Fix a large number of searches with observable issues. Discuss with t…

…eam before merging changes.

detections/endpoint/net_profiler_uac_bypass.yml

@@ -33,7 +33,7 @@ tags:
   confidence: 90
   impact: 70
   message: Suspicious modification of registry $registry_path$ with possible payload
-    path $registry_value_name$ in $dest$
+    path $registry_path$ and key $registry_key_name$ in $dest$
   mitre_attack_id:
   - T1548.002
   - T1548

detections/endpoint/network_share_discovery_via_dir_command.yml

@@ -35,7 +35,7 @@ tags:
   confidence: 50
   impact: 50
   message: $user$ list executable files or directory in known sensitive SMB share.  Share
-    name=$Share_Name$, Access mask=$Access_Mask$
+    name=$ShareName$, Access mask=$AccessMask$
   mitre_attack_id:
   - T1135
   observable:

detections/endpoint/powershell_4104_hunting.yml

@@ -37,7 +37,7 @@ search: '`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i
   | eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0) |
   addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade,
   mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi,
-  invokecmd, base64, get | stats values(Score) by DoIt, enccom, compressed, downgrade,
+  invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, compressed, downgrade,
   iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi,
   invokecmd, base64, get, suspcmdlet, suspkeywrd | `powershell_4104_hunting_filter`'
 how_to_implement: The following Hunting analytic requires PowerShell operational logs
@@ -63,8 +63,7 @@ tags:
   asset_type: Endpoint
   confidence: 100
   impact: 80
-  message: An instance of $parent_process_name$ spawning $process_name$ was identified
-    on endpoint $Computer$ by user $user$ executing suspicious commands.
+  message: Powershell was identified on endpoint $Computer$ by user $UserID$ executing suspicious commands.
   mitre_attack_id:
   - T1059
   - T1059.001
@@ -77,14 +76,6 @@ tags:
     type: Hostname
     role:
     - Victim
-  - name: parent_process_name
-    type: Process
-    role:
-    - Parent Process
-  - name: process_name
-    type: Process
-    role:
-    - Child Process
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml

@@ -41,16 +41,16 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 30
-  message: Local group discovery on $dest$ by $user$.
+  message: Local group discovery on $Computer$ by $UserID$.
   mitre_attack_id:
   - T1069
   - T1069.001
   observable:
-  - name: dest
+  - name: Computer
     type: Endpoint
     role:
     - Victim
-  - name: user
+  - name: UserID
     type: User
     role:
     - Victim

detections/endpoint/process_deleting_its_process_file_path.yml

@@ -37,7 +37,7 @@ tags:
   asset_type: Endpoint
   confidence: 100
   impact: 60
-  message: A process $Image$ tries to delete its process path in commandline $cmdline$
+  message: A process $Image$ tries to delete its process path in commandline $CommandLine$
     as part of defense evasion in host $Computer$
   mitre_attack_id:
   - T1070

detections/endpoint/spoolsv_spawning_rundll32.yml

@@ -15,7 +15,7 @@ data_source:
 - Sysmon Event ID 1
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe
-  `process_rundll32` by Processes.dest Processes.user Processes.parent_process Processes.original_file_name
+  `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name
   Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `spoolsv_spawning_rundll32_filter`'
@@ -42,7 +42,7 @@ tags:
   cve:
   - CVE-2021-34527
   impact: 80
-  message: $parent_process$ has spawned $process_name$ on endpoint $ComputerName$.
+  message: $parent_process_name$ has spawned $process_name$ on endpoint $dest$.
     This behavior is suspicious and related to PrintNightmare.
   mitre_attack_id:
   - T1547.012

detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml

@@ -29,11 +29,11 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 30
-  message: System user discovery on $dest$
+  message: System user discovery on $Computer$
   mitre_attack_id:
   - T1033
   observable:
-  - name: dest
+  - name: Computer
     type: Endpoint
     role:
     - Victim

detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml

@@ -34,7 +34,7 @@ tags:
   asset_type: Endpoint
   confidence: 90
   impact: 90
-  message: possible RMS admin tool named pipe was created in $dest$
+  message: possible RMS admin tool named pipe was created in $Computer$
   mitre_attack_id:
   - T1071
   observable:

detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml

@@ -17,7 +17,7 @@ data_source:
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime FROM datamodel=Endpoint.Processes  by Processes.original_file_name Processes.process_id
   Processes.parent_process_id Processes.process_hash Processes.dest Processes.user
-  Processes.parent_process Processes.process_name Processes.process | `drop_dm_object_name("Processes")`
+  Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name("Processes")`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval
   count_of_pattern1 = (mvcount(split(process,"/.."))-1) | eval count_of_pattern2 =
   (mvcount(split(process,"\.."))-1) | eval count_of_pattern3 = (mvcount(split(process,"\\.."))-1)

detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml

@@ -16,7 +16,7 @@ data_source:
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime FROM datamodel=Endpoint.Processes where  Processes.process="*\/..\/..\/..\/*"
   OR Processes.process="*\\..\\..\\..\\*" OR Processes.process="*\/\/..\/\/..\/\/..\/\/*"
-  by Processes.dest Processes.user Processes.parent_process Processes.process_name
+  by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
   Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id
   Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `windows_command_and_scripting_interpreter_path_traversal_exec_filter`'

detections/endpoint/windows_identify_protocol_handlers.yml

@@ -16,7 +16,7 @@ data_source:
 - Sysmon Event ID 1
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime values(Processes.process) as process values(Processes.parent_process)
-  as parent_process from datamodel=Endpoint.Processes  by Processes.dest Processes.user
+  as parent_process from datamodel=Endpoint.Processes  by Processes.dest Processes.parent_process_name Processes.user
   Processes.process_name Processes.process | `security_content_ctime(firstTime)` |
   `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup windows_protocol_handlers
   handler AS process OUTPUT handler ishandler | where ishandler="TRUE" | `windows_identify_protocol_handlers_filter`'

detections/endpoint/windows_linked_policies_in_adsi_discovery.yml

@@ -31,7 +31,7 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: powershell process having commandline $Message$ for user enumeration
+  message: powershell process having commandline $ScriptBlockText$ for user enumeration on $Computer$
   mitre_attack_id:
   - T1087.002
   - T1087

detections/endpoint/windows_nirsoft_utilities.yml

@@ -11,7 +11,7 @@ description: The following hunting analytic assists with identifying the proces
 data_source:
 - Sysmon Event ID 1
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process
+  as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name
   Processes.process_name Processes.process Processes.original_file_name Processes.process_path
   Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software`

detections/endpoint/windows_non_system_account_targeting_lsass.yml

@@ -35,7 +35,7 @@ tags:
   asset_type: Endpoint
   confidence: 80
   impact: 80
-  message: A process, $parent_process_path$, has loaded $ImageLoaded$ that are typically related
+  message: A process, $parent_process_path$, has loaded $TargetImage$ that are typically related
     to credential dumping on $dest$. Review for further details.
   mitre_attack_id:
   - T1003.001

detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml

@@ -39,7 +39,7 @@ tags:
   asset_type: Endpoint
   confidence: 100
   impact: 90
-  message: process accessing MBR $device$ in $dest$
+  message: process accessing MBR $device$ on $Computer$
   mitre_attack_id:
   - T1561.002
   - T1561

detections/endpoint/windows_replication_through_removable_media.yml

@@ -24,7 +24,7 @@ search: '|tstats `security_content_summariesonly` count min(_time) as firstTime
   = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name
   = *.js  OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name
   = *.pif) by Filesystem.file_create_time Filesystem.process_id  Filesystem.file_name
-  Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval
+  Filesystem.file_path Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | eval
   dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count
   = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) |
   where LIKE(root_drive, "%:") AND dropped_file_path_split_count = 2  AND root_drive!=
@@ -44,7 +44,7 @@ tags:
   asset_type: Endpoint
   confidence: 80
   impact: 80
-  message: executable or script $file_path$ was drop in root drive $root_drive$ in
+  message: executable or script $file_path$ was dropped in root drive $root_drive$ in
     $dest$
   mitre_attack_id:
   - T1091

detections/endpoint/windows_root_domain_linked_policies_discovery.yml

@@ -30,7 +30,7 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: powershell process having commandline $Message$ for user enumeration
+  message: powershell process having commandline $ScriptBlockText$ for user enumeration on $Computer$
   mitre_attack_id:
   - T1087.002
   - T1087

detections/endpoint/windows_security_account_manager_stopped.yml

@@ -34,7 +34,7 @@ tags:
   confidence: 100
   impact: 70
   message: 'The Windows Security Account Manager (SAM) was stopped via cli by $user$
-    on $dest$ by this command: $processs$'
+    on $dest$ by this command: $process$'
   mitre_attack_id:
   - T1489
   observable:

detections/endpoint/windows_service_stop_by_deletion.yml

@@ -15,7 +15,7 @@ data_source:
 search: '| tstats `security_content_summariesonly` values(Processes.process) as process
   min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
   where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe)
-  Processes.process="* delete *" by Processes.dest Processes.user Processes.parent_process
+  Processes.process="* delete *" by Processes.dest Processes.user Processes.parent_process_name
   Processes.process_name Processes.original_file_name Processes.process Processes.process_id
   Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`'

detections/endpoint/windows_service_stop_win_updates.yml

@@ -30,7 +30,7 @@ tags:
   asset_type: Endpoint
   confidence: 70
   impact: 70
-  message: Windows update services $service_name$ was being disabled on $dest$
+  message: Windows update services $service_name$ was being disabled on $Computer$
   mitre_attack_id:
   - T1489
   observable:

detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml

@@ -52,7 +52,7 @@ tags:
   asset_type: Endpoint
   confidence: 70
   impact: 70
-  message: Potential NTLM based password spraying attack from $Source_Workstation$
+  message: Potential NTLM based password spraying attack from $Workstation$
   mitre_attack_id:
   - T1110.003
   - T1110

detections/endpoint/windows_valid_account_with_never_expires_password.yml

@@ -16,7 +16,7 @@ data_source:
 search: '| tstats `security_content_summariesonly` values(Processes.process) as process
   min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
   where `process_net` AND Processes.process="* accounts *" AND Processes.process="*
-  /maxpwage:unlimited" by Processes.dest Processes.user Processes.parent_process Processes.process_name
+  /maxpwage:unlimited" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
   Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `windows_valid_account_with_never_expires_password_filter`'

detections/endpoint/windows_wmi_impersonate_token.yml

@@ -35,7 +35,7 @@ tags:
   confidence: 50
   impact: 50
   message: wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$
-    to $TargetImage$ process in $dest$
+    to $TargetImage$ process in $Computer$
   mitre_attack_id:
   - T1047
   observable:

detections/network/splunk_identified_ssl_tls_certificates.yml

@@ -35,11 +35,11 @@ tags:
   - CVE-2022-32151
   - CVE-2022-32152
   impact: 60
-  message: The following $dest$ is using the self signed Splunk certificate.
+  message: The following $host$ is using the self signed Splunk certificate.
   mitre_attack_id:
   - T1040
   observable:
-  - name: dest
+  - name: host
     type: Hostname
     role:
     - Victim