From 1d98293bdb71bafb1ef78ce013091396088184bb Mon Sep 17 00:00:00 2001
From: dluxtron <106139814+dluxtron@users.noreply.github.com>
Date: Tue, 25 Jun 2024 12:23:25 +1000
Subject: [PATCH] Updating detections
---
 ...yml => detect_distributed_password_spray_attempts.yml} | 8 ++++----
 ...sword_spray.yml => detect_password_spray_attempts.yml} | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
 rename detections/application/{authentication_dm_distributed_password_spray.yml => detect_distributed_password_spray_attempts.yml} (90%)
 rename detections/application/{authentication_dm_password_spray.yml => detect_password_spray_attempts.yml} (97%)
diff --git a/detections/application/authentication_dm_distributed_password_spray.yml b/detections/application/detect_distributed_password_spray_attempts.yml
similarity index 90%
rename from detections/application/authentication_dm_distributed_password_spray.yml
rename to detections/application/detect_distributed_password_spray_attempts.yml
index f52035b60c..be4c070da1 100644
--- a/detections/application/authentication_dm_distributed_password_spray.yml
+++ b/detections/application/detect_distributed_password_spray_attempts.yml
@@ -1,4 +1,4 @@
-name: Authentication DM Distributed Password Spray
+name: Detect Distributed Password Spray Attempts
 id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
 version: 1
 date: '2023-11-01'
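Review bot: The detection's name (and, further down in this patch, its filter macro) changes, but the context lines `version: 1` and `date: '2023-11-01'` in this hunk are left untouched; a content change to a shipped detection normally bumps the version and refreshes the date so that deployed copies can be told apart from the previous revision. The first hunk of detect_password_spray_attempts.yml has the same issue, keeping `version: 1` and `date: '2023-11-01'` after its rename. Suggest `version: 2` together with the commit date, e.g. `date: '2024-06-25'`, in both files.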
@@ -28,9 +28,9 @@ search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS un | foreach * [ eval <> = if(<>="null",null(),<>)] | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id - | sort - total_failures | `authentication_dm_distributed_password_spray_filter`' + | sort - total_failures | `detect_distributed_password_spray_attempts_filter`' how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. -known_false_positives: Mondays. +known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings. references: - https://attack.mitre.org/techniques/T1110/003/ tags: @@ -42,7 +42,7 @@ tags: - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 confidence: 70 impact: 70 - message: This is not a risk rule + message: Distributed Password Spray Attempt Detected mitre_attack_id: - T1110.003 - T1110 diff --git a/detections/application/authentication_dm_password_spray.yml b/detections/application/detect_password_spray_attempts.yml similarity index 97% rename from detections/application/authentication_dm_password_spray.yml rename to detections/application/detect_password_spray_attempts.yml index b1aa04a48b..9c0ea37da0 100644 --- a/detections/application/authentication_dm_password_spray.yml +++ b/detections/application/detect_password_spray_attempts.yml @@ -1,4 +1,4 @@ -name: Authentication DM Password Spray +name: Detect Password Spray Attempts id: 086ab581-8877-42b3-9aee-4a7ecb0923af version: 1 date: '2023-11-01' 
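Review bot: The search now ends in `| `detect_distributed_password_spray_attempts_filter``, but the diffstat at the top of the patch lists only the two detection files, so no macro definition backing the new name is part of this change; unless that macro already exists or is generated from the detection name at build time, the search will fail to resolve it and the detection stops producing results without any alert about the breakage. The rename to `detect_password_spray_attempts_filter` in the last hunk of detect_password_spray_attempts.yml carries the same dependency. Suggest adding the matching macro entries in this commit, or noting in the commit description that they are generated, so the old `authentication_dm_*_filter` macros are not left as dangling definitions either.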
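Review bot: The new `message: Distributed Password Spray Attempt Detected` carries no context from the matched event, while the search's table in the previous hunk already exposes `unique_src`, `unique_accounts` and `total_failures`; a risk message that surfaces those values lets an analyst triage the notable without re-running the search. If the message field supports `$field$` substitution as elsewhere in this repository, something like `message: Distributed password spray detected - $unique_accounts$ accounts failed authentication from $unique_src$ sources ($total_failures$ failures)` would be more useful than the static text (wording is a constructed example).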
@@ -26,7 +26,7 @@ search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS un
 | where isOutlier=1
 | foreach * [ eval <> = if(<>="null",null(),<>)]
 | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id
- | `authentication_dm_password_spray_filter`'
+ | `detect_password_spray_attempts_filter`'
 how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly.
 known_false_positives: Unknown
 references:
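Review bot: `known_false_positives: Unknown` is left in place on the context line after the renamed filter macro, while the sibling detection in this same commit replaces its placeholder with a description of the Monday-morning spike in legitimate failed logins; since both searches count failed authentications from the same Authentication data model and flag outliers, that caveat most likely applies here as well. Suggest either reusing the same wording, e.g. `known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings.`, or documenting the specific benign sources (service accounts, expired credentials) observed when this search was tuned.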