splunk / security_content

Splunk Security Content
https://research.splunk.com
Apache License 2.0

[BUG] #2892

Closed cp-sn closed 10 months ago

cp-sn commented 10 months ago

Describe the bug

Hello,

In ESCU there are some CS without any "Adaptive Response Actions".

For example, [ESCU - Windows Event Log Cleared - Rule] has actions for risk and notable, but the following do not: [ESCU - Windows Event For Service Disabled - Rule], [ESCU - Windows Event Triggered Image File Execution Options Injection - Rule]

Is it expected from the client to create those actions?

App Version:

ESCU 4.14.0

ljstella commented 10 months ago

Hi, this is intended.

ESCU - Windows Event Log Cleared - Rule is an analytic of type "TTP", while ESCU - Windows Event for Service Disabled - Rule and ESCU - Windows Event Triggered Image File Execution Options Injection - Rule are analytics of type "Hunting". These are two of the possible types, which are most visible in-product from the pre-configured alert actions, but can be seen in this repo or on research.splunk.com on the individual detections pages.

In summary, TTP analytics receive both the Notable and Risk actions, Anomaly analytics receive the Risk Action, Correlation analytics receive the Notable action, and Hunting analytics do not receive one. Hunting searches are written specifically for someone to manually run and review the results as part of threat hunting activities, or to power a dashboard.

For more details about the types, you can check out this page in the repo's wiki.