splunk
diff --git a/‎.github/labeler.yml‎
Lines changed: 5 additions & 0 deletions b/‎.github/labeler.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/workflows/appinspect.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/appinspect.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app_template/default/data/ui/views/feedback.xml‎
Lines changed: 2 additions & 2 deletions b/‎app_template/default/data/ui/views/feedback.xml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎contentctl.yml‎
Lines changed: 10 additions & 4 deletions b/‎contentctl.yml‎
Lines changed: 10 additions & 4 deletions
diff --git a/‎data_sources/aws_cloudtrail_consolelogin.yml‎
Lines changed: 2 additions & 2 deletions b/‎data_sources/aws_cloudtrail_consolelogin.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎data_sources/aws_cloudtrail_createvirtualmfadevice.yml‎
Lines changed: 3 additions & 3 deletions b/‎data_sources/aws_cloudtrail_createvirtualmfadevice.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎data_sources/aws_cloudtrail_describeeventaggregates.yml‎
Lines changed: 2 additions & 2 deletions b/‎data_sources/aws_cloudtrail_describeeventaggregates.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎data_sources/aws_cloudtrail_modifyimageattribute.yml‎
Lines changed: 1 addition & 1 deletion b/‎data_sources/aws_cloudtrail_modifyimageattribute.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎data_sources/cisco_secure_application_appdynamics_alerts.yml‎
Lines changed: 136 additions & 0 deletions b/‎data_sources/cisco_secure_application_appdynamics_alerts.yml‎
Lines changed: 136 additions & 0 deletions
@@ -22,3 +22,8 @@ Lookups:
 Datasource:
 - changed-files:
   - any-glob-to-any-file: data_sources/*
+
+Baselines:
+  - changed-files:
+    - any-glob-to-any-file: baselines/*
+
@@ -34,7 +34,7 @@ jobs:
           APPINSPECTPASSWORD: "${{ secrets.APPINSPECTPASSWORD }}"
         run: |
           echo $APPINSPECTUSERNAME
-          contentctl inspect --splunk-api-username "$APPINSPECTUSERNAME" --splunk-api-password "$APPINSPECTPASSWORD" --stack_type victoria --enrichments --enable-metadata-validation --suppress-missing-content-exceptions
+          contentctl inspect --splunk-api-username "$APPINSPECTUSERNAME" --splunk-api-password "$APPINSPECTPASSWORD" --enrichments --enable-metadata-validation --suppress-missing-content-exceptions
           echo "done appinspect"
           mkdir -p artifacts/app_inspect_report
           cp -r dist/*.html artifacts/app_inspect_report
 
@@ -138,7 +138,7 @@ Please use the [GitHub Issue Tracker](https://github.com/splunk/security_content
 If you have questions or need support, you can:
 
 * Post a question to [Splunk Answers](http://answers.splunk.com)
-* Join the [#security-research](https://splunk-usergroups.slack.com/archives/C1S5BEF38) room in the [Splunk Slack channel](http://splunk-usergroups.slack.com)
+* Join the [#security-research](https://splunkcommunity.slack.com/archives/CDNHXVBGS) channel in the [Splunk Community Slack.](https://splk.it/slack)
 
 ## License
 Copyright 2022 Splunk Inc.
 
@@ -6,8 +6,8 @@
       <html>
         <p5>You can contact the Splunk Threat Research team at<a href = "mailto:[email protected]">[email protected]</a> to send us support requests, bug reports, and questions.
           <br>Specify the request type and the title of any related analytic stories, detections analytics where applicable.</br>
-          You can also find us on the <b>#es-content-updates</b><a href = "http://splunk-usergroups.slack.com/"> Splunk Usergroups Slack channel.</a></p5>
+          You can also find us on the <b>#es-content-updates</b><a href = "https://splk.it/slack/"> Splunk Community Slack channel.</a></p5>
       </html>
     </panel>
   </row>
-</form>
+</form>
@@ -71,15 +71,15 @@ apps:
 - uid: 833
   title: Splunk Add-on for Unix and Linux
   appid: Splunk_TA_nix
-  version: 9.2.0
+  version: 10.0.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_920.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_1000.tgz
 - uid: 5579
   title: Splunk Add-on for CrowdStrike FDR
   appid: Splunk_TA_CrowdStrike_FDR
-  version: 2.0.3
+  version: 2.0.4
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_203.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_204.tgz
 - uid: 3185
   title: Splunk Add-on for Microsoft IIS
   appid: SPLUNK_TA_FOR_IIS
@@ -206,4 +206,10 @@ apps:
   version: 4.2.2
   description: PSC for MLTK
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/python-for-scientific-computing-for-linux-64-bit_422.tgz
+- uid: 2882
+  title: Splunk Add-on for AppDynamics
+  appid: Splunk_TA_AppDynamics
+  version: 3.0.0
+  description: The Splunk Add-on for AppDynamics enables you to easily configure data inputs to pull data from AppDynamics' REST APIs
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-appdynamics_300.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
@@ -90,13 +90,13 @@ fields:
 - vendor_product
 - vendor_region
 example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "accountId":
-  "140429656527", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
+  "111111111111", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
   "eventTime": "2022-10-19T20:33:38Z", "eventSource": "signin.amazonaws.com", "eventName":
   "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "142.254.89.27", "userAgent":
   "Go-http-client/1.1", "errorMessage": "No username found in supplied account", "requestParameters":
   null, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"LoginTo":
   "https://console.aws.amazon.com", "MobileVersion": "No", "MFAUsed": "No"}, "eventID":
   "9fcfb8c3-3fca-48db-85d2-7b107f9d95d0", "readOnly": false, "eventType": "AwsConsoleSignIn",
-  "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory":
+  "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
   "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
   "clientProvidedHostHeader": "signin.aws.amazon.com"}}'
@@ -88,13 +88,13 @@ fields:
 - vendor_product
 - vendor_region
 example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
-  "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
+  "1111111111111111", "arn": "arn:aws:iam::1111111111111111:root", "accountId": "1111111111111111",
   "accessKeyId": "ASIASBMSCQHH2YXNXJBU", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
   {}, "attributes": {"creationDate": "2023-01-30T22:59:36Z", "mfaAuthenticated": "false"}}},
   "eventTime": "2023-01-30T23:02:23Z", "eventSource": "iam.amazonaws.com", "eventName":
   "CreateVirtualMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.6",
   "userAgent": "AWS Internal", "requestParameters": {"path": "/", "virtualMFADeviceName":
-  "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::140429656527:mfa/strt_mfa_2"}},
+  "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::1111111111111111:mfa/strt_mfa_2"}},
   "requestID": "2fbe2074-55f8-4ec6-ad32-0b250803cf46", "eventID": "7e1c493d-c3c3-4f4a-ae4f-8cdd38970027",
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
-  "140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+  "1111111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
@@ -84,7 +84,7 @@ fields:
 - vendor_product
 - vendor_region
 example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
-  "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
+  "1111111111111111", "arn": "arn:aws:iam::1111111111111111:root", "accountId": "1111111111111111",
   "accessKeyId": "ASIASBMSCQHHQQ6LB24V", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
   {}, "attributes": {"creationDate": "2023-01-31T21:58:17Z", "mfaAuthenticated": "true"}}},
   "eventTime": "2023-02-01T02:52:34Z", "eventSource": "health.amazonaws.com", "eventName":
@@ -93,5 +93,5 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
   "filter": {"eventStatusCodes": ["open", "upcoming"], "startTimes": [{"from": "Jan
   25, 2023 2:54:32 AM"}]}}, "responseElements": null, "requestID": "d6adf050-1d7a-4c25-9d48-0319e33f6f9a",
   "eventID": "201cee69-61ab-4ffb-80b7-bd31e81e0d82", "readOnly": true, "eventType":
-  "AwsApiCall", "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory":
+  "AwsApiCall", "managementEvent": true, "recipientAccountId": "1111111111111111", "eventCategory":
   "Management", "sessionCredentialFromConsole": "true"}'
@@ -101,7 +101,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "ec2.amazonaws.com", "eventName": "ModifyImageAttribute", "awsRegion": "us-west-2",
   "sourceIPAddress": "72.135.245.10", "userAgent": "AWS Internal", "requestParameters":
   {"imageId": "ami-06dac31db29508566", "launchPermission": {"add": {"items": [{"userId":
-  "140429656527"}]}}, "attributeType": "launchPermission"}, "responseElements": {"requestId":
+  "1111111111111111"}]}}, "attributeType": "launchPermission"}, "responseElements": {"requestId":
   "84c431ce-6268-4218-aaf8-b4cdc1cd4055", "_return": true}, "requestID": "84c431ce-6268-4218-aaf8-b4cdc1cd4055",
   "eventID": "957e1b12-ea17-4006-aefd-20677ace72b8", "readOnly": false, "eventType":
   "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
 
@@ -0,0 +1,136 @@
+name: Cisco Secure Application AppDynamics Alerts
+id: 5c963eb0-010e-4386-875f-5134879f14a7
+version: 1
+date: '2025-02-04'
+author: Bhavin Patel, Splunk
+description: Data source object for alerts from Cisco Secure Application
+source: AppDynamics Security
+sourcetype: appdynamics_security
+supported_TA:
+- name: Splunk Add-on for AppDynamics
+  url: https://splunkbase.splunk.com/app/3471
+  version: 3.0.0
+fields:
+- SourceType
+- apiServerExternal
+- app_name
+- application
+- attackEventTrigger
+- attackEvents{}.applicationName
+- attackEvents{}.attackOutcome
+- attackEvents{}.attackTypes
+- attackEvents{}.blocked
+- attackEvents{}.blockedReason
+- attackEvents{}.clientAddress
+- attackEvents{}.clientAddressType
+- attackEvents{}.clientPort
+- attackEvents{}.cveId
+- attackEvents{}.detailJson.apiServerExternal
+- attackEvents{}.detailJson.apiServerInUrl
+- attackEvents{}.detailJson.classname
+- attackEvents{}.detailJson.hostContext
+- attackEvents{}.detailJson.methodName
+- attackEvents{}.detailJson.ptype
+- attackEvents{}.detailJson.socketOut
+- attackEvents{}.eventType
+- attackEvents{}.jvmId
+- attackEvents{}.keyInfo
+- attackEvents{}.maliciousIpOut
+- attackEvents{}.maliciousIpSource
+- attackEvents{}.maliciousIpSourceOut
+- attackEvents{}.matchedCveName
+- attackEvents{}.serverAddress
+- attackEvents{}.serverName
+- attackEvents{}.serverPort
+- attackEvents{}.stackTrace
+- attackEvents{}.tierName
+- attackEvents{}.timestamp
+- attackEvents{}.vulnerabilityInfo.cveNvdUrl
+- attackEvents{}.vulnerabilityInfo.cvePublishDate
+- attackEvents{}.vulnerabilityInfo.cvssScore
+- attackEvents{}.vulnerabilityInfo.cvssSeverity
+- attackEvents{}.vulnerabilityInfo.incidentFirstDetected
+- attackEvents{}.vulnerabilityInfo.kennaActiveInternetBreach
+- attackEvents{}.vulnerabilityInfo.kennaEasilyExploitable
+- attackEvents{}.vulnerabilityInfo.kennaMalwareExploitable
+- attackEvents{}.vulnerabilityInfo.kennaPopularTarget
+- attackEvents{}.vulnerabilityInfo.kennaPredictedExploitable
+- attackEvents{}.vulnerabilityInfo.kennaScore
+- attackEvents{}.vulnerabilityInfo.library
+- attackEvents{}.vulnerabilityInfo.title
+- attackEvents{}.vulnerabilityInfo.type
+- attackEvents{}.vulnerableMethod
+- attackEvents{}.webTransactionUrl
+- attackId
+- attackLastDetected
+- attackOutcome
+- attackSource
+- attackStatus
+- attackTypes
+- blocked
+- blockedReason
+- businessTransaction
+- classname
+- clientAddressType
+- cveId
+- cveNvdUrl
+- cvePublishDate
+- cvssScore
+- cvssSeverity
+- dest_ip
+- dest_nt_host
+- dest_port
+- eventType
+- eventtype
+- host
+- incidentFirstDetected
+- index
+- jvmId
+- kennaActiveInternetBreach
+- kennaEasilyExploitable
+- kennaMalwareExploitable
+- kennaPopularTarget
+- kennaPredictedExploitable
+- kennaScore
+- keyInfo
+- linecount
+- maliciousIpOut
+- maliciousIpSource
+- maliciousIpSourceOut
+- matchedCveName
+- methodName
+- ptype
+- punct
+- signature
+- socketAddr
+- socketFromLog4j
+- socketOut
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src_category
+- src_ip
+- src_port
+- stackTrace
+- status
+- tag
+- tag::eventtype
+- tier
+- tierName
+- timestamp
+- vulnLibrary
+- vulnTitle
+- vulnType
+- vulnerableMethod
+- webTransactionUrl
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _time
+example_log: '{  "SourceType": "secure_app_attacks",  "attackId": "24815279",  "attackSource": "EXTERNAL",  "attackOutcome": "EXPLOITED",  "attackTypes": "{SSRF}",  "attackEventTrigger": "",  "application": "AD-Ecommerce",  "tier": "Order-Processing-Services",  "businessTransaction": "Checkout",  "attackStatus": "OPEN",  "attackLastDetected": "2025-01-31 12:30:22 +0000 UTC",  "attackEvents": [{"attackOutcome":"EXPLOITED","eventType":"SOCKET_RESOLVE","attackTypes":"SSRF","timestamp":"2025-01-31T12:30:22Z","applicationName":"AD-Ecommerce","tierName":"Order-Processing-Services","maliciousIpOut":"","maliciousIpSourceOut":"","detailJson":{"classname":"java.net.SocketPermission","ptype":"SOCKET","socketOut":"www.cisco.com","hostContext":"www.cisco.com","methodName":"sun.net.www.http.HttpClient.openServer","apiServerExternal":true,"apiServerInUrl":true},"blocked":false,"blockedReason":"","vulnerableMethod":"org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)","matchedCveName":"CVE-2020-13934","keyInfo":"","cveId":"a21931cd-52fa-11ec-a8b2-8e3051145156","stackTrace":"java.lang.SecurityManager.checkConnect(SecurityManager.java:1051)\nsun.net.www.http.HttpClient.openServer(HttpClient.java:510)\nsun.net.www.protocol.https.HttpsClient.\u003cinit\u003e(HttpsClient.java:264)\nsun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)\nsun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)\norg.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.login(SomeFile.java:12)\nsun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138)\nsun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1022)\nsun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1020)\njava.security.AccessController.doPrivileged(Native Method)\njava.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)\nsun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1019)\nsun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)\nsun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)\nsun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:91)\nsun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1466)\nsun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1464)\njava.security.AccessController.doPrivileged(Native Method)\njava.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)\nsun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1463)\nsun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)\nservlet.ArgentoDemoApp$GenericExecution._executeServletCommand(ArgentoDemoApp.java:850)\nservlet.ArgentoDemoApp$GenericExecution.executeServletCommand(ArgentoDemoApp.java:778)\nservlet.ArgentoDemoApp$MyApplicationExecution.executeServletCommand(ArgentoDemoApp.java:718)\nservlet.ArgentoDemoApp._doGet(ArgentoDemoApp.java:441)\nservlet.ArgentoDemoApp.doGet(ArgentoDemoApp.java:376)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:634)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:741)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\norg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\norg.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)\norg.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)\norg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)\norg.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)\norg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\norg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)\norg.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)\norg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\norg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)\norg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\norg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)\norg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)\norg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\njava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\njava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\norg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\njava.lang.Thread.run(Thread.java:745)\n","jvmId":"EEcommerce_MS_NODE","maliciousIpSource":"","webTransactionUrl":"https://localhost:8088/argentoDemoApp/execute?upload=https://www.cisco.com/c/dam/cdc/t/ctm-core.js","clientAddressType":4,"clientAddress":"218.132.217.179","serverPort":"1047","serverAddress":"75.155.150.130","clientPort":"68389","serverName":"/usr/src/argento/prod/demo-run/tomcat-demo-app/webapps/argentoDemoApp/","vulnerabilityInfo":{"cvePublishDate":"2020-07-15T16:40:14.601976Z","cvssScore":5.3,"cvssSeverity":"MEDIUM","cveNvdUrl":"https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-584427","incidentFirstDetected":"2020-07-15T16:40:14.601976Z","kennaScore":53.0971,"library":"org.apache.tomcat.embed:tomcat-embed-core","title":"Denial of Service (DoS)","type":"java","kennaActiveInternetBreach":false,"kennaEasilyExploitable":false,"kennaMalwareExploitable":false,"kennaPredictedExploitable":true,"kennaPopularTarget":false}}]}'