splunk / security_content

Splunk Security Content
https://research.splunk.com
Apache License 2.0

Add Detection for Inactive Users with a Certain Period Who Suddenly Have Activity #3159

Closed zake1god closed 1 month ago

zake1god commented 1 month ago

Details

This PR introduces a new detection, Detection for Inactive Users with a Certain Period Who Suddenly Have Activity, under the Network category. The detection identifies users who have not logged in for an extended period (over 30 days), based on network traffic logs. The detection uses the Network_Traffic data model to calculate the inactivity period and flag inactive users.

No changes to lookups or additional dependencies are required for this detection.

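As an added illustration of the approach the PR describes (this is not the PR's own detection, whose SPL is not shown on this page), one way to surface users whose network activity resumes after a long gap, expressed over the CIM Network_Traffic data model. The 30-day threshold, the 1-day bucketing and the exclusion of empty or "unknown" user values are assumptions; All_Traffic.user is the CIM field name.

```spl
| tstats summariesonly=true allow_old_summaries=true count
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.user!="" All_Traffic.user!="unknown"
    by All_Traffic.user _time span=1d
| rename All_Traffic.user as user
| sort 0 user _time
| streamstats current=false last(_time) as previous_activity by user
| eval days_inactive = round((_time - previous_activity) / 86400, 1)
| where days_inactive > 30
| table user previous_activity _time days_inactive count
| convert ctime(previous_activity) ctime(_time)
```

Because previous_activity comes from the prior daily bucket inside the search window, the window must be wider than the threshold (for example earliest=-90d); a user whose first event falls at the start of the window has no previous_activity and is not flagged, so a truly dormant account cannot be distinguished from one whose history simply predates the window without a wider lookback or a lookup of last-seen times.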

zake1god commented 1 month ago

Downloading latest ESCU build from Splunkbase to serve as previous build during validation... Latest release downloaded from Splunkbase to: downloads/splunk-es-content-update_4410.tgz

Detection Metadata Validation:
❌ ESCU - Detect Risky SPL using Pretrained ML Model - Rule 🔸 Detection from previous build not found in current build.
❌ ESCU - Path traversal SPL injection - Rule 🔸 Detection from previous build not found in current build.
❌ ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule 🔸 Detection from previous build not found in current build.
etc.

Can anyone help me with this issue? I only want to contribute my logic to Research Splunk. Would you please fix this? I downloaded the latest splunk-es-content-update_4410.tgz but I still can't find that metadata. @patel-bhavin @ljstella

ljstella commented 1 month ago

@zake1god these issues will be fixed once we get https://github.com/splunk/security_content/pull/3149 merged. If you want to open a new PR or re-open this one, there were a few other issues in your changes that we wanted to fix up.

zake1god commented 1 month ago

@zake1god these issues will be fixed once we get #3149 merged. If you want to open a new PR or re-open this one, there were a few other issues in your changes that we wanted to fix up.

I will create a new one; there are too many errors since I want to fix it alone. Thank you for your reply, I will push a fresh and clean one.