
Commit 61d302d

authored
Merge pull request #3825 from splunk/519_integration_fixes
v5.19.0 Integration Testing Failures
2 parents 378879a + ecf5463 commit 61d302d

4 files changed

+24
-21
lines changed

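--- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
@@ -67,7 +67,8 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
-search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+search:
+'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
 starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
 values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
 as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
@@ -76,7 +77,8 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
-message: A [$type$] event has occurred on host - [$dest$] to modify the preload
+message:
+A [$nametype$] event has occurred on host - [$dest$] to modify the preload
 file.
 risk_objects:
 - field: dest
@@ -100,7 +102,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
-- data:
-https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log
-source: auditd
-sourcetype: auditd
+- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log
+source: auditd
+sourcetype: auditd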
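Review bot: The `$nametype$` token introduced in the rba message at line 82 is very likely bound to a multivalue field: the sibling auditd detection changed in this same commit builds `nametype` with `values(nametype)`, and if this search (its body lies outside these hunks) does the same, one audit_id that touches both the parent directory and the preload file will render as a space-joined list inside the brackets rather than a single event type. If a single value is intended, collapse it before the filter macro, e.g. `| eval nametype=mvjoin(nametype, ", ")`, or reword the message so a list reads naturally. It is also worth confirming that the search actually emits a field named `nametype`; an unresolved token is left verbatim in the risk_message, which is presumably how the old `$type$` went stale.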

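--- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
+++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
@@ -18,15 +18,15 @@ search: |
 `linux_auditd`
 (type=PATH OR type=CWD)
 | rex "msg=audit\([^)]*:(?<audit_id>\d+)\)"
-
+
 | stats
 values(type) as types
 values(name) as names
 values(nametype) as nametype
 values(cwd) as cwd_list
 values(_time) as event_times
 by audit_id, host
-
+
 | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A")
 | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names))
 | eval matched_paths = mvfilter(match(candidate_paths, "/etc/profile|/etc/shells|/etc/profile\\.d/.*|/etc/bash\\.bashrc.*|/etc/bashrc|.*/zsh/zprofile|.*/zsh/zshrc|.*/zsh/zlogin|.*/zsh/zlogout|/etc/csh\\.cshrc.*|/etc/csh\\.login.*|/root/\\.bashrc.*|/root/\\.bash_profile.*|/root/\\.profile.*|/root/\\.zshrc.*|/root/\\.zprofile.*|/home/.*/\\.bashrc.*|/home/.*/\\.zshrc.*|/home/.*/\\.bash_profile.*|/home/.*/\\.zprofile.*|/home/.*/\\.profile.*|/home/.*/\\.bash_login.*|/home/.*/\\.bash_logout.*|/home/.*/\\.zlogin.*|/home/.*/\\.zlogout.*"))
@@ -35,15 +35,15 @@ search: |
 | eval e_time = mvindex(event_times, 0)
 | where match_count > 0
 | rename host as dest
-
+
 | stats count min(e_time) as firstTime max(e_time) as lastTime
 values(nametype) as nametype
 by current_working_directory
 reconstructed_path
 match_count
 dest
 audit_id
-
+
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
 | `linux_auditd_unix_shell_configuration_modification_filter`
@@ -69,7 +69,8 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
-search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+search:
+'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
 starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
 values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
 as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
@@ -78,7 +79,8 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
-message: A [$type$] event occurred on host - [$dest$] to modify the unix shell configuration
+message:
+A [$nametype$] event occurred on host - [$dest$] to modify the unix shell configuration
 file.
 risk_objects:
 - field: dest
@@ -102,7 +104,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
-- data:
-https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config//linux_path_profile_d.log
-source: auditd
-sourcetype: auditd
+- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config//linux_path_profile_d.log
+source: auditd
+sourcetype: auditd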
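Review bot: The `$nametype$` token that replaces `$type$` in the rba message at line 83 is bound to a multivalue field: both `stats` stages of the search collect it with `values(nametype) as nametype` (lines 25 and 40), so an audit_id whose PATH records cover the parent directory as well as the target file will produce a message whose bracketed part is a space-joined list rather than one event type. Switching away from `$type$` is right, since the first stats renames that field to `types`, but if one value per message is intended it should be collapsed before the filter macro, e.g. `| eval nametype=mvjoin(nametype, ", ")` after the second stats (that hunk is the one at line 39), or the message reworded to read as a list. The grouping fields of that second stats also key on `audit_id`, which auditd serials are per host, so the `dest` key there is what keeps events from different hosts apart; worth a one-line comment in the search body saying so.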

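--- a/detections/endpoint/linux_suspicious_react_or_next_js_child_process.yml
+++ b/detections/endpoint/linux_suspicious_react_or_next_js_child_process.yml
@@ -122,7 +122,8 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
-search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+search:
+'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
 starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
 values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
 as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
@@ -131,7 +132,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
-message: |
+message:
 A Node-based server process ($parent_process_name$) on Linux spawned the
 child process $process_name$ with command-line $process$ on host $dest$ by user $user$, which may
 indicate remote code execution via React Server Components (CVE-2025-55182 /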

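--- a/detections/endpoint/windows_suspicious_react_or_next_js_child_process.yml
+++ b/detections/endpoint/windows_suspicious_react_or_next_js_child_process.yml
@@ -113,7 +113,8 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
-search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+search:
+'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
 starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
 values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
 as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
@@ -122,8 +123,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
-message: |
-A Node-based server process ($parent_process_name$) spawned the child
+message: A Node-based server process ($parent_process_name$) spawned the child
 process $process_name$ with command-line $process$ on host $dest$ by user $user$, which may indicate
 remote code execution via React Server Components (CVE-2025-55182 /
 React2Shell) or abuse of a similar Node.js RCE vector.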
