Merge pull request #2800 from splunk/observablefix

Updates to Observable!

Author: patel-bhavin

detections/cloud/o365_added_service_principal.yml

@@ -1,18 +1,13 @@
 name: O365 Added Service Principal
 id: 1668812a-6047-11eb-ae93-0242ac130002
-version: 2
+version: 3
 date: '2023-08-02'
 author: Rod Soto, Splunk
 status: production
 type: TTP
-description: This search detects the creation of a new Federation setting by alerting
-  about an specific event related to its creation.
+description: The following analytic detects addition of new service principal accounts added to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization. 
 data_source: []
-search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="*Add service principal*" OR (Operation = "*principal*" AND action = "created")  
-  | stats count by src_user src_user_type action Operation authentication_service Workload
-  | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)`
-  | `o365_added_service_principal_filter`'
+search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="*Add service principal*" OR (Operation = "*principal*" AND action = "created") | stats count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`'
 how_to_implement: You must install splunk Microsoft Office 365 add-on. This search
   works with o365:management:activity
 known_false_positives: The creation of a new Federation is not necessarily malicious,
@@ -30,18 +25,13 @@ tags:
   asset_type: Office 365
   confidence: 60
   impact: 70
-  message: User $Actor.ID$ created a new federation setting on $Target.ID$ and added
-    service principal credentials from IP Address $ActorIpAddress$
+  message: User $src_user$ has created new service principal $new_value$ in AzureActiveDirectory
   mitre_attack_id:
   - T1136.003
   - T1136
   observable:
-  - name: ActorIpAddress
-    type: IP Address
-    role:
-    - Attacker
-  - name: Target.ID
-    type: Endpoint
+  - name: src_user
+    type: User
     role:
     - Victim
   product:
@@ -52,11 +42,11 @@ tags:
   - _time
   - Workload
   - signature
-  - Actor{}.ID
-  - ModifiedProperties{}.Name
-  - ModifiedProperties{}.NewValue
-  - Target{}.ID
-  - ActorIpAddress
+  - src_user 
+  - src_user_type 
+  - action 
+  - Operation 
+  - authentication_service
   risk_score: 42
   security_domain: threat
 tests:

detections/cloud/o365_excessive_sso_logon_errors.yml

@@ -1,20 +1,15 @@
 name: O365 Excessive SSO logon errors
 id: 8158ccc4-6038-11eb-ae93-0242ac130002
-version: 2
+version: 3
 date: '2023-08-02'
 author: Rod Soto, Splunk
 status: production
 type: Anomaly
-description: This search detects accounts with high number of Single Sign ON (SSO)
+description: The following analytic detects accounts with high number of Single Sign ON (SSO)
   logon errors. Excessive logon errors may indicate attempts to bruteforce of password
   or single sign on token hijack or reuse.
 data_source: []
-search: '`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed 
-  | stats count min(_time) as firstTime max(_time) as lastTime by LogonError ActorIpAddress UserAgent UserId Operation Workload
-  | where count >= 5
-  | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)`
-  | `o365_excessive_sso_logon_errors_filter`'
+search: '`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime by user src_ip LogonError user_agent UserId Operation Workload  authentication_method authentication_service| where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`'
 how_to_implement: You must install splunk Microsoft Office 365 add-on. This search
   works with o365:management:activity
 known_false_positives: Logon errors may not be malicious in nature however it may
@@ -28,16 +23,16 @@ tags:
   asset_type: Office 365
   confidence: 80
   impact: 80
-  message: User $UserId$ has caused excessive number of SSO logon errors from $ActorIpAddress$
+  message: User $user$ has caused excessive number of SSO logon errors from $src_ip$
     using UserAgent $UserAgent$.
   mitre_attack_id:
   - T1556
   observable:
-  - name: ActorIpAddress
+  - name: src_ip
     type: IP Address
     role:
     - Attacker
-  - name: UserId
+  - name: user
     type: User
     role:
     - Victim
@@ -47,11 +42,16 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
+  - user
+  - src_ip
   - Workload
   - LogonError
   - ActorIpAddress
   - UserAgent
   - UserId
+  - authentication_service
+  - authentication_method
+  - Operation
   risk_score: 64
   security_domain: threat
 tests:

detections/cloud/o365_new_federated_domain_added.yml

@@ -5,10 +5,10 @@ date: '2023-08-02'
 author: Rod Soto, Splunk
 status: production
 type: TTP
-description: This search detects the addition of a new Federated domain.
+description: The following search detects the addition of a new Federated domain in O365 environments.  If an attacker adds an unverified domain to Office 365, they may gain unauthorized access to the organization's email and other services, potentially leading to data breaches and information theft. It can be misused to set up adversary infrastruture for phishing, spoofing emails and malware distribution.
 data_source: []
-search: '`o365_management_activity` Operation IN("*add*", "*new*") AND Operation="*domain*"
-  | stats count by Workload Operation Target{}.ID Actor{}.ID
+search: '`o365_management_activity` Operation IN ("*add*", "*new*") AND Operation="*domain*"
+  | stats count values(ModifiedProperties{}.NewValue) as new_value by  user user_agent authentication_service action Workload Operation 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)`
   | `o365_new_federated_domain_added_filter`'
@@ -30,17 +30,12 @@ tags:
   asset_type: Office 365
   confidence: 80
   impact: 80
-  message: User $UserId$ has added a new federated domaain $Parameters.Value$ for
-    $OrganizationName$
+  message: User $user$ has added a new federated domain $new_value$
   mitre_attack_id:
   - T1136.003
   - T1136
   observable:
-  - name: OrganizationName
-    type: Other
-    role:
-    - Victim
-  - name: UserId
+  - name: user
     type: User
     role:
     - Victim
@@ -52,12 +47,11 @@ tags:
   - _time
   - Workload
   - Operation
-  - Parameters{}.Value
-  - ObjectId
-  - OrganizationName
-  - OriginatingServer
-  - UserId
-  - UserKey
+  - ModifiedProperties{}.NewValue
+  - authentication_service
+  - user
+  - user_agent
+  - action
   risk_score: 64
   security_domain: threat
 tests:

detections/endpoint/windows_powershell_remotesigned_file.yml

@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 data_source:
-- Sysmon EventCode 1
+- Sysmon Event ID 1
 description: This analytic identifies the use of "remotesigned" execution policy for a file. 
   This security setting determines whether PowerShell scripts can be executed on a computer. 
   When the execution policy is set to "remotesigned," it allows locally created scripts to run without any restrictions, 
@@ -31,16 +31,16 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: A PowerShell commandline to remotesigned a powershell script in $dest$,
+  message: A PowerShell commandline with remotesigned policy executed on $dest$
   mitre_attack_id:
   - T1059.001
   - T1059
   observable:
-  - name: Computer
+  - name: dest
     type: Hostname
     role:
     - Victim
-  - name: User
+  - name: user
     type: User
     role:
     - Victim