splunk
diff --git a/‎detections/cloud/github_enterprise_created_self_hosted_runner.yml‎
Lines changed: 7 additions & 17 deletions b/‎detections/cloud/github_enterprise_created_self_hosted_runner.yml‎
Lines changed: 7 additions & 17 deletions
diff --git a/‎detections/cloud/github_enterprise_delete_branch_ruleset.yml‎
Lines changed: 7 additions & 22 deletions b/‎detections/cloud/github_enterprise_delete_branch_ruleset.yml‎
Lines changed: 7 additions & 22 deletions
diff --git a/‎detections/cloud/github_enterprise_disable_2fa_requirement.yml‎
Lines changed: 7 additions & 17 deletions b/‎detections/cloud/github_enterprise_disable_2fa_requirement.yml‎
Lines changed: 7 additions & 17 deletions
diff --git a/‎detections/cloud/github_enterprise_disable_audit_log_event_stream.yml‎
Lines changed: 7 additions & 18 deletions b/‎detections/cloud/github_enterprise_disable_audit_log_event_stream.yml‎
Lines changed: 7 additions & 18 deletions
diff --git a/‎detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml‎
Lines changed: 7 additions & 22 deletions b/‎detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml‎
Lines changed: 7 additions & 22 deletions
diff --git a/‎detections/cloud/github_enterprise_disable_dependabot.yml‎
Lines changed: 7 additions & 24 deletions b/‎detections/cloud/github_enterprise_disable_dependabot.yml‎
Lines changed: 7 additions & 24 deletions
diff --git a/‎detections/cloud/github_enterprise_disable_ip_allow_list.yml‎
Lines changed: 7 additions & 17 deletions b/‎detections/cloud/github_enterprise_disable_ip_allow_list.yml‎
Lines changed: 7 additions & 17 deletions
diff --git a/‎detections/cloud/github_enterprise_modify_audit_log_event_stream.yml‎
Lines changed: 7 additions & 18 deletions b/‎detections/cloud/github_enterprise_modify_audit_log_event_stream.yml‎
Lines changed: 7 additions & 18 deletions
diff --git a/‎detections/cloud/github_enterprise_pause_audit_log_event_stream.yml‎
Lines changed: 7 additions & 19 deletions b/‎detections/cloud/github_enterprise_pause_audit_log_event_stream.yml‎
Lines changed: 7 additions & 19 deletions
@@ -34,33 +34,23 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: $user$ created a self-hosted runner in GitHub Enterprise
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
 tags:
   analytic_story:
   - GitHub Malicious Activity
   asset_type: GitHub
-  confidence: 90
-  impact: 30
-  message: $user$ created a self-hosted runner in GitHub Enterprise
   mitre_attack_id:
   - T1562.001
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - actor
-  - actor_id
-  - actor_is_bot
-  - actor_location.country_code
-  - business
-  - business_id
-  - user_agent
-  risk_score: 27
   security_domain: network
 tests:
 - name: True Positive Test
 
@@ -35,38 +35,23 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: $user$ deleted a branch ruleset in repo $repo$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
 tags:
   analytic_story:
   - GitHub Malicious Activity
   asset_type: GitHub
-  confidence: 90
-  impact: 30
-  message: $user$ deleted a branch ruleset in repo $repo$
   mitre_attack_id:
   - T1562.001
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - actor
-  - actor_id
-  - actor_is_bot
-  - actor_location.country_code
-  - business
-  - business_id
-  - org
-  - org_id
-  - repo
-  - repo_id
-  - user_agent
-  - ruleset_name
-  risk_score: 27
   security_domain: network
 tests:
 - name: True Positive Test
 
@@ -35,33 +35,23 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: $user$ disabled 2FA requirement 
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
 tags:
   analytic_story:
   - GitHub Malicious Activity
   asset_type: GitHub
-  confidence: 90
-  impact: 30
-  message: $user$ disabled 2FA requirement 
   mitre_attack_id:
   - T1562.001
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - actor
-  - actor_id
-  - actor_is_bot
-  - actor_location.country_code
-  - business
-  - business_id
-  - user_agent
-  risk_score: 27
   security_domain: network
 tests:
 - name: True Positive Test
 
@@ -35,34 +35,23 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: Audit log event streaming is disabled by $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
 tags:
   analytic_story:
   - GitHub Malicious Activity
   asset_type: GitHub
-  confidence: 90
-  impact: 30
-  message: Audit log event streaming is disabled by $user$
   mitre_attack_id:
   - T1562.008
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - actor
-  - actor_id
-  - actor_ip
-  - actor_is_bot
-  - actor_location.country_code
-  - business
-  - business_id
-  - user_agent
-  risk_score: 27
   security_domain: network
 tests:
 - name: True Positive Test
 
@@ -35,38 +35,23 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: $user$ disabled a classic branch protection rule in repo $repo$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
 tags:
   analytic_story:
   - GitHub Malicious Activity
   asset_type: GitHub
-  confidence: 90
-  impact: 30
-  message: $user$ disabled a classic branch protection rule in repo $repo$
   mitre_attack_id:
   - T1562.001
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - actor
-  - actor_id
-  - actor_is_bot
-  - actor_location.country_code
-  - business
-  - business_id
-  - org
-  - org_id
-  - repo
-  - repo_id
-  - user_agent
-  - name
-  risk_score: 27
   security_domain: network
 tests:
 - name: True Positive Test
 
@@ -33,40 +33,23 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: Dependabot security features are disabled in repository $repo$ by $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
 tags:
   analytic_story:
   - GitHub Malicious Activity
   asset_type: GitHub
-  confidence: 90
-  impact: 30
-  message: Dependabot security features are disabled in repository $repo$ by $user$
   mitre_attack_id:
   - T1562.001
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - actor
-  - actor_id
-  - actor_ip
-  - actor_is_bot
-  - actor_location.country_code
-  - business
-  - business_id
-  - org
-  - org_id
-  - repo
-  - repo_id
-  - user
-  - user_agent
-  - user_id
-  risk_score: 27
   security_domain: network
 tests:
 - name: True Positive Test
 
@@ -34,33 +34,23 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: $user$ disabled an IP allow list in GitHub Enterprise
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
 tags:
   analytic_story:
   - GitHub Malicious Activity
   asset_type: GitHub
-  confidence: 90
-  impact: 30
-  message: $user$ disabled an IP allow list in GitHub Enterprise
   mitre_attack_id:
   - T1562.001
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - actor
-  - actor_id
-  - actor_is_bot
-  - actor_location.country_code
-  - business
-  - business_id
-  - user_agent
-  risk_score: 27
   security_domain: network
 tests:
 - name: True Positive Test
 
@@ -35,34 +35,23 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: Audit log event streaming is modified by $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
 tags:
   analytic_story:
   - GitHub Malicious Activity
   asset_type: GitHub
-  confidence: 90
-  impact: 30
-  message: Audit log event streaming is modified by $user$
   mitre_attack_id:
   - T1562.008
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - actor
-  - actor_id
-  - actor_ip
-  - actor_is_bot
-  - actor_location.country_code
-  - business
-  - business_id
-  - user_agent
-  risk_score: 27
   security_domain: network
 tests:
 - name: True Positive Test
 
@@ -35,35 +35,23 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: Audit log event streaming is paused by $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
 tags:
   analytic_story:
   - GitHub Malicious Activity
   asset_type: GitHub
-  confidence: 90
-  impact: 30
-  message: Audit log event streaming is paused by $user$
   mitre_attack_id:
   - T1562.008
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - actor
-  - actor_id
-  - actor_ip
-  - actor_is_bot
-  - actor_location.country_code
-  - business
-  - business_id
-  - user_agent
-  - reason
-  risk_score: 27
   security_domain: network
 tests:
 - name: True Positive Test