more updates

nasbench · nasbench · commit 6c5aa91dbf1f · 2025-06-16T23:38:10.000+02:00
diff --git a/detections/cloud/circle_ci_disable_security_step.yml b/detections/cloud/circle_ci_disable_security_step.yml
@@ -1,9 +1,9 @@
 name: Circle CI Disable Security Step
 id: 72cb9de9-e98b-4ac9-80b2-5331bba6ea97
-version: 6
-date: '2025-06-10'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
-status: production
+status: experimental
 type: Anomaly
 description: The following analytic detects the disablement of security steps in a
   CircleCI pipeline. It leverages CircleCI logs, using field renaming, joining, and
@@ -15,40 +15,17 @@ description: The following analytic detects the disablement of security steps in
   with the disablement, and examine any relevant artifacts and concurrent processes.
 data_source:
 - CircleCI
-search: '`circleci` 
-  | rename workflows.job_id AS job_id 
-  | join job_id [ 
-    | search `circleci`
-    | stats values(name) as step_names count by job_id job_name 
-    ] 
-  | stats count by 
-    step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{} 
-  | rename vcs.* as * , owners{} as user 
-  | lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step 
-  | search mandatory_step=* 
-  | eval mandatory_step_executed=if(like(step_names, "%".mandatory_step."%"), 1, 0) 
-  | where mandatory_step_executed=0 | rex field=url "(?<repository>[^\/]*\/[^\/]*)$" 
-  | eval phase="build" 
-  | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` 
-  | `circle_ci_disable_security_step_filter`'
+search: '`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci`
+  | stats values(name) as step_names count by job_id job_name ] | stats count by step_names
+  job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as
+  * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name
+  AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names,
+  "%".mandatory_step."%"), 1, 0) | where mandatory_step_executed=0 | rex field=url
+  "(?<repository>[^\/]*\/[^\/]*)$" | eval phase="build"  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`'
 how_to_implement: You must index CircleCI logs.
 known_false_positives: unknown
 references: []
-drilldown_searches:
-- name: View the detection results for - "$dest$"
-  search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
 rba:
   message: Disable security step $mandatory_step$ in job $job_name$ from user $user$
   risk_objects:
diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml
@@ -57,12 +57,12 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$
+  message: Suspicious share gdrive from $owner$ to $email$ namely as $doc_title$
   risk_objects:
   - field: email
     type: user
     score: 72
-  - field: parameters.owner
+  - field: owner
     type: user
     score: 72
   threat_objects: []
diff --git a/detections/deprecated/windows_ad_suspicious_gpo_modification.yml b/detections/deprecated/windows_ad_suspicious_gpo_modification.yml
@@ -1,15 +1,14 @@
 name: Windows AD Suspicious GPO Modification
 id: 0a2afc18-a3b5-4452-b60a-2e774214f9bf
 version: 7
-date: '2025-06-10'
+date: '2025-06-16'
 author: Dean Luxton
-status: production
+status: deprecated
 type: TTP
 data_source:
 - Windows Event Log Security 5136
 - Windows Event Log Security 5145
-description: |
-  This analytic looks for a the creation of potentially harmful GPO which
+description: This analytic looks for a the creation of potentially harmful GPO which
   could lead to persistence or code execution on remote hosts. Note, this analyic
   is looking for the absence of the corresponding 5136 events which is evidence of
   the GPOs being manually edited (using a tool like PowerView) or potentially missing
@@ -27,7 +26,7 @@ search: "`wineventlog_security` EventCode=5145 ShareName=\"\\\\\\\\*\\\\SYSVOL\"
   $gpo_guid$\" \n  | stats min(_time) as _time values(eval(if(OperationType==\"%%14675\"\
   ,AttributeValue,null))) as old_value values(eval(if(OperationType==\"%%14674\",AttributeValue,null)))
   as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID
-  src_user SubjectLogonId dest \n  | rex field=old_value max_match=10000 \"(?P<old_values>\\\
+  src_user SubjectLogonId \n  | rex field=old_value max_match=10000 \"(?P<old_values>\\\
   {.*?\\})\" \n  | rex field=new_value max_match=10000 \"(?P<new_values>\\{.*?\\})\"\
   \ \n  | rex field=ObjectDN max_match=10000 \"CN=(?P<policy_guid>\\{.*?\\})\" \n\
   \  | mvexpand new_values \n  | where NOT new_values IN (old_values,\"{00000000-0000-0000-0000-000000000000}\"\
@@ -41,34 +40,20 @@ search: "`wineventlog_security` EventCode=5145 ShareName=\"\\\\\\\\*\\\\SYSVOL\"
   values(Logon_ID) as Logon_ID values(newPolicy) as newPolicy values(OpCorrelationID)
   as OpCorrelationID values(folder) as folder values(file) as file by gpo_guid  |
   mvexpand folder  | where NOT folder IN (newPolicy) | `windows_ad_suspicious_gpo_modification_filter`"
-how_to_implement: |
-  Ingest EventCodes 5145 and 5136 from domain controllers. Additional
+how_to_implement: Ingest EventCodes 5145 and 5136 from domain controllers. Additional
   SACLs required to capture EventCode 5136, see references for further information
   on how to configure this. The Group Policy - Audit Detailed File Share will need
   to be enabled on the DCs to generate event code 5145, this event is very noisy on
   DCs, consider tuning out sysvol events which do not match access mask 0x2.
-known_false_positives: When a GPO is manually edited and 5136 events are not logging to Splunk.
+known_false_positives: When a GPO is manually edited and 5136 events are not logging
+  to Splunk.
 references:
 - https://github.com/PowerShellMafia/PowerSploit/blob/26a0757612e5654b4f792b012ab8f10f95d391c9/Recon/PowerView.ps1#L5907-L6122
 - https://github.com/X-C3LL/GPOwned
 - https://rastamouse.me/ous-and-gpos-and-wmi-filters-oh-my/
 - https://wald0.com/?p=179
 - https://github.com/FSecureLABS/SharpGPOAbuse
 - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
-drilldown_searches:
-- name: View the detection results for - "$dest$"
-  search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
 rba:
   message: $src_user$ has added new GPO Client Side Extensions $folder$ to the policy
     $gpo_guid$
@@ -98,4 +83,4 @@ tests:
   - data: 
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log
     source: XmlWinEventLog:Security
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_driver_inventory.yml b/detections/endpoint/windows_driver_inventory.yml
@@ -32,6 +32,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
+  manual_test: Cannot be tested automatically, as it needs additional transforms and props to make the data ready.
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml
@@ -16,15 +16,15 @@ description: The following analytic detects outbound SMB (Server Message Block)
 data_source:
 - Zeek Conn
 - Cisco Secure Firewall Threat Defense Connection Event
-search: '
+search: |
   | tstats `security_content_summariesonly` 
   earliest(_time) as start_time 
   latest(_time) as end_time 
   values(All_Traffic.action) as action 
   values(All_Traffic.app) as app
   values(sourcetype) as sourcetype count 
   from datamodel=Network_Traffic where
-    All_Traffic.action=allowed AND
+    All_Traffic.action IN ("allowed", "allow") AND
     (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")
   AND All_Traffic.src_ip IN (
     "10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"
@@ -39,9 +39,12 @@ search: '
   by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
   All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
   All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
-  All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.rule | `drop_dm_object_name("All_Traffic")`  |
-  `security_content_ctime(start_time)`  | `security_content_ctime(end_time)`  | iplocation
-  dest_ip | `detect_outbound_smb_traffic_filter`'
+  All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.rule 
+  | `drop_dm_object_name("All_Traffic")`  
+  | `security_content_ctime(start_time)`  
+  | `security_content_ctime(end_time)` 
+  | iplocation dest_ip 
+  | `detect_outbound_smb_traffic_filter`
 how_to_implement: This search requires you to be ingesting your network traffic
   and populating the Network_Traffic data model.
 known_false_positives: It is likely that the outbound Server Message Block (SMB) traffic
diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML
@@ -1,4 +1,7 @@
 detections:
+  - content: Windows AD Suspicious GPO Modification
+    removed_in_version: 5.10.0
+    reason: Detection deprecated due to lack of data and consistency. Research is being done to create potential replacement in a future release.
   - content: Windows Remote Access Software Hunt
     removed_in_version: 5.8.0
     reason: Detection has been replaced by a new detection with a more specific name and logic
