upgrade detection with tests to production

nasbench · nasbench · commit d985dc110511 · 2025-06-10T13:56:06.000+02:00
diff --git a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
@@ -1,9 +1,9 @@
 name: Abnormally High Number Of Cloud Infrastructure API Calls
 id: 0840ddf1-8c89-46ff-b730-c8d6722478c0
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: David Dorsey, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects a spike in the number of API calls made
   to your cloud infrastructure by a user. It leverages cloud infrastructure logs and
diff --git a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
@@ -1,9 +1,9 @@
 name: Abnormally High Number Of Cloud Security Group API Calls
 id: d4dfb7f3-7a37-498a-b5df-f19334e871af
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: David Dorsey, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects a spike in the number of API calls made
   to cloud security groups by a user. It leverages data from the Change data model,
diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
@@ -1,9 +1,9 @@
 name: ASL AWS New MFA Method Registered For User
 id: 33ae0931-2a03-456b-b1d7-b016c5557fbd
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-06-10'
 author: Patrick Bareiss, Splunk
-status: experimental
+status: production
 type: TTP
 description: The following analytic identifies the registration of a new Multi-Factor
   Authentication (MFA) method for an AWS account, as logged through Amazon Security
diff --git a/detections/cloud/circle_ci_disable_security_step.yml b/detections/cloud/circle_ci_disable_security_step.yml
@@ -1,9 +1,9 @@
 name: Circle CI Disable Security Step
 id: 72cb9de9-e98b-4ac9-80b2-5331bba6ea97
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-10'
 author: Patrick Bareiss, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects the disablement of security steps in a
   CircleCI pipeline. It leverages CircleCI logs, using field renaming, joining, and
diff --git a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
@@ -1,9 +1,9 @@
 name: Cloud API Calls From Previously Unseen User Roles
 id: 2181ad1f-1e73-4d0c-9780-e8880482a08f
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-10'
 author: David Dorsey, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects cloud API calls executed by user roles
   that have not previously run these commands. It leverages the Change data model
diff --git a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
@@ -1,9 +1,9 @@
 name: Cloud Compute Instance Created By Previously Unseen User
 id: 37a0ec8d-827e-4d6d-8025-cedf31f3a149
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: Rico Valdez, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic identifies the creation of cloud compute instances
   by users who have not previously created them. It leverages data from the Change
diff --git a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
@@ -1,9 +1,9 @@
 name: Cloud Compute Instance Created In Previously Unused Region
 id: fa4089e2-50e3-40f7-8469-d2cc1564ca59
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-10'
 author: David Dorsey, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects the creation of a cloud compute instance
   in a region that has not been previously used within the last hour. It leverages
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
@@ -1,9 +1,9 @@
 name: Cloud Compute Instance Created With Previously Unseen Image
 id: bc24922d-987c-4645-b288-f8c73ec194c4
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-10'
 author: David Dorsey, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects the creation of cloud compute instances
   using previously unseen image IDs. It leverages cloud infrastructure logs to identify
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
@@ -1,9 +1,9 @@
 name: Cloud Compute Instance Created With Previously Unseen Instance Type
 id: c6ddbf53-9715-49f3-bb4c-fb2e8a309cda
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-10'
 author: David Dorsey, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects the creation of EC2 instances with previously
   unseen instance types. It leverages Splunk's tstats command to analyze data from
diff --git a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
@@ -1,9 +1,9 @@
 name: Cloud Instance Modified By Previously Unseen User
 id: 7fb15084-b14e-405a-bd61-a6de15a40722
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: Rico Valdez, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic identifies cloud instances being modified by users
   who have not previously modified them. It leverages data from the Change data model,
diff --git a/detections/cloud/detect_aws_console_login_by_new_user.yml b/detections/cloud/detect_aws_console_login_by_new_user.yml
@@ -1,9 +1,9 @@
 name: Detect AWS Console Login by New User
 id: bc91a8cd-35e7-4bb2-6140-e756cc46fd71
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-10'
 author: Rico Valdez, Splunk
-status: experimental
+status: production
 type: Hunting
 description: The following analytic detects AWS console login events by new users.
   It leverages AWS CloudTrail events and compares them against a lookup file of previously
diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml
@@ -1,9 +1,9 @@
 name: Gsuite Drive Share In External Email
 id: f6ee02d6-fea0-11eb-b2c2-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: Teoderick Contreras, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects Google Drive or Google Docs files shared
   externally from an internal domain. It leverages GSuite Drive logs, extracting and
diff --git a/detections/cloud/microsoft_intune_mobile_apps.yml b/detections/cloud/microsoft_intune_mobile_apps.yml
@@ -1,22 +1,22 @@
 name: Microsoft Intune Mobile Apps
 id: 98e6b389-2806-4426-a580-8a92cb0d9710
-version: 2
-date: '2025-05-02'
+version: 3
+date: '2025-06-10'
 author: Dean Luxton
-data_source:
-- Azure Monitor Activity
+status: production
 type: Hunting
-status: experimental
-description: >-
+description: |
   Microsoft Intune supports deploying packaged applications to support software deployment, this functionality can also be abused for deploying malicious payloads to intune managed devices. 
-  This detection identifies when a new packaged application has been added, updated or deleted. 
-search: >-
+  This detection identifies when a new packaged application has been added, updated or deleted.
+data_source:
+- Azure Monitor Activity
+search: |
   `azure_monitor_activity` operationName="*MobileApp*" 
   | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin
   | rex field="operationName" "^(?P<action>\w+)\s" | replace "Patch" with "updated", "Create" with "created", "Delete", with "deleted", "assign", with "assigned" IN action
   | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId
   | `microsoft_intune_mobile_apps_filter`
-how_to_implement: >-
+how_to_implement: |
   The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. 
   To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub. 
   Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly. 
diff --git a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
@@ -1,9 +1,9 @@
 name: DLLHost with no Command Line Arguments with Network
 id: f1c07594-a141-11eb-8407-acde48001122
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2025-06-10'
 author: Steven Dick, Michael Haag, Splunk
-status: experimental
+status: production
 type: TTP
 description: The following analytic detects instances of DLLHost.exe running without
   command line arguments while establishing a network connection. This behavior is
diff --git a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
@@ -1,9 +1,9 @@
 name: Linux Stdout Redirection To Dev Null File
 id: de62b809-a04d-46b5-9a15-8298d330f0c8
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: Teoderick Contreras, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects command-line activities that redirect
   stdout or stderr to the /dev/null file. It leverages data from Endpoint Detection
diff --git a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml
@@ -1,9 +1,9 @@
 name: PaperCut NG Suspicious Behavior Debug Log
 id: 395163b8-689b-444b-86c7-9fe9ad624734
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-10'
 author: Michael Haag, Splunk
-status: experimental
+status: production
 type: Hunting
 data_source: []
 description: The following analytic identifies potential exploitation attempts on
diff --git a/detections/endpoint/print_processor_registry_autostart.yml b/detections/endpoint/print_processor_registry_autostart.yml
@@ -1,9 +1,9 @@
 name: Print Processor Registry Autostart
 id: 1f5b68aa-2037-11ec-898e-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-10'
 author: Teoderick Contreras, Splunk
-status: experimental
+status: production
 type: TTP
 description: The following analytic detects suspicious modifications or new entries
   in the Print Processor registry path. It leverages registry activity data from the
diff --git a/detections/endpoint/windows_ad_privileged_group_modification.yml b/detections/endpoint/windows_ad_privileged_group_modification.yml
@@ -1,9 +1,9 @@
 name: Windows AD Privileged Group Modification
 id: 187bf937-c436-4c65-bbcb-7539ffe02da1
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-10'
 author: Dean Luxton
-status: experimental
+status: production
 type: TTP
 data_source:
 - Windows Event Log Security 4728
diff --git a/detections/endpoint/windows_ad_suspicious_gpo_modification.yml b/detections/endpoint/windows_ad_suspicious_gpo_modification.yml
@@ -1,9 +1,9 @@
 name: Windows AD Suspicious GPO Modification
 id: 0a2afc18-a3b5-4452-b60a-2e774214f9bf
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-06-10'
 author: Dean Luxton
-status: experimental
+status: production
 type: TTP
 data_source:
 - Windows Event Log Security 5136
diff --git a/detections/endpoint/windows_driver_inventory.yml b/detections/endpoint/windows_driver_inventory.yml
@@ -1,9 +1,9 @@
 name: Windows Driver Inventory
 id: f87aa96b-369b-4a3e-9021-1bbacbfcb8fb
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-10'
 author: Michael Haag, Splunk
-status: experimental
+status: production
 type: Hunting
 description: The following analytic identifies drivers being loaded across the fleet.
   It leverages a PowerShell script input deployed to critical systems to capture driver
diff --git a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
@@ -1,9 +1,9 @@
 name: Windows MOVEit Transfer Writing ASPX
 id: c0ed2aca-5666-45b3-813f-ddfac3f3eda0
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-06-10'
 author: Michael Haag, Splunk
-status: experimental
+status: production
 type: TTP
 data_source:
 - Sysmon EventID 1 AND Sysmon EventID 11
diff --git a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
@@ -1,10 +1,10 @@
 name: Windows Rundll32 WebDav With Network Connection
 id: f03355e0-28b5-4e9b-815a-6adffc63b38c
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: Michael Haag, Splunk
 type: TTP
-status: experimental
+status: production
 data_source: []
 description: The following analytic detects the execution of rundll32.exe with command-line
   arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav
diff --git a/detections/endpoint/windows_vulnerable_driver_loaded.yml b/detections/endpoint/windows_vulnerable_driver_loaded.yml
@@ -1,9 +1,9 @@
 name: Windows Vulnerable Driver Loaded
 id: a2b1f1ef-221f-4187-b2a4-d4b08ec745f4
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-06-10'
 author: Michael Haag, Splunk
-status: experimental
+status: production
 type: Hunting
 description: The following analytic detects the loading of known vulnerable Windows
   drivers, which may indicate potential persistence or privilege escalation attempts.
diff --git a/detections/endpoint/windows_winlogon_with_public_network_connection.yml b/detections/endpoint/windows_winlogon_with_public_network_connection.yml
@@ -1,9 +1,9 @@
 name: Windows WinLogon with Public Network Connection
 id: 65615b3a-62ea-4d65-bb9f-6f07c17df4ea
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-06-10'
 author: Michael Haag, Splunk
-status: experimental
+status: production
 type: Hunting
 data_source:
 - Sysmon EventID 1 AND Sysmon EventID 3
diff --git a/detections/network/3cx_supply_chain_attack_network_indicators.yml b/detections/network/3cx_supply_chain_attack_network_indicators.yml
@@ -1,12 +1,10 @@
 name: 3CX Supply Chain Attack Network Indicators
 id: 791b727c-deec-4fbe-a732-756131b3c5a1
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-06-10'
 author: Michael Haag, Splunk
+status: production
 type: TTP
-status: experimental
-data_source:
-- Sysmon EventID 22
 description: The following analytic identifies DNS queries to domains associated with
   the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect
   these suspicious domain indicators. This activity is significant because it can
@@ -15,6 +13,8 @@ description: The following analytic identifies DNS queries to domains associated
   malicious, this activity could allow attackers to establish a foothold in the network,
   exfiltrate sensitive data, or further propagate malware, leading to extensive damage
   and data breaches.
+data_source:
+- Sysmon EventID 22
 search: '| tstats `security_content_summariesonly` min(_time) as firstTime from datamodel=Network_Resolution
   by DNS.answer DNS.answer_count DNS.query DNS.query_count DNS.reply_code_id DNS.src
   DNS.vendor_product | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)`
diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml
@@ -1,9 +1,9 @@
 name: Detect Outbound SMB Traffic
 id: 1bed7774-304a-4e8f-9d72-d80e45ff492b
-version: 11
-date: '2025-05-22'
+version: 13
+date: '2025-06-10'
 author: Bhavin Patel, Stuart Hopkins, Patrick Bareiss
-status: experimental
+status: production
 type: TTP
 description: The following analytic detects outbound SMB (Server Message Block) connections
   from internal hosts to external servers. It identifies this activity by monitoring
@@ -21,7 +21,11 @@ search: '| tstats `security_content_summariesonly` earliest(_time) as start_time
   values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed
   All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")
   AND All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND NOT
-  All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10")
+  All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10", 
+  "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", 
+  "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", 
+  "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", 
+  "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")
   by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
   All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
   All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
