-
Notifications
You must be signed in to change notification settings - Fork 360
5.3 ‐ ESCU ‐ savedsearch.conf spec
Bhavin Patel edited this page Oct 9, 2024
·
2 revisions
YAML specs define the structure and required fields for various YAML configuration files used in the project. These specifications ensure consistency and validation across different types of YAML files, such as macros, lookups, and analytic stories. Each spec outlines the expected data types, descriptions, and whether the fields are mandatory, providing a clear schema for developers to follow.
-
[ESCU - <Detection Name> - Rule]- The name of the saved search. Detection Name has to be less than 67 characters (Excluding ESCU - , - Rule)
-
action.escu = 0- Disables or enables a specific ESCU action.
0indicates disabled.
- Disables or enables a specific ESCU action.
-
action.escu.enabled = 1/0- Specifically enables an ESCU action,
1for enabled.
- Specifically enables an ESCU action,
-
description- Provides a brief description and deprecation notice for the saved search.
-
disabled = true/false- Indicates that the search is currently disabled.
-
action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]}- Defines mapping to security frameworks like CIS20 and NIST.
-
action.escu.data_models = ["Authentication"]- Specifies the data models required, if any.
-
action.escu.analytic_story = ["Suspicious Okta Activity"]- Associates the search with broader analytic themes, such as "Suspicious Okta Activity".
-
action.escu.eli5 = <string>- Offers a simplified explanation of the search's purpose.
-
action.escu.how_to_implement = <string>- Provides implementation guidance, including suggested data sources.
-
action.escu.known_false_positives = <string>- Discusses potential false positives and general mitigation strategies.
-
action.escu.creation_date = <string>- The date when the search was created.
-
action.escu.modification_date = <date>- The date when the search was last modified.
-
action.escu.confidence = <string>- The confidence level in the search's effectiveness, marked as "low, medium,high".
-
action.escu.full_search_name = ESCU - <Detection Name> - Rule- The full name of the search within the ESCU framework.
-
action.escu.search_type = detection- Specifies the type of search: detection (For all ESCU searches)
-
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]- Lists relevant Splunk products.
-
action.escu.providing_technologies = ["Okta"]- Indicates the technologies providing data for the search.
-
cron_schedule- Defines the cron schedule for the search.
-
dispatch.earliest_timeanddispatch.latest_time- Set the time range for the search.
-
schedule_window = auto- Splunk manages scheduling windows automatically.
-
alert.digest_mode = 1- Enables alert digest mode.
-
is_visible = false- Controls the visibility of the search in the UI.
-
search- Contains the actual Splunk search query.
-
enableSched = 1- Enables scheduling for the search.
-
relation = greater than- Sets the relational condition for alert triggering.
-
quantity- Sets the threshold quantity for the relational condition.
-
realtime_schedule = 0- Disables real-time scheduling.
-
action.risk = 1- Enables risk-based actions based on the search results.
-
cron_schedule- Defines the cron schedule for the search to run, set to at the top of every hour.
-
dispatch.earliest_timeanddispatch.latest_time- Configures the time range for the search, from 70 minutes to 10 minutes before the current time.
-
action.correlationsearch.enabled = 1- Enables correlation search features, linking the search to broader analytical contexts.
-
schedule_window = auto- Allows Splunk to automatically manage scheduling windows to optimize search performance.
-
action.notable = 1- Indicates that events found by this search are to be marked as notable.
-
alert.digest_mode = 1- Enables alert digest mode, aggregating alerts for efficiency.
-
action.risk.param._risk_message = <string>- Defines the message to be displayed for a risk event, incorporating dynamic variables for user and source IP address.
-
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 81}, {"threat_object_field": "src", "threat_object_type": "ip_address"}]- Details the risk scoring parameters, including object fields for user and source IP, along with the risk score.
-
action.risk.param._risk_score = 0- Sets the base risk score. (For older versions of ES)
-
action.risk.param.verbose = 0- Controls verbosity of the risk action’s output, with
0disabling verbose output.
- Controls verbosity of the risk action’s output, with
-
action.correlationsearch.label = ESCU - <Detection Name> - Rule- Provides a descriptive label for the correlation search.
-
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]}- Adds metadata annotations to the correlation search, linking to analytic stories, compliance standards, and attack techniques.
-
action.notable.param.nes_fields- Specifies the fields to be included in the notable event summary.
-
action.notable.param.rule_description- Provides a detailed description of the analytic rationale behind the search, identifying failed MFA challenge attempts in Okta authentication processes.
-
action.notable.param.rule_title- Sets a concise title for the notable event generated by this search.
-
action.notable.param.security_domain- Associates the search with a security domain, in this case, identity,
-
action.notable.param.severity- Defines the severity of the notable event, marked as high.
[ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule]
action.escu = 0
action.escu.enabled = 1
description = The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]}
action.escu.data_models = ["Authentication"]
action.escu.eli5 = The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
action.escu.how_to_implement = UPDATE_HOW_TO_IMPLEMENT
action.escu.known_false_positives = UPDATE_KNOWN_FALSE_POSITIVES
action.escu.creation_date = 2024-03-11
action.escu.modification_date = 2024-03-11
action.escu.confidence = high
action.escu.full_search_name = ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule
action.escu.search_type = detection
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
action.escu.providing_technologies = ["Okta"]
action.escu.analytic_story = ["Suspicious Okta Activity"]
action.risk = 1
action.risk.param._risk_message = A user [$user$] has failed to authenticate via MFA from IP Address - [$src$]"
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}, {"threat_object_field": "src", "threat_object_type": "ip_address"}]
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Okta Authentication Failed During MFA Challenge - DM - Rule
action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]}
schedule_window = auto
action.notable = 1
action.notable.param.nes_fields = user,dest
action.notable.param.rule_description = The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
action.notable.param.rule_title = Okta Authentication Failed During MFA Challenge - DM
action.notable.param.security_domain = identity
action.notable.param.severity = high
alert.digest_mode = 1
disabled = true
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure by _time Authentication.src Authentication.user Authentication.dest Authentication.action | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| iplocation src | `okta_authentication_failed_during_mfa_challenge___dm_filter`