Merge branch 'develop' into auditd_detection_updates

Author: nasbench

baselines/baseline_of_open_s3_bucket_decommissioning.yml

@@ -0,0 +1,64 @@
+name: Baseline Of Open S3 Bucket Decommissioning
+id: 984e9022-b87b-499a-a260-8d0282c46ea2
+version: 1
+date: '2025-02-12'
+author: Jose Hernandez
+type: Baseline
+status: production
+description: |-
+  The following analytic identifies S3 buckets that were previously exposed to the public and have been subsequently deleted. It leverages AWS CloudTrail logs to track the lifecycle of potentially risky S3 bucket configurations. This activity is crucial for ensuring that public access to sensitive data is properly managed and decommissioned. By monitoring these events, organizations can ensure that exposed buckets are promptly deleted, reducing the risk of unauthorized access. Immediate investigation is recommended to confirm the proper decommissioning of these buckets and to ensure no sensitive data remains exposed. This baseline detection creates a lookup table of decommissioned buckets.csv and their associated events which can be used by detection searches to trigger alerts when decommissioned buckets are detected.
+
+  The  following detections searches leverage this baseline search and the lookup table.
+  * Detect DNS Query to Decommissioned S3 Bucket
+  * Detect Web Access to Decommissioned S3 Bucket
+search: '`cloudtrail` eventSource="s3.amazonaws.com"  (eventName=DeleteBucket OR eventName=PutBucketPolicy OR eventName=PutBucketWebsite)
+| spath input=_raw path=requestParameters.bucketName output=bucketName
+| spath input=_raw path=requestParameters.Host output=host
+| spath input=_raw path=requestParameters.bucketPolicy.Statement{} output=statements
+| spath input=statements output=principal path=Principal
+| spath input=statements output=effect path=Effect
+| spath input=statements output=action path=Action
+| stats values(eventName) as events, 
+        values(requestParameters.bucketPolicy) as policies, 
+        values(principal) as principals,
+        values(effect) as effects,
+        values(action) as actions,
+        min(_time) as firstEvent, 
+        max(_time) as lastEvent,
+        values(userIdentity.accountId) as accountIds,
+        values(userIdentity.arn) as userARNs,
+        values(awsRegion) as awsRegions,
+        values(host) as hosts
+    by bucketName
+| eval isPublicPolicy = if( (mvfind(principals, "\\*")>=0) AND (mvfind(effects, "Allow")>=0) AND (mvfind(actions, "s3:GetObject")>=0), 1, 0)
+| eval isWebsite = if(mvfind(events, "PutBucketWebsite")>=0, 1, 0)
+| eval is_open = if(isPublicPolicy==1 OR isWebsite==1, 1, 0)
+| where is_open==1 AND (mvfind(events, "DeleteBucket")>=0)
+| eval policy_details = if(isPublicPolicy==1, "Policy: Principal=" . mvjoin(principals, ", ") . " Effect=" . mvjoin(effects, ", ") . " Action=" . mvjoin(actions, ", "), "No Public Policy")
+| eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting")
+| table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
+| outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`'
+how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public.
+known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
+references:
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
+- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
+tags:
+  analytic_story:
+  - AWS S3 Bucket Security Monitoring
+  - Suspicious AWS S3 Activities
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  detections:
+  - Detect DNS Query to Decommissioned S3 Bucket
+  - Detect Web Access to Decommissioned S3 Bucket
+  security_domain: audit
+deployment:
+  scheduling:
+    cron_schedule: 0 2 * * 0
+    earliest_time: -30d@d
+    latest_time: -1d@d
+    schedule_window: auto

contentctl.yml

@@ -41,6 +41,12 @@ apps:
   version: 3.0.0
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-okta-identity-cloud_300.tgz
+- uid: 7404
+  title: Cisco Security Cloud
+  appid: CiscoSecurityCloud
+  version: 3.0.1
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_301.tgz
 - uid: 6652
   title: Add-on for Linux Sysmon
   appid: Splunk_TA_linux_sysmon
@@ -77,9 +83,9 @@ apps:
 - uid: 5579
   title: Splunk Add-on for CrowdStrike FDR
   appid: Splunk_TA_CrowdStrike_FDR
-  version: 2.0.4
+  version: 2.0.3
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_204.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_203.tgz
 - uid: 3185
   title: Splunk Add-on for Microsoft IIS
   appid: SPLUNK_TA_FOR_IIS

data_sources/cisco_ai_defense_alerts.yml

@@ -0,0 +1,14 @@
+name: Cisco AI Defense Alerts
+id: cbb06880-9dd9-4542-ac60-bd6e1d3c3e4e
+version: 1
+date: '2024-07-18'
+author: Bhavin Patel
+description: Data source object for Cisco AI Defense Alerts
+source: cisco_ai_defense
+sourcetype: cisco:ai:defense
+separator: 
+supported_TA:
+- name: Cisco Security Cloud
+  url: https://splunkbase.splunk.com/app/7404
+  version: 3.0.1
+fields:

detections/application/cisco_ai_defense_security_alerts_by_application_name.yml

@@ -0,0 +1,75 @@
+name: Cisco AI Defense Security Alerts by Application Name
+id: 105e4a69-ec55-49fc-be1f-902467435ea8
+version: 1
+date: '2025-02-14'
+author: Bhavin Patel, Splunk
+status: experimental
+type: Anomaly
+description: The search surfaces alerts from the Cisco AI Defense product for potential attacks against the AI models running in your environment. This analytic identifies security events within Cisco AI Defense by examining event messages, actions, and policy names. It focuses on connections and applications associated with specific guardrail entities and ruleset types. By aggregating and analyzing these elements, the search helps detect potential policy violations and security threats, enabling proactive defense measures and ensuring network integrity.
+data_source:
+- Cisco AI Defense Alerts
+search: |-
+  `cisco_ai_defense` 
+    | rename genai_application.application_name as application_name 
+    | rename connection.connection_name as connection_name 
+    ```Aggregating data by model name, connection name, application name, application ID, and user ID```
+    | stats count 
+        values(user_id) as user_id
+        values(event_message_type) as event_message_type
+        values(event_action) as event_action
+        values(policy.policy_name) as policy_name 
+        values(event_policy_guardrail_assocs{}.policy_guardrail_assoc.guardrail_avail_entity.guardrail_entity_name) as guardrail_entity_name 
+        values(event_policy_guardrail_assocs{}.policy_guardrail_assoc.guardrail_avail_ruleset.guardrail_ruleset_type) as guardrail_ruleset_type 
+        by model.model_name connection_name application_name application_id 
+    ```Evaluating severity based on policy name and guardrail ruleset type```
+    | eval severity=case(
+        policy_name IN ("AI Runtime Latency Testing - Prompt Injection"), "critical",
+        policy_name IN ("AI Runtime Latency Testing - Code Detection"), "high", 
+        guardrail_ruleset_type IN ("Toxicity"), "medium",
+        true(), "low"
+    ) 
+    ```Calculating risk score based on severity level```
+    | eval risk_score=case(
+        severity="critical", 100,
+        severity="high", 75,
+        severity="medium", 50,
+        severity="low", 25
+    )
+    | table model.model_name, user_id, event_action, application_id, application_name, severity, risk_score, policy_name, connection_name, guardrail_ruleset_type, guardrail_entity_name 
+    |`cisco_ai_defense_security_alerts_by_application_name_filter`'
+how_to_implement: To enable this detection, you need to ingest alerts from the Cisco AI Defense product. This can be done by using this app from splunkbase - Cisco Security Cloud and ingest alerts into the cisco:ai:defense sourcetype.
+known_false_positives: False positives may vary based on Cisco AI Defense configuration; monitor and filter out the alerts that are not relevant to your environment.
+references:
+- https://www.robustintelligence.com/blog-posts/prompt-injection-attack-on-gpt-4
+- https://docs.aws.amazon.com/prescriptive-guidance/latest/llm-prompt-engineering-best-practices/common-attacks.html
+drilldown_searches:
+- name: View risk events for the last 7 days for - "$application_id$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$application_id$" ) starthoursago=168  | stats count min(_time)
+    as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+    as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Cisco AI Defense Security Alert has been action - [$event_action$] for the application name - [$application_name$]
+  risk_objects:
+  - field: application_name
+    type: other
+    score: 10
+  threat_objects: []
+tags:
+    analytic_story:
+    - Critical Alerts
+    asset_type: Web Application
+    product:
+    - Splunk Enterprise 
+    - Splunk Enterprise Security
+    - Splunk Cloud
+    security_domain: endpoint
+tests:
+  - name: True Positive Test
+    attack_data:
+    - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense.log
+      source: cisco_ai_defense
+      sourcetype: cisco:ai:defense

detections/application/cisco_secure_application_alerts.yml

@@ -79,7 +79,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
-  # manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty.
+  manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty.
 tests:
 - name: True Positive Test
   attack_data:

detections/endpoint/windows_process_execution_in_temp_dir.yml

@@ -14,7 +14,7 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
   where Processes.process_path IN("*\\temp\\*")
-  by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user 
+  by Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process_path Processes.dest Processes.user 
   | `drop_dm_object_name(Processes)` 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)`

detections/endpoint/windows_security_and_backup_services_stop.yml

@@ -47,7 +47,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: Known services $param1$ terminated by a potential ransomware on $dest$
+  message: Known services $display_name$ terminated by a potential ransomware on $dest$
   risk_objects:
   - field: dest
     type: system

detections/endpoint/windows_service_created_with_suspicious_service_name.yml

@@ -5,14 +5,14 @@ date: '2025-02-07'
 author: Steven Dick
 status: production
 type: Anomaly
-description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
+description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment. 
 data_source: 
 - Windows Event Log System 7045
 search: |-
   `wineventlog_system` EventCode=7045 
-  | stats values(user) as user, values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID
+  | stats values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID
   | eval process_name = mvindex(split(process,"\\"),-1)
-  | rename Computer as dest, ServiceName as object_name, ServiceType as object_type
+  | rename Computer as dest, ServiceName as object_name, ServiceType as object_type, UserID as user_id
   | lookup windows_suspicious_services service_name as object_name
   | where isnotnull(tool_name)
   | `security_content_ctime(firstTime)` 
@@ -44,9 +44,6 @@ rba:
   - field: dest
     type: system
     score: 75
-  - field: user
-    type: user
-    score: 75
   threat_objects: 
   - field: process
     type: process

detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml

@@ -0,0 +1,60 @@
+name: Detect DNS Query to Decommissioned S3 Bucket
+id: 2f1c5fd1-4b8a-4f5d-a0e9-7d6a8e2f5e1e
+version: 1
+date: '2025-02-12'
+author: Jose Hernandez, Splunk
+status: experimental
+type: Anomaly
+description: This detection identifies DNS queries to domains that match previously decommissioned S3 buckets. This activity is significant because attackers may attempt to recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
+data_source:
+- Sysmon EventID 22
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.query DNS.src 
+| `drop_dm_object_name("DNS")` 
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)` 
+| eval bucket_domain = lower(query) 
+| lookup decommissioned_buckets bucketName as bucket_domain OUTPUT bucketName as match 
+| where isnotnull(match) 
+| `detect_dns_query_to_decommissioned_s3_bucket_filter`'
+how_to_implement: To successfully implement this detection, you need to be ingesting DNS query logs and have them mapped to the Network_Resolution data model. Additionally, ensure that the baseline search "Baseline Of Open S3 Bucket Decommissioning" is running and populating the decommissioned_buckets KVstore lookup.
+known_false_positives: Some applications or scripts may continue to reference old S3 bucket names after they have been decommissioned. These should be investigated and updated to prevent potential security risks.
+references:
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
+drilldown_searches:
+- name: DNS Activity for Host
+  search: '| from datamodel:Network_Resolution | search src="$src$"'
+  earliest_offset: -7d@d
+  latest_offset: now
+rba:
+  message: A DNS query to decommissioned S3 bucket $query$ was detected from host $src$
+  risk_objects:
+  - field: src
+    type: system
+    score: 30
+  threat_objects:
+  - field: query
+    type: domain
+tags:
+  analytic_story:
+  - AWS S3 Bucket Security Monitoring
+  - Data Destruction
+  asset_type: Network
+  mitre_attack_id:
+  - T1485
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: Baseline Dataset Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
+    source: cloudtrail
+    sourcetype: aws:cloudtrail
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog