update risk object

nasbench · nasbench · commit e7f59f1ffcfd · 2025-06-02T11:36:04.000+02:00
diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml
@@ -50,7 +50,7 @@ rba:
   message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination
     IPs
   risk_objects:
-  - field: dest_port
+  - field: dest_ports
     type: system
     score: 64
   threat_objects:
diff --git a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml
@@ -23,14 +23,14 @@ search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as
   All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.dest All_Traffic.transport All_Traffic.rule span=1s _time |
   `drop_dm_object_name("All_Traffic")`  | eval gtime=_time  | bin span=1h gtime  |
   stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount
-  values(src_category) as src_category values(dest_zone)  as dest_zone values(src_zone)
+  values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone)
   as src_zone by src_ip dest_port gtime transport  | where totalDestIPCount>=250  |
   eval dest_port=transport + "/" + dest_port  | stats min(_time) as _time values(action)
   as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category
   values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone)
   as src_zone by src_ip gtime  | fields - gtime  | `internal_horizontal_port_scan_nmap_top_20_filter`'
 how_to_implement: To properly run this search, Splunk needs to ingest data from networking
-  telemetry sources such as firewalls, NetFlow, or host-based networking events. Ensure
+  telemetry sources such as firewalls like Cisco Secure Firewall, NetFlow, or host-based networking events. Ensure
   that the Network_Traffic data model is populated to enable this search effectively.
 known_false_positives: Unknown
 references: []
