Detection: Microsoft Intune Bulk Wipe Detected#3978
Open
jakeenea51 wants to merge 2 commits intosplunk:developfrom
Open
Detection: Microsoft Intune Bulk Wipe Detected#3978jakeenea51 wants to merge 2 commits intosplunk:developfrom
jakeenea51 wants to merge 2 commits intosplunk:developfrom
Conversation
jakeenea51
requested review from
ljstella,
nasbench and
patel-bhavin
as code owners
| @@ -0,0 +1,61 @@ | |||
| name: Microsoft Intune Bulk Wipe Detected | |||
Contributor
There was a problem hiding this comment.
@jakeenea51 - can you Install pre-commit using pip install pre-commit then proceed to installing the hooks via pre-commit install. this is a pre-requisite to validate and apply the proper formatting.
| | rename identity as user, resultType as result | ||
| | table _time user tenantId signature result vendor_account vendor_product | ||
| | fillnull | ||
| | stats min(_time) as firstTime max(_time) as lastTime values(*) as * count by _time signature user tenantId vendor_account vendor_product |
Contributor
There was a problem hiding this comment.
Do we not get any src related info from the search, it will be good to add that to the output and to the threat object
| risk_objects: | ||
| - field: user | ||
| type: user | ||
| score: 80 |
Contributor
There was a problem hiding this comment.
since this is a TTP detection, lets keep this score to 50. We havent enforced this in CI yet but soon will be enforcing this in our checks.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Details
Contributing 1 new detection:
Details:
This is my first time contributing a detection, so let me know if I missed anything or if any information should be changed. Thanks!
Checklist
<platform>_<mitre att&ck technique>_<short description>nomenclatureNotes For Submitters and Reviewers
buildCI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.