updating risk and drilldowns

Author: patel-bhavin

detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml

@@ -51,12 +51,12 @@ known_false_positives: Some intrusion events that are linked to these classifica
 references:
   - https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf
 drilldown_searches:
-- name: View the detection results for - "$src_ip$" and "$signature_id$"
-  search: '%original_detection_search% | search  src_ip = "$src_ip$" and signature_id = "$signature_id$"'
+- name: View the detection results for - "$dest_ip$" and "$src_ip$"
+  search: '%original_detection_search% | search  dest_ip = "$dest_ip$" and src_ip = "$src_ip$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168  | stats count min(_time)
+- name: View risk events for the last 7 days for - "$dest_ip$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168  | stats count min(_time)
     as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
     as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
     as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
@@ -66,12 +66,14 @@ drilldown_searches:
 rba:
   message: A high priority intrusion event with classification ($class_desc$) was detected from $src_ip$ to $dest_ip$, indicating potential suspicious activity.
   risk_objects:
-    - field: src_ip
+    - field: dest_ip
       type: system
       score: 25
   threat_objects:
     - field: signature
       type: signature
+    - field: src_ip
+      type: ip_address
 tags:
   analytic_story: 
     - Cisco Secure Firewall Threat Defense Analytics

detections/network/cisco_secure_firewall___lumma_stealer_activity.yml

@@ -47,27 +47,29 @@ known_false_positives: False positives should be very unlikely.
 references:
   - https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
 drilldown_searches:
-- name: View the detection results for - "$src_ip$" and "$signature_id$"
-  search: '%original_detection_search% | search  src_ip = "$src_ip$" and signature_id = "$signature_id$"'
+- name: View the detection results for - "$dest_ip$" and "$src_ip$"
+  search: '%original_detection_search% | search  dest_ip = "$dest_ip$" and src_ip = "$src_ip$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168  | stats count min(_time)
+- name: View risk events for the last 7 days for - "$dest_ip$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168  | stats count min(_time)
     as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
     as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
     as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
     by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: Lumma Stealer Activity on host $src_ip$.
+  message: Lumma Stealer Activity on host $dest_ip$ origniating from $src_ip$
   risk_objects:
-    - field: src_ip
+    - field: dest_ip
       type: system
       score: 25
   threat_objects:
     - field: signature
       type: signature
+    - field: src_ip
+      type: ip_address
 tags:
   analytic_story: 
     - Cisco Secure Firewall Threat Defense Analytics

detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml

@@ -31,27 +31,29 @@ known_false_positives: False positives should be unlikely.
 references:
   - https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
 drilldown_searches:
-- name: View the detection results for - "$src_ip$" and "$signature_id$"
-  search: '%original_detection_search% | search  src_ip = "$src_ip$" and signature_id = "$signature_id$"'
+- name: View the detection results for - "$dest_ip$" and "$src_ip$"
+  search: '%original_detection_search% | search  dest_ip = "$dest_ip$" and src_ip = "$src_ip$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168  | stats count min(_time)
+- name: View risk events for the last 7 days for - "$dest_ip$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168  | stats count min(_time)
     as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
     as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
     as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
     by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: Lumma Stealer Download Attempt initiated by $src_ip$ from $dest_ip$.
+  message: Lumma Stealer Download Attempt detected on host $dest_ip$ origniating from $src_ip$
   risk_objects:
-    - field: src_ip
+    - field: dest_ip
       type: system
       score: 25
   threat_objects:
     - field: signature
       type: signature
+    - field: src_ip
+      type: ip_address
 tags:
   analytic_story: 
     - Cisco Secure Firewall Threat Defense Analytics

detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml

@@ -31,27 +31,29 @@ known_false_positives: False positives should be unlikely.
 references:
   - https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
 drilldown_searches:
-- name: View the detection results for - "$src_ip$" and "$signature_id$"
-  search: '%original_detection_search% | search  src_ip = "$src_ip$" and signature_id = "$signature_id$"'
+- name: View the detection results for - "$dest_ip$" and "$src_ip$"
+  search: '%original_detection_search% | search  dest_ip = "$dest_ip$" and src_ip = "$src_ip$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168  | stats count min(_time)
+- name: View risk events for the last 7 days for - "$dest_ip$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168  | stats count min(_time)
     as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
     as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
     as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
     by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: Lumma Stealer Outbound Connection Attempt initiated by $src_ip$ to $dest_ip$.
+  message: Lumma Stealer Outbound Connection Attempt detected on host $dest_ip$ origniating from $src_ip$
   risk_objects:
-    - field: src_ip
+    - field: dest_ip
       type: system
       score: 25
   threat_objects:
     - field: signature
       type: signature
+    - field: src_ip
+      type: ip_address
 tags:
   analytic_story: 
     - Cisco Secure Firewall Threat Defense Analytics

detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml

@@ -49,12 +49,12 @@ references:
   - https://nvd.nist.gov/vuln/detail/CVE-2023-27532
   - https://www.veeam.com/kb4424
 drilldown_searches:
-- name: View the detection results for - "$src_ip$" and "$signature_id$"
-  search: '%original_detection_search% | search  src_ip = "$src_ip$" and signature_id = "$signature_id$"'
+- name: View the detection results for - "$dest_ip$" and "$src_ip$"
+  search: '%original_detection_search% | search  dest_ip = "$dest_ip$" and src_ip = "$src_ip$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168  | stats count min(_time)
+- name: View risk events for the last 7 days for - "$dest_ip$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168  | stats count min(_time)
     as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
     as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
     as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
@@ -64,12 +64,14 @@ drilldown_searches:
 rba:
   message: Exploitation attempt of Veeam CVE-2023-27532 on host $dest_ip$ by $src_ip$.
   risk_objects:
-    - field: src_ip
+    - field: dest_ip
       type: system
       score: 25
   threat_objects:
     - field: signature
       type: signature
+    - field: src_ip
+      type: ip_address
 tags:
   analytic_story: 
     - Cisco Secure Firewall Threat Defense Analytics