diff --git a/detections/cloud/detect_new_open_gcp_storage_buckets.yml b/detections/cloud/detect_new_open_gcp_storage_buckets.yml
index 99cf378c78..6af80fab39 100644
--- a/detections/cloud/detect_new_open_gcp_storage_buckets.yml
+++ b/detections/cloud/detect_new_open_gcp_storage_buckets.yml
@@ -1,7 +1,7 @@
name: Detect New Open GCP Storage Buckets
id: f6ea3466-d6bb-11ea-87d0-0242ac130003
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-12'
author: Shannon Davis, Splunk
status: experimental
type: TTP
@@ -23,7 +23,8 @@ how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platf
known_false_positives: While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group.
references: []
rba:
- message: New Public GCP Storage Bucket Detected
+ message: |
"allUser" member added to $bucketName$ by $user$ making the bucket available to the public
risk_objects:
- field: user
type: user
diff --git a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
index 0ac8905cd5..4e4621e279 100644
--- a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
+++ b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
@@ -1,7 +1,7 @@
name: Detect Spike in blocked Outbound Traffic from your AWS
id: d3fffa37-492f-487b-a35d-c60fcb2acf01
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-12'
author: Bhavin Patel, Splunk
status: experimental
type: Anomaly
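Review bot: The new message names the principal `"allUser"`, but the GCP IAM principal — and this file's own known_false_positives text two lines above — is `allUsers`, so an analyst pivoting from the risk message to the audit log will search for the wrong string. The `|` literal block scalar also leaves a trailing newline inside the message, which none of the other messages in this commit carry; a single-quoted plain scalar avoids both the block scalar and the leading-double-quote problem: `message: '"allUsers" member added to $bucketName$ by $user$, making the bucket available to the public'`. `$bucketName$` and `$user$` only render if the search emits fields of exactly those names, which cannot be confirmed from this hunk.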
@@ -32,7 +32,7 @@ how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or late
known_false_positives: The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.
references: []
rba:
- message: Blocked outbound traffic from your AWS VPC
+ message: Blocked $numberOfBlockedConnections$ outbound connections from your AWS VPC $src_ip$
risk_objects:
- field: src_ip
type: system
diff --git a/detections/cloud/gcp_detect_gcploit_framework.yml b/detections/cloud/gcp_detect_gcploit_framework.yml
index 9d66e17a1a..77bf39919a 100644
--- a/detections/cloud/gcp_detect_gcploit_framework.yml
+++ b/detections/cloud/gcp_detect_gcploit_framework.yml
@@ -1,7 +1,7 @@
name: GCP Detect gcploit framework
id: a1c5a85e-a162-410c-a5d9-99ff639e5a52
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-12'
author: Rod Soto, Splunk
status: experimental
type: TTP
@@ -17,7 +17,7 @@ references:
- https://github.com/dxa4481/gcploit
- https://www.youtube.com/watch?v=Ml09R38jpok
rba:
- message: Possible use of gcploit framework
+ message: Possible use of gcploit framework from $src$ by $src_user$
risk_objects:
- field: src_user
type: user
diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml
index 870d543349..0bcc64f9e4 100644
--- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml
+++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml
@@ -1,7 +1,7 @@
name: Excessive Usage Of SC Service Utility
id: cb6b339e-d4c6-11eb-a026-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-12'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
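Review bot: The new message reads `from your AWS VPC $src_ip$`, but `src_ip` is the risk object of type `system` declared a few lines below — an address, not a VPC identifier — so the sentence labels a host as a VPC. `message: Blocked $numberOfBlockedConnections$ outbound connections from $src_ip$ in your AWS VPC` keeps the count and describes the field correctly. Whether the search actually emits a `numberOfBlockedConnections` field cannot be confirmed from this hunk; if it does not, the token is presumably left unsubstituted in every risk event, so it is worth checking against the search body.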
@@ -35,7 +35,7 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
- message: Excessive Usage Of SC Service Utility
+ message: Excessive Usage Of SC Service Utility on $dest$ by $user$
risk_objects:
- field: dest
type: system
diff --git a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
index d2b8906018..1ea426522e 100644
--- a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
+++ b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: Get DomainPolicy with Powershell Script Block
id: a360d2b2-065a-11ec-b0bf-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-12'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -36,7 +36,7 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
- message: Powershell process with command line indicative of querying domain policy.
+ message: Powershell process indicative of querying domain policy, spawned by $user_id$ on $dest$
risk_objects:
- field: dest
type: system
diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml
index ef5105d387..5bd6e839a3 100644
--- a/detections/endpoint/windows_adfind_exe.yml
+++ b/detections/endpoint/windows_adfind_exe.yml
@@ -1,7 +1,7 @@
name: Windows AdFind Exe
id: bd3b0187-189b-46c0-be45-f52da2bae67f
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-12'
author: Jose Hernandez, Bhavin Patel, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -75,7 +75,7 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
- message: Windows AdFind Exe detected with command-line arguments associated with Active Directory queries on machine - [dest]
+ message: $user$ spawned $process$ indicative of Active Directory discovery on machine - [$dest$]
risk_objects:
- field: user
type: user
diff --git a/detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml b/detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml
index fbf37c5a62..d6eb30eeb5 100644
--- a/detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml
+++ b/detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml
@@ -1,7 +1,7 @@
name: Windows Excel ActiveMicrosoftApp Child Process
id: 4dfd6a58-93b2-4012-bb33-038bb63652b3
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-12'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -38,7 +38,7 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
- message: Risk Message goes here
+ message: $parent_process_name$ spawned $process_name$ on $dest$, indicative of ActivateMicrosoftApp() use
risk_objects:
- field: dest
type: system
diff --git a/detections/endpoint/windows_rdp_server_registry_entry_created.yml b/detections/endpoint/windows_rdp_server_registry_entry_created.yml
index 18fe28edeb..b3e9ffd824 100644
--- a/detections/endpoint/windows_rdp_server_registry_entry_created.yml
+++ b/detections/endpoint/windows_rdp_server_registry_entry_created.yml
@@ -1,7 +1,7 @@
name: Windows RDP Server Registry Entry Created
id: 61f10919-c360-4e56-9cda-f1f34500cfda
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-12'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
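Review bot: The new message embeds `$process$`, which — if the search uses the CIM `Processes.process` field, as the old message's reference to command-line arguments suggests — is the full command line, so a one-line risk message can carry an arbitrarily long argument string. If a short summary is intended, `$process_name$` reads better and the full command line stays reachable through the drilldown: `message: $user$ spawned $process_name$ with Active Directory discovery arguments on $dest$`. The `machine - [$dest$]` bracket style is also left over from the old wording and is used by no other message in this commit.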
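Review bot: The new message says `ActivateMicrosoftApp()` while the detection `name` in the first hunk of this file says `ActiveMicrosoftApp`; the Excel `Application` method is `ActivateMicrosoftApp`, so the message appears to be the correct spelling and the name (and file name) the typo, but the two now disagree within one file. Renaming the detection is outside this hunk, so at minimum the message should spell out which product the method belongs to so the mismatch is not read as two different things: `message: $parent_process_name$ spawned $process_name$ on $dest$, indicative of Excel ActivateMicrosoftApp() use`.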
@@ -24,7 +24,7 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
- message: Risk Message goes here
+ message: RDP related registry key $registry_key_name$ created on $dest$
risk_objects:
- field: dest
type: system
diff --git a/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml b/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml
index e7a540e810..3e3a531d86 100644
--- a/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml
+++ b/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml
@@ -1,7 +1,7 @@
name: Windows Rundll32 Load DLL in Temp Dir
id: 520da6fa-7d5d-4a3b-9c61-1087517b8d0f
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-12'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -23,7 +23,7 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
- message: Risk Message goes here
+ message: $parent_process_name$ spawned $process_name$ with a DLL from a temporary directory
risk_objects:
- field: dest
type: system
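Review bot: The new rundll32 message omits the host even though `dest` is the risk object listed immediately after it and every other message in this commit names the host; `message: $parent_process_name$ spawned $process_name$ on $dest$ with a DLL from a temporary directory`. If the search also surfaces the command line, naming the DLL path (for example via `$process$`) would make the message actionable without a drilldown, but no such field is visible in this hunk, so that is worth checking against the search body first.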