More observable fixes, including renaming fields

in searchers.

detections/endpoint/net_profiler_uac_bypass.yml

@@ -39,7 +39,7 @@ tags:
   - T1548
   observable:
   - name: dest
-    type: Hostname
+    type: Endpoint
     role:
     - Victim
   product:

detections/endpoint/network_share_discovery_via_dir_command.yml

@@ -15,6 +15,7 @@ description: The following analytic identifies object access on Windows administ
   this behavior to try to infect other machines in the infected network.
 search: '`wineventlog_security` EventCode=5140 ShareName IN("\\\\*\\ADMIN$","\\\\*\\C$","*\\\\*\\IPC$") AccessMask= 0x1 
   | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer
+  | rename Computer as dest
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
   | `network_share_discovery_via_dir_command_filter`'
@@ -39,7 +40,7 @@ tags:
   mitre_attack_id:
   - T1135
   observable:
-  - name: Computer
+  - name: dest
     type: Endpoint
     role:
     - Victim

detections/endpoint/powershell_4104_hunting.yml

@@ -39,7 +39,8 @@ search: '`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i
   mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi,
   invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, compressed, downgrade,
   iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi,
-  invokecmd, base64, get, suspcmdlet, suspkeywrd | `powershell_4104_hunting_filter`'
+  invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer as dest, UserID as user
+  | `powershell_4104_hunting_filter`'
 how_to_implement: The following Hunting analytic requires PowerShell operational logs
   to be imported. Modify the powershell macro as needed to match the sourcetype or
   add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
@@ -63,17 +64,17 @@ tags:
   asset_type: Endpoint
   confidence: 100
   impact: 80
-  message: Powershell was identified on endpoint $Computer$ by user $UserID$ executing suspicious commands.
+  message: Powershell was identified on endpoint $host$ by user $user$ executing suspicious commands.
   mitre_attack_id:
   - T1059
   - T1059.001
   observable:
-  - name: UserID
+  - name: user
     type: User
     role:
     - Victim
-  - name: Computer
-    type: Hostname
+  - name: dest
+    type: Endpoint
     role:
     - Victim
   product:

detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml

@@ -22,7 +22,9 @@ data_source:
 - Powershell 4104
 search: '`powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*" | stats
   count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode
-  ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  ScriptBlockText  | rename Computer as dest, UserID as user
+  | `security_content_ctime(firstTime)`
+  |`security_content_ctime(lastTime)`
   | `powershell_get_localgroup_discovery_with_script_block_logging_filter`'
 how_to_implement: To successfully implement this analytic, you will need to enable
   PowerShell Script Block Logging on some or all endpoints. Additional setup here
@@ -41,16 +43,16 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 30
-  message: Local group discovery on $Computer$ by $UserID$.
+  message: Local group discovery on endpoint $dest$ by user $user$.
   mitre_attack_id:
   - T1069
   - T1069.001
   observable:
-  - name: Computer
+  - name: dest
     type: Endpoint
     role:
     - Victim
-  - name: UserID
+  - name: user
     type: User
     role:
     - Victim

detections/endpoint/process_deleting_its_process_file_path.yml

@@ -42,12 +42,12 @@ tags:
   confidence: 100
   impact: 60
   message: A process $Image$ tries to delete its process path in commandline $CommandLine$
-    as part of defense evasion in host $dest$
+    as part of defense evasion in host $dest$ by user $user$
   mitre_attack_id:
   - T1070
   observable:
   - name: dest
-    type: Hostname
+    type: Endpoint
     role:
     - Victim
   - name: user

detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml

@@ -14,8 +14,11 @@ data_source:
 - Powershell 4104
 search: '`powershell` EventCode=4104 (ScriptBlockText = "*$env:UserName*" OR ScriptBlockText
   = "*[System.Environment]::UserName*") | stats count min(_time) as firstTime max(_time)
-  as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter`'
+  as lastTime by EventCode ScriptBlockText Computer user_id 
+  | rename Computer as dest, user_id as user
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
+  | `user_discovery_with_env_vars_powershell_script_block_filter`'
 how_to_implement: To successfully implement this analytic, you will need to enable
   PowerShell Script Block Logging on some or all endpoints. Additional setup here
   https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -29,14 +32,18 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 30
-  message: System user discovery on $Computer$
+  message: System user discovery on endpoint $dest$ by user $user$
   mitre_attack_id:
   - T1033
   observable:
-  - name: Computer
+  - name: dest
     type: Endpoint
     role:
     - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml

@@ -16,8 +16,9 @@ description: The following analytic identifies the use of default or publicly kn
 data_source: []
 search: '`sysmon` EventCode IN (17, 18) EventType IN ( "CreatePipe", "ConnectPipe")
   PipeName IN ("\\RManFUSServerNotify32", "\\RManFUSCallbackNotify32", "\\RMSPrint*")
-  | stats  min(_time) as firstTime max(_time) as lastTime count by Image EventType
-  ProcessId PipeName dest UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | stats  min(_time) as firstTime max(_time) as lastTime count by Image EventType ProcessId PipeName dest UserID 
+  | rename UserID as user 
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name, parent process, and command-line executions from your
@@ -34,7 +35,7 @@ tags:
   asset_type: Endpoint
   confidence: 90
   impact: 90
-  message: possible RMS admin tool named pipe was created in $Computer$
+  message: possible RMS admin tool named pipe was created in endpoint $dest$
   mitre_attack_id:
   - T1071
   observable:

detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml

@@ -50,7 +50,7 @@ tags:
   - T1059
   observable:
   - name: dest
-    type: Hostname
+    type: Endpoint
     role:
     - Victim
   product:

detections/endpoint/windows_identify_protocol_handlers.yml

@@ -57,7 +57,7 @@ tags:
     role:
     - Victim
   - name: dest
-    type: Hostname
+    type: Endpoint
     role:
     - Victim
   - name: parent_process_name

detections/endpoint/windows_linked_policies_in_adsi_discovery.yml

@@ -14,7 +14,9 @@ data_source:
 search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText
   = "*objectcategory=organizationalunit*" ScriptBlockText = "*findAll()*" | stats
   count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText
-  Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  Computer user_id
+  | rename Computer as dest, user_id as user 
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `windows_linked_policies_in_adsi_discovery_filter`'
 how_to_implement: The following Hunting analytic requires PowerShell operational logs
   to be imported. Modify the powershell macro as needed to match the sourcetype or
@@ -31,13 +33,13 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: powershell process having commandline $ScriptBlockText$ for user enumeration on $Computer$
+  message: Windows PowerShell [Adsisearcher] was used user enumeration on $user$
   mitre_attack_id:
   - T1087.002
   - T1087
   observable:
-  - name: Computer
-    type: Hostname
+  - name: dest
+    type: Endpoint
     role:
     - Victim
   product:

detections/endpoint/windows_nirsoft_utilities.yml

@@ -48,7 +48,7 @@ tags:
     role:
     - Victim
   - name: dest
-    type: Hostname
+    type: Endpoint
     role:
     - Victim
   - name: parent_process_name

detections/endpoint/windows_non_system_account_targeting_lsass.yml

@@ -14,8 +14,9 @@ data_source:
 - Sysmon Event ID 1
 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser="NT AUTHORITY\\*")
   | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, parent_process_path ,parent_process_id, TargetImage,
-  GrantedAccess, SourceUser, TargetUser | rename TargetUser
-  as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
+  GrantedAccess, SourceUser, TargetUser 
+  | rename TargetUser as user 
+  | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
   | `windows_non_system_account_targeting_lsass_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name, parent process, and command-line executions from your
@@ -46,7 +47,7 @@ tags:
     role:
     - Victim
   - name: dest
-    type: Hostname
+    type: Endpoint
     role:
     - Victim
   - name: parent_process_path

detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml

@@ -15,6 +15,7 @@ data_source:
 search: '`sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*",
   "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as
   lastTime by dest Image Device ProcessGuid ProcessId EventDescription EventCode
+  | rename Computer as dest
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the raw access read event (like sysmon eventcode 9), process name and
@@ -40,13 +41,13 @@ tags:
   asset_type: Endpoint
   confidence: 100
   impact: 90
-  message: process accessing MBR $device$ on $Computer$
+  message: process accessing MBR $device$ on $dest$
   mitre_attack_id:
   - T1561.002
   - T1561
   observable:
   - name: dest
-    type: Hostname
+    type: Endpoint
     role:
     - Victim
   product:

detections/endpoint/windows_root_domain_linked_policies_discovery.yml

@@ -13,8 +13,11 @@ data_source:
 - Powershell 4104
 search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText
   = "*.SearchRooT*" ScriptBlockText = "*.gplink*" | stats count min(_time) as firstTime
-  max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `windows_root_domain_linked_policies_discovery_filter`'
+  max(_time) as lastTime by EventCode ScriptBlockText Computer user_id |
+  | rename Computer as dest, user_id as user 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
+  | `windows_root_domain_linked_policies_discovery_filter`'
 how_to_implement: The following Hunting analytic requires PowerShell operational logs
   to be imported. Modify the powershell macro as needed to match the sourcetype or
   add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
@@ -30,13 +33,13 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: powershell process having commandline $ScriptBlockText$ for user enumeration on $Computer$
+  message: Windows PowerShell [Adsisearcher] was used user enumeration on endpoint $dest$
   mitre_attack_id:
   - T1087.002
   - T1087
   observable:
-  - name: Computer
-    type: Hostname
+  - name: dest
+    type: Endpoint
     role:
     - Victim
   product:

detections/endpoint/windows_service_stop_win_updates.yml

@@ -15,6 +15,7 @@ search: '`wineventlog_system` EventCode=7040
   (service_name IN ("Update Orchestrator Service for Windows Update", "WaaSMedicSvc", "Windows Update") OR param1 IN ("UsoSvc", "WaaSMedicSvc", "wuauserv")) AND 
   (param3=disabled OR start_mode = disabled) 
   | stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 
+  | rename Computer as dest
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
   | `windows_service_stop_win_updates_filter`'
@@ -30,11 +31,11 @@ tags:
   asset_type: Endpoint
   confidence: 70
   impact: 70
-  message: Windows update services $service_name$ was being disabled on $Computer$
+  message: Windows update services $service_name$ was being disabled on $dest$
   mitre_attack_id:
   - T1489
   observable:
-  - name: Computer
+  - name: dest
     type: Endpoint
     role:
     - Victim

detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml

@@ -43,7 +43,9 @@ search: ' `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc000
   as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg
   , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3)
   | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
-  | search isOutlier=1 | `windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`'
+  | search isOutlier=1
+  | rename Workstation as src
+  |`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`'
 status: production
 tags:
   analytic_story:
@@ -52,15 +54,15 @@ tags:
   asset_type: Endpoint
   confidence: 70
   impact: 70
-  message: Potential NTLM based password spraying attack from $Workstation$
+  message: Potential NTLM based password spraying attack from $src$
   mitre_attack_id:
   - T1110.003
   - T1110
   observable:
-  - name: Workstation
+  - name: src
+    type: Endpoint
     role:
     - Attacker
-    type: Endpoint
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

detections/endpoint/windows_wmi_impersonate_token.yml

@@ -35,12 +35,12 @@ tags:
   confidence: 50
   impact: 50
   message: wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$
-    to $TargetImage$ process in $Computer$
+    to $TargetImage$ process in $dest$
   mitre_attack_id:
   - T1047
   observable:
   - name: dest
-    type: Hostname
+    type: Endpoint
     role:
     - Victim
   product: