update output fields

nasbench · nasbench · commit e4c733a3b438 · 2025-06-10T20:07:40.000+02:00
diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
@@ -49,7 +49,7 @@ rba:
     type: user
     score: 64
   threat_objects:
-  - field: src_ip
+  - field: src
     type: ip_address
 tags:
   analytic_story:
diff --git a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
@@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe
   Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name
   Processes.dest Processes.process_path Processes.process Processes.parent_process_name
-  Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
+  Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)"
   | rename dest as src | join host process_id [| tstats `security_content_summariesonly`
   count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port)
@@ -64,7 +64,7 @@ rba:
     type: system
     score: 49
   threat_objects:
-  - field: parent_image
+  - field: parent_process_name
     type: process
   - field: process_name
     type: process_name
diff --git a/detections/endpoint/windows_ad_privileged_group_modification.yml b/detections/endpoint/windows_ad_privileged_group_modification.yml
@@ -10,7 +10,7 @@ data_source:
 description: Detect users added to privileged AD Groups.
 search: '`wineventlog_security` EventCode IN (4728) | stats min(_time) as _time dc(user)
   as usercount, values(user) as user values(user_category) as user_category values(src_user_category)
-  as src_user_category values(dvc) as dvc by signature, Group_Name,src_user | lookup
+  as src_user_category values(dvc) as dvc by signature, Group_Name,src_user dest | lookup
   admon_groups_def  cn as Group_Name OUTPUT category | where category="privileged"
   | `windows_ad_privileged_group_modification_filter`'
 how_to_implement: This analytic requires eventCode 4728 to be ingested along with
diff --git a/detections/endpoint/windows_ad_suspicious_gpo_modification.yml b/detections/endpoint/windows_ad_suspicious_gpo_modification.yml
@@ -26,7 +26,7 @@ search: "`wineventlog_security` EventCode=5145 ShareName=\"\\\\\\\\*\\\\SYSVOL\"
   $gpo_guid$\" \n  | stats min(_time) as _time values(eval(if(OperationType==\"%%14675\"\
   ,AttributeValue,null))) as old_value values(eval(if(OperationType==\"%%14674\",AttributeValue,null)))
   as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID
-  src_user SubjectLogonId \n  | rex field=old_value max_match=10000 \"(?P<old_values>\\\
+  src_user SubjectLogonId dest \n  | rex field=old_value max_match=10000 \"(?P<old_values>\\\
   {.*?\\})\" \n  | rex field=new_value max_match=10000 \"(?P<new_values>\\{.*?\\})\"\
   \ \n  | rex field=ObjectDN max_match=10000 \"CN=(?P<policy_guid>\\{.*?\\})\" \n\
   \  | mvexpand new_values \n  | where NOT new_values IN (old_values,\"{00000000-0000-0000-0000-000000000000}\"\
diff --git a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
@@ -16,8 +16,12 @@ description: The following analytic detects the creation of new ASPX files in th
   data, including user credentials and file metadata, posing a severe risk to the
   organization's security.
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
-  where Processes.process_name=System  by _time span=1h Processes.process_id Processes.process_name
-  Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [|
+  where Processes.process_name=System  by _time span=1h by Processes.action Processes.dest Processes.original_file_name
+  Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+  Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+  Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
+  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
+  Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | join process_guid, _time [|
   tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*")
   Filesystem.file_name IN("*.aspx", "*.ashx", "*.asp*") OR Filesystem.file_name IN
diff --git a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
@@ -5,7 +5,8 @@ date: '2025-06-10'
 author: Michael Haag, Splunk
 type: TTP
 status: production
-data_source: []
+data_source:
+- Sysmon EventID 1 AND Sysmon EventID 3
 description: The following analytic detects the execution of rundll32.exe with command-line
   arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav
   instance. It uses data from Endpoint Detection and Response (EDR) agents, correlating
@@ -16,9 +17,13 @@ description: The following analytic detects the execution of rundll32.exe with c
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe
   `process_rundll32` Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*",
-  "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by host _time span=1h Processes.process_id
-  Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name
-  Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
+  "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by host _time span=1h
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec 
+  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name 
+  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash 
+  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path 
+  Processes.user Processes.user_id Processes.vendor_product 
+  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | rename dest as src | join host process_id
   [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest
   latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port
