splunk/security_content

Issues

• [community request] Update Ransomware Extensions Lookup

  #3131 opened 5 days ago by ljstella
  1

• [BUG] artifact_update custom function fails if cef_value passed is 0

  #2821 opened 5 days ago by ianwills-splunk
  0

• [BUG] ESCU - Detect Excessive Account Lockouts From Endpoint

  #2929 opened 9 days ago by githubonlyy
  4

• Include `tags.atomic_guid` and `tags.required_fields` into ESCU

  #2904 opened 9 days ago by ccl0utier
  1

• AppLocker Dashboard Issue - No Policy Review Data

  #3021 opened 11 days ago by matchstickboy
  2

• [BUG] Missing Wildcards in Splunk Rule for Detecting Known Services Killed by Ransomware

  #2996 opened 11 days ago by shimonShouei
  0

• pre trained Deep Learning models for ESCU - Support for DSDL Version 5.1.1

  #2939 opened a year ago by atgithub11
  2

• [BUG] Azure MFA failure detections logic flaw

  #3134 opened a month ago by 0xC0FFEEEE
  2

• [BUG] Detect Outbound LDAP Traffic, missing dm summary macro

  #3167 opened a month ago by DipsyTipsy
  2

• [BUG] research.splunk.com not showing datasources correctly when looking at a specific detection

  #3195 opened a month ago by isakhansson
  2

• Expand CIM Web Datamodel

  #3141 opened 2 months ago by dluxtron
  1

• [BUG] Missing wildcard for -type parameter detection 2452e632-9e0d-11eb-bacd-acde48001122

  #3171 opened 2 months ago by Wouter-Jansen
  0

• [BUG] Datasource is set incorrectly on this detection

  #2962 opened 4 months ago by josehelps
  1

• [BUG] Whitespace `\t` in several YAML rule files causing YAML load errors

  #3098 opened 4 months ago by brokensound77
  2

• [BUG] current detections.json has searches with unbalanced parentheses

  #3043 opened 5 months ago by tjgeorgen
  1

• Scheduled Task Initiation on Remote Endpoint - Update Analytics

  #2977 opened 5 months ago by Badoodish
  2

• Minor malicious_powershell_process___encoded_command search update

  #2982 opened 5 months ago by SirDuckly
  1

• [BUG] Broken token in `tags.message` (Risk Message) for 11 rules

  #3041 opened 5 months ago by ccl0utier
  2

• [BUG] Incorrect logic statement in detection search "Detect Renamed PSExec"

  #3009 opened 5 months ago by OberAlex
  1

• [BUG] Detections with joins failed to properly translate to Sigma

  #2987 opened 5 months ago by ajkingio
  1

• [BUG] `Message` vs. `ScriptBlockText` for Powershell rules

  #3015 opened 5 months ago by ccl0utier
  1

• [BUG] - Windows AD Domain Replication ACL Addition has unnecessary escape chars in SPL causing errors

  #3039 opened 5 months ago by livehybrid
  1

• [BUG] browser_app_list lookup doesn't exist in indexers, causing query to fail in "Windows Credential Access From Browser Password Store"

  #3014 opened 6 months ago by iso-rgomez
  1

• Custom Content Development

  #3019 opened 6 months ago by lluked
  1

• [BUG] please, fix links in wiki: https://github.com/splunk/security_content/wiki/Detection-Analytic-Types

  #3011 opened 7 months ago by yaroslav-nakonechnikov
  1

• Add custom annotation for versioning

  #2907 opened 8 months ago by TheLawsOfChaos
  4

• Azure AD Multi-Source Failed Authentications Spike - Missing ADFSSignInLogs category

  #2980 opened 9 months ago by atgithub11
  0

• [BUG] ESCU - Get ADUser with PowerShell - Rule has no Adaptive Reponse Actions

  #2965 opened 10 months ago by albertenc13
  3

• [BUG] DNS Query Length With High Standard Deviation

  #2958 opened 10 months ago by josehelps
  1

• [BUG] Windows Excessive Disabled Services Event uses ComputerName instead of src field (CIM issue)

  #2825 opened a year ago by iso-rgomez
  3

• [BUG] - Unknown Process Using The Kerberos Protocol is too noisy

  #2943 opened a year ago by wkleinhenz
  3

• Consider adding Scope for search Azure AD Tenant Wide Admin Consent Granted

  #2950 opened a year ago by atgithub11
  1

• [BUG] sourcetype macro not consistent across Azure AD correlations

  #2938 opened a year ago by atgithub11
  2

• [BUG] Build is not working

  #2948 opened a year ago by yaroslav-nakonechnikov
  6

• [BUG] Linux Service Started Or Enabled triggering on Windows events

  #2944 opened a year ago by 0xC0FFEEEE
  2

• [BUG] O365 Mailbox Inbox Folder Shared with All Users. Field "object" doesn't exist.

  #2937 opened a year ago by atgithub11
  1

• CMD Carry Out String Command Parameter - false negatives due to trailing space before wildcard in search [BUG]

  #2928 opened a year ago by cxosmo
  2

• [BUG] "Kerberos TGT Request Using RC4 Encryption" using non-CIM field "Account_Name"

  #2920 opened a year ago by iso-rgomez
  1

• [BUG] Active_Directory_Disable_Account_Dispatch

  #2769 opened a year ago by kelby-shelton
  1

• [BUG] System Processes Run From Unexpected Locations - missing field for Risk Message

  #2871 opened a year ago by ccl0utier
  2

• [BUG] ESCU CS fields LogonType and TargetUserName

  #2869 opened a year ago by cp-sn
  3

• [BUG] VirusTotal v3 Identifier Reputation Playbook failing with math domain error

  #2772 opened a year ago by gdollasigns
  2

• Build constraints based on tags

  #2767 opened a year ago by schimpy
  1

• [Feature Req] MITRE ATT&CK IDs are not versioned in published content

  #2758 opened a year ago by alexhaydock
  1

• [BUG] - Build Failing Everytime

  #2894 opened a year ago by abhinavkakku
  4

• [BUG]

  #2892 opened a year ago by cp-sn
  1

• [BUG] False positive in rule "Suspicious Copy on System32"

  #2805 opened a year ago by iso-rgomez
  2

• [BUG] `Unusually Long Command Line` Detection has incorrect Risk Message and Threat Object

  #2806 opened a year ago by ccl0utier
  1

• When trying to build attack range I get the following error 'No module named 'azure.mgmt.resource'[BUG]

  #2762 opened a year ago by Cybertooth34
  1

• Hi All, I am facing an issue when trying to configure the attack range locally.... The error I am getting is 'configuration.py, line 150, answers = questionary.prompt(questions) NameError: name 'questionary' is not defined. Did you mean: 'questions''... I cant find any answers online from people having the same issue.[BUG]

  #2761 opened a year ago by Cybertooth34
  1