Merge branch 'develop' into nterl0k-t1053-suspicious-task-lookups

Author: patel-bhavin

baselines/baseline_of_open_s3_bucket_decommissioning.yml

@@ -0,0 +1,64 @@
+name: Baseline Of Open S3 Bucket Decommissioning
+id: 984e9022-b87b-499a-a260-8d0282c46ea2
+version: 1
+date: '2025-02-12'
+author: Jose Hernandez
+type: Baseline
+status: production
+description: |-
+  The following analytic identifies S3 buckets that were previously exposed to the public and have been subsequently deleted. It leverages AWS CloudTrail logs to track the lifecycle of potentially risky S3 bucket configurations. This activity is crucial for ensuring that public access to sensitive data is properly managed and decommissioned. By monitoring these events, organizations can ensure that exposed buckets are promptly deleted, reducing the risk of unauthorized access. Immediate investigation is recommended to confirm the proper decommissioning of these buckets and to ensure no sensitive data remains exposed. This baseline detection creates a lookup table of decommissioned buckets.csv and their associated events which can be used by detection searches to trigger alerts when decommissioned buckets are detected.
+
+  The  following detections searches leverage this baseline search and the lookup table.
+  * Detect DNS Query to Decommissioned S3 Bucket
+  * Detect Web Access to Decommissioned S3 Bucket
+search: '`cloudtrail` eventSource="s3.amazonaws.com"  (eventName=DeleteBucket OR eventName=PutBucketPolicy OR eventName=PutBucketWebsite)
+| spath input=_raw path=requestParameters.bucketName output=bucketName
+| spath input=_raw path=requestParameters.Host output=host
+| spath input=_raw path=requestParameters.bucketPolicy.Statement{} output=statements
+| spath input=statements output=principal path=Principal
+| spath input=statements output=effect path=Effect
+| spath input=statements output=action path=Action
+| stats values(eventName) as events, 
+        values(requestParameters.bucketPolicy) as policies, 
+        values(principal) as principals,
+        values(effect) as effects,
+        values(action) as actions,
+        min(_time) as firstEvent, 
+        max(_time) as lastEvent,
+        values(userIdentity.accountId) as accountIds,
+        values(userIdentity.arn) as userARNs,
+        values(awsRegion) as awsRegions,
+        values(host) as hosts
+    by bucketName
+| eval isPublicPolicy = if( (mvfind(principals, "\\*")>=0) AND (mvfind(effects, "Allow")>=0) AND (mvfind(actions, "s3:GetObject")>=0), 1, 0)
+| eval isWebsite = if(mvfind(events, "PutBucketWebsite")>=0, 1, 0)
+| eval is_open = if(isPublicPolicy==1 OR isWebsite==1, 1, 0)
+| where is_open==1 AND (mvfind(events, "DeleteBucket")>=0)
+| eval policy_details = if(isPublicPolicy==1, "Policy: Principal=" . mvjoin(principals, ", ") . " Effect=" . mvjoin(effects, ", ") . " Action=" . mvjoin(actions, ", "), "No Public Policy")
+| eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting")
+| table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
+| outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`'
+how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public.
+known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
+references:
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
+- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
+tags:
+  analytic_story:
+  - AWS S3 Bucket Security Monitoring
+  - Suspicious AWS S3 Activities
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  detections:
+  - Detect DNS Query to Decommissioned S3 Bucket
+  - Detect Web Access to Decommissioned S3 Bucket
+  security_domain: audit
+deployment:
+  scheduling:
+    cron_schedule: 0 2 * * 0
+    earliest_time: -30d@d
+    latest_time: -1d@d
+    schedule_window: auto

contentctl.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.0.0
+  version: 5.1.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
@@ -30,17 +30,23 @@ splunk_api_username: null
 post_test_behavior: pause_on_failure
 apps:
 - uid: 1621
-  title: Splunk Common Information Model (CIM)
+  title: Splunk_SA_CIM
   appid: Splunk_SA_CIM
-  version: 6.0.1
+  version: 6.0.2
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-common-information-model-cim_601.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-common-information-model-cim_602.tgz
 - uid: 6553
   title: Splunk Add-on for Okta Identity Cloud
   appid: Splunk_TA_okta_identity_cloud
   version: 3.0.0
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-okta-identity-cloud_300.tgz
+- uid: 7404
+  title: Cisco Security Cloud
+  appid: CiscoSecurityCloud
+  version: 3.1.1
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_311.tgz
 - uid: 6652
   title: Add-on for Linux Sysmon
   appid: Splunk_TA_linux_sysmon
@@ -77,9 +83,9 @@ apps:
 - uid: 5579
   title: Splunk Add-on for CrowdStrike FDR
   appid: Splunk_TA_CrowdStrike_FDR
-  version: 2.0.4
+  version: 2.0.3
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_204.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_203.tgz
 - uid: 3185
   title: Splunk Add-on for Microsoft IIS
   appid: SPLUNK_TA_FOR_IIS
@@ -137,9 +143,9 @@ apps:
 - uid: 1876
   title: Splunk Add-on for AWS
   appid: Splunk_TA_aws
-  version: 7.9.0
+  version: 7.9.1
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-web-services-aws_790.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-web-services-aws_791.tgz
 - uid: 3088
   title: Splunk Add-on for Google Cloud Platform
   appid: SPLUNK_ADD_ON_FOR_GOOGLE_CLOUD_PLATFORM
@@ -149,21 +155,21 @@ apps:
 - uid: 5556
   title: Splunk Add-on for Google Workspace
   appid: SPLUNK_ADD_ON_FOR_GOOGLE_WORKSPACE
-  version: 3.0.2
+  version: 3.0.3
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_302.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_303.tgz
 - uid: 3110
   title: Splunk Add-on for Microsoft Cloud Services
   appid: SPLUNK_TA_MICROSOFT_CLOUD_SERVICES
-  version: 5.4.2
+  version: 5.4.3
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-cloud-services_542.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-cloud-services_543.tgz
 - uid: 4055
   title: Splunk Add-on for Microsoft Office 365
   appid: SPLUNK_ADD_ON_FOR_MICROSOFT_OFFICE_365
-  version: 4.7.0
+  version: 4.8.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-office-365_470.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-office-365_480.tgz
 - uid: 2890
   title: Splunk Machine Learning Toolkit
   appid: SPLUNK_MACHINE_LEARNING_TOOLKIT
@@ -206,10 +212,17 @@ apps:
   version: 4.2.2
   description: PSC for MLTK
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/python-for-scientific-computing-for-linux-64-bit_422.tgz
+- uid: 6254
+  title: Splunk Add-on for Github
+  appid: Splunk_TA_github
+  version: 3.1.0
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-github_310.tgz
 - uid: 2882
   title: Splunk Add-on for AppDynamics
   appid: Splunk_TA_AppDynamics
   version: 3.0.0
-  description: The Splunk Add-on for AppDynamics enables you to easily configure data inputs to pull data from AppDynamics' REST APIs
+  description: The Splunk Add-on for AppDynamics enables you to easily configure data
+    inputs to pull data from AppDynamics' REST APIs
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-appdynamics_300.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd

data_sources/asl_aws_cloudtrail.yml

@@ -10,4 +10,4 @@ separator: api.operation
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
-  version: 7.9.0
+  version: 7.9.1

data_sources/aws_cloudfront.yml

@@ -9,7 +9,7 @@ sourcetype: aws:cloudfront:accesslogs
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
-  version: 7.9.0
+  version: 7.9.1
 fields:
 - _time
 - action

data_sources/aws_cloudtrail.yml

@@ -10,4 +10,4 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
-  version: 7.9.0
+  version: 7.9.1

data_sources/aws_cloudtrail_assumerolewithsaml.yml

@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
-  version: 7.9.0
+  version: 7.9.1
 fields:
 - _time
 - action

data_sources/aws_cloudtrail_consolelogin.yml

@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
-  version: 7.9.0
+  version: 7.9.1
 fields:
 - _time
 - action

data_sources/aws_cloudtrail_copyobject.yml

@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
-  version: 7.9.0
+  version: 7.9.1
 fields:
 - _time
 - additionalEventData.AuthenticationMethod

data_sources/aws_cloudtrail_createaccesskey.yml

@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
-  version: 7.9.0
+  version: 7.9.1
 fields:
 - _time
 - action

data_sources/aws_cloudtrail_createkey.yml

@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
-  version: 7.9.0
+  version: 7.9.1
 fields:
 - _time
 - app