TheLawsOfChaos

Results: 5 issues by TheLawsOfChaos

https://github.com/splunk/security_content/blob/aeceacc7378e501c4fd3b01816e1d6dc1e34de8c/detections/endpoint/registry_keys_used_for_persistence.yml#L29-L32 Joined subsearch needs to have `Processes.user` & `Processes.process_path` added into it, as the fields at the end are trying to use them and they aren't grabbed from the tstats....

bug

https://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_new_local_admin_account.yml The intention per documentation of this query is to locate user account creations (EventCode 4720) followed by being raised to Local Admin (EventCode 4732) in a short period. The...

bug
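The correlation the issue above describes (an account created with EventCode 4720 and then added to a local admin group with EventCode 4732 within a short window), worked through in Python over constructed sample events. This is an added illustration of the detection intent, not the project's own SPL search; the sample events, the 30-minute default window, and the `Administrators`-only group list are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names follow the Windows
# Security log: 4720 = user account created (TargetUserName/TargetSid is the
# new account), 4732 = member added to a security-enabled local group
# (TargetUserName is the group, MemberSid is the account that was added).
SAMPLE_EVENTS = [
    {"_time": "2024-01-10T09:00:00", "EventCode": 4720, "Computer": "WS01",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-1-1-1001"},
    {"_time": "2024-01-10T09:02:30", "EventCode": 4732, "Computer": "WS01",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-1-1-1001"},
    # Same pattern but a day apart: outside the window, must not fire.
    {"_time": "2024-01-10T10:00:00", "EventCode": 4720, "Computer": "WS02",
     "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-1-1-1-1002"},
    {"_time": "2024-01-11T10:00:00", "EventCode": 4732, "Computer": "WS02",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-1-1-1002"},
    # Group add with no preceding 4720 and not to Administrators: must not fire.
    {"_time": "2024-01-10T11:00:00", "EventCode": 4732, "Computer": "WS03",
     "TargetUserName": "Remote Desktop Users", "MemberSid": "S-1-5-21-1-1-1-1003"},
]

# Assumed set of groups that count as "local admin" for this example.
ADMIN_GROUPS = ("Administrators",)


def find_new_local_admins(events, window=timedelta(minutes=30), admin_groups=ADMIN_GROUPS):
    """Return one hit per account that was created (4720) and then added to a
    local admin group (4732) on the same host within `window`."""
    created = {}  # (Computer, SID) -> (creation time, creation event)
    hits = []
    # ISO-8601 timestamps of identical format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["_time"]):
        t = datetime.fromisoformat(ev["_time"])
        if ev["EventCode"] == 4720:
            created[(ev["Computer"], ev["TargetSid"])] = (t, ev)
        elif ev["EventCode"] == 4732 and ev["TargetUserName"] in admin_groups:
            key = (ev["Computer"], ev["MemberSid"])
            if key not in created:
                continue  # no account creation seen for this SID on this host
            t_created, creation = created[key]
            if timedelta(0) <= t - t_created <= window:
                hits.append({
                    "Computer": ev["Computer"],
                    "user": creation["TargetUserName"],
                    "sid": ev["MemberSid"],
                    "group": ev["TargetUserName"],
                    "seconds_between": (t - t_created).total_seconds(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_new_local_admins(SAMPLE_EVENTS):
        print(hit)
```

Keying on the SID rather than the account name is deliberate: in 4732 the member is usually identified only by `MemberSid`, and a name match would also break if the account were renamed between the two events.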

**Is your feature request related to a problem? Please describe.** Near impossible without manual validation to compare updated correlation searches to existing ones. **Describe the solution you'd like** Add custom...

enhancement

When creating a correlation search manually via the GUI in Splunk Enterprise Security, the annotations are created without spaces. An example: `{"cis20":["CIS 10"],"kill_chain_phases":["Exploitation"],"mitre_attack":["T1003.001","T1003"],"nist":["DE.CM"],"confidence":90,"impact":90,"analytic_story":["Credential Dumping"]}` The same query done via ESCU...
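The two issues above (comparing updated correlation searches to existing ones, and annotation JSON that differs only in whitespace depending on whether the GUI or ESCU wrote it) share one practical check: parse the annotations before comparing them. The following is an added example, not code from the project; the compact GUI string is the one quoted in the issue, while the spaced, reordered ESCU counterpart is a constructed assumption, since the issue text is truncated before it shows the ESCU form.

```python
import json

# Annotation string as the GUI writes it, copied from the issue text above.
GUI_ANNOTATIONS = ('{"cis20":["CIS 10"],"kill_chain_phases":["Exploitation"],'
                   '"mitre_attack":["T1003.001","T1003"],"nist":["DE.CM"],'
                   '"confidence":90,"impact":90,'
                   '"analytic_story":["Credential Dumping"]}')

# Constructed counterpart with spaces and a different key order, standing in
# for an ESCU-generated annotation block (an assumption for this example).
ESCU_ANNOTATIONS = ('{"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], '
                    '"confidence": 90, "impact": 90, '
                    '"kill_chain_phases": ["Exploitation"], '
                    '"mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}')


def normalize_annotations(raw):
    """Parse the annotation JSON and re-serialise it canonically, so neither
    whitespace nor top-level key order can produce a spurious difference."""
    return json.dumps(json.loads(raw), sort_keys=True, separators=(",", ":"))


def annotation_diff(a, b):
    """Return {key: (value_in_a, value_in_b)} for every top-level key whose
    value differs between two annotation strings; an empty dict means equal."""
    da, db = json.loads(a), json.loads(b)
    diff = {}
    for key in sorted(set(da) | set(db)):
        va, vb = da.get(key), db.get(key)
        if va != vb:
            diff[key] = (va, vb)
    return diff


if __name__ == "__main__":
    print("raw strings equal:   ", GUI_ANNOTATIONS == ESCU_ANNOTATIONS)
    print("normalised equal:    ",
          normalize_annotations(GUI_ANNOTATIONS) == normalize_annotations(ESCU_ANNOTATIONS))
    print("semantic differences:", annotation_diff(GUI_ANNOTATIONS, ESCU_ANNOTATIONS))
```

Note that list order inside a value (for example the order of `mitre_attack` IDs) is still treated as significant by this comparison; if that is not wanted, sort list values before comparing.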

The `configure` option of attack_range.py contains some of the options and going through the actual code showcases many other good options that are available. Is it possible to provide some...