From 8fddfc06c8cdf639444a53830e06d2656275d3c8 Mon Sep 17 00:00:00 2001
From: junk
Date: Tue, 15 Apr 2025 15:37:12 -0400
Subject: [PATCH] Update splunk/rules_to_add_to_github.md

---
 splunk/rules_to_add_to_github.md | 69 ++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/splunk/rules_to_add_to_github.md b/splunk/rules_to_add_to_github.md
index 562f05b..23f7d17 100644
--- a/splunk/rules_to_add_to_github.md
+++ b/splunk/rules_to_add_to_github.md
@@ -94,4 +94,73 @@ fields:
 - icmp_type
 - icmp_code
 level: high
+```
+
+IPsec from outside
+
+```
+`indextime` sourcetype=syslog
+| where NOT cidrmatch("10.0.0.0/8", src_ip) AND NOT cidrmatch("192.168.0.0/16", src_ip) AND NOT cidrmatch("172.16.0.0/12", src_ip)
+| where cidrmatch("137.0.0.0/16", src_ip) OR src_port=500 OR dest_port=500
+| stats count by src_ip, dest_ip, src_port, dest_port
+| sort - count
+| eval hash_sha256=if(isnull(hash_sha256), "N/A", lower(hash_sha256)),
+hunting_trigger="Detects suspicious connections to non-private IPs or port 500 usage.",
+mitre_category="Discovery",
+mitre_technique="Network Service Scanning",
+mitre_technique_id="T1046",
+mitre_subtechnique="",
+mitre_subtechnique_id="",
+apt="Volt Typhoon",
+mitre_link="https://attack.mitre.org/techniques/T1046/",
+creator="Sgt Iverson",
+last_tested="",
+upload_date="2025-04-15",
+last_modify_date="2025-04-15",
+mitre_version="v16",
+priority="high"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time, indextime, event_description, hash_sha256, src_ip, dest_ip, src_port, dest_port, http_header, mitre_category, mitre_technique, mitre_technique_id, hunting_trigger, mitre_subtechnique, mitre_subtechnique_id, apt, mitre_link, creator, last_tested, upload_date, last_modify_date, mitre_version, priority
+| collect `jarvis_index`
+```
+
+```
+title: Detect Suspicious Connections to Non-Private IPs or Port 500 Usage
+id: b4a8cfa4-7a21-4f8a-9383-1234abcd5678
+description: Detects connections from non-private IPs or IPs in the 137.0.0.0/16 range, with usage of port 500, including data enrichment fields.
+author: Sgt Iverson
+logsource:
+ product: network
+ service: syslog
+detection:
+ selection:
+ src_ip:
+ - "!10.0.0.0/8"
+ - "!192.168.0.0/16"
+ - "!172.16.0.0/12"
+ - "137.0.0.0/16"
+ src_port: 500
+ dest_port: 500
+ condition: selection
+fields:
+ - src_ip
+ - dest_ip
+ - src_port
+ - dest_port
+ - hash_sha256
+ - http_header
+enrichment:
+ hunting_trigger: "Detects suspicious connections to non-private IPs or port 500 usage."
+ mitre_category: "Discovery"
+ mitre_technique: "Network Service Scanning"
+ mitre_technique_id: "T1046"
+ apt: "Volt Typhoon"
+ mitre_link: "https://attack.mitre.org/techniques/T1046/"
+ creator: "Sgt Iverson"
+ upload_date: "2025-04-15"
+ last_modify_date: "2025-04-15"
+ mitre_version: "v16"
+ priority: "high"
+level: high
 ```
\ No newline at end of file
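Review bot: The Sigma `selection` map in the added YAML block does not reproduce the SPL logic above it: a `!` prefix inside a value is not Sigma negation, CIDR matching needs the `|cidr` field modifier, and keys inside a single map are ANDed, so as written the rule fires only when `src_port` and `dest_port` are both 500, while the SPL accepts either one or the 137.0.0.0/16 match. Moving the private-range exclusion into its own filter and the two positive tests into separate selections expresses the same `(cidr or port) and not private` logic the SPL `where` clauses implement. Both the SPL `eval` and the YAML `enrichment` block label T1046 as "Network Service Scanning"; I believe the technique is titled "Network Service Discovery" in current ATT&CK, so the name is worth checking against the v16 entry the rule cites. Either block could also note that the syslog `src_ip` field must be populated for `cidrmatch` to apply, since a null value silently drops the event from both `where` stages.
```yaml
detection:
  selection_cidr:
    src_ip|cidr: '137.0.0.0/16'
  selection_port:
    - src_port: 500
    - dest_port: 500
  filter_private:
    src_ip|cidr:
      - '10.0.0.0/8'
      - '192.168.0.0/16'
      - '172.16.0.0/12'
  condition: (selection_cidr or selection_port) and not filter_private
# … unchanged: fields, enrichment, level …
```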