Merge branch 'develop' into github_detections_improvement

Author: Patrick Bareiss

.github/labeler.yml

@@ -22,3 +22,8 @@ Lookups:
 Datasource:
 - changed-files:
   - any-glob-to-any-file: data_sources/*
+
+Baselines:
+  - changed-files:
+    - any-glob-to-any-file: baselines/*
+

.github/workflows/appinspect.yml

@@ -34,7 +34,7 @@ jobs:
           APPINSPECTPASSWORD: "${{ secrets.APPINSPECTPASSWORD }}"
         run: |
           echo $APPINSPECTUSERNAME
-          contentctl inspect --splunk-api-username "$APPINSPECTUSERNAME" --splunk-api-password "$APPINSPECTPASSWORD" --stack_type victoria --enrichments --enable-metadata-validation --suppress-missing-content-exceptions
+          contentctl inspect --splunk-api-username "$APPINSPECTUSERNAME" --splunk-api-password "$APPINSPECTPASSWORD" --enrichments --enable-metadata-validation --suppress-missing-content-exceptions
           echo "done appinspect"
           mkdir -p artifacts/app_inspect_report
           cp -r dist/*.html artifacts/app_inspect_report

README.md

@@ -138,7 +138,7 @@ Please use the [GitHub Issue Tracker](https://github.com/splunk/security_content
 If you have questions or need support, you can:
 
 * Post a question to [Splunk Answers](http://answers.splunk.com)
-* Join the [#security-research](https://splunk-usergroups.slack.com/archives/C1S5BEF38) room in the [Splunk Slack channel](http://splunk-usergroups.slack.com)
+* Join the [#security-research](https://splunkcommunity.slack.com/archives/CDNHXVBGS) channel in the [Splunk Community Slack.](https://splk.it/slack)
 
 ## License
 Copyright 2022 Splunk Inc.

app_template/default/data/ui/views/feedback.xml

@@ -6,8 +6,8 @@
       <html>
         <p5>You can contact the Splunk Threat Research team at<a href = "mailto:[email protected]">[email protected]</a> to send us support requests, bug reports, and questions.
           <br>Specify the request type and the title of any related analytic stories, detections analytics where applicable.</br>
-          You can also find us on the <b>#es-content-updates</b><a href = "http://splunk-usergroups.slack.com/"> Splunk Usergroups Slack channel.</a></p5>
+          You can also find us on the <b>#es-content-updates</b><a href = "https://splk.it/slack/"> Splunk Community Slack channel.</a></p5>
       </html>
     </panel>
   </row>
-</form>
+</form>

contentctl.yml

@@ -77,9 +77,9 @@ apps:
 - uid: 5579
   title: Splunk Add-on for CrowdStrike FDR
   appid: Splunk_TA_CrowdStrike_FDR
-  version: 2.0.3
+  version: 2.0.4
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_203.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_204.tgz
 - uid: 3185
   title: Splunk Add-on for Microsoft IIS
   appid: SPLUNK_TA_FOR_IIS

data_sources/aws_cloudtrail_consolelogin.yml

@@ -90,13 +90,13 @@ fields:
 - vendor_product
 - vendor_region
 example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "accountId":
-  "140429656527", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
+  "111111111111", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
   "eventTime": "2022-10-19T20:33:38Z", "eventSource": "signin.amazonaws.com", "eventName":
   "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "142.254.89.27", "userAgent":
   "Go-http-client/1.1", "errorMessage": "No username found in supplied account", "requestParameters":
   null, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"LoginTo":
   "https://console.aws.amazon.com", "MobileVersion": "No", "MFAUsed": "No"}, "eventID":
   "9fcfb8c3-3fca-48db-85d2-7b107f9d95d0", "readOnly": false, "eventType": "AwsConsoleSignIn",
-  "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory":
+  "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
   "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
   "clientProvidedHostHeader": "signin.aws.amazon.com"}}'

data_sources/aws_cloudtrail_createvirtualmfadevice.yml

@@ -88,13 +88,13 @@ fields:
 - vendor_product
 - vendor_region
 example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
-  "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
+  "1111111111111111", "arn": "arn:aws:iam::1111111111111111:root", "accountId": "1111111111111111",
   "accessKeyId": "ASIASBMSCQHH2YXNXJBU", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
   {}, "attributes": {"creationDate": "2023-01-30T22:59:36Z", "mfaAuthenticated": "false"}}},
   "eventTime": "2023-01-30T23:02:23Z", "eventSource": "iam.amazonaws.com", "eventName":
   "CreateVirtualMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.6",
   "userAgent": "AWS Internal", "requestParameters": {"path": "/", "virtualMFADeviceName":
-  "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::140429656527:mfa/strt_mfa_2"}},
+  "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::1111111111111111:mfa/strt_mfa_2"}},
   "requestID": "2fbe2074-55f8-4ec6-ad32-0b250803cf46", "eventID": "7e1c493d-c3c3-4f4a-ae4f-8cdd38970027",
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
-  "140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+  "1111111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'

data_sources/aws_cloudtrail_describeeventaggregates.yml

@@ -84,7 +84,7 @@ fields:
 - vendor_product
 - vendor_region
 example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
-  "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
+  "1111111111111111", "arn": "arn:aws:iam::1111111111111111:root", "accountId": "1111111111111111",
   "accessKeyId": "ASIASBMSCQHHQQ6LB24V", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
   {}, "attributes": {"creationDate": "2023-01-31T21:58:17Z", "mfaAuthenticated": "true"}}},
   "eventTime": "2023-02-01T02:52:34Z", "eventSource": "health.amazonaws.com", "eventName":
@@ -93,5 +93,5 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
   "filter": {"eventStatusCodes": ["open", "upcoming"], "startTimes": [{"from": "Jan
   25, 2023 2:54:32 AM"}]}}, "responseElements": null, "requestID": "d6adf050-1d7a-4c25-9d48-0319e33f6f9a",
   "eventID": "201cee69-61ab-4ffb-80b7-bd31e81e0d82", "readOnly": true, "eventType":
-  "AwsApiCall", "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory":
+  "AwsApiCall", "managementEvent": true, "recipientAccountId": "1111111111111111", "eventCategory":
   "Management", "sessionCredentialFromConsole": "true"}'

data_sources/aws_cloudtrail_modifyimageattribute.yml

@@ -101,7 +101,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "ec2.amazonaws.com", "eventName": "ModifyImageAttribute", "awsRegion": "us-west-2",
   "sourceIPAddress": "72.135.245.10", "userAgent": "AWS Internal", "requestParameters":
   {"imageId": "ami-06dac31db29508566", "launchPermission": {"add": {"items": [{"userId":
-  "140429656527"}]}}, "attributeType": "launchPermission"}, "responseElements": {"requestId":
+  "1111111111111111"}]}}, "attributeType": "launchPermission"}, "responseElements": {"requestId":
   "84c431ce-6268-4218-aaf8-b4cdc1cd4055", "_return": true}, "requestID": "84c431ce-6268-4218-aaf8-b4cdc1cd4055",
   "eventID": "957e1b12-ea17-4006-aefd-20677ace72b8", "readOnly": false, "eventType":
   "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":

data_sources/crowdstrike_processrollup2.yml

@@ -10,7 +10,7 @@ separator: event_simpleName
 supported_TA:
 - name: Splunk Add-on for CrowdStrike FDR
   url: https://splunkbase.splunk.com/app/5579
-  version: 2.0.3
+  version: 2.0.4
 fields:
 - AuthenticationId
 - AuthenticationId_meaning