Detection: Identify New User Accounts

DEPRECATED DETECTION

This detection has been marked as deprecated by the Splunk Threat Research team. This means that it will no longer be maintained or supported. If you have any questions or concerns, please reach out to us at research@splunk.com.

Description

This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week.

1
2| from datamodel Identity_Management.All_Identities  
3| eval empStatus=case((now()-startDate)<604800, "Accounts created in last week") 
4| search empStatus="Accounts created in last week"
5| `security_content_ctime(endDate)` 
6| `security_content_ctime(startDate)`
7| table identity empStatus endDate startDate 
8| `identify_new_user_accounts_filter`

Data Source

Name Platform Sourcetype Source Supported App
N/A N/A N/A N/A N/A

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
identify_new_user_accounts_filter search *
identify_new_user_accounts_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1078.002 Domain Accounts Defense Evasion
KillChainPhase.DELIVERY
KillChainPhase.EXPLOITAITON
KillChainPhase.INSTALLATION
NistCategory.DE_AE
Cis18Value.CIS_10
APT3
APT5
Chimera
Cinnamon Tempest
Indrik Spider
Magic Hound
Naikon
Sandworm Team
TA505
Threat Group-1314
ToddyCat
Volt Typhoon
Wizard Spider

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event False
This configuration file applies to all detections of type hunting.

Implementation

To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework.

Known False Positives

If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately.

Associated Analytic Story

No associated analytic story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
tbd 25 50 50
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Not Applicable N/A N/A N/A
Unit ❌ Failing N/A N/A N/A
Integration ❌ Failing N/A N/A N/A

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 2