Merge branch 'develop' into github_detections_improvement

Author: P4T12ICK

contentctl.yml

@@ -149,9 +149,9 @@ apps:
 - uid: 5556
   title: Splunk Add-on for Google Workspace
   appid: SPLUNK_ADD_ON_FOR_GOOGLE_WORKSPACE
-  version: 3.0.1
+  version: 3.0.2
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_301.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_302.tgz
 - uid: 3110
   title: Splunk Add-on for Microsoft Cloud Services
   appid: SPLUNK_TA_MICROSOFT_CLOUD_SERVICES

data_sources/asl_aws_cloudtrail.yml

@@ -0,0 +1,13 @@
+name: ASL AWS CloudTrail
+id: 1dcf9cfb-0e91-44c6-81b3-61b2574ec898
+version: 1
+date: '2025-01-14'
+author: Patrick Bareiss, Splunk
+description: Data source object for ASL AWS CloudTrail 
+source: aws_asl
+sourcetype: aws:asl
+separator: api.operation
+supported_TA:
+- name: Splunk Add-on for AWS
+  url: https://splunkbase.splunk.com/app/1876
+  version: 7.9.0

data_sources/azure_monitor_activity.yml

@@ -0,0 +1,96 @@
+name: Azure Monitor Activity
+id: 1997a515-a61a-4f78-ada9-54af34c764f2
+version: 1
+date: '2025-01-13'
+author: Bhavin Patel, Splunk
+description: Data source object for Azure Monitor Activity.  The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub.  To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub. 
+source: Azure AD
+sourcetype: azure:monitor:activity
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+  url: https://splunkbase.splunk.com/app/3110
+  version: 5.4.1
+fields:
+- column
+- action
+- category
+- change_type
+- command
+- correlationId
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- eventtype
+- host
+- identity
+- image_id
+- index
+- instance_type
+- linecount
+- object
+- object_attrs
+- object_category
+- object_id
+- object_path
+- operationName
+- properties.ActivityDate
+- properties.ActivityResultStatus
+- properties.ActivityType
+- properties.Actor.ActorType
+- properties.Actor.Application
+- properties.Actor.ApplicationName
+- properties.Actor.IsDelegatedAdmin
+- properties.Actor.Name
+- properties.Actor.ObjectId
+- properties.Actor.PartnerTenantId
+- properties.Actor.UPN
+- properties.Actor.UserPermissions{}
+- properties.AdditionalDetails
+- properties.AuditEventId
+- properties.Category
+- properties.RelationId
+- properties.TargetDisplayNames{}
+- properties.TargetObjectIds{}
+- properties.Targets{}.ModifiedProperties{}.Name
+- properties.Targets{}.ModifiedProperties{}.New
+- properties.Targets{}.ModifiedProperties{}.Old
+- properties.Targets{}.Name
+- punct
+- resourceId
+- resource_provider
+- response_body
+- result
+- resultDescription
+- resultType
+- result_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- status
+- tag
+- tag::action
+- tag::eventtype
+- tag::object_category
+- tenantId
+- time
+- timeendpos
+- timestartpos
+- user
+- user_name
+- user_type
+- vendor_account
+- vendor_product
+- vendor_region
+- _time
+example_log: '{"time": "2024-04-29T13:30:28.8622000Z", "tenantId": "26db52ee-c1b5-4c96-a0d4-129e25dc0388", "category": "AuditLogs", "operationName": "createDeviceHealthScript DeviceHealthScript", "properties": {"ActivityDate": "4/29/2024 1:30:28 PM", "ActivityResultStatus": 1, "ActivityType": 0, "Actor": {"ActorType": 1, "Application": "5926fc8e-304e-4f59-8bed-58ca97cc39a4", "ApplicationName": "Microsoft Intune portal extension", "IsDelegatedAdmin": false, "Name": null, "ObjectId": "cf2ef473-7d3b-4f14-961c-2e470e9a70f2", "PartnerTenantId": "00000000-0000-0000-0000-000000000000", "UserPermissions": ["*"], "UPN": "[email protected]"}, "AdditionalDetails": "", "AuditEventId": "3e7e790e-f15a-4c2c-a91a-516483bb4e37", "Category": 3, "RelationId": null, "TargetDisplayNames": ["<null>"], "TargetObjectIds": ["b16fcad4-b9f5-46fe-9bf0-841cd9be7bc9"], "Targets": [{"ModifiedProperties": [{"Name": "DeviceManagementAPIVersion", "Old": null, "New": "5024-02-13"}], "Name": null}]}, "resultType": "Success", "resultDescription": "None", "correlationId": "949ac544-b4e5-4576-a117-915c47c0ee00", "identity": "[email protected]"}'

data_sources/g_suite_drive.yml

@@ -9,7 +9,7 @@ sourcetype: gsuite:drive:json
 supported_TA:
 - name: Splunk Add-on for Google Workspace
   url: https://splunkbase.splunk.com/app/5556
-  version: 3.0.1
+  version: 3.0.2
 fields:
 - _time
 - email

data_sources/g_suite_gmail.yml

@@ -9,7 +9,7 @@ sourcetype: gsuite:gmail:bigquery
 supported_TA:
 - name: Splunk Add-on for Google Workspace
   url: https://splunkbase.splunk.com/app/5556
-  version: 3.0.1
+  version: 3.0.2
 fields:
 - _time
 - action_type

data_sources/google_workspace_login_failure.yml

@@ -10,7 +10,7 @@ separator: event.name
 supported_TA:
 - name: Splunk Add-on for Google Workspace
   url: https://splunkbase.splunk.com/app/5556
-  version: 3.0.1
+  version: 3.0.2
 fields:
 - _time
 - actor.email

data_sources/google_workspace_login_success.yml

@@ -10,7 +10,7 @@ separator: event.name
 supported_TA:
 - name: Splunk Add-on for Google Workspace
   url: https://splunkbase.splunk.com/app/5556
-  version: 3.0.1
+  version: 3.0.2
 fields:
 - _time
 - actor.email

detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml

@@ -1,13 +1,14 @@
 name: ASL AWS Concurrent Sessions From Different Ips
 id: b3424bbe-3204-4469-887b-ec144483a336
-version: 5
+version: 6
 date: '2024-09-30'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
 description: The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation.
-data_source: []
-search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time identity.user.credential_uid identity.user.name | where distinct_ip_count > 1 | rename identity.user.name as user | `asl_aws_concurrent_sessions_from_different_ips_filter`'
+data_source: 
+- ASL AWS CloudTrail
+search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid | where distinct_ip_count > 1 | rename actor.user.uid as user | `asl_aws_concurrent_sessions_from_different_ips_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
 references:
@@ -42,25 +43,23 @@ tags:
     type: User
     role:
     - Victim
-  product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
   required_fields:
   - api.operation
-  - actor.user.account_uid
-  - actor.user.name
   - actor.user.uid
   - http_request.user_agent
   - src_endpoint.ip
   - src_endpoint.domain
   - cloud.region
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
   risk_score: 42
   security_domain: threat
   manual_test: Can't be tested automatically because of time span.
 tests:
 - name: True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json
-    sourcetype: aws:cloudtrail:lake
+    sourcetype: aws:asl
     source: aws_asl

detections/cloud/asl_aws_create_access_key.yml

@@ -0,0 +1,55 @@
+name: ASL AWS Create Access Key
+id: 81a9f2fe-1697-473c-af1d-086b0d8b63c8
+version: 1
+date: '2024-12-12'
+author: Patrick Bareiss, Splunk
+status: production
+type: Hunting
+description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
+data_source: 
+- ASL AWS CloudTrail
+search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`'
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
+known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.
+references:
+- https://bishopfox.com/blog/privilege-escalation-in-aws
+- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
+tags:
+  analytic_story:
+  - AWS IAM Privilege Escalation
+  asset_type: AWS Account
+  confidence: 90
+  impact: 70
+  message: User $user$ is attempting to create access keys
+  mitre_attack_id:
+  - T1136.003
+  - T1136
+  observable:
+  - name: src_ip
+    type: IP Address
+    role:
+    - Attacker
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - api.operation
+  - actor.user.uid
+  - actor.user.account.uid
+  - http_request.user_agent
+  - src_endpoint.ip
+  - src_endpoint.domain
+  - cloud.region
+  risk_score: 63
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json
+    sourcetype: aws:asl
+    source: aws_asl

detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml

@@ -0,0 +1,61 @@
+name: ASL AWS Create Policy Version to allow all resources
+id: 22cc7a62-3884-48c4-82da-592b8199b72f
+version: 1
+date: '2024-12-12'
+author: Patrick Bareiss, Splunk
+status: production
+type: TTP
+description: The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment.
+data_source: 
+- ASL AWS CloudTrail
+search: '`amazon_security_lake` api.operation=CreatePolicy | spath input=api.request.data | spath input=policyDocument | regex Statement{}.Action="\*" | regex Statement{}.Resource="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_create_policy_version_to_allow_all_resources_filter`'
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
+known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.
+references:
+- https://bishopfox.com/blog/privilege-escalation-in-aws
+- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - AWS IAM Privilege Escalation
+  asset_type: AWS Account
+  confidence: 70
+  impact: 70
+  message: User $user$ created a policy version that allows them to access any resource in their account.
+  mitre_attack_id:
+  - T1078.004
+  - T1078
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - api.operation
+  - actor.user.account.uid
+  - api.request.data
+  - actor.user.uid
+  - http_request.user_agent
+  - src_endpoint.ip
+  - src_endpoint.domain
+  - cloud.region
+  risk_score: 49
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json
+    sourcetype: aws:asl
+    source: aws_asl