Splunk Security Content
Home Page: https://research.splunk.com
License: Apache License 2.0
This detection failed automated testing. Please review.
From Slack:
I believe the ESCU - Processes launching netsh - Rule is broken. ES version 6.2.0, ESCU version 3.0.3. The where clause is looking in Processes.process, but that is the full command line. Using Processes.process_name works.
tested with attack range technique: https://github.com/redcanaryco/atomic-red-team/blob/7e4580a1e80310ca5e6652a3e54a633143290526/atomics/T1562.004/T1562.004.yaml
Reported by Josef Kuepker
NO risk alert action in the yml
We are shipping empty macros in our app and that breaks the detection. We need to figure out a better solution for shipping macros that we expect our users to customize
There are a couple of syntax issues with the unusual command-line detection.
This should be the right syntax:
| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null))
| eval cmd_line=ucast(map_get(input_event, "process"), "string", null),
dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null),
dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null),
process_name=ucast(map_get(input_event, "process_name"), "string", null)
| where cmd_line!=null and dest_user_id!=null
| eval cmd_line_norm=replace(cast(cmd_line, "string"), /\s(--?\w+)|(\/\w+)/, " ARG"),
cmd_line_norm=replace(cmd_line_norm, /\w:\\[^\s]+/, "PATH"),
cmd_line_norm=replace(cmd_line_norm, /\d+/, "N"),
input=parse_double(len(coalesce(cmd_line_norm, "")))
| adaptive_threshold algorithm="quantile" entity="process_name" window=60480000
| where label AND quantile>0.99
| first_time_event cache_partitions=1 input_columns="dest_device_id,cmd_line"
| where first_time_dest_device_id_cmd_line
| eval start_time = timestamp,
end_time = timestamp,
entities = mvappend(dest_device_id, dest_user_id),
body = "TBD";
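What the SSA pipeline above computes, as an added Python example (not code from the original issue or from the security_content project): the three replace() calls transcribed as regexes, a nearest-rank quantile standing in for adaptive_threshold algorithm="quantile", and the first_time_event check on (dest_device_id, cmd_line). The baseline window is modelled as a separate training set scored once, and every event below is constructed, not real telemetry.

```python
import math
import re
from collections import defaultdict

# The three replace() calls from the SSA search, transcribed into Python regexes.
ARG_RE = re.compile(r"\s(--?\w+)|(/\w+)")   # " -flag", " --flag" or "/flag" -> " ARG"
PATH_RE = re.compile(r"\w:\\[^\s]+")        # "C:\path\to\thing.exe"        -> "PATH"
NUM_RE = re.compile(r"\d+")                 # runs of digits                 -> "N"


def normalize_cmd_line(cmd_line):
    """Collapse flags, Windows paths and numbers so only the command's shape remains."""
    norm = ARG_RE.sub(" ARG", cmd_line)
    norm = PATH_RE.sub("PATH", norm)
    norm = NUM_RE.sub("N", norm)
    return norm


def quantile(values, q):
    """Nearest-rank quantile; stands in for adaptive_threshold algorithm="quantile"."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def build_baseline(events):
    """Per process_name, the normalized command-line lengths seen in the window."""
    baseline = defaultdict(list)
    for ev in events:
        if ev.get("process") is not None:
            baseline[ev["process_name"]].append(len(normalize_cmd_line(ev["process"])))
    return baseline


def detect_unusual_cmd_lines(events, baseline, q=0.99, seen_pairs=None):
    """Alert when the normalized length exceeds the q-quantile for that process_name
    AND the (dest_device_id, cmd_line) pair has never been seen (first_time_event)."""
    seen_pairs = set(seen_pairs or ())
    alerts = []
    for ev in events:
        if ev.get("process") is None or ev.get("dest_user_id") is None:
            continue  # | where cmd_line!=null and dest_user_id!=null
        name = ev["process_name"]
        length = len(normalize_cmd_line(ev["process"]))
        pair = (ev["dest_device_id"], ev["process"])
        past = baseline.get(name)
        if past and length > quantile(past, q) and pair not in seen_pairs:
            alerts.append({"start_time": ev["_time"], "end_time": ev["_time"],
                           "entities": [ev["dest_device_id"], ev["dest_user_id"]],
                           "process_name": name, "normalized_length": length})
        seen_pairs.add(pair)
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _event(t, device, user, cmd):
    return {"_time": t, "dest_device_id": device, "dest_user_id": user,
            "process_name": cmd.split()[0].rsplit("\\", 1)[-1], "process": cmd}


# Constructed sample data: a benign baseline window, then new events containing one
# null-user row (dropped), an encoded command on ws-07 twice and the same on ws-09.
BASELINE_EVENTS = [_event(1600000000 + 60 * i, "ws-%02d" % (i % 3 + 1), "alice",
                          PS + " -NoProfile -Command Get-Date") for i in range(6)]
BASELINE_EVENTS.append(_event(1600000400, "ws-02", "alice", PS + " -Command whoami"))
ENCODED = PS + " -nop -w hidden -enc " + "QUFB" * 60
NEW_EVENTS = [
    _event(1600000460, "ws-03", None, PS + " -Command whoami"),
    _event(1600000520, "ws-07", "svc-backup", ENCODED),
    _event(1600000580, "ws-07", "svc-backup", ENCODED),
    _event(1600000640, "ws-09", "svc-backup", ENCODED),
]


def run_sample():
    baseline = build_baseline(BASELINE_EVENTS)
    seen = {(ev["dest_device_id"], ev["process"]) for ev in BASELINE_EVENTS}
    return detect_unusual_cmd_lines(NEW_EVENTS, baseline, seen_pairs=seen)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The second ws-07 event is suppressed by the first-time check, not by the threshold; the ws-09 event alerts again because the (device, cmd_line) pair is new. Note the ARG regex leaves a double space before "/flag" style arguments, exactly as the SSA replace() does.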
"panels = " without stanza in es_investigations.conf is causing an error message:
[panel_group://workbench_panel_group_]
label = Detect Zerologon Attack
description = Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.
disabled = 0
panels =
Deleting this entry ("panels =") solves the problem.
Sometimes, if a description has multiple lines and they are not escaped, the converted output is not packagable and slim fails. See the following error as an example:
https://app.circleci.com/jobs/github/splunk/security-content/3002
We should introduce a validate.py check for lines with empty spaces so this does not flow through the pipeline.
The following story, for example, has the correctly escaped newline chars: https://github.com/splunk/security-content/blob/develop/stories/apache_struts.yml
With the latest ESCU build https://repo.splunk.com/artifactory/Solutions/DA/da-ess-contentupdate/builds/develop/latest/DA-ESS-ContentUpdate-3.0.6-7947.spl we are unable to load the ES content management UI page.
This can be reproduced in nightly6, nightly1 etc - https://soln-esnightly6.sv.splunk.com:8000/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/search?q=search%20index%3D%22_internal%22%20TypeError&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&sid=1600716139.2224
This happens after this latest version of ESCU gets installed whereas the previous version works with the content management. Also seeing these errors while trying to load this page -
09-21-2020 12:22:16.524 -0700 ERROR AdminManagerExternal [2453 TcpChannelThread] - Unexpected error "<class 'TypeError'>" from python handler: "the JSON object must be str, bytes or bytearray, not NoneType". See splunkd.log for more details.
09-21-2020 12:22:16.524 -0700 ERROR AdminManagerExternal [2453 TcpChannelThread] - Stack trace from python handler:
Traceback (most recent call last):
  File "/usr/local/bamboo/splunk-install/current/lib/python3.7/site-packages/splunk/admin.py", line 114, in init_persistent
    hand.execute(info)
  File "/usr/local/bamboo/splunk-install/current/lib/python3.7/site-packages/splunk/admin.py", line 637, in execute
    if self.requestedAction == ACTION_LIST: self.handleList(confInfo)
  File "/usr/local/bamboo/splunk-install/current/etc/apps/SplunkEnterpriseSecuritySuite/lib/SplunkEnterpriseSecuritySuite/rest_handler.py", line 369, in wrapper
    r = f(self, *args, **kwargs)
  File "/usr/local/bamboo/splunk-install/current/etc/apps/SplunkEnterpriseSecuritySuite/bin/es_investigations_rest_handler.py", line 244, in handleList
    stanza_name, stanza_attributes, klass))
  File "/usr/local/bamboo/splunk-install/current/etc/apps/SplunkEnterpriseSecuritySuite/bin/es_investigations_rest_handler.py", line 527, in get_panels_from_stanza
    panel_list = json.loads(stanza_attributes.get('panels', '[]'))
  File "/usr/local/bamboo/splunk-install/current/lib/python3.7/json/__init__.py", line 341, in loads
    raise TypeError(f'the JSON object must be str, bytes or bytearray, '
TypeError: the JSON object must be str, bytes or bytearray, not NoneType
This is not seen with older builds - https://repo.splunk.com/artifactory/Solutions/DA/da-ess-contentupdate/builds/develop/7931/
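Both the unescaped multi-line description that breaks slim packaging and the empty "panels =" attribute that crashes the content management page come down to how a generated .conf is validated and read. The following is an added Python example, not code from security_content or from Enterprise Security: a validate.py-style check for lines that are not a stanza header, key = value pair or backslash continuation, a minimal .conf reader, and the panels lookup from the traceback beside a hardened version. It assumes (from the traceback, not from any documented Splunk contract) that an empty attribute reaches the REST handler as None; the stanza names and descriptions are constructed.

```python
import json
import re

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z0-9_.:-]+)\s*=(?P<value>.*)$", re.DOTALL)


def _logical_lines(conf_text):
    """Yield (first_line_number, text) with backslash-continued lines joined."""
    buf, start = None, 0
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if buf is None:
            buf, start = line, lineno
        else:
            buf += "\n" + line
        if line.rstrip().endswith("\\"):
            continue
        yield start, buf
        buf = None
    if buf is not None:
        yield start, buf


def find_unescaped_multiline_values(conf_text):
    """validate.py-style check: every logical line that is not a stanza header,
    key = value pair, comment or blank is a stray continuation, i.e. a value whose
    newline was not escaped. Returns [(line_number, line)]."""
    bad = []
    for lineno, text in _logical_lines(conf_text):
        head = text.split("\n", 1)[0]
        stripped = head.strip()
        if not stripped or stripped.startswith("#") or STANZA_RE.match(head) or KV_RE.match(head):
            continue
        bad.append((lineno, head))
    return bad


def parse_conf(conf_text):
    """Minimal .conf reader. An empty value (`panels =`) is stored as None, which is
    the assumption drawn from the traceback above."""
    stanzas, current = {}, None
    for lineno, text in _logical_lines(conf_text):
        head = text.split("\n", 1)[0].strip()
        if not head or head.startswith("#"):
            continue
        m = STANZA_RE.match(head)
        if m:
            current = stanzas.setdefault(m.group("name"), {})
            continue
        m = KV_RE.match(text)
        if not m or current is None:
            raise ValueError("line %d is not a stanza header or key = value pair: %r" % (lineno, head))
        value = m.group("value").replace("\\\n", "\n").strip()
        current[m.group("key")] = value or None
    return stanzas


def get_panels_original(stanza_attributes):
    """The lookup from the traceback: dict.get only substitutes the default when the
    key is absent, so an empty attribute still hands None to json.loads."""
    return json.loads(stanza_attributes.get("panels", "[]"))


def get_panels(stanza_attributes):
    """Hardened replacement: missing, None or blank means no panels, and a value that
    parses but is not a JSON list is rejected with a clear error."""
    raw = stanza_attributes.get("panels")
    if raw is None or not raw.strip():
        return []
    panels = json.loads(raw)
    if not isinstance(panels, list):
        raise ValueError("panels must be a JSON list, got %s" % type(panels).__name__)
    return panels


def original_lookup_raises(stanza_attributes):
    try:
        get_panels_original(stanza_attributes)
    except TypeError:
        return True
    return False


# Constructed es_investigations.conf fragments; stanza names are hypothetical.
SAMPLE_CONF = """\
[panel_group://workbench_panel_group_example_empty]
label = Example With Empty Panels
description = This stanza reproduces the empty attribute from the report.
disabled = 0
panels =

[panel_group://workbench_panel_group_example_ok]
label = Example With Panels
description = First line of a description \\
continued on a second line with the backslash escape.
disabled = 0
panels = [{"name": "workbench_panel_get_parent_process_info"}]
"""

BROKEN_CONF = """\
[panel_group://workbench_panel_group_example_broken]
label = Example With Unescaped Newline
description = First line of a description
continued on a second line without the escape.
panels = []
"""
```

Run find_unescaped_multiline_values over every generated .conf before packaging; it reports the stray second line of the broken description, which is exactly the line slim trips over. Note that a stanza the content generator writes as a bare "panels =" should either be omitted or written as "panels = []".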
Dependabot couldn't find a Pipfile for this project.
Dependabot requires a Pipfile to evaluate your project's current Python dependencies. It had expected to find one at the path: /requirements.txt/Pipfile.
If this isn't a Python project, or if it is a library, you may wish to disable updates for it in the .dependabot/config.yml file in this repo.
Right now the CLI has a set of tests and they work well, but the API has a handful more tests and that is what splunkbase is using at the moment.
Dependabot couldn't authenticate with https://pypi.python.org/simple/.
You can provide authentication details in your Dependabot dashboard by clicking into the account menu (in the top right) and selecting 'Config variables'.
Point raised by Dimitri McKay, principal security specialist. We should have matching rules from Azure.
Hi ESCU Team,
I think there may have been an inadvertent bug introduced in f9bdf7e.
The rule from detections/aws_activity_in_new_region.yml no longer runs in Splunk, as | convert security_content_ctime(earliest) security_content_ctime(latest) is not a valid usage of the convert command.
I am guessing that this is an instance where sed or another replacing tool caught some "real" ctime invocations while looking for instances of the old macro name.
Thanks,
Tomasz
The search should use dest_mac instead of src_mac.
| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST by All_Sessions.src_ip All_Sessions.src_mac
| dedup All_Sessions.src_mac| `drop_dm_object_name("Network_Sessions")`
|`drop_dm_object_name("All_Sessions")`
| search NOT [| inputlookup asset_lookup_by_str |rename mac as src_mac
| fields + src_mac]
| `detect_unauthorized_assets_by_mac_address_filter`
The CIM Network Sessions data model says for src_mac:
"The MAC address of the client initializing a network session. Not applicable for DHCP events. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator."
For dest_mac:
"The internal MAC address of the network session client. For DHCP events, this is the MAC address of the client acquiring an IP address lease."
This ESCU scheduled search is failing with tons of error messages like this:
09-28-2020 20:15:36.450 +0000 INFO SavedSplunker - savedsearch_id="nobody;DA-ESS-ContentUpdate;ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", search_type="scheduled", user="admin", app="DA-ESS-ContentUpdate", savedsearch_name="ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", priority=default, status=continued, reason="Error in 'SearchParser': Mismatched ']'.", scheduled_time=1601316074, window_time=-1
Seeing 1500 failure events like this in the last 15 minutes in /opt/splunk/var/log/splunk/scheduler.log.
| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | rex field=Authentication.user_role arn:aws:sts::(?<dest_account>.*): | where 'Authentication.vendor_account'!='dest_account' | rename Authentication.vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime as earliest | eval firstTime=(if (firstTime>earliest, earliest,firstTime)) | where firstTime >= relative_time(now(), '-70m@m')] | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename Authentication.user as src_user Authentication.src as src_ip | table requestingAccountId, requestedAccountId, src_user, src_ip, Authentication.user_role, firstTime, lastTime | `aws_cross_account_activity_from_previously_unseen_account_filter`
Error in 'SearchParser': Mismatched ']'.
That is the expanded search. The search is invalid.
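A stray subsearch bracket like the one above is cheap to catch before a release, so here is an added Python example (not code from the security_content project) of a validate.py-style bracket checker for SPL. It tracks ( and [ on a stack, skips anything inside double quotes, single quotes or a backtick macro call, and honours backslash escapes inside strings. The search it is run against is constructed from the expanded search in the report, with the macro calls written in backticks.

```python
OPENERS = {")": "(", "]": "["}


def find_unbalanced_brackets(spl):
    """Return [(position, char, problem)] for every stray closer and every opener
    that is never closed. Brackets inside "..." , '...' and `macro(...)` are skipped."""
    stack, problems = [], []
    quote = None
    i = 0
    while i < len(spl):
        ch = spl[i]
        if quote is not None:
            if ch == "\\" and quote != "`":
                i += 2          # escaped character inside a string
                continue
            if ch == quote:
                quote = None
        elif ch in "\"'`":
            quote = ch
        elif ch in "([":
            stack.append((ch, i))
        elif ch in ")]":
            if stack and stack[-1][0] == OPENERS[ch]:
                stack.pop()
            else:
                problems.append((i, ch, "unmatched closer"))
        i += 1
    problems.extend((pos, ch, "never closed") for ch, pos in stack)
    return sorted(problems)


def describe(spl, problems, width=25):
    """Human-readable context for each problem, the way a validate.py check would print it."""
    return ["%s at offset %d: ...%s..." % (problem, pos, spl[max(0, pos - width):pos + width])
            for pos, ch, problem in problems]


# Constructed from the expanded search in the report above (macros in backticks).
BROKEN_SEARCH = (
    "| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication "
    "where Authentication.signature=AssumeRole by Authentication.vendor_account "
    "Authentication.user Authentication.src Authentication.user_role "
    "| rex field=Authentication.user_role arn:aws:sts::(?<dest_account>.*): "
    "| where 'Authentication.vendor_account'!='dest_account' "
    "| rename Authentication.vendor_account as requestingAccountId dest_account as requestedAccountId "
    "| lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, "
    "OUTPUTNEW firstTime as earliest "
    "| eval firstTime=(if (firstTime>earliest, earliest,firstTime)) "
    "| where firstTime >= relative_time(now(), '-70m@m')] "
    "| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` "
    "| rename Authentication.user as src_user Authentication.src as src_ip "
    "| table requestingAccountId, requestedAccountId, src_user, src_ip, "
    "Authentication.user_role, firstTime, lastTime "
    "| `aws_cross_account_activity_from_previously_unseen_account_filter`"
)
FIXED_SEARCH = BROKEN_SEARCH.replace("'-70m@m')]", "'-70m@m')")


if __name__ == "__main__":
    for line in describe(BROKEN_SEARCH, find_unbalanced_brackets(BROKEN_SEARCH)):
        print(line)
```

The checker is deliberately lexical: it does not know SPL grammar, so an unquoted apostrophe in a search term (search user=O'Brien) will start a string it never closes and produce a false "never closed" report. For a release gate that is the right trade-off; the alternative is a full SPL parser.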
This search needs an OR in the existing syntax and also needs to detect processes run from new folders inside of System32 or SysWOW64. Potential SPL fix suggested:
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where (Processes.process_path !="C:\\Windows\\System32\\*" OR Processes.process_path !="C:\\Windows\\SysWOW64*") OR (Processes.process_path = "C:\\Windows\\System32\\*\\*" OR Processes.process_path ="C:\\Windows\\SysWOW64\\*\\*") by Processes.user Processes.dest Processes.process_name Processes.process_id Processes.process_path Processes.parent_process_name Processes.process_hash
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `is_windows_system_file`
| `system_processes_run_from_unexpected_locations_filter`
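The intent of the detection above, as an added Python example (not code from the security_content project or from the issue): a system binary is expected directly inside System32 or SysWOW64, and anything else, including a folder nested beneath them, is flagged. The grouping mirrors the tstats (first time, last time, count per dest, name and path). The list of system process names is a constructed subset standing in for the is_windows_system_file macro, and the events are constructed.

```python
import ntpath
from collections import defaultdict

# Constructed subset of the names the `is_windows_system_file` macro is meant to
# cover; the real macro's list is longer. Used as the name filter.
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "wininit.exe",
    "winlogon.exe", "services.exe", "spoolsv.exe", "taskhostw.exe",
}
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def classify_location(process_path):
    """None when the binary runs directly from System32 or SysWOW64; otherwise a short
    reason: nested below one of them, or outside both entirely."""
    directory = ntpath.dirname(process_path).lower().rstrip("\\")
    if directory in EXPECTED_DIRS:
        return None
    if any(directory.startswith(d + "\\") for d in EXPECTED_DIRS):
        return "nested folder under a system directory"
    return "outside the system directories"


def detect_system_processes_from_unexpected_locations(events):
    """Group by dest, process_name and process_path like the tstats, keep first/last
    time and count, and emit only system binaries running from an unexpected place."""
    groups = defaultdict(list)
    for ev in events:
        name = ev["process_name"].lower()
        if name not in SYSTEM_PROCESS_NAMES:
            continue
        reason = classify_location(ev["process_path"])
        if reason is None:
            continue
        groups[(ev["dest"], name, ev["process_path"].lower(), reason)].append(ev["_time"])
    results = []
    for (dest, name, path, reason), times in sorted(groups.items()):
        results.append({"dest": dest, "process_name": name, "process_path": path,
                        "reason": reason, "firstTime": min(times),
                        "lastTime": max(times), "count": len(times)})
    return results


def _ev(t, dest, path):
    return {"_time": t, "dest": dest, "process_name": ntpath.basename(path), "process_path": path}


# Constructed events: two legitimate svchost paths, a nested copy run twice, lsass
# from a user-writable folder, and a non-system binary that the name filter ignores.
SAMPLE_EVENTS = [
    _ev(1601400000, "dc-01", r"C:\Windows\System32\svchost.exe"),
    _ev(1601400060, "dc-01", r"C:\Windows\SysWOW64\svchost.exe"),
    _ev(1601400120, "ws-04", r"C:\Windows\System32\Tasks\svchost.exe"),
    _ev(1601400180, "ws-04", r"C:\Windows\System32\Tasks\svchost.exe"),
    _ev(1601400240, "ws-09", r"C:\Users\Public\lsass.exe"),
    _ev(1601400300, "ws-09", r"C:\Temp\notepad.exe"),
]


if __name__ == "__main__":
    for row in detect_system_processes_from_unexpected_locations(SAMPLE_EVENTS):
        print(row)
```

The name filter matters: powershell.exe legitimately lives in a nested folder (WindowsPowerShell\v1.0), so a path rule alone would flag it on every host, which is why the detection restricts itself to binaries that are expected directly in the two system directories.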
In the spec 3.0 branch it's "analytic story", not "analytics story".
Update KC and MITRE labels.
Update "how to implement" with instructions for how to use the macro in the SPL.
Hi, the documentation mentions the possibility to write content and a "Developing" section, but https://github.com/splunk/security-content#developing leads to nothing. It would be nice to get a link on how to create one's own content or create one's own app to manage custom content under the same format.
Thanks!
Iplocation and filtering events that have the Country field defined makes no sense for this use case.
Remove the following from the rule:
| iplocation sourceIPAddress | search Country=*
It is a bit confusing since it is not clear which test file matches what detection given
The lookup table 'previously_seen_users_console_logins.csv' requires a .csv or KV store lookup definition.
There is currently an issue where multiple layers do not work for some users. mitre-attack/attack-navigator#199
Linked ES Issue: https://jira.splunk.com/browse/SOLNESS-24192
Workbench panel 'Get Parent Process Info' and the prebuilt panel 'workbench_panel_get_parent_process_info' which it uses don't function correctly when multiple artifacts of an ES investigation are explored. The search query in the panel 'workbench_panel_get_parent_process_info' doesn't consider that the tokens used in the query may have multiple values which may need to be 'AND'ed or 'OR'ed. Along with that, the 'Get Parent Process Info' workbench panel also needs to be modified to correctly use 'Value Prefix', 'Value Suffix' and delimiters, taking multiple values for the tokens into account.
There are other workbench panels like 'Get Authentication Logs For Endpoint' and 'Get Process Information For Port Activity' which also face the same issue.
ESCU 1.0.49, Content Library view/page, Analytics Story Details, Last updated column.
The latest date is 2019-12-11. This doesn't seem right.
The story version should be bumped as well.
This fixed the issue and runs much faster due to tstats with the Endpoint data model. It did lose parent_process and sha256 in the search results, which were helpful during investigation.