Merge pull request #3545 from splunk/fix-issues-june25

pyth0n1c · web-flow · commit cc74c42c4d4b · 2025-06-02T13:52:05.000-07:00
Fix Issues For v5.7
diff --git a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
 name: O365 Concurrent Sessions From Different Ips
 id: 58e034de-1f87-4812-9dc3-a4f68c7db930
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -17,7 +17,8 @@ data_source:
 - O365 UserLoggedIn
 search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn 
   | fillnull 
-  | stats count min(_time) as firstTime max(_time) as lastTime values(src) as src by signature dest user vendor_account vendor_product 
+  | stats count min(_time) as firstTime max(_time) as lastTime values(src) as src 
+    by signature dest user vendor_account vendor_product SessionId
   | where mvcount(src) > 1 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
diff --git a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
@@ -1,7 +1,7 @@
 name: Windows Sensitive Registry Hive Dump Via CommandLine
 id: 5aaff29d-0cce-405b-9ee8-5d06b49d045e
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-02'
 author: Michael Haag, Patrick Bareiss, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -20,8 +20,9 @@ data_source:
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where ((`process_reg` Processes.process
   IN ("*save*", "*export*")) OR (`process_regedit` Processes.process IN ("*/E *",
-  "*-E *"))) AND Processes.process IN ("*HKEY_LOCAL_MACHINE*", "*HKLM*") AND Processes.process
-  IN ("*SAM*", "*System*", "*Security*") by Processes.action Processes.dest Processes.original_file_name
+  "*-E *"))) AND Processes.process IN ("*HKEY_LOCAL_MACHINE\\SAM*", "*HKEY_LOCAL_MACHINE\\System*", 
+  "*HKEY_LOCAL_MACHINE\\Security*", "*HKLM\\SAM*", "*HKLM\\System*", "*HKLM\\Security*") 
+  by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
