b/detections/endpoint/windows_ad_object_owner_updated.yml @@ -47,12 +47,12 @@ drilldown_searches: finding: title: $src_user$ has made $user$ the owner of AD object $ObjectDN$ entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user + - field: user type: user score: 50 message: $src_user$ has made $user$ the owner of AD object $ObjectDN$ @@ -75,15 +75,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: $src_user$ has made $user$ the owner of AD object $ObjectDN$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. 
diff --git a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml index 3f0660c50c..27e35e336b 100644 --- a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml +++ b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml @@ -59,15 +59,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: Active Directory SID History Attribute was added to $user$ by $src_user$ - risk_objects: - - field: src_user - type: user - score: 50 - - field: user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml index 8f1b9aca38..a34569ea8f 100644 --- a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml +++ b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml @@ -62,15 +62,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: A Servince Principal Name for $ObjectDN$ was set by $user$ - risk_objects: - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: [] - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml b/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml index 180daf49e0..8d6ee95eb7 100644 --- a/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml +++ b/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml 
@@ -44,29 +44,28 @@ drilldown_searches: latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" search: | - | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" - values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" - values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" - by normalized_risk_object - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" + values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" + values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` earliest_offset: 7d latest_offset: "0" finding: title: expand.exe extracted cabinet contents on $dest$ executed by $user$. entity: - field: dest - type: system + field: user + type: user score: 50 intermediate_findings: entities: - - field: user + - field: dest type: system score: 50 message: expand.exe extracted cabinet contents on $dest$ executed by $user$. threat_objects: - - &id001 - field: process_name + - field: process_name type: process_name analytic_story: - APT37 Rustonotto and FadeStealer 
@@ -87,16 +86,3 @@ tests: source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: expand.exe extracted cabinet contents on $dest$ executed by $user$. - risk_objects: - - field: dest - type: system - score: 50 - - field: user - type: system - score: 50 - threat_objects: - - *id001 - manual_review_rationale: Multiple non-user-type entities found, but no user-type entities. We have picked the first non-user type entity and flagged this detection for manual review. diff --git a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml index 3bdf1f1b75..0e413b2747 100644 --- a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml +++ b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml @@ -31,6 +31,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Windows Common Abused Cmd Shell Risk Behavior - $risk_object$ + entity: + field: risk_object + type: system + score: 0 analytic_story: - Azorult - Volt Typhoon 
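Review bot: The `finding` added to `windows_common_abused_cmd_shell_risk_behavior` types `risk_object` as `system`, while the equivalent findings added to `windows_modify_registry_risk_behavior`, `windows_post_exploitation_risk_behavior` and the two Cisco privileged-account correlations use `type: other`. A correlation's `risk_object` is presumably whatever `normalized_risk_object` the risk index returned, which can be a host or a user, so `system` looks like an unverified assumption rather than a property of this search; either align it with the others (`type: other`) or document why this one is host-only. `score: 0` is likely meant to avoid re-counting risk already scored by the contributing detections, but that reasoning is not stated; a comment such as `# score 0: risk is already carried by the contributing detections` would make it explicit. The SPL that produces `risk_object` lies outside the hunk.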
@@ -65,6 +71,3 @@ tests: source: risk sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/detections/endpoint/windows_modify_registry_risk_behavior.yml b/detections/endpoint/windows_modify_registry_risk_behavior.yml index e5d4d5e456..22b7146def 100644 --- a/detections/endpoint/windows_modify_registry_risk_behavior.yml +++ b/detections/endpoint/windows_modify_registry_risk_behavior.yml @@ -33,6 +33,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Windows Modify Registry Risk Behavior - $risk_object$ + entity: + field: risk_object + type: other + score: 0 analytic_story: - Windows Registry Abuse asset_type: Endpoint @@ -51,6 +57,3 @@ tests: source: mod_reg sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. 
diff --git a/detections/endpoint/windows_post_exploitation_risk_behavior.yml b/detections/endpoint/windows_post_exploitation_risk_behavior.yml index f60df5a8c0..13e7633a14 100644 --- a/detections/endpoint/windows_post_exploitation_risk_behavior.yml +++ b/detections/endpoint/windows_post_exploitation_risk_behavior.yml @@ -30,6 +30,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Windows Post Exploitation Risk Behavior - $risk_object$ + entity: + field: risk_object + type: other + score: 0 analytic_story: - Windows Post-Exploitation asset_type: Endpoint @@ -55,6 +61,3 @@ tests: source: wpe sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml index 994ba628c9..7b711dbac0 100644 --- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml +++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml 
@@ -138,22 +138,17 @@ drilldown_searches: finding: title: The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$]. entity: - field: user + field: src_user type: user score: 50 intermediate_findings: entities: - - field: src_user - type: user - score: 50 - message: The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$]. - field: dest type: system score: 50 message: The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$]. threat_objects: - - &id001 - field: process_name + - field: process_name type: process_name analytic_story: - Windows Privilege Escalation @@ -177,19 +172,3 @@ tests: sourcetype: XmlWinEventLog name: True Positive Test test_type: unit -MANUAL_REVIEW: - rba: - message: The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$]. - risk_objects: - - field: dest - type: system - score: 50 - - field: user - type: user - score: 50 - - field: src_user - type: user - score: 50 - threat_objects: - - *id001 - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/endpoint/windows_sql_server_critical_procedures_enabled.yml b/detections/endpoint/windows_sql_server_critical_procedures_enabled.yml index bf843e1f5d..c300a27be0 100644 --- a/detections/endpoint/windows_sql_server_critical_procedures_enabled.yml +++ b/detections/endpoint/windows_sql_server_critical_procedures_enabled.yml 
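Review bot: After this hunk `windows_privilege_escalation_suspicious_process_elevation` no longer attributes any risk to `user`: the finding entity moves to `src_user`, the `src_user` intermediate finding is dropped, and only `dest` remains as an intermediate entity, whereas the legacy `rba` block removed further down scored `dest`, `user` and `src_user` at 50 each. If dropping `user` (presumably the account the elevated process runs as) is intentional, record it, e.g. `# user is not scored separately; risk is attributed to the launching account (src_user) and the host`; otherwise keep it as a second intermediate entity with the same message. The `finding` block begins before the hunk.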
@@ -48,12 +48,6 @@ finding: field: dest type: system score: 50 -intermediate_findings: - entities: - - field: config_name - type: other - score: 50 - message: SQL Server critical procedure "$config_name$" was $change_type$ on host $dest$, which could indicate an attempt to gain code execution or perform reconnaissance analytic_story: - SQL Server Abuse asset_type: Windows @@ -73,15 +67,3 @@ tests: source: XmlWinEventLog:Application description: PORTED MANUAL TEST - The risk message is dynamically generated in the SPL and it needs to be manually tested for integration testing. test_type: experimental -MANUAL_REVIEW: - rba: - message: SQL Server critical procedure "$config_name$" was $change_type$ on host $dest$, which could indicate an attempt to gain code execution or perform reconnaissance - risk_objects: - - field: dest - type: system - score: 50 - - field: config_name - type: other - score: 50 - threat_objects: [] - manual_review_rationale: Multiple non-user-type entities found, but no user-type entities. We have picked the first non-user type entity and flagged this detection for manual review. diff --git a/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml b/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml index dea0008927..7e1717ce84 100644 --- a/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml +++ b/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml @@ -48,12 +48,6 @@ finding: field: dest type: system score: 50 -intermediate_findings: - entities: - - field: config_name - type: other - score: 50 - message: SQL Server xp_cmdshell configuration was $change_type$ on host $dest$, which could indicate an attempt to gain operating system command execution capabilities analytic_story: - SQL Server Abuse - Seashell Blizzard 
@@ -75,15 +69,3 @@ tests: sourcetype: XmlWinEventLog description: PORTED MANUAL TEST - The risk message is dynamically generated in the SPL and it needs to be manually tested for integration testing. test_type: experimental -MANUAL_REVIEW: - rba: - message: SQL Server xp_cmdshell configuration was $change_type$ on host $dest$, which could indicate an attempt to gain operating system command execution capabilities - risk_objects: - - field: dest - type: system - score: 50 - - field: config_name - type: other - score: 50 - threat_objects: [] - manual_review_rationale: Multiple non-user-type entities found, but no user-type entities. We have picked the first non-user type entity and flagged this detection for manual review. diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml index 665ba1d9f5..8686a907b3 100644 --- a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml +++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml @@ -94,11 +94,9 @@ intermediate_findings: score: 50 message: Possible AD CS ESC1 authentication on $dest$ threat_objects: - - &id001 - field: ssl_hash + - field: ssl_hash type: tls_hash - - &id002 - field: ssl_serial + - field: ssl_serial type: certificate_serial analytic_story: - Windows Certificate Services 
@@ -120,23 +118,3 @@ tests: source: XmlWinEventLog:Security sourcetype: XmlWinEventLog test_type: unit -MANUAL_REVIEW: - rba: - message: Possible AD CS ESC1 authentication on $dest$ - risk_objects: - - field: src - type: system - score: 50 - - field: dest - type: system - score: 50 - - field: src_user - type: user - score: 50 - - field: user - type: user - score: 50 - threat_objects: - - *id001 - - *id002 - manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review. diff --git a/detections/network/cisco_privileged_account_creation_with_http_command_execution.yml b/detections/network/cisco_privileged_account_creation_with_http_command_execution.yml index 129bb160d8..a7e3c2b4ab 100644 --- a/detections/network/cisco_privileged_account_creation_with_http_command_execution.yml +++ b/detections/network/cisco_privileged_account_creation_with_http_command_execution.yml @@ -61,6 +61,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Cisco Privileged Account Creation with HTTP Command Execution - $risk_object$ + entity: + field: risk_object + type: other + score: 0 analytic_story: - Cisco Secure Firewall Threat Defense Analytics - Salt Typhoon 
@@ -82,6 +88,3 @@ tests: source: not_applicable sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/detections/network/cisco_privileged_account_creation_with_suspicious_ssh_activity.yml b/detections/network/cisco_privileged_account_creation_with_suspicious_ssh_activity.yml index a9615fdbf2..69661c6670 100644 --- a/detections/network/cisco_privileged_account_creation_with_suspicious_ssh_activity.yml +++ b/detections/network/cisco_privileged_account_creation_with_suspicious_ssh_activity.yml @@ -73,6 +73,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$normalized_risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: Cisco Privileged Account Creation with Suspicious SSH Activity - $risk_object$ + entity: + field: risk_object + type: other + score: 0 analytic_story: - Cisco Secure Firewall Threat Defense Analytics - Salt Typhoon 
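Review bot: The new finding title in `cisco_privileged_account_creation_with_suspicious_ssh_activity` uses `$risk_object$` and the entity is `field: risk_object`, but the drilldown search kept in the same hunk filters on `"$normalized_risk_object$"`, so the two tokens name different result fields. Unless the search (outside the hunk) emits both `risk_object` and `normalized_risk_object`, one of them will be empty at render time; the sibling `cisco_privileged_account_creation_with_http_command_execution` hunk uses `$risk_object$` in both places, so the drilldown here should probably read `normalized_risk_object IN ("$risk_object$")`. Confirming which field the correlation actually outputs is the first step.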
@@ -94,6 +100,3 @@ tests: source: not_applicable sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml b/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml index c1ff194d38..d3e1e344bd 100644 --- a/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml +++ b/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml @@ -58,9 +58,9 @@ analytic_story: - Cisco Secure Firewall Threat Defense Analytics asset_type: Network mitre_attack_id: - - T1059 # Command and Scripting Interpreter - - T1071 # Application Layer Protocol - - T1595.002 # Active Scanning: Vulnerability Scanning + - T1059 # Command and Scripting Interpreter + - T1071 # Application Layer Protocol + - T1595.002 # Active Scanning: Vulnerability Scanning product: - Splunk Enterprise - Splunk Cloud diff --git a/detections/network/detect_large_icmp_traffic.yml b/detections/network/detect_large_icmp_traffic.yml index 7f94e9d1c5..98f14307a8 100644 --- a/detections/network/detect_large_icmp_traffic.yml +++ b/detections/network/detect_large_icmp_traffic.yml @@ -59,12 +59,12 @@ drilldown_searches: finding: title: Large ICMP traffic greater than a 1000 bytes detected from $src_ip$ to $dest_ip$ entity: - field: dest_ip + field: src_ip type: system score: 50 intermediate_findings: entities: - - field: src_ip + - field: dest_ip type: system score: 50 message: Large ICMP traffic greater than a 1000 bytes detected from $src_ip$ to $dest_ip$ 
@@ -95,15 +95,3 @@ tests: source: cisco_cloud_security_addon sourcetype: cisco:cloud_security:firewall test_type: unit -MANUAL_REVIEW: - rba: - message: Large ICMP traffic greater than a 1000 bytes detected from $src_ip$ to $dest_ip$ - risk_objects: - - field: dest_ip - type: system - score: 50 - - field: src_ip - type: system - score: 50 - threat_objects: [] - manual_review_rationale: Multiple non-user-type entities found, but no user-type entities. We have picked the first non-user type entity and flagged this detection for manual review. diff --git a/detections/network/detect_unauthorized_assets_by_mac_address.yml b/detections/network/detect_unauthorized_assets_by_mac_address.yml index 8fd8852285..0b29328bdd 100644 --- a/detections/network/detect_unauthorized_assets_by_mac_address.yml +++ b/detections/network/detect_unauthorized_assets_by_mac_address.yml @@ -24,9 +24,9 @@ how_to_implement: This search uses the Network_Sessions data model shipped with known_false_positives: This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information. references: [] finding: - title: Potentially Unauthorized Device observed + title: Potentially Unauthorized Device observed [ $dest_ip$ ] entity: - field: dest + field: dest_ip type: system score: 50 analytic_story: 
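Review bot: Besides adding a token to the title, this hunk changes the finding entity of `detect_unauthorized_assets_by_mac_address` from `field: dest` to `field: dest_ip`, which is more than the removed validation error (a missing `$field_name$` token) called for. If the search, which is outside the hunk, only emits `dest`, both the entity and the `$dest_ip$` title token will be empty; the `how_to_implement` context says the search runs over the Network_Sessions data model, so the field name should be confirmed against what that search returns rather than carried over by assumption. Once checked, a comment such as `# entity field must match the field emitted by the search (dest_ip)` would record it.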
@@ -41,12 +41,3 @@ category: network security_domain: network baselines: - Count of assets by category -MANUAL_REVIEW: - rba: - message: Potentially Unauthorized Device observed - risk_objects: - - field: dest - type: system - score: 50 - threat_objects: [] - manual_review_rationale: "The following error was found while validating the finding title: 1 validation error for EsTokenString\n Value error, No $field_name$ tokens found in token string: 'Potentially Unauthorized Device observed'. At least one token is required. [type=value_error, input_value='Potentially Unauthorized Device observed', input_type=str]\n For further information visit https://errors.pydantic.dev/2.13/v/value_error" diff --git a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml index 9d0b0707f7..ca816697bc 100644 --- a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml +++ b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml @@ -23,7 +23,7 @@ how_to_implement: You must be ingesting Splunk Stream DNS and Splunk Stream TCP. known_false_positives: No false positives have been identified at this time. references: [] finding: - title: Potential SIGRed activity detected + title: Potential SIGRed activity detected [ $flow_id$ ] entity: field: flow_id type: other 
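Review bot: The token added to the title in `detect_windows_dns_sigred_via_splunk_stream` uses the `[ $flow_id$ ]` form, but this batch of title fixes uses three shapes: `[ $x$ ]` here and in the unauthorized-assets, Zeek SIGRed, Zerologon, F5 TMUI and JBoss-exploit hunks, `- $dest$` in `detect_attackers_scanning_for_vulnerable_jboss_servers`, and `from $src_ip$` in `prohibited_network_traffic_allowed`. Finding titles are shown side by side in the analyst queue, so one convention across these files (the prose form, e.g. `title: Potential SIGRed activity detected for flow $flow_id$`, reads best) would keep them consistent.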
@@ -41,12 +41,3 @@ product: - Splunk Cloud category: network security_domain: network -MANUAL_REVIEW: - rba: - message: Potential SIGRed activity detected - risk_objects: - - field: flow_id - type: other - score: 50 - threat_objects: [] - manual_review_rationale: "The following error was found while validating the finding title: 1 validation error for EsTokenString\n Value error, No $field_name$ tokens found in token string: 'Potential SIGRed activity detected'. At least one token is required. [type=value_error, input_value='Potential SIGRed activity detected', input_type=str]\n For further information visit https://errors.pydantic.dev/2.13/v/value_error" diff --git a/detections/network/detect_windows_dns_sigred_via_zeek.yml b/detections/network/detect_windows_dns_sigred_via_zeek.yml index 1c009f932a..728722c68c 100644 --- a/detections/network/detect_windows_dns_sigred_via_zeek.yml +++ b/detections/network/detect_windows_dns_sigred_via_zeek.yml @@ -27,7 +27,7 @@ how_to_implement: You must be ingesting Zeek DNS and Zeek Conn data into Splunk. known_false_positives: No false positives have been identified at this time. references: [] finding: - title: Potential SIGRed activity detected + title: Potential SIGRed activity detected [ $flow_id$ ] entity: field: flow_id type: other @@ -45,12 +45,3 @@ product: - Splunk Cloud category: network security_domain: endpoint -MANUAL_REVIEW: - rba: - message: Potential SIGRed activity detected - risk_objects: - - field: flow_id - type: other - score: 50 - threat_objects: [] - manual_review_rationale: "The following error was found while validating the finding title: 1 validation error for EsTokenString\n Value error, No $field_name$ tokens found in token string: 'Potential SIGRed activity detected'. At least one token is required. [type=value_error, input_value='Potential SIGRed activity detected', input_type=str]\n For further information visit https://errors.pydantic.dev/2.13/v/value_error" 
diff --git a/detections/network/detect_zerologon_via_zeek.yml b/detections/network/detect_zerologon_via_zeek.yml index 31ce9268e2..78bab2ceb0 100644 --- a/detections/network/detect_zerologon_via_zeek.yml +++ b/detections/network/detect_zerologon_via_zeek.yml @@ -23,7 +23,7 @@ references: - https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a finding: - title: Potential Zerologon activity detected + title: Potential Zerologon activity detected [ $dest_ip$ ] entity: field: dest_ip type: system @@ -43,12 +43,3 @@ product: - Splunk Cloud category: network security_domain: network -MANUAL_REVIEW: - rba: - message: Potential Zerologon activity detected - risk_objects: - - field: dest_ip - type: system - score: 50 - threat_objects: [] - manual_review_rationale: "The following error was found while validating the finding title: 1 validation error for EsTokenString\n Value error, No $field_name$ tokens found in token string: 'Potential Zerologon activity detected'. At least one token is required. [type=value_error, input_value='Potential Zerologon activity detected', input_type=str]\n For further information visit https://errors.pydantic.dev/2.13/v/value_error" diff --git a/detections/network/prohibited_network_traffic_allowed.yml b/detections/network/prohibited_network_traffic_allowed.yml index c7bd86ae81..155b55babb 100644 --- a/detections/network/prohibited_network_traffic_allowed.yml +++ b/detections/network/prohibited_network_traffic_allowed.yml @@ -35,14 +35,13 @@ drilldown_searches: earliest_offset: 7d latest_offset: "0" finding: - title: Potentially Prohibited Network Traffic allowed + title: Potentially Prohibited Network Traffic allowed from $src_ip$ entity: field: src_ip type: system score: 50 threat_objects: - - &id001 - field: dest_ip + - field: dest_ip type: ip_address analytic_story: - Prohibited Traffic Allowed or Protocol Mismatch 
@@ -68,13 +67,3 @@ tests: sourcetype: cisco:sfw:estreamer description: PORTED MANUAL TEST - This detection uses a builtin lookup from Enterprise Security. test_type: experimental -MANUAL_REVIEW: - rba: - message: Potentially Prohibited Network Traffic allowed - risk_objects: - - field: src_ip - type: system - score: 50 - threat_objects: - - *id001 - manual_review_rationale: "The following error was found while validating the finding title: 1 validation error for EsTokenString\n Value error, No $field_name$ tokens found in token string: 'Potentially Prohibited Network Traffic allowed'. At least one token is required. [type=value_error, input_value='Potentially Prohibited Network Traffic allowed', input_type=str]\n For further information visit https://errors.pydantic.dev/2.13/v/value_error" diff --git a/detections/network/protocol_or_port_mismatch.yml b/detections/network/protocol_or_port_mismatch.yml index d2ef1f1aeb..ecf8fe90c6 100644 --- a/detections/network/protocol_or_port_mismatch.yml +++ b/detections/network/protocol_or_port_mismatch.yml @@ -61,10 +61,9 @@ intermediate_findings: - field: src_ip type: system score: 20 - message: Port or Protocol Traffic Mismatch + message: Port or Protocol Traffic Mismatch [ $src_ip$ ] threat_objects: - - &id001 - field: dest_ip + - field: dest_ip type: ip_address analytic_story: - Prohibited Traffic Allowed or Protocol Mismatch 
@@ -86,13 +85,3 @@ tests: source: not_applicable sourcetype: cisco:sfw:estreamer test_type: unit -MANUAL_REVIEW: - rba: - message: Port or Protocol Traffic Mismatch - risk_objects: - - field: src_ip - type: system - score: 20 - threat_objects: - - *id001 - manual_review_rationale: "The following error was found while validating the intermediate finding message: 1 validation error for EsTokenString\n Value error, No $field_name$ tokens found in token string: 'Port or Protocol Traffic Mismatch'. At least one token is required. [type=value_error, input_value='Port or Protocol Traffic Mismatch', input_type=str]\n For further information visit https://errors.pydantic.dev/2.13/v/value_error" diff --git a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml index 2bc96adb4e..7746659bcd 100644 --- a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml +++ b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml @@ -26,7 +26,7 @@ how_to_implement: You must be ingesting data from the web server or network traf known_false_positives: It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths. references: [] finding: - title: Potential Scanning for Vulnerable JBoss Servers + title: Potential Scanning for Vulnerable JBoss Servers - $dest$ entity: field: dest type: system 
@@ -44,12 +44,3 @@ product: - Splunk Cloud category: web security_domain: network -MANUAL_REVIEW: - rba: - message: Potential Scanning for Vulnerable JBoss Servers - risk_objects: - - field: dest - type: system - score: 50 - threat_objects: [] - manual_review_rationale: "The following error was found while validating the finding title: 1 validation error for EsTokenString\n Value error, No $field_name$ tokens found in token string: 'Potential Scanning for Vulnerable JBoss Servers'. At least one token is required. [type=value_error, input_value='Potential Scanning for Vulnerable JBoss Servers', input_type=str]\n For further information visit https://errors.pydantic.dev/2.13/v/value_error" diff --git a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml index d45bccc206..888745f082 100644 --- a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml +++ b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml @@ -15,7 +15,7 @@ references: - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/ - https://support.f5.com/csp/article/K52145254 finding: - title: Potential F5 TMUI RCE traffic + title: Potential F5 TMUI RCE traffic [ $dest$ ] entity: field: dest type: system @@ -33,12 +33,3 @@ product: - Splunk Cloud category: web security_domain: network -MANUAL_REVIEW: - rba: - message: Potential F5 TMUI RCE traffic - risk_objects: - - field: dest - type: system - score: 50 - threat_objects: [] - manual_review_rationale: "The following error was found while validating the finding title: 1 validation error for EsTokenString\n Value error, No $field_name$ tokens found in token string: 'Potential F5 TMUI RCE traffic'. At least one token is required. [type=value_error, input_value='Potential F5 TMUI RCE traffic', input_type=str]\n For further information visit https://errors.pydantic.dev/2.13/v/value_error" 
diff --git a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml index 7528bf2324..892d5d0dcd 100644 --- a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml +++ b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml @@ -27,7 +27,7 @@ how_to_implement: You must ingest data from the web server or capture network da known_false_positives: No known false positives for this detection. references: [] finding: - title: Potentially malicious traffic exploiting JBoss servers + title: Potentially malicious traffic exploiting JBoss servers [ $dest_ip$ ] entity: field: dest_ip type: system @@ -43,12 +43,3 @@ product: - Splunk Cloud category: web security_domain: network -MANUAL_REVIEW: - rba: - message: Potentially malicious traffic exploiting JBoss servers - risk_objects: - - field: dest_ip - type: system - score: 50 - threat_objects: [] - manual_review_rationale: "The following error was found while validating the finding title: 1 validation error for EsTokenString\n Value error, No $field_name$ tokens found in token string: 'Potentially malicious traffic exploiting JBoss servers'. At least one token is required. [type=value_error, input_value='Potentially malicious tr...xploiting JBoss servers', input_type=str]\n For further information visit https://errors.pydantic.dev/2.13/v/value_error" diff --git a/detections/web/monitor_web_traffic_for_brand_abuse.yml b/detections/web/monitor_web_traffic_for_brand_abuse.yml index c261ccc758..89bc334956 100644 --- a/detections/web/monitor_web_traffic_for_brand_abuse.yml +++ b/detections/web/monitor_web_traffic_for_brand_abuse.yml 
@@ -23,7 +23,7 @@ how_to_implement: You need to ingest data from your web traffic. This can be acc known_false_positives: No false positives have been identified at this time. references: [] finding: - title: Potential Brand Abus discovered in web logs + title: Potential brand abuse discovered in web logs from $src$ entity: field: src type: system @@ -40,12 +40,3 @@ category: web security_domain: network baselines: - DNSTwist Domain Names -MANUAL_REVIEW: - rba: - message: Potential Brand Abus discovered in web logs - risk_objects: - - field: src - type: system - score: 50 - threat_objects: [] - manual_review_rationale: "The following error was found while validating the finding title: 1 validation error for EsTokenString\n Value error, No $field_name$ tokens found in token string: 'Potential Brand Abus discovered in web logs'. At least one token is required. [type=value_error, input_value='Potential Brand Abus discovered in web logs', input_type=str]\n For further information visit https://errors.pydantic.dev/2.13/v/value_error AND Detection references baseline(s) flagged for manual review: DNSTwist Domain Names" diff --git a/detections/web/proxyshell_proxynotshell_behavior_detected.yml b/detections/web/proxyshell_proxynotshell_behavior_detected.yml index 23c5de27b8..4328241cec 100644 --- a/detections/web/proxyshell_proxynotshell_behavior_detected.yml +++ b/detections/web/proxyshell_proxynotshell_behavior_detected.yml 
@@ -36,6 +36,12 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" +finding: + title: ProxyShell/ProxyNotShell Behavior Detected - $risk_object$ + entity: + field: risk_object + type: other + score: 0 analytic_story: - ProxyShell - ProxyNotShell @@ -57,6 +63,3 @@ tests: source: proxyshell sourcetype: stash test_type: unit -MANUAL_REVIEW: - rba: {} - manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate. diff --git a/playbooks/AD_LDAP_Account_Locking.yml b/playbooks/AD_LDAP_Account_Locking.yml index e0d43cc322..4a8cd93079 100644 --- a/playbooks/AD_LDAP_Account_Locking.yml +++ b/playbooks/AD_LDAP_Account_Locking.yml 
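Review bot: The new `finding` block sets `type: other` and `score: 0` for the `risk_object` entity and adds no `threat_objects`, which reads as a placeholder rather than the author decision the removed MANUAL_REVIEW rationale asked for ("A content author must supply the finding entity ... evaluate whether any Threat Objects are appropriate"). The drilldown in the hunk context filters on `normalized_risk_object`, so the entity is presumably whichever object accumulated the correlated risk, which could be a user or a system; if `other` is deliberate because no single type fits, and the zero score is deliberate because the correlation only aggregates risk already scored upstream, a comment should say so rather than leaving the next reviewer to guess. Suggest `type: other  # risk_object may be a user or a system; no single entity type applies` and `score: 0  # correlation aggregates risk already scored by the contributing detections`, adjusting the wording to what was actually decided, and a line recording that threat objects were evaluated and none apply. Both hunks of this file are complete within the diff.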
@@ -1,29 +1,28 @@ name: AD LDAP Account Locking id: e6f96caf-610c-4ced-aa2c-ba9b19b89e1f -version: 1 -date: '2023-05-08' +version: 2 +creation_date: '2023-05-17' +modification_date: '2026-05-19' author: Teoderick Contreras, Splunk type: Investigation description: "Accepts user, to be disabled using Microsoft AD LDAP connector. This playbook produces a normalized observables output for each user and device." playbook: AD_LDAP_Account_Locking -how_to_implement: This input playbook requires the Microsoft AD LDAP connector to be configured. - It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the Microsoft AD LDAP connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. references: [] -app_list: - - AD LDAP -tags: - platform_tags: +app_list: + - AD LDAP +platform_tags: - user - microsoft_ad_ldap - D3-AL - disable_account - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Phishing - - Endpoint - defend_technique_id: - - D3-AL \ No newline at end of file +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Phishing + - Endpoint +defend_technique_id: + - D3-AL diff --git a/playbooks/AD_LDAP_Account_Unlocking.yml b/playbooks/AD_LDAP_Account_Unlocking.yml index 02b4c5a75f..d343896bff 100644 --- a/playbooks/AD_LDAP_Account_Unlocking.yml +++ b/playbooks/AD_LDAP_Account_Unlocking.yml 
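Review bot: `creation_date` does not carry over the value of the `date` field it replaces: here `date: '2023-05-08'` becomes `creation_date: '2023-05-17'`, and the same shift appears in AD_LDAP_Account_Unlocking, AD_LDAP_Entity_Attribute_Lookup, AWS_IAM_Account_Locking, AWS_IAM_Account_Unlocking, Active_Directory_Enable_Account_Dispatch, Azure_AD_Account_Locking, Azure_AD_Account_Unlocking, Azure_AD_Graph_User_Attribute_Lookup, CrowdStrike_OAuth_API_Device_Attribute_Lookup, CrowdStrike_OAuth_API_Dynamic_Analysis (where the new `2023-03-06` is earlier than the old `2023-03-23`) and CrowdStrike_OAuth_API_Endpoint_Analysis. Presumably the new values come from the playbook JSON or from git history rather than from the YAML, but the diff gives no source, and every file receives the identical `modification_date: '2026-05-19'`, which looks like the date the migration was run rather than the last content change. Suggest stating where the dates come from in the change description, or keeping the old `date` value as `creation_date` wherever the two disagree, so that the schema migration and a provenance correction are not mixed in one hunk.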
@@ -1,24 +1,24 @@ name: AD LDAP Account Unlocking id: e6f96caf-61ac-4ced-aabc-ba9b19bd9e1f -version: 1 -date: '2023-06-21' +version: 2 +creation_date: '2023-06-22' +modification_date: '2026-05-19' author: Lou Stella, Splunk type: Response description: "Accepts user, to be unlocked using Microsoft AD LDAP connector. This playbook produces a normalized observable output for each user." playbook: AD_LDAP_Account_Unlocking -how_to_implement: This input playbook requires the Microsoft AD LDAP connector to be configured. It is designed to work in conjunction with the Active Directory Enable Account Dispatch playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the Microsoft AD LDAP connector to be configured. It is designed to work in conjunction with the Active Directory Enable Account Dispatch playbook or other playbooks in the same style. references: [] -app_list: - - AD LDAP -tags: - platform_tags: +app_list: + - AD LDAP +platform_tags: - user - microsoft_ad_ldap - D3-RUAA - active_directory - enable_account - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR diff --git a/playbooks/AD_LDAP_Entity_Attribute_Lookup.yml b/playbooks/AD_LDAP_Entity_Attribute_Lookup.yml index 6df100865b..c47ee1bdfa 100644 --- a/playbooks/AD_LDAP_Entity_Attribute_Lookup.yml +++ b/playbooks/AD_LDAP_Entity_Attribute_Lookup.yml 
@@ -1,25 +1,25 @@ name: AD LDAP Entity Attribute Lookup id: fc0edc96-aa2b-4cb0-7b4d-63da67d3fe74 -version: 1 -date: '2023-01-11' +version: 2 +creation_date: '2023-03-06' +modification_date: '2026-05-19' author: Kelby Shelton, Lou Stella, Splunk type: Investigation description: "Accepts a user or device and looks up the most recent attributes and groups for that user or device. This playbook produces a normalized output for each user and device." playbook: AD_LDAP_Entity_Attribute_Lookup -how_to_implement: This input playbook requires the AD LDAP connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the AD LDAP connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. references: [] -app_list: - - AD LDAP -tags: - platform_tags: - - attributes +app_list: + - AD LDAP +platform_tags: + - attributes - user - - device + - device - ad_ldap - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Enrichment \ No newline at end of file +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Enrichment diff --git a/playbooks/AWS_IAM_Account_Locking.yml b/playbooks/AWS_IAM_Account_Locking.yml index 8d19b7954d..d1ce53abe9 100644 --- a/playbooks/AWS_IAM_Account_Locking.yml +++ b/playbooks/AWS_IAM_Account_Locking.yml 
@@ -1,29 +1,28 @@ name: AWS IAM Account Locking id: f15e4ab7-b057-4225-86ae-c36ab78b50f2 -version: 1 -date: '2023-05-08' +version: 2 +creation_date: '2023-05-10' +modification_date: '2026-05-19' author: Teoderick Contreras, Splunk type: Investigation description: "Accepts user name that needs to be disabled in AWS IAM Active Directory. Disabling an account involves deleting their login profile which will clear the user's password. Generates an observable output based on the status of account locking or disabling." playbook: AWS_IAM_Account_Locking -how_to_implement: This input playbook requires the AWS IAM connector to be configured. - It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the AWS IAM connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. references: [] -app_list: - - AWS IAM -tags: - platform_tags: +app_list: + - AWS IAM +platform_tags: - user - aws_iam - D3-AL - disable_account - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Phishing - - Endpoint - defend_technique_id: - - D3-AL \ No newline at end of file +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Phishing + - Endpoint +defend_technique_id: + - D3-AL diff --git a/playbooks/AWS_IAM_Account_Unlocking.yml b/playbooks/AWS_IAM_Account_Unlocking.yml index a333e9fa53..9dd352d0fe 100644 --- a/playbooks/AWS_IAM_Account_Unlocking.yml +++ b/playbooks/AWS_IAM_Account_Unlocking.yml 
@@ -1,25 +1,25 @@ name: AWS IAM Account Unlocking id: f15a4db3-b157-4225-86ae-c36ab78b50f2 -version: 1 -date: '2023-06-21' +version: 2 +creation_date: '2023-06-22' +modification_date: '2026-05-19' author: Lou Stella, Splunk type: Response description: "Accepts user, to be enabled using AWS IAM connector. Enabling an account involves reattaching their login profile which will require setting a new password. This playbook produces a normalized observables output for each user. " playbook: AWS_IAM_Account_Unlocking -how_to_implement: This input playbook requires the AWS IAM connector to be configured. +how_to_implement: This input playbook requires the AWS IAM connector to be configured. references: [] -app_list: - - AWS IAM -tags: - platform_tags: +app_list: + - AWS IAM +platform_tags: - user - aws_iam - D3-RUAA - enable_account - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - defend_technique_id: - - D3-RUAA +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +defend_technique_id: + - D3-RUAA diff --git a/playbooks/Active_Directory_Disable_Account_Dispatch.yml b/playbooks/Active_Directory_Disable_Account_Dispatch.yml index 796f3cb4f5..db34b8f48f 100644 --- a/playbooks/Active_Directory_Disable_Account_Dispatch.yml +++ b/playbooks/Active_Directory_Disable_Account_Dispatch.yml 
@@ -1,29 +1,28 @@ name: Active Directory Disable Account Dispatch id: 86320591-1bbd-41ab-8990-602a3968fd99 -version: 1 -date: '2023-05-23' +version: 2 +creation_date: '2023-05-23' +modification_date: '2026-05-19' author: Teoderick Contreras, Splunk type: Investigation -description: Automatically dispatches input playbooks with the 'disable_account' tag. - This will produce a merge report and indicator tag for each inputs. +description: Automatically dispatches input playbooks with the 'disable_account' tag. This will produce a merge report and indicator tag for each inputs. playbook: Active_Directory_Disable_Account_Dispatch how_to_implement: This automatic playbook requires "disable_account" tag be present on each input playbook you want to launch. references: [] -app_list: - - AD LDAP - - Azure AD Graph -tags: - platform_tags: +app_list: + - AD LDAP + - Azure AD Graph +platform_tags: - user - D3-AL - disable_account - playbook_type: Automation - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Phishing - - Endpoint - defend_technique_id: - - D3-AL \ No newline at end of file +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Phishing + - Endpoint +defend_technique_id: + - D3-AL diff --git a/playbooks/Active_Directory_Enable_Account_Dispatch.yml b/playbooks/Active_Directory_Enable_Account_Dispatch.yml index c515dcdf71..468044c430 100644 --- a/playbooks/Active_Directory_Enable_Account_Dispatch.yml +++ b/playbooks/Active_Directory_Enable_Account_Dispatch.yml 
@@ -1,25 +1,25 @@ name: Active Directory Enable Account Dispatch id: 86320a91-1bde-41ab-8990-602a3768fd99 -version: 1 -date: '2023-05-23' +version: 2 +creation_date: '2023-06-22' +modification_date: '2026-05-19' author: Lou Stella, Splunk type: Response description: Automatically dispatches input playbooks with the 'enable_account' tag. This will produce a merge report and indicator tag for each inputs. playbook: Active_Directory_Enable_Account_Dispatch how_to_implement: This automatic playbook requires the "enable_account" tag be present on each input playbook you want to launch. references: [] -app_list: - - AD LDAP - - Azure AD Graph - - AWS IAM -tags: - platform_tags: +app_list: + - AD LDAP + - Azure AD Graph + - AWS IAM +platform_tags: - user - D3-RUAA - enable_account - active_directory - playbook_type: Automation - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR diff --git a/playbooks/Attribute_Lookup_Dispatch.yml b/playbooks/Attribute_Lookup_Dispatch.yml index 6ba8311e5c..0f107ec7be 100644 --- a/playbooks/Attribute_Lookup_Dispatch.yml +++ b/playbooks/Attribute_Lookup_Dispatch.yml 
@@ -1,20 +1,20 @@ name: Attribute Lookup Dispatch id: fc0edc96-ff2b-68d0-9a4d-63da6783fd64 -version: 1 -date: '2023-03-06' +version: 2 +creation_date: '2023-03-06' +modification_date: '2026-05-19' author: Lou Stella, Splunk type: Investigation description: "Detects available entities and routes them to attribute lookup playbooks. The output of the playbooks will create new artifacts for any technologies that returned information." playbook: Attribute_Lookup_Dispatch -how_to_implement: This playbook looks for artifacts and then dispatches the community Attribute Lookup playbooks. This playbook takes the output of those playbooks and nicely formats them into new artifacts with their results. +how_to_implement: This playbook looks for artifacts and then dispatches the community Attribute Lookup playbooks. This playbook takes the output of those playbooks and nicely formats them into new artifacts with their results. references: [] app_list: [] -tags: - platform_tags: [] - playbook_type: Automation - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Enrichment \ No newline at end of file +platform_tags: [] +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Enrichment diff --git a/playbooks/Automated_Enrichment.yml b/playbooks/Automated_Enrichment.yml index b88ba8c3e8..c679161aa7 100644 --- a/playbooks/Automated_Enrichment.yml +++ b/playbooks/Automated_Enrichment.yml @@ -1,7 +1,8 @@ name: Automated Enrichment id: fc0edc96-ff1b-65e0-9a4d-64da6783fd64 -version: 2 -date: '2023-03-06' +version: 3 +creation_date: '2023-03-06' +modification_date: '2026-05-19' author: Kelby Shelton, Patrick Bareiss, Teoderick Contreras, Lou Stella Splunk type: Investigation description: "Moves the event status to open and then launches the Dispatch playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets." 
@@ -9,11 +10,10 @@ playbook: Automated_Enrichment how_to_implement: 1. Ensure you have a reputation analysis playbook (e.g. VirusTotal v3), an attribute lookup playbook (e.g. Azure AD), and a related ticket search playbook (e.g. ServiceNow).\n2. Download local versions of Identifier Reputation Analysis Dispatch, Attribute Lookup Dispatch, and Related Tickets Search Dispatch playbooks. references: [] app_list: [] -tags: - platform_tags: +platform_tags: - Enrichment - playbook_type: Automation - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR \ No newline at end of file +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR diff --git a/playbooks/Azure_AD_Account_Locking.yml b/playbooks/Azure_AD_Account_Locking.yml index be9f4b5fbb..0336e739c0 100644 --- a/playbooks/Azure_AD_Account_Locking.yml +++ b/playbooks/Azure_AD_Account_Locking.yml 
@@ -1,29 +1,28 @@ name: Azure AD Account Locking id: c3c0157d-7da0-46cb-8b97-327ee92f591c -version: 1 -date: '2023-05-08' +version: 2 +creation_date: '2023-05-15' +modification_date: '2026-05-19' author: Teoderick Contreras, Splunk type: Investigation description: "Accepts user, to be disabled using Azure AD Graph connector. This playbook produces a normalized observables output for each user and device." playbook: Azure_AD_Account_Locking -how_to_implement: This input playbook requires the Azure AD Graph connector to be configured. - It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the Azure AD Graph connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. references: [] -app_list: - - Azure AD Graph -tags: - platform_tags: +app_list: + - Azure AD Graph +platform_tags: - user - D3-AL - azure_ad_graph - disable_account - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Phishing - - Endpoint - defend_technique_id: - - D3-AL +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Phishing + - Endpoint +defend_technique_id: + - D3-AL diff --git a/playbooks/Azure_AD_Account_Unlocking.yml b/playbooks/Azure_AD_Account_Unlocking.yml index 16927afc19..31baec7a93 100644 --- a/playbooks/Azure_AD_Account_Unlocking.yml +++ b/playbooks/Azure_AD_Account_Unlocking.yml 
@@ -1,26 +1,26 @@ name: Azure AD Account Unlocking id: c3c0157d-7da0-4dcb-8ba7-327ee91f531c -version: 1 -date: '2023-06-21' +version: 2 +creation_date: '2023-06-22' +modification_date: '2026-05-19' author: Lou Stella, Splunk type: Response description: "Accepts user, to be enabled using Azure AD Graph connector. This playbook produces a normalized observables output for each user." playbook: Azure_AD_Account_Unlocking -how_to_implement: This input playbook requires the Azure AD Graph connector to be configured. It is designed to work in conjunction with the Active Directory Enable Account Dispatch playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the Azure AD Graph connector to be configured. It is designed to work in conjunction with the Active Directory Enable Account Dispatch playbook or other playbooks in the same style. references: [] -app_list: - - Azure AD Graph -tags: - platform_tags: +app_list: + - Azure AD Graph +platform_tags: - user - D3-RUAA - active_directory - azure_ad_graph - enable_account - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - defend_technique_id: - - D3-RUAA +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +defend_technique_id: + - D3-RUAA diff --git a/playbooks/Azure_AD_Graph_User_Attribute_Lookup.yml b/playbooks/Azure_AD_Graph_User_Attribute_Lookup.yml index af8b703ab6..2b9f923472 100644 --- a/playbooks/Azure_AD_Graph_User_Attribute_Lookup.yml +++ b/playbooks/Azure_AD_Graph_User_Attribute_Lookup.yml 
@@ -1,25 +1,25 @@ name: Azure AD Graph User Attribute Lookup id: fc0edc96-aa2b-4cb0-7b4d-63da67e71d74 -version: 1 -date: '2023-01-11' +version: 2 +creation_date: '2023-03-06' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Investigation description: "Accepts a user or device and looks up the most recent attributes and groups for that user or device. This playbook produces a normalized output for each user and device." playbook: Azure_AD_Graph_User_Attribute_Lookup -how_to_implement: This input playbook requires the Azure AD Graph connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the Azure AD Graph connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. references: [] -app_list: - - Azure AD Graph -tags: - platform_tags: - - attributes +app_list: + - Azure AD Graph +platform_tags: + - attributes - user - - device + - device - azure_ad_graph - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Enrichment \ No newline at end of file +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Enrichment diff --git a/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.json b/playbooks/CiscoTalosIntelligence_Identifier_Reputation_Analysis.json similarity index 100% rename from playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.json rename to playbooks/CiscoTalosIntelligence_Identifier_Reputation_Analysis.json 
diff --git a/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.py b/playbooks/CiscoTalosIntelligence_Identifier_Reputation_Analysis.py similarity index 100% rename from playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.py rename to playbooks/CiscoTalosIntelligence_Identifier_Reputation_Analysis.py diff --git a/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.yml b/playbooks/CiscoTalosIntelligence_Identifier_Reputation_Analysis.yml similarity index 55% rename from playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.yml rename to playbooks/CiscoTalosIntelligence_Identifier_Reputation_Analysis.yml index a66cd2fd49..7a0467fe60 100644 --- a/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.yml +++ b/playbooks/CiscoTalosIntelligence_Identifier_Reputation_Analysis.yml 
@@ -1,29 +1,29 @@ -name: Cisco Talos Intelligence Identifier Reputation Analysis +name: CiscoTalosIntelligence Identifier Reputation Analysis id: 9cea2ec7-9e6c-4861-b828-336410cdc1cc -version: 1 -date: '2025-01-17' +version: 2 +creation_date: '2025-01-17' +modification_date: '2026-05-19' author: Kelby Shelton, Tapish Jain, Splunk type: Investigation description: "Accepts a URL, IP or Domain and provides intelligence on the objects. Generates a per observable report that includes the objects threat level, threat categories, acceptable use categories and score." playbook: CiscoTalosIntelligence_Identifier_Reputation_Analysis -how_to_implement: This input playbook requires the Cisco Talos Intelligence connector to be configured and a Splunk SOAR cloud license. +how_to_implement: This input playbook requires the Cisco Talos Intelligence connector to be configured and a Splunk SOAR cloud license. references: - - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/ -app_list: - - Cisco Talos Intelligence -tags: - defend_technique_id: - - D3-IRA - platform_tags: - - reputation + - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/ +app_list: + - Cisco Talos Intelligence +platform_tags: + - reputation - url - - ip - - domain + - ip + - domain - Cisco Talos Intelligence - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Enrichment +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Enrichment +defend_technique_id: + - D3-IRA diff --git a/playbooks/Cisco_Umbrella_DNS_Denylisting.yml b/playbooks/Cisco_Umbrella_DNS_Denylisting.yml index ac4b29e5b7..a974a5dccf 100644 --- a/playbooks/Cisco_Umbrella_DNS_Denylisting.yml +++ b/playbooks/Cisco_Umbrella_DNS_Denylisting.yml 
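Review bot: The display `name` changes from `Cisco Talos Intelligence Identifier Reputation Analysis` to `CiscoTalosIntelligence Identifier Reputation Analysis`, apparently so that it matches the `playbook:` identifier and the renamed `.yml`/`.json`/`.py` files, while `app_list` and `platform_tags` in the same hunk keep the spaced `Cisco Talos Intelligence`. If a schema or build check requires `name` and `playbook` to agree, that is worth saying in the change description; if not, the human-readable name could stay as it was. Either way the connector is now spelled two ways within one file, which is worth a one-line comment such as `# name must match the playbook identifier; the app/tag keep the vendor spelling` so the next editor does not "fix" one of them.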
@@ -1,29 +1,28 @@ name: Cisco Umbrella DNS Denylisting id: 3705f371-f355-46d7-979a-3bc4c26e2208 -version: 1 -date: '2023-07-14' +version: 2 +creation_date: '2023-07-14' +modification_date: '2026-05-19' author: Patrick Bareiss, Splunk type: Response description: Accepts a domain or list of domains and block them in Cisco Umbrella. Generates a list of observables with the blocked domains. playbook: Cisco_Umbrella_DNS_Denylisting -how_to_implement: This input playbook requires the Cisco Umbrella connector to be configured. - It is designed to work in conjunction with the DNS Denylisting Dispatch playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the Cisco Umbrella connector to be configured. It is designed to work in conjunction with the DNS Denylisting Dispatch playbook or other playbooks in the same style. references: [] -app_list: - - Cisco Umbrella -tags: - platform_tags: +app_list: + - Cisco Umbrella +platform_tags: - url - D3-DNSDL - Cisco Umbrella - denylist - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Phishing - - Endpoint - defend_technique_id: - - D3-DNSDL +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Phishing + - Endpoint +defend_technique_id: + - D3-DNSDL diff --git a/playbooks/CrowdStrike_OAuth_API_Device_Attribute_Lookup.yml b/playbooks/CrowdStrike_OAuth_API_Device_Attribute_Lookup.yml index ad6eeb0244..d667594931 100644 --- a/playbooks/CrowdStrike_OAuth_API_Device_Attribute_Lookup.yml +++ b/playbooks/CrowdStrike_OAuth_API_Device_Attribute_Lookup.yml 
@@ -1,28 +1,28 @@ name: CrowdStrike OAuth API Device Attribute Lookup id: fc0eac01-af2b-4cb0-7b4d-63da67d3fe74 -version: 1 -date: '2023-01-11' +version: 2 +creation_date: '2023-03-06' +modification_date: '2026-05-19' author: Teoderick Contreras, Splunk type: Investigation description: "Accepts a user or device and looks up the most recent attributes and groups for that user or device. This playbook produces a normalized output for each user and device." playbook: CrowdStrike_OAuth_API_Device_Attribute_Lookup -how_to_implement: This input playbook requires the Crowdstrike OAuth API connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the Crowdstrike OAuth API connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. references: [] -app_list: - - CrowdStrike OAuth API -tags: - platform_tags: - - attributes +app_list: + - CrowdStrike OAuth API +platform_tags: + - attributes - user - - device + - device - host name - - ip + - ip - crowdstrike_oauth_api - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Enrichment - - Endpoint +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Enrichment + - Endpoint diff --git a/playbooks/CrowdStrike_OAuth_API_Dynamic_Analysis.yml b/playbooks/CrowdStrike_OAuth_API_Dynamic_Analysis.yml index 21d2ac39ea..94b217c068 100644 --- a/playbooks/CrowdStrike_OAuth_API_Dynamic_Analysis.yml +++ b/playbooks/CrowdStrike_OAuth_API_Dynamic_Analysis.yml 
@@ -1,31 +1,31 @@ name: CrowdStrike OAuth API Dynamic Analysis id: 5299d9dc-e9d5-41fb-b051-92ace0ff816d -version: 1 -date: '2023-03-23' +version: 2 +creation_date: '2023-03-06' +modification_date: '2026-05-19' author: Teoderick Contreras, Splunk type: Investigation description: "Accepts url link, domain or vault_id (hash) to be detonated using CrowdStrike OAuth API connector. This playbook produces a normalized output for each user and device." playbook: CrowdStrike_OAuth_API_Dynamic_Analysis -how_to_implement: This input playbook requires the Crowdstrike OAuth API connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the Crowdstrike OAuth API connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. references: [] -app_list: - - CrowdStrike OAuth API -tags: - platform_tags: - - reputation +app_list: + - CrowdStrike OAuth API +platform_tags: + - reputation - url - domain - sandbox - ip - file_hash - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Enrichment - - Phishing - - Endpoint - defend_technique_id: - - D3-DA +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Enrichment + - Phishing + - Endpoint +defend_technique_id: + - D3-DA diff --git a/playbooks/CrowdStrike_OAuth_API_Endpoint_Analysis.yml b/playbooks/CrowdStrike_OAuth_API_Endpoint_Analysis.yml index c1adce850f..956c69c702 100644 --- a/playbooks/CrowdStrike_OAuth_API_Endpoint_Analysis.yml +++ b/playbooks/CrowdStrike_OAuth_API_Endpoint_Analysis.yml 
@@ -1,17 +1,17 @@ name: CrowdStrike OAuth API Endpoint Analysis id: 1356baeb-9ad4-4d2c-b6ae-55dda6bd9db5 -version: 1 -date: '2025-06-09' +version: 2 +creation_date: '2025-06-20' +modification_date: '2026-05-19' author: Christian Cloutier, Splunk type: Investigation description: "Accepts a hostname or device id as input and collects running processes, network connections and various system information from the device via Crowdstrike. We then generate an observable report for each. This can be customized based on user preference." playbook: CrowdStrike_OAuth_API_Endpoint_Analysis -how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and collect key information about the system, network connections and running processes for use in automation playbooks. +how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and collect key information about the system, network connections and running processes for use in automation playbooks. references: [] -app_list: - - CrowdStrike OAuth API -tags: - platform_tags: +app_list: + - CrowdStrike OAuth API +platform_tags: - "host name" - "device id" - "enrichment" @@ -19,16 +19,16 @@ tags: - "D3-PA" - "D3-AI" - "CrowdStrike_OAuth_API" - playbook_type: Input - vpe_type: Modern - playbook_fields: [device] - product: - - Splunk SOAR - use_cases: - - Enrichment - - Malware - - Endpoint - defend_technique_id: - - D3-NTA - - D3-PA - - D3-AI +playbook_type: Input +vpe_type: Modern +playbook_fields: [device] +product: + - Splunk SOAR +use_cases: + - Enrichment + - Malware + - Endpoint +defend_technique_id: + - D3-NTA + - D3-PA + - D3-AI diff --git a/playbooks/CrowdStrike_OAuth_API_Executable_Denylisting.yml b/playbooks/CrowdStrike_OAuth_API_Executable_Denylisting.yml index 0a985541e8..40d5197768 100644 
--- a/playbooks/CrowdStrike_OAuth_API_Executable_Denylisting.yml +++ b/playbooks/CrowdStrike_OAuth_API_Executable_Denylisting.yml 
@@ -1,31 +1,31 @@ name: CrowdStrike OAuth API Executable Denylisting id: 9d87f2d5-2578-4f39-9eee-c1a88af658bb -version: 1 -date: '2025-06-09' +version: 2 +creation_date: '2025-06-20' +modification_date: '2026-05-19' author: Christian Cloutier, Splunk type: Response description: "Accepts a hostname or device id as well as a file hash as input and add an indicator (IOC) for a device in Crowdstrike. We then generate an observable report as well as a Markdown formatted report. Both reports can be customized based on user preference." playbook: CrowdStrike_OAuth_API_Executable_Denylisting -how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and create an indicator in CrowdStrike Falcon based on the malicious process hash value (preventing it from running on other endpoints) for use in automation playbooks. +how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and create an indicator in CrowdStrike Falcon based on the malicious process hash value (preventing it from running on other endpoints) for use in automation playbooks. references: [] -app_list: - - CrowdStrike OAuth API -tags: - platform_tags: +app_list: + - CrowdStrike OAuth API +platform_tags: - "host name" - "device id" - "file_hash" - "Executable Denylisting" - "D3-EDL" - "CrowdStrike_OAuth_API" - playbook_type: Input - vpe_type: Modern - playbook_fields: [device,file_hash] - product: - - Splunk SOAR - use_cases: - - Response - - Malware - - Endpoint - defend_technique_id: - - D3-EDL +playbook_type: Input +vpe_type: Modern +playbook_fields: [device, file_hash] +product: + - Splunk SOAR +use_cases: + - Response + - Malware + - Endpoint +defend_technique_id: + - D3-EDL 
diff --git a/playbooks/CrowdStrike_OAuth_API_File_Collection.yml b/playbooks/CrowdStrike_OAuth_API_File_Collection.yml index 4094ab98e0..08a77e5699 100644 --- a/playbooks/CrowdStrike_OAuth_API_File_Collection.yml +++ b/playbooks/CrowdStrike_OAuth_API_File_Collection.yml 
@@ -1,31 +1,31 @@ name: CrowdStrike OAuth API File Collection id: 2296ce3f-171f-467f-8025-f046f5d59133 -version: 1 -date: '2025-06-09' +version: 2 +creation_date: '2025-06-20' +modification_date: '2026-05-19' author: Christian Cloutier, Splunk type: Investigation description: "Accepts a hostname or device id as well as a file path as input and collects the file to the event File Vault from a device in Crowdstrike. An artifact is created from the collected file. We then generate an observable report as well as a Markdown formatted report. Both reports can be customized based on user preference." playbook: CrowdStrike_OAuth_API_File_Collection -how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or agent id and collect a specific file from the endpoint (using an absolute path) for forensics or later use in automation playbooks. +how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or agent id and collect a specific file from the endpoint (using an absolute path) for forensics or later use in automation playbooks. references: [] -app_list: - - CrowdStrike OAuth API -tags: - platform_tags: +app_list: + - CrowdStrike OAuth API +platform_tags: - "host name" - "device id" - "path" - "File Collection" - "D3-FA" - "CrowdStrike_OAuth_API" - playbook_type: Input - vpe_type: Modern - playbook_fields: [device,path] - product: - - Splunk SOAR - use_cases: - - Collection - - Malware - - Endpoint - defend_technique_id: - - D3-FA +playbook_type: Input +vpe_type: Modern +playbook_fields: [device, path] +product: + - Splunk SOAR +use_cases: + - Collection + - Malware + - Endpoint +defend_technique_id: + - D3-FA diff --git a/playbooks/CrowdStrike_OAuth_API_File_Eviction.yml b/playbooks/CrowdStrike_OAuth_API_File_Eviction.yml index 2c8456a6d1..b93d57d524 100644 
--- a/playbooks/CrowdStrike_OAuth_API_File_Eviction.yml +++ b/playbooks/CrowdStrike_OAuth_API_File_Eviction.yml @@ -1,31 +1,31 @@ name: CrowdStrike OAuth API File Eviction id: 4750935c-0105-416f-aca4-0d7a4207666d -version: 1 -date: '2025-06-09' +version: 2 +creation_date: '2025-06-20' +modification_date: '2026-05-19' author: Christian Cloutier, Splunk type: Response description: "Accepts a hostname or device id as well as a file path as input and deletes the file from a device in Crowdstrike. We then generate an observable report as well as a Markdown formatted report. Both reports can be customized based on user preference." playbook: CrowdStrike_OAuth_API_File_Eviction -how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and delete a specific file from the endpoint (using an absolute path) for use in automation playbooks. +how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and delete a specific file from the endpoint (using an absolute path) for use in automation playbooks. references: [] -app_list: - - CrowdStrike OAuth API -tags: - platform_tags: +app_list: + - CrowdStrike OAuth API +platform_tags: - "host name" - "device id" - "path" - "File Eviction" - "D3-FEV" - "CrowdStrike_OAuth_API" - playbook_type: Input - vpe_type: Modern - playbook_fields: [device,path] - product: - - Splunk SOAR - use_cases: - - Response - - Malware - - Endpoint - defend_technique_id: - - D3-FEV +playbook_type: Input +vpe_type: Modern +playbook_fields: [device, path] +product: + - Splunk SOAR +use_cases: + - Response + - Malware + - Endpoint +defend_technique_id: + - D3-FEV diff --git a/playbooks/CrowdStrike_OAuth_API_File_Restore.yml b/playbooks/CrowdStrike_OAuth_API_File_Restore.yml index f6d8db71a8..deb6f83859 100644 
--- a/playbooks/CrowdStrike_OAuth_API_File_Restore.yml +++ b/playbooks/CrowdStrike_OAuth_API_File_Restore.yml @@ -1,31 +1,31 @@ name: CrowdStrike OAuth API File Restore id: 8afd7816-bab2-41f6-a848-395115c46d1c -version: 1 -date: '2025-06-09' +version: 2 +creation_date: '2025-06-20' +modification_date: '2026-05-19' author: Christian Cloutier, Splunk type: Response description: "Accepts a hostname or device id as well as a file path as input and restores the file from the File Vault to a device in Crowdstrike. We then generate an observable report as well as a Markdown formatted report. Both reports can be customized based on user preference." playbook: CrowdStrike_OAuth_API_File_Restore -how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and restore a specific file to the endpoint (based on a previous run of the CrowdStrike_OAuth_API_File_Collection playbook) for use in automation playbooks. +how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and restore a specific file to the endpoint (based on a previous run of the CrowdStrike_OAuth_API_File_Collection playbook) for use in automation playbooks. references: [] -app_list: - - CrowdStrike OAuth API -tags: - platform_tags: +app_list: + - CrowdStrike OAuth API +platform_tags: - "host name" - "device id" - "file name" - "File Restore" - "D3-RF" - "CrowdStrike_OAuth_API" - playbook_type: Input - vpe_type: Modern - playbook_fields: [device,file] - product: - - Splunk SOAR - use_cases: - - Response - - Malware - - Endpoint - defend_technique_id: - - D3-RF +playbook_type: Input +vpe_type: Modern +playbook_fields: [device, file] +product: + - Splunk SOAR +use_cases: + - Response + - Malware + - Endpoint +defend_technique_id: + - D3-RF 
diff --git a/playbooks/CrowdStrike_OAuth_API_Get_Device_Info.yml b/playbooks/CrowdStrike_OAuth_API_Get_Device_Info.yml index e7439ec37f..3c4b33ac7c 100644 --- a/playbooks/CrowdStrike_OAuth_API_Get_Device_Info.yml +++ b/playbooks/CrowdStrike_OAuth_API_Get_Device_Info.yml @@ -1,26 +1,25 @@ name: CrowdStrike OAuth API Get Device Info id: d97f8a59-fbb0-40db-a4ca-a681000c3b6d -version: 1 -date: '2025-06-09' +version: 2 +creation_date: '2025-06-20' +modification_date: '2026-05-19' author: Christian Cloutier, Splunk type: Investigation description: "Given either a CrowdStrike device id (agentId) or a hostname, will query the device to get the other missing attribute. This enables finding the hostname from a device id or the device id from a hostname and can be used in front of other CrowdStrike custom playbooks for added flexibility." playbook: CrowdStrike_OAuth_API_Get_Device_Info -how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and will provide the correspoding information (hostname for a device id, and vice versa) for use in automation playbooks. +how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and will provide the correspoding information (hostname for a device id, and vice versa) for use in automation playbooks. references: [] -app_list: - - CrowdStrike OAuth API -tags: - platform_tags: +app_list: + - CrowdStrike OAuth API +platform_tags: - "host name" - "device id" - "CrowdStrike_OAuth_API" - playbook_type: Input - vpe_type: Modern - playbook_fields: [device] - product: - - Splunk SOAR - use_cases: - - Utility - - Endpoint - defend_technique_id: +playbook_type: Input +vpe_type: Modern +playbook_fields: [device] +product: + - Splunk SOAR +use_cases: + - Utility + - Endpoint 
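Review bot: The new side of this hunk drops `defend_technique_id` entirely (the hunk header goes from 26 to 25 lines and the old trailing `defend_technique_id:` key has no replacement), so this is now the only CrowdStrike playbook in the change without that key. The old value was an empty key, i.e. null, which was arguably already wrong, but silently removing it changes the document shape relative to every sibling file. If the playbook schema allows the key to be absent this is fine; otherwise declare it explicitly as an empty list, `defend_technique_id: []`, matching how `platform_tags: []` is written in Identifier Activity Analysis Dispatch.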
diff --git a/playbooks/CrowdStrike_OAuth_API_Identifier_Activity_Analysis.yml b/playbooks/CrowdStrike_OAuth_API_Identifier_Activity_Analysis.yml index b907d8cf33..c0bd100a58 100644 --- a/playbooks/CrowdStrike_OAuth_API_Identifier_Activity_Analysis.yml +++ b/playbooks/CrowdStrike_OAuth_API_Identifier_Activity_Analysis.yml @@ -1,27 +1,27 @@ name: CrowdStrike OAuth API Identifier Activity Analysis id: 5299d9dc-e9c4-42fa-b051-92ace0ff816d -version: 1 -date: '2023-03-30' +version: 2 +creation_date: '2023-03-30' +modification_date: '2026-05-19' author: Lou Stella, Splunk type: Investigation description: "Accepts a file hash or domain name, and asks CrowdStrike for a list of device IDs that have interacted with each. The list of IDs is then sent back to Crowdstrike to get more information, and then produces a normalized output and summary table." playbook: CrowdStrike_OAuth_API_Identifier_Activity_Analysis -how_to_implement: This input playbook requires the Crowdstrike OAuth API connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Activity Analysis playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the Crowdstrike OAuth API connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Activity Analysis playbook or other playbooks in the same style. references: [] -app_list: - - CrowdStrike OAuth API -tags: - platform_tags: - - identifier_activity +app_list: + - CrowdStrike OAuth API +platform_tags: + - identifier_activity - domain - file_hash - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Enrichment - - Endpoint - defend_technique_id: - - D3-IAA +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Enrichment + - Endpoint +defend_technique_id: + - D3-IAA 
diff --git a/playbooks/CrowdStrike_OAuth_API_Network_Isolation.yml b/playbooks/CrowdStrike_OAuth_API_Network_Isolation.yml index 198489ecda..77c9586eb2 100644 --- a/playbooks/CrowdStrike_OAuth_API_Network_Isolation.yml +++ b/playbooks/CrowdStrike_OAuth_API_Network_Isolation.yml @@ -1,30 +1,30 @@ name: CrowdStrike OAuth API Network Isolation id: dd7ef79b-2bfd-4844-821d-a9e8db570d0a -version: 1 -date: '2025-06-09' +version: 2 +creation_date: '2025-06-20' +modification_date: '2026-05-19' author: Christian Cloutier, Splunk type: Response description: "Accepts a hostname or device id as input and attempts to isolate (quarantine) the device in Crowdstrike. We then generate an observable report as well as a Markdown formatted report from the results. Both reports can be customized based on user preference." playbook: CrowdStrike_OAuth_API_Network_Isolation -how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and contain the corresponding endpoint for use in automation playbooks. +how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and contain the corresponding endpoint for use in automation playbooks. references: [] -app_list: - - CrowdStrike OAuth API -tags: - platform_tags: +app_list: + - CrowdStrike OAuth API +platform_tags: - "host name" - "device id" - "Network Isolation" - "D3-NAM" - "CrowdStrike_OAuth_API" - playbook_type: Input - vpe_type: Modern - playbook_fields: [device] - product: - - Splunk SOAR - use_cases: - - Response - - Malware - - Endpoint - defend_technique_id: - - D3-NAM +playbook_type: Input +vpe_type: Modern +playbook_fields: [device] +product: + - Splunk SOAR +use_cases: + - Response + - Malware + - Endpoint +defend_technique_id: + - D3-NAM 
diff --git a/playbooks/CrowdStrike_OAuth_API_Network_Restore.yml b/playbooks/CrowdStrike_OAuth_API_Network_Restore.yml index 0d5a0d1da5..9c069afeed 100644 --- a/playbooks/CrowdStrike_OAuth_API_Network_Restore.yml +++ b/playbooks/CrowdStrike_OAuth_API_Network_Restore.yml @@ -1,30 +1,30 @@ name: CrowdStrike OAuth API Network Restore id: 92ddd3da-02ac-40d1-84fb-1bc8c9fdc1da -version: 1 -date: '2025-06-09' +version: 2 +creation_date: '2025-06-20' +modification_date: '2026-05-19' author: Christian Cloutier, Splunk type: Response description: "Accepts a hostname or device id as input and tries to restore access for (unquarantines) the device in Crowdstrike. We then generate an observable report as well as a Markdown formatted report of the results. Both can be customized based on user preference." playbook: CrowdStrike_OAuth_API_Network_Restore -how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and remove the corresponding endpoint from containment for use in automation playbooks. +how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and remove the corresponding endpoint from containment for use in automation playbooks. references: [] -app_list: - - CrowdStrike OAuth API -tags: - platform_tags: +app_list: + - CrowdStrike OAuth API +platform_tags: - "host name" - "device id" - "Network Restore" - "D3-RNA" - "CrowdStrike_OAuth_API" - playbook_type: Input - vpe_type: Modern - playbook_fields: [device] - product: - - Splunk SOAR - use_cases: - - Response - - Malware - - Endpoint - defend_technique_id: - - D3-RNA +playbook_type: Input +vpe_type: Modern +playbook_fields: [device] +product: + - Splunk SOAR +use_cases: + - Response + - Malware + - Endpoint +defend_technique_id: + - D3-RNA 
diff --git a/playbooks/CrowdStrike_OAuth_API_Process_Termination.yml b/playbooks/CrowdStrike_OAuth_API_Process_Termination.yml index 3a601d2ad2..d7fb11f716 100644 --- a/playbooks/CrowdStrike_OAuth_API_Process_Termination.yml +++ b/playbooks/CrowdStrike_OAuth_API_Process_Termination.yml 
@@ -1,31 +1,31 @@ name: CrowdStrike OAuth API Process Termination id: 4a64ee9b-09fa-42fa-8b43-0de75908ff08 -version: 1 -date: '2025-06-09' +version: 2 +creation_date: '2025-06-20' +modification_date: '2026-05-19' author: Christian Cloutier, Splunk type: Response description: "Accepts a hostname or device id as well as one or more process IDs as input and terminates those process(es) on a device in CrowdStrike. We then generate an observable report as well as a Markdown formatted report. Both reports can be customized based on user preference. Note that the Markdown report can report a status of success even when a particular PID is not actually killed. Rely on the observable output if you need to reliably check that." playbook: CrowdStrike_OAuth_API_Process_Termination -how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and terminate the corresponding process on the endpoint for use in automation playbooks. +how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or device id and terminate the corresponding process on the endpoint for use in automation playbooks. references: [] -app_list: - - CrowdStrike OAuth API -tags: - platform_tags: +app_list: + - CrowdStrike OAuth API +platform_tags: - "host name" - "device id" - "pid" - "Process Termination" - "D3-PT" - "CrowdStrike_OAuth_API" - playbook_type: Input - vpe_type: Modern - playbook_fields: [device,pid] - product: - - Splunk SOAR - use_cases: - - Response - - Malware - - Endpoint - defend_technique_id: - - D3-PT +playbook_type: Input +vpe_type: Modern +playbook_fields: [device, pid] +product: + - Splunk SOAR +use_cases: + - Response + - Malware + - Endpoint +defend_technique_id: + - D3-PT 
diff --git a/playbooks/DNS_Denylisting_Dispatch.yml b/playbooks/DNS_Denylisting_Dispatch.yml index 083692ba6c..55021f81d5 100644 --- a/playbooks/DNS_Denylisting_Dispatch.yml +++ b/playbooks/DNS_Denylisting_Dispatch.yml @@ -1,25 +1,25 @@ name: DNS Denylisting Dispatch id: 7fd9a82f-517a-4d86-bf24-4d4158719dc1 -version: 1 -date: '2023-07-14' +version: 2 +creation_date: '2023-05-22' +modification_date: '2026-05-19' author: Patrick Bareiss, Splunk type: Response description: Accepts a list of domains and blocks them. Generates a global report and list of observables. playbook: DNS_Denylisting_Dispatch -how_to_implement: This playbook looks for artifacts and then dispatches the community denylisting playbooks. This playbook takes the output of those playbooks and nicely formats them into notes and tags indicators with their results. +how_to_implement: This playbook looks for artifacts and then dispatches the community denylisting playbooks. This playbook takes the output of those playbooks and nicely formats them into notes and tags indicators with their results. references: - - https://d3fend.mitre.org/technique/d3f:DNSDenylisting/ + - https://d3fend.mitre.org/technique/d3f:DNSDenylisting/ app_list: [] -tags: - platform_tags: - - D3-DNSDL - playbook_type: Automation - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Phishing - - Endpoint - defend_technique_id: - - D3-DNSDL \ No newline at end of file +platform_tags: + - D3-DNSDL +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Phishing + - Endpoint +defend_technique_id: + - D3-DNSDL diff --git a/playbooks/Dynamic_Analysis_Dispatch.yml b/playbooks/Dynamic_Analysis_Dispatch.yml index 4141959bb1..add1323285 100644 --- a/playbooks/Dynamic_Analysis_Dispatch.yml +++ b/playbooks/Dynamic_Analysis_Dispatch.yml 
@@ -1,30 +1,29 @@ name: Dynamic Analysis Dispatch id: a15da934-1f59-4672-b98c-ec1bbfd80885 -version: 1 -date: '2023-03-30' +version: 2 +creation_date: '2023-03-30' +modification_date: '2026-05-19' author: Teoderick Contreras, Splunk type: Investigation -description: Automatically dispatches input playbooks with the 'sandbox' tag. - This will produce a merge report and indicator tag for each inputs. +description: Automatically dispatches input playbooks with the 'sandbox' tag. This will produce a merge report and indicator tag for each inputs. playbook: Dynamic_Analysis_Dispatch how_to_implement: This automatic playbook requires "sandbox" tag be present on each input playbook you want to launch. references: [] app_list: [] -tags: - platform_tags: +platform_tags: - url - domain - sandbox - ip - vault_id - playbook_type: Automation - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Enrichment - - Phishing - - Endpoint - defend_technique_id: - - D3-DA \ No newline at end of file +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Enrichment + - Phishing + - Endpoint +defend_technique_id: + - D3-DA diff --git a/playbooks/G_Suite_for_GMail_Message_Identifier_Activity_Analysis.yml b/playbooks/G_Suite_for_GMail_Message_Identifier_Activity_Analysis.yml index 8af7f2fe9d..c0e46bfd1b 100644 --- a/playbooks/G_Suite_for_GMail_Message_Identifier_Activity_Analysis.yml +++ b/playbooks/G_Suite_for_GMail_Message_Identifier_Activity_Analysis.yml 
@@ -1,26 +1,26 @@ name: G Suite for GMail Message Identifier Activity Analysis id: 5299d6dd-e9c4-4afa-b051-928ace0ff816 -version: 1 -date: '2023-05-12' +version: 2 +creation_date: '2023-05-14' +modification_date: '2026-05-19' author: Lou Stella, Splunk type: Investigation description: "Accepts an internet message id, and asks Gmail for a list of mailboxes to search, and then searches each one to look for records that have a matching internet message id. It then produces a normalized output and summary table." playbook: G_Suite_for_GMail_Message_Identifier_Acitivity_Analysis -how_to_implement: This input playbook requires the G Suite for GMail connector to be configured. It is designed to work in environments that posess a maximum of 500 mailboxes at this time, due to a limitation in the G Suite for GMail connector. +how_to_implement: This input playbook requires the G Suite for GMail connector to be configured. It is designed to work in environments that posess a maximum of 500 mailboxes at this time, due to a limitation in the G Suite for GMail connector. references: [] -app_list: - - G Suite for GMail -tags: - platform_tags: - - message_identifier_activity +app_list: + - G Suite for GMail +platform_tags: + - message_identifier_activity - internet_message_id - gsuite_for_gmail - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Phishing - defend_technique_id: - - D3-IAA +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Phishing +defend_technique_id: + - D3-IAA diff --git a/playbooks/G_Suite_for_Gmail_Message_Eviction.yml b/playbooks/G_Suite_for_Gmail_Message_Eviction.yml index 01466b8f0e..73dce41fd0 100644 --- a/playbooks/G_Suite_for_Gmail_Message_Eviction.yml +++ b/playbooks/G_Suite_for_Gmail_Message_Eviction.yml 
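Review bot: The context line `playbook: G_Suite_for_GMail_Message_Identifier_Acitivity_Analysis` misspells "Activity" and therefore does not match the file name `G_Suite_for_GMail_Message_Identifier_Activity_Analysis.yml`, while every other hunk in this change has `playbook` equal to the file basename. If `playbook` is resolved against the file or playbook name downstream, this entry will fail to resolve; the commit touches the surrounding lines but leaves it as is. Suggested line: `playbook: G_Suite_for_GMail_Message_Identifier_Activity_Analysis`.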
@@ -1,26 +1,26 @@ name: G Suite for Gmail Message Eviction id: 5299d3ad-e9c4-4afa-b051-92cacd0ff916 -version: 1 -date: '2024-01-21' +version: 2 +creation_date: '2024-03-06' +modification_date: '2026-05-19' author: Lou Stella, Splunk type: Response description: Accepts a gmail email ID, and then attempts to delete the email from the mailbox. GMail does not have a "soft-delete" option, messages run through the Message Eviction playbook will be permanently deleted. playbook: G_Suite_for_Gmail_Message_Eviction -how_to_implement: This input playbook requires the G Suite for GMail connector to be configured. It is designed to work in environments that posess a maximum of 500 mailboxes at this time, due to a limitation in the G Suite for GMail connector. +how_to_implement: This input playbook requires the G Suite for GMail connector to be configured. It is designed to work in environments that posess a maximum of 500 mailboxes at this time, due to a limitation in the G Suite for GMail connector. references: [] -app_list: - - G Suite for GMail -tags: - platform_tags: +app_list: + - G Suite for GMail +platform_tags: - message_eviction - gmail_email_id - gsuite_for_gmail - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Phishing - defend_technique_id: - - D3-ER +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Phishing +defend_technique_id: + - D3-ER diff --git a/playbooks/G_Suite_for_Gmail_Search_and_Purge.yml b/playbooks/G_Suite_for_Gmail_Search_and_Purge.yml index bc99239828..aa53b1ab60 100644 --- a/playbooks/G_Suite_for_Gmail_Search_and_Purge.yml +++ b/playbooks/G_Suite_for_Gmail_Search_and_Purge.yml 
@@ -1,29 +1,29 @@ name: G Suite for Gmail Search and Purge id: 5294d3bd-e9c4-4bfa-b051-92cacd0ff925 -version: 1 -date: '2024-02-19' +version: 2 +creation_date: '2024-03-06' +modification_date: '2026-05-19' author: Lou Stella, Splunk type: Response description: Accepts an Internet Message ID, searches for its presence in up to 500 mailboxes, and then deletes the ones it finds. GMail does not have a "soft-delete" option, messages run through the Message Eviction playbook will be permanently deleted. playbook: G_Suite_for_Gmail_Search_and_Purge -how_to_implement: This input playbook requires the G Suite for GMail connector to be configured. It is designed to work in environments that posess a maximum of 500 mailboxes at this time, due to a limitation in the G Suite for GMail connector. +how_to_implement: This input playbook requires the G Suite for GMail connector to be configured. It is designed to work in environments that posess a maximum of 500 mailboxes at this time, due to a limitation in the G Suite for GMail connector. references: [] -app_list: - - G Suite for GMail -tags: - platform_tags: +app_list: + - G Suite for GMail +platform_tags: - message_eviction - message_identifier_activity - gmail_email_id - internet_message_id - gsuite_for_gmail - playbook_type: Automation - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Phishing - defend_technique_id: +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Phishing +defend_technique_id: - D3-ER - D3-IAA diff --git a/playbooks/Identifier_Activity_Analysis_Dispatch.yml b/playbooks/Identifier_Activity_Analysis_Dispatch.yml index 4221031ad4..67c063c6d1 100644 --- a/playbooks/Identifier_Activity_Analysis_Dispatch.yml +++ b/playbooks/Identifier_Activity_Analysis_Dispatch.yml 
@@ -1,22 +1,22 @@ name: Identifier Activity Analysis Dispatch id: fc0edc96-ab1f-48b9-1b4d-63da52dbfa74 -version: 1 -date: '2023-02-28' +version: 2 +creation_date: '2023-02-27' +modification_date: '2026-05-19' author: Lou Stella, Splunk type: Investigation description: "Detects available indicators and routes them to related identifier activity analysis playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags." playbook: Identifier_Activity_Analysis_Dispatch -how_to_implement: This playbook looks for artifacts and then dispatches the community Related Tickets playbooks. This playbook takes the output of those playbooks and nicely formats them into notes and tags indicators with their results. +how_to_implement: This playbook looks for artifacts and then dispatches the community Related Tickets playbooks. This playbook takes the output of those playbooks and nicely formats them into notes and tags indicators with their results. references: [] app_list: [] -tags: - platform_tags: [] - playbook_type: Automation - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Enrichment - defend_technique_id: - - D3-IAA \ No newline at end of file +platform_tags: [] +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Enrichment +defend_technique_id: + - D3-IAA diff --git a/playbooks/Identifier_Reputation_Analysis_Dispatch.yml b/playbooks/Identifier_Reputation_Analysis_Dispatch.yml index 26f9bf3b88..c7bf97346b 100644 --- a/playbooks/Identifier_Reputation_Analysis_Dispatch.yml +++ b/playbooks/Identifier_Reputation_Analysis_Dispatch.yml 
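Review bot: The reflowed `how_to_implement` line still says this playbook "dispatches the community Related Tickets playbooks", which contradicts the `description` two lines above ("routes them to related identifier activity analysis playbooks") and looks copied from the Related Tickets dispatcher. Since the commit rewrites this line anyway, it is the place to fix the wording, e.g. `how_to_implement: This playbook looks for artifacts and then dispatches the community Identifier Activity Analysis playbooks. This playbook takes the output of those playbooks and nicely formats them into notes and tags indicators with their results.`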
@@ -1,24 +1,24 @@ name: Identifier Reputation Analysis Dispatch id: fc0edc96-ff2b-48b0-9b4d-63da6783fd64 -version: 1 -date: '2023-01-11' +version: 2 +creation_date: '2023-01-11' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Investigation description: "Detects available indicators and routes them to indicator reputation analysis playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags. https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/" playbook: Identifier_Reputation_Analysis_Dispatch -how_to_implement: This playbook looks for artifacts and then dispatches the community Reputation playbooks. This playbook takes the output of those playbooks and nicely formats them into notes and tags indicators with their results. +how_to_implement: This playbook looks for artifacts and then dispatches the community Reputation playbooks. This playbook takes the output of those playbooks and nicely formats them into notes and tags indicators with their results. references: - - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/ + - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/ app_list: [] -tags: - platform_tags: +platform_tags: + - D3-IRA +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Enrichment +defend_technique_id: - D3-IRA - playbook_type: Automation - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Enrichment - defend_technique_id: - - D3-IRA diff --git a/playbooks/Jira_Related_Tickets_Search.yml b/playbooks/Jira_Related_Tickets_Search.yml index 74d540aaa5..30b91cc68b 100644 --- a/playbooks/Jira_Related_Tickets_Search.yml +++ b/playbooks/Jira_Related_Tickets_Search.yml 
@@ -1,27 +1,27 @@
 name: Jira Related Tickets Search
 id: bd20698c-42d6-45ec-b7a0-fc356d624bdf
-version: 1
-date: '2023-08-22'
+version: 2
+creation_date: '2023-08-09'
+modification_date: '2026-05-19'
 author: Eric Li, Splunk
 type: Investigation
 description: "Accepts a user or device and identifies if related tickets exists in a timeframe of last 30 days. Generates a global report and list of observables."
 playbook: Jira_Related_Tickets_Search
 how_to_implement: This input playbook requires the Jira connector to be configured. It is designed to work in conjunction with the Dynamic Related Tickets Search playbook or other playbooks in the same style.
 references:
- - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/
+ - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/
 app_list:
- - Jira
-tags:
- platform_tags:
+ - Jira
+platform_tags:
 - user
 - device
 - host name
 - ticket
 - Jira
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- defend_technique_id:
- - D3-IRA
\ No newline at end of file
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+defend_technique_id:
+ - D3-IRA
diff --git a/playbooks/MS_Graph_for_Office_365_Message_Eviction.yml b/playbooks/MS_Graph_for_Office_365_Message_Eviction.yml
index a022b7bf39..d0771d45b6 100644
--- a/playbooks/MS_Graph_for_Office_365_Message_Eviction.yml
+++ b/playbooks/MS_Graph_for_Office_365_Message_Eviction.yml
@@ -1,26 +1,26 @@
 name: MS Graph for Office 365 Message Eviction
 id: 5299d6dd-e9c4-4bfd-b031-928acd1ff816
-version: 1
-date: '2024-01-21'
+version: 2
+creation_date: '2024-03-06'
+modification_date: '2026-05-19'
 author: Lou Stella, Splunk
 type: Response
 description: Accepts message ID that needs to be evicted from provided email mailbox in Microsoft Office365. Generates an observable output based on the status of message eviction.
 playbook: MS_Graph_for_Office_365_Message_Eviction
-how_to_implement: This input playbook requires the MS Graph for Office 365 connector to be configured.
+how_to_implement: This input playbook requires the MS Graph for Office 365 connector to be configured.
 references: []
-app_list:
- - MS Graph for Office 365
-tags:
- platform_tags:
- - message_eviction
+app_list:
+ - MS Graph for Office 365
+platform_tags:
+ - message_eviction
 - internet_message_id
 - ms_graph_for_o365
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Phishing
- defend_technique_id:
- - D3-ER
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Phishing
+defend_technique_id:
+ - D3-ER
diff --git a/playbooks/MS_Graph_for_Office_365_Message_Identifier_Activity_Analysis.yml b/playbooks/MS_Graph_for_Office_365_Message_Identifier_Activity_Analysis.yml
index 22a6f23e80..c99269f40e 100644
--- a/playbooks/MS_Graph_for_Office_365_Message_Identifier_Activity_Analysis.yml
+++ b/playbooks/MS_Graph_for_Office_365_Message_Identifier_Activity_Analysis.yml
@@ -1,26 +1,26 @@
 name: MS Graph for Office 365 Message Identifier Activity Analysis
 id: 5292d6ad-e9c4-4bfd-b831-928ac1dff816
-version: 1
-date: '2024-02-03'
+version: 2
+creation_date: '2024-03-06'
+modification_date: '2026-05-19'
 author: Lou Stella, Splunk
 type: Investigation
 description: "Accepts an internet message id, and asks Microsoft for a list of users with mailboxes to search, and then searches each one to look for records that have a matching internet message id. It then produces a normalized output and summary table."
 playbook: MS_Graph_for_Office_365_Message_Identifier_Activity_Analysis
-how_to_implement: This input playbook requires the MS Graph for Office 365 connector to be configured.
+how_to_implement: This input playbook requires the MS Graph for Office 365 connector to be configured.
 references: []
-app_list:
- - MS Graph for Office 365
-tags:
- platform_tags:
- - message_identifier_activity
+app_list:
+ - MS Graph for Office 365
+platform_tags:
+ - message_identifier_activity
 - internet_message_id
 - ms_graph_for_o365
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Phishing
- defend_technique_id:
- - D3-IAA
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Phishing
+defend_technique_id:
+ - D3-IAA
diff --git a/playbooks/MS_Graph_for_Office_365_Message_Restore.yml b/playbooks/MS_Graph_for_Office_365_Message_Restore.yml
index 2f1286c459..944c77d658 100644
--- a/playbooks/MS_Graph_for_Office_365_Message_Restore.yml
+++ b/playbooks/MS_Graph_for_Office_365_Message_Restore.yml
@@ -1,27 +1,27 @@
 name: MS Graph for Office 365 Message Restore
 id: 5299d6dd-e9c4-4bad-b041-928ace1ff811
-version: 1
-date: '2024-02-15'
+version: 2
+creation_date: '2024-03-06'
+modification_date: '2026-05-19'
 author: Lou Stella, Splunk
 type: Response
 description: Accepts message ID that needs to be restored to the provided email mailbox in Microsoft Office365. Generates an observable output based on the status of message restoration.
 playbook: MS_Graph_for_Office_365_Message_Restore
-how_to_implement: This input playbook requires the MS Graph for Office 365 connector to be configured.
+how_to_implement: This input playbook requires the MS Graph for Office 365 connector to be configured.
 references: []
-app_list:
- - MS Graph for Office 365
-tags:
- platform_tags:
- - message_restore
+app_list:
+ - MS Graph for Office 365
+platform_tags:
+ - message_restore
 - internet_message_id
 - email
 - ms_graph_for_o365
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Phishing
- defend_technique_id:
- - D3-RE
\ No newline at end of file
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Phishing
+defend_technique_id:
+ - D3-RE
diff --git a/playbooks/MS_Graph_for_Office_365_Search_and_Purge.yml b/playbooks/MS_Graph_for_Office_365_Search_and_Purge.yml
index 8a9a2aa08e..4aa65e319a 100644
--- a/playbooks/MS_Graph_for_Office_365_Search_and_Purge.yml
+++ b/playbooks/MS_Graph_for_Office_365_Search_and_Purge.yml
@@ -1,28 +1,28 @@
 name: MS Graph for Office 365 Search and Purge
 id: 5112d6ad-a8c4-47ed-b831-928ac1dff716
-version: 1
-date: '2024-02-03'
+version: 2
+creation_date: '2024-03-06'
+modification_date: '2026-05-19'
 author: Lou Stella, Splunk
 type: Response
 description: Accepts an Internet Message ID, searches for its presence in each mailbox in the tenant, and then deletes the ones it finds. Microsoft does have a "soft-delete" option, messages run through the Message Eviction playbook will be recoverable.
 playbook: MS_Graph_for_Office_365_Search_and_Purge
 how_to_implement: This input playbook requires the MS Graph for Office365 connector to be configured. Careful attention should be paid to the documentation for this connector's required permissions.
 references: []
-app_list:
- - MS Graph for Office 365
-tags:
- platform_tags:
+app_list:
+ - MS Graph for Office 365
+platform_tags:
 - message_eviction
 - message_identifier_activity
 - internet_message_id
 - ms_graph_for_office_365
- playbook_type: Automation
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Phishing
- defend_technique_id:
+playbook_type: Automation
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Phishing
+defend_technique_id:
 - D3-ER
- - D3-IAA
\ No newline at end of file
+ - D3-IAA
diff --git a/playbooks/MS_Graph_for_Office_365_Search_and_Restore.yml b/playbooks/MS_Graph_for_Office_365_Search_and_Restore.yml
index 47161c7ac6..a54ef611ae 100644
--- a/playbooks/MS_Graph_for_Office_365_Search_and_Restore.yml
+++ b/playbooks/MS_Graph_for_Office_365_Search_and_Restore.yml
@@ -1,27 +1,27 @@
 name: MS Graph for Office 365 Search and Restore
 id: 511236ad-a8c4-47ed-b631-928ab1dff71a
-version: 1
-date: '2024-02-15'
+version: 2
+creation_date: '2024-03-06'
+modification_date: '2026-05-19'
 author: Lou Stella, Splunk
 type: Response
-description: Accepts an Internet Message ID and an email mailbox, searches for the Message ID's presence in each mailbox's recoverable deleted items, and then restores the ones it finds.
+description: Accepts an Internet Message ID and an email mailbox, searches for the Message ID's presence in each mailbox's recoverable deleted items, and then restores the ones it finds.
 playbook: MS_Graph_for_Office_365_Search_and_Restore
 how_to_implement: This input playbook requires the MS Graph for Office365 connector to be configured. Careful attention should be paid to the documentation for this connector's required permissions.
 references: []
-app_list:
- - MS Graph for Office 365
-tags:
- platform_tags:
+app_list:
+ - MS Graph for Office 365
+platform_tags:
 - message_restore
 - message_identifier_activity
 - internet_message_id
 - ms_graph_for_office_365
- playbook_type: Automation
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Phishing
- defend_technique_id:
+playbook_type: Automation
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Phishing
+defend_technique_id:
 - D3-RE
diff --git a/playbooks/Panorama_Outbound_Traffic_Filtering.yml b/playbooks/Panorama_Outbound_Traffic_Filtering.yml
index 1e5fc2e911..4dffeb472e 100644
--- a/playbooks/Panorama_Outbound_Traffic_Filtering.yml
+++ b/playbooks/Panorama_Outbound_Traffic_Filtering.yml
@@ -1,28 +1,28 @@
 name: Panorama Outbound Traffic Filtering
 id: 5e3e061f-5206-49ac-88f4-4e818a20b2a9
-version: 1
-date: '2023-05-19'
+version: 2
+creation_date: '2023-05-19'
+modification_date: '2026-05-19'
 author: Patrick Bareiss, Splunk
 type: Response
 description: Accepts a URL or list of URLs as input. Uses Panorama to block the given URLs in Palo Alto Firewall.
 playbook: Panorama_Outbound_Traffic_Filtering
 how_to_implement: This input playbook requires the Panorama connector to be configured. It is designed to work in conjunction with the Dynamic URL Outbound Traffic Filtering Analysis playbook or other playbooks in the same style.
-references:
-- https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering/
-app_list:
- - Panorama
-tags:
- platform_tags:
+references:
+ - https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering/
+app_list:
+ - Panorama
+platform_tags:
 - denylist
 - url
 - Panorama
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Phishing
- - Endpoint
- defend_technique_id:
- - D3-OTF
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Phishing
+ - Endpoint
+defend_technique_id:
+ - D3-OTF
diff --git a/playbooks/PhishTank_URL_Reputation_Analysis.yml b/playbooks/PhishTank_URL_Reputation_Analysis.yml
index 2399c4a2f7..29b60d794f 100644
--- a/playbooks/PhishTank_URL_Reputation_Analysis.yml
+++ b/playbooks/PhishTank_URL_Reputation_Analysis.yml
@@ -1,30 +1,30 @@ name: PhishTank URL Reputation Analysis id: fc0eab96-ff1b-45b0-9b4d-63ca4783fd64 -version: 1 -date: '2023-01-11' +version: 2 +creation_date: '2023-01-11' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Investigation description: "Accepts a URL and does reputation analysis on the objects. Generates a global report and a per observable sub-report and normalized score. The score can be customized as desired." playbook: PhishTank_URL_Reputation_Analysis -how_to_implement: This input playbook requires the PhishTank connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Reputation Analysis playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the PhishTank connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Reputation Analysis playbook or other playbooks in the same style. references: - - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/ -app_list: - - PhishTank -tags: - platform_tags: + - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/ +app_list: + - PhishTank +platform_tags: - D3-IRA - D3-URA - - reputation + - reputation - url - PhishTank - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Enrichment - - Phishing - defend_technique_id: - - D3-IRA +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Enrichment + - Phishing +defend_technique_id: + - D3-IRA diff --git a/playbooks/Related_Tickets_Search_Dispatch.yml b/playbooks/Related_Tickets_Search_Dispatch.yml index 93e1f8165c..fe2fe0ab9d 100644 --- a/playbooks/Related_Tickets_Search_Dispatch.yml +++ b/playbooks/Related_Tickets_Search_Dispatch.yml 
@@ -1,21 +1,21 @@
 name: Related Tickets Search Dispatch
 id: fc0edc96-ab1f-48b9-9b4d-63da61bafe74
-version: 1
-date: '2023-02-28'
+version: 2
+creation_date: '2023-02-27'
+modification_date: '2026-05-19'
 author: Patrick Bareiss, Splunk
 type: Investigation
 description: "Detects available indicators and routes them to dispatch related ticket search playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags."
 playbook: Related_Tickets_Search_Dispatch
-how_to_implement: This playbook looks for artifacts and then dispatches the community Related Tickets playbooks. This playbook takes the output of those playbooks and nicely formats them into notes and tags indicators with their results.
+how_to_implement: This playbook looks for artifacts and then dispatches the community Related Tickets playbooks. This playbook takes the output of those playbooks and nicely formats them into notes and tags indicators with their results.
 references:
- - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/
+ - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/
 app_list: []
-tags:
- platform_tags: []
- playbook_type: Automation
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Enrichment
\ No newline at end of file
+platform_tags: []
+playbook_type: Automation
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Enrichment
diff --git a/playbooks/ServiceNow_Related_Tickets_Search.yml b/playbooks/ServiceNow_Related_Tickets_Search.yml
index 2a2f54c8df..7ef1f46b64 100644
--- a/playbooks/ServiceNow_Related_Tickets_Search.yml
+++ b/playbooks/ServiceNow_Related_Tickets_Search.yml
@@ -1,28 +1,28 @@
 name: ServiceNow Related Tickets Search
 id: fc0edc96-ff2b-48b0-9b4d-63da61bafe74
-version: 1
-date: '2023-02-28'
+version: 2
+creation_date: '2023-02-27'
+modification_date: '2026-05-19'
 author: Patrick Bareiss, Splunk
 type: Investigation
 description: "Accepts a user or device and identifies if related tickets exists in a timeframe of last 30 days. Generates a global report and list of observables."
 playbook: ServiceNow_Related_Tickets_Search
-how_to_implement: This input playbook requires the ServiceNow connector to be configured. It is designed to work in conjunction with the Dynamic Related Tickets Search playbook or other playbooks in the same style.
+how_to_implement: This input playbook requires the ServiceNow connector to be configured. It is designed to work in conjunction with the Dynamic Related Tickets Search playbook or other playbooks in the same style.
 references:
- - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/
-app_list:
- - ServiceNow
-tags:
- platform_tags:
+ - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/
+app_list:
+ - ServiceNow
+platform_tags:
 - user
- - device
- - ServiceNow
- - ticket
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Enrichment
- defend_technique_id:
- - D3-IRA
\ No newline at end of file
+ - device
+ - ServiceNow
+ - ticket
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Enrichment
+defend_technique_id:
+ - D3-IRA
diff --git a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.yml b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.yml
index 29ace5bef4..003e9eb7c0 100644
--- a/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.yml
+++ b/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.yml
@@ -1,17 +1,17 @@
 name: Splunk Attack Analyzer Dynamic Analysis
 id: c77faffe-1339-43b0-b870-86582da9063e
-version: 1
-date: '2023-03-24'
+version: 2
+creation_date: '2023-03-24'
+modification_date: '2026-05-19'
 author: Teoderick Contreras, Splunk; Kelby Shelton, Splunk
 type: Investigation
 description: "Accepts url link, domain or vault_id (hash) to be detonated using Splunk Attacker (SAA) API connector. This playbook produces a normalized output for each user and device."
 playbook: Splunk_Attack_Analyzer_Dynamic_Analysis
-how_to_implement: This input playbook requires the SAA API connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style.
+how_to_implement: This input playbook requires the SAA API connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style.
 references: []
-app_list:
- - Splunk Attack Analyzer Connector for Splunk SOAR
-tags:
- platform_tags:
+app_list:
+ - Splunk Attack Analyzer Connector for Splunk SOAR
+platform_tags:
 - "url"
 - "ip"
 - "domain"
@@ -19,14 +19,14 @@ tags:
 - "D3-DA"
 - "vault_id"
 - "splunk_attack_analyzer"
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Enrichment
- - Phishing
- - Endpoint
- defend_technique_id:
- - D3-DA
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Enrichment
+ - Phishing
+ - Endpoint
+defend_technique_id:
+ - D3-DA
diff --git a/playbooks/Splunk_Automated_Email_Investigation.yml b/playbooks/Splunk_Automated_Email_Investigation.yml
index 5ffdabe301..1a20502d03 100644
--- a/playbooks/Splunk_Automated_Email_Investigation.yml
+++ b/playbooks/Splunk_Automated_Email_Investigation.yml
@@ -1,7 +1,8 @@
 name: Splunk Automated Email Investigation
 id: c69e3310-a819-4d16-a615-348fa8d88b0b
-version: 1
-date: '2023-12-23'
+version: 2
+creation_date: '2024-01-30'
+modification_date: '2026-05-19'
 author: Kelby Shelton, Splunk
 type: Investigation
 description: "Leverages Splunk technologies to determine if a .eml or .msg file in the vault is malicious, whether or not it contained suspect URLs or Files, and who may have interacted with the IoCs (email, URLs, or Files)."
@@ -9,18 +10,16 @@ playbook: Splunk_Automated_Email_Investigation
 how_to_implement: "Ensure the four input playbooks are loaded onto the system. The input playbooks are designed to be swappable within the same category (e.g., Message Activity Analysis) with minimal to no changes downstream."
 references: []
 app_list: []
-tags:
- platform_tags:
+platform_tags:
 - "D3-DA"
 - "D3-SRA"
- playbook_type: Automation
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Phishing
- defend_technique_id:
- - D3-DA
- - D3-SRA
- 
\ No newline at end of file
+playbook_type: Automation
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Phishing
+defend_technique_id:
+ - D3-DA
+ - D3-SRA
diff --git a/playbooks/Splunk_Identifier_Activity_Analysis.yml b/playbooks/Splunk_Identifier_Activity_Analysis.yml
index 982ea2ffba..f011279077 100644
--- a/playbooks/Splunk_Identifier_Activity_Analysis.yml
+++ b/playbooks/Splunk_Identifier_Activity_Analysis.yml
@@ -1,28 +1,28 @@
 name: Splunk Identifier Activity Analysis
 id: 5299b9dc-e8c4-46ba-d942-92ace0ff816d
-version: 1
-date: '2023-03-31'
+version: 2
+creation_date: '2023-04-02'
+modification_date: '2026-05-19'
 author: Lou Stella, Splunk; Kelby Shelton, Splunk
 type: Investigation
 description: "Accepts a file_hash, domain, IP address, or URL, and asks Splunk for a list of devices that have interacted with each. It then produces a normalized output and summary table."
 playbook: Splunk_Identifier_Activity_Analysis
-how_to_implement: This input playbook requires the Splunk connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Activity Analysis playbook or other playbooks in the same style.
+how_to_implement: This input playbook requires the Splunk connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Activity Analysis playbook or other playbooks in the same style.
 references: []
-app_list:
- - Splunk
-tags:
- platform_tags:
- - identifier_activity
+app_list:
+ - Splunk
+platform_tags:
+ - identifier_activity
 - domain
 - file_hash
 - url
 - ip_address
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Enrichment
- defend_technique_id:
- - D3-IAA
\ No newline at end of file
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Enrichment
+defend_technique_id:
+ - D3-IAA
diff --git a/playbooks/Splunk_Message_Identifier_Activity_Analysis.yml b/playbooks/Splunk_Message_Identifier_Activity_Analysis.yml
index 6a762a43b0..c91e40370f 100644
--- a/playbooks/Splunk_Message_Identifier_Activity_Analysis.yml
+++ b/playbooks/Splunk_Message_Identifier_Activity_Analysis.yml
@@ -1,27 +1,26 @@
 name: Splunk Message Identifier Activity Analysis
 id: 5299b9dc-e8c4-46ba-d942-98dae0fa816d
-version: 1
-date: '2023-01-26'
+version: 2
+creation_date: '2023-05-16'
+modification_date: '2026-05-19'
 author: Lou Stella, Splunk; Kelby Shelton, Splunk
 type: Investigation
-description: "Accepts an internet message id, and asks Splunk
- to look for records that have a matching internet message id. It then produces a normalized output and summary table."
+description: "Accepts an internet message id, and asks Splunk to look for records that have a matching internet message id. It then produces a normalized output and summary table."
 playbook: Splunk_Message_Identifier_Activity_Analysis
 how_to_implement: This input playbook requires the Splunk connector to be configured. You will also need data populating the Email.All_Email datamodel in the out-of-the-box configuration of this playbook.
 references: []
-app_list:
- - Splunk
-tags:
- platform_tags:
- - message_identifier_activity
+app_list:
+ - Splunk
+platform_tags:
+ - message_identifier_activity
 - internet_message_id
 - splunk
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Phishing
- defend_technique_id:
- - D3-IAA
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Phishing
+defend_technique_id:
+ - D3-IAA
diff --git a/playbooks/Splunk_Notable_Related_Tickets_Search.yml b/playbooks/Splunk_Notable_Related_Tickets_Search.yml
index 5c880045aa..54c3fd4340 100644
--- a/playbooks/Splunk_Notable_Related_Tickets_Search.yml
+++ b/playbooks/Splunk_Notable_Related_Tickets_Search.yml
@@ -1,26 +1,26 @@
 name: Splunk Notable Related Tickets Search
 id: fc0edc96-ff2b-58b0-9b4d-43bc61bafe74
-version: 1
-date: '2023-02-28'
+version: 2
+creation_date: '2023-02-27'
+modification_date: '2026-05-19'
 author: Patrick Bareiss, Splunk
 type: Investigation
 description: "Accepts a user or device and identifies if related notables exists in a timeframe of last 24 hours. Generates a global report and list of observables."
 playbook: Splunk_Notable_Related_Tickets_Search
-how_to_implement: This input playbook requires the Splunk connector to be configured. It is designed to work in conjunction with the Dynamic Related Tickets Seach playbook or other playbooks in the same style.
+how_to_implement: This input playbook requires the Splunk connector to be configured. It is designed to work in conjunction with the Dynamic Related Tickets Seach playbook or other playbooks in the same style.
 references:
- - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/
-app_list:
- - Splunk
-tags:
- platform_tags:
+ - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/
+app_list:
+ - Splunk
+platform_tags:
 - user
- - device
- - splunk
- - ticket
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Enrichment
\ No newline at end of file
+ - device
+ - splunk
+ - ticket
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Enrichment
diff --git a/playbooks/URL_Outbound_Traffic_Filtering_Dispatch.yml b/playbooks/URL_Outbound_Traffic_Filtering_Dispatch.yml
index 1ea2a0efb2..9fb8a27ccd 100644
--- a/playbooks/URL_Outbound_Traffic_Filtering_Dispatch.yml
+++ b/playbooks/URL_Outbound_Traffic_Filtering_Dispatch.yml
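Review bot: The re-emitted `how_to_implement` line still reads `Dynamic Related Tickets Seach playbook`; since the line is rewritten by this hunk anyway, correct the typo to `Dynamic Related Tickets Search playbook`. That matches the wording the Jira and ServiceNow Related Tickets Search playbooks use in this same diff, so the three input playbooks would then point at the dispatcher by one consistent name.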
@@ -1,24 +1,24 @@
 name: URL Outbound Traffic Filtering Dispatch
 id: 83bbe505-4636-4f60-a37b-86f1234d8567
-version: 1
-date: '2023-05-22'
+version: 2
+creation_date: '2023-05-22'
+modification_date: '2026-05-19'
 author: Patrick Bareiss, Splunk
 type: Response
 description: Accepts a list of URLs and blocks them. Generates a global report and list of observables.
 playbook: URL_Outbound_Traffic_Filtering_Dispatch
-how_to_implement: This playbook looks for artifacts and then dispatches the community denylisting playbooks. This playbook takes the output of those playbooks and nicely formats them into notes and tags indicators with their results.
+how_to_implement: This playbook looks for artifacts and then dispatches the community denylisting playbooks. This playbook takes the output of those playbooks and nicely formats them into notes and tags indicators with their results.
 references:
- - https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering/
+ - https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering/
 app_list: []
-tags:
- platform_tags: []
- playbook_type: Automation
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Phishing
- - Endpoint
- defend_technique_id:
- - D3-OTF
\ No newline at end of file
+platform_tags: []
+playbook_type: Automation
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Phishing
+ - Endpoint
+defend_technique_id:
+ - D3-OTF
diff --git a/playbooks/UrlScan_IO_Dynamic_Analysis.yml b/playbooks/UrlScan_IO_Dynamic_Analysis.yml
index ed9db104e8..a72e70d29a 100644
--- a/playbooks/UrlScan_IO_Dynamic_Analysis.yml
+++ b/playbooks/UrlScan_IO_Dynamic_Analysis.yml
@@ -1,30 +1,29 @@
 name: UrlScan IO Dynamic Analysis
 id: a1173c28-7b33-4a56-9d7f-5dbbca595cb0
-version: 1
-date: '2023-03-23'
+version: 2
+creation_date: '2023-03-23'
+modification_date: '2026-05-19'
 author: Teoderick Contreras, Splunk
 type: Investigation
 description: "Accepts a url link, IP, or domain to be detonated using urlscan.io API connector."
 playbook: UrlScan_IO_Dynamic_Analysis
-how_to_implement: This input playbook requires the urlscan.io API connector to be configured.
- It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style.
+how_to_implement: This input playbook requires the urlscan.io API connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style.
 references: []
-app_list:
- - urlscan.io
-tags:
- platform_tags:
+app_list:
+ - urlscan.io
+platform_tags:
 - url
 - domain
 - sandbox
- - ip
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Enrichment
- - Phishing
- - Endpoint
- defend_technique_id:
- - D3-DA
+ - ip
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Enrichment
+ - Phishing
+ - Endpoint
+defend_technique_id:
+ - D3-DA
diff --git a/playbooks/VirusTotal_v3_Dynamic_Analysis.yml b/playbooks/VirusTotal_v3_Dynamic_Analysis.yml
index 14d9c4eef1..df16a54206 100644
--- a/playbooks/VirusTotal_v3_Dynamic_Analysis.yml
+++ b/playbooks/VirusTotal_v3_Dynamic_Analysis.yml
@@ -1,32 +1,31 @@
 name: VirusTotal V3 Dynamic Analysis
 id: 388ed434-a498-4d55-8de4-b2657825cb67
-version: 1
-date: '2023-03-23'
+version: 2
+creation_date: '2023-03-23'
+modification_date: '2026-05-19'
 author: Teoderick Contreras, Splunk
 type: Investigation
 description: "Accepts a url link, domain or vault_id (hash) to be detonated using Virustotal V3 connector."
 playbook: VirusTotal_v3_Dynamic_Analysis
-how_to_implement: This input playbook requires the Virustotal V3 API connector to be configured.
- It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style.
+how_to_implement: This input playbook requires the Virustotal V3 API connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style.
 references: []
-app_list:
- - VirusTotal v3
-tags:
- platform_tags:
+app_list:
+ - VirusTotal v3
+platform_tags:
 - url
 - domain
 - sandbox
 - ip
 - file_hash
 - virustotal_v3
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Enrichment
- - Phishing
- - Endpoint
- defend_technique_id:
- - D3-DA
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Enrichment
+ - Phishing
+ - Endpoint
+defend_technique_id:
+ - D3-DA
diff --git a/playbooks/VirusTotal_v3_Identifier_Reputation_Analysis.yml b/playbooks/VirusTotal_v3_Identifier_Reputation_Analysis.yml
index aab675428b..77b7406875 100644
--- a/playbooks/VirusTotal_v3_Identifier_Reputation_Analysis.yml
+++ b/playbooks/VirusTotal_v3_Identifier_Reputation_Analysis.yml
@@ -1,39 +1,39 @@ name: VirusTotal v3 Identifier Reputation Analysis id: fc0edc96-ff2b-48b0-9b4d-63da67d3fe74 -version: 1 -date: '2023-01-11' +version: 2 +creation_date: '2023-01-11' +modification_date: '2026-05-19' author: Kelby Shelton, Lou Stella, Splunk type: Investigation description: "Accepts a URL, IP, Domain, or File_Hash and does reputation analysis on the objects. Generates a global report and a per observable sub-report and normalized score. The score can be customized based on a variety of factors." playbook: VirusTotal_v3_Identifier_Reputation_Analysis -how_to_implement: This input playbook requires the VirusTotal v3 connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Reputation Analysis playbook or other playbooks in the same style. +how_to_implement: This input playbook requires the VirusTotal v3 connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Reputation Analysis playbook or other playbooks in the same style. references: - - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/ -app_list: - - VirusTotal v3 -tags: - platform_tags: - - reputation + - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/ +app_list: + - VirusTotal v3 +platform_tags: + - reputation - url - - ip - - domain - - file_hash + - ip + - domain + - file_hash - D3-IRA - D3-URA - D3-DNRA - D3-IPRA - D3-FHRA - VirusTotal_v3 - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR - use_cases: - - Enrichment - defend_technique_id: - - D3-IRA - - D3-URA - - D3-DNRA - - D3-IPRA - - D3-FHRA \ No newline at end of file +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +use_cases: + - Enrichment +defend_technique_id: + - D3-IRA + - D3-URA + - D3-DNRA + - D3-IPRA + - D3-FHRA 
diff --git a/playbooks/Windows_Defender_ATP_Identifier_Activity_Analysis.yml b/playbooks/Windows_Defender_ATP_Identifier_Activity_Analysis.yml
index 39c9574dac..cec9a22ae1 100644
--- a/playbooks/Windows_Defender_ATP_Identifier_Activity_Analysis.yml
+++ b/playbooks/Windows_Defender_ATP_Identifier_Activity_Analysis.yml
@@ -1,27 +1,27 @@
 name: Windows Defender ATP Identifier Activity Analysis
 id: 5299d9dc-e9c4-46fa-da42-92ace0ff816d
-version: 1
-date: '2023-03-30'
+version: 2
+creation_date: '2023-03-30'
+modification_date: '2026-05-19'
 author: Lou Stella, Splunk
 type: Investigation
 description: "Accepts a file_hash or domain name, and asks Windows Defender ATP for a list of devices that have interacted with each. It then produces a normalized output and summary table."
 playbook: Windows_Defender_ATP_Identifier_Activity_Analysis
-how_to_implement: This input playbook requires the Windows Defender ATP connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Activity Analysis playbook or other playbooks in the same style.
+how_to_implement: This input playbook requires the Windows Defender ATP connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Activity Analysis playbook or other playbooks in the same style.
 references: []
-app_list:
- - Windows Defender ATP
-tags:
- platform_tags:
- - identifier_activity
+app_list:
+ - Windows Defender ATP
+platform_tags:
+ - identifier_activity
 - domain
 - file_hash
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Enrichment
- - Endpoint
- defend_technique_id:
- - D3-IAA
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Enrichment
+ - Endpoint
+defend_technique_id:
+ - D3-IAA
diff --git a/playbooks/Zscaler_Outbound_Traffic_Filtering.yml b/playbooks/Zscaler_Outbound_Traffic_Filtering.yml
index 8565283001..f2bf86815e 100644
--- a/playbooks/Zscaler_Outbound_Traffic_Filtering.yml
+++ b/playbooks/Zscaler_Outbound_Traffic_Filtering.yml
@@ -1,29 +1,29 @@
 name: ZScaler Outbound Traffic Filtering
 id: 3e0df448-0546-4b2b-9143-365161cf40f9
-version: 1
-date: '2023-03-31'
+version: 2
+creation_date: '2023-03-31'
+modification_date: '2026-05-19'
 author: Patrick Bareiss, Splunk
 type: Response
 description: Accepts a URL or list of URLs and block them in ZScaler. Generates a list of observables with the blocked URLs.
 playbook: ZScaler_Outbound_Traffic_Filtering
-how_to_implement: This input playbook requires the ZScaler connector to be configured. It is designed to work in conjunction with the Dynamic URL Outbound Traffic Filtering Analysis playbook or other playbooks in the same style.
+how_to_implement: This input playbook requires the ZScaler connector to be configured. It is designed to work in conjunction with the Dynamic URL Outbound Traffic Filtering Analysis playbook or other playbooks in the same style.
 references:
- - https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering/
-app_list:
- - Zscaler
-tags:
- platform_tags:
+ - https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering/
+app_list:
+ - Zscaler
+platform_tags:
 - denylist
 - url
 - D3-OTF
 - Zscaler
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
- use_cases:
- - Phishing
- - Endpoint
- defend_technique_id:
- - D3-OTF
\ No newline at end of file
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
+use_cases:
+ - Phishing
+ - Endpoint
+defend_technique_id:
+ - D3-OTF
diff --git a/playbooks/activedirectory_reset_password.yml b/playbooks/activedirectory_reset_password.yml
index f0fb837f99..ec83e1cde8 100644
--- a/playbooks/activedirectory_reset_password.yml
+++ b/playbooks/activedirectory_reset_password.yml
@@ -1,7 +1,8 @@
name: ActiveDirectory Reset password
id: fc0edc96-ff2b-48b0-9f6f-63da6783fd63
-version: 1
-date: '2020-12-08'
+version: 2
+creation_date: '2021-12-08'
+modification_date: '2026-05-19'
author: Philip Royer, Splunk
type: Response
description: This playbook resets the password of a potentially compromised user account. First, an analyst is prompted to evaluate the situation and choose whether to reset the account. If they approve, a strong password is generated and the password is reset.
@@ -9,12 +10,11 @@ playbook: activedirectory_reset_password
how_to_implement: This playbook works on artifacts with artifact:*.cef.compromisedUserName which can be created as shown in the playbook "recorded_future_handle_leaked_credentials" - The prompt is hard-coded to use "admin" as the user, so change it to the correct user or role
references: []
app_list:
-- AD LDAP
-tags:
- platform_tags: []
- playbook_type: Automation
- vpe_type: Classic
- playbook_fields:
- - compromisedUserName
- product:
- - Splunk SOAR
\ No newline at end of file
+ - AD LDAP
+platform_tags: []
+playbook_type: Automation
+vpe_type: Classic
+playbook_fields:
+ - compromisedUserName
+product:
+ - Splunk SOAR
diff --git a/playbooks/aws_disable_user_accounts.yml b/playbooks/aws_disable_user_accounts.yml
index 2fdfeff1e8..f19d2ec71a 100644
--- a/playbooks/aws_disable_user_accounts.yml
+++ b/playbooks/aws_disable_user_accounts.yml
@@ -1,22 +1,22 @@
name: AWS Disable User Accounts
id: fc0edc75-ff2b-48c0-5f6f-63da6423fd63
-version: 1
-date: '2021-11-01'
+version: 2
+creation_date: '2022-02-02'
+modification_date: '2026-05-19'
author: Philip Royer, Splunk
type: Response
description: "Disable a list of AWS IAM user accounts. After checking the list of accounts against an allowlist and confirming with an analyst, each account is disabled. The change can be reversed with the `enable user` action."
playbook: aws_disable_user_accounts
how_to_implement: "This playbook works with the community playbook aws_find_inactive_users using the usernames discovered by that playbook. Change the prompt block from admin to the correct analyst user or role. You should create a custom list called aws_inactive_user_allowlist. Any user names in that list will be ignored by this playbook."
-references:
-- https://www.splunk.com/en_us/blog/security/splunk-soar-playbooks-finding-and-disabling-inactive-users-on-aws.html
+references:
+ - https://www.splunk.com/en_us/blog/security/splunk-soar-playbooks-finding-and-disabling-inactive-users-on-aws.html
app_list:
-- AWS IAM
-tags:
- platform_tags:
- - Cloud
- playbook_type: Input
- vpe_type: Modern
- playbook_fields:
- - aws_username
- product:
- - Splunk SOAR
\ No newline at end of file
+ - AWS IAM
+platform_tags:
+ - Cloud
+playbook_type: Input
+vpe_type: Modern
+playbook_fields:
+ - aws_username
+product:
+ - Splunk SOAR
diff --git a/playbooks/aws_find_inactive_users.yml b/playbooks/aws_find_inactive_users.yml
index 13f484a9b2..3d06173d73 100644
--- a/playbooks/aws_find_inactive_users.yml
+++ b/playbooks/aws_find_inactive_users.yml
@@ -1,22 +1,22 @@
name: AWS Find Inactive Users
id: fc0edc76-ff2b-48b0-5f6f-63da6423fd63
-version: 1
-date: '2021-11-01'
+version: 2
+creation_date: '2022-02-01'
+modification_date: '2026-05-19'
author: Philip Royer, Splunk
type: Investigation
description: "Find AWS accounts that have not been used for a long time (90 days by default). For each unused account, gather additional group and policy information and create an artifact to enable further automation or manual action."
playbook: aws_find_inactive_users
how_to_implement: "This playbook is meant to run on a Timer, such as once per week. To adjust the lookback period away from the default, change the number of days to a different negative number in the 'calculate_start_time' block. Note that this playbook will ignore accounts where the password has never been used. These could be unused human accounts or they could be API accounts where the access keys are actively used."
-references:
-- https://www.splunk.com/en_us/blog/security/splunk-soar-playbooks-finding-and-disabling-inactive-users-on-aws.html
+references:
+ - https://www.splunk.com/en_us/blog/security/splunk-soar-playbooks-finding-and-disabling-inactive-users-on-aws.html
app_list:
-- AWS IAM
-- Phantom
-tags:
- platform_tags:
- - Cloud
- playbook_type: Automation
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
\ No newline at end of file
+ - AWS IAM
+ - Phantom
+platform_tags:
+ - Cloud
+playbook_type: Automation
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
diff --git a/playbooks/block_indicators.yml b/playbooks/block_indicators.yml
index f73b4f363f..77e257b1e7 100644
--- a/playbooks/block_indicators.yml
+++ b/playbooks/block_indicators.yml
@@ -1,7 +1,8 @@
name: Block Indicators
id: fc0edc76-ff2b-48b0-5f6f-63da6783fd63
-version: 1
-date: '2021-01-21'
+version: 2
+creation_date: '2022-01-05'
+modification_date: '2026-05-19'
author: Philip Royer, Splunk
type: Response
description: This playbook retrieves IP addresses, domains, and file hashes, blocks them on various services, and adds them to specific blocklists as custom lists.
@@ -9,16 +10,15 @@ playbook: block_indicators
how_to_implement: "This playbook uses the following custom lists: ip_address_blocklist, domain_blocklist, filehash_blocklist. This playbook provides an easy, automated, and straightforward solution to maintaining up-to-date IP address, file, and domain blocklists. The playbook looks for any of the required CEF fields within the container. The CEF value is then cross-referenced with their respective Custom Lists. IP addresses are blocked on a Firewall, while domains are blocked using a blocklist service. The blocking of these two will prevent access to the IOCs. Finally, file hashes are blocked using an endpoint protection service, which will prevent the process from running on affected endpoints within a network. After the IOCs are blocked using various apps, they are added to their respective custom lists as to maintain a running blocklist record."
references: []
app_list:
-- "Palo Alto Networks Firewall"
-- "Carbon Black Response"
-- "Cisco Umbrella"
-tags:
- platform_tags: []
- playbook_type: Automation
- vpe_type: Classic
- playbook_fields:
- - destinationDnsDomain
- - destinationAddress
- - fileHash
- product:
- - Splunk SOAR
\ No newline at end of file
+ - "Palo Alto Networks Firewall"
+ - "Carbon Black Response"
+ - "Cisco Umbrella"
+platform_tags: []
+playbook_type: Automation
+vpe_type: Classic
+playbook_fields:
+ - destinationDnsDomain
+ - destinationAddress
+ - fileHash
+product:
+ - Splunk SOAR
diff --git a/playbooks/crowdstrike_malware_triage.yml b/playbooks/crowdstrike_malware_triage.yml index a95db53441..83892c5e86 100644 --- a/playbooks/crowdstrike_malware_triage.yml +++ b/playbooks/crowdstrike_malware_triage.yml @@ -1,7 +1,8 @@ name: Crowdstrike Malware Triage id: fc0edc96-fa2b-48b0-9a6f-63da6783fd63 -version: 1 -date: '2021-02-25' +version: 2 +creation_date: '2021-12-08' +modification_date: '2026-05-19' author: Philip Royer, Splunk type: Response description: This playbook is used to enrich and respond to a CrowdStrike Falcon detection involving a potentially malicious executable on an endpoint. Check for previous sightings of the same executable, hunt across other endpoints for the file, gather details about all processes associated with the file, and collect all the gathered information into a prompt for an analyst to review. Based on the analyst's choice, the file can be added to the custom indicators list in CrowdStrike with a detection policy of "detect" or "none", and the endpoint can be optionally quarantined from the network. @@ -9,13 +10,12 @@ playbook: crowdstrike_malware_triage how_to_implement: This playbook uses the Crowdstrike OAuth app. Change the target user of the prompt from admin to the appropriate user or role. references: [] app_list: -- CrowdStrike OAuth API -tags: - platform_tags: [] - playbook_type: Automation - vpe_type: Classic - playbook_fields: - - filePath - - destinationAddress - product: - - Splunk SOAR + - CrowdStrike OAuth API +platform_tags: [] +playbook_type: Automation +vpe_type: Classic +playbook_fields: + - filePath + - destinationAddress +product: + - Splunk SOAR diff --git a/playbooks/delete_detected_files.yml b/playbooks/delete_detected_files.yml index 2b3a782086..d1c42cdb59 100644 --- a/playbooks/delete_detected_files.yml +++ b/playbooks/delete_detected_files.yml 
@@ -1,7 +1,8 @@ name: Delete Detected Files id: fc0edc96-ff2b-48b0-9a6f-63da6783fd63 -version: 1 -date: '2021-03-29' +version: 2 +creation_date: '2021-12-08' +modification_date: '2026-05-19' author: Philip Royer, Splunk type: Response description: This playbook acts upon events where a file has been determined to be malicious (ie webshells being dropped on an end host). Before deleting the file, we run a "more" command on the file in question to extract its contents. We then run a delete on the file in question. @@ -9,17 +10,16 @@ playbook: delete_detected_files how_to_implement: This playbook reads and then deletes files stored with artifact:*.cef.filePath from hosts stored in artifact:*.cef.destinationAddress. Windows Remote Management must be enabled on the remote computer. references: [] app_list: -- "Windows Remote Management" -tags: - analytic_story: - - Active Directory Lateral Movement - detections: - - Executable File Written in Administrative SMB Share - platform_tags: [] - playbook_type: Automation - vpe_type: Classic - playbook_fields: - - filePath - - destinationAddress - product: - - Splunk SOAR + - "Windows Remote Management" +platform_tags: [] +playbook_type: Automation +vpe_type: Classic +playbook_fields: + - filePath + - destinationAddress +product: + - Splunk SOAR +analytic_story: + - Active Directory Lateral Movement +detections: + - Executable File Written in Administrative SMB Share diff --git a/playbooks/email_notification_for_malware.yml b/playbooks/email_notification_for_malware.yml index 154d804900..c18c6acdce 100644 --- a/playbooks/email_notification_for_malware.yml +++ b/playbooks/email_notification_for_malware.yml 
@@ -1,7 +1,8 @@ name: Email Notification for Malware id: fb3edc76-ff2b-48b0-5f6f-63da6483fd63 -version: 1 -date: '2021-01-19' +version: 2 +creation_date: '2022-01-05' +modification_date: '2026-05-19' author: Philip Royer, Splunk type: Response description: This playbook tries to determine if a file is malware and whether or not the file is present on any managed machines. VirusTotal "file reputation" and PAN WildFire "detonate file" are used to determine if a file is malware, and CarbonBlack Response "hunt file" is used to search managed machines for the file. The results of these investigations are summarized in an email to the incident response team. @@ -9,16 +10,15 @@ playbook: email_notification_for_malware how_to_implement: "Be sure to update asset naming to reflect the asset names configured in your environment." references: [] app_list: -- "VirusTotal" -- "WildFire" -- "Carbon Black Response" -- "SMTP" -tags: - platform_tags: [] - playbook_type: Automation - vpe_type: Classic - playbook_fields: - - fileHash - - vaultId - product: - - Splunk SOAR \ No newline at end of file + - "VirusTotal" + - "WildFire" + - "Carbon Black Response" + - "SMTP" +platform_tags: [] +playbook_type: Automation +vpe_type: Classic +playbook_fields: + - fileHash + - vaultId +product: + - Splunk SOAR diff --git a/playbooks/hunting.yml b/playbooks/hunting.yml index 8c91a9e0e7..91a76a5bf3 100644 --- a/playbooks/hunting.yml +++ b/playbooks/hunting.yml @@ -1,7 +1,8 @@ name: Hunting id: fb3edc76-ff2b-48b0-5f6f-63da6351ad63 -version: 1 -date: '2021-01-21' +version: 2 +creation_date: '2022-07-29' +modification_date: '2026-05-19' author: Philip Royer, Splunk type: Investigation description: The hunting Playbook queries a number of internal security technologies in order to determine if any of the artifacts present in your data source have been observed in your environment. 
@@ -9,17 +10,16 @@ playbook: hunting how_to_implement: "Be sure to update asset naming to reflect the asset names configured in your environment." references: [] app_list: -- "Splunk" -- "Reversing Labs" -- "Carbon Black Response" -- "Threat Grid" -- "Falcon Host API" -tags: - platform_tags: [] - playbook_type: Automation - vpe_type: Classic - playbook_fields: - - fileHash - - vault_id - product: - - Splunk SOAR \ No newline at end of file + - "Splunk" + - "Reversing Labs" + - "Carbon Black Response" + - "Threat Grid" + - "Falcon Host API" +platform_tags: [] +playbook_type: Automation +vpe_type: Classic +playbook_fields: + - fileHash + - vault_id +product: + - Splunk SOAR diff --git a/playbooks/internal_host_splunk_investigate_log4j.yml b/playbooks/internal_host_splunk_investigate_log4j.yml index 1c2f78aa91..b06a95b746 100644 --- a/playbooks/internal_host_splunk_investigate_log4j.yml +++ b/playbooks/internal_host_splunk_investigate_log4j.yml 
@@ -1,24 +1,24 @@ name: Internal Host Splunk Investigate log4j id: fc0adc66-ff2b-48b0-9a6f-63da6783fd63 -version: 1 -date: '2021-12-14' +version: 2 +creation_date: '2020-01-19' +modification_date: '2026-05-19' author: Lou Stella, Splunk type: Investigation description: Published in response to CVE-2021-44228, this playbook utilizes data already in your Splunk environment to help investigate and remediate impacts caused by this vulnerability in your environment. playbook: internal_host_splunk_investigate_log4j how_to_implement: This playbook presumes you have Enterprise Security and have configured Assets & Identities, as well as the Endpoint.Processes datamodel -references: -- https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html +references: + - https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html app_list: -- "Splunk" -tags: - analytic_story: - - Log4Shell CVE-2021-44228 - platform_tags: [] - playbook_type: Input - vpe_type: Modern - playbook_fields: - - hostName - - destinationAddress - product: - - Splunk SOAR + - "Splunk" +platform_tags: [] +playbook_type: Input +vpe_type: Modern +playbook_fields: + - hostName + - destinationAddress +product: + - Splunk SOAR +analytic_story: + - Log4Shell CVE-2021-44228 diff --git a/playbooks/internal_host_ssh_investigate.yml b/playbooks/internal_host_ssh_investigate.yml index 97f8129549..006f968c40 100644 --- a/playbooks/internal_host_ssh_investigate.yml +++ b/playbooks/internal_host_ssh_investigate.yml 
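Review bot: The new `creation_date: '2020-01-19'` predates the vulnerability this playbook's description says it was published in response to (CVE-2021-44228, December 2021), whereas the removed `date: '2021-12-14'` was consistent with it, so the value looks like a migration or typo error rather than a sourced date. The same 2020-01-19 value is written into playbooks/internal_host_ssh_investigate.yml, playbooks/internal_host_ssh_log4j_investigate.yml, playbooks/internal_host_winrm_investigate.yml, playbooks/internal_host_winrm_log4j_investigate.yml and playbooks/log4j_investigate.yml, while the companion respond playbooks keep 2021-12-14 or 2021-12-15. More broadly, most hunks in this commit change the date value while renaming the key (2020-12-08 to 2021-12-08 for activedirectory_reset_password, 2018-02-04 to 2021-09-16 for ransomware_investigate_and_contain), and nothing in the diff says where the new values come from. If they are taken from a source of record, name it; otherwise carry the previous value over, e.g. `creation_date: '2021-12-14'`.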
@@ -1,7 +1,8 @@ name: Internal Host SSH Investigate id: fdb65816-6688-41d8-8698-755b7b4ec44e -version: 1 -date: '2021-12-14' +version: 2 +creation_date: '2020-01-19' +modification_date: '2026-05-19' author: Philip Royer, Splunk type: Investigation description: Investigate an internal unix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity, and network activity. This includes the process list, login history, cron jobs, and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review. @@ -9,11 +10,10 @@ playbook: internal_host_ssh_investigate how_to_implement: The ssh asset requires sudo access to view the processes with open sockets. references: ["https://github.com/Neo23x0/Fenrir/blob/master/fenrir.sh"] app_list: -- "SSH" -tags: - platform_tags: [] - playbook_type: Input - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR + - "SSH" +platform_tags: [] +playbook_type: Input +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR diff --git a/playbooks/internal_host_ssh_log4j_investigate.yml b/playbooks/internal_host_ssh_log4j_investigate.yml index b8f18b921f..87c7fe4fc0 100644 --- a/playbooks/internal_host_ssh_log4j_investigate.yml +++ b/playbooks/internal_host_ssh_log4j_investigate.yml @@ -1,7 +1,8 @@ name: Internal Host SSH Log4j Investigate id: 49b2b88c-8e22-48a6-8808-ace1efcb194b -version: 1 -date: '2021-12-14' +version: 2 +creation_date: '2020-01-19' +modification_date: '2026-05-19' author: Philip Royer, Splunk type: Investigation description: Investigate an internal unix host using SSH. This pushes a bash script to the endpoint and runs it, collecting information specific to the December 2021 log4j vulnerability disclosure. This includes the java version installed on the host, any running java processes, and the results of a scan for the affected JndiLookup.class file or log4j .jar files. 
@@ -9,11 +10,10 @@ playbook: internal_host_ssh_log4j_investigate
how_to_implement: The ssh asset requires sudo access to scan the whole file system.
references: ["https://github.com/Neo23x0/Fenrir/blob/master/fenrir.sh"]
app_list:
-- "SSH"
-tags:
- platform_tags: []
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
+ - "SSH"
+platform_tags: []
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
diff --git a/playbooks/internal_host_ssh_log4j_respond.yml b/playbooks/internal_host_ssh_log4j_respond.yml
index da5d9364ed..01a84b5e8d 100644
--- a/playbooks/internal_host_ssh_log4j_respond.yml
+++ b/playbooks/internal_host_ssh_log4j_respond.yml
@@ -1,7 +1,8 @@
name: Internal Host SSH Log4j Respond
id: 6ea2007c-8ef8-4647-a4a4-7825cfee3866
-version: 1
-date: '2021-12-14'
+version: 2
+creation_date: '2021-12-14'
+modification_date: '2026-05-19'
author: Kelby Shelton, Splunk
type: Response
description: Published in response to CVE-2021-44228, this playbook accepts a list of hosts and filenames to remediate on the endpoint. If filenames are provided, the endpoints will be searched and then the user can approve deletion. Then the user is prompted to quarantine the endpoint.
@@ -9,11 +10,10 @@ playbook: internal_host_ssh_log4j_respond
how_to_implement: The ssh asset may require ssh access to delete some files depending on their permissions.
references: ["https://github.com/Neo23x0/Fenrir/blob/master/fenrir.sh"]
app_list:
-- "SSH"
-tags:
- platform_tags: []
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
+ - "SSH"
+platform_tags: []
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
diff --git a/playbooks/internal_host_winrm_investigate.yml b/playbooks/internal_host_winrm_investigate.yml
index 911640e028..78dfb897d3 100644
--- a/playbooks/internal_host_winrm_investigate.yml
+++ b/playbooks/internal_host_winrm_investigate.yml
@@ -1,7 +1,8 @@
name: Internal Host WinRM Investigate
id: 32fd9db5-5201-4a2f-b2c2-9299c7b3495d
-version: 1
-date: '2021-12-14'
+version: 2
+creation_date: '2020-01-19'
+modification_date: '2026-05-19'
author: Kelby Shelton, Splunk
type: Investigation
description: Performs a general investigation on key aspects of a windows device using windows remote management. Important files related to the endpoint are generated, bundled into a zip, and copied to the container vault.
@@ -9,11 +10,10 @@ playbook: internal_host_winrm_investigate
how_to_implement: The winrm asset requires Administrator access to gather certain files.
references: []
app_list:
-- "Windows Remote Management"
-tags:
- platform_tags: []
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
+ - "Windows Remote Management"
+platform_tags: []
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
diff --git a/playbooks/internal_host_winrm_log4j_investigate.yml b/playbooks/internal_host_winrm_log4j_investigate.yml
index ae68917be0..a5210df742 100644
--- a/playbooks/internal_host_winrm_log4j_investigate.yml
+++ b/playbooks/internal_host_winrm_log4j_investigate.yml
@@ -1,7 +1,8 @@
name: Internal Host WinRM Log4j Investigate
id: 2cf7c9f4-b273-44f6-a27c-e0db668ff05a
-version: 1
-date: '2021-12-14'
+version: 2
+creation_date: '2020-01-19'
+modification_date: '2026-05-19'
author: Kelby Shelton, Splunk
type: Investigation
description: Published in response to CVE-2021-44228, this playbook uses WinRM to scan Windows endpoints for the presence of "jndilookup.class" in all .jar files. The presence of that string could indicate a log4j vulnerability.
@@ -9,11 +10,10 @@ playbook: internal_host_winrm_log4j_investigate
how_to_implement: The winrm asset requires Administrator access to scan the whole file system.
references: ["https://twitter.com/CyberRaiju/status/1469505677580124160"]
app_list:
-- "Windows Remote Management"
-tags:
- platform_tags: []
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
+ - "Windows Remote Management"
+platform_tags: []
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
diff --git a/playbooks/internal_host_winrm_log4j_respond.yml b/playbooks/internal_host_winrm_log4j_respond.yml
index 62c2b67aa0..23d43c2749 100644
--- a/playbooks/internal_host_winrm_log4j_respond.yml
+++ b/playbooks/internal_host_winrm_log4j_respond.yml
@@ -1,7 +1,8 @@
name: Internal Host WinRM log4j Respond
id: 32fd9db5-5201-4b2f-b2c2-9299c7b3495d
-version: 1
-date: '2021-12-14'
+version: 2
+creation_date: '2021-12-14'
+modification_date: '2026-05-19'
author: Kelby Shelton, Splunk
type: Response
description: Published in response to CVE-2021-44228, this playbook accepts a list of hosts and filenames to remediate on the endpoint. If filenames are provided, the endpoints will be searched and then the user can approve deletion. Then the user is prompted to quarantine the endpoint.
@@ -9,11 +10,10 @@ playbook: internal_host_winrm_log4j_respond
how_to_implement: The winrm asset requires Administrator access to gather certain files.
references: []
app_list:
-- "Windows Remote Management"
-tags:
- platform_tags: []
- playbook_type: Input
- vpe_type: Modern
- playbook_fields: []
- product:
- - Splunk SOAR
+ - "Windows Remote Management"
+platform_tags: []
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+ - Splunk SOAR
diff --git a/playbooks/log4j_investigate.yml b/playbooks/log4j_investigate.yml
index ef1fe43747..1c7a4450c4 100644
--- a/playbooks/log4j_investigate.yml
+++ b/playbooks/log4j_investigate.yml
@@ -1,35 +1,33 @@ name: Log4j Investigate id: e609d729-0076-421a-b8f7-9e545d000381 -version: 2 -date: '2021-12-14' +version: 3 +creation_date: '2020-01-19' +modification_date: '2026-05-19' author: Philip Royer, Splunk type: Investigation description: Published in response to CVE-2021-44228, this playbook and its sub-playbooks can be used to investigate and respond to attacks against hosts running vulnerable Java applications which use log4j. Between the parent playbook and seven sub-playbooks, each potentially compromised host found in Splunk Enteprise can be investigated and the risk can be mitigated using SSH for unix systems and WinRM for Windows systems. playbook: log4j_investigate how_to_implement: To start this playbook, create a custom list called "log4j_hosts" with a format in which the first column should be an IP or hostname of a potentially affected log4j host, the second should be the operating system family (either unix or windows). If the operating system is unknown it can be left blank. In the block called "fetch_hosts_from_custom_list", change the custom list name from "log4j_hosts" if needed. If the operating system family ("windows" or "unix") is not known, both ssh and winrm will be attempted. If ssh and/or winrm are not the preferred endpoint management methods, these playbooks could be ported to use Google's GRR, osquery, CrowdStrike's RTR, Carbon Black's EDR API, or similar tools. The artifact scope "all" is used throughout this playbook because the artifact list can be added to as the playbook progresses. 
references: -- "https://github.com/Neo23x0/Fenrir/blob/master/fenrir.sh" -- "https://isc.sans.edu/diary/Log4j++Log4Shell+Followup%3A+What+we+see+and+how+to+defend+%28and+how+to+access+our+data%29/28122" -- "https://twitter.com/ElektroWolle/status/1469962895849140224?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1469962895849140224%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fpublish.twitter.com%2F%3Fquery%3Dhttps3A2F2Ftwitter.com2FElektroWolle2Fstatus2F1469962895849140224widget%3DTweet" -- "https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/" + - "https://github.com/Neo23x0/Fenrir/blob/master/fenrir.sh" + - "https://isc.sans.edu/diary/Log4j++Log4Shell+Followup%3A+What+we+see+and+how+to+defend+%28and+how+to+access+our+data%29/28122" + - "https://twitter.com/ElektroWolle/status/1469962895849140224?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1469962895849140224%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fpublish.twitter.com%2F%3Fquery%3Dhttps3A2F2Ftwitter.com2FElektroWolle2Fstatus2F1469962895849140224widget%3DTweet" + - "https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/" app_list: [] -tags: - platform_tags: - - Log4J - analytic_story: - - Log4Shell CVE-2021-44228 - detections: - - Curl Download and Bash Execution - - Wget Download and Bash Execution - - Linux Java Spawning Shell - - Windows Java Spawning Shells - - Java Class File download by Java User Agent - - Outbound Network Connection from Java Using Default Ports - - Log4Shell JNDI Payload Injection Attempt - - Log4Shell JNDI Payload Injection with Outbound Connection - - Detect Outbound LDAP Traffic - playbook_fields: [] - playbook_type: Automation - vpe_type: Modern - product: - - Splunk SOAR +platform_tags: + - Log4J +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +analytic_story: + - Log4Shell CVE-2021-44228 +detections: + - File Download or Read to Pipe Execution + - Web or Application Server 
Spawning a Shell + - Java Class File download by Java User Agent + - Outbound Network Connection from Java Using Default Ports + - Log4Shell JNDI Payload Injection Attempt + - Log4Shell JNDI Payload Injection with Outbound Connection + - Detect Outbound LDAP Traffic diff --git a/playbooks/log4j_respond.yml b/playbooks/log4j_respond.yml index abf4e879f3..53280cef11 100644 --- a/playbooks/log4j_respond.yml +++ b/playbooks/log4j_respond.yml 
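Review bot: The `detections` list is not merely moved out of `tags` in this hunk; four references (Curl Download and Bash Execution, Wget Download and Bash Execution, Linux Java Spawning Shell, Windows Java Spawning Shells) are dropped and two (File Download or Read to Pipe Execution, Web or Application Server Spawning a Shell) are added, and the same substitution is made in playbooks/log4j_respond.yml. That changes which analytics the Log4Shell playbooks are mapped to, and it is easy to overlook inside a commit that otherwise only reshapes metadata. It is worth confirming that the two new names exist in the detection corpus and that the four removed ones were retired or renamed rather than silently losing the curl/wget and Java-spawns-shell coverage. If the substitution is intentional, a short mention in the commit description would keep the mapping change auditable.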
@@ -1,35 +1,33 @@ name: Log4j Respond id: e609d729-4076-421a-b8f7-9e545d000381 -version: 1 -date: '2021-12-14' +version: 2 +creation_date: '2021-12-15' +modification_date: '2026-05-19' author: Philip Royer, Splunk type: Response -description: Published in response to CVE-2021-44228, this playbook is meant to be launched after log4j_investigate. In this playbook, the risk from exploited hosts can be mitigated by optionally deleting malicious files from the hosts, blocking outbound network connections from the hosts, and/or shutting down the hosts +description: Published in response to CVE-2021-44228, this playbook is meant to be launched after log4j_investigate. In this playbook, the risk from exploited hosts can be mitigated by optionally deleting malicious files from the hosts, blocking outbound network connections from the hosts, and/or shutting down the hosts playbook: log4j_respond how_to_implement: To use this playbook, create a custom list called "log4j_hosts_and_files" with a format in which the first column should be an IP or hostname of a potentially affected log4j host, the second should be the operating system family (either unix or windows), and the third should be a full path to a file to delete if there are any. The first two are mandatory and the file is optional. In the block called "enumerate_files_to_delete", change the custom list name from "log4j_hosts_and_files" if needed. If ssh and/or winrm are not the preferred endpoint management methods, these playbooks could be ported to use Google's GRR, osquery, CrowdStrike's RTR, Carbon Black's EDR API, or similar tools. The artifact scope "all" is used throughout this playbook because the artifact list can be added to as the playbook progresses. 
references: -- "https://github.com/Neo23x0/Fenrir/blob/master/fenrir.sh" -- "https://isc.sans.edu/diary/Log4j++Log4Shell+Followup%3A+What+we+see+and+how+to+defend+%28and+how+to+access+our+data%29/28122" -- "https://twitter.com/ElektroWolle/status/1469962895849140224?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1469962895849140224%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fpublish.twitter.com%2F%3Fquery%3Dhttps3A2F2Ftwitter.com2FElektroWolle2Fstatus2F1469962895849140224widget%3DTweet" -- "https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/" + - "https://github.com/Neo23x0/Fenrir/blob/master/fenrir.sh" + - "https://isc.sans.edu/diary/Log4j++Log4Shell+Followup%3A+What+we+see+and+how+to+defend+%28and+how+to+access+our+data%29/28122" + - "https://twitter.com/ElektroWolle/status/1469962895849140224?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1469962895849140224%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fpublish.twitter.com%2F%3Fquery%3Dhttps3A2F2Ftwitter.com2FElektroWolle2Fstatus2F1469962895849140224widget%3DTweet" + - "https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/" app_list: [] -tags: - platform_tags: - - Log4J - analytic_story: - - Log4Shell CVE-2021-44228 - detections: - - Curl Download and Bash Execution - - Wget Download and Bash Execution - - Linux Java Spawning Shell - - Windows Java Spawning Shells - - Java Class File download by Java User Agent - - Outbound Network Connection from Java Using Default Ports - - Log4Shell JNDI Payload Injection Attempt - - Log4Shell JNDI Payload Injection with Outbound Connection - - Detect Outbound LDAP Traffic - playbook_fields: [] - playbook_type: Automation - vpe_type: Modern - product: - - Splunk SOAR +platform_tags: + - Log4J +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR +analytic_story: + - Log4Shell CVE-2021-44228 +detections: + - File Download or Read to Pipe Execution + - Web or Application Server 
Spawning a Shell + - Java Class File download by Java User Agent + - Outbound Network Connection from Java Using Default Ports + - Log4Shell JNDI Payload Injection Attempt + - Log4Shell JNDI Payload Injection with Outbound Connection + - Detect Outbound LDAP Traffic diff --git a/playbooks/malware_hunt_and_contain.yml b/playbooks/malware_hunt_and_contain.yml index e3254ce67a..e2d42367cb 100644 --- a/playbooks/malware_hunt_and_contain.yml +++ b/playbooks/malware_hunt_and_contain.yml @@ -1,7 +1,8 @@ name: Malware Hunt and Contain id: fb3edc76-ff2b-43c0-5f6f-63da4483fd63 -version: 1 -date: '2021-01-21' +version: 2 +creation_date: '2022-01-05' +modification_date: '2026-05-19' author: Philip Royer, Splunk type: Response description: This playbook investigates and remediates malware infections on the endpoint. @@ -9,15 +10,14 @@ playbook: malware_hunt_and_contain how_to_implement: "Be sure to update asset naming to reflect the asset names configured in your environment." references: [] app_list: -- "LDAP" -- "ServiceNow" -- "Carbon Black Response" -- "VirusTotal" -tags: - platform_tags: [] - playbook_type: Automation - vpe_type: Classic - playbook_fields: - - fileHash - product: - - Splunk SOAR \ No newline at end of file + - "LDAP" + - "ServiceNow" + - "Carbon Black Response" + - "VirusTotal" +platform_tags: [] +playbook_type: Automation +vpe_type: Classic +playbook_fields: + - fileHash +product: + - Splunk SOAR diff --git a/playbooks/ransomware_investigate_and_contain.yml b/playbooks/ransomware_investigate_and_contain.yml index c25fbc1162..d366236d44 100644 --- a/playbooks/ransomware_investigate_and_contain.yml +++ b/playbooks/ransomware_investigate_and_contain.yml 
@@ -1,31 +1,30 @@ name: Ransomware Investigate and Contain id: fc0edc96-ff2b-48b0-9f6f-63da3783fd63 -version: 1 -date: '2018-02-04' +version: 2 +creation_date: '2021-09-16' +modification_date: '2026-05-19' author: Philip Royer, Splunk type: Response description: This playbook investigates and contains ransomware detected on endpoints. playbook: ransomware_investigate_and_contain -how_to_implement: This playbook requires the Splunk SOAR apps for Palo Alto - Networks Firewalls, Palo Alto Wildfire, LDAP, and Carbon Black Response. +how_to_implement: This playbook requires the Splunk SOAR apps for Palo Alto Networks Firewalls, Palo Alto Wildfire, LDAP, and Carbon Black Response. references: [] app_list: -- "Carbon Black Response" -- "LDAP" -- "Palo Alto Networks Firewall" -- "WildFire" -- "Cylance" -tags: - analytic_story: - - Ransomware - detections: - - Conti Common Exec parameter - platform_tags: - - Ransomware - playbook_type: Automation - vpe_type: Classic - playbook_fields: - - ComputerName - - Username - product: - - Splunk SOAR \ No newline at end of file + - "Carbon Black Response" + - "LDAP" + - "Palo Alto Networks Firewall" + - "WildFire" + - "Cylance" +platform_tags: + - Ransomware +playbook_type: Automation +vpe_type: Classic +playbook_fields: + - ComputerName + - Username +product: + - Splunk SOAR +analytic_story: + - Ransomware +detections: + - Conti Common Exec parameter diff --git a/playbooks/risk_notable_block_indicators.yml b/playbooks/risk_notable_block_indicators.yml index 90cd98c33e..803dc6ec73 100644 --- a/playbooks/risk_notable_block_indicators.yml +++ b/playbooks/risk_notable_block_indicators.yml 
@@ -1,25 +1,25 @@ name: Risk Notable Block Indicators id: 000edc96-ff2b-48b0-9f6f-83da3783fd63 -version: 1 -date: '2021-10-22' +version: 2 +creation_date: '2021-11-10' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Response description: This playbook handles locating indicators marked for blocking and determining if any blocking playbooks exist. If there is a match to the appropriate tags in the playbook, a filter block routes the name of the playbook to launch to a code block. playbook: risk_notable_block_indicators how_to_implement: For detailed implementation see https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar references: - - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/build-playbooks-compatible-with-the-dispatch_input_playbooks-utility - - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/use-the-tagging-system-with-the-playbook-pack-for-splunk-soar + - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/build-playbooks-compatible-with-the-dispatch_input_playbooks-utility + - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/use-the-tagging-system-with-the-playbook-pack-for-splunk-soar app_list: [] -tags: - labels: +labels: - risk_notable - playbook_outputs: 
+playbook_outputs: - note_title - note_content - playbook_type: Automation - vpe_type: Modern - platform_tags: +platform_tags: - Risk Notable - product: +playbook_type: Automation +vpe_type: Modern +product: - Splunk SOAR diff --git a/playbooks/risk_notable_enrich.yml b/playbooks/risk_notable_enrich.yml index a0c631ef20..80a940ba3e 100644 --- a/playbooks/risk_notable_enrich.yml +++ b/playbooks/risk_notable_enrich.yml 
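Review bot: This playbook launches a blocking action chosen purely by tag match in the playbook repository ("a filter block routes the name of the playbook to launch"), which makes playbook-tagging rights equivalent to the right to execute a block, and nothing in `how_to_implement` warns about that. I would add a sentence such as `how_to_implement: ... Note that any playbook carrying the matching tags will be launched, so restrict who can add tags in the repository this playbook searches and review tagged playbooks before enabling it.`; the exact repository it searches is not visible here, so adjust the wording to what the playbook actually does. The referenced tagging-system documentation link could also be cited in that sentence so the reader knows where the tag contract is defined.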
@@ -1,24 +1,24 @@ name: Risk Notable Enrich id: 010edc96-ff2b-48b0-9f6f-43da3783fd63 -version: 1 -date: '2021-10-22' +version: 2 +creation_date: '2021-11-10' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Investigation description: This playbook collects the available Indicator data types within the event as well as available investigative playbooks. It will launch any playbooks that meet the filtered criteria. playbook: risk_notable_enrich how_to_implement: For detailed implementation see https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar references: - - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/build-playbooks-compatible-with-the-dispatch_input_playbooks-utility + - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/build-playbooks-compatible-with-the-dispatch_input_playbooks-utility app_list: [] -tags: - labels: +labels: - risk_notable - playbook_outputs: +playbook_outputs: - note_title - note_content - playbook_type: Automation - vpe_type: Modern - platform_tags: +platform_tags: - Risk Notable - product: +playbook_type: Automation +vpe_type: Modern +product: - Splunk SOAR diff --git a/playbooks/risk_notable_import_data.yml b/playbooks/risk_notable_import_data.yml index bcadf1311a..93bc3ec683 100644 --- a/playbooks/risk_notable_import_data.yml +++ b/playbooks/risk_notable_import_data.yml 
@@ -1,32 +1,32 @@ name: Risk Notable Import Data id: 020edc96-ff2b-48b0-9f6f-23da3783fd63 -version: 1 -date: '2021-10-22' +version: 2 +creation_date: '2021-11-10' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Investigation description: This playbook gathers all of the events associated with the risk notable and imports them as artifacts. It also generates a custom markdown formatted note. playbook: risk_notable_import_data how_to_implement: For detailed implementation see https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar references: - - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar - - http://docs.splunk.com/Documentation/ES/6.6.2/Admin/Configurecorrelationsearches#Use_security_framework_annotations_in_correlation_searches + - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar + - http://docs.splunk.com/Documentation/ES/6.6.2/Admin/Configurecorrelationsearches#Use_security_framework_annotations_in_correlation_searches app_list: - - Splunk -tags: - labels: + - Splunk +labels: - risk_notable - playbook_outputs: +playbook_outputs: - note_title - note_content - platform_tags: +platform_tags: - Risk Notable - playbook_type: Automation - vpe_type: Modern - playbook_fields: +playbook_type: Automation +vpe_type: Modern +playbook_fields: - event_id - info_min_time - info_max_time - risk_object - risk_object_type - product: +product: 
- Splunk SOAR diff --git a/playbooks/risk_notable_investigate.yml b/playbooks/risk_notable_investigate.yml index 22e5c5dc71..58f521a114 100644 --- a/playbooks/risk_notable_investigate.yml +++ b/playbooks/risk_notable_investigate.yml @@ -1,21 +1,21 @@ name: Risk Notable Investigate id: 030edc96-ff2b-48b0-9f6f-03da3783fd63 -version: 1 -date: '2021-10-22' +version: 2 +creation_date: '2021-11-10' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Investigation description: This playbook checks for the presence of the Risk Investigation workbook and updates tasks or leaves generic notes. playbook: risk_notable_investigate how_to_implement: For detailed implementation see https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar references: - - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar + - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar app_list: [] -tags: - labels: +labels: - risk_notable - playbook_type: Automation - vpe_type: Modern - platform_tags: +platform_tags: - Risk Notable - product: +playbook_type: Automation +vpe_type: Modern +product: - Splunk SOAR diff --git a/playbooks/risk_notable_merge_events.yml b/playbooks/risk_notable_merge_events.yml index 788c403198..fabf9dd488 100644 --- a/playbooks/risk_notable_merge_events.yml +++ b/playbooks/risk_notable_merge_events.yml 
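Review bot: The second reference still points at plain HTTP and a very old ES release, `http://docs.splunk.com/Documentation/ES/6.6.2/Admin/Configurecorrelationsearches#Use_security_framework_annotations_in_correlation_searches`, while every other reference in this commit was migrated to the `https://help.splunk.com/en/splunk-enterprise-security-8/...` tree. Reference links are followed by analysts configuring response automation, so at minimum switch the scheme to `https://`, and preferably locate the equivalent ES 8 page on help.splunk.com so the annotations guidance matches the product version the rest of the playbook pack now documents.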
@@ -1,24 +1,24 @@ name: Risk Notable Merge Events id: 040edc96-ff2b-48b0-9f6f-53da3783fd63 -version: 1 -date: '2021-10-22' +version: 2 +creation_date: '2021-11-10' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Investigation description: This playbook finds related events based on key fields in a risk notable and allows the user to process the results and decide which events to merge into the current investigation. playbook: risk_notable_merge_events how_to_implement: For detailed implementation see https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar references: - - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar + - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar app_list: [] -tags: - labels: +labels: - risk_notable - playbook_outputs: +playbook_outputs: - note_title - note_content - playbook_type: Automation - vpe_type: Modern - platform_tags: +platform_tags: - Risk Notable - product: +playbook_type: Automation +vpe_type: Modern +product: - Splunk SOAR diff --git a/playbooks/risk_notable_mitigate.yml b/playbooks/risk_notable_mitigate.yml index 6013f96e0a..be6f3cdc26 100644 --- a/playbooks/risk_notable_mitigate.yml +++ b/playbooks/risk_notable_mitigate.yml 
@@ -1,21 +1,21 @@ name: Risk Notable Mitigate id: 050edc96-ff2b-48b0-9f6f-63da3783fd63 -version: 1 -date: '2021-10-22' +version: 2 +creation_date: '2021-11-10' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Response description: This playbook checks for the presence of the Risk Response workbook and updates tasks or leaves generic notes. The risk_notable_verdict playbooks recommends this playbook as a second phase of the investigation. Additionally, this playbook can be used in ad-hoc investigations or incorporated into custom workbooks. playbook: risk_notable_mitigate how_to_implement: For detailed implementation see https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar references: - - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar + - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar app_list: [] -tags: - labels: +labels: - risk_notable - playbook_type: Automation - vpe_type: Modern - platform_tags: +platform_tags: - Risk Notable - product: +playbook_type: Automation +vpe_type: Modern +product: - Splunk SOAR diff --git a/playbooks/risk_notable_preprocess.yml b/playbooks/risk_notable_preprocess.yml index fa6a35883a..89d47725d8 100644 --- a/playbooks/risk_notable_preprocess.yml +++ b/playbooks/risk_notable_preprocess.yml 
@@ -1,30 +1,30 @@ name: Risk Notable Preprocess id: 060edc96-ff2b-48b0-9f6f-13da3783fd63 -version: 1 -date: '2021-10-22' +version: 2 +creation_date: '2021-11-10' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Investigation description: >- - "This playbook prepares a risk notable for investigation by performing the following tasks: - 1. Ensures that a risk notable links back to the original notable event with a card pinned to the HUD. - 2. Posts a link to this container in the comment field of Splunk ES. - 3. Updates the container name, description, and severity to reflect the data in the notable artifact." + "This playbook prepares a risk notable for investigation by performing the following tasks: + 1. Ensures that a risk notable links back to the original notable event with a card pinned to the HUD. + 2. Posts a link to this container in the comment field of Splunk ES. + 3. Updates the container name, description, and severity to reflect the data in the notable artifact." 
playbook: risk_notable_preprocess how_to_implement: For detailed implementation see https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar references: - - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar + - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar app_list: - - 'Splunk' -tags: - labels: + - 'Splunk' +labels: - risk_notable - platform_tags: +platform_tags: - Risk Notable - playbook_type: Automation - vpe_type: Modern - playbook_fields: +playbook_type: Automation +vpe_type: Modern +playbook_fields: - event_id - info_min_time - info_max_time - product: +product: - Splunk SOAR diff --git a/playbooks/risk_notable_protect_assets_and_users.yml b/playbooks/risk_notable_protect_assets_and_users.yml index 3749224db6..0aa8cfcb41 100644 --- a/playbooks/risk_notable_protect_assets_and_users.yml +++ b/playbooks/risk_notable_protect_assets_and_users.yml 
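Review bot: The `description: >-` folded scalar still wraps its text in literal double quotes, so the rendered description value begins with `"This playbook prepares...` and ends with `...notable artifact."` including both quote characters, and the folded style will also collapse the three numbered steps into a single line separated by spaces. Since the commit re-indented this block anyway, it is the right moment to drop the surrounding quotes and use a literal block (`description: |-`) so the numbered list survives as written; the YAML value is the same text minus the stray quotes, so nothing else needs to change.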
@@ -1,24 +1,24 @@ name: Risk Notable Protect Assets and Users id: 070edc96-ff2b-48b0-9f6f-93da3783fd63 -version: 1 -date: '2021-10-22' +version: 2 +creation_date: '2021-11-10' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Response description: This playbook attempts to find assets and users from the notable event and match those with assets and identities from Splunk ES. If a match was found and the user has playbooks available to contain entities, the analyst decides which entities to disable or quarantine. playbook: risk_notable_protect_assets_and_users how_to_implement: For detailed implementation see https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar references: - - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/build-playbooks-compatible-with-the-dispatch_input_playbooks-utility + - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/build-playbooks-compatible-with-the-dispatch_input_playbooks-utility app_list: [] -tags: - labels: +labels: - risk_notable - playbook_outputs: +playbook_outputs: - note_title - note_content - playbook_type: Automation - vpe_type: Modern - platform_tags: +platform_tags: - Risk Notable - product: +playbook_type: Automation +vpe_type: Modern +product: - Splunk SOAR diff --git a/playbooks/risk_notable_review_indicators.yml b/playbooks/risk_notable_review_indicators.yml index 367ae9fbbe..2661c34816 100644 --- a/playbooks/risk_notable_review_indicators.yml +++ b/playbooks/risk_notable_review_indicators.yml 
@@ -1,21 +1,21 @@ name: Risk Notable Review Indicators id: 080edc96-ff2b-48b0-9f6f-73da3783fd63 -version: 1 -date: '2021-10-22' +version: 2 +creation_date: '2021-11-10' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Response description: This playbook was designed to be called by a user to process indicators that are marked as suspicious within the SOAR platform. Analysts will review indicators in a prompt and mark them as blocked or safe. playbook: risk_notable_review_indicators how_to_implement: For detailed implementation see https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar references: - - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/use-the-tagging-system-with-the-playbook-pack-for-splunk-soar + - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/use-the-tagging-system-with-the-playbook-pack-for-splunk-soar app_list: [] -tags: - labels: +labels: - risk_notable - platform_tags: +platform_tags: - Risk Notable - playbook_type: Automation - vpe_type: Modern - product: +playbook_type: Automation +vpe_type: Modern +product: - Splunk SOAR diff --git a/playbooks/risk_notable_verdict.yml b/playbooks/risk_notable_verdict.yml index ae6a3a48dd..9ab53cc8a1 100644 --- a/playbooks/risk_notable_verdict.yml +++ b/playbooks/risk_notable_verdict.yml 
@@ -1,21 +1,21 @@ name: Risk Notable Verdict id: 090edc96-ff2b-48b0-9f6f-33da3783fd63 -version: 1 -date: '2021-10-22' +version: 2 +creation_date: '2021-11-10' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Response description: This playbook locates available playbooks with the response tag and presents them to the analyst. Based on the analyst selection, it will launch its chosen playbook. playbook: risk_notable_verdict how_to_implement: For detailed implementation see https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/get-started-with-the-risk-notable-playbook-pack-for-splunk-soar references: - - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/build-playbooks-compatible-with-the-dispatch_input_playbooks-utility + - https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/how-to-use-splunk-security-content/5.8/use-splunk-soar-playbooks-and-workbooks-from-the-risk-notable-playbook-pack/build-playbooks-compatible-with-the-dispatch_input_playbooks-utility app_list: [] -tags: - labels: +labels: - risk_notable - platform_tags: +platform_tags: - Risk Notable - playbook_type: Automation - vpe_type: Modern - product: +playbook_type: Automation +vpe_type: Modern +product: - Splunk SOAR diff --git a/playbooks/start_investigation.yml b/playbooks/start_investigation.yml index 1a77d56771..75e0d16b67 100644 --- a/playbooks/start_investigation.yml +++ b/playbooks/start_investigation.yml 
@@ -1,7 +1,8 @@ name: Start Investigation id: fc5adc76-f3ab-4cb0-5f6f-63bc3493fd46 -version: 1 -date: '2021-10-07' +version: 2 +creation_date: '2022-02-02' +modification_date: '2026-05-19' author: Kelby Shelton, Splunk type: Investigation description: Handle cases in Splunk SOAR with consistency that only automation can provide. This playbook ensures that cases are being assigned to analysts, and follow on work gets started. @@ -9,10 +10,9 @@ playbook: start_investigation how_to_implement: "This is a playbook that is designed to be recommended within a workbook. If used in this manner, the playbook will assign the user that launched the playbook as the owner of the event, move the event status to \"Open\", and complete the workbook task where this playbook appears. If there is a task after the one where the playbook appears (within the same phase), it will set the next task to \"In Progress.\"" references: [] app_list: [] -tags: - platform_tags: [] - playbook_fields: [] - playbook_type: Automation - vpe_type: Modern - product: - - Splunk SOAR \ No newline at end of file +platform_tags: [] +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR diff --git a/playbooks/threat_intel_investigate.yml b/playbooks/threat_intel_investigate.yml index 39549a4343..51aadc6958 100644 --- a/playbooks/threat_intel_investigate.yml +++ b/playbooks/threat_intel_investigate.yml 
@@ -1,20 +1,20 @@ name: Threat Intel Investigate id: fc5adc76-fd2b-48b0-5f6f-63bc3493fd46 -version: 1 -date: '2021-11-30' +version: 2 +creation_date: '2022-02-02' +modification_date: '2026-05-19' author: Philip Royer, Splunk type: Investigation description: "This parent playbook collects data and launches appropriate child playbooks to gather threat intelligence information about indicators. After the child playbooks have run, this playbook posts the notes to the container and prompts the analyst to add tags to each enriched indicator based on the intelligence provided." playbook: threat_intel_investigate how_to_implement: "The prompt is currently sent to the Administrator role, but should be changed to the appropriate user and role. The \"list_investigate_playbooks\" block fetches playbooks from the local repository with the tags \"investigate\" and \"threat_intel\" by default. The playbook \"trustar_enrich_indicators\" is meant to be used by this playbook, and others can be created to replace it or work alongside it. To add a new input playbook, copy it to the local repository and give it the necessary tags. Define a playbook input with the name \"indicators\" and the data type matching the types of indicators the playbook can process. To add a new tag to the preconfigured list, add it to the \"choices\" array in the \"threat_intel_indicator_review\" prompt block, and add it to the \"response_to_tag_map\" in \"process_indicators\"." -references: -- https://www.splunk.com/en_us/blog/security/TruSTAR-Enrich-Indicators-soar-in-seconds.html +references: + - https://www.splunk.com/en_us/blog/security/TruSTAR-Enrich-Indicators-soar-in-seconds.html app_list: [] -tags: - platform_tags: - - threat_intel - playbook_type: Automation - vpe_type: Modern - playbook_fields: [] - product: - - Splunk SOAR \ No newline at end of file +platform_tags: + - threat_intel +playbook_type: Automation +vpe_type: Modern +playbook_fields: [] +product: + - Splunk SOAR 
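Review bot: The unchanged `how_to_implement` text admits that the analyst prompt "is currently sent to the Administrator role" and merely says it "should be changed"; because the prompt response decides the tags placed on each indicator, and tagged indicators are what downstream response playbooks in this pack act on, shipping with the Administrator role as the approver is a least-privilege problem, not just a cosmetic default. I would make the requirement explicit, e.g. `how_to_implement: "Before enabling, change the \"threat_intel_indicator_review\" prompt's recipient from the Administrator role to a dedicated analyst role; the responders of this prompt effectively approve the tags that later response playbooks consume. ..."`. Whether a non-admin default can be shipped in the playbook itself is not visible here, so if it can, fixing the default is better than documenting the workaround.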
diff --git a/playbooks/trustar_enrich_indicators.yml b/playbooks/trustar_enrich_indicators.yml index 543c6d1bd1..668a3d9f48 100644 --- a/playbooks/trustar_enrich_indicators.yml +++ b/playbooks/trustar_enrich_indicators.yml @@ -1,23 +1,23 @@ name: TruSTAR Enrich Indicators id: fc5adc76-fd2b-48b0-5f6f-63da6423fd63 -version: 1 -date: '2021-11-24' +version: 2 +creation_date: '2022-02-02' +modification_date: '2026-05-19' author: Philip Royer, Splunk type: Investigation description: "Use TruSTAR to gather threat information about indicators in a SOAR event. Tag the indicators with the normalized priority score from TruSTAR and summarize the findings in an analyst note. This playbook is meant to be used as a child playbook executed by a parent playbook such as \"threat_intel_investigate\"." playbook: trustar_enrich_indicators how_to_implement: "To use this playbook as a sub-playbook of \"threat_intel_investigate\", copy it to the local git repository and make sure it has the tags \"investigate\" and \"threat_intel\". To use this playbook as a sub-playbook of \"risk_notable_enrich\", copy it to local and make sure it has the tags \"investigate\" and \"risk_notable\" To control the types of indicators processed by this playbook, change the data types of the \"indicators\" input\"" -references: -- https://www.splunk.com/en_us/blog/security/TruSTAR-Enrich-Indicators-soar-in-seconds.html +references: + - https://www.splunk.com/en_us/blog/security/TruSTAR-Enrich-Indicators-soar-in-seconds.html app_list: -- "TruSTAR" -tags: - platform_tags: - - threat_intel - - risk_notable - playbook_type: Input - vpe_type: Modern - playbook_fields: - - indicators - product: - - Splunk SOAR \ No newline at end of file + - "TruSTAR" +platform_tags: + - threat_intel + - risk_notable +playbook_type: Input +vpe_type: Modern +playbook_fields: + - indicators +product: + - Splunk SOAR 
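Review bot: The `how_to_implement` string ends with a stray escaped quote and runs two sentences together: `...the tags \"investigate\" and \"risk_notable\" To control the types of indicators processed by this playbook, change the data types of the \"indicators\" input\""`, so the rendered text ends in `input"`. The tail should read `...the tags \"investigate\" and \"risk_notable\". To control the types of indicators processed by this playbook, change the data types of the \"indicators\" input."`. This line is unchanged by the commit but sits in the hunk, and the new schema is the natural place to catch such string defects if it ever gains a pattern check.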
diff --git a/schemas/EventBasedDetection.schema.json b/schemas/EventBasedDetection.schema.json index 2efb42da18..a5ea1e4619 100644 --- a/schemas/EventBasedDetection.schema.json +++ b/schemas/EventBasedDetection.schema.json @@ -133,7 +133,9 @@ "Baseline Of Kubernetes Process Resource", "Baseline Of Kubernetes Process Resource Ratio", "Baseline Of Open S3 Bucket Decommissioning", + "Baseline of Network ACL Activity by ARN", "Baseline of S3 Bucket deletion activity by ARN", + "Baseline of Security Group Activity by ARN", "Baseline of blocked outbound traffic from AWS", "BishopFox Sliver Adversary Emulation Framework", "Black Basta Ransomware", @@ -216,6 +218,7 @@ "ConnectWise ScreenConnect Vulnerabilities", "Count of Unique IPs Connecting to Ports", "Count of assets by category", + "Create a list of approved AWS service accounts", "Credential Dumping", "Critical Alerts", "CrowdStrike Falcon Stream Alert", @@ -227,6 +230,7 @@ "DHS Report TA18-074A", "DNS Amplification Attacks", "DNS Hijacking", + "DNSTwist Domain Names", "DarkCrystal RAT", "DarkGate Malware", "DarkSide Ransomware", @@ -241,6 +245,7 @@ "Detect Zerologon Attack", "Dev Sec Ops", "Disabling Security Tools", + "Discover DNS records", "Disk Wiper", "Domain Trust Discovery", "Double Zero Destructor", @@ -439,6 +444,7 @@ "Previously Seen Zoom Child Processes - Initial", "Previously Seen Zoom Child Processes - Update", "Previously seen S3 bucket access by remote IP", + "Previously seen command line arguments", "PrintNightmare CVE-2021-34527", "Prohibited Traffic Allowed or Protocol Mismatch", "PromptFlux", 
@@ -2892,10 +2898,15 @@ "Baseline Of Kubernetes Process Resource", "Baseline Of Kubernetes Process Resource Ratio", "Baseline Of Open S3 Bucket Decommissioning", + "Baseline of Network ACL Activity by ARN", "Baseline of S3 Bucket deletion activity by ARN", + "Baseline of Security Group Activity by ARN", "Baseline of blocked outbound traffic from AWS", "Count of Unique IPs Connecting to Ports", "Count of assets by category", + "Create a list of approved AWS service accounts", + "DNSTwist Domain Names", + "Discover DNS records", "Identify Systems Creating Remote Desktop Traffic", "Identify Systems Receiving Remote Desktop Traffic", "Identify Systems Using Remote Desktop", @@ -2920,6 +2931,7 @@ "Previously Seen Zoom Child Processes - Initial", "Previously Seen Zoom Child Processes - Update", "Previously seen S3 bucket access by remote IP", + "Previously seen command line arguments", "Windows Updates Install Failures", "Windows Updates Install Successes" ], diff --git a/schemas/Playbook.schema.json b/schemas/Playbook.schema.json new file mode 100644 index 0000000000..aa4da253b5 --- /dev/null +++ b/schemas/Playbook.schema.json 
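Review bot: The five new names (`Baseline of Network ACL Activity by ARN`, `Baseline of Security Group Activity by ARN`, `Create a list of approved AWS service accounts`, `DNSTwist Domain Names`, `Discover DNS records`, `Previously seen command line arguments`) are inserted into what appear to be two separate copies of the same enum (around line 133 and again around line 2892), which is exactly the duplication that lets the lists drift apart on a future edit. If this schema is hand-maintained, factor the shared list into `$defs` and reference it with `"$ref": "#/$defs/ContentName"` from both places; if it is generated by contentctl, the duplication is a generator concern and this file should not be edited by hand at all. Note also the case inconsistency with the neighbouring `Baseline Of ...` entries, which is only correct if these values must match each baseline's `name:` field byte-for-byte.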
@@ -0,0 +1,2948 @@ +{ + "$defs": { + "DefendTechnique": { + "description": "List of Supported D3FEND Techniques.", + "enum": [ + "D3-AA", + "D3-ABPI", + "D3-ACA", + "D3-ACH", + "D3-AH", + "D3-AI", + "D3-AL", + "D3-ALLM", + "D3-AM", + "D3-AMED", + "D3-ANAA", + "D3-ANCI", + "D3-ANET", + "D3-APA", + "D3-APLM", + "D3-AVE", + "D3-AZET", + "D3-BA", + "D3-BAN", + "D3-BDI", + "D3-BSE", + "D3-CA", + "D3-CAA", + "D3-CBAN", + "D3-CCSA", + "D3-CE", + "D3-CERO", + "D3-CF", + "D3-CFC", + "D3-CH", + "D3-CHN", + "D3-CI", + "D3-CIA", + "D3-CM", + "D3-CNE", + "D3-CNR", + "D3-CNS", + "D3-CP", + "D3-CQ", + "D3-CR", + "D3-CRO", + "D3-CS", + "D3-CSPP", + "D3-CTS", + "D3-CV", + "D3-DA", + "D3-DAM", + "D3-DCE", + "D3-DE", + "D3-DEM", + "D3-DENCR", + "D3-DF", + "D3-DI", + "D3-DKE", + "D3-DKF", + "D3-DKP", + "D3-DLIC", + "D3-DNR", + "D3-DNRA", + "D3-DNSAL", + "D3-DNSCE", + "D3-DNSDL", + "D3-DNSTA", + "D3-DO", + "D3-DP", + "D3-DPLM", + "D3-DPR", + "D3-DQSA", + "D3-DRT", + "D3-DST", + "D3-DTP", + "D3-DUC", + "D3-EAL", + "D3-EBWSAM", + "D3-EDL", + "D3-EF", + "D3-EFA", + "D3-EHB", + "D3-EHPV", + "D3-EI", + "D3-ER", + "D3-ET", + "D3-FA", + "D3-FAPA", + "D3-FBA", + "D3-FC", + "D3-FCA", + "D3-FCDC", + "D3-FCOA", + "D3-FCR", + "D3-FE", + "D3-FEMC", + "D3-FEV", + "D3-FFV", + "D3-FH", + "D3-FHRA", + "D3-FIM", + "D3-FISV", + "D3-FMBV", + "D3-FMCV", + "D3-FMVV", + "D3-FRDDL", + "D3-FRIDL", + "D3-FV", + "D3-HBPI", + "D3-HCI", + "D3-HD", + "D3-HDDL", + "D3-HDL", + "D3-HR", + "D3-HS", + "D3-IAA", + "D3-IBCA", + "D3-ID", + "D3-IDA", + "D3-IHN", + "D3-IOPR", + "D3-IPCTA", + "D3-IPRA", + "D3-IRA", + "D3-IRV", + "D3-ISVA", + "D3-ITF", + "D3-JFAPA", + "D3-KBPI", + "D3-LAM", + "D3-LAMED", + "D3-LFAM", + "D3-LFP", + "D3-LLM", + "D3-MA", + "D3-MAN", + "D3-MBSV", + "D3-MBT", + "D3-MENCR", + "D3-MFA", + "D3-MH", + "D3-NAM", + "D3-NI", + "D3-NM", + "D3-NNI", + "D3-NPC", + "D3-NRAM", + "D3-NTA", + "D3-NTCD", + "D3-NTF", + "D3-NTPM", + "D3-NTSA", + "D3-NVA", + "D3-OAM", + "D3-ODM", + "D3-OE", + "D3-OM", + "D3-ORA", + 
"D3-OSM", + "D3-OTF", + "D3-OTP", + "D3-PA", + "D3-PAM", + "D3-PAN", + "D3-PBWSAM", + "D3-PCA", + "D3-PCSV", + "D3-PE", + "D3-PFV", + "D3-PH", + "D3-PHDURA", + "D3-PLA", + "D3-PLLM", + "D3-PLM", + "D3-PM", + "D3-PMAD", + "D3-PR", + "D3-PS", + "D3-PSA", + "D3-PSEP", + "D3-PSMD", + "D3-PT", + "D3-PV", + "D3-PWA", + "D3-RA", + "D3-RAM", + "D3-RAPA", + "D3-RC", + "D3-RD", + "D3-RDI", + "D3-RE", + "D3-RF", + "D3-RFAM", + "D3-RFS", + "D3-RIC", + "D3-RKD", + "D3-RN", + "D3-RNA", + "D3-RO", + "D3-RPA", + "D3-RRID", + "D3-RS", + "D3-RTA", + "D3-RTSD", + "D3-RUAA", + "D3-SAOR", + "D3-SBV", + "D3-SCA", + "D3-SCF", + "D3-SCH", + "D3-SCP", + "D3-SDA", + "D3-SDM", + "D3-SEA", + "D3-SFA", + "D3-SFCV", + "D3-SFV", + "D3-SHN", + "D3-SICA", + "D3-SJA", + "D3-SMRA", + "D3-SPP", + "D3-SRA", + "D3-SSC", + "D3-ST", + "D3-SU", + "D3-SVCDM", + "D3-SWI", + "D3-SYSDM", + "D3-SYSM", + "D3-SYSVA", + "D3-TAAN", + "D3-TB", + "D3-TBA", + "D3-TBI", + "D3-TL", + "D3-UA", + "D3-UAP", + "D3-UBA", + "D3-UDTA", + "D3-UGLPA", + "D3-ULA", + "D3-URA", + "D3-USICA", + "D3-VI", + "D3-VTV", + "D3-WSAA", + "D3-WSAM" + ], + "title": "DefendTechnique", + "type": "string" + }, + "EventBasedDetectionEnum": { + "description": "Empty Placeholder Enum for baselines.\n\nNOTE: This enum is dynamically populated at runtime by the EventBasedDetection.UpdateDynamicEnum method.", + "enum": [ + "3CX Supply Chain Attack Network Indicators", + "7zip CommandLine To SMB Share Path", + "ASL AWS Concurrent Sessions From Different Ips", + "ASL AWS Create Access Key", + "ASL AWS Create Policy Version to allow all resources", + "ASL AWS Credential Access GetPasswordData", + "ASL AWS Credential Access RDS Password reset", + "ASL AWS Defense Evasion Delete CloudWatch Log Group", + "ASL AWS Defense Evasion Delete Cloudtrail", + "ASL AWS Defense Evasion Impair Security Services", + "ASL AWS Defense Evasion PutBucketLifecycle", + "ASL AWS Defense Evasion Stop Logging Cloudtrail", + "ASL AWS Defense Evasion Update Cloudtrail", + "ASL 
AWS Detect Users creating keys with encrypt policy without MFA", + "ASL AWS Disable Bucket Versioning", + "ASL AWS EC2 Snapshot Shared Externally", + "ASL AWS ECR Container Upload Outside Business Hours", + "ASL AWS ECR Container Upload Unknown User", + "ASL AWS IAM AccessDenied Discovery Events", + "ASL AWS IAM Assume Role Policy Brute Force", + "ASL AWS IAM Delete Policy", + "ASL AWS IAM Failure Group Deletion", + "ASL AWS IAM Successful Group Deletion", + "ASL AWS Multi-Factor Authentication Disabled", + "ASL AWS Network Access Control List Created with All Open Ports", + "ASL AWS Network Access Control List Deleted", + "ASL AWS New MFA Method Registered For User", + "ASL AWS SAML Update identity provider", + "ASL AWS UpdateLoginProfile", + "AWS AMI Attribute Modification for Exfiltration", + "AWS Bedrock Delete GuardRails", + "AWS Bedrock Delete Knowledge Base", + "AWS Bedrock Delete Model Invocation Logging Configuration", + "AWS Bedrock High Number List Foundation Model Failures", + "AWS Bedrock Invoke Model Access Denied", + "AWS Concurrent Sessions From Different Ips", + "AWS Console Login Failed During MFA Challenge", + "AWS Create Policy Version to allow all resources", + "AWS CreateAccessKey", + "AWS CreateLoginProfile", + "AWS Credential Access Failed Login", + "AWS Credential Access GetPasswordData", + "AWS Credential Access RDS Password reset", + "AWS Defense Evasion Delete CloudWatch Log Group", + "AWS Defense Evasion Delete Cloudtrail", + "AWS Defense Evasion Impair Security Services", + "AWS Defense Evasion PutBucketLifecycle", + "AWS Defense Evasion Stop Logging Cloudtrail", + "AWS Defense Evasion Update Cloudtrail", + "AWS Detect Users creating keys with encrypt policy without MFA", + "AWS Detect Users with KMS keys performing encryption S3", + "AWS Disable Bucket Versioning", + "AWS EC2 Snapshot Shared Externally", + "AWS ECR Container Scanning Findings High", + "AWS ECR Container Scanning Findings Low Informational Unknown", + "AWS ECR 
Container Scanning Findings Medium", + "AWS ECR Container Upload Outside Business Hours", + "AWS ECR Container Upload Unknown User", + "AWS Excessive Security Scanning", + "AWS Exfiltration via Anomalous GetObject API Activity", + "AWS Exfiltration via Batch Service", + "AWS Exfiltration via Bucket Replication", + "AWS Exfiltration via DataSync Task", + "AWS Exfiltration via EC2 Snapshot", + "AWS High Number Of Failed Authentications For User", + "AWS High Number Of Failed Authentications From Ip", + "AWS IAM AccessDenied Discovery Events", + "AWS IAM Assume Role Policy Brute Force", + "AWS IAM Delete Policy", + "AWS IAM Failure Group Deletion", + "AWS IAM Successful Group Deletion", + "AWS Lambda UpdateFunctionCode", + "AWS Multi-Factor Authentication Disabled", + "AWS Multiple Failed MFA Requests For User", + "AWS Multiple Users Failing To Authenticate From Ip", + "AWS Network Access Control List Created with All Open Ports", + "AWS Network Access Control List Deleted", + "AWS New MFA Method Registered For User", + "AWS Password Policy Changes", + "AWS S3 Exfiltration Behavior Identified", + "AWS SAML Update identity provider", + "AWS SetDefaultPolicyVersion", + "AWS Successful Console Authentication From Multiple IPs", + "AWS Successful Single-Factor Authentication", + "AWS Unusual Number of Failed Authentications From Ip", + "AWS UpdateLoginProfile", + "Access LSASS Memory for Dump Creation", + "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", + "Active Directory Lateral Movement Identified", + "Active Directory Privilege Escalation Identified", + "Active Setup Registry Autostart", + "Add DefaultUser And Password In Registry", + "Add or Set Windows Defender Exclusion", + "Adobe ColdFusion Access Control Bypass", + "Adobe ColdFusion Unauthenticated Arbitrary File Read", + "AdsiSearcher Account Discovery", + "Advanced IP or Port Scanner Execution", + "Allow File And Printing Sharing In Firewall", + "Allow Inbound Traffic By Firewall Rule Registry", 
+ "Allow Inbound Traffic In Firewall Rule", + "Allow Network Discovery In Firewall", + "Allow Operation with Consent Admin", + "Amazon EKS Kubernetes Pod scan detection", + "Amazon EKS Kubernetes cluster scan detection", + "Anomalous usage of 7zip", + "Attacker Tools On Endpoint", + "Attempt To Add Certificate To Untrusted Store", + "Auto Admin Logon Registry Entry", + "Azure AD Admin Consent Bypassed by Service Principal", + "Azure AD Application Administrator Role Assigned", + "Azure AD Authentication Failed During MFA Challenge", + "Azure AD AzureHound UserAgent Detected", + "Azure AD Block User Consent For Risky Apps Disabled", + "Azure AD Concurrent Sessions From Different Ips", + "Azure AD Device Code Authentication", + "Azure AD External Guest User Invited", + "Azure AD FullAccessAsApp Permission Assigned", + "Azure AD Global Administrator Role Assigned", + "Azure AD High Number Of Failed Authentications For User", + "Azure AD High Number Of Failed Authentications From Ip", + "Azure AD Multi-Factor Authentication Disabled", + "Azure AD Multi-Source Failed Authentications Spike", + "Azure AD Multiple AppIDs and UserAgents Authentication Spike", + "Azure AD Multiple Denied MFA Requests For User", + "Azure AD Multiple Failed MFA Requests For User", + "Azure AD Multiple Service Principals Created by SP", + "Azure AD Multiple Service Principals Created by User", + "Azure AD Multiple Users Failing To Authenticate From Ip", + "Azure AD New Custom Domain Added", + "Azure AD New Federated Domain Added", + "Azure AD New MFA Method Registered", + "Azure AD New MFA Method Registered For User", + "Azure AD OAuth Application Consent Granted By User", + "Azure AD PIM Role Assigned", + "Azure AD PIM Role Assignment Activated", + "Azure AD Privileged Authentication Administrator Role Assigned", + "Azure AD Privileged Graph API Permission Assigned", + "Azure AD Privileged Role Assigned", + "Azure AD Privileged Role Assigned to Service Principal", + "Azure AD Service Principal 
Authentication", + "Azure AD Service Principal Created", + "Azure AD Service Principal Enumeration", + "Azure AD Service Principal New Client Credentials", + "Azure AD Service Principal Owner Added", + "Azure AD Service Principal Privilege Escalation", + "Azure AD Successful Authentication From Different Ips", + "Azure AD Successful PowerShell Authentication", + "Azure AD Successful Single-Factor Authentication", + "Azure AD Tenant Wide Admin Consent Granted", + "Azure AD Unusual Number of Failed Authentications From Ip", + "Azure AD User Consent Blocked for Risky Application", + "Azure AD User Consent Denied for OAuth Application", + "Azure AD User Enabled And Password Reset", + "Azure AD User ImmutableId Attribute Updated", + "Azure Active Directory High Risk Sign-in", + "Azure Automation Account Created", + "Azure Automation Runbook Created", + "Azure Runbook Webhook Created", + "BCDEdit Failure Recovery Modification", + "BITS Job Persistence", + "BITSAdmin Download File", + "Batch File Write to System32", + "Bcdedit Command Back To Normal Mode Boot", + "CHCP Command Execution", + "CMD Carry Out String Command Parameter", + "CMD Echo Pipe - Escalation", + "CMLUA Or CMSTPLUA UAC Bypass", + "CSC Net On The Fly Compilation", + "CertUtil With Decode Argument", + "Certutil exe certificate extraction", + "Change To Safe Mode With Network Config", + "Check Elevated CMD using whoami", + "Child Processes of Spoolsv exe", + "Circle CI Disable Security Job", + "Circle CI Disable Security Step", + "Cisco AI Defense Security Alerts by Application Name", + "Cisco ASA - AAA Policy Tampering", + "Cisco ASA - Core Syslog Message Volume Drop", + "Cisco ASA - Device File Copy Activity", + "Cisco ASA - Device File Copy to Remote Location", + "Cisco ASA - Logging Disabled via CLI", + "Cisco ASA - Logging Filters Configuration Tampering", + "Cisco ASA - Logging Message Suppression", + "Cisco ASA - New Local User Account Created", + "Cisco ASA - Packet Capture Activity", + "Cisco ASA 
- Reconnaissance Command Activity", + "Cisco ASA - User Account Deleted From Local Database", + "Cisco ASA - User Account Lockout Threshold Exceeded", + "Cisco ASA - User Privilege Level Change", + "Cisco Configuration Archive Logging Analysis", + "Cisco Duo Admin Login Unusual Browser", + "Cisco Duo Admin Login Unusual Country", + "Cisco Duo Admin Login Unusual Os", + "Cisco Duo Bulk Policy Deletion", + "Cisco Duo Bypass Code Generation", + "Cisco Duo Policy Allow Devices Without Screen Lock", + "Cisco Duo Policy Allow Network Bypass 2FA", + "Cisco Duo Policy Allow Old Flash", + "Cisco Duo Policy Allow Old Java", + "Cisco Duo Policy Allow Tampered Devices", + "Cisco Duo Policy Bypass 2FA", + "Cisco Duo Policy Deny Access", + "Cisco Duo Policy Skip 2FA for Other Countries", + "Cisco Duo Set User Status to Bypass 2FA", + "Cisco IOS Suspicious Privileged Account Creation", + "Cisco IOS XE Implant Access", + "Cisco Isovalent - Access To Cloud Metadata Service", + "Cisco Isovalent - Cron Job Creation", + "Cisco Isovalent - Curl Execution With Insecure Flags", + "Cisco Isovalent - Kprobe Spike", + "Cisco Isovalent - Late Process Execution", + "Cisco Isovalent - Non Allowlisted Image Use", + "Cisco Isovalent - Nsenter Usage in Kubernetes Pod", + "Cisco Isovalent - Pods Running Offensive Tools", + "Cisco Isovalent - Potential Escape to Host", + "Cisco Isovalent - Shell Execution", + "Cisco NVM - Curl Execution With Insecure Flags", + "Cisco NVM - Installation of Typosquatted Python Package", + "Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI", + "Cisco NVM - Non-Network Binary Making Network Connection", + "Cisco NVM - Outbound Connection to Suspicious Port", + "Cisco NVM - Rclone Execution With Network Activity", + "Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download", + "Cisco NVM - Susp Script From Archive Triggering Network Activity", + "Cisco NVM - Suspicious Download From File Sharing Website", + "Cisco NVM - Suspicious File Download via 
Headless Browser", + "Cisco NVM - Suspicious Network Connection From Process With No Args", + "Cisco NVM - Suspicious Network Connection Initiated via MsXsl", + "Cisco NVM - Suspicious Network Connection to IP Lookup Service API", + "Cisco NVM - Webserver Download From File Sharing Website", + "Cisco Network Interface Modifications", + "Cisco Privileged Account Creation with HTTP Command Execution", + "Cisco Privileged Account Creation with Suspicious SSH Activity", + "Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity", + "Cisco SD-WAN - Low Frequency Rogue Peer", + "Cisco SD-WAN - Peering Activity", + "Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity", + "Cisco SNMP Community String Configuration Changes", + "Cisco Secure Firewall - Binary File Type Download", + "Cisco Secure Firewall - Bits Network Activity", + "Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint", + "Cisco Secure Firewall - Blocked Connection", + "Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt", + "Cisco Secure Firewall - Communication Over Suspicious Ports", + "Cisco Secure Firewall - Connection to File Sharing Domain", + "Cisco Secure Firewall - File Download Over Uncommon Port", + "Cisco Secure Firewall - High EVE Threat Confidence", + "Cisco Secure Firewall - High Priority Intrusion Classification", + "Cisco Secure Firewall - High Volume of Intrusion Events Per Host", + "Cisco Secure Firewall - Intrusion Events by Threat Activity", + "Cisco Secure Firewall - Lumma Stealer Activity", + "Cisco Secure Firewall - Lumma Stealer Download Attempt", + "Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt", + "Cisco Secure Firewall - Malware File Downloaded", + "Cisco Secure Firewall - Oracle E-Business Suite Correlation", + "Cisco Secure Firewall - Oracle E-Business Suite Exploitation", + "Cisco Secure Firewall - Possibly Compromised Host", + "Cisco Secure Firewall - Potential Data Exfiltration", + "Cisco Secure Firewall - Privileged 
Command Execution via HTTP", + "Cisco Secure Firewall - Rare Snort Rule Triggered", + "Cisco Secure Firewall - React Server Components RCE Attempt", + "Cisco Secure Firewall - Remote Access Software Usage Traffic", + "Cisco Secure Firewall - Repeated Blocked Connections", + "Cisco Secure Firewall - Repeated Malware Downloads", + "Cisco Secure Firewall - SSH Connection to Non-Standard Port", + "Cisco Secure Firewall - SSH Connection to sshd_operns", + "Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts", + "Cisco Secure Firewall - Static Tundra Smart Install Abuse", + "Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity", + "Cisco Secure Firewall - Wget or Curl Download", + "Cisco Smart Install Oversized Packet Detection", + "Cisco Smart Install Port Discovery and Status", + "Cisco TFTP Server Configuration for Data Exfiltration", + "Citrix ADC Exploitation CVE-2023-3519", + "Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure", + "Citrix ADC and Gateway Unauthorized Data Disclosure", + "Citrix ShareFile Exploitation CVE-2023-24489", + "Clear Unallocated Sector Using Cipher App", + "Clop Common Exec Parameter", + "Clop Ransomware Known Service Name", + "Cloud API Calls From Previously Unseen User Roles", + "Cloud Compute Instance Created By Previously Unseen User", + "Cloud Compute Instance Created In Previously Unused Region", + "Cloud Compute Instance Created With Previously Unseen Image", + "Cloud Compute Instance Created With Previously Unseen Instance Type", + "Cloud Instance Modified By Previously Unseen User", + "Cloud Provisioning Activity From Previously Unseen City", + "Cloud Provisioning Activity From Previously Unseen Country", + "Cloud Provisioning Activity From Previously Unseen IP Address", + "Cloud Provisioning Activity From Previously Unseen Region", + "Cloud Security Groups Modifications by User", + "Common Ransomware Extensions", + "Common Ransomware Notes", + "Confluence CVE-2023-22515 Trigger Vulnerability", + 
"Confluence Data Center and Server Privilege Escalation", + "Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527", + "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", + "ConnectWise ScreenConnect Authentication Bypass", + "ConnectWise ScreenConnect Path Traversal", + "ConnectWise ScreenConnect Path Traversal Windows SACL", + "Conti Common Exec parameter", + "Control Loading from World Writable Directory", + "Create Remote Thread In Shell Application", + "Create Remote Thread into LSASS", + "Create or delete windows shares using net exe", + "Creation of Shadow Copy", + "Creation of Shadow Copy with wmic and powershell", + "Creation of lsass Dump with Taskmgr", + "Credential Dumping via Copy Command from Shadow Copy", + "Credential Dumping via Symlink to Shadow Copy", + "CrowdStrike Falcon Stream Alerts", + "Crowdstrike Admin Weak Password Policy", + "Crowdstrike Admin With Duplicate Password", + "Crowdstrike High Identity Risk Severity", + "Crowdstrike Medium Identity Risk Severity", + "Crowdstrike Medium Severity Alert", + "Crowdstrike Multiple LOW Severity Alerts", + "Crowdstrike Privilege Escalation For Non-Admin User", + "Crowdstrike User Weak Password Policy", + "Crowdstrike User with Duplicate Password", + "CrushFTP Authentication Bypass Exploitation", + "CrushFTP Max Simultaneous Users From IP", + "CrushFTP Server Side Template Injection", + "Curl Execution with Percent Encoded URL", + "DLLHost with no Command Line Arguments with Network", + "DNS Exfiltration Using Nslookup App", + "DNS Kerberos Coercion", + "DNS Query Length With High Standard Deviation", + "DSQuery Domain Discovery", + "Delete ShadowCopy With PowerShell", + "Deleting Shadow Copies", + "Detect ARP Poisoning", + "Detect AWS Console Login by New User", + "Detect AWS Console Login by User from New City", + "Detect AWS Console Login by User from New Country", + "Detect AWS Console Login by User from New Region", + "Detect AzureHound Command-Line Arguments", + "Detect 
AzureHound File Modifications", + "Detect Baron Samedit CVE-2021-3156", + "Detect Baron Samedit CVE-2021-3156 Segfault", + "Detect Baron Samedit CVE-2021-3156 via OSQuery", + "Detect Certify Command Line Arguments", + "Detect Certify With PowerShell Script Block Logging", + "Detect Certipy File Modifications", + "Detect Computer Changed with Anonymous Account", + "Detect Copy of ShadowCopy with Script Block Logging", + "Detect Credential Dumping through LSASS access", + "Detect DNS Query to Decommissioned S3 Bucket", + "Detect Distributed Password Spray Attempts", + "Detect Empire with PowerShell Script Block Logging", + "Detect Excessive Account Lockouts From Endpoint", + "Detect Excessive User Account Lockouts", + "Detect Exchange Web Shell", + "Detect F5 TMUI RCE CVE-2020-5902", + "Detect GCP Storage access from a new IP", + "Detect HTML Help Renamed", + "Detect HTML Help Spawn Child Process", + "Detect HTML Help URL in Command Line", + "Detect HTML Help Using InfoTech Storage Handlers", + "Detect IPv6 Network Infrastructure Threats", + "Detect Large ICMP Traffic", + "Detect MSHTA Url in Command Line", + "Detect Mimikatz With PowerShell Script Block Logging", + "Detect New Local Admin account", + "Detect New Login Attempts to Routers", + "Detect New Open GCP Storage Buckets", + "Detect New Open S3 Buckets over AWS CLI", + "Detect New Open S3 buckets", + "Detect Outbound LDAP Traffic", + "Detect Outbound SMB Traffic", + "Detect Outlook exe writing a zip file", + "Detect Password Spray Attack Behavior From Source", + "Detect Password Spray Attack Behavior On User", + "Detect Password Spray Attempts", + "Detect Path Interception By Creation Of program exe", + "Detect Port Security Violation", + "Detect Prohibited Applications Spawning cmd exe", + "Detect PsExec With accepteula Flag", + "Detect RClone Command-Line Usage", + "Detect RTLO In File Name", + "Detect RTLO In Process", + "Detect Rare Executables", + "Detect Regasm Spawning a Process", + "Detect Regasm with 
Network Connection", + "Detect Regasm with no Command Line Arguments", + "Detect Regsvcs Spawning a Process", + "Detect Regsvcs with Network Connection", + "Detect Regsvcs with No Command Line Arguments", + "Detect Regsvr32 Application Control Bypass", + "Detect Remote Access Software Usage DNS", + "Detect Remote Access Software Usage File", + "Detect Remote Access Software Usage FileInfo", + "Detect Remote Access Software Usage Process", + "Detect Remote Access Software Usage Registry", + "Detect Remote Access Software Usage Traffic", + "Detect Remote Access Software Usage URL", + "Detect Renamed 7-Zip", + "Detect Renamed PSExec", + "Detect Renamed RClone", + "Detect Renamed WinRAR", + "Detect Rogue DHCP Server", + "Detect Rundll32 Inline HTA Execution", + "Detect S3 access from a new IP", + "Detect SNICat SNI Exfiltration", + "Detect SharpHound Command-Line Arguments", + "Detect SharpHound File Modifications", + "Detect SharpHound Usage", + "Detect Software Download To Network Device", + "Detect Spike in AWS Security Hub Alerts for EC2 Instance", + "Detect Spike in AWS Security Hub Alerts for User", + "Detect Spike in S3 Bucket deletion", + "Detect Spike in blocked Outbound Traffic from your AWS", + "Detect Traffic Mirroring", + "Detect Unauthorized Assets by MAC address", + "Detect Use of cmd exe to Launch Script Interpreters", + "Detect WMI Event Subscription Persistence", + "Detect Web Access to Decommissioned S3 Bucket", + "Detect Windows DNS SIGRed via Splunk Stream", + "Detect Windows DNS SIGRed via Zeek", + "Detect Zerologon via Zeek", + "Detect attackers scanning for vulnerable JBoss servers", + "Detect hosts connecting to dynamic domain providers", + "Detect malicious requests to exploit JBoss servers", + "Detect mshta inline hta execution", + "Detect mshta renamed", + "Detection of tools built by NirSoft", + "Disable AMSI Through Registry", + "Disable Defender AntiVirus Registry", + "Disable Defender BlockAtFirstSeen Feature", + "Disable Defender 
Enhanced Notification", + "Disable Defender MpEngine Registry", + "Disable Defender Spynet Reporting", + "Disable Defender Submit Samples Consent Feature", + "Disable ETW Through Registry", + "Disable Logs Using WevtUtil", + "Disable Registry Tool", + "Disable Schedule Task", + "Disable Security Logs Using MiniNt Registry", + "Disable Show Hidden Files", + "Disable UAC Remote Restriction", + "Disable Windows App Hotkeys", + "Disable Windows Behavior Monitoring", + "Disable Windows SmartScreen Protection", + "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", + "Disabled Kerberos Pre-Authentication Discovery With PowerView", + "Disabling CMD Application", + "Disabling ControlPanel", + "Disabling Defender Services", + "Disabling Firewall with Netsh", + "Disabling FolderOptions Windows Feature", + "Disabling NoRun Windows App", + "Disabling Remote User Account Control", + "Disabling SystemRestore In Registry", + "Disabling Task Manager", + "Disabling Windows Local Security Authority Defences via Registry", + "Domain Account Discovery with Dsquery", + "Domain Account Discovery with Wmic", + "Domain Controller Discovery with Nltest", + "Domain Controller Discovery with Wmic", + "Domain Group Discovery With Dsquery", + "Domain Group Discovery With Wmic", + "Domain Group Discovery with Adsisearcher", + "Download Files Using Telegram", + "Drop IcedID License dat", + "Dump LSASS via comsvcs DLL", + "Dump LSASS via procdump", + "ESXi Account Modified", + "ESXi Audit Tampering", + "ESXi Bulk VM Termination", + "ESXi Download Errors", + "ESXi Encryption Settings Modified", + "ESXi External Root Login Activity", + "ESXi Firewall Disabled", + "ESXi Lockdown Mode Disabled", + "ESXi Loghost Config Tampering", + "ESXi Malicious VIB Forced Install", + "ESXi Reverse Shell Patterns", + "ESXi SSH Brute Force", + "ESXi SSH Enabled", + "ESXi Sensitive Files Accessed", + "ESXi Shared or Stolen Root Account", + "ESXi Shell Access Enabled", + "ESXi Syslog Config Change", + 
"ESXi System Clock Manipulation", + "ESXi System Information Discovery", + "ESXi User Granted Admin Role", + "ESXi VIB Acceptance Level Tampering", + "ESXi VM Discovery", + "ESXi VM Exported via Remote Tool", + "ETW Registry Disabled", + "Elevated Group Discovery With Wmic", + "Elevated Group Discovery with PowerView", + "Email Attachments With Lots Of Spaces", + "Email files written outside of the Outlook directory", + "Email servers sending high volume traffic to hosts", + "Enable RDP In Other Port Number", + "Enable WDigest UseLogonCredential Registry", + "Enumerate Users Local Group Using Telegram", + "Esentutl SAM Copy", + "Eventvwr UAC Bypass", + "Excessive Attempt To Disable Services", + "Excessive DNS Failures", + "Excessive File Deletion In WinDefender Folder", + "Excessive Usage Of Cacls App", + "Excessive Usage Of SC Service Utility", + "Excessive Usage Of Taskkill", + "Excessive Usage of NSLOOKUP App", + "Excessive distinct processes from Windows Temp", + "Excessive number of service control start as disabled", + "Excessive number of taskhost processes", + "Exchange PowerShell Abuse via SSRF", + "Exchange PowerShell Module Usage", + "Executable File Written in Administrative SMB Share", + "Executables Or Script Creation In Suspicious Path", + "Executables Or Script Creation In Temp Path", + "Execute Javascript With Jscript COM CLSID", + "Execution of File with Multiple Extensions", + "Exploit Public Facing Application via Apache Commons Text", + "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", + "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", + "F5 TMUI Authentication Bypass", + "File Download or Read to Pipe Execution", + "File with Samsam Extension", + "Firewall Allowed Program Enable", + "First Time Seen Child Process of Zoom", + "First Time Seen Running Windows Service", + "FodHelper UAC Bypass", + "Fortinet Appliance Auth bypass", + "Fsutil Zeroing File", + "GCP Authentication Failed During MFA Challenge", + "GCP Detect gcploit 
framework", + "GCP Kubernetes cluster pod scan detection", + "GCP Multi-Factor Authentication Disabled", + "GCP Multiple Failed MFA Requests For User", + "GCP Multiple Users Failing To Authenticate From Ip", + "GCP Successful Single-Factor Authentication", + "GCP Unusual Number of Failed Authentications From Ip", + "GPUpdate with no Command Line Arguments with Network", + "GSuite Email Suspicious Attachment", + "Gdrive suspicious file sharing", + "Geographic Improbable Location", + "Get ADDefaultDomainPasswordPolicy with Powershell", + "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", + "Get ADUser with PowerShell", + "Get ADUser with PowerShell Script Block", + "Get ADUserResultantPasswordPolicy with Powershell", + "Get ADUserResultantPasswordPolicy with Powershell Script Block", + "Get DomainPolicy with Powershell", + "Get DomainPolicy with Powershell Script Block", + "Get DomainUser with PowerShell", + "Get DomainUser with PowerShell Script Block", + "Get WMIObject Group Discovery", + "Get WMIObject Group Discovery with Script Block Logging", + "Get-DomainTrust with PowerShell", + "Get-DomainTrust with PowerShell Script Block", + "Get-ForestTrust with PowerShell", + "Get-ForestTrust with PowerShell Script Block", + "GetAdComputer with PowerShell", + "GetAdComputer with PowerShell Script Block", + "GetAdGroup with PowerShell", + "GetAdGroup with PowerShell Script Block", + "GetCurrent User with PowerShell", + "GetCurrent User with PowerShell Script Block", + "GetDomainComputer with PowerShell", + "GetDomainComputer with PowerShell Script Block", + "GetDomainController with PowerShell", + "GetDomainController with PowerShell Script Block", + "GetDomainGroup with PowerShell", + "GetDomainGroup with PowerShell Script Block", + "GetLocalUser with PowerShell", + "GetLocalUser with PowerShell Script Block", + "GetNetTcpconnection with PowerShell", + "GetNetTcpconnection with PowerShell Script Block", + "GetWmiObject DS User with PowerShell", + 
"GetWmiObject DS User with PowerShell Script Block", + "GetWmiObject Ds Computer with PowerShell", + "GetWmiObject Ds Computer with PowerShell Script Block", + "GetWmiObject Ds Group with PowerShell", + "GetWmiObject Ds Group with PowerShell Script Block", + "GetWmiObject User Account with PowerShell", + "GetWmiObject User Account with PowerShell Script Block", + "GitHub Enterprise Delete Branch Ruleset", + "GitHub Enterprise Disable 2FA Requirement", + "GitHub Enterprise Disable Audit Log Event Stream", + "GitHub Enterprise Disable Classic Branch Protection Rule", + "GitHub Enterprise Disable Dependabot", + "GitHub Enterprise Disable IP Allow List", + "GitHub Enterprise Modify Audit Log Event Stream", + "GitHub Enterprise Pause Audit Log Event Stream", + "GitHub Enterprise Register Self Hosted Runner", + "GitHub Enterprise Remove Organization", + "GitHub Enterprise Repository Archived", + "GitHub Enterprise Repository Deleted", + "GitHub Organizations Delete Branch Ruleset", + "GitHub Organizations Disable 2FA Requirement", + "GitHub Organizations Disable Classic Branch Protection Rule", + "GitHub Organizations Disable Dependabot", + "GitHub Organizations Repository Archived", + "GitHub Organizations Repository Deleted", + "GitHub Workflow File Creation or Modification", + "Gsuite Drive Share In External Email", + "Gsuite Email Suspicious Subject With Attachment", + "Gsuite Email With Known Abuse Web Service Link", + "Gsuite Outbound Email With Attachment To External Domain", + "Gsuite Suspicious Shared File Name", + "Gsuite suspicious calendar invite", + "HTTP C2 Framework User Agent", + "HTTP Duplicated Header", + "HTTP Malware User Agent", + "HTTP PUA User Agent", + "HTTP Possible Request Smuggling", + "HTTP RMM User Agent", + "HTTP Rapid POST with Mixed Status Codes", + "HTTP Request to Reserved Name on IIS Server", + "HTTP Scripting Tool User Agent", + "Headless Browser Mockbin or Mocky Request", + "Headless Browser Usage", + "Hide User Account From Sign-In 
Screen",
+ "Hiding Files And Directories With Attrib exe",
+ "High Frequency Copy Of Files In Network Share",
+ "High Number of Login Failures from a single source",
+ "High Process Termination Frequency",
+ "High Volume of Bytes Out to Url",
+ "Hosts receiving high volume of network traffic from email server",
+ "Hunting 3CXDesktopApp Software",
+ "Hunting for Log4Shell",
+ "ICACLS Grant Command",
+ "Icacls Deny Command",
+ "IcedID Exfiltrated Archived File Creation",
+ "Impacket Lateral Movement Commandline Parameters",
+ "Impacket Lateral Movement WMIExec Commandline Parameters",
+ "Impacket Lateral Movement smbexec CommandLine Parameters",
+ "Interactive Session on Remote Endpoint with PowerShell",
+ "Internal Horizontal Port Scan",
+ "Internal Horizontal Port Scan NMAP Top 20",
+ "Internal Vertical Port Scan",
+ "Internal Vulnerability Scan",
+ "Ivanti Connect Secure Command Injection Attempts",
+ "Ivanti Connect Secure SSRF in SAML Component",
+ "Ivanti Connect Secure System Information Access via Auth Bypass",
+ "Ivanti EPM SQL Injection Remote Code Execution",
+ "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078",
+ "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082",
+ "Ivanti Sentry Authentication Bypass",
+ "Ivanti VTM New Account Creation",
+ "Java Class File download by Java User Agent",
+ "Java Writing JSP File",
+ "Jenkins Arbitrary File Read CVE-2024-23897",
+ "JetBrains TeamCity Authentication Bypass CVE-2024-27198",
+ "JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198",
+ "JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199",
+ "JetBrains TeamCity RCE Attempt",
+ "Jscript Execution Using Cscript App",
+ "Juniper Networks Remote Code Execution Exploit Detection",
+ "Kerberoasting spn request with RC4 encryption",
+ "Kerberos Pre-Authentication Flag Disabled in UserAccountControl",
+ "Kerberos Pre-Authentication Flag Disabled with PowerShell",
+ "Kerberos Service Ticket Request Using RC4 Encryption",
+ "Kerberos TGT Request Using RC4 Encryption",
+ "Kerberos User Enumeration",
+ "Kubernetes AWS detect suspicious kubectl calls",
+ "Kubernetes Abuse of Secret by Unusual Location",
+ "Kubernetes Abuse of Secret by Unusual User Agent",
+ "Kubernetes Abuse of Secret by Unusual User Group",
+ "Kubernetes Abuse of Secret by Unusual User Name",
+ "Kubernetes Access Scanning",
+ "Kubernetes Anomalous Inbound Network Activity from Process",
+ "Kubernetes Anomalous Inbound Outbound Network IO",
+ "Kubernetes Anomalous Inbound to Outbound Network IO Ratio",
+ "Kubernetes Anomalous Outbound Network Activity from Process",
+ "Kubernetes Anomalous Traffic on Network Edge",
+ "Kubernetes Create or Update Privileged Pod",
+ "Kubernetes Cron Job Creation",
+ "Kubernetes DaemonSet Deployed",
+ "Kubernetes Falco Shell Spawned",
+ "Kubernetes Nginx Ingress LFI",
+ "Kubernetes Nginx Ingress RFI",
+ "Kubernetes Node Port Creation",
+ "Kubernetes Pod Created in Default Namespace",
+ "Kubernetes Pod With Host Network Attachment",
+ "Kubernetes Previously Unseen Container Image Name",
+ "Kubernetes Previously Unseen Process",
+ "Kubernetes Process Running From New Path",
+ "Kubernetes Process with Anomalous Resource Utilisation",
+ "Kubernetes Process with Resource Ratio Anomalies",
+ "Kubernetes Scanner Image Pulling",
+ "Kubernetes Scanning by Unauthenticated IP Address",
+ "Kubernetes Shell Running on Worker Node",
+ "Kubernetes Shell Running on Worker Node with CPU Activity",
+ "Kubernetes Suspicious Image Pulling",
+ "Kubernetes Unauthorized Access",
+ "Kubernetes newly seen TCP edge",
+ "Kubernetes newly seen UDP edge",
+ "LLM Model File Creation",
+ "LOLBAS With Network Traffic",
+ "Large Volume of DNS ANY Queries",
+ "Linux APT Privilege Escalation",
+ "Linux AWK Privilege Escalation",
+ "Linux Account Manipulation Of SSH Config and Keys",
+ "Linux Add Files In Known Crontab Directories",
+ "Linux Add User Account",
+ "Linux Adding Crontab Using List Parameter",
+ "Linux At Allow Config File Creation",
+ "Linux At Application Execution",
+ "Linux Auditd AI CLI Permission Override Activated",
+ "Linux Auditd Add User Account",
+ "Linux Auditd Add User Account Type",
+ "Linux Auditd At Application Execution",
+ "Linux Auditd Auditd Daemon Abort",
+ "Linux Auditd Auditd Daemon Shutdown",
+ "Linux Auditd Auditd Daemon Start",
+ "Linux Auditd Auditd Service Stop",
+ "Linux Auditd Base64 Decode Files",
+ "Linux Auditd Change File Owner To Root",
+ "Linux Auditd Clipboard Data Copy",
+ "Linux Auditd Copy Fail Privilege Escalation",
+ "Linux Auditd Data Destruction Command",
+ "Linux Auditd Data Transfer Size Limits Via Split",
+ "Linux Auditd Data Transfer Size Limits Via Split Syscall",
+ "Linux Auditd Database File And Directory Discovery",
+ "Linux Auditd Dd File Overwrite",
+ "Linux Auditd Disable Or Modify System Firewall",
+ "Linux Auditd Doas Conf File Creation",
+ "Linux Auditd Doas Tool Execution",
+ "Linux Auditd Edit Cron Table Parameter",
+ "Linux Auditd File And Directory Discovery",
+ "Linux Auditd File Permission Modification Via Chmod",
+ "Linux Auditd File Permissions Modification Via Chattr",
+ "Linux Auditd Find Credentials From Password Managers",
+ "Linux Auditd Find Credentials From Password Stores",
+ "Linux Auditd Find Ssh Private Keys",
+ "Linux Auditd Hardware Addition Swapoff",
+ "Linux Auditd Hidden Files And Directories Creation",
+ "Linux Auditd Insert Kernel Module Using Insmod Utility",
+ "Linux Auditd Install Kernel Module Using Modprobe Utility",
+ "Linux Auditd Kernel Module Enumeration",
+ "Linux Auditd Kernel Module Using Rmmod Utility",
+ "Linux Auditd Nopasswd Entry In Sudoers File",
+ "Linux Auditd Osquery Service Stop",
+ "Linux Auditd Possible Access Or Modification Of Sshd Config File",
+ "Linux Auditd Possible Access To Credential Files",
+ "Linux Auditd Possible Access To Sudoers File",
+ "Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File",
+ "Linux Auditd Preload Hijack Library Calls",
+ "Linux Auditd Preload Hijack Via Preload File",
+ "Linux Auditd Private Keys and Certificate Enumeration",
+ "Linux Auditd Service Restarted",
+ "Linux Auditd Service Started",
+ "Linux Auditd Setuid Using Chmod Utility",
+ "Linux Auditd Setuid Using Setcap Utility",
+ "Linux Auditd Shred Overwrite Command",
+ "Linux Auditd Stop Services",
+ "Linux Auditd Sudo Or Su Execution",
+ "Linux Auditd Sysmon Service Stop",
+ "Linux Auditd System Network Configuration Discovery",
+ "Linux Auditd Unix Shell Configuration Modification",
+ "Linux Auditd Unload Module Via Modprobe",
+ "Linux Auditd Virtual Disk File And Directory Discovery",
+ "Linux Auditd Whoami User Discovery",
+ "Linux Busybox Privilege Escalation",
+ "Linux Change File Owner To Root",
+ "Linux Clipboard Data Copy",
+ "Linux Common Process For Elevation Control",
+ "Linux Composer Privilege Escalation",
+ "Linux Cpulimit Privilege Escalation",
+ "Linux Csvtool Privilege Escalation",
+ "Linux Curl Upload File",
+ "Linux DD File Overwrite",
+ "Linux Data Destruction Command",
+ "Linux Decode Base64 to Shell",
+ "Linux Deleting Critical Directory Using RM Command",
+ "Linux Deletion Of Cron Jobs",
+ "Linux Deletion Of Init Daemon Script",
+ "Linux Deletion Of Services",
+ "Linux Deletion of SSL Certificate",
+ "Linux Disable Services",
+ "Linux Doas Conf File Creation",
+ "Linux Doas Tool Execution",
+ "Linux Docker Root Directory Mount",
+ "Linux Docker Shell Execution",
+ "Linux Edit Cron Table Parameter",
+ "Linux Emacs Privilege Escalation",
+ "Linux File Created In Kernel Driver Directory",
+ "Linux File Creation In Init Boot Directory",
+ "Linux File Creation In Profile Directory",
+ "Linux Find Privilege Escalation",
+ "Linux GDB Privilege Escalation",
+ "Linux GNU Awk Privilege Escalation",
+ "Linux Gdrive Binary Activity",
+ "Linux Gem Privilege Escalation",
+ "Linux Hardware Addition SwapOff",
+ "Linux High Frequency Of File Deletion In Boot Folder",
+ "Linux High Frequency Of File Deletion In Etc Folder",
+ "Linux Impair Defenses Process Kill",
+ "Linux Indicator Removal Clear Cache",
+ "Linux Indicator Removal Service File Deletion",
+ "Linux Ingress Tool Transfer Hunting",
+ "Linux Ingress Tool Transfer with Curl",
+ "Linux Insert Kernel Module Using Insmod Utility",
+ "Linux Install Kernel Module Using Modprobe Utility",
+ "Linux Iptables Firewall Modification",
+ "Linux Kernel Module Enumeration",
+ "Linux Kworker Process In Writable Process Path",
+ "Linux Magic SysRq Key Abuse",
+ "Linux Make Privilege Escalation",
+ "Linux Medusa Rootkit",
+ "Linux MySQL Privilege Escalation",
+ "Linux NOPASSWD Entry In Sudoers File",
+ "Linux Ngrok Reverse Proxy Usage",
+ "Linux Node Privilege Escalation",
+ "Linux Obfuscated Files or Information Base64 Decode",
+ "Linux Octave Privilege Escalation",
+ "Linux OpenVPN Privilege Escalation",
+ "Linux PHP Privilege Escalation",
+ "Linux Persistence and Privilege Escalation Risk Behavior",
+ "Linux Possible Access Or Modification Of sshd Config File",
+ "Linux Possible Access To Credential Files",
+ "Linux Possible Access To Sudoers File",
+ "Linux Possible Append Command To At Allow Config File",
+ "Linux Possible Append Command To Profile Config File",
+ "Linux Possible Append Cronjob Entry on Existing Cronjob File",
+ "Linux Possible Cronjob Modification With Editor",
+ "Linux Possible Ssh Key File Creation",
+ "Linux Preload Hijack Library Calls",
+ "Linux Proxy Socks Curl",
+ "Linux Puppet Privilege Escalation",
+ "Linux RPM Privilege Escalation",
+ "Linux Ruby Privilege Escalation",
+ "Linux SSH Authorized Keys Modification",
+ "Linux SSH Remote Services Script Execute",
+ "Linux Service File Created In Systemd Directory",
+ "Linux Service Restarted",
+ "Linux Service Started Or Enabled",
+ "Linux Setuid Using Chmod Utility",
+ "Linux Setuid Using Setcap Utility",
+ "Linux Shred Overwrite Command",
+ "Linux Sqlite3 Privilege Escalation",
+ "Linux Stdout Redirection To Dev Null File",
+ "Linux Stop Services",
+ "Linux Sudo OR Su Execution",
+ "Linux Sudoers Tmp File Creation",
+ "Linux Suspicious React or Next.js Child Process",
+ "Linux System Network Discovery",
+ "Linux System Reboot Via System Request Key",
+ "Linux Telnet Authentication Bypass",
+ "Linux Unix Shell Enable All SysRq Functions",
+ "Linux Visudo Utility Execution",
+ "Linux c89 Privilege Escalation",
+ "Linux c99 Privilege Escalation",
+ "Linux pkexec Privilege Escalation",
+ "Living Off The Land Detection",
+ "Loading Of Dynwrapx Module",
+ "Local Account Discovery With Wmic",
+ "Local LLM Framework DNS Query",
+ "Log4Shell CVE-2021-44228 Exploitation",
+ "Log4Shell JNDI Payload Injection Attempt",
+ "Log4Shell JNDI Payload Injection with Outbound Connection",
+ "Logon Script Event Trigger Execution",
+ "M365 Copilot Agentic Jailbreak Attack",
+ "M365 Copilot Application Usage Pattern Anomalies",
+ "M365 Copilot Failed Authentication Patterns",
+ "M365 Copilot Impersonation Jailbreak Attack",
+ "M365 Copilot Information Extraction Jailbreak Attack",
+ "M365 Copilot Jailbreak Attempts",
+ "M365 Copilot Non Compliant Devices Accessing M365 Copilot",
+ "M365 Copilot Session Origin Anomalies",
+ "MCP Filesystem Server Suspicious Extension Write",
+ "MCP Github Suspicious Operation",
+ "MCP Postgres Suspicious Query",
+ "MCP Prompt Injection",
+ "MCP Sensitive System File Search",
+ "MOVEit Certificate Store Access Failure",
+ "MOVEit Empty Key Fingerprint Authentication Attempt",
+ "MS Exchange Mailbox Replication service writing Active Server Pages",
+ "MS Scripting Process Loading Ldap Module",
+ "MS Scripting Process Loading WMI Module",
+ "MSBuild Suspicious Spawned By Script Process",
+ "MSI Module Loaded by Non-System Binary",
+ "MacOS - Re-opened Applications",
+ "MacOS AMOS Stealer - Virtual Machine Check Activity",
+ "MacOS Account Created",
+ "MacOS Data Chunking",
+ "MacOS Gatekeeper Bypass",
+ "MacOS Hidden Files and Directories",
+ "MacOS Kextload Usage",
+ "MacOS Keychains Dumped",
+ "MacOS LOLbin",
+ "MacOS List Firewall Rules",
+ "MacOS Log Removal",
+ "MacOS LoginHook Persistence",
+ "MacOS Network Share Discovery",
+ "MacOS plutil",
+ "Mailsniper Invoke functions",
+ "Malicious InProcServer32 Modification",
+ "Malicious PowerShell Process - Encoded Command",
+ "Malicious PowerShell Process - Execution Policy Bypass",
+ "Malicious PowerShell Process With Obfuscation Techniques",
+ "Malicious Powershell Executed As A Service",
+ "Microsoft Defender ATP Alerts",
+ "Microsoft Defender Incident Alerts",
+ "Microsoft Intune Bulk Wipe",
+ "Microsoft Intune Device Health Scripts",
+ "Microsoft Intune DeviceManagementConfigurationPolicies",
+ "Microsoft Intune Manual Device Management",
+ "Microsoft Intune Mobile Apps",
+ "Microsoft SharePoint Server Elevation of Privilege",
+ "Mimikatz PassTheTicket CommandLine Parameters",
+ "Mmc LOLBAS Execution Process Spawn",
+ "Modification Of Wallpaper",
+ "Modify ACL permission To Files Or Folder",
+ "Monitor Email For Brand Abuse",
+ "Monitor Registry Keys for Print Monitors",
+ "Monitor Web Traffic For Brand Abuse",
+ "Mshta spawning Rundll32 OR Regsvr32 Process",
+ "Msmpeng Application DLL Side Loading",
+ "Multiple Archive Files Http Post Traffic",
+ "NET Profiler UAC bypass",
+ "NLTest Domain Trust Discovery",
+ "Network Connection Discovery With Arp",
+ "Network Connection Discovery With Netstat",
+ "Network Discovery Using Route Windows App",
+ "Network Share Discovery Via Dir Command",
+ "Network Traffic to Active Directory Web Services Protocol",
+ "Nginx ConnectWise ScreenConnect Authentication Bypass",
+ "Ngrok Reverse Proxy on Network",
+ "Nishang PowershellTCPOneLine",
+ "No Windows Updates in a time frame",
+ "Non Chrome Process Accessing Chrome Default Dir",
+ "Non Firefox Process Access Firefox Profile Dir",
+ "Notepad with no Command Line Arguments",
+ "Ntdsutil Export NTDS",
+ "O365 Add App Role Assignment Grant User",
+ "O365 Added Service Principal",
+ "O365 Admin Consent Bypassed by Service Principal",
+ "O365 Advanced Audit Disabled",
+ "O365 Application Available To Other Tenants",
+ "O365 Application Registration Owner Added",
+ "O365 ApplicationImpersonation Role Assigned",
+ "O365 BEC Email Hiding Rule Created",
+ "O365 Block User Consent For Risky Apps Disabled",
+ "O365 Bypass MFA via Trusted IP",
+ "O365 Compliance Content Search Exported",
+ "O365 Compliance Content Search Started",
+ "O365 Concurrent Sessions From Different Ips",
+ "O365 Cross-Tenant Access Change",
+ "O365 DLP Rule Triggered",
+ "O365 Disable MFA",
+ "O365 Elevated Mailbox Permission Assigned",
+ "O365 Email Access By Security Administrator",
+ "O365 Email Hard Delete Excessive Volume",
+ "O365 Email New Inbox Rule Created",
+ "O365 Email Password and Payroll Compromise Behavior",
+ "O365 Email Receive and Hard Delete Takeover Behavior",
+ "O365 Email Reported By Admin Found Malicious",
+ "O365 Email Reported By User Found Malicious",
+ "O365 Email Security Feature Changed",
+ "O365 Email Send Attachments Excessive Volume",
+ "O365 Email Send and Hard Delete Exfiltration Behavior",
+ "O365 Email Send and Hard Delete Suspicious Behavior",
+ "O365 Email Suspicious Behavior Alert",
+ "O365 Email Suspicious Search Behavior",
+ "O365 Email Transport Rule Changed",
+ "O365 Excessive Authentication Failures Alert",
+ "O365 Excessive SSO logon errors",
+ "O365 Exfiltration via File Access",
+ "O365 Exfiltration via File Download",
+ "O365 Exfiltration via File Sync Download",
+ "O365 External Guest User Invited",
+ "O365 External Identity Policy Changed",
+ "O365 File Permissioned Application Consent Granted by User",
+ "O365 FullAccessAsApp Permission Assigned",
+ "O365 High Number Of Failed Authentications for User",
+ "O365 High Privilege Role Granted",
+ "O365 Mail Permissioned Application Consent Granted by User",
+ "O365 Mailbox Email Forwarding Enabled",
+ "O365 Mailbox Folder Read Permission Assigned",
+ "O365 Mailbox Folder Read Permission Granted",
+ "O365 Mailbox Inbox Folder Shared with All Users",
+ "O365 Mailbox Read Access Granted to Application",
+ "O365 Multi-Source Failed Authentications Spike",
+ "O365 Multiple AppIDs and UserAgents Authentication Spike",
+ "O365 Multiple Failed MFA Requests For User",
+ "O365 Multiple Mailboxes Accessed via API",
+ "O365 Multiple OS Vendors Authenticating From User",
+ "O365 Multiple Service Principals Created by SP",
+ "O365 Multiple Service Principals Created by User",
+ "O365 Multiple Users Failing To Authenticate From Ip",
+ "O365 New Email Forwarding Rule Created",
+ "O365 New Email Forwarding Rule Enabled",
+ "O365 New Federated Domain Added",
+ "O365 New Forwarding Mailflow Rule Created",
+ "O365 New MFA Method Registered",
+ "O365 OAuth App Mailbox Access via EWS",
+ "O365 OAuth App Mailbox Access via Graph API",
+ "O365 PST export alert",
+ "O365 Privileged Graph API Permission Assigned",
+ "O365 Privileged Role Assigned",
+ "O365 Privileged Role Assigned To Service Principal",
+ "O365 Safe Links Detection",
+ "O365 Security And Compliance Alert Triggered",
+ "O365 Service Principal New Client Credentials",
+ "O365 Service Principal Privilege Escalation",
+ "O365 SharePoint Allowed Domains Policy Changed",
+ "O365 SharePoint Malware Detection",
+ "O365 SharePoint Suspicious Search Behavior",
+ "O365 Tenant Wide Admin Consent Granted",
+ "O365 Threat Intelligence Suspicious Email Delivered",
+ "O365 Threat Intelligence Suspicious File Detected",
+ "O365 User Consent Blocked for Risky Application",
+ "O365 User Consent Denied for OAuth Application",
+ "O365 ZAP Activity Detection",
+ "Okta Authentication Failed During MFA Challenge",
+ "Okta IDP Lifecycle Modifications",
+ "Okta MFA Exhaustion Hunt",
+ "Okta Mismatch Between Source and Response for Verify Push Request",
+ "Okta Multi-Factor Authentication Disabled",
+ "Okta Multiple Accounts Locked Out",
+ "Okta Multiple Failed MFA Requests For User",
+ "Okta Multiple Failed Requests to Access Applications",
+ "Okta Multiple Users Failing To Authenticate From Ip",
+ "Okta New API Token Created",
+ "Okta New Device Enrolled on Account",
+ "Okta Non-Standard VPN Usage",
+ "Okta Phishing Detection with FastPass Origin Check",
+ "Okta Risk Threshold Exceeded",
+ "Okta Successful Single Factor Authentication",
+ "Okta Suspicious Activity Reported",
+ "Okta Suspicious Use of a Session Cookie",
+ "Okta ThreatInsight Threat Detected",
+ "Okta Unauthorized Access to Application",
+ "Okta User Logins from Multiple Cities",
+ "Ollama Abnormal Network Connectivity",
+ "Ollama Abnormal Service Crash Availability Attack",
+ "Ollama Excessive API Requests",
+ "Ollama Possible API Endpoint Scan Reconnaissance",
+ "Ollama Possible Memory Exhaustion Resource Abuse",
+ "Ollama Possible Model Exfiltration Data Leakage",
+ "Ollama Possible RCE via Model Loading",
+ "Ollama Suspicious Prompt Injection Jailbreak",
+ "Outbound Network Connection from Java Using Default Ports",
+ "Overwriting Accessibility Binaries",
+ "PaperCut NG Remote Web Access Attempt",
+ "PaperCut NG Suspicious Behavior Debug Log",
+ "Permission Modification using Takeown App",
+ "PetitPotam Network Share Access Request",
+ "PetitPotam Suspicious Kerberos TGT Request",
+ "Ping Sleep Batch Command",
+ "PingID Mismatch Auth Source and Verification Response",
+ "PingID Multiple Failed MFA Requests For User",
+ "PingID New MFA Method After Credential Reset",
+ "PingID New MFA Method Registered For User",
+ "Plain HTTP POST Exfiltrated Data",
+ "Possible Browser Pass View Parameter",
+ "Possible Lateral Movement PowerShell Spawn",
+ "Potential System Network Configuration Discovery Activity",
+ "Potential Telegram API Request Via CommandLine",
+ "Potential password in username",
+ "PowerShell - Connect To Internet With Hidden Window",
+ "PowerShell 4104 Hunting",
+ "PowerShell Domain Enumeration",
+ "PowerShell Enable PowerShell Remoting",
+ "PowerShell Environment Variable Execution",
+ "PowerShell Get LocalGroup Discovery",
+ "PowerShell Invoke CIMMethod CIMSession",
+ "PowerShell Invoke WmiExec Usage",
+ "PowerShell Loading DotNET into Memory via Reflection",
+ "PowerShell PInvoke Process Injection API Chain",
+ "PowerShell Script Block With URL Chain",
+ "PowerShell Start or Stop Service",
+ "PowerShell Start-BitsTransfer",
+ "PowerShell WebRequest Using Memory Stream",
+ "Powershell COM Hijacking InprocServer32 Modification",
+ "Powershell Creating Thread Mutex",
+ "Powershell Disable Security Monitoring",
+ "Powershell Enable SMB1Protocol Feature",
+ "Powershell Execute COM Object",
+ "Powershell Fileless Process Injection via GetProcAddress",
+ "Powershell Fileless Script Contains Base64 Encoded Content",
+ "Powershell Get LocalGroup Discovery with Script Block Logging",
+ "Powershell Load Module in Meterpreter",
+ "Powershell Processing Stream Of Data",
+ "Powershell Remote Services Add TrustedHost",
+ "Powershell Remote Thread To Known Windows Process",
+ "Powershell Remove Windows Defender Directory",
+ "Powershell Using memory As Backing Store",
+ "Powershell Windows Defender Exclusion Commands",
+ "Prevent Automatic Repair Mode using Bcdedit",
+ "Print Processor Registry Autostart",
+ "Print Spooler Adding A Printer Driver",
+ "Print Spooler Failed to Load a Plug-in",
+ "Process Creating LNK file in Suspicious Location",
+ "Process Deleting Its Process File Path",
+ "Process Execution via WMI",
+ "Process Kill Base On File Path",
+ "Process Writing DynamicWrapperX",
+ "Processes Tapping Keyboard Events",
+ "Processes launching netsh",
+ "Prohibited Network Traffic Allowed",
+ "Protocol or Port Mismatch",
+ "Protocols passing authentication in cleartext",
+ "ProxyShell ProxyNotShell Behavior Detected",
+ "Randomly Generated Scheduled Task Name",
+ "Randomly Generated Windows Service Name",
+ "Ransomware Notes bulk creation",
+ "Recon AVProduct Through Pwh or WMI",
+ "Recon Using WMI Class",
+ "Recursive Delete of Directory In Batch CMD",
+ "Reg exe Manipulating Windows Services Registry Keys",
+ "Registry Keys Used For Persistence",
+ "Registry Keys Used For Privilege Escalation",
+ "Registry Keys for Creating SHIM Databases",
+ "Regsvr32 Silent and Install Param Dll Loading",
+ "Regsvr32 with Known Silent Switch Cmdline",
+ "Remcos RAT File Creation in Remcos Folder",
+ "Remcos client registry install entry",
+ "Remote Desktop Network Traffic",
+ "Remote Desktop Process Running On System",
+ "Remote Process Instantiation via DCOM and PowerShell",
+ "Remote Process Instantiation via DCOM and PowerShell Script Block",
+ "Remote Process Instantiation via WMI",
+ "Remote Process Instantiation via WMI and PowerShell",
+ "Remote Process Instantiation via WMI and PowerShell Script Block",
+ "Remote Process Instantiation via WinRM and PowerShell",
+ "Remote Process Instantiation via WinRM and PowerShell Script Block",
+ "Remote Process Instantiation via WinRM and Winrs",
+ "Remote System Discovery with Adsisearcher",
+ "Remote System Discovery with Dsquery",
+ "Remote System Discovery with Wmic",
+ "Remote WMI Command Attempt",
+ "Resize ShadowStorage volume",
+ "Revil Common Exec Parameter",
+ "Revil Registry Entry",
+ "Risk Rule for Dev Sec Ops by Repository",
+ "Rubeus Command Line Parameters",
+ "Rubeus Kerberos Ticket Exports Through Winlogon Access",
+ "RunDLL Loading DLL By Ordinal",
+ "Runas Execution in CommandLine",
+ "Rundll32 Control RunDLL Hunt",
+ "Rundll32 Control RunDLL World Writable Directory",
+ "Rundll32 Create Remote Thread To A Process",
+ "Rundll32 CreateRemoteThread In Browser",
+ "Rundll32 DNSQuery",
+ "Rundll32 LockWorkStation",
+ "Rundll32 Process Creating Exe Dll Files",
+ "Rundll32 Shimcache Flush",
+ "Rundll32 with no Command Line Arguments with Network",
+ "Ryuk Test Files Detected",
+ "Ryuk Wake on LAN Command",
+ "SAM Database File Access Attempt",
+ "SAP NetWeaver Visual Composer Exploitation Attempt",
+ "SLUI RunAs Elevated",
+ "SLUI Spawning a Process",
+ "SMB Traffic Spike",
+ "SQL Injection with Long URLs",
+ "SSL Certificates with Punycode",
+ "Samsam Test File Write",
+ "Sc exe Manipulating Windows Services",
+ "SchCache Change By App Connect And Create ADSI Object",
+ "Schedule Task with HTTP Command Arguments",
+ "Schedule Task with Rundll32 Command Trigger",
+ "Scheduled Task Creation on Remote Endpoint using At",
+ "Scheduled Task Deleted Or Created via CMD",
+ "Scheduled Task Initiation on Remote Endpoint",
+ "Schtasks Run Task On Demand",
+ "Schtasks scheduling job on remote system",
+ "Schtasks used for forcing a reboot",
+ "Screensaver Event Trigger Execution",
+ "Script Execution via WMI",
+ "Sdclt UAC Bypass",
+ "Sdelete Application Execution",
+ "SearchProtocolHost with no Command Line with Network",
+ "SecretDumps Offline NTDS Dumping Tool",
+ "ServicePrincipalNames Discovery with PowerShell",
+ "ServicePrincipalNames Discovery with SetSPN",
+ "Services Escalate Exe",
+ "Services LOLBAS Execution Process Spawn",
+ "Set Default PowerShell Execution Policy To Unrestricted or Bypass",
+ "Shai-Hulud 2 Exfiltration Artifact Files",
+ "Shai-Hulud Workflow File Creation or Modification",
+ "Shim Database File Creation",
+ "Shim Database Installation With Suspicious Parameters",
+ "Short Lived Scheduled Task",
+ "Short Lived Windows Accounts",
+ "SilentCleanup UAC Bypass",
+ "Single Letter Process On Endpoint",
+ "Spike in File Writes",
+ "Splunk AppDynamics Secure Application Alerts",
+ "Spoolsv Spawning Rundll32",
+ "Spoolsv Suspicious Loaded Modules",
+ "Spoolsv Suspicious Process Access",
+ "Spoolsv Writing a DLL",
+ "Spoolsv Writing a DLL - Sysmon",
+ "Spring4Shell Payload URL Request",
+ "Sqlite Module In Temp Folder",
+ "Steal or Forge Authentication Certificates Behavior Identified",
+ "Sunburst Correlation DLL and Network Event",
+ "Supernova Webshell",
+ "Suspicious Computer Account Name Change",
+ "Suspicious Copy on System32",
+ "Suspicious Curl Network Connection",
+ "Suspicious DLLHost no Command Line Arguments",
+ "Suspicious Email Attachment Extensions",
+ "Suspicious GPUpdate no Command Line Arguments",
+ "Suspicious IcedID Rundll32 Cmdline",
+ "Suspicious Image Creation In Appdata Folder",
+ "Suspicious Java Classes",
+ "Suspicious Kerberos Service Ticket Request",
+ "Suspicious Linux Discovery Commands",
+ "Suspicious MSBuild Rename",
+ "Suspicious MSBuild Spawn",
+ "Suspicious PlistBuddy Usage",
+ "Suspicious PlistBuddy Usage via OSquery",
+ "Suspicious Process DNS Query Known Abuse Web Services",
+ "Suspicious Process Executed From Container File",
+ "Suspicious Process With Discord DNS Query",
+ "Suspicious Reg exe Process",
+ "Suspicious Regsvr32 Register Suspicious Path",
+ "Suspicious Rundll32 PluginInit",
+ "Suspicious Rundll32 StartW",
+ "Suspicious Rundll32 dllregisterserver",
+ "Suspicious Rundll32 no Command Line Arguments",
+ "Suspicious SQLite3 LSQuarantine Behavior",
+ "Suspicious Scheduled Task from Public Directory",
+ "Suspicious SearchProtocolHost no Command Line Arguments",
+ "Suspicious Ticket Granting Ticket Request",
+ "Suspicious WAV file in Appdata Folder",
+ "Suspicious microsoft workflow compiler rename",
+ "Suspicious microsoft workflow compiler usage",
+ "Suspicious msbuild path",
+ "Suspicious mshta child process",
+ "Suspicious mshta spawn",
+ "Suspicious wevtutil Usage",
+ "Suspicious writes to windows Recycle Bin",
+ "Svchost LOLBAS Execution Process Spawn",
+ "System Info Gathering Using Dxdiag Application",
+ "System Information Discovery Detection",
+ "System Processes Run From Unexpected Locations",
+ "System User Discovery With Query",
+ "System User Discovery With Whoami",
+ "TOR Traffic",
+ "Time Provider Persistence Registry",
+ "Tomcat Session Deserialization Attempt",
+ "Tomcat Session File Upload Attempt",
+ "Trickbot Named Pipe",
+ "UAC Bypass MMC Load Unsigned Dll",
+ "UAC Bypass With Colorui COM Object",
+ "USN Journal Deletion",
+ "Uninstall App Using MsiExec",
+ "Unknown Process Using The Kerberos Protocol",
+ "Unload Sysmon Filter Driver",
+ "Unloading AMSI via Reflection",
+ "Unusual Number of Computer Service Tickets Requested",
+ "Unusual Number of Kerberos Service Tickets Requested",
+ "Unusual Number of Remote Endpoint Authentication Events",
+ "Unusually Long Command Line",
+ "Unusually Long Content-Type Length",
+ "User Discovery With Env Vars PowerShell",
+ "User Discovery With Env Vars PowerShell Script Block",
+ "VMWare Aria Operations Exploit Attempt",
+ "VMware Server Side Template Injection Hunt",
+ "VMware Workspace ONE Freemarker Server-side Template Injection",
+ "Vbscript Execution Using Wscript App",
+ "Verclsid CLSID Execution",
+ "WBAdmin Delete System Backups",
+ "WMI Permanent Event Subscription",
+ "WMI Permanent Event Subscription - Sysmon",
+ "WMI Recon Running Process Or Services",
+ "WMI Temporary Event Subscription",
+ "WMIC XSL Execution via URL",
+ "WS FTP Remote Code Execution",
+ "WSReset UAC Bypass",
+ "Wbemprox COM Object Execution",
+ "Web JSP Request via URL",
+ "Web Remote ShellServlet Access",
+ "Web Servers Executing Suspicious Processes",
+ "Web Spring Cloud Function FunctionRouter",
+ "Web Spring4Shell HTTP Request Class Module",
+ "Web or Application Server Spawning a Shell",
+ "Wermgr Process Connecting To IP Check Web Services",
+ "Wermgr Process Create Executable File",
+ "Wermgr Process Spawned CMD Or Powershell Process",
+ "WinEvent Scheduled Task Created Within Public Path",
+ "WinEvent Scheduled Task Created to Spawn Shell",
+ "WinEvent Windows Task Scheduler Event Action Started",
+ "WinRAR Spawning Shell Application",
+ "WinRM Spawning a Process",
+ "Windows .Key File Creation in Root Directory",
+ "Windows AD Abnormal Object Access Activity",
+ "Windows AD AdminSDHolder ACL Modified",
+ "Windows AD Cross Domain SID History Addition",
+ "Windows AD DCShadow Privileges ACL Addition",
+ "Windows AD DSRM Account Changes",
+ "Windows AD DSRM Password Reset",
+ "Windows AD Dangerous Deny ACL Modification",
+ "Windows AD Dangerous Group ACL Modification",
+ "Windows AD Dangerous User ACL Modification",
+ "Windows AD Domain Controller Audit Policy Disabled",
+ "Windows AD Domain Controller Promotion",
+ "Windows AD Domain Replication ACL Addition",
+ "Windows AD Domain Root ACL Deletion",
+ "Windows AD Domain Root ACL Modification",
+ "Windows AD GPO Deleted",
+ "Windows AD GPO Disabled",
+ "Windows AD GPO New CSE Addition",
+ "Windows AD Hidden OU Creation",
+ "Windows AD Object Owner Updated",
+ "Windows AD Privileged Account SID History Addition",
+ "Windows AD Privileged Group Modification",
+ "Windows AD Privileged Object Access Activity",
+ "Windows AD Replication Request Initiated by User Account",
+ "Windows AD Replication Request Initiated from Unsanctioned Location",
+ "Windows AD Replication Service Traffic",
+ "Windows AD Rogue Domain Controller Network Activity",
+ "Windows AD SID History Attribute Modified",
+ "Windows AD Same Domain SID History Addition",
+ "Windows AD Self DACL Assignment",
+ "Windows AD ServicePrincipalName Added To Domain Account",
+ "Windows AD Short Lived Domain Account ServicePrincipalName",
+ "Windows AD Short Lived Domain Controller SPN Attribute",
+ "Windows AD Short Lived Server Object",
+ "Windows AD Suspicious Attribute Modification",
+ "Windows AD add Self to Group",
+ "Windows AI Platform DNS Query",
+ "Windows Abused Web Services",
+ "Windows Access Token Manipulation SeDebugPrivilege",
+ "Windows Access Token Manipulation Winlogon Duplicate Token Handle",
+ "Windows Access Token Winlogon Duplicate Handle In Uncommon Path",
+ "Windows Account Access Removal via Logoff Exec",
+ "Windows Account Discovery With NetUser PreauthNotRequire",
+ "Windows Account Discovery for None Disable User Account",
+ "Windows Account Discovery for Sam Account Name",
+ "Windows AdFind Exe",
+ "Windows Admin Permission Discovery",
+ "Windows Administrative Shares Accessed On Multiple Hosts",
+ "Windows Admon Default Group Policy Object Modified",
+ "Windows Admon Group Policy Object Created",
+ "Windows Advanced Installer MSIX with AI_STUBS Execution",
+ "Windows Alternate DataStream - Base64 Content",
+ "Windows Alternate DataStream - Executable Content",
+ "Windows Alternate DataStream - Process Execution",
+ "Windows Anomalous Registry Value Length in Environment Key",
+ "Windows Anonymous Pipe Activity",
+ "Windows Apache Benchmark Binary",
+ "Windows App Layer Protocol Qakbot NamedPipe",
+ "Windows App Layer Protocol Wermgr Connect To NamedPipe",
+ "Windows AppCertDLL Modification Via Command Line",
+ "Windows AppLocker Block Events",
+ "Windows AppLocker Execution from Uncommon Locations",
+ "Windows AppLocker Privilege Escalation via Unauthorized Bypass",
+ "Windows AppLocker Rare Application Launch Detection",
+ "Windows AppX Deployment Full Trust Package Installation",
+ "Windows AppX Deployment Package Installation Success",
+ "Windows AppX Deployment Unsigned Package Installation",
+ "Windows Application Layer Protocol RMS Radmin Tool Namedpipe",
+ "Windows Application Whitelisting Bypass Attempt via Rundll32",
+ "Windows Archive Collected Data via Powershell",
+ "Windows Archive Collected Data via Rar",
+ "Windows Archived Collected Data In TEMP Folder",
+ "Windows Attempt To Stop Security Service",
+ "Windows Audit Policy Auditing Option Disabled via Auditpol",
+ "Windows Audit Policy Auditing Option Modified - Registry",
+ "Windows Audit Policy Cleared via Auditpol",
+ "Windows Audit Policy Disabled via Auditpol",
+ "Windows Audit Policy Disabled via Legacy Auditpol",
+ "Windows Audit Policy Excluded Category via Auditpol",
+ "Windows Audit Policy Restored via Auditpol",
+ "Windows Audit Policy Security Descriptor Tampering via Auditpol",
+ "Windows AutoIt3 Execution",
+ "Windows Autostart Execution LSASS Driver Registry Modification",
+ "Windows Azure PowerShell Module Installation Via PowerShell Script",
+ "Windows Azure Storage Utility Execution Via CLI",
+ "Windows Binary Execution from an Archive",
+ "Windows Binary Proxy Execution Mavinject DLL Injection",
+ "Windows BitDefender Submission Wizard DLL Sideloading",
+ "Windows BitLocker Suspicious Command Usage",
+ "Windows BitLockerToGo Process Execution",
+ "Windows BitLockerToGo with Network Activity",
+ "Windows Bluetooth Service Installed From Uncommon Location",
+ "Windows Boot or Logon Autostart Execution In Startup Folder",
+ "Windows BootLoader Inventory",
+ "Windows Browser Process Launched with Unusual Flags",
+ "Windows Bypass UAC via Pkgmgr Tool",
+ "Windows CAB File on Disk",
+ "Windows COM Hijacking InprocServer32 Modification",
+ "Windows Cabinet File Extraction Via Expand",
+ "Windows Cached Domain Credentials Reg Query",
+ "Windows Certutil Root Certificate Addition",
+ "Windows Change File Association Command To Notepad",
+ "Windows Chrome Auto-Update Disabled via Registry",
+ "Windows Chrome Enable Extension Loading via Command-Line",
+ "Windows Chrome Extension Allowed Registry Modification",
+ "Windows Chromium Browser Launched with Small Window Size",
+ "Windows Chromium Browser No Security Sandbox Process",
+ "Windows Chromium Browser with Custom User Data Directory",
+ "Windows Chromium Process Launched with Logging Disabled",
+ "Windows Chromium Process Loaded Extension via Command-Line",
+ "Windows Chromium Process with Disabled Extensions",
+ "Windows Chromium process Launched with Disable Popup Blocking",
+ "Windows Cisco Secure Endpoint Related Service Stopped",
+ "Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc",
+ "Windows Cisco Secure Endpoint Unblock File Via Sfc",
+ "Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc",
+ "Windows ClipBoard Data via Get-ClipBoard",
+ "Windows Cmdline Tool Execution From Non-Shell Process",
+ "Windows Cobalt Strike PowerShell Loader",
+ "Windows Command Obfuscation with Environment Variable Substrings",
+ "Windows Command Shell DCRat ForkBomb Payload",
+ "Windows Command and Scripting Interpreter Hunting Path Traversal",
+ "Windows Command and Scripting Interpreter Path Traversal Exec",
+ "Windows Common Abused Cmd Shell Risk Behavior",
+ "Windows Compatibility Telemetry Suspicious Child Process",
+ "Windows Compatibility Telemetry Tampering Through Registry",
+ "Windows Computer Account Changed to Domain Controller",
+ "Windows Computer Account Created by Computer Account",
+ "Windows Computer Account Requesting Kerberos Ticket",
+ "Windows Computer Account With SPN",
+ "Windows ComputerDefaults Spawning a Process",
+ "Windows ConHost with Headless Argument",
+ "Windows ConsoleHost History File Deletion",
+ "Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script",
+ "Windows Create Local Account",
+ "Windows Create Local Administrator Account Via Net",
+ "Windows Credential Access From Browser Password Store",
+ "Windows Credential Dumping LSASS Memory Createdump",
+ "Windows Credential Target Information Structure in Commandline",
+ "Windows Credentials Access via VaultCli Module",
+ "Windows Credentials from Password Stores Chrome Copied in TEMP Dir",
+ "Windows Credentials from Password Stores Chrome Extension Access",
+ "Windows Credentials from Password Stores Chrome LocalState Access",
+ "Windows Credentials from Password Stores Chrome Login Data Access",
+ "Windows Credentials from Password Stores Creation",
+ "Windows Credentials from Password Stores Deletion",
+ "Windows Credentials from Password Stores Query",
+ "Windows Credentials from Web Browsers Saved in TEMP Folder",
+ "Windows Credentials in Registry Reg Query",
+ "Windows CrowdStrike Agent Registry Key Removal",
+ "Windows Crowdstrike RTR Script Execution",
+ "Windows Curl Download to Suspicious Path",
+ "Windows Curl Upload to Remote Destination",
+ "Windows DISM Install PowerShell Web Access",
+ "Windows DISM Remove Defender",
+ "Windows DLL Module Loaded in Temp Dir",
+ "Windows DLL Search Order Hijacking Hunt with Sysmon",
+ "Windows DLL Search Order Hijacking with iscsicpl",
+ "Windows DLL Side-Loading In Calc",
+ "Windows DLL Side-Loading Process Child Of Calc",
+ "Windows DNS Gather Network Info",
+ "Windows DNS Query Request To TinyUrl",
+ "Windows DNS Query Request by Telegram Bot API",
+ "Windows Data Destruction Recursive Exec Files Deletion",
+ "Windows Debugger Tool Execution",
+ "Windows Defacement Modify Transcodedwallpaper File",
+ "Windows Default Cobalt Strike PowerShell Beacon",
+ "Windows Default Group Policy Object Modified",
+ "Windows Default Group Policy Object Modified with GPME",
+ "Windows Default RDP File Creation By Non MSTSC Process",
+ "Windows Default Rdp File Deletion",
+ "Windows Default Rdp File Unhidden",
+ "Windows Defender ASR Audit Events",
+ "Windows Defender ASR Block Events",
+ "Windows Defender ASR Registry Modification",
+ "Windows Defender ASR Rule Disabled",
+ "Windows Defender ASR Rules Stacking",
+ "Windows Defender ASR or Threat Configuration Tamper",
+ "Windows Defender Exclusion Registry Entry",
+ "Windows Delete or Modify System Firewall",
+ "Windows Deleted Registry By A Non Critical Process File Path",
+ "Windows Detect Network Scanner Behavior",
+ "Windows Developer-Signed MSIX Package Installation",
+ "Windows Devtunnels Execution",
+ "Windows Devtunnels Image Loaded",
+ "Windows Disable Change Password Through Registry",
+ "Windows Disable Internet Explorer Addons",
+ "Windows Disable Lock Workstation Feature Through Registry",
+ "Windows Disable LogOff Button Through Registry",
+ "Windows Disable Memory Crash Dump",
+ "Windows Disable Notification Center",
+ "Windows Disable Shutdown Button Through Registry",
+ "Windows Disable Windows Event Logging Disable HTTP Logging",
+ "Windows Disable Windows Group Policy Features Through Registry",
+ "Windows Disable or Modify Tools Via Taskkill",
+ "Windows Disable or Stop Browser Process",
+ "Windows DisableAntiSpyware Registry",
+ "Windows DiskCryptor Usage",
+ "Windows Diskshadow Proxy Execution",
+ "Windows DnsAdmins New Member Added",
+ "Windows Domain Account Discovery Via 
Get-NetComputer", + "Windows Domain Admin Impersonation Indicator", + "Windows DotNet Binary in Non Standard Path", + "Windows Downdate Registry Activity", + "Windows Driver Inventory", + "Windows Driver Load Non-Standard Path", + "Windows Drivers Loaded by Signature", + "Windows EDRSilencer Execution", + "Windows EFI Bootloader File Modification", + "Windows EFI Volume Mount Attempt Via Mountvol", + "Windows ESX Admins Group Creation Security Event", + "Windows ESX Admins Group Creation via Net", + "Windows ESX Admins Group Creation via PowerShell", + "Windows Enable PowerShell Web Access", + "Windows Enable Win32 ScheduledJob via Registry", + "Windows Entra User Management Via Azure CLI", + "Windows Event For Service Disabled", + "Windows Event Log Cleared", + "Windows Event Logging Service Has Shutdown", + "Windows Event Triggered Image File Execution Options Injection", + "Windows EventLog Recon Activity Using Log Query Utilities", + "Windows Eventlog Cleared Via Wevtutil", + "Windows Excel Spawning Microsoft Project Application", + "Windows Excessive Disabled Services Event", + "Windows Excessive Service Stop Attempt", + "Windows Excessive Usage Of Net App", + "Windows Exchange Autodiscover SSRF Abuse", + "Windows Executable Masquerading as Benign File Types", + "Windows Executable in Loaded Modules", + "Windows Execute Arbitrary Commands with MSDT", + "Windows Execution of Microsoft MSC File In Suspicious Path", + "Windows Exfiltration Over C2 Via Invoke RestMethod", + "Windows Exfiltration Over C2 Via Powershell UploadString", + "Windows Explorer LNK Exploit Process Launch With Padding", + "Windows Explorer.exe Spawning PowerShell or Cmd", + "Windows Export Certificate", + "Windows File Association Modification via Ftype", + "Windows File Collection Via Copy Utilities", + "Windows File Download Via CertUtil", + "Windows File Download Via PowerShell", + "Windows File Share Discovery With Powerview", + "Windows File Transfer Protocol In Non-Common Process 
Path", + "Windows File Without Extension In Critical Folder", + "Windows File and Directory Enable ReadOnly Permissions", + "Windows File and Directory Permissions Enable Inheritance", + "Windows File and Directory Permissions Remove Inheritance", + "Windows Files and Dirs Access Rights Modification Via Icacls", + "Windows Filtering Platform Policy Added to Block EDR Process", + "Windows Find Domain Organizational Units with GetDomainOU", + "Windows Find Interesting ACL with FindInterestingDomainAcl", + "Windows Findstr GPP Discovery", + "Windows Firewall Rule Added", + "Windows Firewall Rule Deletion", + "Windows Firewall Rule Modification", + "Windows Forest Discovery with GetForestDomain", + "Windows Gather Victim Host Information Camera", + "Windows Gather Victim Identity SAM Info", + "Windows Gather Victim Network Info Through Ip Check Web Services", + "Windows Gdrive Binary Activity", + "Windows Get Local Admin with FindLocalAdminAccess", + "Windows Get-AdComputer Unconstrained Delegation Discovery", + "Windows Get-Variable.EXE Execution from WindowsApps Folder", + "Windows Global Object Access Audit List Cleared Via Auditpol", + "Windows GrimResource - MMC Process Accessing APDS DLL", + "Windows Group Discovery Via Net", + "Windows Group Policy Object Created", + "Windows Guest Account Enabled Via Net.EXE", + "Windows HTTP Network Communication From MSIExec", + "Windows Handle Duplication in Known UAC-Bypass Binaries", + "Windows Hidden Schedule Task Settings", + "Windows Hide Notification Features Through Registry", + "Windows High File Deletion Frequency", + "Windows Hijack Execution Flow Version Dll Side Load", + "Windows Hosts File Access", + "Windows Hunting System Account Targeting Lsass", + "Windows IIS Components Add New Module", + "Windows IIS Components Get-WebGlobalModule Module Query", + "Windows IIS Components Module Failed to Load", + "Windows IIS Components New Module Added", + "Windows IIS Server PSWA Console Access", + "Windows IOBit 
Unlocker Extension DLL Registration via Regsvr32", + "Windows ISO LNK File Creation", + "Windows Identify PowerShell Web Access IIS Pool", + "Windows Identify Protocol Handlers", + "Windows Impair Defense Add Xml Applocker Rules", + "Windows Impair Defense Change Win Defender Health Check Intervals", + "Windows Impair Defense Change Win Defender Quick Scan Interval", + "Windows Impair Defense Change Win Defender Throttle Rate", + "Windows Impair Defense Change Win Defender Tracing Level", + "Windows Impair Defense Configure App Install Control", + "Windows Impair Defense Define Win Defender Threat Action", + "Windows Impair Defense Delete Win Defender Context Menu", + "Windows Impair Defense Delete Win Defender Profile Registry", + "Windows Impair Defense Deny Security Software With Applocker", + "Windows Impair Defense Disable Controlled Folder Access", + "Windows Impair Defense Disable Defender Firewall And Network", + "Windows Impair Defense Disable Defender Protocol Recognition", + "Windows Impair Defense Disable PUA Protection", + "Windows Impair Defense Disable Realtime Signature Delivery", + "Windows Impair Defense Disable Web Evaluation", + "Windows Impair Defense Disable Win Defender App Guard", + "Windows Impair Defense Disable Win Defender Compute File Hashes", + "Windows Impair Defense Disable Win Defender Gen reports", + "Windows Impair Defense Disable Win Defender Network Protection", + "Windows Impair Defense Disable Win Defender Report Infection", + "Windows Impair Defense Disable Win Defender Scan On Update", + "Windows Impair Defense Disable Win Defender Signature Retirement", + "Windows Impair Defense Overide Win Defender Phishing Filter", + "Windows Impair Defense Override SmartScreen Prompt", + "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", + "Windows Impair Defenses Disable AV AutoStart via Registry", + "Windows Impair Defenses Disable Auto Logger Session", + "Windows Impair Defenses Disable HVCI", + "Windows Impair 
Defenses Disable Win Defender Auto Logging", + "Windows Important Audit Policy Disabled", + "Windows InProcServer32 New Outlook Form", + "Windows Increase in Group or Object Modification Activity", + "Windows Increase in User Modification Activity", + "Windows Indicator Removal Via Rmdir", + "Windows Indirect Command Execution Via Series Of Forfiles", + "Windows Indirect Command Execution Via forfiles", + "Windows Indirect Command Execution Via pcalua", + "Windows Information Discovery Fsutil", + "Windows Ingress Tool Transfer Using Explorer", + "Windows Input Capture Using Credential UI Dll", + "Windows InstallUtil Credential Theft", + "Windows InstallUtil Remote Network Connection", + "Windows InstallUtil URL in Command Line", + "Windows InstallUtil Uninstall Option", + "Windows InstallUtil in Non Standard Path", + "Windows Kerberos Coercion via DNS", + "Windows Kerberos Local Successful Logon", + "Windows Known Abused DLL Created", + "Windows Known Abused DLL Loaded Suspiciously", + "Windows Known GraphicalProton Loaded Modules", + "Windows KrbRelayUp Service Creation", + "Windows LAPS Password Gathering Via PowerShell Script", + "Windows LOLBAS Executed As Renamed File", + "Windows LOLBAS Executed Outside Expected Path", + "Windows LSA Secrets NoLMhash Registry", + "Windows Large Number of Computer Service Tickets Requested", + "Windows Ldifde Directory Object Behavior", + "Windows Level RMM PowerShell Script Installer", + "Windows Level RMM Watchdog Task Created", + "Windows Linked Policies In ADSI Discovery", + "Windows List ENV Variables Via SET Command From Uncommon Parent", + "Windows Local Administrator Credential Stuffing", + "Windows Local LLM Framework Execution", + "Windows MMC Loaded Script Engine DLL", + "Windows MOF Event Triggered Execution via WMI", + "Windows MOVEit Transfer Writing ASPX", + "Windows MSC EvilTwin Directory Path Manipulation", + "Windows MSExchange Management Mailbox Cmdlet Usage", + "Windows MSHTA Writing to World Writable 
Path", + "Windows MSI Rollback Script Deleted By Non-Msiexec Process", + "Windows MSIExec DLLRegisterServer", + "Windows MSIExec Remote Download", + "Windows MSIExec Spawn Discovery Command", + "Windows MSIExec Spawn WinDBG", + "Windows MSIExec Unregister DLLRegisterServer", + "Windows MSIX Package Interaction", + "Windows MSTSC RDP Commandline", + "Windows Mail Protocol In Non-Common Process Path", + "Windows Mark Of The Web Bypass", + "Windows Masquerading Explorer As Child Process", + "Windows Masquerading Msdtc Process", + "Windows Metasploit Confluence Plugin Execution", + "Windows Mimikatz Binary Execution", + "Windows Mimikatz Crypto Export File Extensions", + "Windows Mock Trusted Directory MSC File Creation", + "Windows Modify Registry AuthenticationLevelOverride", + "Windows Modify Registry Auto Minor Updates", + "Windows Modify Registry Auto Update Notif", + "Windows Modify Registry Configure BitLocker", + "Windows Modify Registry Default Icon Setting", + "Windows Modify Registry Delete Firewall Rules", + "Windows Modify Registry DisAllow Windows App", + "Windows Modify Registry Disable RDP", + "Windows Modify Registry Disable Restricted Admin", + "Windows Modify Registry Disable Toast Notifications", + "Windows Modify Registry Disable Win Defender Raw Write Notif", + "Windows Modify Registry Disable WinDefender Notifications", + "Windows Modify Registry Disable Windows Security Center Notif", + "Windows Modify Registry DisableRemoteDesktopAntiAlias", + "Windows Modify Registry DisableSecuritySettings", + "Windows Modify Registry Disabling WER Settings", + "Windows Modify Registry Do Not Connect To Win Update", + "Windows Modify Registry DontShowUI", + "Windows Modify Registry EnableLinkedConnections", + "Windows Modify Registry LongPathsEnabled", + "Windows Modify Registry MaxConnectionPerServer", + "Windows Modify Registry No Auto Reboot With Logon User", + "Windows Modify Registry No Auto Update", + "Windows Modify Registry NoChangingWallPaper", + 
"Windows Modify Registry ProxyEnable", + "Windows Modify Registry ProxyServer", + "Windows Modify Registry Qakbot Binary Data Registry", + "Windows Modify Registry Regedit Silent Reg Import", + "Windows Modify Registry Risk Behavior", + "Windows Modify Registry Suppress Win Defender Notif", + "Windows Modify Registry Tamper Protection", + "Windows Modify Registry USeWuServer", + "Windows Modify Registry UpdateServiceUrlAlternate", + "Windows Modify Registry Utilize ProgIDs", + "Windows Modify Registry ValleyRAT C2 Config", + "Windows Modify Registry ValleyRat PWN Reg Entry", + "Windows Modify Registry With MD5 Reg Key Name", + "Windows Modify Registry WuServer", + "Windows Modify Registry on Smart Card Group Policy", + "Windows Modify Registry to Add or Modify Firewall Rule", + "Windows Modify Registry wuStatusServer", + "Windows Modify Show Compress Color And Info Tip Registry", + "Windows Modify System Firewall with Notable Process Path", + "Windows MpCmdRun RemoveDefinitions Execution", + "Windows Mshta Execution In Registry", + "Windows MsiExec HideWindow Rundll32 Execution", + "Windows Multi hop Proxy TOR Website Query", + "Windows Multiple Account Passwords Changed", + "Windows Multiple Accounts Deleted", + "Windows Multiple Accounts Disabled", + "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", + "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", + "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", + "Windows Multiple NTLM Null Domain Authentications", + "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", + "Windows Multiple Users Failed To Authenticate From Host Using NTLM", + "Windows Multiple Users Failed To Authenticate From Process", + "Windows Multiple Users Failed To Authenticate Using Kerberos", + "Windows Multiple Users Remotely Failed To Authenticate From Host", + "Windows Mustang Panda USB Tool Execution", + "Windows Net System Service Discovery", + "Windows NetSupport RMM 
DLL Loaded By Uncommon Process", + "Windows Netspy Network Scanner Execution", + "Windows Network Connection Discovery Via Net", + "Windows Network Connection From Program In Suspect Location", + "Windows Network Share Interaction Via Net", + "Windows New Custom Security Descriptor Set On EventLog Channel", + "Windows New Default File Association Value Set", + "Windows New Deny Permission Set On Service SD Via Sc.EXE", + "Windows New EventLog ChannelAccess Registry Value Set", + "Windows New InProcServer32 Added", + "Windows New Service Security Descriptor Set Via Sc.EXE", + "Windows Ngrok Reverse Proxy Usage", + "Windows NirSoft AdvancedRun", + "Windows NirSoft Tool Bundle File Created", + "Windows NirSoft Utilities", + "Windows Njrat Fileless Storage via Registry", + "Windows Non Discord App Access Discord LevelDB", + "Windows Non-System Account Targeting Lsass", + "Windows NorthStar C2 Agent Execution", + "Windows Obfuscated Files or Information via RAR SFX", + "Windows Odbcconf Hunting", + "Windows Odbcconf Load DLL", + "Windows Odbcconf Load Response File", + "Windows Office Product Dropped Cab or Inf File", + "Windows Office Product Dropped Uncommon File", + "Windows Office Product Loaded MSHTML Module", + "Windows Office Product Loading Taskschd DLL", + "Windows Office Product Loading VBE7 DLL", + "Windows Office Product Spawned Child Process For Download", + "Windows Office Product Spawned Control", + "Windows Office Product Spawned MSDT", + "Windows Office Product Spawned Rundll32 With No DLL", + "Windows Office Product Spawned Uncommon Process", + "Windows OneDrive Share Mounted via Net", + "Windows Outlook Dialogs Disabled from Unusual Process", + "Windows Outlook LoadMacroProviderOnBoot Persistence", + "Windows Outlook Macro Created by Suspicious Process", + "Windows Outlook Macro Security Modified", + "Windows Outlook WebView Registry Modification", + "Windows PUA Named Pipe", + "Windows PaperCut NG Spawn Shell", + "Windows Parent PID Spoofing with 
Explorer", + "Windows Password Managers Discovery", + "Windows Password Policy Discovery with Net", + "Windows Phishing Outlook Drop Dll In FORM Dir", + "Windows Phishing PDF File Executes URL Link", + "Windows Phishing Recent ISO Exec Registry", + "Windows Possible Credential Dumping", + "Windows Post Exploitation Risk Behavior", + "Windows Potato Privilege Escalation Tool Execution", + "Windows Potential AppDomainManager Hijack Artifacts Creation", + "Windows Potential Cloudflared Network Connection", + "Windows Potential Cloudflared Tunnel Execution", + "Windows Potential Web Shell Creation For VMware Workspace ONE", + "Windows PowGoop Beacon Decoding", + "Windows PowerShell Add Module to Global Assembly Cache", + "Windows PowerShell Disable HTTP Logging", + "Windows PowerShell Export Certificate", + "Windows PowerShell Export PfxCertificate", + "Windows PowerShell FakeCAPTCHA Clipboard Execution", + "Windows PowerShell Get CIMInstance Remote Computer", + "Windows PowerShell IIS Components WebGlobalModule Usage", + "Windows PowerShell Invoke-RestMethod IP Information Collection", + "Windows PowerShell Invoke-Sqlcmd Execution", + "Windows PowerShell MSIX Package Installation", + "Windows PowerShell Module File Created", + "Windows PowerShell Process Implementing Manual Base64 Decoder", + "Windows PowerShell Process With Malicious String", + "Windows PowerShell ScheduleTask", + "Windows PowerShell Script Block With Malicious String", + "Windows PowerShell Script From WindowsApps Directory", + "Windows PowerShell Script TabExpansion Direct Call", + "Windows PowerShell WMI Win32 ScheduledJob", + "Windows PowerSploit GPP Discovery", + "Windows PowerView AD Access Control List Enumeration", + "Windows PowerView Constrained Delegation Discovery", + "Windows PowerView Kerberos Service Ticket Request", + "Windows PowerView SPN Discovery", + "Windows PowerView Unconstrained Delegation Discovery", + "Windows Powershell Cryptography Namespace", + "Windows Powershell History 
File Deletion", + "Windows Powershell Import Applocker Policy", + "Windows Powershell Logoff User via Quser", + "Windows Powershell RemoteSigned File", + "Windows Private Keys Discovery", + "Windows Privilege Escalation Attempt Via MSI Rollback", + "Windows Privilege Escalation Suspicious Process Elevation", + "Windows Privilege Escalation System Process Without System Parent", + "Windows Privilege Escalation User Process Spawn System Process", + "Windows Privileged Group Modification", + "Windows Process Accessing Windows Recall Directory", + "Windows Process Commandline Discovery", + "Windows Process Executed From Removable Media", + "Windows Process Execution From ProgramData", + "Windows Process Execution From RDP Share", + "Windows Process Execution in Temp Dir", + "Windows Process Injection In Non-Service SearchIndexer", + "Windows Process Injection Of Wermgr to Known Browser", + "Windows Process Injection Remote Thread", + "Windows Process Injection Wermgr Child Process", + "Windows Process Injection With Public Source Path", + "Windows Process Injection into Commonly Abused Processes", + "Windows Process Injection into Notepad", + "Windows Process With NamedPipe CommandLine", + "Windows Process With NetExec Command Line Parameters", + "Windows Process Writing File to World Writable Path", + "Windows Processes Killed By Industroyer2 Malware", + "Windows Product Key Registry Query", + "Windows Protocol Tunneling with Plink", + "Windows Proxy Execution of .NET Utilities via Scripts", + "Windows Proxy Via Netsh", + "Windows Proxy Via Registry", + "Windows PsTools Recon Usage", + "Windows PuTTY Suite Utility Execution", + "Windows Query Registry Browser List Application", + "Windows Query Registry UnInstall Program List", + "Windows RDP Bitmap Cache File Creation", + "Windows RDP Cache File Deletion", + "Windows RDP Client Launched with Admin Session", + "Windows RDP Connection Successful", + "Windows RDP File Execution", + "Windows RDP Login Session Was 
Established", + "Windows RDP Server Registry Deletion", + "Windows RDP Server Registry Entry Created", + "Windows RDPClient Connection Sequence Events", + "Windows RMM Named Pipe", + "Windows RMM Tool Execution", + "Windows Raccine Scheduled Task Deletion", + "Windows Rapid Authentication On Multiple Hosts", + "Windows Rasautou DLL Execution", + "Windows Raw Access To Disk Volume Partition", + "Windows Raw Access To Master Boot Record Drive", + "Windows Rdp AutomaticDestinations Deletion", + "Windows Registry BootExecute Modification", + "Windows Registry Certificate Added", + "Windows Registry Delete Task SD", + "Windows Registry Dotnet ETW Disabled Via ENV Variable", + "Windows Registry Entries Exported Via Reg", + "Windows Registry Entries Restored Via Reg", + "Windows Registry Modification for Safe Mode Persistence", + "Windows Registry Payload Injection", + "Windows Registry SIP Provider Modification", + "Windows Regsvr32 Renamed Binary", + "Windows Remote Access Software BRC4 Loaded Dll", + "Windows Remote Access Software RMS Registry", + "Windows Remote Assistance Spawning Process", + "Windows Remote Create Service", + "Windows Remote Desktop Network Bruteforce Attempt", + "Windows Remote Host Computer Management Access", + "Windows Remote Image Load", + "Windows Remote Management Execute Shell", + "Windows Remote Service Rdpwinst Tool Execution", + "Windows Remote Services Allow Rdp In Firewall", + "Windows Remote Services Allow Remote Assistance", + "Windows Remote Services Rdp Enable", + "Windows Renamed Powershell Execution", + "Windows Replication Through Removable Media", + "Windows Root Domain linked policies Discovery", + "Windows Routing and Remote Access Service Registry Key Change", + "Windows RunMRU Command Execution", + "Windows RunMRU Registry Key or Value Deleted", + "Windows Rundll32 Apply User Settings Changes", + "Windows Rundll32 Execution With Log.DLL", + "Windows Rundll32 Load DLL in Temp Dir", + "Windows Rundll32 WebDAV Request", + 
"Windows Rundll32 WebDav With Network Connection", + "Windows Rundll32 with Non-Standard File Extension", + "Windows SIP Provider Inventory", + "Windows SIP WinVerifyTrust Failed Trust Validation", + "Windows SOAPHound Binary Execution", + "Windows SQL Server Configuration Option Hunt", + "Windows SQL Server Critical Procedures Enabled", + "Windows SQL Server Extended Procedure DLL Loading Hunt", + "Windows SQL Server Startup Procedure", + "Windows SQL Server xp_cmdshell Config Change", + "Windows SQL Spawning CertUtil", + "Windows SQLCMD Execution", + "Windows SSH Proxy Command", + "Windows ScManager Security Descriptor Tampering Via Sc.EXE", + "Windows Scheduled Task Created Via XML", + "Windows Scheduled Task Created in a Group Policy Object", + "Windows Scheduled Task DLL Module Loaded", + "Windows Scheduled Task Service Spawned Shell", + "Windows Scheduled Task with Highest Privileges", + "Windows Scheduled Task with Suspicious Command", + "Windows Scheduled Task with Suspicious Name", + "Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr", + "Windows Schtasks Create Run As System", + "Windows Screen Capture Via Powershell", + "Windows Screen Capture in TEMP folder", + "Windows Security Account Manager Stopped", + "Windows Security And Backup Services Stop", + "Windows Security Support Provider Reg Query", + "Windows Sensitive Group Discovery With Net", + "Windows Sensitive Registry Hive Dump Via CommandLine", + "Windows Server Software Component GACUtil Install to GAC", + "Windows Service Create Kernel Mode Driver", + "Windows Service Create RemComSvc", + "Windows Service Create SliverC2", + "Windows Service Create with Tscon", + "Windows Service Created with Suspicious Service Name", + "Windows Service Created with Suspicious Service Path", + "Windows Service Creation Using Registry Entry", + "Windows Service Creation on Remote Endpoint", + "Windows Service Deletion In Registry", + "Windows Service Execution RemCom", + "Windows Service Initiation on 
Remote Endpoint", + "Windows Service Stop Attempt", + "Windows Service Stop By Deletion", + "Windows Service Stop Win Updates", + "Windows Set Account Password Policy To Unlimited Via Net", + "Windows Set Custom DNS ServerLevelPlugin Via Dnscmd", + "Windows Set Network Profile Category to Private via Registry", + "Windows SharePoint Spinstall0 GET Request", + "Windows SharePoint Spinstall0 Webshell File Creation", + "Windows SharePoint ToolPane Endpoint Exploitation Attempt", + "Windows Shell Process from CrushFTP", + "Windows Shell or Script Execution From IIS Directory", + "Windows Short Lived DNS Record", + "Windows Snake Malware File Modification Crmlog", + "Windows Snake Malware Kernel Driver Comadmin", + "Windows Snake Malware Registry Modification wav OpenWithProgIds", + "Windows Snake Malware Service Create", + "Windows SnappyBee Create Test Registry", + "Windows SoftEther VPN Masquerading as Legitimate Binary", + "Windows Software Discovery Via PowerShell", + "Windows Spearphishing Attachment Connect To None MS Office Domain", + "Windows Spearphishing Attachment Onenote Spawn Mshta", + "Windows Special Privileged Logon On Multiple Hosts", + "Windows SpeechRuntime COM Hijacking DLL Load", + "Windows SpeechRuntime Suspicious Child Process", + "Windows SqlWriter SQLDumper DLL Sideload", + "Windows Sqlservr Spawning Shell", + "Windows Steal Authentication Certificates - ESC1 Abuse", + "Windows Steal Authentication Certificates - ESC1 Authentication", + "Windows Steal Authentication Certificates CS Backup", + "Windows Steal Authentication Certificates CertUtil Backup", + "Windows Steal Authentication Certificates Certificate Issued", + "Windows Steal Authentication Certificates Certificate Request", + "Windows Steal Authentication Certificates CryptoAPI", + "Windows Steal Authentication Certificates Export Certificate", + "Windows Steal Authentication Certificates Export PfxCertificate", + "Windows Steal or Forge Kerberos Tickets Klist", + "Windows SubInAcl 
Execution", + "Windows Suspect Process With Authentication Traffic", + "Windows Suspicious C2 Named Pipe", + "Windows Suspicious Child Process Spawned From WebServer", + "Windows Suspicious Driver Loaded Path", + "Windows Suspicious File in EFI Volume", + "Windows Suspicious Named Pipe", + "Windows Suspicious Process File Path", + "Windows Suspicious QEMU Execution", + "Windows Suspicious React or Next.js Child Process", + "Windows Suspicious VMWare Tools Child Process", + "Windows Svchost.exe Parent Process Anomaly", + "Windows SymbolicLink-Testing-Tools Utility Execution", + "Windows Symlink Evaluation Change via Fsutil", + "Windows System Binary Proxy Execution Compiled HTML File Decompile", + "Windows System Discovery Using Qwinsta", + "Windows System Discovery Using ldap Nslookup", + "Windows System File on Disk", + "Windows System LogOff Commandline", + "Windows System Network Config Discovery Display DNS", + "Windows System Network Connections Discovery Netsh", + "Windows System Reboot CommandLine", + "Windows System Remote Discovery With Query", + "Windows System Script Proxy Execution Syncappvpublishingserver", + "Windows System Shutdown CommandLine", + "Windows System Time Discovery W32tm Delay", + "Windows System User Discovery Via Quser", + "Windows System User Privilege Discovery", + "Windows TOR Client Execution", + "Windows TeamCity Payload Execution from Temp Directory", + "Windows TeamCity Plugin Installed", + "Windows Terminating Lsass Process", + "Windows Theme File Creation in Unusual Location", + "Windows Time Based Evasion", + "Windows Time Based Evasion via Choice Exec", + "Windows TinyCC Shellcode Execution", + "Windows UAC Bypass Suspicious Child Process", + "Windows UAC Bypass Suspicious Escalation Behavior", + "Windows USBSTOR Registry Key Modification", + "Windows Universal Data Link File Creation", + "Windows Unsecured Outlook Credentials Access In Registry", + "Windows Unsigned DLL Side-Loading", + "Windows Unsigned DLL Side-Loading In 
Same Process Path", + "Windows Unsigned MS DLL Side-Loading", + "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", + "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", + "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", + "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", + "Windows Unusual Count Of Users Failed To Auth Using Kerberos", + "Windows Unusual Count Of Users Failed To Authenticate From Process", + "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", + "Windows Unusual Count Of Users Remotely Failed To Auth From Host", + "Windows Unusual File Creation in Confluence Directory", + "Windows Unusual FileZilla XML Config Access", + "Windows Unusual Intelliform Storage Registry Access", + "Windows Unusual NTLM Authentication Destinations By Source", + "Windows Unusual NTLM Authentication Destinations By User", + "Windows Unusual NTLM Authentication Users By Destination", + "Windows Unusual NTLM Authentication Users By Source", + "Windows Unusual Process Load Mozilla NSS-Mozglue Module", + "Windows Unusual SysWOW64 Process Run System32 Executable", + "Windows User Deletion Via Net", + "Windows User Disabled Via Net", + "Windows User Discovery Via Net", + "Windows User Execution Malicious URL Shortcut File", + "Windows Visual Basic Commandline Compiler DNSQuery", + "Windows Vulnerable 3CX Software", + "Windows Vulnerable Driver Installed", + "Windows Vulnerable Driver Loaded", + "Windows WBAdmin File Recovery From Backup", + "Windows WMI Impersonate Token", + "Windows WMI Process And Service List", + "Windows WMI Process Call Create", + "Windows WMI Reconnaissance Class Query", + "Windows WMIC Shadowcopy Delete", + "Windows WPDBusEnum Registry Key Modification", + "Windows WSUS Spawning Shell", + "Windows WinDBG Spawning AutoIt3", + "Windows WinLogon with Public Network Connection", + "Windows WinPEAS PowerShell Script Execution", + "Windows WinRAR Launched Outside Default 
Installation Directory", + "Windows Wmic CPU Discovery", + "Windows Wmic DiskDrive Discovery", + "Windows Wmic Memory Chip Discovery", + "Windows Wmic Network Discovery", + "Windows Wmic Systeminfo Discovery", + "Windows XLL File Creation Outside of Typical Location", + "Winhlp32 Spawning a Process", + "Wmic Group Discovery", + "Wmic NonInteractive App Uninstallation", + "Wmiprvse LOLBAS Execution Process Spawn", + "WordPress Bricks Builder plugin RCE", + "Wscript Or Cscript Suspicious Child Process", + "Wsmprovhost LOLBAS Execution Process Spawn", + "XMRIG Driver Loaded", + "XSL Script Execution With WMIC", + "Zeek x509 Certificate with Punycode", + "Zoom High Video Latency", + "Zoom Rare Audio Devices", + "Zoom Rare Input Devices", + "Zoom Rare Video Devices", + "Zscaler Adware Activities Threat Blocked", + "Zscaler Behavior Analysis Threat Blocked", + "Zscaler CryptoMiner Downloaded Threat Blocked", + "Zscaler Employment Search Web Activity", + "Zscaler Exploit Threat Blocked", + "Zscaler Legal Liability Threat Blocked", + "Zscaler Malware Activity Threat Blocked", + "Zscaler Phishing Activity Threat Blocked", + "Zscaler Potentially Abused File Download", + "Zscaler Privacy Risk Destinations Threat Blocked", + "Zscaler Scam Destinations Threat Blocked", + "Zscaler Virus Download threat blocked" + ], + "title": "EventBasedDetectionEnum", + "type": "string" + }, + "PlaybookLabel": { + "description": "List of Supported Playbook Labels.", + "enum": [ + "risk_notable" + ], + "title": "PlaybookLabel", + "type": "string" + }, + "PlaybookOutput": { + "description": "List of Supported Playbook Output Types.", + "enum": [ + "note_title", + "note_content" + ], + "title": "PlaybookOutput", + "type": "string" + }, + "PlaybookProduct": { + "description": "List of Supported Playbook Products.", + "enum": [ + "Splunk SOAR", + "Splunk Enterprise Security" + ], + "title": "PlaybookProduct", + "type": "string" + }, + "PlaybookType": { + "description": "PlayBook Type field.\n\nThis 
is intentionally different than the Type Enum\nabove due to legacy naming in the playbook files.", + "enum": [ + "Automation", + "Input", + "Enterprise Security" + ], + "title": "PlaybookType", + "type": "string" + }, + "PlaybookUseCase": { + "description": "List of Supported Playbook Use Cases.", + "enum": [ + "Collection", + "Endpoint", + "Enrichment", + "Malware", + "Phishing", + "Response", + "Utility" + ], + "title": "PlaybookUseCase", + "type": "string" + }, + "StoryEnum": { + "description": "Empty Placeholder Enum for stories.\n\nNOTE: This enum is dynamically populated at runtime by the Story.UpdateDynamicEnum method.", + "enum": [ + "0bj3ctivity Stealer", + "3CX Supply Chain Attack", + "AMOS Stealer", + "APT29 Diplomatic Deceptions with WINELOADER", + "APT37 Rustonotto and FadeStealer", + "AWS Bedrock Security", + "AWS Defense Evasion", + "AWS IAM Privilege Escalation", + "AWS Identity and Access Management Account Takeover", + "AWS Network ACL Activity", + "AWS S3 Bucket Security Monitoring", + "AWS Security Hub Alerts", + "AWS User Monitoring", + "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", + "AcidPour", + "AcidRain", + "Active Directory Discovery", + "Active Directory Kerberos Attacks", + "Active Directory Lateral Movement", + "Active Directory Password Spraying", + "Active Directory Privilege Escalation", + "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", + "AgentTesla", + "Amadey", + "Apache Struts Vulnerability", + "Apache Tomcat Session Deserialization Attacks", + "ArcaneDoor", + "Asset Tracking", + "AsyncRAT", + "Atlassian Confluence Server and Data Center CVE-2022-26134", + "AwfulShred", + "Axios Supply Chain Post Compromise", + "Azorult", + "Azure Active Directory Account Takeover", + "Azure Active Directory Persistence", + "Azure Active Directory Privilege Escalation", + "BITS Jobs", + "Backdoor Pingpong", + "Baron Samedit CVE-2021-3156", + "BishopFox Sliver Adversary Emulation Framework", + 
"Black Basta Ransomware", + "BlackByte Ransomware", + "BlackLotus Campaign", + "BlackMatter Ransomware", + "BlackSuit Ransomware", + "BlankGrabber Stealer", + "Brand Monitoring", + "Braodo Stealer", + "Browser Hijacking", + "Brute Ratel C4", + "CISA AA22-257A", + "CISA AA22-264A", + "CISA AA22-277A", + "CISA AA22-320A", + "CISA AA23-347A", + "CISA AA24-241A", + "CVE-2022-40684 Fortinet Appliance Auth bypass", + "CVE-2023-21716 Word RTF Heap Corruption", + "CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", + "CVE-2023-23397 Outlook Elevation of Privilege", + "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", + "Cactus Ransomware", + "Caddy Wiper", + "Castle RAT", + "Chaos Ransomware", + "China-Nexus Threat Activity", + "Cisco Catalyst SD-WAN Analytics", + "Cisco Duo Suspicious Activity", + "Cisco IOS XE Software Web Management User Interface vulnerability", + "Cisco Isovalent Suspicious Activity", + "Cisco Network Visibility Module Analytics", + "Cisco Secure Access Analytics", + "Cisco Secure Firewall Threat Defense Analytics", + "Cisco Smart Install Remote Code Execution CVE-2018-0171", + "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", + "Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777", + "Citrix Netscaler ADC CVE-2023-3519", + "Citrix ShareFile RCE CVE-2023-24489", + "Cleo File Transfer Software", + "Clop Ransomware", + "Cloud Cryptomining", + "Cloud Federated Credential Abuse", + "Cobalt Strike", + "ColdRoot MacOS RAT", + "Collection and Staging", + "Command And Control", + "Compromised Linux Host", + "Compromised User Account", + "Compromised Windows Host", + "Confluence Data Center and Confluence Server Vulnerabilities", + "ConnectWise ScreenConnect Vulnerabilities", + "Credential Dumping", + "Critical Alerts", + "CrushFTP Vulnerabilities", + "Crypto Stealer", + "Cyclops Blink", + "DHS Report TA18-074A", + "DNS Amplification Attacks", + "DNS Hijacking", + "DarkCrystal RAT", + "DarkGate 
Malware", + "DarkSide Ransomware", + "Data Destruction", + "Data Exfiltration", + "Data Protection", + "Defense Evasion or Unauthorized Access Via SDDL Tampering", + "Deobfuscate-Decode Files or Information", + "Derusbi", + "Detect Zerologon Attack", + "Dev Sec Ops", + "Disabling Security Tools", + "Disk Wiper", + "Domain Trust Discovery", + "Double Zero Destructor", + "Dynamic DNS", + "DynoWiper", + "ESXi Post Compromise", + "Earth Alux", + "Emotet Malware DHS Report TA18-201A", + "F5 Authentication Bypass with TMUI", + "F5 BIG-IP Vulnerability CVE-2022-1388", + "F5 TMUI RCE CVE-2020-5902", + "FIN7", + "Fake CAPTCHA Campaigns", + "Flax Typhoon", + "Forest Blizzard", + "Fortinet FortiNAC CVE-2022-39952", + "GCP Account Takeover", + "GCP Cross Account Activity", + "Gh0st RAT", + "GhostRedirector IIS Module and Rungan Backdoor", + "GitHub Malicious Activity", + "Gomir", + "Gozi Malware", + "Graceful Wipe Out Attack", + "HAFNIUM Group", + "HTTP Request Smuggling", + "Handala Wiper", + "Hellcat Ransomware", + "Hermetic Wiper", + "Hidden Cobra Malware", + "IIS Components", + "IcedID", + "Industroyer2", + "Information Sabotage", + "Ingress Tool Transfer", + "Insider Threat", + "Interlock Ransomware", + "Interlock Rat", + "Ivanti Connect Secure VPN Vulnerabilities", + "Ivanti EPM Vulnerabilities", + "Ivanti EPMM Remote Unauthenticated Access", + "Ivanti Sentry Authentication Bypass CVE-2023-38035", + "Ivanti Virtual Traffic Manager CVE-2024-7593", + "JBoss Vulnerability", + "Jenkins Server Vulnerabilities", + "JetBrains TeamCity Unauthenticated RCE", + "JetBrains TeamCity Vulnerabilities", + "Juniper JunOS Remote Code Execution", + "Kerberos Coercion with DNS", + "Kubernetes Scanning Activity", + "Kubernetes Security", + "Kubernetes Sensitive Object Access Activity", + "LAMEHUG", + "Linux Living Off The Land", + "Linux Persistence Techniques", + "Linux Post-Exploitation", + "Linux Privilege Escalation", + "Linux Rootkit", + "Living Off The Land", + "Local Privilege 
Escalation With KrbRelayUp", + "LockBit Ransomware", + "Log4Shell CVE-2021-44228", + "Lokibot", + "Lotus Blossom Chrysalis Backdoor", + "Lumma Stealer", + "MOVEit Transfer Authentication Bypass", + "MOVEit Transfer Critical Vulnerability", + "MSIX Package Abuse", + "MacOS Persistence Techniques", + "MacOS Post-Exploitation", + "MacOS Privilege Escalation", + "Malicious Inno Setup Loader", + "Malicious PowerShell", + "Masquerading - Rename System Utilities", + "Medusa Ransomware", + "Medusa Rootkit", + "Meduza Stealer", + "MetaSploit", + "Meterpreter", + "Microsoft MSHTML Remote Code Execution CVE-2021-40444", + "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", + "Microsoft SharePoint Vulnerabilities", + "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", + "Microsoft WSUS CVE-2025-59287", + "Monitor for Updates", + "MoonPeak", + "MuddyWater", + "NOBELIUM Group", + "NPM Supply Chain Compromise", + "NailaoLocker Ransomware", + "NetSupport RMM Tool Abuse", + "Netsh Abuse", + "Network Discovery", + "NjRAT", + "NotDoor Malware", + "Office 365 Account Takeover", + "Office 365 Collection Techniques", + "Office 365 Persistence Mechanisms", + "Okta Account Takeover", + "Okta MFA Exhaustion", + "OpenSSL CVE-2022-3602", + "Oracle E-Business Suite Exploitation", + "Orangeworm Attack Group", + "Outlook RCE CVE-2024-21378", + "PHP-CGI RCE Attack on Japanese Organizations", + "PXA Stealer", + "PaperCut MF NG Vulnerability", + "PathWiper", + "PetitPotam NTLM Relay on Active Directory Certificate Services", + "Phemedrone Stealer", + "PlugX", + "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", + "Prestige Ransomware", + "PrintNightmare CVE-2021-34527", + "Prohibited Traffic Allowed or Protocol Mismatch", + "PromptFlux", + "PromptLock", + "ProxyNotShell", + "ProxyShell", + "Qakbot", + "Quasar RAT", + "QuietVault", + "Ransomware", + "Ransomware Cloud", + "React2Shell", + "RedLine Stealer", + "Remcos", + "Remote Employment 
Fraud", + "Remote Monitoring and Management Software", + "Reverse Network Proxy", + "Revil Ransomware", + "Rhysida Ransomware", + "Router and Infrastructure Security", + "Ryuk Ransomware", + "SAP NetWeaver Exploitation", + "SQL Injection", + "SQL Server Abuse", + "Salt Typhoon", + "SamSam Ransomware", + "Sandworm Tools", + "Scattered Lapsus$ Hunters", + "Scattered Spider", + "Scheduled Tasks", + "Seashell Blizzard", + "Secret Blizzard", + "Security Solution Tampering", + "SesameOp", + "ShrinkLocker", + "Signed Binary Proxy Execution InstallUtil", + "Silver Sparrow", + "Snake Keylogger", + "Snake Malware", + "SnappyBee", + "Sneaky Active Directory Persistence Tricks", + "SolarWinds WHD RCE Post Exploitation", + "Spearphishing Attachments", + "Spring4Shell CVE-2022-22965", + "StealC Stealer", + "Storm-0501 Ransomware", + "Storm-2460 CLFS Zero Day Exploitation", + "Subvert Trust Controls SIP and Trust Provider Hijacking", + "Suspicious AWS Login Activities", + "Suspicious AWS S3 Activities", + "Suspicious AWS Traffic", + "Suspicious Cisco Adaptive Security Appliance Activity", + "Suspicious Cloud Authentication Activities", + "Suspicious Cloud Instance Activities", + "Suspicious Cloud Provisioning Activities", + "Suspicious Cloud User Activities", + "Suspicious Command-Line Executions", + "Suspicious Compiled HTML Activity", + "Suspicious DNS Traffic", + "Suspicious Emails", + "Suspicious GCP Storage Activities", + "Suspicious Local LLM Frameworks", + "Suspicious MCP Activities", + "Suspicious MSHTA Activity", + "Suspicious Microsoft 365 Copilot Activities", + "Suspicious Okta Activity", + "Suspicious Ollama Activities", + "Suspicious Regsvcs Regasm Activity", + "Suspicious Regsvr32 Activity", + "Suspicious Rundll32 Activity", + "Suspicious User Agents", + "Suspicious WMI Use", + "Suspicious Windows Registry Activities", + "Suspicious Zoom Child Processes", + "Swift Slicer", + "SysAid On-Prem Software CVE-2023-47246 Vulnerability", + "SystemBC", + "Telnetd 
CVE-2026-24061", + "Termite Ransomware", + "Text4Shell CVE-2022-42889", + "Trickbot", + "Trusted Developer Utilities Proxy Execution", + "Trusted Developer Utilities Proxy Execution MSBuild", + "Tuoni", + "Unusual Processes", + "Use of Cleartext Protocols", + "VIP Keylogger", + "VMware Aria Operations vRealize CVE-2023-20887", + "VMware ESXi AD Integration Authentication Bypass CVE-2024-37085", + "VMware Server Side Injection and Privilege Escalation", + "ValleyRAT", + "VanHelsing Ransomware", + "Void Manticore", + "VoidLink Cloud-Native Linux Malware", + "Volt Typhoon", + "WS FTP Server Critical Vulnerabilities", + "Warzone RAT", + "Water Gamayun", + "WhisperGate", + "WinDealer RAT", + "WinRAR Spoofing Attack CVE-2023-38831", + "Windows AppLocker", + "Windows Attack Surface Reduction", + "Windows Audit Policy Tampering", + "Windows BootKits", + "Windows Certificate Services", + "Windows DNS SIGRed CVE-2020-1350", + "Windows Defense Evasion Tactics", + "Windows Discovery Techniques", + "Windows Drivers", + "Windows Error Reporting Service Elevation of Privilege Vulnerability", + "Windows File Extension and Association Abuse", + "Windows Log Manipulation", + "Windows Persistence Techniques", + "Windows Post-Exploitation", + "Windows Privilege Escalation", + "Windows RDP Artifacts and Defense Evasion", + "Windows Registry Abuse", + "Windows Service Abuse", + "Windows System Binary Proxy Execution MSIExec", + "Winter Vivern", + "WordPress Vulnerabilities", + "XML Runner Loader", + "XMRig", + "XWorm", + "XorDDos", + "ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day", + "ZOVWiper", + "Zscaler Browser Proxy Threats", + "sAMAccountName Spoofing and Domain Controller Impersonation" + ], + "title": "StoryEnum", + "type": "string" + }, + "Type": { + "description": "List of Supported Playbook Types.\n\nThis is intentionally different than the PlaybookType Enum\nabove due to legacy naming in the playbook files.", + "enum": [ + "Investigation", + "Response" + ], + 
"title": "Type", + "type": "string" + }, + "VpeType": { + "description": "List of Supported VPE Types.", + "enum": [ + "Modern", + "Classic" + ], + "title": "VpeType", + "type": "string" + } + }, + "additionalProperties": false, + "description": "Represents a Playbook object for Splunk SOAR.\n\nPlaybooks define automated response and investigation workflows that run\nin Splunk SOAR. The tags section from legacy contentctl is flattened\nso that all fields live directly on this object.", + "properties": { + "name": { + "description": "Each Security Content Object must have a unique name. Due to issues with how local/default stanzas are merged in the Splunk products, these names MUST NOT change between subsequent releases of content packs.", + "title": "Name", + "type": "string" + }, + "id": { + "description": "Each Security Content Object must have a unique identifier. This is particularly important when leveraging many of the Content Versioning features built into Enterprise Security 8+. Unique ids may be generated with a python command such as `uuid.uuid4()` or similar.", + "format": "uuid", + "title": "Id", + "type": "string" + }, + "version": { + "description": "The version of this object. This number MUST be incremented in the following circumstances:\n1. Any time the object in this file is modified\n2. Any time that the serialization logic for this object changes, changing what is written in its conf file stanza(s)\n3. Any time that an object this object references, for example via enrichment, causes a change in its associated conf file stanzas(s).\nThis final determination is challenging to make manually, so the `contentctl inspect command` will help identify when this a version increment is required.", + "exclusiveMinimum": 0, + "title": "Version", + "type": "integer" + }, + "creation_date": { + "description": "The date that this object was created. 
This should NEVER be updated.", + "format": "date", + "title": "Creation Date", + "type": "string" + }, + "modification_date": { + "description": "The date that this object was last modified. This should be updated whenever the object is modified.", + "format": "date", + "title": "Modification Date", + "type": "string" + }, + "author": { + "description": "The author of this object. This is a freeform string that can be used to identify the author of the object. It will eventually be replaced by a more detailed Contributors list.", + "title": "Author", + "type": "string" + }, + "description": { + "description": "A description of the Security Content Object. This should be a human-readable description of the object, including its purpose.", + "title": "Description", + "type": "string" + }, + "references": { + "description": "A list of references to external resources that are relevant to this object. This can include links to documentation, blog posts, or other resources that provide additional context or information about the object.", + "items": { + "format": "uri", + "maxLength": 2083, + "minLength": 1, + "type": "string" + }, + "minItems": 0, + "title": "References", + "type": "array", + "uniqueItems": true + }, + "playbook": { + "description": "The name of the SOAR playbook as it appears in the SOAR platform. While most playbooks declare this field as lower-cased version of the name field with spaces replaced by underscores, this is not true for all playbooks. As such, there is no further validation on this field, it is just treated as a string.", + "title": "Playbook", + "type": "string" + }, + "how_to_implement": { + "description": "Instructions for configuring or deploying the playbook.", + "minLength": 4, + "title": "How To Implement", + "type": "string" + }, + "app_list": { + "description": "SOAR apps required by this playbook. This is broad, so it is intentionally not backed by an enum. 
Please use special care when updating this field since validation is limited.", + "items": { + "type": "string" + }, + "title": "App List", + "type": "array" + }, + "platform_tags": { + "description": "Free-form tags describing the observable types and platform context that this playbook operates on (e.g. 'user', 'endpoint', 'D3-AL').", + "items": { + "type": "string" + }, + "title": "Platform Tags", + "type": "array" + }, + "type": { + "$ref": "#/$defs/Type", + "description": "The functional role of this playbook: Input, Automation, or Enterprise Security." + }, + "vpe_type": { + "$ref": "#/$defs/VpeType", + "description": "The Visual Playbook Editor type used to build this playbook: Modern or Classic." + }, + "playbook_fields": { + "description": "Input fields exposed by this playbook.", + "items": { + "type": "string" + }, + "title": "Playbook Fields", + "type": "array" + }, + "labels": { + "description": "Labels for the playbook", + "items": { + "$ref": "#/$defs/PlaybookLabel" + }, + "title": "Labels", + "type": "array" + }, + "product": { + "description": "Splunk products this playbook targets.", + "items": { + "$ref": "#/$defs/PlaybookProduct" + }, + "title": "Product", + "type": "array" + }, + "use_cases": { + "description": "Security use cases addressed by this playbook.", + "items": { + "$ref": "#/$defs/PlaybookUseCase" + }, + "title": "Use Cases", + "type": "array" + }, + "defend_technique_id": { + "anyOf": [ + { + "items": { + "$ref": "#/$defs/DefendTechnique" + }, + "type": "array" + }, + { + "type": "null" + } + ], + "default": null, + "description": "D3FEND technique IDs that describe the defensive action taken by this playbook.", + "title": "Defend Technique Id" + }, + "analytic_story": { + "description": "Analytic Stories that reference this playbook.", + "items": { + "$ref": "#/$defs/StoryEnum" + }, + "title": "Analytic Story", + "type": "array" + }, + "detections": { + "description": "Event-based detections that reference this playbook.", + 
"items": { + "$ref": "#/$defs/EventBasedDetectionEnum" + }, + "title": "Detections", + "type": "array" + }, + "playbook_outputs": { + "description": "Descriptions of the output artifacts generated by this playbook.", + "items": { + "$ref": "#/$defs/PlaybookOutput" + }, + "title": "Playbook Outputs", + "type": "array" + }, + "playbook_type": { + "$ref": "#/$defs/PlaybookType", + "description": "Legacy playbook type field. This is intentionally different than the 'type' field." + } + }, + "required": [ + "name", + "id", + "version", + "creation_date", + "modification_date", + "author", + "description", + "playbook", + "how_to_implement", + "platform_tags", + "type", + "vpe_type", + "playbook_type" + ], + "title": "Playbook", + "type": "object" +} \ No newline at end of file diff --git a/schemas/RemovedContent.schema.json b/schemas/RemovedContent.schema.json index 284dc3d038..da74df0347 100644 --- a/schemas/RemovedContent.schema.json +++ b/schemas/RemovedContent.schema.json @@ -8,6 +8,9 @@ "3CX Supply Chain Attack Network Indicators", "3cx_ioc_domains", "7zip CommandLine To SMB Share Path", + "AD LDAP Account Locking", + "AD LDAP Account Unlocking", + "AD LDAP Entity Attribute Lookup", "AMOS Stealer", "APT29 Diplomatic Deceptions with WINELOADER", "APT37 Rustonotto and FadeStealer", @@ -123,6 +126,7 @@ "AWS Detect Users creating keys with encrypt policy without MFA", "AWS Detect Users with KMS keys performing encryption S3", "AWS Disable Bucket Versioning", + "AWS Disable User Accounts", "AWS EC2 Snapshot Shared Externally", "AWS ECR Container Scanning Findings High", "AWS ECR Container Scanning Findings Low Informational Unknown", 
@@ -135,9 +139,12 @@ "AWS Exfiltration via Bucket Replication", "AWS Exfiltration via DataSync Task", "AWS Exfiltration via EC2 Snapshot", + "AWS Find Inactive Users", "AWS High Number Of Failed Authentications For User", "AWS High Number Of Failed Authentications From Ip", "AWS IAM AccessDenied Discovery Events", + "AWS IAM Account Locking", + "AWS IAM Account Unlocking", "AWS IAM Assume Role Policy Brute Force", "AWS IAM Delete Policy", "AWS IAM Failure Group Deletion", @@ -154,6 +161,7 @@ "AWS New MFA Method Registered For User", "AWS Password Policy Changes", "AWS S3 Bucket Security Monitoring", + "AWS S3 Exfiltration Behavior Identified", "AWS SAML Update identity provider", "AWS Security Hub", "AWS Security Hub Alerts", @@ -168,12 +176,17 @@ "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", "AcidPour", "AcidRain", + "Active Directory Disable Account Dispatch", "Active Directory Discovery", + "Active Directory Enable Account Dispatch", "Active Directory Kerberos Attacks", "Active Directory Lateral Movement", + "Active Directory Lateral Movement Identified", "Active Directory Password Spraying", "Active Directory Privilege Escalation", + "Active Directory Privilege Escalation Identified", "Active Setup Registry Autostart", + "ActiveDirectory Reset password", "Add DefaultUser And Password In Registry", "Add or Set Windows Defender Exclusion", "Adobe ColdFusion Access Control Bypass", 
@@ -200,17 +213,25 @@ "Atlassian Confluence Server and Data Center CVE-2022-26134", "Attacker Tools On Endpoint", "Attempt To Add Certificate To Untrusted Store", + "Attribute Lookup Dispatch", "Auto Admin Logon Registry Entry", + "Automated Enrichment", "AwfulShred", "Axios Supply Chain Post Compromise", "Azorult", + "Azure AD Account Locking", + "Azure AD Account Unlocking", + "Azure AD Admin Consent Bypassed by Service Principal", "Azure AD Application Administrator Role Assigned", "Azure AD Authentication Failed During MFA Challenge", "Azure AD AzureHound UserAgent Detected", "Azure AD Block User Consent For Risky Apps Disabled", "Azure AD Concurrent Sessions From Different Ips", "Azure AD Device Code Authentication", + "Azure AD External Guest User Invited", "Azure AD FullAccessAsApp Permission Assigned", + "Azure AD Global Administrator Role Assigned", + "Azure AD Graph User Attribute Lookup", "Azure AD High Number Of Failed Authentications For User", "Azure AD High Number Of Failed Authentications From Ip", "Azure AD Multi-Factor Authentication Disabled", @@ -228,12 +249,15 @@ "Azure AD OAuth Application Consent Granted By User", "Azure AD PIM Role Assigned", "Azure AD PIM Role Assignment Activated", + "Azure AD Privileged Authentication Administrator Role Assigned", "Azure AD Privileged Graph API Permission Assigned", + "Azure AD Privileged Role Assigned", "Azure AD Privileged Role Assigned to Service Principal", "Azure AD Service Principal Authentication", "Azure AD Service Principal Created", "Azure AD Service Principal Enumeration", "Azure AD Service Principal New Client Credentials", + "Azure AD Service Principal Owner Added", "Azure AD Service Principal Privilege Escalation", "Azure AD Successful Authentication From Different Ips", "Azure AD Successful PowerShell Authentication", 
@@ -242,6 +266,8 @@ "Azure AD Unusual Number of Failed Authentications From Ip", "Azure AD User Consent Blocked for Risky Application", "Azure AD User Consent Denied for OAuth Application", + "Azure AD User Enabled And Password Reset", + "Azure AD User ImmutableId Attribute Updated", "Azure Active Directory", "Azure Active Directory Account Takeover", "Azure Active Directory Add app role assignment to service principal", @@ -283,7 +309,9 @@ "Baseline Of Kubernetes Process Resource", "Baseline Of Kubernetes Process Resource Ratio", "Baseline Of Open S3 Bucket Decommissioning", + "Baseline of Network ACL Activity by ARN", "Baseline of S3 Bucket deletion activity by ARN", + "Baseline of Security Group Activity by ARN", "Baseline of blocked outbound traffic from AWS", "Batch File Write to System32", "Bcdedit Command Back To Normal Mode Boot", @@ -294,6 +322,7 @@ "BlackMatter Ransomware", "BlackSuit Ransomware", "BlankGrabber Stealer", + "Block Indicators", "Brand Monitoring", "Braodo Stealer", "Bro conn", @@ -408,6 +437,8 @@ "Cisco Network Visibility Module Analytics", "Cisco Network Visibility Module Flow Data", "Cisco Network Visibility Module OSquery", + "Cisco Privileged Account Creation with HTTP Command Execution", + "Cisco Privileged Account Creation with Suspicious SSH Activity", "Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity", "Cisco SD-WAN - Low Frequency Rogue Peer", "Cisco SD-WAN - Peering Activity", @@ -457,6 +488,8 @@ "Cisco Smart Install Port Discovery and Status", "Cisco Smart Install Remote Code Execution CVE-2018-0171", "Cisco TFTP Server Configuration for Data Exfiltration", + "Cisco Umbrella DNS Denylisting", + "CiscoTalosIntelligence Identifier Reputation Analysis", "Citrix ADC Exploitation CVE-2023-3519", "Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure", "Citrix ADC and Gateway Unauthorized Data Disclosure", 
@@ -507,6 +540,7 @@ "Count of assets by category", "Create Remote Thread In Shell Application", "Create Remote Thread into LSASS", + "Create a list of approved AWS service accounts", "Create or delete windows shares using net exe", "Creation of Shadow Copy", "Creation of Shadow Copy with wmic and powershell", @@ -517,10 +551,23 @@ "Critical Alerts", "CrowdStrike Falcon Stream Alert", "CrowdStrike Falcon Stream Alerts", + "CrowdStrike OAuth API Device Attribute Lookup", + "CrowdStrike OAuth API Dynamic Analysis", + "CrowdStrike OAuth API Endpoint Analysis", + "CrowdStrike OAuth API Executable Denylisting", + "CrowdStrike OAuth API File Collection", + "CrowdStrike OAuth API File Eviction", + "CrowdStrike OAuth API File Restore", + "CrowdStrike OAuth API Get Device Info", + "CrowdStrike OAuth API Identifier Activity Analysis", + "CrowdStrike OAuth API Network Isolation", + "CrowdStrike OAuth API Network Restore", + "CrowdStrike OAuth API Process Termination", "CrowdStrike ProcessRollup2", "Crowdstrike Admin Weak Password Policy", "Crowdstrike Admin With Duplicate Password", "Crowdstrike High Identity Risk Severity", + "Crowdstrike Malware Triage", "Crowdstrike Medium Identity Risk Severity", "Crowdstrike Medium Severity Alert", "Crowdstrike Multiple LOW Severity Alerts", @@ -538,10 +585,12 @@ "DHS Report TA18-074A", "DLLHost with no Command Line Arguments with Network", "DNS Amplification Attacks", + "DNS Denylisting Dispatch", "DNS Exfiltration Using Nslookup App", "DNS Hijacking", "DNS Kerberos Coercion", "DNS Query Length With High Standard Deviation", + "DNSTwist Domain Names", "DSQuery Domain Discovery", "DarkCrystal RAT", "DarkGate Malware", @@ -552,6 +601,7 @@ "Default Baseline", "Default EventBasedDetection", "Defense Evasion or Unauthorized Access Via SDDL Tampering", + "Delete Detected Files", "Delete ShadowCopy With PowerShell", "Deleting Shadow Copies", "Deobfuscate-Decode Files or Information", 
@@ -578,12 +628,14 @@ "Detect Excessive Account Lockouts From Endpoint", "Detect Excessive User Account Lockouts", "Detect Exchange Web Shell", + "Detect F5 TMUI RCE CVE-2020-5902", "Detect GCP Storage access from a new IP", "Detect HTML Help Renamed", "Detect HTML Help Spawn Child Process", "Detect HTML Help URL in Command Line", "Detect HTML Help Using InfoTech Storage Handlers", "Detect IPv6 Network Infrastructure Threats", + "Detect Large ICMP Traffic", "Detect MSHTA Url in Command Line", "Detect Mimikatz With PowerShell Script Block Logging", "Detect New Local Admin account", @@ -636,11 +688,17 @@ "Detect Spike in S3 Bucket deletion", "Detect Spike in blocked Outbound Traffic from your AWS", "Detect Traffic Mirroring", + "Detect Unauthorized Assets by MAC address", "Detect Use of cmd exe to Launch Script Interpreters", "Detect WMI Event Subscription Persistence", "Detect Web Access to Decommissioned S3 Bucket", + "Detect Windows DNS SIGRed via Splunk Stream", + "Detect Windows DNS SIGRed via Zeek", "Detect Zerologon Attack", + "Detect Zerologon via Zeek", + "Detect attackers scanning for vulnerable JBoss servers", "Detect hosts connecting to dynamic domain providers", + "Detect malicious requests to exploit JBoss servers", "Detect mshta inline hta execution", "Detect mshta renamed", "Detection of tools built by NirSoft", @@ -675,6 +733,7 @@ "Disabling SystemRestore In Registry", "Disabling Task Manager", "Disabling Windows Local Security Authority Defences via Registry", + "Discover DNS records", "Disk Wiper", "Domain Account Discovery with Dsquery", "Domain Account Discovery with Wmic", @@ -689,6 +748,7 @@ "Drop IcedID License dat", "Dump LSASS via comsvcs DLL", "Dump LSASS via procdump", + "Dynamic Analysis Dispatch", "Dynamic DNS", "DynoWiper", "ESXi Account Modified", 
@@ -696,6 +756,7 @@ "ESXi Bulk VM Termination", "ESXi Download Errors", "ESXi Encryption Settings Modified", + "ESXi External Root Login Activity", "ESXi Firewall Disabled", "ESXi Lockdown Mode Disabled", "ESXi Loghost Config Tampering", @@ -719,6 +780,7 @@ "Elevated Group Discovery With Wmic", "Elevated Group Discovery with PowerView", "Email Attachments With Lots Of Spaces", + "Email Notification for Malware", "Email files written outside of the Outlook directory", "Email servers sending high volume traffic to hosts", "Emotet Malware DHS Report TA18-201A", @@ -766,11 +828,15 @@ "Fsutil Zeroing File", "G Suite Drive", "G Suite Gmail", + "G Suite for GMail Message Identifier Activity Analysis", + "G Suite for Gmail Message Eviction", + "G Suite for Gmail Search and Purge", "GCP Account Takeover", "GCP Authentication Failed During MFA Challenge", "GCP Cross Account Activity", "GCP Detect gcploit framework", "GCP Kubernetes cluster pod scan detection", + "GCP Multi-Factor Authentication Disabled", "GCP Multiple Failed MFA Requests For User", "GCP Multiple Users Failing To Authenticate From Ip", "GCP Successful Single-Factor Authentication", @@ -880,6 +946,7 @@ "High Process Termination Frequency", "High Volume of Bytes Out to Url", "Hosts receiving high volume of network traffic from email server", + "Hunting", "Hunting 3CXDesktopApp Software", "Hunting for Log4Shell", "ICACLS Grant Command", @@ -887,6 +954,8 @@ "Icacls Deny Command", "IcedID", "IcedID Exfiltrated Archived File Creation", + "Identifier Activity Analysis Dispatch", + "Identifier Reputation Analysis Dispatch", "Identify Systems Creating Remote Desktop Traffic", "Identify Systems Receiving Remote Desktop Traffic", "Identify Systems Using Remote Desktop", 
@@ -902,6 +971,13 @@ "Interlock Rat", "Internal Horizontal Port Scan", "Internal Horizontal Port Scan NMAP Top 20", + "Internal Host SSH Investigate", + "Internal Host SSH Log4j Investigate", + "Internal Host SSH Log4j Respond", + "Internal Host Splunk Investigate log4j", + "Internal Host WinRM Investigate", + "Internal Host WinRM Log4j Investigate", + "Internal Host WinRM log4j Respond", "Internal Vertical Port Scan", "Internal Vulnerability Scan", "Ivanti Connect Secure Command Injection Attempts", @@ -929,6 +1005,7 @@ "JetBrains TeamCity RCE Attempt", "JetBrains TeamCity Unauthenticated RCE", "JetBrains TeamCity Vulnerabilities", + "Jira Related Tickets Search", "Jscript Execution Using Cscript App", "Juniper JunOS Remote Code Execution", "Juniper Networks Remote Code Execution Exploit Detection", @@ -1111,6 +1188,7 @@ "Linux OpenVPN Privilege Escalation", "Linux PHP Privilege Escalation", "Linux Persistence Techniques", + "Linux Persistence and Privilege Escalation Risk Behavior", "Linux Possible Access Or Modification Of sshd Config File", "Linux Possible Access To Credential Files", "Linux Possible Access To Sudoers File", @@ -1151,14 +1229,18 @@ "Linux c99 Privilege Escalation", "Linux pkexec Privilege Escalation", "Living Off The Land", + "Living Off The Land Detection", "Loading Of Dynwrapx Module", "Local Account Discovery With Wmic", "Local LLM Framework DNS Query", "Local Privilege Escalation With KrbRelayUp", "LockBit Ransomware", "Log4Shell CVE-2021-44228", + "Log4Shell CVE-2021-44228 Exploitation", "Log4Shell JNDI Payload Injection Attempt", "Log4Shell JNDI Payload Injection with Outbound Connection", + "Log4j Investigate", + "Log4j Respond", "Logon Script Event Trigger Execution", "Lokibot", "Lotus Blossom Chrysalis Backdoor", 
@@ -1185,6 +1267,11 @@ "MOVEit Transfer Critical Vulnerability", "MS Defender ATP Alerts", "MS Exchange Mailbox Replication service writing Active Server Pages", + "MS Graph for Office 365 Message Eviction", + "MS Graph for Office 365 Message Identifier Activity Analysis", + "MS Graph for Office 365 Message Restore", + "MS Graph for Office 365 Search and Purge", + "MS Graph for Office 365 Search and Restore", "MS Scripting Process Loading Ldap Module", "MS Scripting Process Loading WMI Module", "MS365 Defender Incident Alerts", @@ -1216,6 +1303,7 @@ "Malicious PowerShell Process - Execution Policy Bypass", "Malicious PowerShell Process With Obfuscation Techniques", "Malicious Powershell Executed As A Service", + "Malware Hunt and Contain", "Masquerading - Rename System Utilities", "Medusa Ransomware", "Medusa Rootkit", @@ -1239,7 +1327,9 @@ "Mmc LOLBAS Execution Process Spawn", "Modification Of Wallpaper", "Modify ACL permission To Files Or Folder", + "Monitor Email For Brand Abuse", "Monitor Registry Keys for Print Monitors", + "Monitor Web Traffic For Brand Abuse", "Monitor for Updates", "MoonPeak", "Mshta spawning Rundll32 OR Regsvr32 Process", @@ -1286,6 +1376,8 @@ "O365 Advanced Audit Disabled", "O365 Application Available To Other Tenants", "O365 Application Registration Owner Added", + "O365 ApplicationImpersonation Role Assigned", + "O365 BEC Email Hiding Rule Created", "O365 Block User Consent For Risky Apps Disabled", "O365 Bypass MFA via Trusted IP", "O365 Change user license.", 
@@ -1298,10 +1390,13 @@
  "O365 Disable MFA",
  "O365 Disable Strong Authentication.",
  "O365 Elevated Mailbox Permission Assigned",
+ "O365 Email Access By Security Administrator",
  "O365 Email Hard Delete Excessive Volume",
  "O365 Email New Inbox Rule Created",
  "O365 Email Password and Payroll Compromise Behavior",
  "O365 Email Receive and Hard Delete Takeover Behavior",
+ "O365 Email Reported By Admin Found Malicious",
+ "O365 Email Reported By User Found Malicious",
  "O365 Email Security Feature Changed",
  "O365 Email Send Attachments Excessive Volume",
  "O365 Email Send and Hard Delete Exfiltration Behavior",
@@ -1314,6 +1409,7 @@
  "O365 Exfiltration via File Access",
  "O365 Exfiltration via File Download",
  "O365 Exfiltration via File Sync Download",
+ "O365 External Guest User Invited",
  "O365 External Identity Policy Changed",
  "O365 File Permissioned Application Consent Granted by User",
  "O365 FullAccessAsApp Permission Assigned",
@@ -1344,8 +1440,11 @@
  "O365 OAuth App Mailbox Access via Graph API",
  "O365 PST export alert",
  "O365 Privileged Graph API Permission Assigned",
+ "O365 Privileged Role Assigned",
+ "O365 Privileged Role Assigned To Service Principal",
  "O365 Safe Links Detection",
  "O365 Security And Compliance Alert Triggered",
+ "O365 Service Principal New Client Credentials",
  "O365 Service Principal Privilege Escalation",
  "O365 Set Company Information.",
  "O365 Set-Mailbox",
@@ -1384,6 +1483,7 @@
  "Okta New Device Enrolled on Account",
  "Okta Non-Standard VPN Usage",
  "Okta Phishing Detection with FastPass Origin Check",
+ "Okta Risk Threshold Exceeded",
  "Okta Successful Single Factor Authentication",
  "Okta Suspicious Activity Reported",
  "Okta Suspicious Use of a Session Cookie",
@@ -1410,6 +1510,7 @@
  "PXA Stealer",
  "Palo Alto Network Threat",
  "Palo Alto Network Traffic",
+ "Panorama Outbound Traffic Filtering",
  "PaperCut MF NG Vulnerability",
  "PaperCut NG Remote Web Access Attempt",
  "PaperCut NG Suspicious Behavior Debug Log",
@@ -1419,6 +1520,7 @@
  "PetitPotam Network Share Access Request",
  "PetitPotam Suspicious Kerberos TGT Request",
  "Phemedrone Stealer",
+ "PhishTank URL Reputation Analysis",
  "Ping Sleep Batch Command",
  "PingID",
  "PingID Mismatch Auth Source and Verification Response",
@@ -1488,6 +1590,7 @@
  "Previously Seen Zoom Child Processes - Initial",
  "Previously Seen Zoom Child Processes - Update",
  "Previously seen S3 bucket access by remote IP",
+ "Previously seen command line arguments",
  "Print Processor Registry Autostart",
  "Print Spooler Adding A Printer Driver",
  "Print Spooler Failed to Load a Plug-in",
@@ -1499,12 +1602,15 @@
  "Process Writing DynamicWrapperX",
  "Processes Tapping Keyboard Events",
  "Processes launching netsh",
+ "Prohibited Network Traffic Allowed",
  "Prohibited Traffic Allowed or Protocol Mismatch",
  "PromptFlux",
  "PromptLock",
+ "Protocol or Port Mismatch",
  "Protocols passing authentication in cleartext",
  "ProxyNotShell",
  "ProxyShell",
+ "ProxyShell ProxyNotShell Behavior Detected",
  "Qakbot",
  "Quasar RAT",
  "QuietVault",
@@ -1513,6 +1619,7 @@
  "Randomly Generated Windows Service Name",
  "Ransomware",
  "Ransomware Cloud",
+ "Ransomware Investigate and Contain",
  "Ransomware Notes bulk creation",
  "React2Shell",
  "Recon AVProduct Through Pwh or WMI",
@@ -1525,6 +1632,7 @@
  "Registry Keys for Creating SHIM Databases",
  "Regsvr32 Silent and Install Param Dll Loading",
  "Regsvr32 with Known Silent Switch Cmdline",
+ "Related Tickets Search Dispatch",
  "Remcos",
  "Remcos RAT File Creation in Remcos Folder",
  "Remcos client registry install entry",
@@ -1550,6 +1658,17 @@
  "Revil Ransomware",
  "Revil Registry Entry",
  "Rhysida Ransomware",
+ "Risk Notable Block Indicators",
+ "Risk Notable Enrich",
+ "Risk Notable Import Data",
+ "Risk Notable Investigate",
+ "Risk Notable Merge Events",
+ "Risk Notable Mitigate",
+ "Risk Notable Preprocess",
+ "Risk Notable Protect Assets and Users",
+ "Risk Notable Review Indicators",
+ "Risk Notable Verdict",
+ "Risk Rule for Dev Sec Ops by Repository",
  "Router and Infrastructure Security",
  "Rubeus Command Line Parameters",
  "Rubeus Kerberos Ticket Exports Through Winlogon Access",
@@ -1570,6 +1689,7 @@
  "SAM Database File Access Attempt",
  "SAP NetWeaver Exploitation",
  "SAP NetWeaver Visual Composer Exploitation Attempt",
+ "SLUI RunAs Elevated",
  "SLUI Spawning a Process",
  "SMB Traffic Spike",
  "SQL Injection",
@@ -1602,6 +1722,7 @@
  "Secret Blizzard",
  "SecretDumps Offline NTDS Dumping Tool",
  "Security Solution Tampering",
+ "ServiceNow Related Tickets Search",
  "ServicePrincipalNames Discovery with PowerShell",
  "ServicePrincipalNames Discovery with SetSPN",
  "Services Escalate Exe",
@@ -1629,7 +1750,12 @@
  "Splunk",
  "Splunk AppDynamics Secure Application Alert",
  "Splunk AppDynamics Secure Application Alerts",
+ "Splunk Attack Analyzer Dynamic Analysis",
+ "Splunk Automated Email Investigation",
  "Splunk Common Information Model (CIM)",
+ "Splunk Identifier Activity Analysis",
+ "Splunk Message Identifier Activity Analysis",
+ "Splunk Notable Related Tickets Search",
  "Splunk Stream HTTP",
  "Splunk Stream IP",
  "Splunk Stream TCP",
@@ -1641,6 +1767,8 @@
  "Spring4Shell CVE-2022-22965",
  "Spring4Shell Payload URL Request",
  "Sqlite Module In Temp Folder",
+ "Start Investigation",
+ "Steal or Forge Authentication Certificates Behavior Identified",
  "StealC Stealer",
  "Storm-0501 Ransomware",
  "Storm-2460 CLFS Zero Day Exploitation",
@@ -1747,16 +1875,19 @@
  "Termite Ransomware",
  "Text4Shell CVE-2022-42889",
  "Threat Activity by Snort IDs",
+ "Threat Intel Investigate",
  "Time Provider Persistence Registry",
  "Tomcat Session Deserialization Attempt",
  "Tomcat Session File Upload Attempt",
  "Trickbot",
  "Trickbot Named Pipe",
+ "TruSTAR Enrich Indicators",
  "Trusted Developer Utilities Proxy Execution",
  "Trusted Developer Utilities Proxy Execution MSBuild",
  "Tuoni",
  "UAC Bypass MMC Load Unsigned Dll",
  "UAC Bypass With Colorui COM Object",
+ "URL Outbound Traffic Filtering Dispatch",
  "USN Journal Deletion",
  "Uninstall App Using MsiExec",
  "Unknown Process Using The Kerberos Protocol",
@@ -1768,6 +1899,7 @@
  "Unusual Processes",
  "Unusually Long Command Line",
  "Unusually Long Content-Type Length",
+ "UrlScan IO Dynamic Analysis",
  "Use of Cleartext Protocols",
  "User Discovery With Env Vars PowerShell",
  "User Discovery With Env Vars PowerShell Script Block",
@@ -1783,6 +1915,8 @@
  "VanHelsing Ransomware",
  "Vbscript Execution Using Wscript App",
  "Verclsid CLSID Execution",
+ "VirusTotal V3 Dynamic Analysis",
+ "VirusTotal v3 Identifier Reputation Analysis",
  "Void Manticore",
  "VoidLink Cloud-Native Linux Malware",
  "Volt Typhoon",
@@ -1817,13 +1951,24 @@
  "WinRM Spawning a Process",
  "Windows .Key File Creation in Root Directory",
  "Windows AD Abnormal Object Access Activity",
+ "Windows AD AdminSDHolder ACL Modified",
+ "Windows AD Cross Domain SID History Addition",
+ "Windows AD DCShadow Privileges ACL Addition",
  "Windows AD DSRM Account Changes",
  "Windows AD DSRM Password Reset",
+ "Windows AD Dangerous Deny ACL Modification",
+ "Windows AD Dangerous Group ACL Modification",
+ "Windows AD Dangerous User ACL Modification",
  "Windows AD Domain Controller Audit Policy Disabled",
  "Windows AD Domain Controller Promotion",
+ "Windows AD Domain Replication ACL Addition",
+ "Windows AD Domain Root ACL Deletion",
+ "Windows AD Domain Root ACL Modification",
  "Windows AD GPO Deleted",
  "Windows AD GPO Disabled",
  "Windows AD GPO New CSE Addition",
+ "Windows AD Hidden OU Creation",
+ "Windows AD Object Owner Updated",
  "Windows AD Privileged Account SID History Addition",
  "Windows AD Privileged Group Modification",
  "Windows AD Privileged Object Access Activity",
@@ -1832,7 +1977,9 @@
  "Windows AD Replication Service Traffic",
  "Windows AD Rogue Domain Controller Network Activity",
  "Windows AD SID History Attribute Modified",
+ "Windows AD Same Domain SID History Addition",
  "Windows AD Self DACL Assignment",
+ "Windows AD ServicePrincipalName Added To Domain Account",
  "Windows AD Short Lived Domain Account ServicePrincipalName",
  "Windows AD Short Lived Domain Controller SPN Attribute",
  "Windows AD Short Lived Server Object",
@@ -1905,6 +2052,7 @@
  "Windows Bypass UAC via Pkgmgr Tool",
  "Windows CAB File on Disk",
  "Windows COM Hijacking InprocServer32 Modification",
+ "Windows Cabinet File Extraction Via Expand",
  "Windows Cached Domain Credentials Reg Query",
  "Windows Certificate Services",
  "Windows Certutil Root Certificate Addition",
@@ -1930,6 +2078,7 @@
  "Windows Command Shell DCRat ForkBomb Payload",
  "Windows Command and Scripting Interpreter Hunting Path Traversal",
  "Windows Command and Scripting Interpreter Path Traversal Exec",
+ "Windows Common Abused Cmd Shell Risk Behavior",
  "Windows Compatibility Telemetry Suspicious Child Process",
  "Windows Compatibility Telemetry Tampering Through Registry",
  "Windows Computer Account Changed to Domain Controller",
@@ -1985,6 +2134,7 @@
  "Windows Defender ASR Rule Disabled",
  "Windows Defender ASR Rules Stacking",
  "Windows Defender ASR or Threat Configuration Tamper",
+ "Windows Defender ATP Identifier Activity Analysis",
  "Windows Defender Alerts",
  "Windows Defender Exclusion Registry Entry",
  "Windows Defense Evasion Tactics",
@@ -2305,6 +2455,7 @@
  "Windows Modify Registry ProxyServer",
  "Windows Modify Registry Qakbot Binary Data Registry",
  "Windows Modify Registry Regedit Silent Reg Import",
+ "Windows Modify Registry Risk Behavior",
  "Windows Modify Registry Suppress Win Defender Notif",
  "Windows Modify Registry Tamper Protection",
  "Windows Modify Registry USeWuServer",
@@ -2386,6 +2537,7 @@
  "Windows Phishing PDF File Executes URL Link",
  "Windows Phishing Recent ISO Exec Registry",
  "Windows Possible Credential Dumping",
+ "Windows Post Exploitation Risk Behavior",
  "Windows Post-Exploitation",
  "Windows Potato Privilege Escalation Tool Execution",
  "Windows Potential AppDomainManager Hijack Artifacts Creation",
@@ -2425,6 +2577,7 @@
  "Windows Private Keys Discovery",
  "Windows Privilege Escalation",
  "Windows Privilege Escalation Attempt Via MSI Rollback",
+ "Windows Privilege Escalation Suspicious Process Elevation",
  "Windows Privilege Escalation System Process Without System Parent",
  "Windows Privilege Escalation User Process Spawn System Process",
  "Windows Privileged Group Modification",
@@ -2511,8 +2664,10 @@
  "Windows SIP WinVerifyTrust Failed Trust Validation",
  "Windows SOAPHound Binary Execution",
  "Windows SQL Server Configuration Option Hunt",
+ "Windows SQL Server Critical Procedures Enabled",
  "Windows SQL Server Extended Procedure DLL Loading Hunt",
  "Windows SQL Server Startup Procedure",
+ "Windows SQL Server xp_cmdshell Config Change",
  "Windows SQL Spawning CertUtil",
  "Windows SQLCMD Execution",
  "Windows SSH Proxy Command",
@@ -2573,6 +2728,7 @@
  "Windows SqlWriter SQLDumper DLL Sideload",
  "Windows Sqlservr Spawning Shell",
  "Windows Steal Authentication Certificates - ESC1 Abuse",
+ "Windows Steal Authentication Certificates - ESC1 Authentication",
  "Windows Steal Authentication Certificates CS Backup",
  "Windows Steal Authentication Certificates CertUtil Backup",
  "Windows Steal Authentication Certificates Certificate Issued",
@@ -2688,6 +2844,7 @@
  "XorDDos",
  "ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day",
  "ZOVWiper",
+ "ZScaler Outbound Traffic Filtering",
  "Zeek Conn",
  "Zeek x509 Certificate with Punycode",
  "Zoom High Video Latency",