Merge branch 'develop' into fix_cwd_path_detections

nasbench · web-flow · commit d8ddca1a2d56 · 2025-12-03T00:25:40.000+01:00
diff --git a/contentctl.yml b/contentctl.yml
@@ -44,9 +44,9 @@ apps:
 - uid: 7404
   title: Cisco Security Cloud
   appid: CiscoSecurityCloud
-  version: 3.4.2
+  version: 3.5.1
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_342.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_351.tgz
 - uid: 6652
   title: Add-on for Linux Sysmon
   appid: Splunk_TA_linux_sysmon
@@ -254,4 +254,4 @@ apps:
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
 test_data_caches:
 - base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/
-  base_directory_name: external_repos/attack_data
+  base_directory_name: external_repos/attack_data
diff --git a/data_sources/cisco_ai_defense_alerts.yml b/data_sources/cisco_ai_defense_alerts.yml
@@ -10,5 +10,5 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.2
+  version: 3.5.1
 fields: null
diff --git a/data_sources/cisco_asa_logs.yml b/data_sources/cisco_asa_logs.yml
@@ -21,7 +21,7 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.2
+  version: 3.5.1
 fields:
 - Cisco_ASA_action
 - Cisco_ASA_message_id
diff --git a/data_sources/cisco_duo_activity.yml b/data_sources/cisco_duo_activity.yml
@@ -10,7 +10,7 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.2
+  version: 3.5.1
 fields:
 - access_device.browser
 - access_device.browser_version
diff --git a/data_sources/cisco_duo_administrator.yml b/data_sources/cisco_duo_administrator.yml
@@ -10,7 +10,7 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.2
+  version: 3.5.1
 fields:
 - action
 - actionlabel
diff --git a/data_sources/cisco_secure_firewall_threat_defense_connection_event.yml b/data_sources/cisco_secure_firewall_threat_defense_connection_event.yml
@@ -10,7 +10,7 @@ sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.2
+  version: 3.5.1
 fields:
 - AC_RuleAction
 - action
diff --git a/data_sources/cisco_secure_firewall_threat_defense_file_event.yml b/data_sources/cisco_secure_firewall_threat_defense_file_event.yml
@@ -10,7 +10,7 @@ sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.2
+  version: 3.5.1
 fields:
 - app
 - Application
diff --git a/data_sources/cisco_secure_firewall_threat_defense_intrusion_event.yml b/data_sources/cisco_secure_firewall_threat_defense_intrusion_event.yml
@@ -10,7 +10,7 @@ sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.2
+  version: 3.5.1
 fields:
 - Application
 - Classification
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
@@ -1,7 +1,7 @@
 name: Azure AD High Number Of Failed Authentications For User
 id: 630b1694-210a-48ee-a450-6f79e7679f2c
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-12-01'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,23 +15,26 @@ description: The following analytic identifies an Azure AD account experiencing
   based on their specific environment to reduce false positives.
 data_source:
 - Azure Active Directory
-search: '`azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false 
-  | rename properties.* as * 
-  | bucket span=10m _time 
-  | rename properties.userAgent as user_agent 
-  | fillnull 
-  | stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(src) as src values(user_agent) as user_agent by user _time vendor_account vendor_product 
-  | where count > 20 
-  | `security_content_ctime(firstTime)` 
-  | `security_content_ctime(lastTime)` 
-  | `azure_ad_high_number_of_failed_authentications_for_user_filter`'
+search: |
+  `azure_monitor_aad`
+  category=SignInLogs
+  properties.status.errorCode=50126
+  properties.authenticationDetails{}.succeeded=false
+  | rename properties.* as *
+  | bin span=10m _time
+  | fillnull value=null
+  | stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(src) as src values(user_agent) as user_agent by user _time vendor_account vendor_product
+  | where count > 20
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `azure_ad_high_number_of_failed_authentications_for_user_filter`
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
   You must be ingesting Azure Active Directory events into your Splunk environment
   through an EventHub. This analytic was written to be used with the azure:monitor:aad
   sourcetype leveraging the SignInLogs log category.
 known_false_positives: A user with more than 20 failed authentication attempts in
-  the span of 5 minutes may also be triggered by a broken application.
+  the span of 10 minutes may also be triggered by a broken application.
 references:
 - https://attack.mitre.org/techniques/T1110/
 - https://attack.mitre.org/techniques/T1110/001/
@@ -50,8 +53,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: User $user$ failed to authenticate more than 20 times in the span of 5
-    minutes.
+  message: User $user$ failed to authenticate more than 20 times in the span of 10 minutes.
   risk_objects:
   - field: user
     type: user
@@ -72,7 +74,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
+  - data:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log
     source: Azure AD
     sourcetype: azure:monitor:aad
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
 name: Azure AD High Number Of Failed Authentications From Ip
 id: e5ab41bf-745d-4f72-a393-2611151afd8e
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-12-01'
 author: Mauricio Velazco, Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -14,13 +14,19 @@ description: The following analytic detects an IP address with 20 or more failed
   within the Azure environment.
 data_source:
 - Azure Active Directory
-search: '`azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false 
-  | rename properties.* as * 
-  | bucket span=10m _time 
-  | rename properties.userAgent as user_agent 
-  | fillnull 
-  | stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(user) as user values(user_agent) as user_agent by src _time vendor_account vendor_product 
-  | where count > 20  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_from_ip_filter`'
+search: |
+  `azure_monitor_aad`
+  category=SignInLogs
+  properties.status.errorCode=50126
+  properties.authenticationDetails{}.succeeded=false
+  | rename properties.* as *
+  | bin span=10m _time
+  | fillnull value=null
+  | stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(user) as user values(user_agent) as user_agent by src _time vendor_account vendor_product
+  | where count > 20
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `azure_ad_high_number_of_failed_authentications_from_ip_filter`
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
   You must be ingesting Azure Active Directory events into your Splunk environment
@@ -47,8 +53,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: $src$ failed to authenticate more than 20 times in the span of 10 minutes
-    minutes.
+  message: $src$ failed to authenticate more than 20 times in the span of 10 minutes.
   risk_objects:
   - field: user
     type: user
@@ -73,7 +78,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
+  - data:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log
     source: Azure AD
     sourcetype: azure:monitor:aad
diff --git a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml
@@ -1,7 +1,7 @@
 name: Internal Horizontal Port Scan NMAP Top 20
 id: 3141a041-4f57-4277-9faa-9305ca1f8e5b
-version: 7
-date: '2025-10-14'
+version: 8
+date: '2025-12-02'
 author: Dean Luxton
 status: production
 type: TTP
@@ -14,21 +14,18 @@ description: This analytic identifies instances where an internal host has attem
   or scanning activities, potentially signaling malicious intent or misconfiguration.
   By monitoring network traffic logs, this detection helps detect and respond to such
   behavior promptly, enhancing network security and preventing potential threats.
-search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action
-  values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as
-  dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.src_port)
-  as src_port count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
-  AND All_Traffic.dest_port IN (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443,
-  445, 993, 995, 1723, 3306, 3389, 5900, 8080) by All_Traffic.src_ip All_Traffic.src
-  All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.dest All_Traffic.transport All_Traffic.rule span=1s _time |
-  `drop_dm_object_name("All_Traffic")`  | eval gtime=_time  | bin span=1h gtime  |
-  stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount
-  values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone)
-  as src_zone by src_ip dest_port gtime transport  | where totalDestIPCount>=250  |
-  eval dest_port=transport + "/" + dest_port  | stats min(_time) as _time values(action)
-  as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category
-  values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone)
-  as src_zone by src_ip gtime  | fields - gtime  | `internal_horizontal_port_scan_nmap_top_20_filter`'
+search: |
+  | tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.src_port) as src_port dc(All_Traffic.dest_ip) as totalDestIPCount count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.rule) as rule from datamodel=Network_Traffic
+  where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND All_Traffic.dest_port IN (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080)
+  by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.transport span=1h _time
+  | `drop_dm_object_name("All_Traffic")`
+  | where totalDestIPCount>=250
+  | eval dest_port=transport + "/" + dest_port
+  | stats min(firstTime) as firstTime max(lastTime) as lastTime values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports dc(dest_port) as num_ports_scanned values(dest_zone) as dest_zone values(src_zone) as src_zone values(rule) as rule by _time src_ip
+  | fields - _time
+  | `security_content_ctime(lastTime)`
+  | `security_content_ctime(firstTime)`
+  | `internal_horizontal_port_scan_nmap_top_20_filter`
 how_to_implement: To properly run this search, Splunk needs to ingest data from networking
   telemetry sources such as firewalls like Cisco Secure Firewall, NetFlow, or host-based networking events. Ensure
   that the Network_Traffic data model is populated to enable this search effectively.
@@ -49,15 +46,12 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination
-    IPs
+  message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination IPs
   risk_objects:
-  - field: dest_ports
-    type: system
-    score: 72
-  threat_objects:
   - field: src_ip
-    type: ip_address
+    type: system
+    score: 50
+  threat_objects: []
 tags:
   analytic_story:
   - Network Discovery
