removing allowed contraint and new name

Author: patel-bhavin

detections/deprecated/remote_desktop_network_bruteforce.yml

@@ -0,0 +1,71 @@
+name: Remote Desktop Network Bruteforce
+id: a98727cc-286b-4ff2-b898-41df64695923
+version: 6  
+date: '2025-01-10'
+author: Jose Hernandez, Bhavin Patel, Splunk
+status: deprecated
+type: TTP
+description: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 successful connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity.
+data_source:
+- Sysmon EventID 3
+search: >-
+  | tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) AND All_Traffic.action=allowed by All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port All_Traffic.user All_Traffic.vendor_product 
+  | `drop_dm_object_name("All_Traffic")` 
+  | eval duration=lastTime-firstTime 
+  | where count > 10 AND duration < 3600 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `remote_desktop_network_bruteforce_filter`
+how_to_implement: You must ensure that your network traffic data is populating the Network_Traffic data model. Adjust the count and duration thresholds as necessary to tune the sensitivity of your detection.
+known_false_positives: RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.Any legitimate RDP traffic using wrong/expired credentials will be also detected as a false positive.
+references:
+- https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack
+- https://www.reliaquest.com/blog/rdp-brute-force-attacks/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - SamSam Ransomware
+  - Ryuk Ransomware
+  - Compromised User Account
+  asset_type: Endpoint
+  confidence: 50
+  impact: 50
+  message: $dest$ may be the target of an RDP Bruteforce from $src$
+  mitre_attack_id:
+  - T1110.001
+  - T1110
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - All_Traffic.app
+  - All_Traffic.src
+  - All_Traffic.dest
+  - All_Traffic.dest_port
+  risk_score: 25
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog