Fix Reported Issues - April Batch

contentctl.yml

@@ -123,11 +123,11 @@ apps:
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-stream-wire-data_816.tgz
 - uid: 2757
-  title: Palo Alto Networks Add-on for Splunk
-  appid: PALO_ALTO_NETWORKS_ADD_ON_FOR_SPLUNK
-  version: 8.1.3
+  title: Splunk Add-on for Palo Alto Networks
+  appid: SPLUNK_ADD_ON_FOR_PALO_ALTO_NETWORKS
+  version: 3.0.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/palo-alto-networks-add-on-for-splunk_813.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-palo-alto-networks_300.tgz
 - uid: 3865
   title: Zscaler Technical Add-On for Splunk
   appid: Zscaler_CIM

data_sources/palo_alto_network_threat.yml

@@ -1,7 +1,7 @@
 name: Palo Alto Network Threat
 id: 375c2b0e-d216-41ad-9406-200464595209
-version: 2
-date: '2025-01-23'
+version: 3
+date: '2026-03-23'
 author: Patrick Bareiss, Splunk
 description: Logs detected threats identified by Palo Alto Networks devices, including
   details about malware, intrusion attempts, and malicious network activity.
@@ -11,12 +11,12 @@ mitre_components:
 - Network Traffic Flow
 - Application Log Content
 - Host Status
-source: pan:threat
+source: not_applicable
 sourcetype: pan:threat
 supported_TA:
 - name: Palo Alto Networks Add-on
-  url: https://splunkbase.splunk.com/app/2757
-  version: 8.1.3
+  url: https://splunkbase.splunk.com/app/7523
+  version: 3.0.0
 field_mappings:
 - data_model: cim
   data_set: Web

data_sources/palo_alto_network_traffic.yml

@@ -1,7 +1,7 @@
 name: Palo Alto Network Traffic
 id: 182a83bc-c31a-4817-8c7a-263744cec52a
-version: 2
-date: '2025-01-23'
+version: 3
+date: '2026-03-23'
 author: Patrick Bareiss, Splunk
 description: Logs network traffic events captured by Palo Alto Networks devices, including
   details about sessions, protocols, and source and destination IPs.
@@ -11,12 +11,12 @@ mitre_components:
 - Network Connection Creation
 - Response Metadata
 - Application Log Content
-source: screenconnect_palo_traffic
+source: not_applicable
 sourcetype: pan:traffic
 supported_TA:
 - name: Palo Alto Networks Add-on
-  url: https://splunkbase.splunk.com/app/2757
-  version: 8.1.3
+  url: https://splunkbase.splunk.com/app/7523
+  version: 3.0.0
 fields:
 - _time
 - date_hour

data_sources/windows_event_log_security_4756.yml

@@ -0,0 +1,18 @@
+name: Windows Event Log Security 4756
+id: b0093058-0cb6-4c73-a95b-fb0f3541e88c
+version: 1
+date: '2026-03-23'
+author: Nasreddine Bencherchali, Splunk
+description: Data source object for Windows Event Log Security 4754
+source: XmlWinEventLog:Security
+sourcetype: XmlWinEventLog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 9.1.2
+fields:
+- _time
+output_fields:
+- dest
+example_log: ''

detections/endpoint/detect_computer_changed_with_anonymous_account.yml

@@ -1,30 +1,38 @@
 name: Detect Computer Changed with Anonymous Account
 id: 1400624a-d42d-484d-8843-e6753e6e3645
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-03-18'
 author: Rod Soto, Jose Hernandez, Splunk
-status: experimental
+status: production
 type: Hunting
-description: The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to "ANONYMOUS LOGON" and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.
+description: |
+    The following analytic detects changes to computer accounts using an anonymous logon.
+    It leverages Windows Security Event Codes 4742 (Computer Change) with a SubjectUserName of a value "ANONYMOUS LOGON".
+    This activity can be significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration.
+    If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.
 data_source:
-    - Windows Event Log Security 4624
     - Windows Event Log Security 4742
 search: |-
-    `wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS LOGON" LogonType=3
-      | stats count min(_time) as firstTime max(_time) as lastTime
-        BY action app authentication_method
-           dest dvc process
-           process_id process_name process_path
-           signature signature_id src
-           src_port status subject
-           user user_group vendor_product
-      | `security_content_ctime(firstTime)`
-      | `security_content_ctime(lastTime)`
-      | `detect_computer_changed_with_anonymous_account_filter`
-how_to_implement: This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
-known_false_positives: No false positives have been identified at this time.
+    `wineventlog_security`
+    EventCode=4742
+    SubjectUserName="ANONYMOUS LOGON"
+    PasswordLastSet="*"
+    | stats count min(_time) as firstTime max(_time) as lastTime
+        BY action app dest ProcessID PasswordLastSet
+           signature signature_id src_user status
+           SubjectDomainName user user_group vendor_product
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `detect_computer_changed_with_anonymous_account_filter`
+how_to_implement: |
+    This search requires "Audit Computer Account Management" sub-category in the audit policy to be enabled on the system in order to generate Event ID 4742, as well as "Audit Logon" to generate Event ID 4624.
+    We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs.
+    Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
+known_false_positives: Some legitimate, legacy devices may utilize this functionality and generate false positives. Apply additional tuning as needed.
 references:
     - https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/
+    - https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/zerologon-vulnerability/
+    - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx
 tags:
     analytic_story:
         - Detect Zerologon Attack
@@ -38,3 +46,9 @@ tags:
         - Splunk Enterprise Security
         - Splunk Cloud
     security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/zerologon/zerologon.log
+          source: XmlWinEventLog:Security
+          sourcetype: XmlWinEventLog

detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml

@@ -1,56 +1,65 @@
 name: Outbound Network Connection from Java Using Default Ports
 id: d2c14d28-5c47-11ec-9892-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-18'
 author: Mauricio Velazco, Lou Stella, Splunk
 status: production
 type: TTP
-description: "The following analytic detects outbound network connections from Java processes to default ports used by LDAP and RMI protocols, which may indicate exploitation of the CVE-2021-44228-Log4j vulnerability. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. Monitoring this activity is crucial as it can signify an attacker’s attempt to perform JNDI lookups and retrieve malicious payloads. If confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server."
+description: |
+    The following analytic detects outbound network connections from Java processes to default ports used by LDAP and RMI protocols, which may indicate exploitation of the CVE-2021-44228-Log4j vulnerability.
+    This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs.
+    Monitoring this activity is crucial as it can signify an attacker's attempt to perform JNDI lookups and retrieve malicious payloads.
+    If confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server.
 data_source:
     - Sysmon EventID 1 AND Sysmon EventID 3
 search: |-
-    | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
-      WHERE (
-            Processes.process_name="java.exe"
-            OR
-            Processes.process_name=javaw.exe
-            OR
-            Processes.process_name=javaw.exe
-        )
-      BY Processes.action Processes.dest Processes.original_file_name
-         Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
-         Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
-         Processes.process Processes.process_exec Processes.process_guid
-         Processes.process_hash Processes.process_id Processes.process_integrity_level
-         Processes.process_name Processes.process_path Processes.user
-         Processes.user_id Processes.vendor_product
+    | tstats `security_content_summariesonly` count
+    FROM datamodel=Endpoint.Processes WHERE
+
+    Processes.process_name IN (
+        "java.exe",
+        "javaw.exe"
+    )
+    BY Processes.action Processes.dest Processes.original_file_name
+       Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+       Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+       Processes.process Processes.process_exec Processes.process_guid
+       Processes.process_hash Processes.process_id Processes.process_integrity_level
+       Processes.process_name Processes.process_path Processes.user
+       Processes.user_id Processes.vendor_product
+
     | `drop_dm_object_name(Processes)`
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
-    | join process_id [
-    | tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic
-      WHERE (
-            All_Traffic.dest_port= 389
-            OR
-            All_Traffic.dest_port= 636
-            OR
-            All_Traffic.dest_port = 1389
-            OR
-            All_Traffic.dest_port = 1099
+    | join process_id
+    [
+        | tstats `security_content_summariesonly` count
+        FROM datamodel=Network_Traffic.All_Traffic WHERE
+        All_Traffic.dest_port IN (
+                    389,
+                    636,
+                    1099,
+                    1389
         )
-      BY All_Traffic.action All_Traffic.app All_Traffic.bytes
-         All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest
-         All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc
-         All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src
-         All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport
-         All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
-         All_Traffic.process_id
-    | `drop_dm_object_name(All_Traffic)`
-    | rename dest as connection_to_CNC]
-    | table _time dest parent_process_name process_name process_path process dest_port
+        BY All_Traffic.action All_Traffic.app All_Traffic.bytes
+            All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest
+            All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc
+            All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src
+            All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport
+            All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
+            All_Traffic.process_id
+        | `drop_dm_object_name(All_Traffic)`
+        | rename dest as connection_to_CNC
+    ]
+    | table _time dest
+            parent_process_path parent_process_name parent_process
+            process_path process_name process process_hash
+            connection_to_CNC dest_port user
     | `outbound_network_connection_from_java_using_default_ports_filter`
-how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-known_false_positives: Legitimate Java applications may use perform outbound connections to these ports. Filter as needed
+how_to_implement: |
+    The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: |
+    Legitimate Java applications may use perform outbound connections to these ports. Filter as needed
 references:
     - https://www.lunasec.io/docs/blog/log4j-zero-day/
     - https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/