Updating detections

splunk · Jun 25, 2024 · 1d98293 · 1d98293
1 parent 8598be7
commit 1d98293
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/...ication_dm_distributed_password_spray.yml → ...t_distributed_password_spray_attempts.yml b/...ication_dm_distributed_password_spray.yml → ...t_distributed_password_spray_attempts.yml
@@ -1,4 +1,4 @@
-name: Authentication DM Distributed Password Spray
+name: Detect Distributed Password Spray Attempts
 id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
 version: 1
 date: '2023-11-01'
@@ -28,9 +28,9 @@ search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS un
   | foreach * 
       [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
   | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id
-  | sort - total_failures | `authentication_dm_distributed_password_spray_filter`'
+  | sort - total_failures | `detect_distributed_password_spray_attempts_filter`'
 how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. 
-known_false_positives: Mondays.
+known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings.
 references:
 - https://attack.mitre.org/techniques/T1110/003/
 tags:
@@ -42,7 +42,7 @@ tags:
   - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
   confidence: 70
   impact: 70
-  message: This is not a risk rule 
+  message: Distributed Password Spray Attempt Detected
   mitre_attack_id:
   - T1110.003
   - T1110

diff --git a/...tion/authentication_dm_password_spray.yml → ...cation/detect_password_spray_attempts.yml b/...tion/authentication_dm_password_spray.yml → ...cation/detect_password_spray_attempts.yml
@@ -1,4 +1,4 @@
-name: Authentication DM Password Spray
+name: Detect Password Spray Attempts
 id: 086ab581-8877-42b3-9aee-4a7ecb0923af
 version: 1
 date: '2023-11-01'
@@ -26,7 +26,7 @@ search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS un
   | where isOutlier=1
   | foreach * [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
   | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id
-  | `authentication_dm_password_spray_filter`'
+  | `detect_password_spray_attempts_filter`'
 how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. 
 known_false_positives: Unknown
 references: