Add "Inactive Account Have Activity Detected" #3160

Closed
Changes from 13 commits
@@ -0,0 +1,94 @@
name: Detect Network Traffic From Inactive Accounts
id: e08aa2f6-7d90-4ab8-af11-da4df38bb7ff
version: 1
date: '2024-10-14'
author: Zaki Zarkasih Al Mustafa
data_sources:
- Windows Event Log Security 4624
- Windows Event Log Security 4625
type: Anomaly
status: production
description: This detection identifies users who have been inactive for more than 30 days and suddenly have activity based on network traffic logs.
Contributor
Can we improve the detection description to better explain how this search logic works?

search: '| tstats summariesonly=true fillnull_value=null count min(_time) as firstTime
max(_time) as lastTime from

datamodel=Network_Traffic.All_Traffic by All_Traffic.authserver, All_Traffic.vendor_product,

All_Traffic.user, All_Traffic.action

| `drop_dm_object_name("All_Traffic")`

| eval inactivityPeriodByDay = (now() - lastTime) / 86400

| eval lastTimeLogin = relative_time(now(), "-4h")

| eval status = if(inactivityPeriodByDay > 29, "inactive", "active")

| eval inactivityPeriodByDay = round(inactivityPeriodByDay, 0) . " Days"

| search status = "inactive" AND lastTime <= lastTimeLogin

| rename authserver as "auth server", vendor_product as "vendor product"

| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"), lastTimeLogin=strftime(lastTimeLogin,
"%Y-%m-%d

%H:%M:%S")

| table "auth server", "vendor product", user, firstTime, lastTimeLogin, inactivityPeriodByDay,
status,

action | `detect_network_traffic_from_inactive_accounts_filter`'
how_to_implement: Ensure that the Network Traffic data model is properly populated and includes logs from relevant sources (e.g., firewalls, proxies, or other network monitoring tools). Configure the data model acceleration to ensure performance and availability for this detection. Make sure to adjust any environment-specific filter macros for false positive reduction.
known_false_positives: False positives may include legitimate users returning to the network after extended vacations or periods of inactivity. System accounts or service accounts that are seldom used but have routine tasks may also trigger this detection.
references:
- https://attack.mitre.org/techniques/T1078/
- https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Useaccelerateddatamodels
- https://www.sans.org/white-papers/monitoring-inactive-accounts/
drilldown_searches:
- name: View network activity for $user$
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View detailed inactivity and action history for $user$
search: '%original_detection_search% | search All_Traffic.user="$user$" | eval inactivityPeriodByDay = (now() - lastTime) / 86400 | eval status = if(inactivityPeriodByDay > 29, "inactive", "active") | eval inactivityPeriodByDay = round(inactivityPeriodByDay, 0) . " Days" | table user, action, firstTime, lastTime, inactivityPeriodByDay, status'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View associated risk events for $user$
search: '%original_detection_search% | from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
analytic_story:
- Insider Threat
asset_type: Network
confidence: 85
impact: 70
message: This detection identifies users who have been inactive for an extended period and suddenly have activity on the network.
mitre_attack_id:
- T1078
- T1110
- T1040
observable:
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- user
- authserver
- vendor_product
- action
risk_score: "{{ (impact * confidence) / 100 }}"
security_domain: identity
cve: []
tests:
- name: True Positive Test
attack_data:
- data: https://github.com/splunk/contentctl/wiki
sourcetype: WinEventLog:Security
source: Active Directory
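Review bot: the search logic at `| eval status = if(inactivityPeriodByDay > 29, "inactive", "active")` followed by `| search status = "inactive" AND lastTime <= lastTimeLogin` returns users whose most recent event in the search window is more than 29 days old, i.e. accounts with no recent activity, which is the opposite of the description's "inactive for more than 30 days and suddenly have activity". To flag a return from dormancy the search needs a baseline of each user's previous last-seen time (for example a lookup maintained by a scheduled search, or a second tstats over the prior window) and should alert when a user with a gap of more than 30 days shows up in the recent window; as written, `lastTimeLogin = relative_time(now(), "-4h")` is a constant threshold rather than a login time, so the `lastTime <= lastTimeLogin` clause is always true for any row already marked inactive, and the `lastTimeLogin` column in the output table is misleading (show `lastTime` instead). Related inconsistencies to fix in the same pass: `data_sources` lists Windows Event Log Security 4624/4625 and the test uses `sourcetype: WinEventLog:Security`, but the search reads `datamodel=Network_Traffic.All_Traffic`, so either the data sources or the data model should change; the second drilldown filters on `All_Traffic.user` after `drop_dm_object_name("All_Traffic")` has already stripped the prefix (use `user`); the `> 29` threshold does not match the "more than 30 days" in the description; `attack_data` points at the contentctl wiki rather than a dataset; and `T1110` and `T1040` are not exercised by this logic (`T1078` is the applicable technique).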