This PR updates and fixes multiple discovered and reported issues. Below is a summary of the changes.

New Data Sources

- Windows Event Log Security 4756 - Added this new DS to link to a related detection.

Updated Data Sources

- Palo Alto Network Threat - Updated this DS to use the Palo Alto Networks Add-on.
- Palo Alto Network Traffic - Updated this DS to use the Palo Alto Networks Add-on.

Updated Analytics

- Email Attachments With Lots Of Spaces - Added missing MITRE IDs.
- Suspicious Java Classes - Fixed broken regex (from last YAML script application) and added missing MITRE IDs.
- Cloud Compute Instance Created With Previously Unseen Instance Type - Added missing MITRE IDs.
- Certutil exe certificate extraction - Added missing MITRE IDs.
- Malicious PowerShell Process - Encoded Command - Updated the broken regex with a more robust one that aims to detect most variations of the `EncodedCommand` flag (Fix [BUG] Malicious PowerShell Process - Encoded Command - regex doesn't make sense #3939).
- Outbound Network Connection from Java Using Default Ports - Removed duplicate entry for `javaw.exe` and other updates to the SPL structure so that it's more readable.
- Suspicious Rundll32 no Command Line Arguments - Removed the unnecessary usage of regex and moved the filter logic earlier for better performance.
- Suspicious SearchProtocolHost no Command Line Arguments - Removed the unnecessary usage of regex and moved the filter logic earlier for better performance.
- Windows New Deny Permission Set On Service SD Via Sc.EXE - Updated metadata info, including the FP section based on Athena telemetry.
- Windows New Service Security Descriptor Set Via Sc.EXE - Updated metadata info, including the FP section based on Athena telemetry.
- Windows Privilege Escalation Suspicious Process Elevation / Windows Privilege Escalation User Process Spawn System Process / Windows UAC Bypass Suspicious Escalation Behavior - Beautified the SPL of these 3 analytics for better reading (considerations are being made to deprecate these due to their poor performance).
- Detect Large ICMP Traffic / Detect Outbound LDAP Traffic - Updated the logic of these by adding a broader filter for local IPs.
- Detect Computer Changed with Anonymous Account - Updated the logic to be more accurate (see explanation in [BUG] Logic Problem in Detect Computer Changed with Anonymous Account #3961).
- Windows Privileged Group Modification - Updated logic to include EventID 4756 (Fix Add Event ID 4756 to windows_privileged_group_modification detection #3969).
- Windows Scheduled Task Service Spawned Shell - Updated and beautified the SPL as well as other metadata and RBA related config.
- Possible Lateral Movement PowerShell Spawn - Fixed FP by adding exclusion for svchost with the schedule service.