update powershell analytics

Author: nasbench

detections/endpoint/detect_critical_alerts_from_security_tools.yml

@@ -1,14 +1,14 @@
 name: Detect Critical Alerts from Security Tools
 id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd
-version: 1
-date: '2024-10-09'
+version: 2
+date: '2025-01-13'
 author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Bryan Pluta, Splunk
-status: production
+status: deprecated
 type: TTP
 data_source:
 - Windows Defender Alerts
 - MS365 Defender Incident Alerts
-description: The following analytics is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. **Note** - We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection.
+description: The following analytic has been deprecated in favour of specific and dedicated product analytics such as "Microsoft Defender ATP Alerts". The following analytic is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. **Note** - We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.signature_id) as signature_id values(Alerts.dest) as dest from datamodel=Alerts where  Alerts.severity IN ("high","critical") by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval risk_score=case(severity="informational", 2, severity="low", 5, severity="medium", 10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`'
 how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. The risk_score field is used to calculate the risk score for the alerts and the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework is dynamically created by the detection when this is triggered. These fields need not be set in the adaptive response actions.
 known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment.

detections/endpoint/excel_spawning_powershell.yml

@@ -1,11 +1,12 @@
 name: Excel Spawning PowerShell
 id: 42d40a22-9be3-11eb-8f08-acde48001122
-version: '6'
-date: '2024-11-28'
+version: 7
+date: '2025-01-13'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects Microsoft Excel spawning PowerShell, an
+description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process".
+  The following analytic detects Microsoft Excel spawning PowerShell, an
   uncommon and suspicious behavior. This detection leverages data from Endpoint Detection
   and Response (EDR) agents, focusing on process creation events where the parent
   process is "excel.exe" and the child process is PowerShell. This activity is significant

detections/endpoint/excel_spawning_windows_script_host.yml

@@ -1,11 +1,12 @@
 name: Excel Spawning Windows Script Host
 id: 57fe880a-9be3-11eb-9bf3-acde48001122
-version: '6'
-date: '2024-11-28'
+version: 7
+date: '2025-01-13'
 author: Michael Haag, Splunk
 status: production
 type: TTP
-description: The following analytic identifies instances where Microsoft Excel spawns
+description: The following analytic has been deprecated in favour of a more generic approach. 
+  The following analytic identifies instances where Microsoft Excel spawns
   Windows Script Host processes (`cscript.exe` or `wscript.exe`). This behavior is
   detected using Endpoint Detection and Response (EDR) telemetry, focusing on process
   creation events where the parent process is `excel.exe`. This activity is significant

detections/endpoint/microsoft_defender_atp_alerts.yml

@@ -15,7 +15,7 @@ search: ' `ms_defender_atp_alerts` (dest=* OR user=*)| eval tmp_evidence=json_ex
 | stats count min(_time) as firstTime max(_time) as lastTime values(fileName) as file_name values(severity) as severity values(processCommandLine) as process values(ipAddress) as ip_address values(registryKey) as registry_key values(url) as url values(mitreTechniques{}) as annotations.mitre_attack.mitre_technique_id values(signature) as signature values(user) as user values(risk_score) as risk_score by id description src 
 | `security_content_ctime(firstTime)` 
 | `security_content_ctime(lastTime)` | `microsoft_defender_atp_alerts_filter`'
-how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsoft Security. This add-on will collect alerts using the ms:defender:atp:alerts sourcetype. You will need to define the `ms_defender_atp_alerts` macro to point to the proper index that contains the ms:defender:atp:alerts sourcetype. **NOTE** - We also have a detection named `Detect Critical Alerts from Security Tools` that triggers on the same data and is written against the Alerts datamodel. Enabling both of these detections will result in duplicate risk/notable events, we recommend enabling only one of these detections.
+how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsoft Security. This add-on will collect alerts using the ms:defender:atp:alerts sourcetype. You will need to define the `ms_defender_atp_alerts` macro to point to the proper index that contains the ms:defender:atp:alerts sourcetype.
 known_false_positives: False positives may vary based on Microsfot Defender configuration; monitor and filter out the alerts that are not relevant to your environment.
 references:
 - https://learn.microsoft.com/en-us/defender-xdr/api-list-incidents?view=o365-worldwide

detections/endpoint/microsoft_defender_incident_alerts.yml

@@ -21,7 +21,7 @@ url = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "url"))
 | eval tmp_filtered_mv=mvfilter(json_extract(tmp_filtered_mv, "entityType") = "File"), fileName = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "fileName"))
 | eval risk_score=case(severity="informational", 5, severity="low", 15, severity="medium", 25, severity="high", 50, true(), 2)
 | stats count  min(_time) as firstTime max(_time) as lastTime values(fileName) as file_name values(severity) as severity values(processCommandLine) as process values(ipAddress) as ip_address values(registryKey) as registry_key values(url) as url values(mitreTechniques{}) as annotations.mitre_attack.mitre_technique_id values(signature) as signature values(user) as user values(risk_score) as risk_score by id description dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `microsoft_defender_incident_alerts_filter`'
-how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsfot Security. This add-on will collect alerts using the ms365:defender:incident:alerts sourcetype. You will need to define the `ms365_defender_incident_alerts` macro to point to the proper index that contains the ms365:defender:incident:alerts sourcetype. **NOTE** - We also have a detection named `Detect Critical Alerts from Security Tools` that triggers on the same data and is written against the Alerts datamodel. Enabling both of these detections will result in duplicate risk/notable events, we recommend enabling only one of these detections.
+how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsfot Security. This add-on will collect alerts using the ms365:defender:incident:alerts sourcetype. You will need to define the `ms365_defender_incident_alerts` macro to point to the proper index that contains the ms365:defender:incident:alerts sourcetype.
 known_false_positives: False positives may vary based on Microsfot Defender configuration; monitor and filter out the alerts that are not relevant to your environment.
 references:
 - https://learn.microsoft.com/en-us/defender-xdr/api-list-incidents?view=o365-worldwide

detections/endpoint/office_application_spawn_regsvr32_process.yml

@@ -1,11 +1,12 @@
 name: Office Application Spawn Regsvr32 process
 id: 2d9fc90c-f11f-11eb-9300-acde48001122
-version: '7'
-date: '2024-11-28'
+version: 8
+date: '2025-01-13'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic identifies instances where an Office application
+description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process".
+  The following analytic identifies instances where an Office application
   spawns a Regsvr32 process, which is often indicative of macro execution or malicious
   code. This detection leverages data from Endpoint Detection and Response (EDR) agents,
   focusing on process creation events where the parent process is a known Office application.

detections/endpoint/office_application_spawn_rundll32_process.yml

@@ -1,11 +1,12 @@
 name: Office Application Spawn rundll32 process
 id: 958751e4-9c5f-11eb-b103-acde48001122
-version: '7'
-date: '2024-11-28'
+version: 8
+date: '2025-01-13'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic identifies instances where an Office application
+description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process".
+  The following analytic identifies instances where an Office application
   spawns a rundll32 process, which is often indicative of macro execution or malicious
   code. This detection leverages data from Endpoint Detection and Response (EDR) agents,
   focusing on process creation events where the parent process is a known Office application.

detections/endpoint/office_product_spawn_cmd_process.yml

@@ -1,11 +1,12 @@
 name: Office Product Spawn CMD Process
 id: b8b19420-e892-11eb-9244-acde48001122
-version: 7
-date: '2024-09-30'
+version: 8
+date: '2025-01-13'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects an Office product spawning a CMD process, which is indicative of a macro executing shell commands to download or run malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it often signals the execution of malicious payloads, such as those seen in Trickbot spear-phishing campaigns. If confirmed malicious, this behavior could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities.
+description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process".
+  The following analytic detects an Office product spawning a CMD process, which is indicative of a macro executing shell commands to download or run malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it often signals the execution of malicious payloads, such as those seen in Trickbot spear-phishing campaigns. If confirmed malicious, this behavior could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688

detections/endpoint/office_product_spawning_bitsadmin.yml

@@ -1,11 +1,12 @@
 name: Office Product Spawning BITSAdmin
 id: e8c591f4-a6d7-11eb-8cf7-acde48001122
-version: '8'
-date: '2024-11-28'
+version: 9
+date: '2025-01-13'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects any Windows Office Product spawning `bitsadmin.exe`,
+description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process".
+  The following analytic detects any Windows Office Product spawning `bitsadmin.exe`,
   a behavior often associated with malware families like TA551 and IcedID. This detection
   leverages data from Endpoint Detection and Response (EDR) agents, focusing on process
   and parent process relationships. This activity is significant because `bitsadmin.exe`

detections/endpoint/office_product_spawning_certutil.yml

@@ -1,11 +1,12 @@
 name: Office Product Spawning CertUtil
 id: 6925fe72-a6d5-11eb-9e17-acde48001122
-version: '8'
-date: '2024-11-28'
+version: 9
+date: '2025-01-13'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects any Windows Office Product spawning `certutil.exe`,
+description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process".
+  The following analytic detects any Windows Office Product spawning `certutil.exe`,
   a behavior often associated with malware families like TA551 and IcedID. This detection
   leverages Endpoint Detection and Response (EDR) data, focusing on process relationships
   and command-line executions. The significance lies in the fact that `certutil.exe`