Branch was auto-updated.

splunk · Jan 10, 2025 · 5efd265 · 5efd265
2 parents 963f94f + 6f56a46
commit 5efd265
Showing 1 changed file with 16 additions and 20 deletions.
diff --git a/detections/endpoint/detect_remote_access_software_usage_registry.yml b/detections/endpoint/detect_remote_access_software_usage_registry.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Registry
 id: 33804986-25dd-43cf-bb6b-dc14956c7cbc
-version: 1
-date: '2024-11-21'
+version: 2
+date: '2025-01-10'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -39,6 +39,20 @@ drilldown_searches:
   search: '| from datamodel:Endpoint.Registry| search dest=$dest$ registry_path=$registry_path$'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: A process for a known remote access software [$signature$] was detected on $dest$
+  risk_objects:
+  - field: dest
+    type: system
+    score: 25
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: registry_path
+    type: registry_path
+  - field: signature
+    type: signature
 tags:
   analytic_story: 
   - Insider Threat
@@ -49,26 +63,8 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: A process for a known remote access software [$signature$] was detected on $dest$
   mitre_attack_id: 
   - T1219
-  observable: 
-  - name: dest
-    type: Hostname
-    role:
-    - Victim
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: registry_path
-    type: Other
-    role:
-    - Attacker
-  - name: signature
-    type: Other
-    role:
-    - Attacker
   product: 
   - Splunk Enterprise
   - Splunk Enterprise Security