updating dummy dataset links

Author: patel-bhavin

detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml

@@ -48,8 +48,13 @@ tags:
   - Splunk Cloud
   security_domain: network
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/dns_decommissioned_bucket/dns.log
-    source: dns
-    sourcetype: dns 
+# - name: Baseline Dataset Test
+#   attack_data:
+#   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
+#     source: cloudtrail
+#     sourcetype: aws:cloudtrail 
+# - name: True Positive Test
+#   attack_data:
+#   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log
+#     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+#     sourcetype: XmlWinEventLog

detections/web/detect_web_access_to_decommissioned_s3_bucket.yml

@@ -6,8 +6,7 @@ author: Jose Hernandez, Splunk
 status: experimental
 type: Anomaly
 description: This detection identifies web requests to domains that match previously decommissioned S3 buckets through web proxy logs. This activity is significant because attackers may attempt to access or recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
-data_source:
-- Web proxy logs
+data_source: []
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.http_method) as http_method values(Web.http_user_agent) as http_user_agent values(Web.url) as url values(Web.user) as user from datamodel=Web where Web.url_domain!="" by Web.src Web.url_domain 
 | `drop_dm_object_name("Web")` 
 | `security_content_ctime(firstTime)` 
@@ -51,9 +50,14 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: network
-tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/web_decommissioned_bucket/proxy.log
-    source: proxy
-    sourcetype: web_proxy 
+# tests:
+# - name: Baseline Dataset Test
+#   attack_data:
+#   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
+#     source: cloudtrail
+#     sourcetype: aws:cloudtrail 
+# - name: True Positive Test
+#   attack_data:
+#   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log
+#     source: aws_cloudfront_accesslogs
+#     sourcetype: aws:cloudfront:accesslogs