splunk / security_content

Splunk Security Content

Home Page: https://research.splunk.com

License: Apache License 2.0

Python 63.41% Jupyter Notebook 36.56% Shell 0.03%
splunk detection engineering responses cicd cybersecurity detection-engineering

security_content's Issues

Reported by Monzy

ESCU 1.0.49, Content Library view/page, Analytics Story Details, Last updated column.
The latest date is 2019-12-11. This doesn't seem right.

The story version should be bumped as well.

Container Implant story

Update KC and MITRE labels.
Update how to implement with instructions for how to use the macro in the SPL.

System Processes Run From Unexpected Locations

This search needs an OR in the existing syntax and also needs to detect processes run from new folders inside of System32 or SysWOW64. Potential SPL fix suggested:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where (Processes.process_path !="C:\\Windows\\System32\\*" OR Processes.process_path !="C:\\Windows\\SysWOW64*") OR (Processes.process_path = "C:\\Windows\\System32\\*\\*" OR Processes.process_path ="C:\\Windows\\SysWOW64\\*\\*") by Processes.user Processes.dest Processes.process_name Processes.process_id Processes.process_path Processes.parent_process_name Processes.process_hash
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `is_windows_system_file`
| `system_processes_run_from_unexpected_locations_filter`

processes_launching_netsh.yml detection is broken

https://github.com/splunk/security-content/blob/074955617db539696a1c5ccf49d2db9e5cd08346/detections/processes_launching_netsh.yml#L16

From slack

I believe ESCU - Processes launching netsh - Rule is broken. ES version 6.2.0, ESCU version 3.0.3. The where clause is looking in Processes.process, but that is the full cmd line. Using Processes.process_name works.


tested with attack range technique: https://github.com/redcanaryco/atomic-red-team/blob/7e4580a1e80310ca5e6652a3e54a633143290526/atomics/T1562.004/T1562.004.yaml

Reported by Josef Kuepker

Possible bug in rule: "AWS Activity In New Region"

Hi ESCU Team,

I think there may have been an inadvertent bug introduced in: f9bdf7e

The rule from detections/aws_activity_in_new_region.yml no longer runs in Splunk, as | convert `security_content_ctime(earliest)` `security_content_ctime(latest)` is not a valid usage of the convert command.

I am guessing that this is an instance where sed or another replacing tool caught some "real" ctime invocations while looking for instances of the old macro name.

Thanks,
Tomasz

Unable to load the ES content management UI page

With the latest ESCU build https://repo.splunk.com/artifactory/Solutions/DA/da-ess-contentupdate/builds/develop/latest/DA-ESS-ContentUpdate-3.0.6-7947.spl we are unable to load the ES content management UI page.

This can be reproduced in nightly6, nightly1 etc - https://soln-esnightly6.sv.splunk.com:8000/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/search?q=search%20index%3D%22_internal%22%20TypeError&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&sid=1600716139.2224

This happens after this latest version of ESCU gets installed, whereas the previous version works with the content management. Also seeing these errors while trying to load this page:
09-21-2020 12:22:16.524 -0700 ERROR AdminManagerExternal [2453 TcpChannelThread] - Unexpected error "<class 'TypeError'>" from python handler: "the JSON object must be str, bytes or bytearray, not NoneType". See splunkd.log for more details.
09-21-2020 12:22:16.524 -0700 ERROR AdminManagerExternal [2453 TcpChannelThread] - Stack trace from python handler:
Traceback (most recent call last):
  File "/usr/local/bamboo/splunk-install/current/lib/python3.7/site-packages/splunk/admin.py", line 114, in init_persistent
    hand.execute(info)
  File "/usr/local/bamboo/splunk-install/current/lib/python3.7/site-packages/splunk/admin.py", line 637, in execute
    if self.requestedAction == ACTION_LIST: self.handleList(confInfo)
  File "/usr/local/bamboo/splunk-install/current/etc/apps/SplunkEnterpriseSecuritySuite/lib/SplunkEnterpriseSecuritySuite/rest_handler.py", line 369, in wrapper
    r = f(self, *args, **kwargs)
  File "/usr/local/bamboo/splunk-install/current/etc/apps/SplunkEnterpriseSecuritySuite/bin/es_investigations_rest_handler.py", line 244, in handleList
    stanza_name, stanza_attributes, klass))
  File "/usr/local/bamboo/splunk-install/current/etc/apps/SplunkEnterpriseSecuritySuite/bin/es_investigations_rest_handler.py", line 527, in get_panels_from_stanza
    panel_list = json.loads(stanza_attributes.get('panels', '[]'))
  File "/usr/local/bamboo/splunk-install/current/lib/python3.7/json/__init__.py", line 341, in loads
    raise TypeError(f'the JSON object must be str, bytes or bytearray, '
TypeError: the JSON object must be str, bytes or bytearray, not NoneType

This is not seen with older builds: https://repo.splunk.com/artifactory/Solutions/DA/da-ess-contentupdate/builds/develop/7931/

Workbench Panels are not handling tokens with multiple values correctly.

Linked ES Issue: https://jira.splunk.com/browse/SOLNESS-24192

Workbench panel 'Get Parent Process Info' and the prebuilt panel 'workbench_panel_get_parent_process_info' which it uses don't function correctly when the multiple artifacts of an ES investigation are explored. The search query in the panel 'workbench_panel_get_parent_process_info' doesn't consider that the tokens used in the query may have multiple values which may need to be 'AND'ed or 'OR'ed. Along with that, the 'Get Parent Process Info' workbench panel also needs to be modified to correctly use 'Value Prefix', 'Value Suffix' and delimiters taking multiple values for the tokens into account.

There are other workbench panels like 'Get Authentication Logs For Endpoint' and 'Get Process Information For Port Activity' which also face the same issue.

Fix issue in Unusual Commandline Detection + Add Dataset

There are a couple of syntax issues with the unusual commandline detection:

  • Use label instead of output, since Streaming ML has migrated the schema of Adaptive Thresholding to use label as the output column. Also, output = "True" is incorrect, as it compares a boolean with a string; instead use | label.
  • There was an extra comma in the eval cmd_line_norm= line, leading to parsing issues.

This should be the right syntax:

| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null))
| eval cmd_line=ucast(map_get(input_event, "process"), "string", null),
dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null),
dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null),
process_name=ucast(map_get(input_event, "process_name"), "string", null)
| where cmd_line!=null and dest_user_id!=null
| eval cmd_line_norm=replace(cast(cmd_line, "string"), /\s(--?\w+)|(\/\w+)/, " ARG"),
cmd_line_norm=replace(cmd_line_norm, /\w:\\[^\s]+/, "PATH"),
cmd_line_norm=replace(cmd_line_norm, /\d+/, "N"),
input=parse_double(len(coalesce(cmd_line_norm, "")))
| adaptive_threshold algorithm="quantile" entity="process_name" window=60480000
| where label AND quantile>0.99
| first_time_event cache_partitions=1 input_columns="dest_device_id,cmd_line"
| where first_time_dest_device_id_cmd_line
| eval start_time = timestamp,
end_time = timestamp,
entities = mvappend(dest_device_id, dest_user_id),
body = "TBD";
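The normalization and thresholding stages of the corrected SPL2 above, as an added Python example (not code from the issue or from the security_content repo). The three regex replaces are taken from the pipeline; adaptive_threshold and first_time_event are approximated by a per-process_name empirical quantile over earlier inputs and a seen-pair set, which is an assumption about their semantics, and the events are constructed.

```python
import math
import re
from collections import defaultdict

def normalize_cmd_line(cmd_line):
    """Three replaces from the corrected SPL2, same order: flags -> ' ARG', drive paths -> 'PATH', digits -> 'N'."""
    norm = re.sub(r"\s(--?\w+)|/\w+", " ARG", cmd_line)
    norm = re.sub(r"\w:\\[^\s]+", "PATH", norm)
    return re.sub(r"\d+", "N", norm)

def run_pipeline(events, quantile=0.99, min_history=10):
    """Stand-in for adaptive_threshold(quantile) + first_time_event (assumed semantics, see comments)."""
    history = defaultdict(list)   # process_name -> normalized lengths seen so far
    seen_pairs = set()            # (dest_device_id, cmd_line) already alerted on
    alerts = []
    for ev in events:
        cmd_line, user = ev.get("process"), ev.get("dest_user_id")
        if cmd_line is None or user is None:    # | where cmd_line!=null and dest_user_id!=null
            continue
        entity = ev["process_name"]
        length = float(len(normalize_cmd_line(cmd_line)))   # input=parse_double(len(...))
        hist = sorted(history[entity])
        # Assumption: label is true when input exceeds the nearest-rank quantile of earlier inputs.
        label = (len(hist) >= min_history
                 and length > hist[math.ceil(quantile * len(hist)) - 1])
        history[entity].append(length)
        if not label:                           # | where label AND quantile>0.99
            continue
        pair = (ev["dest_device_id"], cmd_line)
        if pair in seen_pairs:                  # | where first_time_dest_device_id_cmd_line
            continue
        seen_pairs.add(pair)
        alerts.append({"start_time": ev["_time"], "end_time": ev["_time"],
                       "entities": [ev["dest_device_id"], user], "body": "TBD"})
    return alerts

def make_events():
    """Constructed sample data, not from the issue: a cmd.exe baseline, then a few edge cases."""
    ev = lambda t, dev, usr, name, proc: {"_time": t, "dest_device_id": dev, "dest_user_id": usr,
                                          "process_name": name, "process": proc}
    events = [ev(1000 + i, f"ws{i % 4}", "alice", "cmd.exe",
                 f"cmd.exe /c dir C:\\Users\\u{i}" if i % 2 == 0
                 else f"cmd.exe /c type C:\\logs\\app{i}.log") for i in range(100)]
    long_cmd = "cmd.exe /c msiexec /i C:\\Temp\\pkg.msi " + " ".join(
        f"PROP{i}=value{i}" for i in range(30))
    events += [ev(1100, "ws1", "bob", "cmd.exe", long_cmd),         # first sighting: alert
               ev(1101, "ws1", "bob", "cmd.exe", long_cmd),         # repeat: dropped by first_time_event
               ev(1102, "ws2", None, "cmd.exe", long_cmd),          # null user: filtered by the where
               ev(1103, "ws3", "carol", "powershell.exe", long_cmd)]  # no baseline for this entity yet
    return events
```

With this baseline, `run_pipeline(make_events())` yields exactly one alert, for the first long cmd.exe command on ws1; the repeat, the null-user event and the powershell.exe event without history all fall out of the pipeline at the step marked in the comments.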

ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule search parser error in Mustang setup

This ESCU scheduled search is failing with tons of error messages like this:
09-28-2020 20:15:36.450 +0000 INFO SavedSplunker - savedsearch_id="nobody;DA-ESS-ContentUpdate;ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", search_type="scheduled", user="admin", app="DA-ESS-ContentUpdate", savedsearch_name="ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", priority=default, status=continued, reason="Error in 'SearchParser': Mismatched ']'.", scheduled_time=1601316074, window_time=-1
Seeing 1500 failure events like this in the last 15 mins in /opt/splunk/var/log/splunk/scheduler.log.

| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | rex field=Authentication.user_role arn:aws:sts::(?<dest_account>.*): | where 'Authentication.vendor_account'!='dest_account' | rename Authentication.vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime as earliest | eval firstTime=(if (firstTime>earliest, earliest,firstTime)) | where firstTime >= relative_time(now(), '-70m@m')] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename Authentication.user as src_user Authentication.src as src_ip | table requestingAccountId, requestedAccountId, src_user, src_ip, Authentication.user_role, firstTime, lastTime | `aws_cross_account_activity_from_previously_unseen_account_filter`

Error in 'SearchParser': Mismatched ']'.

That is the expanded search. The search is invalid.

Version: https://repo.splunk.com/artifactory/Solutions/DA/da-ess-contentupdate/builds/escu_mustang/DA-ESS-ContentUpdate-3.0.7.tar.gz

error message "Could not load workbench panels" Splunk ES - Content Management

"panels = " without stanza in es_investigations.conf is causing the error message:

[panel_group://workbench_panel_group_]
label = Detect Zerologon Attack
description = Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.
disabled = 0

panels =

Deleting this entry ("panels=") solves the problem.

Dependabot couldn't find a Pipfile for this project

Dependabot couldn't find a Pipfile for this project.

Dependabot requires a Pipfile to evaluate your project's current Python dependencies. It had expected to find one at the path: /requirements.txt/Pipfile.

If this isn't a Python project, or if it is a library, you may wish to disable updates for it in the .dependabot/config.yml file in this repo.


Don Young customer feedback

This fixed the issue and runs much faster due to tstats with the Endpoint data model. It did lose parent_process and sha256 in search results which were helpful during investigation.

Wrong tag name

In the spec 3.0 branch it's analytic story, not analytics story.

Empty macros

We are shipping empty macros in our app, and that breaks the detection. We need to figure out a better solution for shipping macros that we expect our users to customize.

"ESCU - Detect Unauthorized Assets by MAC address - Rule" should use dest_mac instead of src_mac

The search should use dest_mac instead of src_mac.

| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST by All_Sessions.src_ip All_Sessions.src_mac
| dedup All_Sessions.src_mac| `drop_dm_object_name("Network_Sessions")`
| `drop_dm_object_name("All_Sessions")`
| search NOT [| inputlookup asset_lookup_by_str | rename mac as src_mac
| fields + src_mac]
| `detect_unauthorized_assets_by_mac_address_filter`

The CIM Network Sessions Data Model says for src_mac:

The MAC address of the client initializing a network session.

Not applicable for DHCP events. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator.

For dest_mac:

The internal MAC address of the network session client.

For DHCP events, this is the MAC address of the client acquiring an IP address lease.

check for empty spaces in descriptions

Sometimes, if a description has multiple lines and they are not escaped, the converted output is not packagable and slim fails. See the following error as an example:

https://app.circleci.com/jobs/github/splunk/security-content/3002

We should introduce a validate.py check for lines with empty spaces so this does not flow through the pipeline.

The following story, for example, has the correctly escaped newline characters: https://github.com/splunk/security-content/blob/develop/stories/apache_struts.yml
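One shape the suggested validate.py check could take, as an added example that is not code from the security_content repo: a line-based scan (no YAML library needed) that flags free-text fields whose value spans several physical lines instead of one quoted string with escaped \n. The set of field names checked and the two YAML snippets are constructed for the example.

```python
import re

# Free-text fields that end up in the packaged app; assumed list, extend as needed.
TEXT_KEYS = ("description", "how_to_implement", "known_false_positives")
KEY_RE = re.compile(r"^(\s*)(%s)\s*:\s*(.*)$" % "|".join(TEXT_KEYS))
ANY_KEY_RE = re.compile(r"^\s*[\w-]+\s*:")

def find_multiline_text_fields(yaml_text):
    """Return (line_no, key, reason) for text fields whose value is not on a single line."""
    lines = yaml_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if value.startswith(("|", ">")):
            # Block scalars keep raw newlines in the converted output.
            findings.append((i + 1, key, "block scalar (| or >) keeps raw newlines"))
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        nxt_indent = len(nxt) - len(nxt.lstrip())
        # A continuation line is indented deeper than the key and is not itself a key.
        if nxt.strip() and nxt_indent > indent and not ANY_KEY_RE.match(nxt):
            findings.append((i + 1, key, "value continues on the next line"))
    return findings

# Constructed snippets: GOOD uses one quoted string with an escaped newline, BAD does not.
GOOD_YAML = 'name: Apache Struts\ndescription: "Line one.\\nLine two."\n'
BAD_YAML = (
    "name: Example Story\n"
    "description: |\n"
    "  Line one.\n"
    "  Line two.\n"
    "how_to_implement: Install the add-on\n"
    "  and enable the data model.\n"
)
```

Run over a stories/ or detections/ directory, a non-empty result from find_multiline_text_fields would fail the CI step before the content reaches slim.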
