Add detection suspicious api / url from telegram

[zake1god]

User who's using telegram if got phishing/suspicious api/ or suspicious url will detected

Details

What does this PR have in it? Screenshots are worth 1000 words 😄

Checklist

• Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
• CI/CD jobs passed ✔️
• Validated SPL logic.
• Validated tags, description, and how to implement.
• Verified references match analytic.
• Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

• If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
• Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
• Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the datestamp in the lookup CSV filename, and the reference to it in the YAML needs to be updated.

[patel-bhavin]

Hello: @zake1god - Thank you for the PR! Before we get these shipped we would like a few changes in the yaml file . I have left some comments inline!

Can you give us an attack data set to test this detection?

[patel-bhavin]

Can we re arrange the yaml keys to match the key order as the other yamls.

Eg- https://github.com/splunk/security_content/blob/develop/detections/endpoint/access_lsass_memory_for_dump_creation.yml

[patel-bhavin]

The way our drilldowns are setup currently is that we require these two drilldowns to be present by default. Can you replace the first ones with these two :

security_content/detections/endpoint/creation_of_shadow_copy.yml

Line 41 in d69dcf3

drilldown_searches:

We can keep the other two drilldowns!

[zake1god]

remove the first one and keep second and third. also change time with token $info_min_time$ $info_max_time$

[patel-bhavin]

Can you provide an attack dataset?

[zake1god]

4688201331200x80200000000000001114SecurityDESKTOP-EOFJH6ADESKTOP-EOFJH6A\zakezakeDESKTOP-EOFJH6A0x2eb52c0x117cC:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe%%19380x206c"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://api.telegram.org/NULL SID--0x0C:\Users\zake\AppData\Roaming\Telegram Desktop\Telegram.exeMandatory Label\Medium Mandatory Level

[patel-bhavin]

@zake1god :In order to successfully test this detection we would need the raw logs can you export _raw logs from the Splunk instance that would trigger for this detection and add it in the appropriate location in the attack data repository?

Example PR of that attack data looks - like https://github.com/splunk/attack_data/pull/932/files.

In case you are unable to create this PR , please share the _raw data file?

[nasbench]

Going to hijack this thread. But @zake1god the event that you shared does not speak suspicious nor malicious. This is a browser opening a direct link to api.telegram.org
From the logic of your rule, you're looking for a child of telegram.exe having this argument which is expected of the telegram app itself.

A couple of general notes:

• The rule in its current logic state cannot be a TTP.
• The Telegram app accessing the API is expected from a network perspective but the reference that you cite is not actually mentioning anything about abuse of CommandLine but the abuse of telegram itself. Can you please explain the vector of abuse via the commandline that you are trying to detect?