{# Renders one savedsearches.conf stanza per detection object whose type is TTP, Anomaly, Hunting or Correlation; objects of any other type produce no output. #}
{# .conf is line-oriented: a raw newline inside a value would start a new key or stanza, so free-text fields taken from detection content are passed through escapeNewlines(). Fields written without that filter (dates, cron_schedule, earliest/latest_time, email.to, nes_fields, throttling fields, security_domain/severity values, the Phantom parameters) are assumed to be constrained by the detection schema upstream — TODO confirm. #}
### {{app.label}} DETECTIONS ###
{% for detection in objects %}
{% if (detection.type == 'TTP' or detection.type == 'Anomaly' or detection.type == 'Hunting' or detection.type == 'Correlation') %}
[{{ detection.get_conf_stanza_name(app) }}]
action.escu = 0
action.escu.enabled = 1
{# Deprecated and experimental detections get a fixed warning prefix; the original description is still appended after it. #}
{% if detection.status == "deprecated" %}
description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. {{ detection.description | escapeNewlines() }}
{% elif detection.status == "experimental" %}
description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. {{ detection.description | escapeNewlines() }}
{% else %}
description = {{ detection.description | escapeNewlines() }}
{% endif %}
{# ESCU-specific metadata keys; list/dict-valued fields are serialised with tojson. #}
action.escu.mappings = {{ detection.mappings | tojson }}
action.escu.data_models = {{ detection.datamodel | tojson }}
action.escu.eli5 = {{ detection.description | escapeNewlines() }}
{# NOTE(review): the "empty" placeholders differ between keys — how_to_implement writes 'none', known_false_positives writes 'None', providing_technologies writes 'null'. Confirm whether consumers match the exact literal before unifying them. #}
{% if detection.how_to_implement %}
action.escu.how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
{% else %}
action.escu.how_to_implement = none
{% endif %}
{% if detection.known_false_positives %}
action.escu.known_false_positives = {{ detection.known_false_positives | escapeNewlines() }}
{% else %}
action.escu.known_false_positives = None
{% endif %}
{# NOTE(review): creation_date and modification_date are both rendered from the same detection.date value — confirm that is intended. #}
action.escu.creation_date = {{ detection.date }}
action.escu.modification_date = {{ detection.date }}
action.escu.confidence = high
action.escu.search_type = detection
{% if detection.tags.product is defined %}
action.escu.product = {{ detection.tags.product | tojson }}
{% endif %}
{% if detection.tags.atomic_guid %}
action.escu.atomic_red_team_guids = {{ detection.tags.getAtomicGuidStringArray() | tojson }}
{% endif %}
{% if detection.providing_technologies | length > 0 %}
action.escu.providing_technologies = {{ detection.providing_technologies | tojson }}
{% else %}
action.escu.providing_technologies = null
{% endif %}
{# Risk (RBA) parameters are only written when the detection has at least one analytic story and RBA is enabled in its deployment. The risk objects are carried as JSON in _risk; _risk_score is fixed at 0 at the stanza level. #}
{% if detection.tags.analytic_story %}
action.escu.analytic_story = {{ objectListToNameList(detection.tags.analytic_story) | tojson }}
{% if detection.deployment.alert_action.rba.enabled%}
action.risk = 1
action.risk.param._risk_message = {{ detection.tags.message | escapeNewlines() }}
action.risk.param._risk = {{ detection.risk | tojson }}
action.risk.param._risk_score = 0
action.risk.param.verbose = 0
{% endif %}
{% else %}
action.escu.analytic_story = []
{% endif %}
{# Scheduling and correlation-search metadata taken from the deployment. #}
cron_schedule = {{ detection.deployment.scheduling.cron_schedule }}
dispatch.earliest_time = {{ detection.deployment.scheduling.earliest_time }}
dispatch.latest_time = {{ detection.deployment.scheduling.latest_time }}
action.correlationsearch.enabled = 1
action.correlationsearch.label = {{ detection.get_action_dot_correlationsearch_dot_label(app) }}
action.correlationsearch.annotations = {{ detection.annotations | tojson }}
action.correlationsearch.metadata = {{ detection.metadata | tojson }}
{% if detection.deployment.scheduling.schedule_window is defined %}
schedule_window = {{ detection.deployment.scheduling.schedule_window }}
{% endif %}
{# NOTE(review): detection.deployment is already dereferenced unconditionally above (the rba check, cron_schedule, earliest/latest_time), so this 'is defined' guard only covers the alert-action blocks that follow. #}
{% if detection.deployment is defined %}
{# Notable-event parameters. Correlation-type detections get an 'RBA: ' prefix on the rule title; the '+%}' on that line keeps the trailing newline so the next key starts on its own line even with trim_blocks enabled. #}
{% if detection.deployment.alert_action.notable %}
action.notable = 1
{% if detection.nes_fields %}
action.notable.param.nes_fields = {{ detection.nes_fields }}
{% endif %}
action.notable.param.rule_description = {{ detection.deployment.alert_action.notable.rule_description | custom_jinja2_enrichment_filter(detection) | escapeNewlines()}}
action.notable.param.rule_title = {% if detection.type | lower == "correlation" %}RBA: {{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% else %}{{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% endif +%}
action.notable.param.security_domain = {{ detection.tags.security_domain.value }}
action.notable.param.severity = {{ detection.tags.severity.value }}
{% endif %}
{# Email, Slack and Phantom alert actions, each emitted only when configured in the deployment. Email/Slack text is enriched and newline-escaped; the Phantom parameters are enriched but not newline-escaped. #}
{% if detection.deployment.alert_action.email %}
action.email.subject.alert = {{ detection.deployment.alert_action.email.subject | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
action.email.to = {{ detection.deployment.alert_action.email.to }}
action.email.message.alert = {{ detection.deployment.alert_action.email.message | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
action.email.useNSSubject = 1
{% endif %}
{% if detection.deployment.alert_action.slack %}
action.slack = 1
action.slack.param.channel = {{ detection.deployment.alert_action.slack.channel | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
action.slack.param.message = {{ detection.deployment.alert_action.slack.message | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
{% endif %}
{% if detection.deployment.alert_action.phantom%}
action.sendtophantom = 1
action.sendtophantom.param._cam_workers = {{ detection.deployment.alert_action.phantom.cam_workers | custom_jinja2_enrichment_filter(detection) }}
action.sendtophantom.param.label = {{ detection.deployment.alert_action.phantom.label | custom_jinja2_enrichment_filter(detection) }}
action.sendtophantom.param.phantom_server = {{ detection.deployment.alert_action.phantom.phantom_server | custom_jinja2_enrichment_filter(detection) }}
action.sendtophantom.param.sensitivity = {{ detection.deployment.alert_action.phantom.sensitivity | custom_jinja2_enrichment_filter(detection) }}
action.sendtophantom.param.severity = {{ detection.deployment.alert_action.phantom.severity | custom_jinja2_enrichment_filter(detection) }}
{% endif %}
{% endif %}
{# Alerting and scheduling defaults shared by every stanza. Splunk's 'disabled' key is the inverse of the detection's enabled_by_default flag. #}
alert.digest_mode = 1
{% if detection.enabled_by_default %}
disabled = false
{% else %}
disabled = true
{% endif %}
enableSched = 1
allow_skew = 100%
counttype = number of events
relation = greater than
quantity = 0
realtime_schedule = 0
is_visible = false
{# Alert suppression (throttling) when the detection tags define it. #}
{% if detection.tags.throttling %}
alert.suppress = true
alert.suppress.fields = {{ detection.tags.throttling.conf_formatted_fields() }}
alert.suppress.period = {{ detection.tags.throttling.period }}
{% endif %}
{# The SPL search itself. NOTE(review): drilldown_searches is an action.notable.param key but is written for every stanza, even when action.notable is not set above — confirm intended. #}
search = {{ detection.search | escapeNewlines() }}
action.notable.param.drilldown_searches = {{ detection.drilldowns_in_JSON | tojson | escapeNewlines() }}
{% endif %}
{% endfor %}
### END {{ app.label }} DETECTIONS ###