update to fix ci errors

Author: nasbench

detections/cloud/circle_ci_disable_security_step.yml

@@ -15,14 +15,23 @@ description: The following analytic detects the disablement of security steps in
   with the disablement, and examine any relevant artifacts and concurrent processes.
 data_source:
 - CircleCI
-search: '`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci`
-  | stats values(name) as step_names count by job_id job_name ] | stats count by step_names
-  job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as
-  * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name
-  AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names,
-  "%".mandatory_step."%"), 1, 0) | where mandatory_step_executed=0 | rex field=url
-  "(?<repository>[^\/]*\/[^\/]*)$" | eval phase="build"  | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`'
+search: '`circleci` 
+  | rename workflows.job_id AS job_id 
+  | join job_id [ 
+    | search `circleci`
+    | stats values(name) as step_names count by job_id job_name 
+    ] 
+  | stats count by 
+    step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{} 
+  | rename vcs.* as * , owners{} as user 
+  | lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step 
+  | search mandatory_step=* 
+  | eval mandatory_step_executed=if(like(step_names, "%".mandatory_step."%"), 1, 0) 
+  | where mandatory_step_executed=0 | rex field=url "(?<repository>[^\/]*\/[^\/]*)$" 
+  | eval phase="build" 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
+  | `circle_ci_disable_security_step_filter`'
 how_to_implement: You must index CircleCI logs.
 known_false_positives: unknown
 references: []

detections/cloud/gsuite_drive_share_in_external_email.yml

@@ -14,15 +14,25 @@ description: The following analytic detects Google Drive or Google Docs files sh
   this behavior helps in early detection and mitigation of data breaches.
 data_source:
 - G Suite Drive
-search: '`gsuite_drive` NOT (email IN("", "null")) | rex field=parameters.owner "[^@]+@(?<src_domain>[^@]+)"
-  | rex field=email "[^@]+@(?<dest_domain>[^@]+)" | where src_domain = "internal_test_email.com"
-  and not dest_domain = "internal_test_email.com" | eval phase="plan" | eval severity="low"
-  | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as
-  doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility,
-  values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as
-  lastTime by parameters.owner ip_address phase severity  | rename parameters.owner
-  as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `gsuite_drive_share_in_external_email_filter`'
+search: |
+  `gsuite_drive` NOT (email IN("", "null"))
+  | spath path=parameters.owner output=owner
+  | rex field=owner "[^@]+@(?<src_domain>[^@]+)"
+  | rex field=email "[^@]+@(?<dest_domain>[^@]+)" 
+  | where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com" 
+  | eval phase="plan" 
+  | eval severity="low"
+  | stats values(parameters.doc_title) as doc_title, 
+    values(parameters.doc_type) as doc_types, 
+    values(email) as dst_email_list, 
+    values(parameters.visibility) as visibility,
+    values(parameters.doc_id) as doc_id, 
+    count min(_time) as firstTime max(_time) as lastTime 
+    by parameters.owner ip_address phase severity 
+  | rename parameters.owner as user ip_address as src_ip 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `gsuite_drive_share_in_external_email_filter`
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs related to gsuite having the file attachment metadata like file type, file
   extension, source email, destination email, num of attachment and etc. In order

detections/cloud/microsoft_intune_mobile_apps.yml

@@ -3,7 +3,7 @@ id: 98e6b389-2806-4426-a580-8a92cb0d9710
 version: 3
 date: '2025-06-10'
 author: Dean Luxton
-status: production
+status: experimental
 type: Hunting
 description: |
   Microsoft Intune supports deploying packaged applications to support software deployment, this functionality can also be abused for deploying malicious payloads to intune managed devices. 
@@ -39,9 +39,3 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: audit
-tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
-    sourcetype: azure:monitor:activity
-    source: Azure AD

detections/endpoint/windows_ad_suspicious_gpo_modification.yml

@@ -8,7 +8,8 @@ type: TTP
 data_source:
 - Windows Event Log Security 5136
 - Windows Event Log Security 5145
-description: This analytic looks for a the creation of potentially harmful GPO which
+description: |
+  This analytic looks for a the creation of potentially harmful GPO which
   could lead to persistence or code execution on remote hosts. Note, this analyic
   is looking for the absence of the corresponding 5136 events which is evidence of
   the GPOs being manually edited (using a tool like PowerView) or potentially missing
@@ -40,13 +41,13 @@ search: "`wineventlog_security` EventCode=5145 ShareName=\"\\\\\\\\*\\\\SYSVOL\"
   values(Logon_ID) as Logon_ID values(newPolicy) as newPolicy values(OpCorrelationID)
   as OpCorrelationID values(folder) as folder values(file) as file by gpo_guid  |
   mvexpand folder  | where NOT folder IN (newPolicy) | `windows_ad_suspicious_gpo_modification_filter`"
-how_to_implement: Ingest EventCodes 5145 and 5136 from domain controllers. Additional
+how_to_implement: |
+  Ingest EventCodes 5145 and 5136 from domain controllers. Additional
   SACLs required to capture EventCode 5136, see references for further information
   on how to configure this. The Group Policy - Audit Detailed File Share will need
   to be enabled on the DCs to generate event code 5145, this event is very noisy on
   DCs, consider tuning out sysvol events which do not match access mask 0x2.
-known_false_positives: When a GPO is manually edited and 5136 events are not logging
-  to Splunk.
+known_false_positives: When a GPO is manually edited and 5136 events are not logging to Splunk.
 references:
 - https://github.com/PowerShellMafia/PowerSploit/blob/26a0757612e5654b4f792b012ab8f10f95d391c9/Recon/PowerView.ps1#L5907-L6122
 - https://github.com/X-C3LL/GPOwned

detections/endpoint/windows_moveit_transfer_writing_aspx.yml

@@ -1,12 +1,12 @@
 name: Windows MOVEit Transfer Writing ASPX
 id: c0ed2aca-5666-45b3-813f-ddfac3f3eda0
 version: 7
-date: '2025-06-10'
+date: '2025-06-16'
 author: Michael Haag, Splunk
 status: production
 type: TTP
 data_source:
-- Sysmon EventID 1 AND Sysmon EventID 11
+- Sysmon EventID 11
 description: The following analytic detects the creation of new ASPX files in the
   MOVEit Transfer application's "wwwroot" directory. It leverages endpoint data on
   process and filesystem activity to identify processes responsible for creating these
@@ -15,26 +15,26 @@ description: The following analytic detects the creation of new ASPX files in th
   ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive
   data, including user credentials and file metadata, posing a severe risk to the
   organization's security.
-search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
-  where Processes.process_name=System  by _time span=1h by Processes.action Processes.dest Processes.original_file_name
-  Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
-  Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
-  Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
-  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
-  Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | join process_guid, _time [|
-  tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*")
-  Filesystem.file_name IN("*.aspx", "*.ashx", "*.asp*") OR Filesystem.file_name IN
-  ("human2.aspx","_human2.aspx") by _time span=1h Filesystem.dest Filesystem.file_create_time
-  Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` |
-  fields _time dest file_create_time file_name file_path process_name process_path
-  process] | dedup file_create_time | table dest file_create_time, file_name, file_path,
-  process_name | `windows_moveit_transfer_writing_aspx_filter`'
-how_to_implement: To successfully implement this search you need to be ingesting information
+search: |
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime FROM datamodel=Endpoint.Filesystem where 
+    Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*") AND 
+    Filesystem.file_name IN("*.ashx", "*.asp*")
+  by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time 
+  Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path 
+  Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id 
+  Filesystem.user Filesystem.vendor_product 
+  | `drop_dm_object_name(Filesystem)` 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
+  | `windows_moveit_transfer_writing_aspx_filter`
+how_to_implement: |
+  To successfully implement this search you need to be ingesting information
   on process that include the name of the process responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem`
   node.
-known_false_positives: The query is structured in a way that `action` (read, create)
+known_false_positives: |
+  The query is structured in a way that `action` (read, create)
   is not defined. Review the results of this query, filter, and tune as necessary.
   It may be necessary to generate this query specific to your endpoint product.
 references:
@@ -58,12 +58,14 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: The MOVEit application on $dest$ has written a new ASPX file to disk.
+  message: The MOVEit application on $dest$ has written a new ASPX file $file_name$ to disk.
   risk_objects:
   - field: dest
     type: system
     score: 100
-  threat_objects: []
+  threat_objects:
+  - field: file_name
+    type: file_name
 tags:
   analytic_story:
   - MOVEit Transfer Critical Vulnerability

detections/endpoint/windows_winlogon_with_public_network_connection.yml

@@ -16,14 +16,14 @@ description: The following analytic detects instances of Winlogon.exe, a critica
   integrity breaches. If confirmed malicious, attackers could maintain persistence,
   bypass security measures, and compromise the system at a fundamental level.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe)  Processes.process!=unknown
+  as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown
   by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
   Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
   Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join  process_id
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id
   [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic
   where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/8,172.16.0.0/12,
   192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port