Add "Inactive Account Have Activity Detected" #3160
Closed
Changes from 13 commits
15 commits
2ba7c71  Add Inactive User Have Activity Detected  (zake1god)
2463307  Add Inactive User Have Activity Detected  (zake1god)
d82503c  Change title to make it easy to understand  (zake1god)
25feea4  Merge branch 'develop' into new-research-detection-network  (zake1god)
ff0436e  Merge branch 'develop' into new-research-detection-network  (patel-bhavin)
1bd91ee  Merge branch 'develop' into new-research-detection-network  (ljstella)
d751c4a  Merge branch 'develop' into new-research-detection-network  (patel-bhavin)
e6b0f4e  Update inactive_account_have_activity_detected.yml  (zake1god)
63ac611  Merge branch 'develop' into new-research-detection-network  (patel-bhavin)
37e56b9  Rename inactive_account_have_activity_detected.yml to detect_network_…  (zake1god)
6cf6a7b  Rename detect_network_traffic_from_inactive_accounts_filter.yml to de…  (zake1god)
5cf3b99  Update detect_network_traffic_from_inactive_accounts.yml  (zake1god)
93942e0  Merge branch 'develop' into new-research-detection-network  (zake1god)
189d8f0  Update detect_network_traffic_from_inactive_accounts.yml  (zake1god)
56384f1  Merge branch 'develop' into new-research-detection-network  (zake1god)
94 changes: 94 additions & 0 deletions
detections/network/detect_network_traffic_from_inactive_accounts.yml
@@ -0,0 +1,94 @@ | ||
name: Detect Network Traffic From Inactive Accounts | ||
id: e08aa2f6-7d90-4ab8-af11-da4df38bb7ff | ||
version: 1 | ||
date: '2024-10-14' | ||
author: Zaki Zarkasih Al Mustafa | ||
data_sources: | ||
- Windows Event Log Security 4624 | ||
- Windows Event Log Security 4625 | ||
type: Anomaly | ||
status: production | ||
description: This detection identifies users who have been inactive for more than 30 days and suddenly have activity based on network traffic logs. | ||
search: '| tstats summariesonly=true fillnull_value=null count min(_time) as firstTime | ||
max(_time) as lastTime from | ||
datamodel=Network_Traffic.All_Traffic by All_Traffic.authserver, All_Traffic.vendor_product, | ||
All_Traffic.user, All_Traffic.action | ||
| `drop_dm_object_name("All_Traffic")` | ||
| eval inactivityPeriodByDay = (now() - lastTime) / 86400 | ||
| eval lastTimeLogin = relative_time(now(), "-4h") | ||
| eval status = if(inactivityPeriodByDay > 29, "inactive", "active") | ||
| eval inactivityPeriodByDay = round(inactivityPeriodByDay, 0) . " Days" | ||
| search status = "inactive" AND lastTime <= lastTimeLogin | ||
| rename authserver as "auth server", vendor_product as "vendor product" | ||
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"), lastTimeLogin=strftime(lastTimeLogin, | ||
"%Y-%m-%d | ||
%H:%M:%S") | ||
| table "auth server", "vendor product", user, firstTime, lastTimeLogin, inactivityPeriodByDay, | ||
status, | ||
action | `detect_network_traffic_from_inactive_accounts_filter`' | ||
how_to_implement: Ensure that the Network Traffic data model is properly populated and includes logs from relevant sources (e.g., firewalls, proxies, or other network monitoring tools). Configure the data model acceleration to ensure performance and availability for this detection. Make sure to adjust any environment-specific filter macros for false positive reduction. | ||
known_false_positives: False positives may include legitimate users returning to the network after extended vacations or periods of inactivity. System accounts or service accounts that are seldom used but have routine tasks may also trigger this detection. | ||
references: | ||
- https://attack.mitre.org/techniques/T1078/ | ||
- https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Useaccelerateddatamodels | ||
- https://www.sans.org/white-papers/monitoring-inactive-accounts/ | ||
drilldown_searches: | ||
- name: View network activity for $user$ | ||
search: '%original_detection_search% | search user = "$user$"' | ||
earliest_offset: $info_min_time$ | ||
latest_offset: $info_max_time$ | ||
- name: View detailed inactivity and action history for $user$ | ||
search: '%original_detection_search% | search All_Traffic.user="$user$" | eval inactivityPeriodByDay = (now() - lastTime) / 86400 | eval status = if(inactivityPeriodByDay > 29, "inactive", "active") | eval inactivityPeriodByDay = round(inactivityPeriodByDay, 0) . " Days" | table user, action, firstTime, lastTime, inactivityPeriodByDay, status' | ||
earliest_offset: $info_min_time$ | ||
latest_offset: $info_max_time$ | ||
- name: View associated risk events for $user$ | ||
search: '%original_detection_search% | from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
earliest_offset: $info_min_time$ | ||
latest_offset: $info_max_time$ | ||
tags: | ||
analytic_story: | ||
- Insider Threat | ||
asset_type: Network | ||
confidence: 85 | ||
impact: 70 | ||
message: This detection identifies users who have been inactive for an extended period and suddenly have activity on the network. | ||
mitre_attack_id: | ||
- T1078 | ||
- T1110 | ||
- T1040 | ||
observable: | ||
- name: user | ||
type: User | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- user | ||
- authserver | ||
- vendor_product | ||
- action | ||
risk_score: "{{ (impact * confidence) / 100 }}" | ||
security_domain: identity | ||
cve: [] | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://github.com/splunk/contentctl/wiki | ||
sourcetype: WinEventLog:Security | ||
source: Active Directory |
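Review bot: the search logic in the `search:` block does not implement what the `description:` promises. The tstats aggregation computes `max(_time) as lastTime` per user over the search window, and then `| eval status = if(inactivityPeriodByDay > 29, "inactive", "active")` followed by `| search status = "inactive" AND lastTime <= lastTimeLogin` keeps only users whose most recent traffic is more than 29 days old. That selects accounts that have been dormant for the whole window, not accounts that resumed activity after 30 days of silence; on a normal scheduled window (for example the last 24 hours) lastTime can never be 29 days old, so the search returns nothing, and it only returns rows when run over 30 or more days of data. To detect a return from inactivity, the gap should be measured between the latest event and the previous event for the same user, or the latest event should be compared against a separate lookup or baseline holding each user's previous last-seen time; please also update the description to state which of these the search does, as the reviewer already asked. Related: `lastTimeLogin` is `relative_time(now(), "-4h")`, a fixed timestamp with no relation to the user, yet the table renders it under that name, and `lastTime <= lastTimeLogin` is already implied by the 29-day condition. Smaller points: `data_sources:` lists Windows Security 4624 and 4625 while the search reads the Network_Traffic data model; the second drilldown searches `All_Traffic.user` after `drop_dm_object_name("All_Traffic")` has already stripped the prefix, so it will not match; `mitre_attack_id:` T1110 and T1040 are not supported by this logic, which looks at neither failed logons nor traffic capture; and the test's `attack_data` points at the contentctl wiki URL rather than a dataset.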
Can we improve the detection description to better explain how this search logic works?