Conversation


@nasbench nasbench (Contributor) commented Jun 10, 2025

This PR promotes some experimental rules to production as well as fixes data sources of others:

Promoted Rules

  • DLLHost with no Command Line Arguments with Network
  • Linux Stdout Redirection To Dev Null File
  • PaperCut NG Suspicious Behavior Debug Log
  • Print Processor Registry Autostart
  • Windows AD Privileged Group Modification
  • Windows Rundll32 WebDav With Network Connection
  • Windows Vulnerable Driver Loaded
  • Windows WinLogon with Public Network Connection
  • 3CX Supply Chain Attack Network Indicators
  • Windows Rundll32 WebDav With Network Connection

This first list uses the manual_test tag, since it requires the execution of a baseline first or some other configs.

  • Abnormally High Number Of Cloud Infrastructure API Calls
  • Abnormally High Number Of Cloud Security Group API Calls
  • Cloud API Calls From Previously Unseen User Roles
  • Cloud Compute Instance Created By Previously Unseen User
  • Cloud Compute Instance Created In Previously Unused Region
  • Cloud Compute Instance Created With Previously Unseen Image
  • Cloud Compute Instance Created With Previously Unseen Instance Type
  • Cloud Instance Modified By Previously Unseen User
  • Detect AWS Console Login by New User
  • Windows Driver Inventory

The following list had its tests / logic updated to account for promotion:

  • Gsuite Drive Share In External Email

The following list contains rules that linked a broken test, hence the test section was removed:

  • Microsoft Intune Mobile Apps

Deprecated Rules

  • Windows AD Suspicious GPO Modification - This was deprecated as the logic was too complicated and no test was provided to accurately know the scope meant for it.

Updated Data Sources

  • Detect Remote Access Software Usage Registry
  • Disable Defender Enhanced Notification
  • Set Default PowerShell Execution Policy To Unrestricted or Bypass
  • SilentCleanup UAC Bypass
  • Windows AD DSRM Account Changes
  • Windows Modify Registry Qakbot Binary Data Registry
  • Windows Process Executed From Removable Media
  • Windows RunMRU Command Execution

Updated / Fixed Logic

  • Windows MOVEit Transfer Writing ASPX - Removed the unnecessary join, as we should care about any creation of those types of files, not only those created by system.
  • Detect Outbound SMB Traffic - Fixed an issue in the IP ranges, promoted the rule, and removed the zeek test that was incorrect.
  • Prohibited Network Traffic Allowed - Removed the incorrect zeek test link.

@nasbench nasbench added the WIP DO NOT MERGE Work in Progress label Jun 12, 2025
@nasbench nasbench added this to the v5.8.0 milestone Jun 16, 2025
@nasbench nasbench marked this pull request as ready for review June 17, 2025 09:15
@nasbench nasbench changed the title Analytics Updates Analytics Promotion & Updates Jun 17, 2025
@ljstella ljstella (Contributor) commented Jun 17, 2025

Updates:

  • Macros:

    • gsuite_drive.yml -> Updated to new sourcetype
  • Detections:

    • Gsuite Suspicious Shared File Name -> Swapped from Production to Experimental; test data no longer matches TA expectations, fields don't extract
    • Gsuite Drive Share In External Email -> Swapped back to Experimental, same test data issue

@ljstella ljstella (Contributor) left a comment

LGTM

@nasbench nasbench removed the WIP DO NOT MERGE Work in Progress label Jun 17, 2025
@pyth0n1c pyth0n1c (Collaborator) commented

LGTM

Just updated from develop - when it passes I will merge 😄

@pyth0n1c pyth0n1c merged commit 342ee7f into develop Jun 17, 2025
4 checks passed
@pyth0n1c pyth0n1c deleted the updates-june branch June 17, 2025 19:12
3 participants