added splunk detections

Author: aring87

detections/splunk/README.md

@@ -0,0 +1,104 @@
+# Splunk Production-Tuned Conversion Pack
+
+This is the second-pass tuning package for the Sentinel-to-Splunk conversion.
+
+## Summary
+- Active converted rules: 75
+- Production-ready candidates: 70
+- Validation-required candidates: 5
+- Deprecated rules preserved separately: 22
+
+## What changed in this pass
+- Normalized first-pass SPL syntax that still contained KQL habits such as `!in~`, `!has`, `between (...)`, and unresolved `project` fragments.
+- Replaced broken time-window joins with `relative_time(...)` comparisons where appropriate.
+- Promoted reviewed rules to `status: production` and `lifecycle: production`.
+- Added consistent implementation and production tuning guidance to each active rule.
+- Kept complex cloud and Entra correlation detections in testing status when they still depend on environment-specific nested fields or multi-source joins.
+
+## Production candidates
+- browser/browser-extension-install-from-temp-or-user-profile.yml
+- collection/Clipboard-Data-Collection.yml
+- collection/data-from-local-system.yml
+- collection/graph-mail-access-burst.yml
+- collection/mass-file-enumeration-in-user-data-paths.yml
+- collection/screen-capture-utility-execution.yml
+- command-and-control/powershell-or-lolbin-external-network-traffic.yml
+- command-and-control/quick-assist-or-rmm-followed-by-script-execution.yml
+- command-and-control/sharepoint-spinstall0-or-webshell-staging-access.yml
+- command-and-control/suspicious-web-download-via-certutil-or-bitsadmin.yml
+- credential-access/device-code-phishing-followed-by-graph-mail-access.yml
+- credential-access/potential-lsass-memory-dump.yml
+- credential-access/potential-ntlm-enumeration-via-failed-logons.yml
+- credential-access/suspicious-browser-credential-store-access.yml
+- credential-access/vmware_vmdk_ntds_theft.yml
+- defense-evasion/clear-windows-event-logs.yml
+- defense-evasion/disable-script-block-logging.yml
+- defense-evasion/powershell-script-block-logging-disabled.yml
+- defense-evasion/security-tool-disable-attempt.yml
+- discovery/dns-enumeration-via-command-line-tools.yml
+- discovery/ldap-enumeration-using-powershell.yml
+- discovery/net-group-and-domain-trust-discovery.yml
+- discovery/Net-User-Enumeration.yml
+- discovery/system-and-network-configuration-discovery.yml
+- execution/fake_captcha_browser_to_script.yml
+- execution/malicious-and-paste-powershell-from-explorer.yml
+- execution/mshta-launching-script-or-powershell.yml
+- execution/oauth-redirection-abuse-followed-by-browser-download.yml
+- execution/powershell-encoded-command-execution.yml
+- execution/powershell-encoded-command-from-temp-folder.yml
+- execution/suspicious-ai-cli-noninteractive-trust-all-tools.yml
+- exfiltration/archive-creation-followed-by-external-transfer.yml
+- exfiltration/azcopy-or-cloud-cli-bulk-export.yml
+- exfiltration/exfiltration-uncommon-port.yml
+- exfiltration/Onedrive-File-Exfil.yml
+- exfiltration/onedrive-or-cloud-storage-bulk-upload-spike.yml
+- exfiltration/powershell-email-exfiltration-with-attachments.yml
+- exfiltration/quick_assist_winscp_google_drive.yml
+- exfiltration/sharepoint-or-onedrive-bulk-download-by-newly-risky-user.yml
+- impact/boot-configuration-or-recovery-tampering.yml
+- impact/mass-file-rename-or-encryption-burst.yml
+- impact/remote_smb_encryption.yml
+- impact/volume-shadow-copy-deletion.yml
+- initial-access/device-code-sign-in-followed-by-device-registration.yml
+- initial-access/multiple-user-device-code-sign-ins.yml
+- initial-access/oauth-redirection-abuse-url-click.yml
+- initial-access/potential-spearphishing-attachment-execution.yml
+- initial-access/suspicious-external-remote-service-sign-in.yml
+- initial-access/teams-external-contact-followed-by-quick-assist.yml
+- lateral-movement/remote-scheduled-task-creation.yml
+- lateral-movement/remote-service-creation.yml
+- lateral-movement/wmi-remote-process-execution.yml
+- persistence/cleanup-loader-scheduled-task-rundll32-dllregisterserver.yml
+- persistence/m365_inbox_rule_forward_delete.yml
+- persistence/nodejs-guid-installer-scheduled-task.yml
+- persistence/random-appdata-roaming-dll-drop-followed-by-task.yml
+- persistence/registry-run-key-modification.yml
+- persistence/service-binary-path-hijack.yml
+- persistence/suspicious-scheduled-task-creation.yml
+- privilege-escalation/dll-injection.yml
+- privilege-escalation/event-viewer-uac-bypass-registry-hijack.yml
+- privilege-escalation/suspicious-service-creation-for-elevation.yml
+- privilege-escalation/suspicious-token-manipulation-or-sedebug-use.yml
+- reconnaissance/External-Lookup-Tool-Usage.yml
+- reconnaissance/external-network-scanner-execution.yml
+- reconnaissance/whoami-and-net-enumeration-burst.yml
+- resource-development/bulk-mailbox-or-rule-creation.yml
+- resource-development/suspicious-azure-ad-application-registration.yml
+- resource-development/suspicious-trufflehog-secret-scanning.yml
+- resource-development/user-click-spike-to-suspicious-domain.yml
+
+## Validation-required rules
+- exfiltration/cloud-storage-public-access-or-immutability-removal.yml
+- impact/cloud-backup-or-storage-mass-delete-burst.yml
+- persistence/entra_control_plane_abuse.yml
+- resource-development/new-app-secret-added-then-service-principal-signin.yml
+- resource-development/sharepoint-third-party-integration-secret-access.yml
+
+## Deployment guidance
+1. Point each source macro to the correct index, sourcetype, or accelerated datamodel.
+2. Validate field aliases for Microsoft Defender, Office 365, Azure Activity, AuditLogs, and URL click telemetry.
+3. Start rules in a lower-noise schedule with suppression and allowlists for IT/admin activity.
+4. Promote to notable or risk-based alerting only after baseline review.
+
+## Important note
+The 5 validation-required rules are not broken, but they still need hands-on field mapping in your Splunk environment because the original Sentinel logic depends on source-specific cloud schemas and nested JSON arrays.

detections/splunk/browser/browser-extension-install-from-temp-or-user-profile.yml

@@ -0,0 +1,64 @@
+title: Browser Extension Files Created by Non-Browser Process
+id: SPLK-BROW-0001
+source_id: SENT-BROW-0001
+status: production
+description: Detects suspicious creation of browser extension files or folders in browser profile extension directories by non-browser processes, which may indicate unauthorized extension staging or installation.
+author: Adam Ring
+date: '2026-03-20'
+modified: '2026-03-20'
+platform: splunk
+query_language: spl
+logsource:
+  product: windows
+  category: file_event
+source_table: DeviceFileEvents
+search: '`microsoft_defender_device_file_events`
+
+  | where like(lower(FolderPath), "%\\chrome\\user data\\default\\extensions\\%") OR like(lower(FolderPath), "%\\chrome\\user data\\profile %") OR like(lower(FolderPath), "%\\edge\\user data\\default\\extensions\\%") OR like(lower(FolderPath), "%\\edge\\user data\\profile %") OR like(lower(FolderPath), "%\\bravesoftware\\brave-browser\\user data\\default\\extensions\\%")
+
+  | where FileName IN ("manifest.json") OR match(FolderPath, "\\Extensions\\[a-z]{32}\\")
+
+  | where NOT lower(InitiatingProcessFileName) IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe")
+
+  | table Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, SHA1, ReportId'
+how_to_implement:
+- Map the source macro to your production indexes, sourcetypes, or datamodel-backed acceleration.
+- Prefer Splunk CIM field aliases where possible and validate original Microsoft field names before deployment.
+- Deploy with asset- and user-based allowlists for admin tools, software distribution, sanctioned automation, and IT support activity.
+- Start as a scheduled correlation search with a limited lookback and suppression window, then raise to notable only after baselining.
+severity: medium
+risk_score: 60
+tactics:
+- Persistence
+techniques:
+- T1176
+kill_chain_phases:
+- Persistence
+data_sources:
+- DeviceFileEvents
+falsepositives:
+- Legitimate enterprise software deploying approved extensions
+- Browser migration or profile restore activity
+- Developer testing of unpacked extensions
+triage:
+- Review the extension path, manifest, and extension ID
+- Determine whether the extension is approved or enterprise-managed
+- Review the initiating process and command line for archive extraction, scripting, or installer behavior
+- Check for related browser credential theft, suspicious outbound traffic, or new persistence nearby
+validation:
+- Install a benign test extension and compare normal browser-created file patterns versus non-browser initiated writes
+lifecycle: production
+owner: Detection Engineering
+tags:
+- attack.persistence
+- attack.t1176
+- browser-extension
+- chrome
+- edge
+- sentinel
+- splunk
+- converted-from-sentinel
+production_tuning:
+- Validate macro scope, time range, and field aliases in a non-production search head first.
+- Tune known-good parent processes, service accounts, management hosts, and software deployment workflows.
+- Where count thresholds exist, baseline by business unit or asset class before enabling notable actions.

detections/splunk/collection/Clipboard-Data-Collection.yml

@@ -0,0 +1,63 @@
+title: Suspicious Clipboard Read or Clipboard Utility Execution
+id: SPLK-COLL-0001
+source_id: SENT-COLL-0001
+status: production
+description: Detects suspicious clipboard read activity or clipboard utility execution that may indicate collection of copied data, secrets, or credentials.
+author: Adam Ring
+date: '2026-03-06'
+modified: '2026-03-26'
+platform: splunk
+query_language: spl
+logsource:
+  product: windows
+  category: process_creation
+source_table: DeviceProcessEvents
+search: '`microsoft_defender_device_process_events`
+
+  | where FileName IN ("powershell.exe", "pwsh.exe", "cmd.exe", "clip.exe")
+
+  | where like(lower(ProcessCommandLine), "%get-clipboard%") OR like(lower(ProcessCommandLine), "%[windows.forms.clipboard]::gettext%") OR like(lower(ProcessCommandLine), "%gettext()%") OR like(lower(ProcessCommandLine), "%clip.exe%")
+
+  | where NOT like(lower(ProcessCommandLine), "%set-clipboard%")
+
+  | where NOT lower(InitiatingProcessFileName) IN ("code.exe", "devenv.exe", "powershell_ise.exe")
+
+  | table Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA1, ReportId'
+how_to_implement:
+- Map the source macro to your production indexes, sourcetypes, or datamodel-backed acceleration.
+- Prefer Splunk CIM field aliases where possible and validate original Microsoft field names before deployment.
+- Deploy with asset- and user-based allowlists for admin tools, software distribution, sanctioned automation, and IT support activity.
+- Start as a scheduled correlation search with a limited lookback and suppression window, then raise to notable only after baselining.
+severity: medium
+risk_score: 55
+tactics:
+- Collection
+techniques:
+- T1115
+kill_chain_phases:
+- Collection
+data_sources:
+- DeviceProcessEvents
+falsepositives:
+- Legitimate administrator or developer clipboard scripting
+- Automation workflows that intentionally read clipboard contents
+- User troubleshooting or local productivity scripts
+triage:
+- Review whether the account normally uses PowerShell or command-line clipboard access
+- Check whether clipboard reads occurred near archive creation, browser credential access, or outbound transfers
+- Review the initiating process and surrounding process tree for scripting, LOLBins, or user-writable execution paths
+validation:
+- Run Get-Clipboard in a lab PowerShell session and compare with normal admin activity
+lifecycle: production
+owner: Detection Engineering
+tags:
+- attack.collection
+- attack.t1115
+- sentinel
+- collection
+- splunk
+- converted-from-sentinel
+production_tuning:
+- Validate macro scope, time range, and field aliases in a non-production search head first.
+- Tune known-good parent processes, service accounts, management hosts, and software deployment workflows.
+- Where count thresholds exist, baseline by business unit or asset class before enabling notable actions.

detections/splunk/collection/data-from-local-system.yml

@@ -0,0 +1,65 @@
+title: Suspicious Access to Sensitive Local User Documents
+id: SPLK-COLL-0005
+source_id: SENT-COLL-0005
+status: production
+description: Detects processes accessing potentially sensitive document types in common user data paths, which may indicate collection or staging from the local system.
+author: Adam Ring
+date: '2026-03-26'
+modified: '2026-03-26'
+platform: splunk
+query_language: spl
+logsource:
+  product: windows
+  category: file_event
+source_table: DeviceFileEvents
+search: '`microsoft_defender_device_file_events`
+
+  | where ActionType IN ("FileCreated", "FileModified", "FileRead", "FileAccessed")
+
+  | where like(lower(FolderPath), "%\\users\\%") OR like(lower(FolderPath), "%\\desktop\\%") OR like(lower(FolderPath), "%\\documents\\%") OR like(lower(FolderPath), "%\\downloads\\%")
+
+  | where like(lower(FileName), "%.docx")
+
+  | where NOT lower(InitiatingProcessFileName) IN ("explorer.exe", "searchindexer.exe", "onedrive.exe", "msmpeng.exe")
+
+  | bin Timestamp span=15m | stats count as FileCount, dc(FolderPath) as DistinctPaths, values(FileName) as Files by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp
+
+  | where FileCount >= 25 AND DistinctPaths >= 3'
+how_to_implement:
+- Map the source macro to your production indexes, sourcetypes, or datamodel-backed acceleration.
+- Prefer Splunk CIM field aliases where possible and validate original Microsoft field names before deployment.
+- Deploy with asset- and user-based allowlists for admin tools, software distribution, sanctioned automation, and IT support activity.
+- Start as a scheduled correlation search with a limited lookback and suppression window, then raise to notable only after baselining.
+severity: medium
+risk_score: 57
+tactics:
+- Collection
+techniques:
+- T1005
+kill_chain_phases:
+- Collection
+data_sources:
+- DeviceFileEvents
+falsepositives:
+- Backup, indexing, sync, or anti-malware activity
+- Bulk document processing by IT or approved business tooling
+- User-driven search, migration, or archival workflows
+triage:
+- Identify the process and account accessing the files
+- Determine whether the host or user normally performs bulk document access
+- Review for nearby archive creation, cloud upload, email exfiltration, or removable media usage
+validation:
+- Use a benign script in a lab to access many files across user folders and tune thresholds against normal activity
+lifecycle: production
+owner: Detection Engineering
+tags:
+- attack.collection
+- attack.t1005
+- sentinel
+- collection
+- splunk
+- converted-from-sentinel
+production_tuning:
+- Validate macro scope, time range, and field aliases in a non-production search head first.
+- Tune known-good parent processes, service accounts, management hosts, and software deployment workflows.
+- Where count thresholds exist, baseline by business unit or asset class before enabling notable actions.

detections/splunk/collection/graph-mail-access-burst.yml

@@ -0,0 +1,66 @@
+title: Microsoft Graph Mail Access Burst
+id: SPLK-COLL-0004
+source_id: SENT-COLL-0004
+status: production
+description: Detects bursts of Microsoft Graph mail search or mail access activity that may indicate post-compromise mailbox collection or reconnaissance.
+author: Adam Ring
+date: '2026-03-20'
+modified: '2026-03-26'
+platform: splunk
+query_language: spl
+logsource:
+  product: m365
+  service: cloud_app
+source_table: CloudAppEvents
+search: '`microsoft_defender_cloud_app_events`
+
+  | where Application="Microsoft Graph"
+
+  | where like(lower(ActionType), "%searchqueryperformed%") OR like(lower(ActionType), "%mailitemsaccessed%") OR like(lower(ActionType), "%messagebind%")
+
+  | eval User=coalesce(AccountUpn, AccountDisplayName, AccountObjectId)
+
+  | eval ClientIP=IPAddress
+
+  | bin TimeGenerated span=30m | stats count as ActionCount, values(ActionType) as Actions, values(ClientIP) as IPs by TimeGenerated, User, Application
+
+  | where ActionCount >= 20'
+how_to_implement:
+- Map the source macro to your production indexes, sourcetypes, or datamodel-backed acceleration.
+- Prefer Splunk CIM field aliases where possible and validate original Microsoft field names before deployment.
+- Deploy with asset- and user-based allowlists for admin tools, software distribution, sanctioned automation, and IT support activity.
+- Start as a scheduled correlation search with a limited lookback and suppression window, then raise to notable only after baselining.
+severity: medium
+risk_score: 70
+tactics:
+- Collection
+techniques:
+- T1114
+kill_chain_phases:
+- Collection
+data_sources:
+- CloudAppEvents
+falsepositives:
+- Migration tools
+- eDiscovery, journaling, or approved admin search workflows
+- Application integrations that legitimately access mail at scale
+triage:
+- Validate whether the user or application normally performs high-volume Graph mail access
+- Check for nearby device code sign-ins, consent grants, OAuth abuse, or risky sign-in activity
+- Determine whether the activity targeted high-value mailboxes or was followed by mail export, forwarding, or download behavior
+validation:
+- Tune thresholds against known mail clients, admin workflows, and approved tenant applications
+lifecycle: production
+owner: Detection Engineering
+tags:
+- attack.collection
+- attack.t1114
+- graph
+- mailbox
+- sentinel
+- splunk
+- converted-from-sentinel
+production_tuning:
+- Validate macro scope, time range, and field aliases in a non-production search head first.
+- Tune known-good parent processes, service accounts, management hosts, and software deployment workflows.
+- Where count thresholds exist, baseline by business unit or asset class before enabling notable actions.