LoFP LoFP / none.

Sample rules

Detect Spike in AWS API Activity

Description

This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.

Detection logic

`cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApiCall 
| spath output=arn path=userIdentity.arn 
| stats count as apiCalls by arn 
| inputlookup api_call_by_user_baseline append=t 
| fields - latestCount 
| stats values(*) as * by arn 
| rename apiCalls as latestCount 
| eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 
| eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) 
| eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) 
| table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls 
| outputlookup api_call_by_user_baseline 
| eval dataPointThreshold = 15, deviationThreshold = 3 
| eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) 
| where isSpike=1 
| rename arn as userIdentity.arn 
| table userIdentity.arn] 
| spath output=user userIdentity.arn 
| stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user 
| `detect_spike_in_aws_api_activity_filter`

Windows AD Rogue Domain Controller Network Activity

Description

The following analytic identifies unauthorized replication RPC calls from non-domain controller devices. It leverages Zeek wire data to detect specific RPC operations like DrsReplicaAdd and DRSGetNCChanges, filtering out legitimate domain controllers. This activity is significant as it may indicate an attempt to introduce a rogue domain controller, which can compromise the integrity of the Active Directory environment. If confirmed malicious, this could allow attackers to manipulate directory data, escalate privileges, and persist within the network, posing a severe security risk.

Detection logic

`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges 
| where NOT (dest_category="Domain Controller") OR NOT (src_category="Domain Controller") 
| fillnull value="Unknown" src_category, dest_category 
| table _time endpoint operation src src_category dest dest_category 
| `windows_ad_rogue_domain_controller_network_activity_filter`

Windows AD Dangerous Deny ACL Modification

Description

This detection identifies an Active Directory access-control list (ACL) modification event, which applies permissions that deny the ability to enumerate permissions of the object.

Detection logic

`wineventlog_security` EventCode=5136 
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId  
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"  
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"  
| mvexpand new_ace  
| where NOT new_ace IN (old_values)  
| rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);(?P<aceInheritedTypeGuid>.*?);(?P<aceSid>.*?)$"  
| rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})"  
| rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})"  
| lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights  
| lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value  
| lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType 
| lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups 
| lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user  
| lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` 
| lookup builtin_groups_lookup builtin_group_string  as aceSid OUTPUT builtin_group_name as builtin_group 
| eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid) 
| stats values(aceType) as aceType values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID 
| eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights') 
| search aceType IN ("Access denied",D) AND aceAccessRights IN ("Full control","Read permissions",RC) 
| `windows_ad_dangerous_deny_acl_modification_filter`

Windows AD Hidden OU Creation

Description

This analytic is looking for when an ACL is applied to an OU which denies listing the objects residing in the OU. This activity combined with modifying the owner of the OU will hide AD objects even from domain administrators.

Detection logic

`wineventlog_security` EventCode=5136 ObjectClass=organizationalUnit 
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId  
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"  
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"  
| mvexpand new_ace  
| where NOT new_ace IN (old_values)  
| rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);(?P<aceInheritedTypeGuid>.*?);(?P<aceSid>.*?)$"  
| rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})"  
| rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})"  
| lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights  
| lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value  
| lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType 
| lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups 
| lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user  
| lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` 
| lookup builtin_groups_lookup builtin_group_string  as aceSid OUTPUT builtin_group_name as builtin_group 
| eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid) 
| stats values(aceType) as aceType values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID 
| eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights') 
| search aceType IN ("Access denied",D) AND aceAccessRights IN ("List contents","List objects",LC,LO) 
| `windows_ad_hidden_ou_creation_filter`

Windows AD Domain Controller Promotion

Description

The following analytic identifies a genuine Domain Controller (DC) promotion event by detecting when a computer assigns itself the necessary Service Principal Names (SPNs) to function as a domain controller. It leverages Windows Security Event Code 4742 to monitor existing domain controllers for these changes. This activity is significant as it can help identify rogue DCs added to the network, which could indicate a DCShadow attack. If confirmed malicious, this could allow an attacker to manipulate Active Directory, leading to potential privilege escalation and persistent access within the environment.

Detection logic

`wineventlog_security` EventCode=4742 ServicePrincipalNames IN ("*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*","*GC/*")
| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc
| where src_user=user
| rename Logon_ID as TargetLogonId, user as dest 
| appendpipe [
| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$" 
| fields - dest, dvc, signature]
| stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc by TargetLogonId 
| eval dest=trim(dest,"$") 
| `windows_ad_domain_controller_promotion_filter`

Windows AD Short Lived Domain Controller SPN Attribute

Description

The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the wineventlog_security data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain’s security.

Detection logic

`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue="GC/*" OR AttributeValue="E3514235-4B06-11D1-AB04-00C04FC2DCD2/*") 
| stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN by Logon_ID 
| eval short_lived=case((duration<30),"TRUE") 
| where short_lived="TRUE" AND mvcount(OperationType)>1 
| replace "%%14674" with "Value Added", "%%14675" with "Value Deleted" in OperationType 
| rename Logon_ID as TargetLogonId 
| appendpipe [
| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] 
| stats min(_time) as _time, values(ObjectDN) as ObjectDN values(OperationType) as OperationType by TargetLogonId src_user dest 
| `windows_ad_short_lived_domain_controller_spn_attribute_filter`

Abnormally High Number Of Cloud Infrastructure API Calls

Description

The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and compares the current API call volume against a baseline probability density function to identify anomalies. This activity is significant because an unusual increase in API calls can indicate potential misuse or compromise of cloud resources. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of cloud services, posing a significant risk to the organization’s cloud environment.

Detection logic


| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h 
| `drop_dm_object_name("All_Changes")` 
| eval HourOfDay=strftime(_time, "%H") 
| eval HourOfDay=floor(HourOfDay/4)*4 
| eval DayOfWeek=strftime(_time, "%w") 
| eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) 
| join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] 
| where cardinality >=16 
| apply cloud_excessive_api_calls_v1 threshold=0.005 
| rename "IsOutlier(api_calls)" as isOutlier 
| where isOutlier=1 
| eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) 
| where api_calls > expected_upper_threshold 
| eval distance_from_threshold = api_calls - expected_upper_threshold 
| table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold 
| `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`

Abnormally High Number Of Cloud Security Group API Calls

Description

The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, focusing on successful firewall-related changes. This activity is significant because an abnormal increase in security group API calls can indicate potential malicious activity, such as unauthorized access or configuration changes. If confirmed malicious, this could allow an attacker to manipulate security group settings, potentially exposing sensitive resources or disrupting network security controls.

Detection logic


| tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h 
| `drop_dm_object_name("All_Changes")` 
| eval HourOfDay=strftime(_time, "%H") 
| eval HourOfDay=floor(HourOfDay/4)*4 
| eval DayOfWeek=strftime(_time, "%w") 
| eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) 
| join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] 
| where cardinality >=16 
| apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 
| rename "IsOutlier(security_group_api_calls)" as isOutlier 
| where isOutlier=1 
| eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) 
| where security_group_api_calls > expected_upper_threshold 
| eval distance_from_threshold = security_group_api_calls - expected_upper_threshold 
| table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold 
| `abnormally_high_number_of_cloud_security_group_api_calls_filter`

Cloud API Calls From Previously Unseen User Roles

Description

The following analytic detects cloud API calls executed by user roles that have not previously run these commands. It leverages the Change data model in Splunk to identify commands executed by users with the user_type of AssumedRole and a status of success. This activity is significant because new commands from different user roles can indicate potential malicious activity or unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized access, data breaches, or other damaging outcomes by exploiting new or unmonitored commands within the cloud environment.

Detection logic


| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object 
| `drop_dm_object_name("All_Changes")` 
| lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data 
| eventstats max(enough_data) as enough_data 
| where enough_data=1 
| eval firstTimeSeenUserApiCall=min(firstTimeSeen) 
| where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),"-24h@h") 
| table firstTime, user, object, command 
|`security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `cloud_api_calls_from_previously_unseen_user_roles_filter`

Windows AD Privileged Group Modification

Description

Detect users added to privileged AD Groups.

Detection logic

`wineventlog_security` EventCode IN (4728) 
| stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name,src_user 
| lookup admon_groups_def  cn as Group_Name OUTPUT category 
| where category="privileged" 
| `windows_ad_privileged_group_modification_filter`

Detect Spike in AWS Security Hub Alerts for User

Description

The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation.

Detection logic

`aws_securityhub_finding` "findings{}.Resources{}.Type"= AwsIamUser 
| rename findings{}.Resources{}.Id as user 
| bucket span=4h _time 
| stats count AS alerts by _time user 
| eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev 
| eval threshold_value = 2 
| eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) 
| search isOutlier=1 
| table _time user alerts 
|`detect_spike_in_aws_security_hub_alerts_for_user_filter`

Detect Spike in AWS Security Hub Alerts for EC2 Instance

Description

The following analytic identifies a spike in the number of AWS Security Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect anomalies. This activity is significant for a SOC as a sudden increase in alerts may indicate potential security incidents or misconfigurations requiring immediate attention. If confirmed malicious, this could signify an ongoing attack, leading to unauthorized access, data exfiltration, or disruption of services on the affected EC2 instance.

Detection logic

`aws_securityhub_finding` "Resources{}.Type"=AWSEC2Instance 
| bucket span=4h _time 
| stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest 
| eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev 
| eval threshold_value = 3 
| eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) 
| search isOutlier=1 
| table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg 
| `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`