Updating Github with Content from ESCU - v4.80.1
research bot committed Mar 25, 2024
1 parent 82b4cec commit ce4d19e
Showing 15 changed files with 39 additions and 39 deletions.
2 changes: 1 addition & 1 deletion contentctl.yml
Expand Up @@ -6,7 +6,7 @@ build:
path_root: dist
prefix: ESCU
build: 004210
version: 4.26.0
version: 4.80.1
label: ES Content Updates
author_name: Splunk Threat Research Team
author_email: research@splunk.com
2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/app.manifest
Expand Up @@ -5,7 +5,7 @@
"id": {
"group": null,
"name": "DA-ESS-ContentUpdate",
"version": "4.26.0"
"version": "4.80.1"
},
"author": [
{
8 changes: 4 additions & 4 deletions dist/DA-ESS-ContentUpdate/default/analyticstories.conf


6 changes: 3 additions & 3 deletions dist/DA-ESS-ContentUpdate/default/app.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2024-03-20T22:50:47 UTC
# On Date: 2024-03-25T21:23:52 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: research@splunk.com
#############
Expand All @@ -10,7 +10,7 @@
is_configured = false
state = enabled
state_change_requires_restart = false
build = 20240320224914
build = 20240325212206

[triggers]
reload.analytic_stories = simple
Expand All @@ -26,7 +26,7 @@ reload.es_investigations = simple

[launcher]
author = Splunk
version = 4.26.0
version = 4.80.1
description = Explore the Analytic Stories included with ES Content Updates.

[ui]
2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/default/collections.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2024-03-20T22:50:47 UTC
# On Date: 2024-03-25T21:23:52 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: research@splunk.com
#############
4 changes: 2 additions & 2 deletions dist/DA-ESS-ContentUpdate/default/content-version.conf
@@ -1,8 +1,8 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2024-03-20T22:50:47 UTC
# On Date: 2024-03-25T21:23:52 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: research@splunk.com
#############
[content-version]
version = 4.26.0
version = 4.80.1
2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/default/es_investigations.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2024-03-20T22:50:47 UTC
# On Date: 2024-03-25T21:23:52 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: research@splunk.com
#############
2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/default/macros.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2024-03-20T22:50:47 UTC
# On Date: 2024-03-25T21:23:52 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: research@splunk.com
#############
38 changes: 19 additions & 19 deletions dist/DA-ESS-ContentUpdate/default/savedsearches.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2024-03-20T22:50:47 UTC
# On Date: 2024-03-25T21:23:52 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: research@splunk.com
#############
Expand Down Expand Up @@ -3516,7 +3516,7 @@ action.escu.full_search_name = ESCU - ASL AWS Concurrent Sessions From Different
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Amazon Security Lake"]
action.escu.analytic_story = ["Compromised User Account", "AWS Identity and Access Management Account"]
action.escu.analytic_story = ["Compromised User Account", "AWS Identity and Access Management Account Takeover"]
action.risk = 1
action.risk.param._risk_message = User $identity.user.name$ has concurrent sessions from more than one unique IP address $src_endpoint.ip$ in the span of 5 minutes.
action.risk.param._risk = [{"risk_object_field": "identity.user.credential_uid", "risk_object_type": "user", "risk_score": 42}, {"threat_object_field": "src_endpoint.ip", "threat_object_type": "ip_address"}]
Expand All @@ -3527,7 +3527,7 @@ dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Experimental - ASL AWS Concurrent Sessions From Different Ips - Rule
action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.AE"]}
action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
Expand Down Expand Up @@ -20624,14 +20624,14 @@ If Splunk>Phantom is also configured in your environment, a Playbook called "Exc
(Playbook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`).\

action.escu.known_false_positives = It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.
action.escu.creation_date = 2024-02-14
action.escu.modification_date = 2024-02-14
action.escu.creation_date = 2024-03-19
action.escu.modification_date = 2024-03-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Excessive Account Lockouts From Endpoint - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Account Monitoring and Controls"]
action.escu.analytic_story = ["Active Directory Password Spraying"]
action.risk = 1
action.risk.param._risk_message = Multiple accounts have been locked out. Review $dest$ and results related to $user$.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}]
Expand All @@ -20642,7 +20642,7 @@ dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Excessive Account Lockouts From Endpoint - Rule
action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]}
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
Expand All @@ -20664,14 +20664,14 @@ action.escu.data_models = ["Change"]
action.escu.eli5 = This search detects user accounts that have been locked out a relatively high number of times in a short period.
action.escu.how_to_implement = ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.
action.escu.known_false_positives = It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.
action.escu.creation_date = 2022-08-25
action.escu.modification_date = 2022-08-25
action.escu.creation_date = 2024-03-19
action.escu.modification_date = 2024-03-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Detect Excessive User Account Lockouts - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Account Monitoring and Controls"]
action.escu.analytic_story = ["Active Directory Password Spraying"]
action.risk = 1
action.risk.param._risk_message = Excessive user account lockouts for $user$ in a short period of time
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}]
Expand All @@ -20682,7 +20682,7 @@ dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Detect Excessive User Account Lockouts - Rule
action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"]}
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
Expand Down Expand Up @@ -40934,14 +40934,14 @@ action.escu.data_models = ["Change"]
action.escu.eli5 = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack.
action.escu.how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/
action.escu.known_false_positives = It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised.
action.escu.creation_date = 2020-07-06
action.escu.modification_date = 2020-07-06
action.escu.creation_date = 2024-03-19
action.escu.modification_date = 2024-03-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Short Lived Windows Accounts - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Account Monitoring and Controls"]
action.escu.analytic_story = ["Active Directory Lateral Movement"]
action.risk = 1
action.risk.param._risk_message = A user account created or delete shortly in host $dest$
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}]
Expand All @@ -40952,7 +40952,7 @@ dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Short Lived Windows Accounts - Rule
action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
Expand Down Expand Up @@ -47155,14 +47155,14 @@ action.escu.data_models = ["Change"]
action.escu.eli5 = The following analytic identifies a new local user account added to a computer. Note that, this should be restricted to critical assets.
action.escu.how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/
action.escu.known_false_positives = It is possible that an administrator created the account. Verifying activity with an administrator is advised. This analytic is set to anomaly to allow for risk to be added. Filter and tune as needed. Restrict to critical infrastructure to reduce any volume.
action.escu.creation_date = 2022-10-05
action.escu.modification_date = 2022-10-05
action.escu.creation_date = 2024-03-19
action.escu.modification_date = 2024-03-19
action.escu.confidence = high
action.escu.full_search_name = ESCU - Windows Create Local Account - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = null
action.escu.analytic_story = ["Account Monitoring and Controls"]
action.escu.analytic_story = ["Active Directory Password Spraying"]
action.risk = 1
action.risk.param._risk_message = The following $user$ was added to $dest$ as a local account.
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}]
Expand All @@ -47173,7 +47173,7 @@ dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Windows Create Local Account - Rule
action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 90, "impact": 20, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]}
action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying"], "cis20": ["CIS 10"], "confidence": 90, "impact": 20, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]}
schedule_window = auto
alert.digest_mode = 1
disabled = true
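Review bot: The `action.escu.creation_date` lines in the Detect Excessive Account Lockouts From Endpoint, Detect Excessive User Account Lockouts, Short Lived Windows Accounts and Windows Create Local Account stanzas are rewritten to 2024-03-19 alongside the analytic_story re-mapping, which discards the original authoring dates (2024-02-14, 2022-08-25, 2020-07-06, 2022-10-05) and leaves creation_date indistinguishable from modification_date. A story re-assignment should only move `action.escu.modification_date = 2024-03-19`; anything downstream that uses creation_date to distinguish new detections from updated ones will presumably now treat these four long-standing rules as new content. This file is generated by generator.py, so the correction belongs in the source detection YAML rather than here, and should then be re-generated. The paired `action.escu.analytic_story` and `action.correlationsearch.annotations` updates in each stanza are consistent with each other, so the story renames themselves look complete. Every affected stanza starts and ends outside its hunk.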
2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/default/transforms.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2024-03-20T22:50:47 UTC
# On Date: 2024-03-25T21:23:52 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: research@splunk.com
#############
2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/default/workflow_actions.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2024-03-20T22:50:47 UTC
# On Date: 2024-03-25T21:23:52 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: research@splunk.com
#############
2 changes: 1 addition & 1 deletion dist/api/detections.json


2 changes: 1 addition & 1 deletion dist/api/macros.json


2 changes: 1 addition & 1 deletion dist/api/stories.json


2 changes: 1 addition & 1 deletion dist/api/version.json
@@ -1 +1 @@
{"version": {"name": "v4.26.0", "published_at": "2024-03-20T22:53:52Z"}}
{"version": {"name": "v4.80.1", "published_at": "2024-03-25T21:27:37Z"}}
