
Commit c46c948

more fixes
1 parent 6c5aa91 commit c46c948


2 files changed

+4
-16
lines changed


detections/network/detect_outbound_smb_traffic.yml

Lines changed: 0 additions & 6 deletions
Original file line number | Diff line number | Diff line change
@@ -14,7 +14,6 @@ description: The following analytic detects outbound SMB (Server Message Block)
1414
this activity could lead to unauthorized access to sensitive data and potential
1515
full system compromise.
1616
data_source:
17-
- Zeek Conn
1817
- Cisco Secure Firewall Threat Defense Connection Event
1918
search: |
2019
| tstats `security_content_summariesonly`
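Review bot: this hunk drops `Zeek Conn` from `data_source`, which is a content change visible to consumers of the detection, but unlike prohibited_network_traffic_allowed.yml in the same commit (version 8 to 9, date updated) no hunk in this file touches the `version` / `date` header. Bump the version and date here as well so the change is tracked consistently.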
@@ -94,11 +93,6 @@ tags:
9493
- Splunk Cloud
9594
security_domain: network
9695
tests:
97-
- name: Zeek True Positive Test
98-
attack_data:
99-
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log
100-
sourcetype: bro:conn:json
101-
source: conn.log
10296
- name: Cisco Secure Firewall True Positive Test
10397
attack_data:
10498
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
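Review bot: removing the `Zeek True Positive Test` is consistent with dropping `Zeek Conn` from `data_source` in the hunk above, but it leaves this detection validated against a single dataset (`connection_events.log`). Confirm that the description and how_to_implement text for this detection, which are not touched in this commit, no longer reference Zeek as a supported source, otherwise the docs and the test coverage will disagree.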

detections/network/prohibited_network_traffic_allowed.yml

Lines changed: 4 additions & 10 deletions
Original file line number | Diff line number | Diff line change
@@ -1,7 +1,7 @@
11
name: Prohibited Network Traffic Allowed
22
id: ce5a0962-849f-4720-a678-753fe6674479
3-
version: 8
4-
date: '2025-05-27'
3+
version: 9
4+
date: '2025-06-17'
55
author: Rico Valdez, Splunk
66
status: production
77
type: TTP
@@ -14,7 +14,6 @@ description: The following analytic detects instances where network traffic, ide
1414
allow attackers to bypass network defenses, leading to potential data breaches and
1515
compromising the organization's security posture.
1616
data_source:
17-
- Zeek Conn
1817
- Cisco Secure Firewall Threat Defense Connection Event
1918
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
2019
as lastTime from datamodel=Network_Traffic where All_Traffic.action IN ("allowed", "allow") by
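Review bot: the search filters on `All_Traffic.action IN ("allowed", "allow")`, and Zeek's conn.log carries no allow/deny verdict, so removing `Zeek Conn` from `data_source` looks correct. That rationale is not recorded anywhere in the diff; consider stating in `how_to_implement` that only sources populating `All_Traffic.action` (such as the remaining Cisco Secure Firewall Threat Defense connection events) are supported, so nobody re-adds Zeek later.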
@@ -28,7 +27,7 @@ how_to_implement: In order to properly run this search, Splunk needs to ingest d
2827
into an environment. This is necessary so that the search can identify an 'action'
2928
taken on the traffic of interest. The search requires the Network_Traffic data model
3029
be populated.
31-
known_false_positives: None identified
30+
known_false_positives: Unknown
3231
references: []
3332
drilldown_searches:
3433
- name: View the detection results for - "$src_ip$"
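Review bot: changing `known_false_positives` from `None identified` to `Unknown` makes the field less informative rather than more. Since the analytic fires on allowed traffic that matches a builtin Enterprise Security lookup of prohibited traffic, a more useful value would name the obvious benign case, for example sanctioned use of a port or protocol that the lookup lists as prohibited, so analysts know what to tune.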
@@ -67,13 +66,8 @@ tags:
6766
- Splunk Enterprise Security
6867
- Splunk Cloud
6968
security_domain: network
70-
manual_test: This detection uses builtin lookup from Enterprise Security.
69+
manual_test: This detection uses a builtin lookup from Enterprise Security.
7170
tests:
72-
- name: Zeek Conn True Positive Test
73-
attack_data:
74-
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log
75-
sourcetype: bro:conn:json
76-
source: conn.log
7771
- name: Cisco Secure Firewall True Positive Test
7872
attack_data:
7973
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
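Review bot: the `manual_test` wording fix is fine, but that line says the detection depends on a builtin Enterprise Security lookup, and with the `Zeek Conn True Positive Test` removed the only remaining test is the Cisco Secure Firewall one. Confirm that test actually runs in the automated test environment with the lookup present; if it does not, it belongs under the manual test path rather than `tests:`.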
