Merge branch 'develop' into headless_bee

Author: patel-bhavin

contentctl.yml

@@ -6,9 +6,9 @@ author: Bhavin Patel
 description: Data source object for Cisco AI Defense Alerts
 source: cisco_ai_defense
 sourcetype: cisco:ai:defense
-separator: 
+separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.0.1
-fields:
+  version: 3.1.1
+fields: null

data_sources/cisco_ai_defense_alerts.yml

@@ -0,0 +1,73 @@
+name: Office 365 Reporting Message Trace
+id: b637788e-fcf0-44fa-86ea-cab81193f939
+version: 1
+date: '2025-02-28'
+author: Steven Dick
+description: Data source object for Office 365 Reporting Message Trace
+source: o365
+sourcetype: o365:reporting:messagetrace
+separator: Organization
+supported_TA:
+- name: Splunk Microsoft Office 365 Add-on
+  url: https://splunkbase.splunk.com/app/4055
+  version: 4.8.0
+fields:
+- FromIP
+- Index
+- MessageId
+- MessageTraceId
+- Organization
+- Received
+- RecipientAddress
+- SenderAddress
+- Size
+- Status
+- Subject
+- ToIP
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _subsecond
+- _time
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- eventtype
+- host
+- index
+- internal_message_id
+- linecount
+- message_id
+- punct
+- recipient
+- recipient_count
+- recipient_domain
+- size
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_user
+- src_user_domain
+- status_code
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor_product
+example_log: '{"Organization": "attackrange.onmicrosoft.com", "MessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "Received": "2025-01-16T21:06:46.832439", "SenderAddress": "victim_2@attack_range.lan", "RecipientAddress": "[email protected]", "Subject": "Accounts and Passwords", "Status": "Delivered", "ToIP": "2607:f8b0:400e:c0d::1a", "FromIP": "189.135.168.197", "Size": 33584, "MessageTraceId": "3567c8ef-cc17-4a3f-d166-08dd3161e4fc", "Index": 3035}'

data_sources/office_365_reporting_message_trace.yml

@@ -0,0 +1,99 @@
+name: Windows Event Log Application 15457
+id: 4491537e-520c-46f7-9209-f56f852aa237
+version: 1
+date: '2025-03-04'
+author: Michael Haag, Splunk
+description: Data source object for Windows Event Log Application 15457
+source: XmlWinEventLog:Application
+sourcetype: XmlWinEventLog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 9.0.1
+fields:
+- CategoryString
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Image_File_Name
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- Qualifiers
+- RecordNumber
+- RenderingInfo_Xml
+- SourceName
+- SubStatus
+- SystemTime
+- System_Props_Xml
+- Task
+- TaskCategory
+- ThreadID
+- UserData_Xml
+- UserID
+- Version
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _subsecond
+- _time
+- action
+- category
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- parent_process
+- process_name
+- punct
+- result
+- service
+- service_id
+- service_name
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- status
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_group_id
+- user_id
+- vendor_product
+example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>15457</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2025-02-04T19:46:19.5339693Z'/><EventRecordID>15827</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>ar-win-2.attackrange.local</Computer><Security/></System><EventData><Data>show advanced options</Data><Data>1</Data><Data>0</Data><Binary>613C00000A00000009000000610072002D00770069006E002D0032000000070000006D00610073007400650072000000</Binary></EventData></Event>
+

data_sources/windows_event_log_application_15457.yml

@@ -0,0 +1,96 @@
+name: Windows Event Log Application 17135
+id: 4491537e-520c-46f7-9209-f56f852aa231
+version: 1
+date: '2025-02-26'
+author: Michael Haag, Splunk
+description: Data source object for Windows Event Log Application 17135
+source: XmlWinEventLog:Application
+sourcetype: XmlWinEventLog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 9.0.1
+fields:
+- CategoryString
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Image_File_Name
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- Qualifiers
+- RecordNumber
+- RenderingInfo_Xml
+- SourceName
+- SubStatus
+- SystemTime
+- System_Props_Xml
+- Task
+- TaskCategory
+- ThreadID
+- Version
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _subsecond
+- _time
+- action
+- category
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- parent_process
+- process_name
+- punct
+- result
+- service
+- service_id
+- service_name
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- status
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_group_id
+- user_id
+- vendor_product
+example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>17135</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2025-02-10T16:38:42.6969829Z'/><EventRecordID>16509</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>ar-win-2.attackrange.local</Computer><Security/></System><EventData><Data>sp_add_sysadmin</Data><Binary>EF4200000A00000009000000610072002D00770069006E002D0032000000070000006D00610073007400650072000000</Binary></EventData></Event>
+

data_sources/windows_event_log_application_17135.yml

@@ -0,0 +1,88 @@
+name: Windows Event Log Application 8128
+id: 4491537e-5e0c-46f7-9209-f56f852aa237
+version: 1
+date: '2025-02-26'
+author: Michael Haag, Splunk
+description: Data source object for Windows Event Log Application 8128
+source: XmlWinEventLog:Application
+sourcetype: XmlWinEventLog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 9.0.1
+fields:
+- CategoryString
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- EventSourceName
+- Guid
+- Image_File_Name
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- Qualifiers
+- RecordNumber
+- RenderingInfo_Xml
+- SourceName
+- SubStatus
+- SystemTime
+- System_Props_Xml
+- Task
+- TaskCategory
+- ThreadID
+- UserID
+- Version
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _time
+- action
+- category
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- parent_process
+- process_name
+- punct
+- result
+- service
+- service_id
+- service_name
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- status
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- user_group_id
+- user_id
+- vendor_product
+example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>8128</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2025-02-10T20:03:14.2006851Z'/><EventRecordID>16635</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>ar-win-2.attackrange.local</Computer><Security/></System><EventData><Data>odsole70.dll</Data><Data>2022.160.1000</Data><Data>sp_OACreate</Data><Binary>C01F00000A00000009000000610072002D00770069006E002D0032000000050000006D007300640062000000</Binary></EventData></Event>
+