Commit
updating detections
dluxtron committed Oct 23, 2024
1 parent 37e925a commit f2357c0
Showing 4 changed files with 9 additions and 8 deletions.
1 change: 1 addition & 0 deletions detections/application/detect_password_spray_attempts.yml
@@ -22,6 +22,7 @@ search: >-
| eval counter=src+"__"+sourcetype+"__"+signature_id
| eventstats values(counter) as fnscounter
| eval counter=coalesce(counter,fnscounter)
``` stats version of mvexpand ```
| stats values(app) as app values(unique_user_names) as unique_user_names values(total_failures) as total_failures values(src) as src values(signature_id) as signature_id values(sourcetype) as sourcetype count by counter unique_accounts _time
``` remove duplicate time buckets for each unique source```
| sort - _time unique_accounts
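Review bot: the new comment ``` stats version of mvexpand ``` is too terse to help the next reader, because the `stats values(...) ... by counter unique_accounts _time` that follows collapses rows into multivalue fields rather than expanding them; say what the stage does instead of what it replaces, e.g. ``` regroup per source/sourcetype/signature without an mvexpand ```. While here, check that the existing ``` remove duplicate time buckets for each unique source``` comment still sits next to the step that actually dedups, since the `| sort - _time unique_accounts` directly under it only orders rows; if the dedup is further down the search, move the comment with it.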
@@ -14,12 +14,12 @@ search: >-
| stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services values(user_category) as user_category values(src_category) as src_category by _time, user, src
| eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by user, src
| eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_services > 5 and unique_services >= upperBound, 1, 0)
| eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0)
| search isOutlier=1
| `unusual_number_of_kerberos_service_tickets_requested_filter`
how_to_implement: To successfully implement this search, you need to be ingesting
Domain Controller and Kerberos events. The Advanced Security Audit policy setting
`Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
`Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
known_false_positives: An single endpoint requesting a large number of kerberos service
tickets is not common behavior. Possible false positive scenarios include but are
not limited to vulnerability scanners, administration systems and missconfigured
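Review bot: lowering the floor from `unique_services > 5` to `unique_services > 2` is a tuning change with real volume impact and nothing in the hunk records why. Because `comp_avg` and `comp_std` are computed per `user, src`, a pair that appears in only one time bucket has no spread, `upperBound` collapses to its own `unique_services`, and the floor alone decides; every first-seen pair requesting 3 or more distinct services now fires where 6 were needed before. Put the rationale in the description or commit message and bump `version` and `date` (the task scheduler file in this commit bumps its date, this file does not in the visible hunks). The second change in the hunk only touches whitespace on the `Audit Kerberos Authentication Service` line; since the adjacent `known_false_positives` text is in the same region, fix `An single endpoint` to `A single endpoint` and `missconfigured` to `misconfigured` in the same commit.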
@@ -10,7 +10,7 @@ data_source:
- Windows Event Log System 7045
search: >-
`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver"
| regex ImagePath!="(?i)^(\w:\\\\Windows\\\\|\w:\\\\Program\sFile|\\\\systemroot\\\\|%SystemRoot%|system32\\\\"
| regex ImagePath!="(?i)^(\w:\\\\Windows\\\\|\w:\\\\Program\sFile|\\\\systemroot\\\\|%SystemRoot%|system32\\\\)"
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType
| rename Computer as dest
| `security_content_ctime(firstTime)`
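Review bot: the fix is right, the old pattern had an unclosed group so the `regex` command errored instead of filtering, which means this detection has produced nothing until now; that is a behaviour change and warrants a `version` bump and a line in the description. Expect volume once it runs: every alternative is anchored at `^`, and 7045 events for kernel drivers frequently carry an NT device path such as `\??\C:\Windows\system32\drivers\...` that matches none of the allowlisted prefixes, so in-tree Windows drivers installed that way will alert as non-standard paths. Either document that in `known_false_positives` or add an alternative that accepts the `\??\` prefix in front of the drive-letter form.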
@@ -1,7 +1,7 @@
name: WinEvent Windows Task Scheduler Event Action Started
id: b3632472-310b-11ec-9aab-acde48001122
version: 5
date: '2024-10-17'
date: '2024-10-24'
author: Michael Haag, Splunk
status: production
type: Hunting
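Review bot: `date` moves to 2024-10-24 but `version` stays at 5, even though this commit renames the output field from `dest` to `dvc` in the search, the message, the observable and the required fields; any saved search, risk rule or dashboard keyed on `dest` for this detection will silently stop matching, which is exactly what the version counter is there to flag. Bump to 6. Also, the commit is dated Oct 23 while `date` says 2024-10-24; use the actual change date.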
@@ -17,7 +17,7 @@ data_source:
- Windows Event Log TaskScheduler 200
- Windows Event Log TaskScheduler 201
search: '`wineventlog_task_scheduler` EventCode IN ("200","201") | stats count min(_time)
as firstTime max(_time) as lastTime by TaskName dest EventCode | `security_content_ctime(firstTime)`
as firstTime max(_time) as lastTime by TaskName dvc EventCode | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter`'
how_to_implement: Task Scheduler logs are required to be collected. Enable logging
with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational]
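Review bot: grouping `by TaskName dvc EventCode` only works if events returned by `wineventlog_task_scheduler` actually carry a `dvc` field; Microsoft-Windows-TaskScheduler/Operational events expose the host as `Computer`, and whether the Windows add-on aliases that to `dest`, `dvc` or both depends on the TA version the content targets. Confirm against that version and state it in `how_to_implement`, because with `dvc` in the `by` clause any event lacking the field drops out of the results entirely rather than showing up with a blank host. Note too that CIM uses `dest` for the endpoint the action ran on and `dvc` for the device that reported it; for Task Scheduler logs those are the same host, but the rest of the endpoint content keys on `dest`, so this file is now the odd one out.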
@@ -50,11 +50,11 @@ tags:
asset_type: Endpoint
confidence: 100
impact: 80
message: A Scheduled Task was scheduled and ran on $dest$.
message: A Scheduled Task was scheduled and ran on $dvc$.
mitre_attack_id:
- T1053.005
observable:
- name: dest
- name: dvc
type: Hostname
role:
- Victim
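Review bot: `message`, `observable` and the search now agree on `dvc`, which is the important consistency check, but `role: Victim` on a `dvc` observable tells the risk framework that the reporting device is the victim; keep that only if the `dest`-to-`dvc` rename is deliberate library-wide, otherwise the risk object for this hunt diverges from the other endpoint detections that attribute risk to `dest`. Keep the `$dvc$` token in `message` spelled exactly like the `by` field, since the notable message renders empty if they drift apart.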
@@ -67,7 +67,7 @@ tags:
- TaskName
- ActionName
- EventID
- dest
- dvc
- ProcessID
risk_score: 80
security_domain: endpoint
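Review bot: `required_fields` is consistent with the rest of the rename, but the list still carries `EventID` while the search filters on `EventCode`; if `EventID` is a genuinely extracted field for this sourcetype keep it, otherwise change it to `EventCode` so the list matches what the search actually needs.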