Nterl0k - [T1566++] - A bunch of O365 built-in / premium security content #2995
Conversation
Okay, status update:
Understandable... I'm probably causing all kinds of fun problems for you.
My "development" process is a bit different in that I design my submissions in a production Enterprise Security environment, then, once I've fire-tested them a bit, I backport them to ESCU PRs.
I'm sure that leaves some errors or odd qualities on them.
Thanks for all the feedback!
From: Lou Stella ***@***.***>
Sent: Thursday, July 25, 2024 2:00 PM
To: splunk/security_content ***@***.***>
Cc: Steven Dick ***@***.***>; Author ***@***.***>
Subject: Re: [splunk/security_content] Nterl0k - [T1566++] - A bunch of O365 built-in / premium security content (PR #2995)
Okay, status update:
1. Handful of small tweaks made to each yaml for formatting and to pass validation. All set and passing build now.
2. Currently, a single detection is failing to pass unit testing (O365 ZAP Activity Detection). The search actually works fine, but as part of that validation, we make sure that the fields specified in the observable: section (which gets translated into RBA) exist in the results. In the sample dataset, they don't all exist in all of the events. Two of the three events have a URL, and one of the three has a filename. Creating threat objects out of those is a great idea; I just need to confirm that it works properly in-product and that we don't have this limitation in the testing to guard against some other issue.
Follow up: currently blocking this PR on the completion of splunk/contentctl#204. This, particularly the ZAP analytic and its dataset, gave us a chance to deep dive on ES and the risk events created in it. Secondly, and the reason this was failing testing-
Status update: the required changes landed in splunk/contentctl's
This is now passing with the release of contentctl 4.3.1 which allows for threat objects to be present in only some of the risk events.
Thanks again for this awesome contribution @nterl0k !
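To make the validation behaviour discussed in the thread concrete (the observable-field check that failed on the ZAP sample data, and the relaxed rule after contentctl 4.3.1), here is an added example that is not contentctl's or this PR's code. The three sample events, the observable section, and the rule that "Attacker"-role observables are threat objects while "Victim"-role observables are risk objects that must still be present on every event are all constructed assumptions for illustration.

```python
# Added example: models the observable-field check described in the thread.
# Not contentctl's implementation; events and observables are constructed.

# Constructed stand-ins for the three ZAP sample events described above:
# two carry a URL, one carries a file name. Every event carries a user.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "url": "https://example.test/a", "action": "ZAP"},
    {"user": "bob@example.com", "url": "https://example.test/b", "action": "ZAP"},
    {"user": "carol@example.com", "file_name": "invoice.docm", "action": "ZAP"},
]

# Hypothetical observable section (assumed shape): one risk object (Victim)
# and two threat objects (Attacker).
OBSERVABLES = [
    {"name": "user", "role": ["Victim"]},
    {"name": "url", "role": ["Attacker"]},
    {"name": "file_name", "role": ["Attacker"]},
]


def is_threat_object(observable: dict) -> bool:
    # Assumption: Attacker-role observables become threat objects in RBA.
    return "Attacker" in observable["role"]


def missing_fields(observables: list, events: list, allow_partial_threat_objects: bool) -> list:
    """Return the observable names whose field is missing from the results.

    Strict mode (the behaviour that failed the ZAP detection): every observable
    field must exist in every event.
    Relaxed mode (the rule described for contentctl 4.3.1): a threat-object
    field only needs to exist in at least one event; risk-object fields are
    still required on every event (assumption, not stated on the page).
    """
    missing = []
    for obs in observables:
        name = obs["name"]
        present = [name in event for event in events]
        if allow_partial_threat_objects and is_threat_object(obs):
            ok = any(present)
        else:
            ok = all(present)
        if not ok:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("strict :", missing_fields(OBSERVABLES, SAMPLE_EVENTS, False))  # ['url', 'file_name']
    print("relaxed:", missing_fields(OBSERVABLES, SAMPLE_EVENTS, True))   # []
```

Running it shows why the detection failed under the strict rule and passes under the relaxed one, while a missing risk-object field (for example an event with no user) is still reported in both modes.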
Details
Mostly focused on bubbling up the various O365 security alerting for both built-in and premium features.
ZAP, DLP, Safe Links, Safe Attachments
Security & Compliance alerting
Report A Message function
Some insider threat behaviors for the O365 platform.
Pending splunk/attack_data#888
Checklist
<platform>_<mitre att&ck technique>_<short description> nomenclature