updating SPL that failed integration testing

splunk · Jan 14, 2025 · 7feac89 · 7feac89
1 parent e67fb0a
commit 7feac89
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml
@@ -8,7 +8,7 @@ type: Anomaly
 description: The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the "CustomSD" value within the "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD" path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting and interacting event logs.
 data_source:
 - Sysmon EventID 13
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Services\\Eventlog\\*" AND Registry.registry_value_name=CustomSD BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_custom_security_descriptor_set_on_eventlog_channel_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Services\\Eventlog\\*" AND Registry.registry_value_name=CustomSD BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name Registry.registry_path | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_custom_security_descriptor_set_on_eventlog_channel_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
 known_false_positives: None identified, setting up the "CustomSD" value is considered a legacy option and shouldn't be a common activity.
 references:

diff --git a/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml
@@ -8,7 +8,7 @@ type: Anomaly
 description: The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the "CustomSD" value within the "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD" path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting and interacting event logs.
 data_source:
 - Sysmon EventID 13
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*", "*\Microsoft\Windows\EventLog\*") AND Registry.registry_value_name=ChannelAccess BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_eventlog_channelaccess_registry_value_set_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*", "*\Microsoft\Windows\EventLog\*") AND Registry.registry_value_name=ChannelAccess BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name Registry.registry_path | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_eventlog_channelaccess_registry_value_set_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
 known_false_positives: False positives may be triggered from newly installed event providers or windows updates, new "ChannelAccess" values must be investigated.
 references: