|
1 | 1 | name: Detect Critical Alerts from Security Tools |
2 | 2 | id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd |
3 | 3 | version: 2 |
4 | | -date: '2024-11-13' |
| 4 | +date: '2025-01-13' |
5 | 5 | author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Bryan Pluta, Splunk |
6 | | -status: production |
| 6 | +status: deprecated |
7 | 7 | type: TTP |
8 | 8 | data_source: |
9 | 9 | - Windows Defender Alerts |
10 | 10 | - MS365 Defender Incident Alerts |
11 | | -description: The following analytics is to detect high and critical alerts from endpoint |
12 | | - security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query |
13 | | - aggregates and summarizes critical severity alerts from the Alerts data model, providing |
14 | | - details such as the alert signature, application, description, source, destination, |
15 | | - and timestamps, while applying custom filters and formatting for enhanced analysis |
16 | | - in a SIEM environment.This capability allows security teams to efficiently allocate |
17 | | - resources and maintain a strong security posture, while also supporting compliance |
18 | | - with regulatory requirements by providing a clear record of critical security events. |
19 | | - We tested these detections with logs from Microsoft Defender, however this detection |
20 | | - should work for any security alerts that are ingested into the alerts data model. |
21 | | - **Note** - We are dynamically creating the risk_score field based on the severity |
22 | | - of the alert in the SPL and that supersedes the risk score set in the detection. |
23 | | -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) |
24 | | - as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) |
25 | | - as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity |
26 | | - values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) |
27 | | - as signature values(Alerts.signature_id) as signature_id values(Alerts.dest) as |
28 | | - dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src |
29 | | - Alerts.user Alerts.id Alerts.vendor sourcetype | `drop_dm_object_name("Alerts")` |
30 | | - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval |
31 | | - risk_score=case(severity="informational", 2, severity="low", 5, severity="medium", |
32 | | - 10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`' |
33 | | -how_to_implement: In order to properly run this search, you to ingest alerts data |
34 | | - from other security products such as Crowdstrike, Microsoft Defender, or Carbon |
35 | | - Black using appropriate TAs for that technology. Once ingested, the fields should |
36 | | - be mapped to the Alerts data model. Make sure to apply transformation on the data |
37 | | - if necessary. The risk_score field is used to calculate the risk score for the alerts |
38 | | - and the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework |
39 | | - is dynamically created by the detection when this is triggered. These fields need |
40 | | - not be set in the adaptive response actions. |
41 | | -known_false_positives: False positives may vary by endpoint protection tool; monitor |
42 | | - and filter out the alerts that are not relevant to your environment. |
| 11 | +description: The following analytic has been deprecated in favour of specific and dedicated product analytics such as "Microsoft Defender ATP Alerts". The following analytic is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. **Note** - We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. |
| 12 | +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.signature_id) as signature_id values(Alerts.dest) as dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval risk_score=case(severity="informational", 2, severity="low", 5, severity="medium", 10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`' |
| 13 | +how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. The risk_score field is used to calculate the risk score for the alerts and the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework is dynamically created by the detection when this is triggered. These fields need not be set in the adaptive response actions. |
| 14 | +known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment. |
43 | 15 | references: |
44 | 16 | - https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/accessing-microsoft-defender-for-cloud-alerts-in-splunk-using/ba-p/938228 |
45 | 17 | - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts |
|
0 commit comments