You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The following analytic identifies S3 buckets that were previously exposed to the public and have been subsequently deleted. It leverages AWS CloudTrail logs to track the lifecycle of potentially risky S3 bucket configurations. This activity is crucial for ensuring that public access to sensitive data is properly managed and decommissioned. By monitoring these events, organizations can ensure that exposed buckets are promptly deleted, reducing the risk of unauthorized access. Immediate investigation is recommended to confirm the proper decommissioning of these buckets and to ensure no sensitive data remains exposed. This baseline detection creates a lookup table of decommissioned buckets.csv and their associated events which can be used by detection searches to trigger alerts when decommissioned buckets are detected.
10
+
11
+
The following detections searches leverage this baseline search and the lookup table.
12
+
* Detect DNS Query to Decommissioned S3 Bucket
13
+
* Detect Web Access to Decommissioned S3 Bucket
14
+
search: '`cloudtrail` eventSource="s3.amazonaws.com" (eventName=DeleteBucket OR eventName=PutBucketPolicy OR eventName=PutBucketWebsite)
how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public.
42
+
known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
name: Cisco AI Defense Security Alerts by Application Name
2
+
id: 105e4a69-ec55-49fc-be1f-902467435ea8
3
+
version: 1
4
+
date: '2025-02-14'
5
+
author: Bhavin Patel, Splunk
6
+
status: experimental
7
+
type: Anomaly
8
+
description: The search surfaces alerts from the Cisco AI Defense product for potential attacks against the AI models running in your environment. This analytic identifies security events within Cisco AI Defense by examining event messages, actions, and policy names. It focuses on connections and applications associated with specific guardrail entities and ruleset types. By aggregating and analyzing these elements, the search helps detect potential policy violations and security threats, enabling proactive defense measures and ensuring network integrity.
9
+
data_source:
10
+
- Cisco AI Defense Alerts
11
+
search: |-
12
+
`cisco_ai_defense`
13
+
| rename genai_application.application_name as application_name
14
+
| rename connection.connection_name as connection_name
15
+
```Aggregating data by model name, connection name, application name, application ID, and user ID```
16
+
| stats count
17
+
values(user_id) as user_id
18
+
values(event_message_type) as event_message_type
19
+
values(event_action) as event_action
20
+
values(policy.policy_name) as policy_name
21
+
values(event_policy_guardrail_assocs{}.policy_guardrail_assoc.guardrail_avail_entity.guardrail_entity_name) as guardrail_entity_name
22
+
values(event_policy_guardrail_assocs{}.policy_guardrail_assoc.guardrail_avail_ruleset.guardrail_ruleset_type) as guardrail_ruleset_type
23
+
by model.model_name connection_name application_name application_id
24
+
```Evaluating severity based on policy name and guardrail ruleset type```
25
+
| eval severity=case(
26
+
policy_name IN ("AI Runtime Latency Testing - Prompt Injection"), "critical",
27
+
policy_name IN ("AI Runtime Latency Testing - Code Detection"), "high",
28
+
guardrail_ruleset_type IN ("Toxicity"), "medium",
29
+
true(), "low"
30
+
)
31
+
```Calculating risk score based on severity level```
how_to_implement: To enable this detection, you need to ingest alerts from the Cisco AI Defense product. This can be done by using this app from splunkbase - Cisco Security Cloud and ingest alerts into the cisco:ai:defense sourcetype.
41
+
known_false_positives: False positives may vary based on Cisco AI Defense configuration; monitor and filter out the alerts that are not relevant to your environment.
Copy file name to clipboardExpand all lines: detections/application/cisco_secure_application_alerts.yml
+1-1Lines changed: 1 addition & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -79,7 +79,7 @@ tags:
79
79
- Splunk Enterprise Security
80
80
- Splunk Cloud
81
81
security_domain: threat
82
-
#manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty.
82
+
manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty.
description: The following analytic detects when an excessive number of files are access from o365 by the same user over a short period of time. A malicious actor may abuse the "open in app" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be take with any Azure Guest (#EXT#) accounts.
9
+
data_source:
10
+
- Office 365 Universal Audit Log
11
+
search: |-
12
+
`o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg)
13
+
| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
14
+
| where NOT match(SiteUrl,user_flat)
15
+
| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
16
+
| eventstats avg(count) as avg stdev(count) as stdev by Workload
17
+
| rename SiteUrl as file_path,Workload as app
18
+
| where count > 50 AND count > (avg + (3*(stdev)))
19
+
| `security_content_ctime(firstTime)`
20
+
| `security_content_ctime(lastTime)`
21
+
| `o365_exfiltration_via_file_access_filter`
22
+
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
23
+
known_false_positives: It is possible that certain file access scenarios may trigger this alert, specifically OneDrive syncing and users accessing personal onedrives of other users. Adjust threshold and filtering as needed.
search: '%original_detection_search% | search user = "$user$"'
31
+
earliest_offset: $info_min_time$
32
+
latest_offset: $info_max_time$
33
+
- name: View risk events for the last 7 days for - "$user$"
34
+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
35
+
earliest_offset: $info_min_time$
36
+
latest_offset: $info_max_time$
37
+
- name: Investigate file access by $user$
38
+
search: '`o365_management_activity` Operation IN ("fileaccessed") UserId="$UserId$"'
39
+
earliest_offset: $info_min_time$
40
+
latest_offset: $info_max_time$
41
+
rba:
42
+
message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$
description: The following analytic detects when an excessive number of files are downloaded from o365 by the same user over a short period of time. O365 may bundle these files together as a ZIP file, however each file will have it's own download event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts.
9
+
data_source:
10
+
- Office 365 Universal Audit Log
11
+
search: |-
12
+
`o365_management_activity` Operation IN ("filedownloaded")
13
+
| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
14
+
| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
15
+
| rename SiteUrl as file_path,Workload as app
16
+
| where count > 50
17
+
| `security_content_ctime(firstTime)`
18
+
| `security_content_ctime(lastTime)`
19
+
| `o365_exfiltration_via_file_download_filter`
20
+
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
21
+
known_false_positives: It is possible that certain file download scenarios may trigger this alert, specifically OneDrive syncing. Adjust threshold and filtering as needed.
search: '%original_detection_search% | search user = "$user$"'
29
+
earliest_offset: $info_min_time$
30
+
latest_offset: $info_max_time$
31
+
- name: View risk events for the last 7 days for - "$user$"
32
+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
33
+
earliest_offset: $info_min_time$
34
+
latest_offset: $info_max_time$
35
+
- name: Investigate file downloads by $user$
36
+
search: '`o365_management_activity` Operation IN ("filedownloaded") UserId="$UserId$"'
37
+
earliest_offset: $info_min_time$
38
+
latest_offset: $info_max_time$
39
+
rba:
40
+
message: The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$
0 commit comments