Merge pull request #2855 from splunk/sysmon_fix

Sysmon searches updated to use CIM fields

detections/deprecated/detect_mimikatz_using_loaded_images.yml

@@ -10,9 +10,8 @@ description: This search looks for reading loaded Images unique to credential du
 data_source:
 - Sysmon Event ID 7
 search: '`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId)
-  as ProcessId by Computer, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll
-  ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | rename
-  Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
+  as ProcessId by dest, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll
+  ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
   | `detect_mimikatz_using_loaded_images_filter`'
 how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which
   includes EventCode 7 with powershell.exe. This search uses an input macro named
@@ -61,7 +60,7 @@ tags:
   - EventCode
   - ImageLoaded
   - ProcessId
-  - Computer
+  - dest
   - Image
   risk_score: 64
   security_domain: endpoint

detections/deprecated/dump_lsass_via_procdump_rename.yml

@@ -17,8 +17,7 @@ description: 'Detect a renamed instance of procdump.exe dumping the lsass proces
 data_source:
 - Sysmon Event ID 1
 search: '`sysmon` OriginalFileName=procdump  process_name!=procdump*.exe  EventID=1
-  (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | rename Computer as
-  dest |  stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,
+  (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* |  stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,
   process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
@@ -64,7 +63,7 @@ tags:
   - process_name
   - EventID
   - CommandLine
-  - Computer
+  - dest
   - parent_process_name
   risk_score: 80
   security_domain: endpoint

detections/deprecated/unsigned_image_loaded_by_lsass.yml

@@ -10,8 +10,8 @@ description: This search detects loading of unsigned images by LSASS. Deprecated
 data_source:
 - Sysmon Event ID 7
 search: '`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time)
-  as firstTime max(_time) as lastTime by Computer, Image, ImageLoaded, Signed, SHA1
-  | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
+  as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1
+   | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
   | `unsigned_image_loaded_by_lsass_filter` '
 how_to_implement: This search needs Sysmon Logs with a sysmon configuration, which
   includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`.

detections/endpoint/access_lsass_memory_for_dump_creation.yml

@@ -9,8 +9,8 @@ description: The following analytic is designed to detect potentially malicious
 data_source:
 - Sysmon Event ID 1
 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll*
-  | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage,
-  TargetProcessId, SourceImage, SourceProcessId | rename Computer as dest | `security_content_ctime(firstTime)`|
+  | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage,
+  TargetProcessId, SourceImage, SourceProcessId  | `security_content_ctime(firstTime)`|
   `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter` '
 how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which
   includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`.
@@ -53,7 +53,7 @@ tags:
   - EventCode
   - TargetImage
   - CallTrace
-  - Computer
+  - dest
   - TargetProcessId
   - SourceImage
   - SourceProcessId

detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml

@@ -13,7 +13,7 @@ data_source:
 search: '`sysmon` EventCode=7  ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll",
   "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*",
   "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime
-  by dest Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)`
+  by dest Image ImageLoaded process_name EventCode Signed ProcessId | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name and imageloaded executions from your endpoints. If you
@@ -49,7 +49,7 @@ tags:
   - Image
   - ImageLoaded
   - process_name
-  - Computer
+  - dest
   - EventCode
   - Signed
   - ProcessId

detections/endpoint/cobalt_strike_named_pipes.yml

@@ -22,8 +22,7 @@ data_source:
 search: '`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNamePipe*,
   \\srvsvc_*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*,
   \\winsock*, \\UIA_PIPE*)  | stats count min(_time) as firstTime max(_time) as lastTime
-  by Computer, process_name, process_id process_path, PipeName | rename Computer as
-  dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  by dest, process_name, process_id process_path, PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `cobalt_strike_named_pipes_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name, parent process, and command-line executions from your
@@ -70,7 +69,7 @@ tags:
   - _time
   - EventID
   - PipeName
-  - Computer
+  - dest
   - process_name
   - process_path
   - process_id

detections/endpoint/create_remote_thread_in_shell_application.yml

@@ -13,7 +13,7 @@ data_source:
 - Sysmon Event ID 8
 search: '`sysmon` EventCode=8 TargetImage IN ("*\\cmd.exe", "*\\powershell*") | stats
   count min(_time) as firstTime max(_time) as lastTime by  TargetImage TargetProcessId
-  SourceProcessId  EventCode StartAddress SourceImage Computer | `security_content_ctime(firstTime)`
+  SourceProcessId  EventCode StartAddress SourceImage dest | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `create_remote_thread_in_shell_application_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name, parent process, and command-line executions from your
@@ -31,11 +31,11 @@ tags:
   confidence: 100
   impact: 70
   message: process $SourceImage$ create a remote thread to shell app process $TargetImage$
-    in host $Computer$
+    in host $dest$
   mitre_attack_id:
   - T1055
   observable:
-  - name: Computer
+  - name: dest
     type: Hostname
     role:
     - Victim
@@ -55,7 +55,7 @@ tags:
   - SourceProcessId
   - StartAddress
   - EventCode
-  - Computer
+  - dest
   risk_score: 70
   security_domain: endpoint
 tests:

detections/endpoint/create_remote_thread_into_lsass.yml

@@ -9,8 +9,7 @@ description: The following analytic developed to detect potential credential dum
 data_source:
 - Sysmon Event ID 8
 search: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime
-  max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | rename
-  Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
+  max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
   | `create_remote_thread_into_lsass_filter`'
 how_to_implement: This search needs Sysmon Logs with a Sysmon configuration, which
   includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`.
@@ -50,7 +49,7 @@ tags:
   - _time
   - EventID
   - TargetImage
-  - Computer
+  - dest
   - EventCode
   - TargetImage
   - TargetProcessId

detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml

@@ -13,8 +13,8 @@ description: Detect the hands on keyboard behavior of Windows Task Manager creat
 data_source:
 - Sysmon Event ID 1
 search: '`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp |
-  stats count min(_time) as firstTime max(_time) as lastTime by Computer, object_category,
-  process_name, TargetFilename | rename Computer as dest | `security_content_ctime(firstTime)`
+  stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category,
+  process_name, TargetFilename  | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`'
 how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which
   includes EventCode 11 for detecting file create of lsass.dmp. This search uses an
@@ -54,7 +54,7 @@ tags:
   - EventID
   - process_name
   - TargetFilename
-  - Computer
+  - dest
   - object_category
   risk_score: 80
   security_domain: endpoint

detections/endpoint/detect_credential_dumping_through_lsass_access.yml

@@ -10,9 +10,8 @@ description: This search looks for reading lsass memory consistent with credenti
 data_source:
 - Sysmon Event ID 1
 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410)
-  | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SourceImage,
-  SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | rename
-  Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
+  | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage,
+  SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
   | `detect_credential_dumping_through_lsass_access_filter` '
 how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which
   includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`.
@@ -56,7 +55,7 @@ tags:
   - EventCode
   - TargetImage
   - GrantedAccess
-  - Computer
+  - dest
   - SourceImage
   - SourceProcessId
   - TargetImage

detections/endpoint/detect_regasm_with_network_connection.yml

@@ -18,7 +18,7 @@ description: The following analytic identifies regasm.exe with a network connect
 data_source:
 - Sysmon Event ID 3
 search: '`sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16
-  process_name=regasm.exe | rename Computer as dest | stats count min(_time) as firstTime
+  process_name=regasm.exe  | stats count min(_time) as firstTime
   max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
@@ -40,7 +40,7 @@ tags:
   confidence: 100
   impact: 80
   message: An instance of $process_name$ contacting a remote destination was identified
-    on endpoint $Computer$ by user $user$. This behavior is not normal for $process_name$.
+    on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.
   mitre_attack_id:
   - T1218
   - T1218.009
@@ -66,7 +66,7 @@ tags:
   - EventID
   - dest_ip
   - process_name
-  - Computer
+  - dest
   - user
   - src_ip
   - dest_host

detections/endpoint/detect_regsvcs_with_network_connection.yml

@@ -18,7 +18,7 @@ description: The following analytic identifies Regsvcs.exe with a network connec
 data_source:
 - Sysmon Event ID 3
 search: '`sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16
-  process_name=regsvcs.exe | rename Computer as dest | stats count min(_time) as firstTime
+  process_name=regsvcs.exe  | stats count min(_time) as firstTime
   max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
@@ -40,7 +40,7 @@ tags:
   confidence: 100
   impact: 80
   message: An instance of $process_name$ contacting a remote destination was identified
-    on endpoint $Computer$ by user $user$. This behavior is not normal for $process_name$.
+    on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.
   mitre_attack_id:
   - T1218
   - T1218.009
@@ -66,7 +66,7 @@ tags:
   - EventID
   - dest_ip
   - process_name
-  - Computer
+  - dest
   - user
   - src_ip
   - dest_host

detections/endpoint/detect_wmi_event_subscription_persistence.yml

@@ -64,7 +64,7 @@ tags:
   required_fields:
   - _time
   - Destination
-  - Computer
+  - dest
   - User
   risk_score: 63
   security_domain: endpoint

detections/endpoint/download_files_using_telegram.yml

@@ -13,8 +13,8 @@ description: The following analytic will identify a suspicious download by the T
 data_source:
 - Sysmon Event ID 15
 search: '`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier"
-  |stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode
-  Image process_id TargetFilename Hash | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode
+  process_name process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `download_files_using_telegram_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name and TargetFilename from your endpoints or Events that
@@ -45,7 +45,7 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - Computer
+  - dest
   - EventCode
   - Image
   - process_id

detections/endpoint/drop_icedid_license_dat.yml

@@ -12,7 +12,7 @@ data_source:
 - Sysmon Event ID 11
 search: '`sysmon` EventCode= 11  TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*"
   OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time)
-  as lastTime by TargetFilename EventCode process_id  process_name Computer | rename Computer as dest  | `security_content_ctime(firstTime)`
+  as lastTime by TargetFilename EventCode process_id  process_name dest | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name, parent process, and command-line executions from your
@@ -27,7 +27,7 @@ tags:
   asset_type: Endpoint
   confidence: 90
   impact: 70
-  message: A process $process_name$ create a file $TargetFilename$ on host $dest$
+  message: A process $process_name$ created a file $TargetFilename$ on host $dest$
   mitre_attack_id:
   - T1204
   - T1204.002
@@ -53,4 +53,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: xmlwineventlog
+    sourcetype: xmlwineventlog

detections/endpoint/excessive_file_deletion_in_windefender_folder.yml

@@ -15,7 +15,7 @@ data_source:
 - Sysmon Event ID 23
 search: '`sysmon` EventCode=23 TargetFilename = "*\\ProgramData\\Microsoft\\Windows
   Defender*" | stats values(TargetFilename) as deleted_files min(_time) as firstTime
-  max(_time) as lastTime count by user EventCode Image ProcessID Computer |where count
+  max(_time) as lastTime count by user EventCode Image ProcessID dest |where count
   >=50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `excessive_file_deletion_in_windefender_folder_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
@@ -33,15 +33,15 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: High frequency file deletion activity detected on host $Computer$
+  message: High frequency file deletion activity detected on host $dest$
   mitre_attack_id:
   - T1485
   observable:
   - name: user
     type: User
     role:
     - Victim
-  - name: Computer
+  - name: dest
     type: Endpoint
     role:
     - Victim
@@ -57,7 +57,7 @@ tags:
   - _time
   - EventCode
   - TargetFilename
-  - Computer
+  - dest
   - user
   - Image
   - ProcessID

detections/endpoint/excessive_usage_of_nslookup_app.yml

@@ -14,8 +14,8 @@ description: This search is to detect potential DNS exfiltration using nslookup
 data_source:
 - Sysmon Event ID 1
 search: '`sysmon` EventCode = 1 process_name = "nslookup.exe" | bucket _time span=1m
-  | stats count as numNsLookup by Computer, _time | eventstats avg(numNsLookup) as
-  avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by Computer |
+  | stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as
+  avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by dest |
   eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(numNsLookup
   > 20 and numNsLookup >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter`'
@@ -37,12 +37,12 @@ tags:
   asset_type: Endpoint
   confidence: 70
   impact: 40
-  message: Excessive usage of nslookup.exe has been detected on $Computer$. This detection
+  message: Excessive usage of nslookup.exe has been detected on $dest$. This detection
     is triggered as as it violates the dynamic threshold
   mitre_attack_id:
   - T1048
   observable:
-  - name: Computer
+  - name: dest
     type: Endpoint
     role:
     - Victim
@@ -52,7 +52,7 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - Computer
+  - dest
   - process_name
   - EventCode
   risk_score: 28

detections/endpoint/excessive_usage_of_sc_service_utility.yml

@@ -12,8 +12,8 @@ description: This search is to detect a suspicious excessive usage of sc.exe in
 data_source:
 - Sysmon Event ID 1
 search: '`sysmon` EventCode = 1 process_name = "sc.exe" |  bucket _time span=15m |
-  stats values(process) as process count as numScExe by Computer, _time |  eventstats
-  avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by Computer
+  stats values(process) as process count as numScExe by dest, _time |  eventstats
+  avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest
   |  eval upperThreshold=(avgScExe + stdScExe *3) |  eval isOutlier=if(avgScExe >
   5 and avgScExe >= upperThreshold, 1, 0) |  search isOutlier=1 | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`'
@@ -37,7 +37,7 @@ tags:
   - T1569
   - T1569.002
   observable:
-  - name: Computer
+  - name: dest
     type: Endpoint
     role:
     - Victim