updating yamls

Author: patel-bhavin

baselines/baseline_of_open_s3_bucket_decommissioning.yml

@@ -62,3 +62,10 @@ deployment:
     earliest_time: -30d@d
     latest_time: -1d@d
     schedule_window: auto
+# Baselines usually dont have tests, but there was no good place to store this information explicitly, adding it as a comment.
+# tests:
+# - name: Baseline Dataset Test
+#   attack_data:
+#   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
+#     source: cloudtrail
+#     sourcetype: aws:cloudtrail

detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml

@@ -7,7 +7,7 @@ status: experimental
 type: Anomaly
 description: This detection identifies DNS queries to domains that match previously decommissioned S3 buckets. This activity is significant because attackers may attempt to recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
 data_source:
-- DNS logs
+- Sysmon EventID 22
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.query DNS.src 
 | `drop_dm_object_name("DNS")` 
 | `security_content_ctime(firstTime)` 
@@ -47,14 +47,10 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: network
-# tests:
-# - name: Baseline Dataset Test
-#   attack_data:
-#   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
-#     source: cloudtrail
-#     sourcetype: aws:cloudtrail 
-# - name: True Positive Test
-#   attack_data:
-#   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log
-#     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-#     sourcetype: XmlWinEventLog
+  manual_test: This search needs a lookup table to be populated -decommissioned_buckets.csv by running a baseline search `Baseline Of Open S3 Bucket Decommissioning` prior to running this detection.
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/web/detect_web_access_to_decommissioned_s3_bucket.yml

@@ -6,7 +6,8 @@ author: Jose Hernandez, Splunk
 status: experimental
 type: Anomaly
 description: This detection identifies web requests to domains that match previously decommissioned S3 buckets through web proxy logs. This activity is significant because attackers may attempt to access or recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
-data_source: []
+data_source:
+- AWS Cloudfront
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.http_method) as http_method values(Web.http_user_agent) as http_user_agent values(Web.url) as url values(Web.user) as user from datamodel=Web where Web.url_domain!="" by Web.src Web.url_domain 
 | `drop_dm_object_name("Web")` 
 | `security_content_ctime(firstTime)` 
@@ -50,14 +51,10 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: network
-# tests:
-# - name: Baseline Dataset Test
-#   attack_data:
-#   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
-#     source: cloudtrail
-#     sourcetype: aws:cloudtrail 
-# - name: True Positive Test
-#   attack_data:
-#   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log
-#     source: aws_cloudfront_accesslogs
-#     sourcetype: aws:cloudfront:accesslogs
+  manual_test: This search needs a lookup table to be populated -decommissioned_buckets.csv by running a baseline search `Baseline Of Open S3 Bucket Decommissioning` prior to running this detection.
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log
+    source: aws_cloudfront_accesslogs
+    sourcetype: aws:cloudfront:accesslogs