Add critical alerts to risk index #3058
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
can you test this locally to figure out why is it failing unit- testing? |
| - T1484 | ||
| observable: | ||
| - name: dest | ||
| type: Other |
There was a problem hiding this comment.
update : Other to Endpoint
| author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk | ||
| description: The rules are designed to integrate and assess critical alerts from Endpoint, DLP, and firewall sources within Splunk. By correlating these alerts and enriching them with MITRE ATT&CK annotations, it offers a nuanced perspective on alerts risk profiles. This rule actively monitors for critical alerts, and upon detection, it triggers an alert that not only preserves the original source information but also assigns a quantified risk score. | ||
| narrative: This story has rules that integrates and assesses critical alerts from Endpoint, DLP, and firewall sources in Splunk. By correlating alerts and adding MITRE annotations, it provides a comprehensive view of customer risk. It triggers an alert when critical alerts are detected, preserving the source and assigning risk scores. This helps security analysts understand threats and respond effectively. | ||
| references: |
There was a problem hiding this comment.
can we add some references
| how_to_implement: In order to properly run this search, Splunk needs to ingest data from other security products such as crowdstrike, microsoft defender, or carbon black. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. | ||
| known_false_positives: False positives may vary by endpoint protection tool; monitor and adjust the risk scores as needed. | ||
| references: | ||
| - https://attack.mitre.org/tactics/ |
There was a problem hiding this comment.
can we improve references
| author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk | ||
| status: production | ||
| type: TTP | ||
| data_source: ["windows defender logs"] |
There was a problem hiding this comment.
lets add a data source file for this data in the data sources folder and use that name in here
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Details
Detection to add critical alerts to risk index
Checklist
<platform>_<mitre att&ck technique>_<short description>nomenclatureNotes For Submitters and Reviewers
buildCI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.