splunk
diff --git a/‎contentctl‎ b/‎contentctl‎
diff --git a/‎contentctl.yml‎
Lines changed: 3 additions & 3 deletions b/‎contentctl.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎detections/cloud/aws_iam_failure_group_deletion.yml‎
Lines changed: 3 additions & 8 deletions b/‎detections/cloud/aws_iam_failure_group_deletion.yml‎
Lines changed: 3 additions & 8 deletions
diff --git a/‎detections/cloud/aws_s3_exfiltration_behavior_identified.yml‎
Lines changed: 3 additions & 3 deletions b/‎detections/cloud/aws_s3_exfiltration_behavior_identified.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml‎
Lines changed: 11 additions & 13 deletions b/‎detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml‎
Lines changed: 11 additions & 13 deletions
diff --git a/‎detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml‎
Lines changed: 6 additions & 6 deletions b/‎detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎detections/cloud/azure_ad_pim_role_assigned.yml‎
Lines changed: 6 additions & 5 deletions b/‎detections/cloud/azure_ad_pim_role_assigned.yml‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎detections/cloud/azure_ad_pim_role_assignment_activated.yml‎
Lines changed: 4 additions & 4 deletions b/‎detections/cloud/azure_ad_pim_role_assignment_activated.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎detections/cloud/azure_automation_runbook_created.yml‎
Lines changed: 3 additions & 3 deletions b/‎detections/cloud/azure_automation_runbook_created.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎detections/cloud/azure_runbook_webhook_created.yml‎
Lines changed: 3 additions & 3 deletions b/‎detections/cloud/azure_runbook_webhook_created.yml‎
Lines changed: 3 additions & 3 deletions
@@ -5,8 +5,8 @@ build:
   name: DA-ESS-ContentUpdate
   path_root: dist
   prefix: ESCU
-  build: 004161
-  version: 4.16.1
+  build: 004170
+  version: 4.17.0
   label: ES Content Updates
   author_name: Splunk Threat Research Team
   author_email: [email protected]
@@ -22,4 +22,4 @@ build_api:
 enrichments:
   attack_enrichment: true
   cve_enrichment: true
-  splunk_app_enrichment: false
+  splunk_app_enrichment: false
@@ -1,7 +1,7 @@
 name: AWS IAM Failure Group Deletion
 id: 723b861a-92eb-11eb-93b8-acde48001122
-version: 1
-date: '2021-04-01'
+version: 2
+date: '2023-11-07'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -32,8 +32,7 @@ tags:
   asset_type: AWS Account
   confidence: 50
   impact: 10
-  message: User $user_arn$ has had mulitple failures while attempting to delete groups
-    from $src$
+  message: User $user_arn$ has had mulitple failures while attempting to delete groups from $src$
   mitre_attack_id:
   - T1098
   observable:
@@ -45,10 +44,6 @@ tags:
     type: User
     role:
     - Victim
-  - name: group_name
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
 
@@ -1,7 +1,7 @@
 name: AWS S3 Exfiltration Behavior Identified
 id: 85096389-a443-42df-b89d-200efbb1b560
-version: 1
-date: '2023-05-04'
+version: 2
+date: '2023-11-07'
 author: Bhavin Patel, Splunk
 status: production
 type: Correlation
@@ -24,7 +24,7 @@ tags:
   asset_type: AWS Account
   confidence: 90
   impact: 90
-  message: Multiple AWS Exfiltration detections $source$ and techniques $All_Risk.annotations.mitre_attack.mitre_tactic_id$ trigged for risk object $risk_object$
+  message: Multiple AWS Exfiltration detections $source$ and techniques $annotations.mitre_attack.mitre_tactic_id$ trigged for risk object $risk_object$
   mitre_attack_id:
   - T1537
   observable:
 
@@ -1,7 +1,7 @@
 name: AWS Successful Console Authentication From Multiple IPs
 id: 395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb
-version: 1
-date: '2023-01-19'
+version: 2
+date: '2023-11-07'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -12,8 +12,8 @@ description: The following analytic identifies an AWS account successfully authe
   time as a legitimate user. As users may behave differently across organizations,
   security teams should test and customize this detection to fit their environments.
 data_source: []
-search: ' `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent)
-  values(eventName) values(src_ip) dc(src_ip) as distinct_ip_count by _time user_arn
+search: ' `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) as userAgent
+  values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn
   | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`'
 how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This
   search works when AWS CloudTrail events are normalized use the Authentication datamodel.
@@ -30,16 +30,16 @@ tags:
   confidence: 80
   impact: 90
   message: User $user_arn$ has successfully logged into the AWS Console from different
-    IP addresses $src$ within 5 mins
+    IP addresses $src_ip$ within 5 mins
   mitre_attack_id:
   - T1586
   - T1535
   observable:
-  - name: src
+  - name: src_ip
     type: IP Address
     role:
     - Attacker
-  - name: user
+  - name: user_arn
     type: User
     role:
     - Victim
@@ -49,12 +49,10 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - Authentication.src
-  - Authentication.user
-  - Authentication.signature
-  - Authentication.user_agent
-  - Authentication.action
-  - Authentication.user_type
+  - eventName
+  - userAgent
+  - src_ip
+  - user_arn
   risk_score: 72
   security_domain: threat
 tests:
 
@@ -1,7 +1,7 @@
 name: AWS Unusual Number of Failed Authentications From Ip
 id: 0b5c9c2b-e2cb-4831-b4f1-af125ceb1386
-version: 1
-date: '2022-09-26'
+version: 2
+date: '2023-11-07'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -19,10 +19,10 @@ description: The following analytic identifies one source IP failing to authenti
   Multiple Users Failing To Authenticate From Ip`.
 data_source: []
 search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time
-  | stats  dc(_raw) AS unique_accounts values(user_name) as tried_accounts by _time,
-  src_ip | eventstats  avg(unique_accounts) as ip_avg , stdev(unique_accounts) as
-  ip_std by _time | eval  upperBound=(ip_avg+ip_std*3) | eval  isOutlier=if(unique_accounts
-  > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`'
+  | stats  dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time,
+  src_ip | eventstats  avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as
+  ip_std by _time | eval  upperBound=(avg_attempts+ip_std*3) | eval  isOutlier=if(distinct_attempts
+  > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`'
 how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail.
   We recommend the users to try different combinations of the bucket span time and
   the calculation of the upperBound field to tune this search according to their environment
 
@@ -1,7 +1,7 @@
 name: Azure AD PIM Role Assigned
 id: fcd6dfeb-191c-46a0-a29c-c306382145ab
-version: 1
-date: '2023-04-26'
+version: 2
+date: '2023-11-07'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,8 @@ description: The following analytic identifies the assignment of the Azure AD PI
 search: ' `azuread` operationName="Add eligible member to role in PIM completed*"
   | rename properties.* as * 
   | rename targetResources{}.userPrincipalName as userPrincipalName 
-  | stats values(userPrincipalName) values(targetResources{}.displayName) by _time, result, operationName, initiatedBy.user.displayName
+  | rename initiatedBy.user.userPrincipalName as initiatedBy
+  | stats values(userPrincipalName) as userPrincipalName values(targetResources{}.displayName) as target_display_name by _time, result, operationName, initiatedBy
   | `azure_ad_pim_role_assigned_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
@@ -33,12 +34,12 @@ tags:
   asset_type: Azure Active Directory
   confidence: 50
   impact: 70
-  message: An Azure AD PIM role assignment was assiged to $userPrincipalName$
+  message: An Azure AD PIM role assignment was assiged to $userPrincipalName$ by $initiatedBy$
   mitre_attack_id:
   - T1098
   - T1098.003
   observable:
-  - name: userPrincipalName
+  - name: initiatedBy
     type: User
     role:
     - Attacker
 
@@ -1,7 +1,7 @@
 name: Azure AD PIM Role Assignment Activated
 id: 952e80d0-e343-439b-83f4-808c3e6fbf2e
-version: 1
-date: '2023-04-26'
+version: 2
+date: '2023-11-07'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies the assignment of the Azure AD PI
 search: ' `azuread` operationName="Add member to role completed (PIM activation)"
   | rename properties.* as * 
   | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy
-  | stats values(userPrincipalName) values(targetResources{}.displayName) by _time, initiatedBy, result, operationName,
+  | stats values(userPrincipalName) as userPrincipalName values(targetResources{}.displayName) as target_display_name by _time, initiatedBy, result, operationName,
   | `azure_ad_pim_role_assignment_activated_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
@@ -38,7 +38,7 @@ tags:
   - T1098
   - T1098.003
   observable:
-  - name: userPrincipalName
+  - name: initiatedBy
     type: User
     role:
     - Attacker
 
@@ -1,7 +1,7 @@
 name: Azure Automation Runbook Created
 id: 178d696d-6dc6-4ee8-9d25-93fee34eaf5b
-version: 1
-date: '2022-08-22'
+version: 2
+date: '2023-11-07'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -17,7 +17,7 @@ description: The following analytic identifies the creation of a new Azure Autom
 data_source: []
 search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation
   Runbook" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object
-  | stats values(object) by _time, caller, claims.ipaddr, resourceGroupName, object_path
+  | stats values(object) as object by _time, caller, claims.ipaddr, resourceGroupName, object_path
   | `azure_automation_runbook_created_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
 
@@ -1,7 +1,7 @@
 name: Azure Runbook Webhook Created
 id: e98944a9-92e4-443c-81b8-a322e33ce75a
-version: 1
-date: '2022-08-23'
+version: 2
+date: '2023-11-07'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -17,7 +17,7 @@ description: The following analytic identifies the creation of a new Automation
   on a VM. This provides a persistent foothold on the environment.
 data_source: []
 search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation
-  webhook" status.value=Succeeded | stats values(object) by _time, caller, claims.ipaddr,
+  webhook" status.value=Succeeded | stats values(object) as object by _time, caller, claims.ipaddr,
   resourceGroupName, object_path | `azure_runbook_webhook_created_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).