remove hunting drilldowns and fixing others

Author: patel-bhavin

detections/endpoint/windows_powershell_invoke_sqlcmd_execution.yml

@@ -110,15 +110,6 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/sqlserver/invoke-sqlcmd
 - https://attack.mitre.org/techniques/T1059.001/
 - https://attack.mitre.org/techniques/T1059.003/
-drilldown_searches:
-- name: View process details for suspicious Invoke-Sqlcmd execution
-  search: '%original_detection_search% | search dest="$dest$" user="$user$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$" and "$user$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - SQL Server Abuse

detections/endpoint/windows_sql_server_configuration_option_hunt.yml

@@ -31,15 +31,6 @@ references:
 - https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/server-configuration-options-sql-server
 - https://attack.mitre.org/techniques/T1505/001/
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
-drilldown_searches:
-- name: View configuration changes on this host
-  search: '%original_detection_search% | search dest="$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View all SQL Server configuration changes in the last 7 days
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: -7d
-  latest_offset: now
 tags:
   analytic_story:
   - SQL Server Abuse

detections/endpoint/windows_sql_server_critical_procedures_enabled.yml

@@ -36,14 +36,19 @@ references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/enumerating-domain-accounts-via-sql-server-using-adsi/
 - https://attack.mitre.org/techniques/T1505/001/
 drilldown_searches:
-- name: View critical procedure configuration changes on this host
-  search: '%original_detection_search% | search host="$dest$"'
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: View all SQL Server configuration changes on this host in the last 7 days
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: -7d
-  latest_offset: now
 rba:
   message: SQL Server critical procedure "$config_name$" was $change_type$ on host $dest$, which could indicate an attempt to gain code execution or perform reconnaissance
   risk_objects:

detections/endpoint/windows_sql_server_extended_procedure_dll_loading_hunt.yml

@@ -28,15 +28,6 @@ references:
 - https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/general-extended-stored-procedures-transact-sql
 - https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2008-r2/ms175543(v=sql.105)
 - https://learn.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/using-extended-stored-procedures
-drilldown_searches:
-- name: View DLL loading details for this host
-  search: '%original_detection_search% | search host="$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View all SQL Server DLL loads on this host in the last 7 days
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: -7d
-  latest_offset: now
 tags:
   analytic_story:
   - SQL Server Abuse

detections/endpoint/windows_sql_server_startup_procedure.yml

@@ -26,14 +26,19 @@ references:
 - https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 - https://attack.mitre.org/techniques/T1505/001/
 drilldown_searches:
-- name: View startup procedure executions on this host
-  search: '%original_detection_search% | search host="$dest$"'
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: View all SQL Server events on this host in the last 7 days
-  search: '`wineventlog_application` source="WinEventLog:Application" EventCode=17* dest="$dest$" | stats count values(Message) as Messages by _time dest EventCode'
-  earliest_offset: -7d
-  latest_offset: now
 rba:
   message: A SQL Server startup procedure "$startup_procedure$" was executed on host $dest$, which could indicate an attempt to establish persistence
   risk_objects:

detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml

@@ -33,18 +33,23 @@ references:
     - https://attack.mitre.org/techniques/T1505/003/
     - https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option
 drilldown_searches:
-- name: View xp_cmdshell configuration changes on this host
-  search: '%original_detection_search% | search host="$dest$"'
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 - name: View all SQL Server configuration changes on this host in the last 7 days
   search: '`wineventlog_application` EventCode=15457 host="$dest$" | rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data>" | stats count values(config_name) as "Changed Settings" values(new_value) as "New Values" by _time dest'
   earliest_offset: -7d
   latest_offset: now
-- name: View all high-risk events for this host
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$dest$" starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(risk_score) as "Risk Score" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: -7d
-  latest_offset: now
 rba:
   message: SQL Server xp_cmdshell configuration was $change_type$ on host $dest$, which could indicate an attempt to gain operating system command execution capabilities
   risk_objects:

detections/endpoint/windows_sqlcmd_execution.yml

@@ -177,19 +177,6 @@ references:
     - https://attack.mitre.org/techniques/T1213/
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md#atomic-test-32---file-download-with-sqlcmdexe
     - https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/
-drilldown_searches:
-- name: View process details for suspicious SQLCMD execution
-  search: '%original_detection_search% | search dest="$dest$" user="$user$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View all SQLCMD activity for this host in the last 7 days
-  search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_sqlcmd` by Processes.dest Processes.user Processes.process Processes.parent_process_name | search dest="$dest$" | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: -7d
-  latest_offset: now
-- name: View all high-risk events for this host/user
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(risk_score) as "Risk Score" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: -7d
-  latest_offset: now
 tags:
   analytic_story:
   - SQL Server Abuse