Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nterl0k - T1595 - Generic Scanning Behavior #3253

Merged
merged 6 commits into from
Jan 6, 2025
Merged

Nterl0k - T1595 - Generic Scanning Behavior #3253

merged 6 commits into from
Jan 6, 2025

Conversation

nterl0k
Copy link
Contributor

@nterl0k nterl0k commented Dec 26, 2024

Details

Just a simple generic scanning behavior detection from Sysmon EID3 events. Optimized using Traffic datamodel.

Pending - splunk/attack_data#922

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
  • Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

  • If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
  • Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
  • Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the datestamp in the lookup CSV filename, and the reference to it in the YAML needs to be updated.

@patel-bhavin
minor update to data_source
a0e6f0f
@patel-bhavin
build error fixes
39842b9 
Updated the yaml file name and other meta data to ensure it builds succesfully
@patel-bhavin
update mitre
9ee8526 
Removed T1423 since that id is for Mobile
@patel-bhavin
Copy link
Contributor

Hello @nterl0k : Long time no see! Happy new year there! Thank you for the PR, i made a minor update to the data_source key and other minor fixes : 39842b9

I have merged the corresponding attack data PR to continue with unit-testing!

@nterl0k
Copy link
Contributor Author

nterl0k commented Jan 3, 2025 via email

@patel-bhavin
Copy link
Contributor

There is some bug in our testing pipeline. Testing the search locally works great! Will get this shipped soon!
image

@patel-bhavin
Copy link
Contributor

The testing looks good! Thank you @nterl0k!

@patel-bhavin patel-bhavin merged commit d69dcf3 into splunk:develop Jan 6, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@patel-bhavin patel-bhavin patel-bhavin approved these changes

@ljstella ljstella Awaiting requested review from ljstella ljstella is a code owner

Assignees
No one assigned
Labels
Detections
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nterl0k @patel-bhavin @ljstella