security-content/detections/new_user_accounts.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
asset_type: Domain Server
confidence: medium
creation_date: '2017-08-05'
data_metadata:
  data_models:
    - Identity_Management
  data_source:
    - Active Directory logs
  providing_technologies:
    - Active Directory
description: This detection search will help profile user accounts in your environment
  by identifying newly created accounts that have been added to your network in the
  past week.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: user
        rule_description: Using the identities lookup and macro from Enterprise Security
          to identify (report) new users (6 month period) and temp users (3 months
          until account expiration)
        rule_title: Identify Temporary Users
      risk:
        risk_object: user
        risk_object_type:
          - system
        risk_score: 40
      schedule:
        cron_schedule: 0 0 * * *
        earliest_time: -24h@h
        latest_time: -10m@m
      search: '| from datamodel Identity_Management.All_Identities  | eval empStatus=case((now()-startDate)<604800,
        "Accounts created in last week") | search empStatus="Accounts created in last
        week"| `security_content_ctime(endDate)` | `security_content_ctime(startDate)`| table identity empStatus endDate
        startDate'
      suppress:
        suppress_fields: identity
        suppress_period: 86400s
eli5: Adversaries will often seek to create new user accounts as a means of maintaining
  access to a target environment. Using this search, we identify accounts created
  in the last week by comparing the start date in the Identity_Management data model
  against the current time.
entities:
  - user
how_to_implement: To successfully implement this search, you need to be populating
  the Enterprise Security Identity_Management data model in the assets and identity
  framework.
id: 475b9e27-17e4-46e2-b7e2-648221be3b89
investigations:
  - id: 552bc86c-f72c-4d44-b3f2-06ede13af7bb
    name: Get Logon Rights Modifications For User
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d55
    name: Get Risk Modifiers For User
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
    name: Get Notable Info
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
known_false_positives: If the Identity_Management data model is not updated regularly,
  this search could give you false positive alerts. Please consider this and investigate
  appropriately.
maintainers:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
mappings:
  cis20:
    - CIS 16
  mitre_attack:
    - Persistence
    - Create Account
  nist:
    - PR.IP
modification_date: '2017-09-12'
name: Identify New User Accounts
original_authors:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
references: []
security_domain: access
spec_version: 2
type: splunk
version: '1.0'