-
Notifications
You must be signed in to change notification settings - Fork 353
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add critical alerts to risk index #3058
base: develop
Are you sure you want to change the base?
Conversation
can you test this locally to figure out why is it failing unit- testing? |
- T1484 | ||
observable: | ||
- name: dest | ||
type: Other |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
update : Other to Endpoint
author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk | ||
description: The rules are designed to integrate and assess critical alerts from Endpoint, DLP, and firewall sources within Splunk. By correlating these alerts and enriching them with MITRE ATT&CK annotations, it offers a nuanced perspective on alerts risk profiles. This rule actively monitors for critical alerts, and upon detection, it triggers an alert that not only preserves the original source information but also assigns a quantified risk score. | ||
narrative: This story has rules that integrates and assesses critical alerts from Endpoint, DLP, and firewall sources in Splunk. By correlating alerts and adding MITRE annotations, it provides a comprehensive view of customer risk. It triggers an alert when critical alerts are detected, preserving the source and assigning risk scores. This helps security analysts understand threats and respond effectively. | ||
references: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we add some references
how_to_implement: In order to properly run this search, Splunk needs to ingest data from other security products such as crowdstrike, microsoft defender, or carbon black. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. | ||
known_false_positives: False positives may vary by endpoint protection tool; monitor and adjust the risk scores as needed. | ||
references: | ||
- https://attack.mitre.org/tactics/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we improve references
author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk | ||
status: production | ||
type: TTP | ||
data_source: ["windows defender logs"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lets add a data source file for this data in the data sources folder and use that name in here
Details
Detection to add critical alerts to risk index
Checklist
<platform>_<mitre att&ck technique>_<short description>
nomenclatureNotes For Submitters and Reviewers
build
CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.