fixing merge conflicts

Author: josehelps

.github/labeler.yml

@@ -22,3 +22,8 @@ Lookups:
 Datasource:
 - changed-files:
   - any-glob-to-any-file: data_sources/*
+
+Baselines:
+  - changed-files:
+    - any-glob-to-any-file: baselines/*
+

.github/workflows/appinspect.yml

@@ -34,7 +34,7 @@ jobs:
           APPINSPECTPASSWORD: "${{ secrets.APPINSPECTPASSWORD }}"
         run: |
           echo $APPINSPECTUSERNAME
-          contentctl inspect --splunk-api-username "$APPINSPECTUSERNAME" --splunk-api-password "$APPINSPECTPASSWORD" --stack_type victoria --enrichments --enable-metadata-validation --suppress-missing-content-exceptions
+          contentctl inspect --splunk-api-username "$APPINSPECTUSERNAME" --splunk-api-password "$APPINSPECTPASSWORD" --enrichments --enable-metadata-validation --suppress-missing-content-exceptions
           echo "done appinspect"
           mkdir -p artifacts/app_inspect_report
           cp -r dist/*.html artifacts/app_inspect_report

app_template/default/data/ui/nav/default.xml

@@ -2,6 +2,8 @@
   <view name="escu_summary" default="true"/>
   <view name="feedback"/>
   <view name="search"/>
-  <view name="dashboards"/>
-  <a href="http://docs.splunk.com/Documentation/ESSOC">Docs</a>
+  <collection label="Dashboards">
+    <view source="unclassified" match="__"/>
+  </collection>
+  <a href="https://docs.splunk.com/Documentation/ESCU">Docs</a>
 </nav>

baselines/baseline_of_open_s3_bucket_decommissioning.yml

@@ -1,15 +1,16 @@
-data_source: []
-mitre_attack_ids: ''
-security_domain: audit
 name: Baseline Of Open S3 Bucket Decommissioning
 id: 984e9022-b87b-499a-a260-8d0282c46ea2
 version: 1
 date: '2025-02-12'
 author: Jose Hernandez
 type: Baseline
 status: production
-description: This baseline search identifies S3 buckets that were previously exposed to the public (either through bucket policies or website hosting) and have been subsequently deleted. This helps track the lifecycle of potentially risky S3 bucket configurations and their proper decommissioning.
-kind: cloud
+description: |-
+  The following analytic identifies S3 buckets that were previously exposed to the public and have been subsequently deleted. It leverages AWS CloudTrail logs to track the lifecycle of potentially risky S3 bucket configurations. This activity is crucial for ensuring that public access to sensitive data is properly managed and decommissioned. By monitoring these events, organizations can ensure that exposed buckets are promptly deleted, reducing the risk of unauthorized access. Immediate investigation is recommended to confirm the proper decommissioning of these buckets and to ensure no sensitive data remains exposed. This baseline detection creates a lookup table of decommissioned buckets.csv and their associated events which can be used by detection searches to trigger alerts when decommissioned buckets are detected.
+
+  The  following detections searches leverage this baseline search and the lookup table.
+  * Detect DNS Query to Decommissioned S3 Bucket
+  * Detect Web Access to Decommissioned S3 Bucket
 search: '`cloudtrail` eventSource="s3.amazonaws.com"  (eventName=DeleteBucket OR eventName=PutBucketPolicy OR eventName=PutBucketWebsite)
 | spath input=_raw path=requestParameters.bucketName output=bucketName
 | spath input=_raw path=requestParameters.Host output=host
@@ -36,8 +37,8 @@ search: '`cloudtrail` eventSource="s3.amazonaws.com"  (eventName=DeleteBucket OR
 | eval policy_details = if(isPublicPolicy==1, "Policy: Principal=" . mvjoin(principals, ", ") . " Effect=" . mvjoin(effects, ", ") . " Action=" . mvjoin(actions, ", "), "No Public Policy")
 | eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting")
 | table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
-| outputlookup append=true decommissioned_buckets.csv | `baseline_of_open_s3_bucket_decommissioning_filter`'
-how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup file named decommissioned_buckets.csv which tracks the history of deleted buckets that were previously exposed to the public.
+| outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`'
+how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public.
 known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
 references:
 - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
@@ -47,7 +48,6 @@ tags:
   analytic_story:
   - AWS S3 Bucket Security Monitoring
   - Suspicious AWS S3 Activities
-  message: An S3 bucket that was previously configured with public access has been deleted
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -61,4 +61,4 @@ deployment:
     cron_schedule: 0 2 * * 0
     earliest_time: -30d@d
     latest_time: -1d@d
-    schedule_window: auto
+    schedule_window: auto

contentctl.yml

@@ -77,9 +77,9 @@ apps:
 - uid: 5579
   title: Splunk Add-on for CrowdStrike FDR
   appid: Splunk_TA_CrowdStrike_FDR
-  version: 2.0.3
+  version: 2.0.4
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_203.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_204.tgz
 - uid: 3185
   title: Splunk Add-on for Microsoft IIS
   appid: SPLUNK_TA_FOR_IIS
@@ -206,4 +206,10 @@ apps:
   version: 4.2.2
   description: PSC for MLTK
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/python-for-scientific-computing-for-linux-64-bit_422.tgz
+- uid: 2882
+  title: Splunk Add-on for AppDynamics
+  appid: Splunk_TA_AppDynamics
+  version: 3.0.0
+  description: The Splunk Add-on for AppDynamics enables you to easily configure data inputs to pull data from AppDynamics' REST APIs
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-appdynamics_300.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd

data_sources/cisco_secure_application_appdynamics_alerts.yml

@@ -0,0 +1,136 @@
+name: Cisco Secure Application AppDynamics Alerts
+id: 5c963eb0-010e-4386-875f-5134879f14a7
+version: 1
+date: '2025-02-04'
+author: Bhavin Patel, Splunk
+description: Data source object for alerts from Cisco Secure Application
+source: AppDynamics Security
+sourcetype: appdynamics_security
+supported_TA:
+- name: Splunk Add-on for AppDynamics
+  url: https://splunkbase.splunk.com/app/3471
+  version: 3.0.0
+fields:
+- SourceType
+- apiServerExternal
+- app_name
+- application
+- attackEventTrigger
+- attackEvents{}.applicationName
+- attackEvents{}.attackOutcome
+- attackEvents{}.attackTypes
+- attackEvents{}.blocked
+- attackEvents{}.blockedReason
+- attackEvents{}.clientAddress
+- attackEvents{}.clientAddressType
+- attackEvents{}.clientPort
+- attackEvents{}.cveId
+- attackEvents{}.detailJson.apiServerExternal
+- attackEvents{}.detailJson.apiServerInUrl
+- attackEvents{}.detailJson.classname
+- attackEvents{}.detailJson.hostContext
+- attackEvents{}.detailJson.methodName
+- attackEvents{}.detailJson.ptype
+- attackEvents{}.detailJson.socketOut
+- attackEvents{}.eventType
+- attackEvents{}.jvmId
+- attackEvents{}.keyInfo
+- attackEvents{}.maliciousIpOut
+- attackEvents{}.maliciousIpSource
+- attackEvents{}.maliciousIpSourceOut
+- attackEvents{}.matchedCveName
+- attackEvents{}.serverAddress
+- attackEvents{}.serverName
+- attackEvents{}.serverPort
+- attackEvents{}.stackTrace
+- attackEvents{}.tierName
+- attackEvents{}.timestamp
+- attackEvents{}.vulnerabilityInfo.cveNvdUrl
+- attackEvents{}.vulnerabilityInfo.cvePublishDate
+- attackEvents{}.vulnerabilityInfo.cvssScore
+- attackEvents{}.vulnerabilityInfo.cvssSeverity
+- attackEvents{}.vulnerabilityInfo.incidentFirstDetected
+- attackEvents{}.vulnerabilityInfo.kennaActiveInternetBreach
+- attackEvents{}.vulnerabilityInfo.kennaEasilyExploitable
+- attackEvents{}.vulnerabilityInfo.kennaMalwareExploitable
+- attackEvents{}.vulnerabilityInfo.kennaPopularTarget
+- attackEvents{}.vulnerabilityInfo.kennaPredictedExploitable
+- attackEvents{}.vulnerabilityInfo.kennaScore
+- attackEvents{}.vulnerabilityInfo.library
+- attackEvents{}.vulnerabilityInfo.title
+- attackEvents{}.vulnerabilityInfo.type
+- attackEvents{}.vulnerableMethod
+- attackEvents{}.webTransactionUrl
+- attackId
+- attackLastDetected
+- attackOutcome
+- attackSource
+- attackStatus
+- attackTypes
+- blocked
+- blockedReason
+- businessTransaction
+- classname
+- clientAddressType
+- cveId
+- cveNvdUrl
+- cvePublishDate
+- cvssScore
+- cvssSeverity
+- dest_ip
+- dest_nt_host
+- dest_port
+- eventType
+- eventtype
+- host
+- incidentFirstDetected
+- index
+- jvmId
+- kennaActiveInternetBreach
+- kennaEasilyExploitable
+- kennaMalwareExploitable
+- kennaPopularTarget
+- kennaPredictedExploitable
+- kennaScore
+- keyInfo
+- linecount
+- maliciousIpOut
+- maliciousIpSource
+- maliciousIpSourceOut
+- matchedCveName
+- methodName
+- ptype
+- punct
+- signature
+- socketAddr
+- socketFromLog4j
+- socketOut
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src_category
+- src_ip
+- src_port
+- stackTrace
+- status
+- tag
+- tag::eventtype
+- tier
+- tierName
+- timestamp
+- vulnLibrary
+- vulnTitle
+- vulnType
+- vulnerableMethod
+- webTransactionUrl
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _time
+example_log: '{  "SourceType": "secure_app_attacks",  "attackId": "24815279",  "attackSource": "EXTERNAL",  "attackOutcome": "EXPLOITED",  "attackTypes": "{SSRF}",  "attackEventTrigger": "",  "application": "AD-Ecommerce",  "tier": "Order-Processing-Services",  "businessTransaction": "Checkout",  "attackStatus": "OPEN",  "attackLastDetected": "2025-01-31 12:30:22 +0000 UTC",  "attackEvents": [{"attackOutcome":"EXPLOITED","eventType":"SOCKET_RESOLVE","attackTypes":"SSRF","timestamp":"2025-01-31T12:30:22Z","applicationName":"AD-Ecommerce","tierName":"Order-Processing-Services","maliciousIpOut":"","maliciousIpSourceOut":"","detailJson":{"classname":"java.net.SocketPermission","ptype":"SOCKET","socketOut":"www.cisco.com","hostContext":"www.cisco.com","methodName":"sun.net.www.http.HttpClient.openServer","apiServerExternal":true,"apiServerInUrl":true},"blocked":false,"blockedReason":"","vulnerableMethod":"org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)","matchedCveName":"CVE-2020-13934","keyInfo":"","cveId":"a21931cd-52fa-11ec-a8b2-8e3051145156","stackTrace":"java.lang.SecurityManager.checkConnect(SecurityManager.java:1051)\nsun.net.www.http.HttpClient.openServer(HttpClient.java:510)\nsun.net.www.protocol.https.HttpsClient.\u003cinit\u003e(HttpsClient.java:264)\nsun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)\nsun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)\norg.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.login(SomeFile.java:12)\nsun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138)\nsun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1022)\nsun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1020)\njava.security.AccessController.doPrivileged(Native Method)\njava.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)\nsun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1019)\nsun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)\nsun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)\nsun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:91)\nsun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1466)\nsun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1464)\njava.security.AccessController.doPrivileged(Native Method)\njava.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)\nsun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1463)\nsun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)\nservlet.ArgentoDemoApp$GenericExecution._executeServletCommand(ArgentoDemoApp.java:850)\nservlet.ArgentoDemoApp$GenericExecution.executeServletCommand(ArgentoDemoApp.java:778)\nservlet.ArgentoDemoApp$MyApplicationExecution.executeServletCommand(ArgentoDemoApp.java:718)\nservlet.ArgentoDemoApp._doGet(ArgentoDemoApp.java:441)\nservlet.ArgentoDemoApp.doGet(ArgentoDemoApp.java:376)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:634)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:741)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\norg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\norg.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)\norg.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)\norg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)\norg.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)\norg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\norg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)\norg.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)\norg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\norg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)\norg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\norg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)\norg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)\norg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\njava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\njava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\norg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\njava.lang.Thread.run(Thread.java:745)\n","jvmId":"EEcommerce_MS_NODE","maliciousIpSource":"","webTransactionUrl":"https://localhost:8088/argentoDemoApp/execute?upload=https://www.cisco.com/c/dam/cdc/t/ctm-core.js","clientAddressType":4,"clientAddress":"218.132.217.179","serverPort":"1047","serverAddress":"75.155.150.130","clientPort":"68389","serverName":"/usr/src/argento/prod/demo-run/tomcat-demo-app/webapps/argentoDemoApp/","vulnerabilityInfo":{"cvePublishDate":"2020-07-15T16:40:14.601976Z","cvssScore":5.3,"cvssSeverity":"MEDIUM","cveNvdUrl":"https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-584427","incidentFirstDetected":"2020-07-15T16:40:14.601976Z","kennaScore":53.0971,"library":"org.apache.tomcat.embed:tomcat-embed-core","title":"Denial of Service (DoS)","type":"java","kennaActiveInternetBreach":false,"kennaEasilyExploitable":false,"kennaMalwareExploitable":false,"kennaPredictedExploitable":true,"kennaPopularTarget":false}}]}'

data_sources/crowdstrike_processrollup2.yml

@@ -10,7 +10,7 @@ separator: event_simpleName
 supported_TA:
 - name: Splunk Add-on for CrowdStrike FDR
   url: https://splunkbase.splunk.com/app/5579
-  version: 2.0.3
+  version: 2.0.4
 fields:
 - AuthenticationId
 - AuthenticationId_meaning
@@ -96,6 +96,7 @@ field_mappings:
   mapping:
     CommandLine: Processes.process
     ImageFileName: Processes.process_path
+    ImageFileName|endswith: Processes.process_name
     ParentBaseFileName: Processes.parent_process_name
     ParentProcessId: Processes.parent_process_id
     RawProcessId: Processes.process_id

data_sources/nginx_access.yml

@@ -6,7 +6,21 @@ author: Patrick Bareiss, Splunk
 description: Data source object for Nginx Access
 source: /var/log/nginx/access.log
 sourcetype: nginx:plus:kv
-supported_TA: []
+supported_TA:
+- name: Splunk Add-on for NGINX
+  url: https://splunkbase.splunk.com/app/3258
+  version: 3.3.0
+field_mappings:
+- data_model: cim
+  data_set: Web
+  mapping:
+    server: Web.dest
+    http_method: Web.http_method
+    http_user_agent: Web.http_user_agent
+    status: Web.status
+    uri_path: Web.url
+    url_length: Web.url_length
+    src_ip: Web.src
 fields:
 - _time
 - action

data_sources/palo_alto_network_threat.yml

@@ -10,6 +10,16 @@ supported_TA:
 - name: Palo Alto Networks Add-on
   url: https://splunkbase.splunk.com/app/2757
   version: 8.1.3
+field_mappings:
+- data_model: cim
+  data_set: Web
+  mapping:
+    dest: Web.dest
+    http_method: Web.http_method
+    http_user_agent: Web.http_user_agent
+    url: Web.url
+    url_length: Web.url_length
+    src: Web.src
 fields:
 - _time
 - date_hour

data_sources/palo_alto_network_traffic.yml

@@ -29,6 +29,16 @@ fields:
 - splunk_server
 - timeendpos
 - timestartpos
+field_mappings:
+- data_model: cim
+  data_set: All_Traffic
+  mapping:
+    app: All_Traffic.app
+    action: All_Traffic.action
+    dest_ip: All_Traffic.dest_ip
+    dest_port: All_Traffic.dest_port
+    src_ip: All_Traffic.src_ip
+    src_port: All_Traffic.src_port
 example_log: 577 <14>1 2024-02-22T12:33:50-05:00 PALO220.ATTACK_RANGE.LAN - - - -
   1,2024/02/22 12:33:50,012801036556,TRAFFIC,end,2305,2024/02/22 12:33:50,192.168.1.205,147.28.146.44,201.17.96.104,147.28.146.44,No_Vuln_Filtering_OUT,,,screenconnect,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,splunk_range,2024/02/22
   12:33:50,14740,1,50624,443,11024,443,0x40005e,tcp,allow,7419,6609,810,25,2024/02/22