Repos
Description
DeepHunter analytics can be imported directly from a GitHub or BitBucket repository.
Repositories are added and managed from the repos list view (Admin > Manage repos).
Default values for imported analytics can be set in the settings.
Expected format for repositories
JSON files
Only public GitHub and BitBucket repositories are currently supported.
Each analytic must be a JSON file with the following structure:
| Key | Description | M/O* |
|---|---|---|
| `version` | Version of the analytic (not used by DeepHunter) | O |
| `name` | Analytic name (usually the JSON file name without its extension) | M |
| `description` | Description of the analytic | O |
| `notes` | Threat hunting notes | O |
| `confidence` | Confidence level of the analytic (1-5). Defaults to 1 if out of range or not present. | O |
| `relevance` | Relevance level of the analytic (1-5). Defaults to 1 if out of range or not present. | O |
| `category` | Category of the analytic (e.g. "detect", "triage", "threat hunting") | O |
| `connector` | Connector type (e.g. "sentinelone", "microsoftsentinel") | M |
| `query` | The analytic's query | M |
| `columns` | Optional columns associated with the analytic's query | O |
| `emulation_validation` | Emulation plan validation | O |
| `references` | List of HTML links, separated by commas (the example below separates them with line breaks) | O |
| `mitre_techniques` | List of MITRE techniques, separated by commas | O |
| `threats` | List of threats, separated by commas | O |
| `actors` | List of threat actors, separated by commas | O |
| `target_os` | List of target operating systems, separated by commas | O |
| `vulnerabilities` | List of vulnerabilities, separated by commas | O |

(*) M = mandatory, O = optional
Example
Below is an example of a valid analytic JSON file:
```json
{
  "version": 1,
  "name": "psexec_connect",
  "description": "Detects use of psexec",
  "notes": "- To move around freely without attracting too much attention, attackers often use reliable software (one of the favorites is psexec) that looks normal in an enterprise environment.\r\n- Use the following aggregate to easily group by endpoint: `| group array_agg_distinct(dst.ip.address) by endpoint.name, src.process.cmdline`",
  "confidence": 2,
  "relevance": 3,
  "category": "detect",
  "connector": "sentinelone",
  "query": "endpoint.os = 'windows'\r\nand event.type = 'IP Connect'\r\nand src.process.name matches 'psexec\\\\.exe'",
  "columns": "| columns event.time, event.type, site.name, agent.uuid, src.process.storyline.id, src.process.user, src.process.uid, src.process.cmdline, src.ip.address, src.port.number, dst.ip.address, dst.port.number, src.process.parent.cmdline, tgt.process.cmdline",
  "emulation_validation": "",
  "references": "https://theitbros.com/using-psexec-to-run-commands-remotely/\r\nhttps://redcanary.com/blog/threat-hunting-psexec-lateral-movement/",
  "mitre_techniques": [
    "T1569.002",
    "T1570"
  ],
  "threats": [],
  "actors": [],
  "target_os": [
    "windows"
  ],
  "vulnerabilities": []
}
```
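The following is an added example, not DeepHunter's own importer code, of a pre-import validator for the format described in the table above and illustrated by this JSON file. Because the repositories are public, a check like this is where a malformed or unexpected analytic gets caught before it reaches the connector: it verifies the mandatory keys (`name`, `connector`, `query`), applies the documented default of 1 for a missing or out-of-range `confidence`/`relevance`, and normalizes the "list of ..., separated by commas" fields. Accepting either a JSON array or a separator-delimited string for those fields, rejecting keys the table does not define, and the two sample analytics are this example's own assumptions and constructed data.

```python
import json

# Keys from the "Expected format" table: True = mandatory, False = optional.
ANALYTIC_KEYS = {
    "version": False, "name": True, "description": False, "notes": False,
    "confidence": False, "relevance": False, "category": False,
    "connector": True, "query": True, "columns": False,
    "emulation_validation": False, "references": False,
    "mitre_techniques": False, "threats": False, "actors": False,
    "target_os": False, "vulnerabilities": False,
}

# Fields the table documents as "list of ..., separated by commas".
LIST_KEYS = ("references", "mitre_techniques", "threats", "actors",
             "target_os", "vulnerabilities")


def level(value):
    """Coerce confidence/relevance to 1..5; default to 1 if missing or out of range."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return 1
    return n if 1 <= n <= 5 else 1


def as_list(value):
    """Normalize a list field. Assumption: a JSON array, a comma-separated
    string, or (as in the page's "references") a line-break-separated string
    are all accepted; blanks are dropped."""
    if value is None:
        return []
    if isinstance(value, list):
        items = [str(i) for i in value]
    elif isinstance(value, str):
        items = value.replace("\r\n", ",").replace("\n", ",").split(",")
    else:
        raise ValueError(f"expected list or string, got {type(value).__name__}")
    return [i.strip() for i in items if i.strip()]


def validate_analytic(raw):
    """Parse one analytic JSON document.

    Returns (normalized dict, []) when the file matches the documented format,
    or (None, [error, ...]) otherwise. Unknown keys are rejected here; that is
    this example's choice, not a rule stated by the documentation."""
    errors = []
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON: {exc}"]
    if not isinstance(data, dict):
        return None, ["top-level value must be a JSON object"]

    for key in data:
        if key not in ANALYTIC_KEYS:
            errors.append(f"unknown key: {key}")
    for key, mandatory in ANALYTIC_KEYS.items():
        value = data.get(key)
        if mandatory and not (isinstance(value, str) and value.strip()):
            errors.append(f"missing or empty mandatory key: {key}")
    if errors:
        return None, errors

    analytic = {
        "version": data.get("version"),
        "name": data["name"].strip(),
        "description": data.get("description", ""),
        "notes": data.get("notes", ""),
        "confidence": level(data.get("confidence")),
        "relevance": level(data.get("relevance")),
        "category": data.get("category", ""),
        "connector": data["connector"].strip(),
        "query": data["query"],
        "columns": data.get("columns", ""),
        "emulation_validation": data.get("emulation_validation", ""),
    }
    for key in LIST_KEYS:
        try:
            analytic[key] = as_list(data.get(key))
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
    return (analytic, []) if not errors else (None, errors)


# Constructed sample (not from the page): mirrors the psexec example but with an
# out-of-range confidence, a string relevance and comma-separated list fields.
SAMPLE_OK = json.dumps({
    "name": "psexec_connect",
    "connector": "sentinelone",
    "query": "endpoint.os = 'windows' and event.type = 'IP Connect' "
             "and src.process.name = 'psexec.exe'",
    "confidence": 9,
    "relevance": "3",
    "references": "https://example.invalid/a, https://example.invalid/b",
    "mitre_techniques": ["T1569.002", "T1570"],
    "target_os": "windows",
})

# Constructed sample: a mandatory key is missing and an undocumented key is present.
SAMPLE_BAD = json.dumps({"name": "broken", "connector": "sentinelone",
                         "severity": "high"})

if __name__ == "__main__":
    for label, raw in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        analytic, errs = validate_analytic(raw)
        print(label, "->", analytic if analytic else errs)
```

Run it over every `*.json` file in a cloned repository before enabling the repo in DeepHunter; any file that returns errors is the one to inspect by hand rather than import.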