Merge pull request #2952 from splunk/gitlab_release_v4.23.0

Gitlab release v4.23.0

contentctl.yml

@@ -6,7 +6,7 @@ build:
   path_root: dist
   prefix: ESCU
   build: 004210
-  version: 4.22.0
+  version: 4.23.0
   label: ES Content Updates
   author_name: Splunk Threat Research Team
   author_email: research@splunk.com

detections/application/splunk_information_disclosure_in_splunk_add_on_builder.yml

@@ -0,0 +1,42 @@
+name: Splunk Information Disclosure in Splunk Add-on Builder
+id: b7b82980-4a3e-412e-8661-4531d8758735
+version: 1
+date: '2024-01-30'
+author: Rod Soto, Eric McGinnis
+status: production
+type: Hunting
+data_source: []
+description: In Splunk Add-on Builder versions below 4.1.4, the application writes sensitive information to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on.
+search: '| rest /services/apps/local | search disabled=0 core=0 label="Splunk Add-on Builder" | dedup label | search version < 4.1.4 
+  | eval WarningMessage="Splunk Add-on Builder Versions older than v4.1.4 contain a critical vulnerability. Update to Splunk Add-on Builder v4.1.4 or higher immediately. For more information about this vulnerability, please refer to https://advisory.splunk.com/advisories/SVD-2024-0111" 
+  | table label version WarningMessage | `splunk_information_disclosure_in_splunk_add_on_builder_filter`'
+how_to_implement: This search should be run on search heads where Splunk Add-on Builder may be installed.  The results of this search will conclusively show whether or not a vulnerable version of Splunk Add-on Builder is currently installed. 
+known_false_positives: This search is highly specific for vulnerable versions of Splunk Add-on Builder. There are no known false positives. 
+references:
+- https://advisory.splunk.com/advisories/SVD-2024-0111
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: Splunk Server 
+  confidence: 100
+  impact: 100
+  message: Vulnerable $version$ of Splunk Add-on Builder found - Upgrade Immediately. 
+  mitre_attack_id:
+  - T1082
+  observable:
+  - name: version
+    type: Other
+    role:
+    - Other
+  product:
+  - Splunk Enterprise
+  risk_score: 100
+  required_fields:
+  - disabled
+  - core 
+  - version
+  - label
+  security_domain: endpoint
+  manual_test: This search uses a REST call against a running Splunk instance to fetch the versions of installed apps. 
+    It cannot be replicated with a normal test or attack data. 
+

detections/cloud/kubernetes_access_scanning.yml

@@ -1,5 +1,5 @@
 name: Kubernetes Access Scanning
-id: f5edd22d-0f3b-4c70-bcfe-5bf41150f10c
+id: 2f4abe6d-5991-464d-8216-f90f42999764
 version: 1
 date: '2023-12-07'
 author: Patrick Bareiss, Splunk

detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml

@@ -0,0 +1,82 @@
+name: Kubernetes Anomalous Inbound Network Activity from Process
+id: 10442d8b-0701-4c25-911d-d67b906e713c
+version: 1
+date: '2024-01-10'
+author: Matthew Moore, Splunk
+status: experimental
+type: Anomaly
+description: 'This detection detects inbound network traffic volume anomalies from processes running within containerised workloads. 
+  Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly.This detection 
+  leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud 
+  using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, 
+  tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for destination (receiving) workload process pairs over the last 1 hour, 
+  with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high inbound network activity. 
+  Anomalies in inbound network traffic may suggest that the container is receiving unexpected or unauthorized data, potentially indicative of a breach, 
+  a vulnerability exploitation attempt, an attempt to overload the service, or propagation of malware. Successful compromise of a containerised 
+  application resulting in the ability to upload data, can result in installation of command and control software or other malware, 
+  data integrity damage, container escape, and further compromise of the environment. Additionally this kind of activity may result in 
+  resource contention, performance degradation and disruption to the normal operation of the environment.'
+data_source: []
+search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name dest.workload.name dest.process.name  span=10s 
+  | eval key=''dest.workload.name'' + ":" + ''dest.process.name'' 
+  | join type=left key 
+    [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by dest.workload.name dest.process.name
+    | eval key=''dest.workload.name'' + ":" + ''dest.process.name''
+        ] 
+  | eval anomalies = "" 
+  | foreach stdev_* 
+    [ eval anomalies =if( ''<<MATCHSTR>>'' > (''avg_<<MATCHSTR>>'' + 3 * ''stdev_<<MATCHSTR>>''), anomalies + "<<MATCHSTR>> higher than average by " + 
+        tostring(round((''<<MATCHSTR>>'' - ''avg_<<MATCHSTR>>'')/''stdev_<<MATCHSTR>>'' ,2)) + " Standard Deviations. <<MATCHSTR>>=" + tostring(''<<MATCHSTR>>'') + " avg_<<MATCHSTR>>=" 
+        + tostring(''avg_<<MATCHSTR>>'') + " ''stdev_<<MATCHSTR>>''=" + tostring(''stdev_<<MATCHSTR>>'') + ", "
+        , anomalies)
+        ] 
+  | fillnull
+  | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") 
+  | where anomalies!="" 
+  | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name
+  | where count > 5
+  | rename k8s.cluster.name as host
+  | `kubernetes_anomalous_inbound_network_activity_from_process_filter` '
+how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and 
+  enable Network Performance Monitoring according to instructions found in Splunk Docs 
+  https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup 
+  In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and 
+  configured on a Splunk Search Head.  Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. 
+  Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\
+  
+  * Name sim_npm_metrics_to_metrics_index \
+
+  * Org ID <Your O11y Cloud Org Id> \
+  
+  * Signal Flow Program data(''tcp.packets'').publish(label=''A''); data(''tcp.bytes'').publish(label=''B''); data(''tcp.new_sockets'').publish(label=''C''); data(''udp.packets'').publish(label=''D''); data(''udp.bytes'').publish(label=''E'') \
+  
+  * Metric Resolution 10000'
+known_false_positives: unknown
+references:
+- https://github.com/signalfx/splunk-otel-collector-chart
+tags:
+  analytic_story:
+  - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
+  asset_type: Kubernetes
+  confidence: 50
+  impact: 50
+  message: Kubernetes Anomalous Inbound Network Activity from Process in kubernetes cluster $host$
+  mitre_attack_id:
+  - T1204
+  observable:
+  - name: host
+    type: Hostname
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - tcp.*
+  - udp.*
+  - k8s.cluster.name 
+  - dest.process.name
+  - dest.workload.name 
+  risk_score: 25
+  security_domain: network

detections/cloud/kubernetes_anomalous_inbound_outbound_network_traffic_io.yml

@@ -32,18 +32,29 @@ search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8
   | where count > 5
   | rename k8s.node.name as host
   | `kubernetes_anomalous_inbound_outbound_network_traffic_io_filter` '
-how_to_implement: 'To implement this detection, follow these steps:
-  1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.
-  2. Enable the hostmetrics/process receiver in the OTEL configuration.
-  3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.
-  4. Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)
-  5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.
-  6. Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index".
-  7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.
-  8. Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'')
-  9. Set the Metric Resolution to 10000.
-  10. Leave all other settings at their default values.
-  11. Run the Search Baseline Of Kubernetes Container Network IO Ratio '
+how_to_implement: 'To implement this detection, follow these steps: \
+  
+  * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\
+  
+  * Enable the hostmetrics/process receiver in the OTEL configuration.\
+  
+  * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\
+  
+  * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\
+  
+  * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\
+  
+  * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index".\
+  
+  * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\
+  
+  * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'')\
+  
+  * Set the Metric Resolution to 10000.\
+  
+  * Leave all other settings at their default values.\
+  
+  * Run the Search Baseline Of Kubernetes Container Network IO Ratio '
 known_false_positives: unknown
 references:
 - https://github.com/signalfx/splunk-otel-collector-chart

detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml

@@ -34,18 +34,29 @@ search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8
   | where count > 5
   | rename k8s.node.name as host
   | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter` '
-how_to_implement: 'To implement this detection, follow these steps:
-  1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.
-  2. Enable the hostmetrics/process receiver in the OTEL configuration.
-  3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.
-  4. Install the Splunk Infrastructure Monitoring (SIM) add-on.(ref: https://splunkbase.splunk.com/app/5247)
-  5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.
-  6. Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index".
-  7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.
-  8. Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'')
-  9. Set the Metric Resolution to 10000.
-  10. Leave all other settings at their default values.
-  11. Run the search Baseline Of Kubernetes Container Network IO Ratio'
+how_to_implement: 'To implement this detection, follow these steps: \
+  
+  * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\
+  
+  * Enable the hostmetrics/process receiver in the OTEL configuration.\
+  
+  * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\
+  
+  * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\
+  
+  * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\
+  
+  * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index".\
+  
+  * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\
+  
+  * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'')\
+  
+  * Set the Metric Resolution to 10000.\
+  
+  * Leave all other settings at their default values.\
+  
+  * Run the Search Baseline Of Kubernetes Container Network IO Ratio '
 known_false_positives: unknown
 references:
 - https://github.com/signalfx/splunk-otel-collector-chart

detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml

@@ -0,0 +1,82 @@
+name: Kubernetes Anomalous Outbound Network Activity from Process
+id: dd6afee6-e0a3-4028-a089-f47dd2842c22
+version: 1
+date: '2024-01-10'
+author: Matthew Moore, Splunk
+status: experimental
+type: Anomaly
+description: 'This detection detects outbound network traffic volume anomalies from processes running within containerised workloads. 
+  Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly. This detection 
+  leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud 
+  using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, 
+  tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for source (transmitting) workload process pairs over the last 1 hout, 
+  with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high outbound network activity. 
+  Anonymously high outbound network traffic from a process running in a container is a potential indication of data exfiltration, or an indication that the process has been modified. 
+  Anomalously high outbound network activity from a process running within a container suggests the potential compromise, which may lead to unauthorized data exfiltration, 
+  communication with malicious entities, or the propagation of malware to external systems. The compromised container could also serve as a pivot point 
+  for further attacks within the containerized environment.'
+data_source: []
+search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name source.process.name  span=10s 
+  | eval key=''source.workload.name'' + ":" + ''source.process.name'' 
+  | join type=left key 
+    [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name source.process.name
+    | eval key=''source.workload.name'' + ":" + ''source.process.name''
+        ] 
+  | eval anomalies = "" 
+  | foreach stdev_* 
+    [ eval anomalies =if( ''<<MATCHSTR>>'' > (''avg_<<MATCHSTR>>'' + 3 * ''stdev_<<MATCHSTR>>''), anomalies + "<<MATCHSTR>> higher than average by " + 
+        tostring(round((''<<MATCHSTR>>'' - ''avg_<<MATCHSTR>>'')/''stdev_<<MATCHSTR>>'' ,2)) + " Standard Deviations. <<MATCHSTR>>=" + tostring(''<<MATCHSTR>>'') + " avg_<<MATCHSTR>>=" 
+        + tostring(''avg_<<MATCHSTR>>'') + " ''stdev_<<MATCHSTR>>''=" + tostring(''stdev_<<MATCHSTR>>'') + ", "
+        , anomalies)
+        ] 
+  | fillnull
+  | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") 
+  | where anomalies!="" 
+  | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name source.process.name
+  | where count > 5
+  | rename k8s.cluster.name as host
+  | `kubernetes_anomalous_outbound_network_activity_from_process_filter` '
+how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and 
+  enable Network Performance Monitoring according to instructions found in Splunk Docs 
+  https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup 
+  In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and 
+  configured on a Splunk Search Head.  Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. 
+  Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\
+  
+  * Name sim_npm_metrics_to_metrics_index \
+
+  * Org ID <Your O11y Cloud Org Id> \
+  
+  * Signal Flow Program data(''tcp.packets'').publish(label=''A''); data(''tcp.bytes'').publish(label=''B''); data(''tcp.new_sockets'').publish(label=''C''); data(''udp.packets'').publish(label=''D''); data(''udp.bytes'').publish(label=''E'') \
+  
+  * Metric Resolution 10000'
+known_false_positives: unknown
+references:
+- https://github.com/signalfx/splunk-otel-collector-chart
+tags:
+  analytic_story:
+  - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
+  asset_type: Kubernetes
+  confidence: 50
+  impact: 50
+  message: Kubernetes Anomalous Outbound Network Activity from Process in kubernetes cluster $host$
+  mitre_attack_id:
+  - T1204
+  observable:
+  - name: host
+    type: Hostname
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - tcp.*
+  - udp.*
+  - k8s.cluster.name 
+  - source.workload.name 
+  - dest.workload.name 
+  - udp.packets
+  risk_score: 25
+  security_domain: network