Merge branch 'develop' into auto-ta-update-299

Author: pyth0n1c

detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml

@@ -1,9 +1,9 @@
 name: Abnormally High Number Of Cloud Infrastructure API Calls
 id: 0840ddf1-8c89-46ff-b730-c8d6722478c0
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: David Dorsey, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects a spike in the number of API calls made
   to your cloud infrastructure by a user. It leverages cloud infrastructure logs and
@@ -31,6 +31,20 @@ how_to_implement: You must be ingesting your cloud infrastructure logs. You also
   create the probability density function.
 known_false_positives: None.
 references: []
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: user $user$ has made $api_calls$ api calls, violating the dynamic threshold
     of $expected_upper_threshold$ with the following command $command$.
@@ -51,6 +65,8 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: network
+  manual_test: This search needs the baseline `Baseline Of Cloud Infrastructure API Calls Per User` to be run first.
+tests:
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml

@@ -1,9 +1,9 @@
 name: Abnormally High Number Of Cloud Security Group API Calls
 id: d4dfb7f3-7a37-498a-b5df-f19334e871af
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: David Dorsey, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects a spike in the number of API calls made
   to cloud security groups by a user. It leverages data from the Change data model,
@@ -31,6 +31,20 @@ how_to_implement: You must be ingesting your cloud infrastructure logs. You also
   create the probability density function model.
 known_false_positives: None.
 references: []
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: user $user$ has made $api_calls$ api calls related to security groups,
     violating the dynamic threshold of $expected_upper_threshold$ with the following
@@ -51,6 +65,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: network
+  manual_test: This search needs the baseline `Baseline Of Cloud Security Group API Calls Per User` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml

@@ -1,9 +1,9 @@
 name: ASL AWS New MFA Method Registered For User
 id: 33ae0931-2a03-456b-b1d7-b016c5557fbd
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-06-10'
 author: Patrick Bareiss, Splunk
-status: experimental
+status: production
 type: TTP
 description: The following analytic identifies the registration of a new Multi-Factor
   Authentication (MFA) method for an AWS account, as logged through Amazon Security
@@ -28,14 +28,28 @@ references:
 - https://attack.mitre.org/techniques/T1556/
 - https://attack.mitre.org/techniques/T1556/006/
 - https://twitter.com/jhencinski/status/1618660062352007174
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: A new virtual device is added to user $user$
   risk_objects:
   - field: user
     type: user
     score: 64
   threat_objects:
-  - field: src_ip
+  - field: src
     type: ip_address
 tags:
   analytic_story:

detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml

@@ -1,9 +1,9 @@
 name: Cloud API Calls From Previously Unseen User Roles
 id: 2181ad1f-1e73-4d0c-9780-e8880482a08f
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-10'
 author: David Dorsey, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects cloud API calls executed by user roles
   that have not previously run these commands. It leverages the Change data model
@@ -34,6 +34,20 @@ how_to_implement: You must be ingesting your cloud infrastructure logs from your
   the `cloud_api_calls_from_previously_unseen_user_roles_filter`
 known_false_positives: None.
 references: []
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: User $user$ of type AssumedRole attempting to execute new API calls $command$
     that have not been seen before
@@ -53,6 +67,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Cloud API Calls Per User Role - Initial` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml

@@ -1,9 +1,9 @@
 name: Cloud Compute Instance Created By Previously Unseen User
 id: 37a0ec8d-827e-4d6d-8025-cedf31f3a149
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: Rico Valdez, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic identifies the creation of cloud compute instances
   by users who have not previously created them. It leverages data from the Change
@@ -30,6 +30,20 @@ known_false_positives: It's possible that a user will start to create compute in
   for the first time, for any number of reasons. Verify with the user launching instances
   that this is the intended behavior.
 references: []
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: User $user$ is creating a new instance $dest$ for the first time
   risk_objects:
@@ -51,6 +65,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Cloud Compute Creations By User` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml

@@ -1,9 +1,9 @@
 name: Cloud Compute Instance Created In Previously Unused Region
 id: fa4089e2-50e3-40f7-8469-d2cc1564ca59
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-10'
 author: David Dorsey, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects the creation of a cloud compute instance
   in a region that has not been previously used within the last hour. It leverages
@@ -33,6 +33,20 @@ how_to_implement: You must be ingesting your cloud infrastructure logs from your
 known_false_positives: It's possible that a user has unknowingly started an instance
   in a new region. Please verify that this activity is legitimate.
 references: []
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: User $user$ is creating an instance $dest$ in a new region for the first
     time
@@ -55,6 +69,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Cloud Regions - Update` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml

@@ -1,9 +1,9 @@
 name: Cloud Compute Instance Created With Previously Unseen Image
 id: bc24922d-987c-4645-b288-f8c73ec194c4
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-10'
 author: David Dorsey, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects the creation of cloud compute instances
   using previously unseen image IDs. It leverages cloud infrastructure logs to identify
@@ -34,6 +34,20 @@ known_false_positives: After a new image is created, the first systems created w
   that image will cause this alert to fire.  Verify that the image being used was
   created by a legitimate user.
 references: []
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: User $user$ is creating an instance $dest$ with an image that has not been
     previously seen.
@@ -54,6 +68,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Cloud Compute Images - Initial` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml

@@ -1,9 +1,9 @@
 name: Cloud Compute Instance Created With Previously Unseen Instance Type
 id: c6ddbf53-9715-49f3-bb4c-fb2e8a309cda
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-10'
 author: David Dorsey, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic detects the creation of EC2 instances with previously
   unseen instance types. It leverages Splunk's tstats command to analyze data from
@@ -35,6 +35,20 @@ known_false_positives: It is possible that an admin will create a new system usi
   a new instance type that has never been used before. Verify with the creator that
   they intended to create the system with the new instance type.
 references: []
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: User $user$ is creating an instance $dest$ with an instance type $instance_type$
     that has not been previously seen.
@@ -55,6 +69,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Cloud Compute Instance Types - Initial` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml

@@ -1,9 +1,9 @@
 name: Cloud Instance Modified By Previously Unseen User
 id: 7fb15084-b14e-405a-bd61-a6de15a40722
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-10'
 author: Rico Valdez, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The following analytic identifies cloud instances being modified by users
   who have not previously modified them. It leverages data from the Change data model,
@@ -31,6 +31,20 @@ known_false_positives: It's possible that a new user will start to modify EC2 in
   when they haven't before for any number of reasons. Verify with the user that is
   modifying instances that this is the intended behavior.
 references: []
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
   message: User $user$ is modifying an instance $object_id$ for the first time.
   risk_objects:
@@ -49,6 +63,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Cloud Instance Modifications By User - Update` to be run first.
 tests:
 - name: True Positive Test
   attack_data: