Merge branch 'develop' into new-research-detection-endpoint

Author: zake1god

.github/labeler.yml

@@ -22,3 +22,8 @@ Lookups:
 Datasource:
 - changed-files:
   - any-glob-to-any-file: data_sources/*
+
+Baselines:
+  - changed-files:
+    - any-glob-to-any-file: baselines/*
+

.github/workflows/appinspect.yml

@@ -18,7 +18,13 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip install contentctl>=4.0.0
+          if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
+            echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
+            pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
+          else
+            echo "Installing latest contentctl version"
+            pip install contentctl
+          fi
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
           git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
       
@@ -28,7 +34,7 @@ jobs:
           APPINSPECTPASSWORD: "${{ secrets.APPINSPECTPASSWORD }}"
         run: |
           echo $APPINSPECTUSERNAME
-          contentctl inspect --splunk-api-username "$APPINSPECTUSERNAME" --splunk-api-password "$APPINSPECTPASSWORD" --stack_type victoria --enrichments --enable-metadata-validation --suppress-missing-content-exceptions
+          contentctl inspect --splunk-api-username "$APPINSPECTUSERNAME" --splunk-api-password "$APPINSPECTPASSWORD" --enrichments --enable-metadata-validation --suppress-missing-content-exceptions
           echo "done appinspect"
           mkdir -p artifacts/app_inspect_report
           cp -r dist/*.html artifacts/app_inspect_report

.github/workflows/auto-update.yml

@@ -19,7 +19,13 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip install contentctl>=4.0.0
+          if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
+            echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
+            pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
+          else
+            echo "Installing latest contentctl version"
+            pip install contentctl
+          fi
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
           git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
       

.github/workflows/build.yml

@@ -23,7 +23,13 @@ jobs:
         - name: Install Python Dependencies and ContentCTL
           run: |
             python -m pip install --upgrade pip
-            pip install contentctl>=4.0.0
+            if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
+              echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
+              pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
+            else
+              echo "Installing latest contentctl version"
+              pip install contentctl
+            fi
            
         # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
         # Make sure we check out the PR, even if it actually lives in a fork

.github/workflows/unit-testing.yml

@@ -138,7 +138,7 @@ Please use the [GitHub Issue Tracker](https://github.com/splunk/security_content
 If you have questions or need support, you can:
 
 * Post a question to [Splunk Answers](http://answers.splunk.com)
-* Join the [#security-research](https://splunk-usergroups.slack.com/archives/C1S5BEF38) room in the [Splunk Slack channel](http://splunk-usergroups.slack.com)
+* Join the [#security-research](https://splunkcommunity.slack.com/archives/CDNHXVBGS) channel in the [Splunk Community Slack.](https://splk.it/slack)
 
 ## License
 Copyright 2022 Splunk Inc.

README.md

@@ -6,8 +6,8 @@
       <html>
         <p5>You can contact the Splunk Threat Research team at<a href = "mailto:[email protected]">[email protected]</a> to send us support requests, bug reports, and questions.
           <br>Specify the request type and the title of any related analytic stories, detections analytics where applicable.</br>
-          You can also find us on the <b>#es-content-updates</b><a href = "http://splunk-usergroups.slack.com/"> Splunk Usergroups Slack channel.</a></p5>
+          You can also find us on the <b>#es-content-updates</b><a href = "https://splk.it/slack/"> Splunk Community Slack channel.</a></p5>
       </html>
     </panel>
   </row>
-</form>
+</form>

app_template/default/data/ui/views/feedback.xml

@@ -4,7 +4,7 @@ version: 1
 date: '2018-05-07'
 author: Bhavin Patel, Splunk
 type: Baseline
-datamodel: []
+status: production
 description: This search establishes, on a per-hour basis, the average and the standard
   deviation of the number of outbound connections blocked in your VPC flow logs by
   each source IP address (IP address of your EC2 instances). Also recorded is the
@@ -34,9 +34,4 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - _time
-  - action
-  - src_ip
-  - dest_ip
   security_domain: network

baselines/baseline_of_blocked_outbound_traffic_from_aws.yml

@@ -4,8 +4,7 @@ version: 1
 date: '2020-09-07'
 author: David Dorsey, Splunk
 type: Baseline
-datamodel:
-- Change
+status: production
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   for how many API calls are performed by each user. By default, the search uses the
   last 90 days of data to build the model and the model is rebuilt weekly. The model
@@ -40,14 +39,10 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - _time
-  - All_Changes.user
-  - All_Changes.status
   security_domain: network
 deployment:
   scheduling:
     cron_schedule: 0 2 * * 0
     earliest_time: -90d@d
     latest_time: -1d@d
-    schedule_window: auto
+    schedule_window: auto

baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml

@@ -4,8 +4,7 @@ version: 1
 date: '2020-08-25'
 author: David Dorsey, Splunk
 type: Baseline
-datamodel:
-- Change
+status: production
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   for how many instances are destroyed in the environment. By default, the search
   uses the last 90 days of data to build the model and the model is rebuilt weekly.
@@ -20,17 +19,16 @@ search: '| tstats count as instances_destroyed from datamodel=Change where All_C
   <= 5, 0, 1) | table _time instances_destroyed, HourOfDay, isWeekend | fit DensityFunction
   instances_destroyed by "HourOfDay,isWeekend" into cloud_excessive_instances_destroyed_v1
   dist=expon show_density=true'
-how_to_implement: 'You must have Enterprise Security 6.0 or later, if not you will
+how_to_implement: "You must have Enterprise Security 6.0 or later, if not you will
   need to verify that the Machine Learning Toolkit (MLTK) version 4.2 or later is
   installed, along with any required dependencies. Depending on the number of users
   in your environment, you may also need to adjust the value for max_inputs in the
   MLTK settings for the DensityFunction algorithm, then ensure that the search completes
   in a reasonable timeframe. By default, the search builds the model using the past
   30 days of data. You can modify the search window to build the model over a longer
   period of time, which may give you better results. You may also want to periodically
-  re-run this search to rebuild the model with the latest data.
-
-  More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.'
+  re-run this search to rebuild the model with the latest data.\nMore information
+  on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`."
 known_false_positives: none
 references: []
 tags:
@@ -43,15 +41,10 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - _time
-  - All_Changes.action
-  - All_Changes.status
-  - All_Changes.object_category
   security_domain: network
 deployment:
   scheduling:
     cron_schedule: 0 2 * * 0
     earliest_time: -90d@d
     latest_time: -1d@d
-    schedule_window: auto
+    schedule_window: auto