Merge branch 'rba_migration' into strict_yml_from_rba

Author: ljstella

data_sources/asl_aws_cloudtrail.yml

@@ -0,0 +1,13 @@
+name: ASL AWS CloudTrail
+id: 1dcf9cfb-0e91-44c6-81b3-61b2574ec898
+version: 1
+date: '2025-01-14'
+author: Patrick Bareiss, Splunk
+description: Data source object for ASL AWS CloudTrail 
+source: aws_asl
+sourcetype: aws:asl
+separator: api.operation
+supported_TA:
+- name: Splunk Add-on for AWS
+  url: https://splunkbase.splunk.com/app/1876
+  version: 7.9.0

data_sources/azure_monitor_activity.yml

@@ -0,0 +1,96 @@
+name: Azure Monitor Activity
+id: 1997a515-a61a-4f78-ada9-54af34c764f2
+version: 1
+date: '2025-01-13'
+author: Bhavin Patel, Splunk
+description: Data source object for Azure Monitor Activity.  The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub.  To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub. 
+source: Azure AD
+sourcetype: azure:monitor:activity
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+  url: https://splunkbase.splunk.com/app/3110
+  version: 5.4.1
+fields:
+- column
+- action
+- category
+- change_type
+- command
+- correlationId
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- eventtype
+- host
+- identity
+- image_id
+- index
+- instance_type
+- linecount
+- object
+- object_attrs
+- object_category
+- object_id
+- object_path
+- operationName
+- properties.ActivityDate
+- properties.ActivityResultStatus
+- properties.ActivityType
+- properties.Actor.ActorType
+- properties.Actor.Application
+- properties.Actor.ApplicationName
+- properties.Actor.IsDelegatedAdmin
+- properties.Actor.Name
+- properties.Actor.ObjectId
+- properties.Actor.PartnerTenantId
+- properties.Actor.UPN
+- properties.Actor.UserPermissions{}
+- properties.AdditionalDetails
+- properties.AuditEventId
+- properties.Category
+- properties.RelationId
+- properties.TargetDisplayNames{}
+- properties.TargetObjectIds{}
+- properties.Targets{}.ModifiedProperties{}.Name
+- properties.Targets{}.ModifiedProperties{}.New
+- properties.Targets{}.ModifiedProperties{}.Old
+- properties.Targets{}.Name
+- punct
+- resourceId
+- resource_provider
+- response_body
+- result
+- resultDescription
+- resultType
+- result_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- status
+- tag
+- tag::action
+- tag::eventtype
+- tag::object_category
+- tenantId
+- time
+- timeendpos
+- timestartpos
+- user
+- user_name
+- user_type
+- vendor_account
+- vendor_product
+- vendor_region
+- _time
+example_log: '{"time": "2024-04-29T13:30:28.8622000Z", "tenantId": "26db52ee-c1b5-4c96-a0d4-129e25dc0388", "category": "AuditLogs", "operationName": "createDeviceHealthScript DeviceHealthScript", "properties": {"ActivityDate": "4/29/2024 1:30:28 PM", "ActivityResultStatus": 1, "ActivityType": 0, "Actor": {"ActorType": 1, "Application": "5926fc8e-304e-4f59-8bed-58ca97cc39a4", "ApplicationName": "Microsoft Intune portal extension", "IsDelegatedAdmin": false, "Name": null, "ObjectId": "cf2ef473-7d3b-4f14-961c-2e470e9a70f2", "PartnerTenantId": "00000000-0000-0000-0000-000000000000", "UserPermissions": ["*"], "UPN": "[email protected]"}, "AdditionalDetails": "", "AuditEventId": "3e7e790e-f15a-4c2c-a91a-516483bb4e37", "Category": 3, "RelationId": null, "TargetDisplayNames": ["<null>"], "TargetObjectIds": ["b16fcad4-b9f5-46fe-9bf0-841cd9be7bc9"], "Targets": [{"ModifiedProperties": [{"Name": "DeviceManagementAPIVersion", "Old": null, "New": "5024-02-13"}], "Name": null}]}, "resultType": "Success", "resultDescription": "None", "correlationId": "949ac544-b4e5-4576-a117-915c47c0ee00", "identity": "[email protected]"}'

detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml

@@ -5,29 +5,12 @@ date: '2024-11-14'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
-description: The following analytic identifies an AWS IAM account with concurrent
-  sessions originating from more than one unique IP address within a 5-minute span.
-  This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates`
-  API call, to identify multiple IP addresses associated with the same user session.
-  This behavior is significant as it may indicate a session hijacking attack, where
-  an adversary uses stolen session cookies to access AWS resources from a different
-  location. If confirmed malicious, this activity could allow unauthorized access
-  to sensitive corporate resources, leading to potential data breaches or further
-  exploitation.
-data_source: []
-search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS
-  Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip)
-  as distinct_ip_count by _time identity.user.credential_uid identity.user.name |
-  where distinct_ip_count > 1 | rename identity.user.name as user | `asl_aws_concurrent_sessions_from_different_ips_filter`'
-how_to_implement: The detection is based on Amazon Security Lake events from Amazon
-  Web Services (AWS), which is a centralized data lake that provides security-related
-  data from AWS services. To use this detection, you must ingest CloudTrail logs from
-  Amazon Security Lake into Splunk. To run this search, ensure that you ingest events
-  using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876)
-  or the Federated Analytics App.
-known_false_positives: A user with concurrent sessions from different Ips may also
-  represent the legitimate use of more than one device. Filter as needed and/or customize
-  the threshold to fit your environment.
+description: The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation.
+data_source: 
+- ASL AWS CloudTrail
+search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid | where distinct_ip_count > 1 | rename actor.user.uid as user | `asl_aws_concurrent_sessions_from_different_ips_filter`'
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
+known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
 references:
 - https://attack.mitre.org/techniques/T1185/
 - https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/
@@ -72,7 +55,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json
-    sourcetype: aws:cloudtrail:lake
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json
+    sourcetype: aws:asl
     source: aws_asl

detections/cloud/asl_aws_create_access_key.yml

@@ -0,0 +1,55 @@
+name: ASL AWS Create Access Key
+id: 81a9f2fe-1697-473c-af1d-086b0d8b63c8
+version: 1
+date: '2024-12-12'
+author: Patrick Bareiss, Splunk
+status: production
+type: Hunting
+description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
+data_source: 
+- ASL AWS CloudTrail
+search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`'
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
+known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.
+references:
+- https://bishopfox.com/blog/privilege-escalation-in-aws
+- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
+tags:
+  analytic_story:
+  - AWS IAM Privilege Escalation
+  asset_type: AWS Account
+  confidence: 90
+  impact: 70
+  message: User $user$ is attempting to create access keys
+  mitre_attack_id:
+  - T1136.003
+  - T1136
+  observable:
+  - name: src_ip
+    type: IP Address
+    role:
+    - Attacker
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - api.operation
+  - actor.user.uid
+  - actor.user.account.uid
+  - http_request.user_agent
+  - src_endpoint.ip
+  - src_endpoint.domain
+  - cloud.region
+  risk_score: 63
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json
+    sourcetype: aws:asl
+    source: aws_asl

detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml

@@ -0,0 +1,61 @@
+name: ASL AWS Create Policy Version to allow all resources
+id: 22cc7a62-3884-48c4-82da-592b8199b72f
+version: 1
+date: '2024-12-12'
+author: Patrick Bareiss, Splunk
+status: production
+type: TTP
+description: The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment.
+data_source: 
+- ASL AWS CloudTrail
+search: '`amazon_security_lake` api.operation=CreatePolicy | spath input=api.request.data | spath input=policyDocument | regex Statement{}.Action="\*" | regex Statement{}.Resource="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_create_policy_version_to_allow_all_resources_filter`'
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
+known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.
+references:
+- https://bishopfox.com/blog/privilege-escalation-in-aws
+- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - AWS IAM Privilege Escalation
+  asset_type: AWS Account
+  confidence: 70
+  impact: 70
+  message: User $user$ created a policy version that allows them to access any resource in their account.
+  mitre_attack_id:
+  - T1078.004
+  - T1078
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - api.operation
+  - actor.user.account.uid
+  - api.request.data
+  - actor.user.uid
+  - http_request.user_agent
+  - src_endpoint.ip
+  - src_endpoint.domain
+  - cloud.region
+  risk_score: 49
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json
+    sourcetype: aws:asl
+    source: aws_asl

detections/cloud/asl_aws_credential_access_getpassworddata.yml

@@ -0,0 +1,66 @@
+name: ASL AWS Credential Access GetPasswordData
+id: a79b607a-50cc-4704-bb9d-eff280cb78c2
+version: 1
+date: '2024-12-12'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifiesGetPasswordData API calls in your AWS account. It leverages  CloudTrail logs from Amazon Security Lake to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment.
+data_source: 
+- ASL AWS CloudTrail
+search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region instanceId | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`'
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
+known_false_positives: Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.
+references:
+- https://attack.mitre.org/techniques/T1552/
+- https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user_arn = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - AWS Identity and Access Management Account Takeover
+  asset_type: AWS Account
+  confidence: 70
+  impact: 70
+  message: User $user$ is seen to make `GetPasswordData` API calls 
+  mitre_attack_id:
+  - T1586
+  - T1586.003
+  - T1110
+  - T1110.001
+  observable:
+  - name: src_ip
+    type: IP Address
+    role:
+    - Attacker
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - api.operation
+  - actor.user.uid
+  - actor.user.account.uid
+  - http_request.user_agent
+  - src_endpoint.ip
+  - src_endpoint.domain
+  - cloud.region
+  risk_score: 49
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json
+    sourcetype: aws:asl
+    source: aws_asl