browser_hijacking_2

[tccontre]

New Detections

    new file:   detections/endpoint/windows_chromium_browser_launched_with_small_window_size.yml
    new file:   detections/endpoint/windows_chromium_process_launched_with_disable_popup_blocking.yml
    new file:   detections/endpoint/windows_chromium_process_launched_with_logging_disabled.yml
    new file:   detections/endpoint/windows_chromium_process_with_disabled_extensions.yml
    new file:   detections/endpoint/windows_headless_chromium_browser_execution.yml

Telemetry INFO:

windows_chromium_browser_launched_with_small_window_size.yml :
windows_chromium_process_launched_with_disable_popup_blocking.yml :
windows_chromium_process_launched_with_logging_disabled.yml : NO Telemetry
windows_chromium_process_with_disabled_extensions.yml :
windows_headless_chromium_browser_execution.yml: N/A

What does this PR have in it? Screenshots are worth 1000 words 😄

Checklist

• Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
• CI/CD jobs passed ✔️
• Validated SPL logic.
• Validated tags, description, and how to implement.
• Verified references match analytic.
• Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

• If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
• Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
• Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the the date and version in the associated YAML file.

[tccontre]

for detection "Windows Chromium Browser Launched with Small Window Size" we cant use the $windows_width$ and $windows_height$, because the validation CI didn't manage to see those fields in search maybe in "by" clause. so I just removed the reference "$" to those field name even it will make it a normal string.

[nasbench]

for detection "Windows Chromium Browser Launched with Small Window Size" we cant use the w i n d o w s w i d t h and w i n d o w s h e i g h t , because the validation CI didn't manage to see those fields in search maybe in "by" clause. so I just removed the reference "$" to those field name even it will make it a normal string.

The reason for that is because RBA message takes fields that in the output only (the CI validates this). Anyway I have added them and improved the message.

@patel-bhavin just FYI the analytic Headless Browser Usage has changed from Hunting to Anomaly which means it will now generate risk/ intermediate findings when it triggers. Something to keep track of in the release notes