
Commit 6541bc7

authored
Merge branch 'develop' into innoloader
2 parents 0d361c8 + 0946ff7 commit 6541bc7

27 files changed

+301
-298
lines changed

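--- a/contentctl.yml
+++ b/contentctl.yml
@@ -71,9 +71,9 @@ apps:
 - uid: 5709
 title: Splunk Add-on for Sysmon
 appid: Splunk_TA_microsoft_sysmon
-version: 4.0.2
+version: 4.0.3
 description: description of app
-hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-sysmon_402.tgz
+hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-sysmon_403.tgz
 - uid: 833
 title: Splunk Add-on for Unix and Linux
 appid: Splunk_TA_nix
@@ -83,9 +83,9 @@ apps:
 - uid: 5579
 title: Splunk Add-on for CrowdStrike FDR
 appid: Splunk_TA_CrowdStrike_FDR
-version: 2.0.3
+version: 2.0.5
 description: description of app
-hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_203.tgz
+hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_205.tgz
 - uid: 3185
 title: Splunk Add-on for Microsoft IIS
 appid: SPLUNK_TA_FOR_IIS
@@ -185,9 +185,9 @@ apps:
 - uid: 6207
 title: Splunk Add-on for Microsoft Security
 appid: Splunk_TA_MS_Security
-version: 2.5.0
+version: 2.5.2
 description: description of app
-hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_250.tgz
+hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_252.tgz
 - uid: 2734
 title: URL Toolbox
 appid: URL_TOOLBOX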

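--- a/data_sources/crowdstrike_processrollup2.yml
+++ b/data_sources/crowdstrike_processrollup2.yml
@@ -19,7 +19,7 @@ separator_value: ProcessRollup2
 supported_TA:
 - name: Splunk Add-on for CrowdStrike FDR
 url: https://splunkbase.splunk.com/app/5579
-version: 2.0.4
+version: 2.0.5
 fields:
 - AuthenticationId
 - AuthenticationId_meaning
@@ -100,26 +100,26 @@ fields:
 - user_id
 - vendor_product
 output_fields:
-- action
-- dest
-- original_file_name
-- parent_process
-- parent_process_exec
-- parent_process_guid
-- parent_process_id
-- parent_process_name
-- parent_process_path
-- process
-- process_exec
-- process_guid
-- process_hash
-- process_id
-- process_integrity_level
-- process_name
-- process_path
-- user
-- user_id
-- vendor_product
+- action
+- dest
+- original_file_name
+- parent_process
+- parent_process_exec
+- parent_process_guid
+- parent_process_id
+- parent_process_name
+- parent_process_path
+- process
+- process_exec
+- process_guid
+- process_hash
+- process_id
+- process_integrity_level
+- process_name
+- process_path
+- user
+- user_id
+- vendor_product
 field_mappings:
 - data_model: cim
 data_set: Endpoint.Processes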

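--- a/data_sources/ms365_defender_incident_alerts.yml
+++ b/data_sources/ms365_defender_incident_alerts.yml
@@ -16,7 +16,7 @@ sourcetype: ms365:defender:incident:alerts
 supported_TA:
 - name: Splunk Add-on for Microsoft Security
 url: https://splunkbase.splunk.com/app/6207
-version: 2.5.0
+version: 2.5.2
 fields:
 - actorName
 - alertId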

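--- a/data_sources/ms_defender_atp_alerts.yml
+++ b/data_sources/ms_defender_atp_alerts.yml
@@ -16,7 +16,7 @@ sourcetype: ms:defender:atp:alerts
 supported_TA:
 - name: Splunk Add-on for Microsoft Security
 url: https://splunkbase.splunk.com/app/6207
-version: 2.5.0
+version: 2.5.2
 fields:
 - column
 - accountName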

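--- a/data_sources/splunk_common_information_model_(cim).yml
+++ b/data_sources/splunk_common_information_model_(cim).yml
@@ -9,4 +9,4 @@ sourcetype: not_applicable
 supported_TA:
 - name: Splunk Common Information Model (CIM)
 url: https://splunkbase.splunk.com/app/1621
-version: 6.0.4
+version: 6.1.0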

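--- a/data_sources/sysmon_eventid_1.yml
+++ b/data_sources/sysmon_eventid_1.yml
@@ -18,7 +18,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
 supported_TA:
 - name: Splunk Add-on for Sysmon
 url: https://splunkbase.splunk.com/app/5709
-version: 4.0.2
+version: 4.0.3
 fields:
 - _time
 - Channel
@@ -118,26 +118,26 @@ fields:
 - user_id
 - vendor_product
 output_fields:
-- action
-- dest
-- original_file_name
-- parent_process
-- parent_process_exec
-- parent_process_guid
-- parent_process_id
-- parent_process_name
-- parent_process_path
-- process
-- process_exec
-- process_guid
-- process_hash
-- process_id
-- process_integrity_level
-- process_name
-- process_path
-- user
-- user_id
-- vendor_product
+- action
+- dest
+- original_file_name
+- parent_process
+- parent_process_exec
+- parent_process_guid
+- parent_process_id
+- parent_process_name
+- parent_process_path
+- process
+- process_exec
+- process_guid
+- process_hash
+- process_id
+- process_integrity_level
+- process_name
+- process_path
+- user
+- user_id
+- vendor_product
 field_mappings:
 - data_model: cim
 data_set: Endpoint.Processes
@@ -178,22 +178,23 @@ convert_to_log_source:
 User: UserSid
 ParentProcessId: ParentProcessId
 ParentImage: ParentBaseFileName
-example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
-Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
-SystemTime='2020-10-08T11:03:46.617920300Z'/><EventRecordID>4522</EventRecordID><Correlation/><Execution
-ProcessID='2912' ThreadID='3424'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-6764986.attackrange.local</Computer><Security
-UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2020-10-08
-11:03:46.615</Data><Data Name='ProcessGuid'>{96128EA2-F212-5F7E-E400-000000007F01}</Data><Data
-Name='ProcessId'>2296</Data><Data Name='Image'>C:\Windows\System32\cmd.exe</Data><Data
-Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>Windows
-Command Processor</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data
-Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>Cmd.Exe</Data><Data
-Name='CommandLine'>"C:\Windows\system32\cmd.exe" /c "reg save HKLM\sam %%temp%%\sam
-&amp; reg save HKLM\system %%temp%%\system &amp; reg save HKLM\security %%temp%%\security"
-</Data><Data Name='CurrentDirectory'>C:\Users\ADMINI~1\AppData\Local\Temp\</Data><Data
-Name='User'>ATTACKRANGE\Administrator</Data><Data Name='LogonGuid'>{96128EA2-F210-5F7E-ACD4-080000000000}</Data><Data
-Name='LogonId'>0x8d4ac</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>High</Data><Data
-Name='Hashes'>MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A</Data><Data
-Name='ParentProcessGuid'>{96128EA2-F211-5F7E-DF00-000000007F01}</Data><Data Name='ParentProcessId'>4624</Data><Data
-Name='ParentImage'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data
-Name='ParentCommandLine'>"powershell.exe" -noninteractive -encodedcommand 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</Data></EventData></Event>
+example_log: "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider\
+\ Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated\
+\ SystemTime='2020-10-08T11:03:46.617920300Z'/><EventRecordID>4522</EventRecordID><Correlation/><Execution\
+\ ProcessID='2912' ThreadID='3424'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-6764986.attackrange.local</Computer><Security\
+\ UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2020-10-08\
+\ 11:03:46.615</Data><Data Name='ProcessGuid'>{96128EA2-F212-5F7E-E400-000000007F01}</Data><Data\
+\ Name='ProcessId'>2296</Data><Data Name='Image'>C:\\Windows\\System32\\cmd.exe</Data><Data\
+\ Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>Windows\
+\ Command Processor</Data><Data Name='Product'>Microsoft\xAE Windows\xAE Operating\
+\ System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>Cmd.Exe</Data><Data\
+\ Name='CommandLine'>\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\sam\
+\ %%temp%%\\sam &amp; reg save HKLM\\system %%temp%%\\system &amp; reg save HKLM\\\
+security %%temp%%\\security\" </Data><Data Name='CurrentDirectory'>C:\\Users\\ADMINI~1\\\
+AppData\\Local\\Temp\\</Data><Data Name='User'>ATTACKRANGE\\Administrator</Data><Data\
+\ Name='LogonGuid'>{96128EA2-F210-5F7E-ACD4-080000000000}</Data><Data Name='LogonId'>0x8d4ac</Data><Data\
+\ Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>High</Data><Data\
+\ Name='Hashes'>MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A</Data><Data\
+\ Name='ParentProcessGuid'>{96128EA2-F211-5F7E-DF00-000000007F01}</Data><Data Name='ParentProcessId'>4624</Data><Data\
+\ Name='ParentImage'>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data><Data\
+\ Name='ParentCommandLine'>\"powershell.exe\" -noninteractive -encodedcommand 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</Data></EventData></Event>"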
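Review bot: The re-serialized example_log at new lines 181–200 is a double-quoted scalar full of `\\`, `\"` and `\xAE` escapes plus backslash line continuations, which is far harder to check by eye than the plain scalar it replaces, and a folded block scalar (`example_log: >`) would carry the same Windows paths and quotes with no escaping at all and keep future diffs of this field readable. As far as I can tell the escaped form decodes to the same text as the removed lines (`\xAE` is ®, `\\` a single backslash), but that is worth confirming with a round-trip through the project's YAML loader, since several continuation breaks fall inside path tokens such as `HKLM\\\` / `security` and `ADMINI~1\\\` / `AppData`. The version bump and the output_fields re-indent in the first two hunks look consistent with the same change in the sibling data_sources files.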

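--- a/data_sources/sysmon_eventid_10.yml
+++ b/data_sources/sysmon_eventid_10.yml
@@ -18,7 +18,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
 supported_TA:
 - name: Splunk Add-on for Sysmon
 url: https://splunkbase.splunk.com/app/5709
-version: 4.0.2
+version: 4.0.3
 fields:
 - _time
 - CallTrace
@@ -101,16 +101,16 @@ fields:
 output_fields:
 - dest
 - user_id
-- parent_process_name
-- parent_process_guid
-- process_name
-- process_guid
-- process_id
-- signature
-- SourceImage
-- TargetImage
-- GrantedAccess
-- CallTrace
+- parent_process_name
+- parent_process_guid
+- process_name
+- process_guid
+- process_id
+- signature
+- SourceImage
+- TargetImage
+- GrantedAccess
+- CallTrace
 example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
 Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>10</EventID><Version>3</Version><Level>4</Level><Task>10</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
 SystemTime='2022-02-01T21:01:44.672666100Z'/><EventRecordID>150624412</EventRecordID><Correlation/><Execution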

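--- a/data_sources/sysmon_eventid_11.yml
+++ b/data_sources/sysmon_eventid_11.yml
@@ -19,7 +19,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
 supported_TA:
 - name: Splunk Add-on for Sysmon
 url: https://splunkbase.splunk.com/app/5709
-version: 4.0.2
+version: 4.0.3
 fields:
 - _time
 - Channel
@@ -93,14 +93,14 @@ fields:
 - user_id
 - vendor_product
 output_fields:
-- action
-- dest
-- file_name
-- file_path
-- process_guid
-- process_id
-- user
-- vendor_product
+- action
+- dest
+- file_name
+- file_path
+- process_guid
+- process_id
+- user
+- vendor_product
 field_mappings:
 - data_model: cim
 data_set: Endpoint.Filesystem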

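--- a/data_sources/sysmon_eventid_12.yml
+++ b/data_sources/sysmon_eventid_12.yml
@@ -18,7 +18,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
 supported_TA:
 - name: Splunk Add-on for Sysmon
 url: https://splunkbase.splunk.com/app/5709
-version: 4.0.2
+version: 4.0.3
 fields:
 - _time
 - Channel
@@ -95,15 +95,15 @@ fields:
 - user_id
 - vendor_product
 output_fields:
-- action
-- dest
-- process_guid
-- process_id
-- registry_hive
-- registry_path
-- registry_key_name
-- status
-- user
+- action
+- dest
+- process_guid
+- process_id
+- registry_hive
+- registry_path
+- registry_key_name
+- status
+- user
 - vendor_product
 field_mappings:
 - data_model: cim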

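--- a/data_sources/sysmon_eventid_13.yml
+++ b/data_sources/sysmon_eventid_13.yml
@@ -18,7 +18,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
 supported_TA:
 - name: Splunk Add-on for Sysmon
 url: https://splunkbase.splunk.com/app/5709
-version: 4.0.2
+version: 4.0.3
 fields:
 - _time
 - Channel
@@ -102,17 +102,17 @@ fields:
 - user_id
 - vendor_product
 output_fields:
-- action
-- dest
-- process_guid
-- process_id
-- registry_hive
-- registry_path
-- registry_key_name
-- registry_value_data
-- registry_value_name
-- status
-- user
+- action
+- dest
+- process_guid
+- process_id
+- registry_hive
+- registry_path
+- registry_key_name
+- registry_value_data
+- registry_value_name
+- status
+- user
 - vendor_product
 field_mappings:
 - data_model: cim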
