splunk
diff --git a/‎bin/replay.py‎
Lines changed: 71 additions & 3 deletions b/‎bin/replay.py‎
Lines changed: 71 additions & 3 deletions
diff --git a/‎total_replay/assets/banner.png‎
107 KB b/‎total_replay/assets/banner.png‎
107 KB
diff --git a/‎total_replay/assets/usage.png‎
417 KB b/‎total_replay/assets/usage.png‎
417 KB
diff --git a/‎total_replay/configuration/config.yml‎
Lines changed: 12 additions & 0 deletions b/‎total_replay/configuration/config.yml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎total_replay/poetry.lock‎
Lines changed: 740 additions & 0 deletions b/‎total_replay/poetry.lock‎
Lines changed: 740 additions & 0 deletions
diff --git a/‎total_replay/pyproject.toml‎
Lines changed: 24 additions & 0 deletions b/‎total_replay/pyproject.toml‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎total_replay/readme.md‎
Lines changed: 87 additions & 0 deletions b/‎total_replay/readme.md‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎total_replay/test/test_names.txt‎
Lines changed: 13 additions & 0 deletions b/‎total_replay/test/test_names.txt‎
Lines changed: 13 additions & 0 deletions
@@ -10,7 +10,7 @@
 from urllib3 import disable_warnings
 import yaml
 from pathlib import Path
-
+from urllib.parse import urlparse, urlunparse, unquote
 
 def load_environment_variables():
     """Load required environment variables for Splunk connection."""
@@ -114,6 +114,70 @@ def send_data_to_splunk(file_path, splunk_host, hec_token, event_host_uuid,
         except Exception as e:
             print(f":x: Error sending {file_path} to Splunk HEC: {e}")
 
+def parse_old_attack_yml_data_file(yml_file_path, 
+                                   index_override, 
+                                   source_override, 
+                                   sourcetype_override, 
+                                   host_uuid):
+    ### handling possible empty inputs
+    print("Processing old attack data yml file")
+    if source_override == "" or sourcetype_override == "" or index_override == "":
+        return None, [], {}
+    
+    try:
+        with open(yml_file_path, 'r') as file:
+            data = yaml.safe_load(file)
+
+        # Extract required fields
+        file_id = host_uuid
+        d = data.get('dataset')
+        ### if the instance is list
+        if isinstance(d, list):
+            dataset_val = d[0]
+        if isinstance(d, str):
+            dataset_val = d
+
+        name_value = os.path.basename(dataset_val).split(".")[0]
+        p = urlparse(dataset_val)
+        if not p.scheme or not p.netloc:
+            raise ValueError(f"Unsupported GitHub URL format: {dataset_val}")
+
+        m, path_value = str(p.path).split("master")
+        ### generate our own datasets data
+        ### "datasets": [
+        ###     {
+        ###        "name": "windows-sysmon_creddump",
+        ###        "path": "/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log",
+        ###        "sourcetype": "XmlWinEventLog",
+        ###        "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
+        ###    }
+        ### ]
+        # Extract required fields
+
+        datasets = [
+            {
+                "name": name_value,
+                "path": path_value,
+                "sourcetype":sourcetype_override,
+                "source":source_override
+            }
+        ]
+        #print(datasets)
+        # Extract default metadata from YAML file
+        default_index = index_override  
+        default_source = source_override
+        default_sourcetype = sourcetype_override
+
+        # Return tuple of (id, datasets_list, default_metadata)
+        return file_id, datasets, {
+            'index': default_index,
+            'source': default_source,
+            'sourcetype': default_sourcetype
+        }
+
+    except Exception as e:
+        print(f"Error parsing {yml_file_path}: {e}")
+        return None, [], {}
 
 def main():
     parser = argparse.ArgumentParser(
@@ -205,8 +269,12 @@ def main():
             file_id, datasets, defaults = parse_data_yml(yml_file)
 
             if not file_id or not datasets:
-                print(f"Skipping {yml_file} - no valid data found")
-                continue
+                
+                file_id, datasets, defaults = parse_old_attack_yml_data_file(yml_file, args.index_override, args.source_override, args.sourcetype_override, args.host_uuid)
+                
+                if not file_id or not datasets:
+                    print(f"Skipping {yml_file} - no valid data found")
+                    continue
 
             # Use the id from YAML file as host field (unless user provided one)
             event_host_uuid = args.host_uuid or file_id
 
@@ -0,0 +1,12 @@
+settings:
+  security_content_detection_path: ~/path/to/your/security_content/detections
+  attack_range_dir_path: ~/path/to/your/attack_range
+  attack_data_dir_path: ~/path/to/your/attack_data
+  attack_range_py_name: attack_range.py
+  output_dir_name : output
+  cache_replay_yaml_name : cache_replay_data.yml
+  replayed_yaml_cache_dir_name: replayed_yaml_cache
+  python_interpreter_name: python3
+  attack_range_version_on: False
+  attack_data_version_on: True
+  debug_print: True
@@ -0,0 +1,24 @@
+[project]
+name = "total-replay"
+version = "0.1.0"
+description = "Attack Data Replay Amplifier"
+authors = [
+    {name = "Teoderick Contreras",email = "[email protected]"}
+]
+license = {text = "Apache License"}
+requires-python = ">=3.13"
+dependencies = [
+    "rich (>=14.2.0,<15.0.0)",
+    "typer (>=0.20.0,<0.21.0)",
+    "pyyaml (>=6.0.3,<7.0.0)",
+    "requests (>=2.32.5,<3.0.0)",
+    "urllib3 (>=2.5.0,<3.0.0)",
+    "pandas (>=2.3.3,<3.0.0)",
+    "colorama (>=0.4.6,<0.5.0)",
+    "ansible-runner (>=2.4.2,<3.0.0)"
+]
+
+
+[build-system]
+requires = ["poetry-core>=2.0.0,<3.0.0"]
+build-backend = "poetry.core.masonry.api"
@@ -0,0 +1,87 @@
+# TOTAL-REPLAY
+
+![TOTAL-REPLAY](assets/banner.png)
+
+## Description
+
+This lightweight tool helps you make the most of Splunk’s [Security Content](https://github.com/splunk/security_content) metadata, such as detection names, analytic stories, and more, by replaying relevant test event logs or attack data from either the [Splunk Attack Data](https://github.com/splunk/attack_data) or [Splunk Attack Range](https://github.com/splunk/attack_range) projects.
+
+## Installation
+
+### MAC/LINUX
+#### TOTAL-REPLAY IN SPLUNK ATTACK-DATA REPO
+1. Clone the Splunk Security Content github repo. We recommend to follow this steps [Security Content Getting Started](https://github.com/splunk/security_content).
+
+2. Install Poetry (if not already installed)
+```
+curl -sSL https://install.python-poetry.org/ | python3 -
+```
+3. Navigate to your project directory
+```
+cd /path/to/your/total-replay-project
+```
+4. Create a virtual environment and activate it
+```
+poetry shell
+```
+5. Install project dependencies
+
+6. In total_replay->configuration->config.yml, add the folder path of the Splunk Attack Data repo and the detection folder path in Splunk Security Content.
+
+```
+settings:
+  security_content_detection_path: ~/path/to/your/security_content/detections
+  attack_data_dir_path: ~/path/to/your/attack_data
+```
+7. make sure you setup the required environment variables for splunk server connection
+
+    | Environment Variables.     | Description             |
+    |----------------------------|-------------------------|
+    | **SPLUNK_HOST**            | SPLUNK HOST IP ADDRESS  |
+    | **SPLUNK_HEC_TOKEN**       | SPLUNK SERVER HEC TOKEN |
+
+    you can use the `export` commandline function for adding these environment variables
+
+    ```
+    export SPLUNK_HOST= <IP_ADDRESS>
+    export SPLUNK_HEC_TOKEN= <SPLUNK_HEC_TOKEN>
+    ```
+
+### Windows
+We recommend using the Windows Subsystem for Linux (WSL). You can find a tutorial [here](https://learn.microsoft.com/en-us/windows/wsl/install). After installing WSL, you can follow the steps described in the Linux section.
+
+
+## Usage
+
+![TOTAL-REPLAY-USAGE](assets/usage.png)
+
+### Features
+
+A. This tool accepts the following types of metadata as input:
+
+    - **Splunk detection names**
+    - **MITRE ATT&CK tactic and technique IDs**
+    - **Splunk detection GUIDs**
+    - **Analytic stories**
+
+It then uses these inputs to identify and replay the attack data associated with them.
+
+B. Or for automation purposes, you can use a simple .txt file like:
+
+```
+wsreset_uac_bypass.yml
+wscript_or_cscript_suspicious_child_process.yml
+windows_user_deletion_via_net.yml
+Windows User Disabled Via Net
+Windows Chromium Browser No Security Sandbox Process
+004e32e2-146d-11ec-a83f-acde48001122
+01d29b48-ff6f-11eb-b81e-acde48001123
+#T1014
+T1589.001
+Amos Stealer
+PromptLock
+f64579c0-203f-11ec-abcc-acde48001122
+004e32e2-146d-11ec-a83f-acde48001122  
+```
+
+ that contains all the Security Content metadata you want to replay and then choose if you want to replay them all 
@@ -0,0 +1,13 @@
+wsreset_uac_bypass.yml
+wscript_or_cscript_suspicious_child_process.yml
+windows_user_deletion_via_net.yml
+Windows User Disabled Via Net
+Windows Chromium Browser No Security Sandbox Process
+004e32e2-146d-11ec-a83f-acde48001122
+01d29b48-ff6f-11eb-b81e-acde48001123
+#T1014
+T1589.001
+Amos Stealer
+PromptLock
+f64579c0-203f-11ec-abcc-acde48001122
+004e32e2-146d-11ec-a83f-acde48001122