diff --git a/baselines/baseline_of_blocked_outbound_traffic_from_aws.yml b/baselines/baseline_of_blocked_outbound_traffic_from_aws.yml
index c8a73d3a63..bb569450bc 100644
--- a/baselines/baseline_of_blocked_outbound_traffic_from_aws.yml
+++ b/baselines/baseline_of_blocked_outbound_traffic_from_aws.yml
@@ -28,8 +28,6 @@ tags: - AWS Network ACL Activity - Suspicious AWS Traffic - Command and Control - deployments: - - Daily Cache Updates detections: - Detect Spike in blocked Outbound Traffic from your AWS product:
diff --git a/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml b/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml
index 6f573ad0f8..00c8592839 100644
--- a/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml
+++ b/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml
@@ -34,8 +34,6 @@ references: [] tags: analytic_story: - Suspicious Cloud User Activities - deployments: - - Weekly Model Rebuild 90 Day Lookback detections: - Abnormally High Number Of Cloud Infrastructure API Calls product:
@@ -47,3 +45,9 @@ tags: - All_Changes.user - All_Changes.status security_domain: network +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/baseline_of_cloud_instances_destroyed.yml b/baselines/baseline_of_cloud_instances_destroyed.yml
index 849525c2bb..998df09902 100644
--- a/baselines/baseline_of_cloud_instances_destroyed.yml
+++ b/baselines/baseline_of_cloud_instances_destroyed.yml
@@ -37,8 +37,6 @@ tags: analytic_story: - Suspicious Cloud Instance Activities - Cloud Cryptomining - deployments: - - Weekly Model Rebuild 90 Day Lookback detections: - Abnormally High Number Of Cloud Instances Destroyed product: 
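Review bot: After this hunk `baseline_of_blocked_outbound_traffic_from_aws.yml` carries no schedule of its own: the `Daily Cache Updates` reference under `tags.deployments` is removed, but unlike the `___initial.yml` and `Weekly Model Rebuild` baselines later in this diff no top-level `deployment:` block replaces it. If contentctl does not fall back to a default (presumably daily) deployment when the key is absent, this baseline stops being scheduled silently rather than failing validation; the same applies to every other file in the diff that only drops `deployments` (the `___mltk`, `deprecated/`, `___update.yml`, `identify_systems_*`, `monitor_*`, `discover_dns_records`, `dnstwist_domain_names`, `systems_ready_for_spectre_meltdown_windows_patch` and `windows_updates_*` baselines). Either add an explicit block mirroring the former daily cadence, or have the `Deployment` model reject a baseline with neither, so the fallback is a visible decision and not an implicit one.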
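Review bot: `cron_schedule: 0 2 * * 0` in the added `deployment.scheduling` block of `baseline_of_cloud_infrastructure_api_calls_per_user.yml` is an unquoted plain scalar; it loads as a string only because it begins with a digit, whereas a schedule whose first field is `*` would be taken for an alias indicator and fail to parse. Quoting it, `cron_schedule: "0 2 * * 0"` (and `"55 * * * *"` in the hourly variants), makes the field safe to edit; the same applies to every other `+deployment:` hunk in this diff. The added block also ends with `\ No newline at end of file`, which yamllint's `new-line-at-end-of-file` rule flags and which will make the next edit to these files show a spurious change on `schedule_window: auto`.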
@@ -51,3 +49,9 @@ tags: - All_Changes.status - All_Changes.object_category security_domain: network +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/baseline_of_cloud_instances_launched.yml b/baselines/baseline_of_cloud_instances_launched.yml
index 3e52c6b7ed..811b22f7cf 100644
--- a/baselines/baseline_of_cloud_instances_launched.yml
+++ b/baselines/baseline_of_cloud_instances_launched.yml
@@ -37,8 +37,6 @@ tags: analytic_story: - Cloud Cryptomining - Suspicious Cloud Instance Activities - deployments: - - Weekly Model Rebuild 90 Day Lookback detections: - Abnormally High Number Of Cloud Instances Launched product:
@@ -51,3 +49,9 @@ tags: - All_Changes.status - All_Changes.object_category security_domain: network +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml b/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml
index 235ec8557c..9f8e1bad53 100644
--- a/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml
+++ b/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml
@@ -33,8 +33,6 @@ references: [] tags: analytic_story: - Suspicious Cloud User Activities - deployments: - - Weekly Model Rebuild 90 Day Lookback detections: - Abnormally High Number Of Cloud Security Group API Calls product:
@@ -47,3 +45,9 @@ tags: - All_Changes.status - All_Changes.object_category security_domain: network +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/baseline_of_command_line_length___mltk.yml b/baselines/baseline_of_command_line_length___mltk.yml
index be1b32c2ca..ac7c7b3acb 100644 
--- a/baselines/baseline_of_command_line_length___mltk.yml
+++ b/baselines/baseline_of_command_line_length___mltk.yml
@@ -34,8 +34,6 @@ tags: - Suspicious Command-Line Executions - Suspicious MSHTA Activity - Unusual Processes - deployments: - - Daily Cache Updates detections: - Detect Prohibited Applications Spawning cmd.exe - Unusually Long Command Line - MLTK
@@ -50,3 +48,4 @@ tags: - Processes.process_name - Processes.process security_domain: endpoint +
diff --git a/baselines/baseline_of_dns_query_length___mltk.yml b/baselines/baseline_of_dns_query_length___mltk.yml
index d62c26dd4e..04daab4d50 100644
--- a/baselines/baseline_of_dns_query_length___mltk.yml
+++ b/baselines/baseline_of_dns_query_length___mltk.yml
@@ -30,8 +30,6 @@ tags: - Hidden Cobra Malware - Suspicious DNS Traffic - Command and Control - deployments: - - Daily Cache Updates detections: - DNS Query Length Outliers - MLTK product:
diff --git a/baselines/baseline_of_network_acl_activity_by_arn.yml b/baselines/baseline_of_network_acl_activity_by_arn.yml
index 4df783bff3..b3b816c5d4 100644
--- a/baselines/baseline_of_network_acl_activity_by_arn.yml
+++ b/baselines/baseline_of_network_acl_activity_by_arn.yml
@@ -23,8 +23,6 @@ references: [] tags: analytic_story: - AWS Network ACL Activity - deployments: - - Daily Cache Updates detections: - Detect Spike in Network ACL Activity product:
diff --git a/baselines/baseline_of_s3_bucket_deletion_activity_by_arn.yml b/baselines/baseline_of_s3_bucket_deletion_activity_by_arn.yml
index e830524f77..a48856dc77 100644
--- a/baselines/baseline_of_s3_bucket_deletion_activity_by_arn.yml
+++ b/baselines/baseline_of_s3_bucket_deletion_activity_by_arn.yml
@@ -22,8 +22,6 @@ references: [] tags: analytic_story: - Suspicious AWS S3 Activities - deployments: - - Daily Cache Updates detections: - Detect Spike in S3 Bucket deletion product: 
diff --git a/baselines/baseline_of_security_group_activity_by_arn.yml b/baselines/baseline_of_security_group_activity_by_arn.yml
index 850a043ea0..43cabcd1cb 100644
--- a/baselines/baseline_of_security_group_activity_by_arn.yml
+++ b/baselines/baseline_of_security_group_activity_by_arn.yml
@@ -23,8 +23,6 @@ references: [] tags: analytic_story: - AWS User Monitoring - deployments: - - Daily Cache Updates detections: - Detect Spike in Security Group Activity product:
diff --git a/baselines/baseline_of_smb_traffic___mltk.yml b/baselines/baseline_of_smb_traffic___mltk.yml
index c4849029ba..7ea60c16d6 100644
--- a/baselines/baseline_of_smb_traffic___mltk.yml
+++ b/baselines/baseline_of_smb_traffic___mltk.yml
@@ -40,8 +40,6 @@ tags: - Hidden Cobra Malware - Netsh Abuse - Ransomware - deployments: - - Daily Cache Updates detections: - Processes launching netsh - SMB Traffic Spike - MLTK
diff --git a/baselines/count_of_assets_by_category.yml b/baselines/count_of_assets_by_category.yml
index 385aa3bb81..2e3ff8569a 100644
--- a/baselines/count_of_assets_by_category.yml
+++ b/baselines/count_of_assets_by_category.yml
@@ -19,8 +19,6 @@ references: [] tags: analytic_story: - Asset Tracking - deployments: - - Daily Cache Updates detections: - Detect Unauthorized Assets by MAC address product:
diff --git a/baselines/count_of_unique_ips_connecting_to_ports.yml b/baselines/count_of_unique_ips_connecting_to_ports.yml
index 2e23bd688e..10283d24ef 100644
--- a/baselines/count_of_unique_ips_connecting_to_ports.yml
+++ b/baselines/count_of_unique_ips_connecting_to_ports.yml
@@ -20,8 +20,6 @@ tags: - Prohibited Traffic Allowed or Protocol Mismatch - Ransomware - Command and Control - deployments: - - Daily Cache Updates detections: - Prohibited Network Traffic Allowed product:
diff --git a/baselines/create_a_list_of_approved_aws_service_accounts.yml b/baselines/create_a_list_of_approved_aws_service_accounts.yml
index 3e06e9c5bb..b60bf256a4 100644 
--- a/baselines/create_a_list_of_approved_aws_service_accounts.yml
+++ b/baselines/create_a_list_of_approved_aws_service_accounts.yml
@@ -21,8 +21,6 @@ references: [] tags: analytic_story: - AWS User Monitoring - deployments: - - Daily Cache Updates detections: - Detect AWS API Activities From Unapproved Accounts product:
diff --git a/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml b/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml
index 2b99cc4fe8..662b49bef6 100644
--- a/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml
+++ b/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml
@@ -21,8 +21,6 @@ tags: - Monitor for Unauthorized Software - SamSam Ransomware asset_type: Endpoint - deployments: - - Daily Cache Updates detections: - Prohibited Software On Endpoint product:
diff --git a/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml b/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml
index c27e8beefb..02874c9c4a 100644
--- a/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml
+++ b/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml
@@ -22,8 +22,6 @@ references: [] tags: analytic_story: - AWS User Monitoring - deployments: - - Daily Cache Updates detections: - Detect Spike in AWS API Activity product:
diff --git a/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml b/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml
index 0b94c6e35a..0df12d399b 100644
--- a/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml
+++ b/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml
@@ -33,8 +33,6 @@ tags: analytic_story: - AWS Cryptomining - Suspicious AWS EC2 Activities - deployments: - - Daily Cache Updates detections: - Abnormally High AWS Instances Launched by User - MLTK product: 
diff --git a/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml b/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml
index bcbcff72a3..4369184ddb 100644
--- a/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml
+++ b/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml
@@ -33,8 +33,6 @@ references: [] tags: analytic_story: - Suspicious AWS EC2 Activities - deployments: - - Daily Cache Updates detections: - Abnormally High AWS Instances Terminated by User - MLTK product:
diff --git a/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml b/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml
index 9568800eab..cfb61398a8 100644
--- a/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml
+++ b/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml
@@ -22,8 +22,6 @@ references: [] tags: analytic_story: - AWS User Monitoring - deployments: - - Daily Cache Updates detections: - Detect new API calls from user roles product:
diff --git a/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml b/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml
index 4e69e66ab7..1b62095d7d 100644
--- a/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml
+++ b/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml
@@ -20,8 +20,6 @@ references: [] tags: analytic_story: - AWS Suspicious Provisioning Activities - deployments: - - Daily Cache Updates detections: - AWS Cloud Provisioning From Previously Unseen IP Address - AWS Cloud Provisioning From Previously Unseen City
diff --git a/baselines/deprecated/previously_seen_ec2_amis.yml b/baselines/deprecated/previously_seen_ec2_amis.yml
index 859e17dfe2..2d4db54842 100644
--- a/baselines/deprecated/previously_seen_ec2_amis.yml 
+++ b/baselines/deprecated/previously_seen_ec2_amis.yml
@@ -18,8 +18,6 @@ references: [] tags: analytic_story: - AWS Cryptomining - deployments: - - Daily Cache Updates detections: - EC2 Instance Started With Previously Unseen AMI product:
diff --git a/baselines/deprecated/previously_seen_ec2_instance_types.yml b/baselines/deprecated/previously_seen_ec2_instance_types.yml
index d7b4b41ac2..07f828a99f 100644
--- a/baselines/deprecated/previously_seen_ec2_instance_types.yml
+++ b/baselines/deprecated/previously_seen_ec2_instance_types.yml
@@ -18,8 +18,6 @@ references: [] tags: analytic_story: - AWS Cryptomining - deployments: - - Daily Cache Updates detections: - EC2 Instance Started With Previously Unseen Instance Type product:
diff --git a/baselines/deprecated/previously_seen_ec2_launches_by_user.yml b/baselines/deprecated/previously_seen_ec2_launches_by_user.yml
index fc7cde6810..8593df9832 100644
--- a/baselines/deprecated/previously_seen_ec2_launches_by_user.yml
+++ b/baselines/deprecated/previously_seen_ec2_launches_by_user.yml
@@ -19,8 +19,6 @@ tags: analytic_story: - AWS Cryptomining - Suspicious AWS EC2 Activities - deployments: - - Daily Cache Updates detections: - EC2 Instance Started With Previously Unseen User product:
diff --git a/baselines/deprecated/previously_seen_users_in_cloudtrail.yml b/baselines/deprecated/previously_seen_users_in_cloudtrail.yml
index 60681d4489..c10e6be865 100644
--- a/baselines/deprecated/previously_seen_users_in_cloudtrail.yml
+++ b/baselines/deprecated/previously_seen_users_in_cloudtrail.yml
@@ -23,8 +23,6 @@ references: [] tags: analytic_story: - Suspicious AWS Login Activities - deployments: - - Daily Cache Updates detections: - Detect AWS Console Login by User from New Country - Detect AWS Console Login by User from New Region
diff --git a/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml b/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml
index e9133f2cac..f7672203b6 100644 
--- a/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml
+++ b/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml
@@ -25,8 +25,6 @@ references: [] tags: analytic_story: - Suspicious AWS Login Activities - deployments: - - Daily Cache Updates detections: - Detect AWS Console Login by User from New Country - Detect AWS Console Login by User from New Region
diff --git a/baselines/discover_dns_records.yml b/baselines/discover_dns_records.yml
index bfc22c151e..ea2d436f9d 100644
--- a/baselines/discover_dns_records.yml
+++ b/baselines/discover_dns_records.yml
@@ -27,8 +27,6 @@ references: [] tags: analytic_story: - DNS Hijacking - deployments: - - Daily Cache Updates detections: - DNS record changed product:
diff --git a/baselines/dnstwist_domain_names.yml b/baselines/dnstwist_domain_names.yml
index 95b3b54dbc..56d143e729 100644
--- a/baselines/dnstwist_domain_names.yml
+++ b/baselines/dnstwist_domain_names.yml
@@ -20,8 +20,6 @@ tags: - Brand Monitoring - Suspicious Emails asset_type: Endpoint - deployments: - - Daily Cache Updates detections: - Monitor Email For Brand Abuse - Monitor DNS For Brand Abuse
diff --git a/baselines/identify_systems_creating_remote_desktop_traffic.yml b/baselines/identify_systems_creating_remote_desktop_traffic.yml
index ece8d2d0d0..6ed4f0c880 100644
--- a/baselines/identify_systems_creating_remote_desktop_traffic.yml
+++ b/baselines/identify_systems_creating_remote_desktop_traffic.yml
@@ -21,8 +21,6 @@ tags: - Ryuk Ransomware - Hidden Cobra Malware - Active Directory Lateral Movement - deployments: - - Daily Cache Updates detections: - Remote Desktop Network Traffic product:
diff --git a/baselines/identify_systems_receiving_remote_desktop_traffic.yml b/baselines/identify_systems_receiving_remote_desktop_traffic.yml
index ad0dafe2b9..82ce7d8312 100644
--- a/baselines/identify_systems_receiving_remote_desktop_traffic.yml
+++ b/baselines/identify_systems_receiving_remote_desktop_traffic.yml 
@@ -22,8 +22,6 @@ tags: - Ryuk Ransomware - Hidden Cobra Malware - Active Directory Lateral Movement - deployments: - - Daily Cache Updates detections: - Remote Desktop Network Traffic product:
diff --git a/baselines/identify_systems_using_remote_desktop.yml b/baselines/identify_systems_using_remote_desktop.yml
index b4ac09f901..aad6d64306 100644
--- a/baselines/identify_systems_using_remote_desktop.yml
+++ b/baselines/identify_systems_using_remote_desktop.yml
@@ -21,8 +21,6 @@ tags: - Ryuk Ransomware - Hidden Cobra Malware - Active Directory Lateral Movement - deployments: - - Daily Cache Updates detections: - Remote Desktop Network Traffic product:
diff --git a/baselines/monitor_successful_backups.yml b/baselines/monitor_successful_backups.yml
index cce8e80196..469a6b3876 100644
--- a/baselines/monitor_successful_backups.yml
+++ b/baselines/monitor_successful_backups.yml
@@ -18,8 +18,6 @@ references: [] tags: analytic_story: - Monitor Backup Solution - deployments: - - Daily Cache Updates detections: - Unsuccessful Netbackup backups product:
diff --git a/baselines/monitor_unsuccessful_backups.yml b/baselines/monitor_unsuccessful_backups.yml
index 36287b86fc..08267228d4 100644
--- a/baselines/monitor_unsuccessful_backups.yml
+++ b/baselines/monitor_unsuccessful_backups.yml
@@ -17,8 +17,6 @@ references: [] tags: analytic_story: - Monitor Backup Solution - deployments: - - Daily Cache Updates detections: - Unsuccessful Netbackup backups product:
diff --git a/baselines/previously_seen_aws_cross_account_activity.yml b/baselines/previously_seen_aws_cross_account_activity.yml
index 44fcaee040..9cac5a7a27 100644
--- a/baselines/previously_seen_aws_cross_account_activity.yml
+++ b/baselines/previously_seen_aws_cross_account_activity.yml
@@ -22,8 +22,6 @@ references: [] tags: analytic_story: - AWS Cross Account Activity - deployments: - - Daily Cache Updates detections: - AWS Cross Account Activity From Previously Unseen Account product: 
diff --git a/baselines/previously_seen_aws_cross_account_activity___initial.yml b/baselines/previously_seen_aws_cross_account_activity___initial.yml
index d638bb374d..f615b6c25e 100644
--- a/baselines/previously_seen_aws_cross_account_activity___initial.yml
+++ b/baselines/previously_seen_aws_cross_account_activity___initial.yml
@@ -26,8 +26,6 @@ references: [] tags: analytic_story: - Suspicious Cloud Authentication Activities - deployments: - - 90 Day Baseline detections: - AWS Cross Account Activity From Previously Unseen Account product:
@@ -42,3 +40,9 @@ tags: - Authentication.src - Authentication.user_role security_domain: network +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/previously_seen_aws_cross_account_activity___update.yml b/baselines/previously_seen_aws_cross_account_activity___update.yml
index 7f39a483ed..dfc483e769 100644
--- a/baselines/previously_seen_aws_cross_account_activity___update.yml
+++ b/baselines/previously_seen_aws_cross_account_activity___update.yml
@@ -27,8 +27,6 @@ references: [] tags: analytic_story: - Suspicious Cloud Authentication Activities - deployments: - - Daily Cache Updates detections: - AWS Cross Account Activity From Previously Unseen Account product:
diff --git a/baselines/previously_seen_aws_regions.yml b/baselines/previously_seen_aws_regions.yml
index 2259bcab51..39109032a1 100644
--- a/baselines/previously_seen_aws_regions.yml
+++ b/baselines/previously_seen_aws_regions.yml
@@ -20,8 +20,6 @@ tags: analytic_story: - AWS Cryptomining - Suspicious AWS EC2 Activities - deployments: - - Daily Cache Updates detections: - EC2 Instance Started In Previously Unseen Region product:
diff --git a/baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml b/baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml
index db887a270e..1625cba2d3 100644 
--- a/baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml
+++ b/baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml
@@ -22,8 +22,6 @@ references: [] tags: analytic_story: - Suspicious Cloud User Activities - deployments: - - 90 Day Baseline detections: - Cloud API Calls From Previously Unseen User Roles product:
@@ -37,3 +35,9 @@ tags: - All_Changes.user - All_Changes.command security_domain: network +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/previously_seen_cloud_api_calls_per_user_role___update.yml b/baselines/previously_seen_cloud_api_calls_per_user_role___update.yml
index 5ddbe2e8f4..5171f6a2fe 100644
--- a/baselines/previously_seen_cloud_api_calls_per_user_role___update.yml
+++ b/baselines/previously_seen_cloud_api_calls_per_user_role___update.yml
@@ -24,8 +24,6 @@ references: [] tags: analytic_story: - Suspicious Cloud User Activities - deployments: - - Daily Cache Updates detections: - Cloud API Calls From Previously Unseen User Roles product:
diff --git a/baselines/previously_seen_cloud_compute_creations_by_user___initial.yml b/baselines/previously_seen_cloud_compute_creations_by_user___initial.yml
index db0f614cdb..2be9d42b51 100644
--- a/baselines/previously_seen_cloud_compute_creations_by_user___initial.yml
+++ b/baselines/previously_seen_cloud_compute_creations_by_user___initial.yml
@@ -19,8 +19,6 @@ references: [] tags: analytic_story: - Cloud Cryptomining - deployments: - - Hourly Cache Updates detections: - Cloud Compute Instance Created By Previously Unseen User product:
@@ -33,3 +31,9 @@ tags: - All_Changes.object_category - All_Changes.user security_domain: network +deployment: + scheduling: + cron_schedule: 55 * * * * + earliest_time: -70m@m + latest_time: -10m@m + schedule_window: auto \ No newline at end of file 
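Review bot: `previously_seen_cloud_compute_creations_by_user___initial.yml` is the only `___initial` baseline in this diff that receives the hourly schedule (`cron_schedule: 55 * * * *`, `earliest_time: -70m@m`, `latest_time: -10m@m`); every other `___initial` file gets the weekly `0 2 * * 0` / `-90d@d` / `-1d@d` window, and here it is the paired `___update.yml` that is left without a block. This mirrors the `Hourly Cache Updates` value being removed, so it may be intentional, but seeding an initial lookup from a 60-minute window looks like a pre-existing mix-up that this migration is the right moment to confirm. If the intent matches its siblings, the block should read `cron_schedule: 0 2 * * 0`, `earliest_time: -90d@d`, `latest_time: -1d@d`.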
diff --git a/baselines/previously_seen_cloud_compute_creations_by_user___update.yml b/baselines/previously_seen_cloud_compute_creations_by_user___update.yml
index 0ed37e5ef6..4896094581 100644
--- a/baselines/previously_seen_cloud_compute_creations_by_user___update.yml
+++ b/baselines/previously_seen_cloud_compute_creations_by_user___update.yml
@@ -22,8 +22,6 @@ references: [] tags: analytic_story: - Cloud Cryptomining - deployments: - - Daily Cache Updates detections: - Cloud Compute Instance Created By Previously Unseen User product:
diff --git a/baselines/previously_seen_cloud_compute_images___initial.yml b/baselines/previously_seen_cloud_compute_images___initial.yml
index 52816b728c..1e8db27323 100644
--- a/baselines/previously_seen_cloud_compute_images___initial.yml
+++ b/baselines/previously_seen_cloud_compute_images___initial.yml
@@ -21,8 +21,6 @@ references: [] tags: analytic_story: - Cloud Cryptomining - deployments: - - 90 Day Baseline detections: - Cloud Compute Instance Created With Previously Unseen Image product:
@@ -34,3 +32,9 @@ tags: - All_Changes.action - All_Changes.Instance_Changes.image_id security_domain: network +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/previously_seen_cloud_compute_images___update.yml b/baselines/previously_seen_cloud_compute_images___update.yml
index a30c726f8a..cefb0afda5 100644
--- a/baselines/previously_seen_cloud_compute_images___update.yml
+++ b/baselines/previously_seen_cloud_compute_images___update.yml
@@ -22,8 +22,6 @@ references: [] tags: analytic_story: - Cloud Cryptomining - deployments: - - Daily Cache Updates detections: - Cloud Compute Instance Created With Previously Unseen Image product:
diff --git a/baselines/previously_seen_cloud_compute_instance_types___initial.yml b/baselines/previously_seen_cloud_compute_instance_types___initial.yml
index 1901b8974a..4dd9476dbd 100644 
--- a/baselines/previously_seen_cloud_compute_instance_types___initial.yml
+++ b/baselines/previously_seen_cloud_compute_instance_types___initial.yml
@@ -20,8 +20,6 @@ references: [] tags: analytic_story: - Cloud Cryptomining - deployments: - - 90 Day Baseline detections: - Cloud Compute Instance Created With Previously Unseen Instance Type product:
@@ -33,3 +31,9 @@ tags: - All_Changes.action - All_Changes.Instance_Changes.instance_type security_domain: network +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/previously_seen_cloud_compute_instance_types___update.yml b/baselines/previously_seen_cloud_compute_instance_types___update.yml
index daa987c47f..7a6540e378 100644
--- a/baselines/previously_seen_cloud_compute_instance_types___update.yml
+++ b/baselines/previously_seen_cloud_compute_instance_types___update.yml
@@ -22,8 +22,6 @@ references: [] tags: analytic_story: - Cloud Cryptomining - deployments: - - Daily Cache Updates detections: - Cloud Compute Instance Created With Previously Unseen Instance Type product:
diff --git a/baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml b/baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml
index b03acd9d3e..48b1d73252 100644
--- a/baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml
+++ b/baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml
@@ -20,8 +20,6 @@ references: [] tags: analytic_story: - Suspicious Cloud Instance Activities - deployments: - - 90 Day Baseline detections: - Cloud Instance Modified By Previously Unseen User product:
@@ -35,3 +33,9 @@ tags: - All_Changes.status - All_Changes.user security_domain: network +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file 
diff --git a/baselines/previously_seen_cloud_instance_modifications_by_user___update.yml b/baselines/previously_seen_cloud_instance_modifications_by_user___update.yml
index c95a1e7a7b..b51943b350 100644
--- a/baselines/previously_seen_cloud_instance_modifications_by_user___update.yml
+++ b/baselines/previously_seen_cloud_instance_modifications_by_user___update.yml
@@ -24,8 +24,6 @@ references: [] tags: analytic_story: - Suspicious Cloud Instance Activities - deployments: - - Daily Cache Updates detections: - Cloud Instance Modified By Previously Unseen User product:
diff --git a/baselines/previously_seen_cloud_provisioning_activity_sources___initial.yml b/baselines/previously_seen_cloud_provisioning_activity_sources___initial.yml
index f103ce58ce..22542e4d13 100644
--- a/baselines/previously_seen_cloud_provisioning_activity_sources___initial.yml
+++ b/baselines/previously_seen_cloud_provisioning_activity_sources___initial.yml
@@ -24,8 +24,6 @@ references: [] tags: analytic_story: - Suspicious Cloud Provisioning Activities - deployments: - - 90 Day Baseline detections: - Cloud Provisioning Activity From Previously Unseen IP Address - Cloud Provisioning Activity From Previously Unseen City
@@ -41,3 +39,9 @@ tags: - All_Changes.src - All_Changes.status security_domain: network +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/previously_seen_cloud_provisioning_activity_sources___update.yml b/baselines/previously_seen_cloud_provisioning_activity_sources___update.yml
index ce01a7c493..104740b59d 100644
--- a/baselines/previously_seen_cloud_provisioning_activity_sources___update.yml
+++ b/baselines/previously_seen_cloud_provisioning_activity_sources___update.yml 
@@ -29,8 +29,6 @@ references: [] tags: analytic_story: - Suspicious Cloud Provisioning Activities - deployments: - - Daily Cache Updates detections: - Cloud Provisioning Activity From Previously Unseen IP Address - Cloud Provisioning Activity From Previously Unseen City
diff --git a/baselines/previously_seen_cloud_regions___initial.yml b/baselines/previously_seen_cloud_regions___initial.yml
index 1c710097d9..8c83ae3cb2 100644
--- a/baselines/previously_seen_cloud_regions___initial.yml
+++ b/baselines/previously_seen_cloud_regions___initial.yml
@@ -22,8 +22,6 @@ references: [] tags: analytic_story: - Cloud Cryptomining - deployments: - - 90 Day Baseline detections: - Cloud Compute Instance Created In Previously Unused Region product:
@@ -35,3 +33,9 @@ tags: - All_Changes.action - All_Changes.vendor_region security_domain: network +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/previously_seen_cloud_regions___update.yml b/baselines/previously_seen_cloud_regions___update.yml
index f00ff4dc49..d51eeb25b1 100644
--- a/baselines/previously_seen_cloud_regions___update.yml
+++ b/baselines/previously_seen_cloud_regions___update.yml
@@ -25,8 +25,6 @@ references: [] tags: analytic_story: - Cloud Cryptomining - deployments: - - Daily Cache Updates detections: - Cloud Compute Instance Created In Previously Unused Region product:
diff --git a/baselines/previously_seen_command_line_arguments.yml b/baselines/previously_seen_command_line_arguments.yml
index f23a273e6c..6f29d709d1 100644
--- a/baselines/previously_seen_command_line_arguments.yml
+++ b/baselines/previously_seen_command_line_arguments.yml
@@ -30,8 +30,6 @@ tags: - Suspicious Command-Line Executions - Suspicious MSHTA Activity - IcedID - deployments: - - Daily Cache Updates detections: - First time seen command line argument product: 
diff --git a/baselines/previously_seen_ec2_modifications_by_user.yml b/baselines/previously_seen_ec2_modifications_by_user.yml
index 12d35bb7e7..86e14cc330 100644
--- a/baselines/previously_seen_ec2_modifications_by_user.yml
+++ b/baselines/previously_seen_ec2_modifications_by_user.yml
@@ -18,8 +18,6 @@ references: [] tags: analytic_story: - Unusual AWS EC2 Modifications - deployments: - - Daily Cache Updates detections: - EC2 Instance Modified With Previously Unseen User product:
diff --git a/baselines/previously_seen_running_windows_services___initial.yml b/baselines/previously_seen_running_windows_services___initial.yml
index 21c9c2e00b..2a4504f319 100644
--- a/baselines/previously_seen_running_windows_services___initial.yml
+++ b/baselines/previously_seen_running_windows_services___initial.yml
@@ -20,8 +20,6 @@ tags: - Orangeworm Attack Group - Windows Service Abuse - NOBELIUM Group - deployments: - - 90 Day Baseline detections: - First Time Seen Running Windows Service product:
@@ -33,3 +31,9 @@ tags: - EventCode - Message security_domain: endpoint +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/previously_seen_running_windows_services___update.yml b/baselines/previously_seen_running_windows_services___update.yml
index 2ba9a0d4f4..c67fa5c292 100644
--- a/baselines/previously_seen_running_windows_services___update.yml
+++ b/baselines/previously_seen_running_windows_services___update.yml
@@ -25,8 +25,6 @@ tags: - Orangeworm Attack Group - Windows Service Abuse - NOBELIUM Group - deployments: - - Hourly Cache Updates detections: - First Time Seen Running Windows Service product:
@@ -38,3 +36,9 @@ tags: - EventCode - Message security_domain: endpoint +deployment: + scheduling: + cron_schedule: 55 * * * * + earliest_time: -70m@m + latest_time: -10m@m + schedule_window: auto \ No newline at end of file 
diff --git a/baselines/previously_seen_s3_bucket_access_by_remote_ip.yml b/baselines/previously_seen_s3_bucket_access_by_remote_ip.yml
index 7d6bcad9b4..afff188900 100644
--- a/baselines/previously_seen_s3_bucket_access_by_remote_ip.yml
+++ b/baselines/previously_seen_s3_bucket_access_by_remote_ip.yml
@@ -21,8 +21,6 @@ references: [] tags: analytic_story: - Suspicious AWS S3 Activities - deployments: - - Daily Cache Updates detections: - Detect S3 access from a new IP product:
diff --git a/baselines/previously_seen_users_in_cloudtrail___initial.yml b/baselines/previously_seen_users_in_cloudtrail___initial.yml
index 3e428d1d28..8982ce24cb 100644
--- a/baselines/previously_seen_users_in_cloudtrail___initial.yml
+++ b/baselines/previously_seen_users_in_cloudtrail___initial.yml
@@ -25,8 +25,6 @@ references: [] tags: analytic_story: - Suspicious Cloud Authentication Activities - deployments: - - 90 Day Baseline detections: - Detect AWS Console Login by User from New Country - Detect AWS Console Login by User from New Region
@@ -42,3 +40,9 @@ tags: - Authentication.user - Authentication.src security_domain: network +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/previously_seen_users_in_cloudtrail___update.yml b/baselines/previously_seen_users_in_cloudtrail___update.yml
index 406b44379a..60e463be04 100644
--- a/baselines/previously_seen_users_in_cloudtrail___update.yml
+++ b/baselines/previously_seen_users_in_cloudtrail___update.yml
@@ -25,8 +25,6 @@ references: [] tags: analytic_story: - Suspicious Cloud Authentication Activities - deployments: - - Daily Cache Updates detections: - Detect AWS Console Login by User from New Country - Detect AWS Console Login by User from New Region 
diff --git a/baselines/previously_seen_zoom_child_processes___initial.yml b/baselines/previously_seen_zoom_child_processes___initial.yml
index a844bf188e..94e2d11d9a 100644
--- a/baselines/previously_seen_zoom_child_processes___initial.yml
+++ b/baselines/previously_seen_zoom_child_processes___initial.yml
@@ -22,8 +22,6 @@ references: [] tags: analytic_story: - Suspicious Zoom Child Processes - deployments: - - 90 Day Baseline detections: - First Time Seen Child Process of Zoom product:
@@ -36,3 +34,9 @@ tags: - Processes.process_name - Processes.dest security_domain: endpoint +deployment: + scheduling: + cron_schedule: 0 2 * * 0 + earliest_time: -90d@d + latest_time: -1d@d + schedule_window: auto \ No newline at end of file
diff --git a/baselines/previously_seen_zoom_child_processes___update.yml b/baselines/previously_seen_zoom_child_processes___update.yml
index 2f6d459d7b..dc968e2e40 100644
--- a/baselines/previously_seen_zoom_child_processes___update.yml
+++ b/baselines/previously_seen_zoom_child_processes___update.yml
@@ -27,8 +27,6 @@ references: [] tags: analytic_story: - Suspicious Zoom Child Processes - deployments: - - Hourly Cache Updates detections: - First Time Seen Child Process of Zoom product:
@@ -41,3 +39,9 @@ tags: - Processes.process_name - Processes.dest security_domain: endpoint +deployment: + scheduling: + cron_schedule: 55 * * * * + earliest_time: -70m@m + latest_time: -10m@m + schedule_window: auto \ No newline at end of file
diff --git a/baselines/splunk_command_and_scripting_interpreter_risky_spl_mltk_baseline.yml b/baselines/splunk_command_and_scripting_interpreter_risky_spl_mltk_baseline.yml
index b9275b04d1..47f8f861b7 100644
--- a/baselines/splunk_command_and_scripting_interpreter_risky_spl_mltk_baseline.yml
+++ b/baselines/splunk_command_and_scripting_interpreter_risky_spl_mltk_baseline.yml 
@@ -77,4 +77,9 @@ tags: security_domain: audit detections: - Splunk Command and Scripting Interpreter Risky SPL MLTK - +deployment: + scheduling: + cron_schedule: 55 * * * * + earliest_time: -70m@m + latest_time: -10m@m + schedule_window: auto diff --git a/baselines/systems_ready_for_spectre_meltdown_windows_patch.yml b/baselines/systems_ready_for_spectre_meltdown_windows_patch.yml index 933e33e7a3..40628afaf9 100644 --- a/baselines/systems_ready_for_spectre_meltdown_windows_patch.yml +++ b/baselines/systems_ready_for_spectre_meltdown_windows_patch.yml @@ -24,8 +24,6 @@ references: [] tags: analytic_story: - Spectre And Meltdown Vulnerabilities - deployments: - - Daily Cache Updates detections: - Spectre and Meltdown Vulnerable Systems product: diff --git a/baselines/windows_updates_install_failures.yml b/baselines/windows_updates_install_failures.yml index 7404faf256..c74fffda1d 100644 --- a/baselines/windows_updates_install_failures.yml +++ b/baselines/windows_updates_install_failures.yml @@ -17,8 +17,6 @@ references: [] tags: analytic_story: - Monitor for Updates - deployments: - - Daily Cache Updates detections: - No Windows Updates in a time frame product: diff --git a/baselines/windows_updates_install_successes.yml b/baselines/windows_updates_install_successes.yml index 3786be1bc5..ea2bd56702 100644 --- a/baselines/windows_updates_install_successes.yml +++ b/baselines/windows_updates_install_successes.yml @@ -17,8 +17,6 @@ references: [] tags: analytic_story: - Monitor for Updates - deployments: - - Daily Cache Updates detections: - No Windows Updates in a time frame product: diff --git a/bin/contentctl_project/contentctl_core/domain/entities/deployment.py b/bin/contentctl_project/contentctl_core/domain/entities/deployment.py index a3292bfdb1..3fb953a6ab 100644 --- a/bin/contentctl_project/contentctl_core/domain/entities/deployment.py +++ b/bin/contentctl_project/contentctl_core/domain/entities/deployment.py 
@@ -13,19 +13,19 @@ from bin.contentctl_project.contentctl_core.domain.entities.deployment_slack import DeploymentSlack from bin.contentctl_project.contentctl_core.domain.entities.deployment_phantom import DeploymentPhantom -class Deployment(BaseModel, SecurityContentObject): - name: str - id: str - date: str - author: str - description: str +class Deployment(BaseModel): + name: str = None + id: str = None + date: str = None + author: str = None + description: str = None scheduling: DeploymentScheduling = None email: DeploymentEmail = None notable: DeploymentNotable = None rba: DeploymentRBA = None slack: DeploymentSlack = None phantom: DeploymentPhantom = None - tags: dict + tags: dict = None @validator('name') diff --git a/bin/contentctl_project/contentctl_core/domain/entities/detection.py b/bin/contentctl_project/contentctl_core/domain/entities/detection.py index f6f22b2b81..69178b50f0 100644 --- a/bin/contentctl_project/contentctl_core/domain/entities/detection.py +++ b/bin/contentctl_project/contentctl_core/domain/entities/detection.py @@ -20,6 +20,7 @@ from bin.contentctl_project.contentctl_core.domain.entities.baseline import Baseline from bin.contentctl_project.contentctl_core.domain.entities.playbook import Playbook from bin.contentctl_project.contentctl_core.domain.entities.link_validator import LinkValidator +from bin.contentctl_project.contentctl_core.domain.entities.deployment import Deployment import sys @@ -43,7 +44,6 @@ class Detection(BaseModel, SecurityContentObject): tags: DetectionTags tests: list[UnitTest] = None - # enrichments datamodel: list = None deprecated: bool = None diff --git a/bin/contentctl_project/contentctl_core/domain/entities/detection_tags.py b/bin/contentctl_project/contentctl_core/domain/entities/detection_tags.py index 28338d473e..3b8f8d88c3 100644 --- a/bin/contentctl_project/contentctl_core/domain/entities/detection_tags.py +++ b/bin/contentctl_project/contentctl_core/domain/entities/detection_tags.py 
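Review bot: `name: str = None` (and the other five fields turned optional in `Deployment`) is annotated as a plain `str` while defaulting to `None`; pydantic v1 presumably widens that to Optional at runtime, but static checkers will not, so `Optional[str] = None` states the contract honestly. Dropping `SecurityContentObject` from the base class changes what a `Deployment` is to the rest of the codebase — any isinstance check or shared handling keyed on that base would stop seeing deployments; none is visible in these hunks, so this is worth confirming. The class has no docstring, and since the same model now serves both a standalone file under `deployments/` and the inline `deployment:` mapping in a detection or baseline YAML (where only `scheduling` is set), a two-line docstring saying so would explain why every field became optional. The `@validator('name')` immediately after the hunk will not run for inline deployments that omit `name` unless it is declared with `always=True`, which is probably intended but should be stated next to it.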
@@ -4,6 +4,7 @@ from bin.contentctl_project.contentctl_core.domain.entities.mitre_attack_enrichment import MitreAttackEnrichment from bin.contentctl_project.contentctl_core.domain.constants.constants import * + class DetectionTags(BaseModel): # detection spec name: str @@ -28,6 +29,7 @@ class DetectionTags(BaseModel): cve: list = None supported_tas: list = None + # enrichment mitre_attack_enrichments: list[MitreAttackEnrichment] = [] confidence_id: int = None diff --git a/bin/contentctl_project/contentctl_infrastructure/builder/security_content_baseline_builder.py b/bin/contentctl_project/contentctl_infrastructure/builder/security_content_baseline_builder.py index 02c2eb7dfe..7e2acc38ab 100644 --- a/bin/contentctl_project/contentctl_infrastructure/builder/security_content_baseline_builder.py +++ b/bin/contentctl_project/contentctl_infrastructure/builder/security_content_baseline_builder.py 
@@ -30,35 +30,38 @@ def setObject(self, path: str) -> None: sys.exit(1) def addDeployment(self, deployments: list) -> None: - matched_deployments = [] - - for d in deployments: - d_tags = dict(d.tags) - baseline_dict = self.baseline.dict() - baseline_tags_dict = self.baseline.tags.dict() - for d_tag in d_tags.keys(): - for attr in baseline_dict.keys(): - if attr == d_tag: - if isinstance(baseline_dict[attr], str): - if baseline_dict[attr] == d_tags[d_tag]: - matched_deployments.append(d) - elif isinstance(baseline_dict[attr], list): - if d_tags[d_tag] in baseline_dict[attr]: - matched_deployments.append(d) - - for attr in baseline_tags_dict.keys(): - if attr == d_tag: - if isinstance(baseline_tags_dict[attr], str): - if baseline_tags_dict[attr] == d_tags[d_tag]: - matched_deployments.append(d) - elif isinstance(baseline_tags_dict[attr], list): - if d_tags[d_tag] in baseline_tags_dict[attr]: - matched_deployments.append(d) - - if len(matched_deployments) == 0: - raise ValueError('No deployment found for baseline: ' + self.baseline.name) - - self.baseline.deployment = matched_deployments[-1] + + if not self.baseline.deployment: + + matched_deployments = [] + + for d in deployments: + d_tags = dict(d.tags) + baseline_dict = self.baseline.dict() + baseline_tags_dict = self.baseline.tags.dict() + for d_tag in d_tags.keys(): + for attr in baseline_dict.keys(): + if attr == d_tag: + if isinstance(baseline_dict[attr], str): + if baseline_dict[attr] == d_tags[d_tag]: + matched_deployments.append(d) + elif isinstance(baseline_dict[attr], list): + if d_tags[d_tag] in baseline_dict[attr]: + matched_deployments.append(d) + + for attr in baseline_tags_dict.keys(): + if attr == d_tag: + if isinstance(baseline_tags_dict[attr], str): + if baseline_tags_dict[attr] == d_tags[d_tag]: + matched_deployments.append(d) + elif isinstance(baseline_tags_dict[attr], list): + if d_tags[d_tag] in baseline_tags_dict[attr]: + matched_deployments.append(d) + + if len(matched_deployments) == 0: + 
raise ValueError('No deployment found for baseline: ' + self.baseline.name) + + self.baseline.deployment = matched_deployments[-1] def reset(self) -> None: diff --git a/bin/contentctl_project/contentctl_infrastructure/builder/security_content_detection_builder.py b/bin/contentctl_project/contentctl_infrastructure/builder/security_content_detection_builder.py index a0a6c11558..f8a7679007 100644 --- a/bin/contentctl_project/contentctl_infrastructure/builder/security_content_detection_builder.py +++ b/bin/contentctl_project/contentctl_infrastructure/builder/security_content_detection_builder.py 
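Review bot: `d_tags = dict(d.tags)` raises `TypeError` for a `Deployment` whose `tags` is `None`, and the deployment.py hunk above makes `tags: dict = None` the default, so a deployment file that omits `tags:` now aborts the build instead of simply not matching; `d_tags = dict(d.tags or {})` keeps the old no-match behaviour. The same line is in the detection builder's `addDeployment` in the next hunk. Wrapping the whole body in `if not self.baseline.deployment:` re-indents some thirty unchanged lines, while a guard clause `if self.baseline.deployment: return` at the top would express the same intent as a one-line change; `self.baseline.dict()` and `self.baseline.tags.dict()` also do not depend on `d` and can be hoisted out of the loop. Note that the guard keeps an inline deployment exactly as parsed — one that sets only `scheduling` presumably still counts as a truthy model object — so nothing from a tag-matched default is merged into it; if the default's other settings were expected to apply, that has to be done explicitly.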
@@ -38,27 +38,30 @@ def setObject(self, path: str) -> None: def addDeployment(self, deployments: list) -> None: if self.security_content_obj: - matched_deployments = [] - - for d in deployments: - d_tags = dict(d.tags) - for d_tag in d_tags.keys(): - for attr in dir(self.security_content_obj): - if not (attr.startswith('__') or attr.startswith('_')): - if attr == d_tag: - if type(self.security_content_obj.__getattribute__(attr)) is str: - attr_values = [self.security_content_obj.__getattribute__(attr)] - else: - attr_values = self.security_content_obj.__getattribute__(attr) - - for attr_value in attr_values: - if attr_value == d_tags[d_tag]: - matched_deployments.append(d) - - if len(matched_deployments) == 0: - self.security_content_obj.deployment = None - else: - self.security_content_obj.deployment = matched_deployments[-1] + + if not self.security_content_obj.deployment: + + matched_deployments = [] + + for d in deployments: + d_tags = dict(d.tags) + for d_tag in d_tags.keys(): + for attr in dir(self.security_content_obj): + if not (attr.startswith('__') or attr.startswith('_')): + if attr == d_tag: + if type(self.security_content_obj.__getattribute__(attr)) is str: + attr_values = [self.security_content_obj.__getattribute__(attr)] + else: + attr_values = self.security_content_obj.__getattribute__(attr) + + for attr_value in attr_values: + if attr_value == d_tags[d_tag]: + matched_deployments.append(d) + + if len(matched_deployments) == 0: + self.security_content_obj.deployment = None + else: + self.security_content_obj.deployment = matched_deployments[-1] def addRBA(self) -> None: diff --git a/bin/contentctl_project/contentctl_infrastructure/tests/builder/test_data/baseline/baseline.yml b/bin/contentctl_project/contentctl_infrastructure/tests/builder/test_data/baseline/baseline.yml index b8b72bcd76..4b58627f6e 100644 --- a/bin/contentctl_project/contentctl_infrastructure/tests/builder/test_data/baseline/baseline.yml 
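Review bot: The re-indented body still reads attributes through `self.security_content_obj.__getattribute__(attr)` and checks types with `type(...) is str`; the idiomatic forms are `getattr(self.security_content_obj, attr)` and `isinstance(value, str)`, and the `dir()` scan could be replaced by a direct `getattr(self.security_content_obj, d_tag, None)` since the only attribute the loop ever uses is the one equal to `d_tag`. An attribute that is neither a string nor iterable (a bool or `None`, for instance) would make `for attr_value in attr_values` raise `TypeError` if a deployment tag ever used that key — no such tag is visible here, so this is a latent edge rather than a current failure, but it is cheap to guard while the body is being touched.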
+++ b/bin/contentctl_project/contentctl_infrastructure/tests/builder/test_data/baseline/baseline.yml @@ -25,8 +25,7 @@ references: [] tags: analytic_story: - Suspicious Cloud Authentication Activities - deployments: - - Daily Cache Updates + detections: - Detect AWS Console Login by User from New Country - Detect AWS Console Login by User from New Region diff --git a/deployments/00_default_baseline.yml b/deployments/00_default_baseline.yml index 10bdc8d357..b9d5b21ced 100644 --- a/deployments/00_default_baseline.yml +++ b/deployments/00_default_baseline.yml @@ -4,8 +4,8 @@ date: '2021-12-21' author: Patrick Bareiss description: This configuration file applies to all detections of type baseline. scheduling: - cron_schedule: 0 * * * * - earliest_time: -70m@m + cron_schedule: 10 0 * * * + earliest_time: -1450m@m latest_time: -10m@m schedule_window: auto tags: diff --git a/deployments/11_detect_arp_poisoning.yml b/deployments/11_detect_arp_poisoning.yml deleted file mode 100644 index c8ab23b4e9..0000000000 --- a/deployments/11_detect_arp_poisoning.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: Detect ARP Poisoning deployment configuration -id: e1d5b4dc-4cf3-404f-905c-b478bbb20474 -date: '2020-08-14' -author: Mikael Bjerkeland -description: This configuration file applies to the Detect ARP Poisoning detection -scheduling: - cron_schedule: 59 * * * * - earliest_time: -70m@m - latest_time: -10m@m - schedule_window: auto -alert_action: - notable: - rule_description: ARP Poisoning has been detected on interface $src_interface$ - on host $orig_host$. This may be an indication of a MITM attack. - rule_title: ARP Poisoning Detected on $orig_host$ - nes_fields: - - src_interface - - firstTime - - lastTime - - count -tags: - name: Detect ARP Poisoning diff --git a/deployments/12_detect_dhcp_poisoning.yml b/deployments/12_detect_dhcp_poisoning.yml deleted file mode 100644 index eb52b57951..0000000000 --- a/deployments/12_detect_dhcp_poisoning.yml +++ /dev/null 
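Review bot: The default baseline deployment moves from hourly (`0 * * * *`, `-70m@m`) to daily (`10 0 * * *`, `-1450m@m`), i.e. it takes over the schedule of the deleted `Daily Cache Updates` deployment, but the file's `description` still only says it applies to all baselines and nothing records that a baseline with no inline `deployment:` block now runs once a day; a comment such as `# default is the former 'Daily Cache Updates' schedule; hourly baselines must set deployment.scheduling inline` would make that fallback explicit. The generated savedsearches.conf further down shows no `0 * * * *` → `10 0 * * *` flips, so existing baselines appear unaffected, but any new baseline that omits the block will silently get the daily cadence. Related: deleting the ARP and DHCP detection deployments below makes those two detections fall back to the generic detection default, and the generated conf shows their notables losing the `$orig_host$`, `$src_interface$` and `$src_mac$` context (`nes_fields` becomes `user,dest`, `rule_title` becomes the bare detection name); if those searches do not emit a `user` field, the notable's next-steps fields will be empty, which is a detection-quality regression rather than a cleanup.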
@@ -1,23 +0,0 @@ -name: Detect Rogue DHCP Server deployment configuration -id: 6e4e20ac-e719-4ebe-a52d-d672cd451dbb -date: '2020-08-14' -author: Mikael Bjerkeland -description: This configuration file applies to the Detect Rogue DHCP Server detection -scheduling: - cron_schedule: 59 * * * * - earliest_time: -70m@m - latest_time: -10m@m - schedule_window: auto -alert_action: - notable: - rule_description: DHCP Snooping has detected a Rogue DHCP Server on $orig_host$ - from $src_mac$. This may be an indication of a MITM attack. - rule_title: Rogue DHCP Server Detected on $orig_host$ - nes_fields: - - src_mac - - firstTime - - lastTime - - count - - message_type -tags: - name: Detect Rogue DHCP Server diff --git a/deployments/20_baseline_cache_hourly_updates.yml b/deployments/20_baseline_cache_hourly_updates.yml deleted file mode 100644 index a29fb96a55..0000000000 --- a/deployments/20_baseline_cache_hourly_updates.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: Baseline Cache Hourly Updates -id: 1030c701-2acf-4b1a-9970-46c7145caf2d -date: '2020-06-24' -author: Bhavin Patel -description: This configuration file applies to all baselines with tag deployments - Hourly Cache Updates -scheduling: - cron_schedule: 55 * * * * - earliest_time: -70m@m - latest_time: -10m@m - schedule_window: auto -tags: - deployments: Hourly Cache Updates diff --git a/deployments/21_baseline_cache_daily_updates.yml b/deployments/21_baseline_cache_daily_updates.yml deleted file mode 100644 index 66b23dad71..0000000000 --- a/deployments/21_baseline_cache_daily_updates.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: Baseline Cache Daily Updates -id: 9541d6f8-fa58-4d48-bb44-6720e39b7b0d -date: '2020-08-18' -author: David Dorsey -description: This configuration file applies to all baselines with tag deployments - Daily Cache Updates -scheduling: - cron_schedule: 10 0 * * * - earliest_time: -1450m@m - latest_time: -10m@m - schedule_window: auto -tags: - deployments: Daily Cache Updates 
diff --git a/deployments/30_long_running_baseline_searches.yml b/deployments/30_long_running_baseline_searches.yml deleted file mode 100644 index f8d47d43ad..0000000000 --- a/deployments/30_long_running_baseline_searches.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: 90 Day Baseline Searches -id: 6eac9f8b-a35d-4b64-b57f-e5ecde43be6b -date: '2020-06-24' -author: Bhavin Patel -description: This configuration file applies to all baselines with tag deployments - Long Running Baseline -scheduling: - cron_schedule: 0 1 1 1,4,7,10 * - earliest_time: -90d@d - latest_time: -1d@d - schedule_window: auto -tags: - deployments: 90 Day Baseline diff --git a/deployments/31_weeky_model_rebuild_90_days.yml b/deployments/31_weeky_model_rebuild_90_days.yml deleted file mode 100644 index be6eaae38c..0000000000 --- a/deployments/31_weeky_model_rebuild_90_days.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: Weekly Model Rebuild 90 Day Lookback -id: 4b329568-bcff-49fa-8c85-92e95f0f270d -date: '2020-09-07' -author: David Dorsey -description: This configuration file applies to all baselines with tag deployments - Weekly Model Rebuild 90 Day Lookback -scheduling: - cron_schedule: 0 2 * * 0 - earliest_time: -90d@d - latest_time: -1d@d - schedule_window: auto -tags: - deployments: Weekly Model Rebuild 90 Day Lookback diff --git a/dist/escu/default/analyticstories.conf b/dist/escu/default/analyticstories.conf index a7fd782478..4d5113654b 100644 --- a/dist/escu/default/analyticstories.conf +++ b/dist/escu/default/analyticstories.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-01-03T12:38:50 UTC +# On Date: 2023-01-04T11:48:54 UTC # Author: Splunk Security Research # Contact: research@splunk.com ############# diff --git a/dist/escu/default/collections.conf b/dist/escu/default/collections.conf index b3665eff86..c71da7d9f0 100644 --- a/dist/escu/default/collections.conf +++ b/dist/escu/default/collections.conf 
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-01-03T12:38:50 UTC
+# On Date: 2023-01-04T11:48:54 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
diff --git a/dist/escu/default/es_investigations.conf b/dist/escu/default/es_investigations.conf
index 9d239b5862..65664940fc 100644
--- a/dist/escu/default/es_investigations.conf
+++ b/dist/escu/default/es_investigations.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-01-03T12:38:50 UTC
+# On Date: 2023-01-04T11:48:54 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
diff --git a/dist/escu/default/macros.conf b/dist/escu/default/macros.conf
index 6163d52260..135a52a6e0 100644
--- a/dist/escu/default/macros.conf
+++ b/dist/escu/default/macros.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-01-03T12:38:50 UTC
+# On Date: 2023-01-04T11:48:54 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
diff --git a/dist/escu/default/savedsearches.conf b/dist/escu/default/savedsearches.conf
index 57b4c1c93a..37599f49a1 100644
--- a/dist/escu/default/savedsearches.conf
+++ b/dist/escu/default/savedsearches.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-01-03T12:38:50 UTC
+# On Date: 2023-01-04T11:48:54 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
@@ -46396,7 +46396,7 @@ action.risk.param._risk_message = tbd
 action.risk.param._risk = [{"threat_object_field": "dest", "threat_object_type": "other"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
-cron_schedule = 59 * * * *
+cron_schedule = 0 * * * *
 dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
@@ -46404,9 +46404,9 @@ action.correlationsearch.label = ESCU - Detect ARP Poisoning - Rule
 action.correlationsearch.annotations = {"analytic_story": ["Router and Infrastructure Security"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Actions On Objectives", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "role": ["Other"], "type": "Other"}]}
 schedule_window = auto
 action.notable = 1
-action.notable.param.nes_fields = src_interface,firstTime,lastTime,count
-action.notable.param.rule_description = ARP Poisoning has been detected on interface $src_interface$ on host $orig_host$. This may be an indication of a MITM attack.
-action.notable.param.rule_title = ARP Poisoning Detected on $orig_host$
+action.notable.param.nes_fields = user,dest
+action.notable.param.rule_description = By enabling Dynamic ARP Inspection as a Layer 2 Security measure on the organization's network devices, we will be able to detect ARP Poisoning attacks in the Infrastructure.
+action.notable.param.rule_title = Detect ARP Poisoning
 action.notable.param.security_domain = network
 action.notable.param.severity = high
 alert.digest_mode = 1
@@ -46758,7 +46758,7 @@ action.risk.param._risk_message = tbd
 action.risk.param._risk = [{"threat_object_field": "dest", "threat_object_type": "other"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
-cron_schedule = 59 * * * *
+cron_schedule = 0 * * * *
 dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
@@ -46766,9 +46766,9 @@ action.correlationsearch.label = ESCU - Detect Rogue DHCP Server - Rule
 action.correlationsearch.annotations = {"analytic_story": ["Router and Infrastructure Security"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Actions On Objectives", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557"], "nist": ["DE.CM"], "observable": [{"name": "dest", "role": ["Other"], "type": "Other"}]}
 schedule_window = auto
 action.notable = 1
-action.notable.param.nes_fields = src_mac,firstTime,lastTime,count,message_type
-action.notable.param.rule_description = DHCP Snooping has detected a Rogue DHCP Server on $orig_host$ from $src_mac$. This may be an indication of a MITM attack.
-action.notable.param.rule_title = Rogue DHCP Server Detected on $orig_host$
+action.notable.param.nes_fields = user,dest
+action.notable.param.rule_description = By enabling DHCP Snooping as a Layer 2 Security measure on the organization's network devices, we will be able to detect unauthorized DHCP servers handing out DHCP leases to devices on the network (Man in the Middle attack).
+action.notable.param.rule_title = Detect Rogue DHCP Server
 action.notable.param.security_domain = network
 action.notable.param.severity = high
 alert.digest_mode = 1
@@ -49652,7 +49652,7 @@ action.escu.creation_date = 2020-08-15
 action.escu.modification_date = 2020-08-15
 action.escu.analytic_story = ["Suspicious Cloud Authentication Activities"]
 action.escu.data_models = ["Authentication"]
-cron_schedule = 0 1 1 1,4,7,10 *
+cron_schedule = 0 2 * * 0
 enableSched = 1
 dispatch.earliest_time = -90d@d
 dispatch.latest_time = -1d@d
@@ -49718,7 +49718,7 @@ action.escu.creation_date = 2020-09-03
 action.escu.modification_date = 2020-09-03
 action.escu.analytic_story = ["Suspicious Cloud User Activities"]
 action.escu.data_models = ["Change"]
-cron_schedule = 0 1 1 1,4,7,10 *
+cron_schedule = 0 2 * * 0
 enableSched = 1
 dispatch.earliest_time = -90d@d
 dispatch.latest_time = -1d@d
@@ -49806,7 +49806,7 @@ action.escu.creation_date = 2020-10-08
 action.escu.modification_date = 2020-10-08
 action.escu.analytic_story = ["Cloud Cryptomining"]
 action.escu.data_models = ["Change"]
-cron_schedule = 0 1 1 1,4,7,10 *
+cron_schedule = 0 2 * * 0
 enableSched = 1
 dispatch.earliest_time = -90d@d
 dispatch.latest_time = -1d@d
@@ -49850,7 +49850,7 @@ action.escu.creation_date = 2020-9-03
 action.escu.modification_date = 2020-9-03
 action.escu.analytic_story = ["Cloud Cryptomining"]
 action.escu.data_models = ["Change"]
-cron_schedule = 0 1 1 1,4,7,10 *
+cron_schedule = 0 2 * * 0
 enableSched = 1
 dispatch.earliest_time = -90d@d
 dispatch.latest_time = -1d@d
@@ -49894,7 +49894,7 @@ action.escu.creation_date = 2020-07-29
 action.escu.modification_date = 2020-07-29
 action.escu.analytic_story = ["Suspicious Cloud Instance Activities"]
 action.escu.data_models = ["Change"]
-cron_schedule = 0 1 1 1,4,7,10 *
+cron_schedule = 0 2 * * 0
 enableSched = 1
 dispatch.earliest_time = -90d@d
 dispatch.latest_time = -1d@d
@@ -49938,7 +49938,7 @@ action.escu.creation_date = 2020-08-19
 action.escu.modification_date = 2020-08-19
 action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"]
 action.escu.data_models = ["Change"]
-cron_schedule = 0 1 1 1,4,7,10 *
+cron_schedule = 0 2 * * 0
 enableSched = 1
 dispatch.earliest_time = -90d@d
 dispatch.latest_time = -1d@d
@@ -49982,7 +49982,7 @@ action.escu.creation_date = 2020-09-02
 action.escu.modification_date = 2020-09-02
 action.escu.analytic_story = ["Cloud Cryptomining"]
 action.escu.data_models = ["Change"]
-cron_schedule = 0 1 1 1,4,7,10 *
+cron_schedule = 0 2 * * 0
 enableSched = 1
 dispatch.earliest_time = -90d@d
 dispatch.latest_time = -1d@d
@@ -50070,7 +50070,7 @@ action.escu.creation_date = 2020-06-23
 action.escu.modification_date = 2020-06-23
 action.escu.analytic_story = ["Orangeworm Attack Group", "Windows Service Abuse", "NOBELIUM Group"]
 action.escu.data_models = []
-cron_schedule = 0 1 1 1,4,7,10 *
+cron_schedule = 0 2 * * 0
 enableSched = 1
 dispatch.earliest_time = -90d@d
 dispatch.latest_time = -1d@d
@@ -50136,7 +50136,7 @@ action.escu.creation_date = 2020-05-28
 action.escu.modification_date = 2020-05-28
 action.escu.analytic_story = ["Suspicious Cloud Authentication Activities"]
 action.escu.data_models = ["Authentication"]
-cron_schedule = 0 1 1 1,4,7,10 *
+cron_schedule = 0 2 * * 0
 enableSched = 1
 dispatch.earliest_time = -90d@d
 dispatch.latest_time = -1d@d
@@ -50180,7 +50180,7 @@ action.escu.creation_date = 2020-05-20
 action.escu.modification_date = 2020-05-20
 action.escu.analytic_story = ["Suspicious Zoom Child Processes"]
 action.escu.data_models = ["Endpoint"]
-cron_schedule = 0 1 1 1,4,7,10 *
+cron_schedule = 0 2 * * 0
 enableSched = 1
 dispatch.earliest_time = -90d@d
 dispatch.latest_time = -1d@d
@@ -50224,7 +50224,7 @@ action.escu.creation_date = 2022-05-27
 action.escu.modification_date = 2022-05-27
 action.escu.analytic_story = ["Splunk Vulnerabilities"]
 action.escu.data_models = ["Splunk_Audit"]
-cron_schedule = 0 * * * *
+cron_schedule = 55 * * * *
 enableSched = 1
 dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
diff --git a/dist/escu/default/transforms.conf b/dist/escu/default/transforms.conf
index ccd9b6a52b..4b90ca5dcf 100644
--- a/dist/escu/default/transforms.conf
+++ b/dist/escu/default/transforms.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-01-03T12:38:50 UTC
+# On Date: 2023-01-04T11:48:54 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
diff --git a/dist/escu/default/workflow_actions.conf b/dist/escu/default/workflow_actions.conf
index 6830054909..7339bfe110 100644
--- a/dist/escu/default/workflow_actions.conf
+++ b/dist/escu/default/workflow_actions.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-01-03T12:38:50 UTC
+# On Date: 2023-01-04T11:48:54 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############