Commit b156c36

Merge pull request #3683 from splunk/ctl_515
Issue - 3677
2 parents dcc0850 + e6cb8bc commit b156c36

File tree

3 files changed

+6
-8
lines changed
contentctl.yml

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@ app:
33
uid: 3449
44
title: ES Content Updates
55
appid: DA-ESS-ContentUpdate
6-
version: 5.14.0
6+
version: 5.16.0
77
description: Explore the Analytic Stories included with ES Content Updates.
88
prefix: ESCU
99
label: ESCU
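Review bot: the version at 6-/6+ jumps from 5.14.0 straight to 5.16.0, skipping 5.15.0; confirm that the intermediate release was already tagged elsewhere (the source branch is named ctl_515) or that the skip is intentional, since anything comparing app versions will see a two-step bump with no 5.15.0 in between.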

data_sources/aws_cloudwatchlogs_vpcflow.yml

Lines changed: 0 additions & 1 deletion
@@ -73,7 +73,6 @@ output_fields:
7373
- action
7474
- src
7575
- src_ip
76-
- src_port
7776
- dest
7877
- dest_ip
7978
- dest_port
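Review bot: removing `- src_port` (line 76-) from output_fields changes the contract of this data source for every detection that consumes it, not only the port-scan search changed in this PR; check that no other detection still selects All_Traffic.src_port from AWS CloudWatchLogs VPCflow. The PR description should also say why src_port is no longer available from VPC Flow Logs, because dest_port stays listed and the asymmetry is not explained in the hunk.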

detections/network/internal_vertical_port_scan.yml

Lines changed: 5 additions & 6 deletions
@@ -1,9 +1,9 @@
11
name: Internal Vertical Port Scan
22
id: 40d2dc41-9bbf-421a-a34b-8611271a6770
3-
version: 7
4-
date: '2025-08-18'
5-
author: Dean Luxton
6-
status: production
3+
version: 8
4+
date: '2025-09-18'
5+
author: Dean Luxton, Splunk
6+
status: production
77
type: TTP
88
data_source:
99
- AWS CloudWatchLogs VPCflow
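Review bot: the author field at 5-/5+ changes from `Dean Luxton` to `Dean Luxton, Splunk`; confirm this matches the author naming convention used by other detections in the repository so that author-based filtering and attribution stay consistent. The version 7 to 8 and date bump at 3-/4+ are appropriate given that the search body changes in the next hunk.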
@@ -16,8 +16,7 @@ description: This analytic detects instances where an internal host attempts to
1616
by identifying and mitigating potential threats promptly.
1717
search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action
1818
values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as
19-
dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.src_port)
20-
as src_port count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
19+
dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
2120
by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.transport All_Traffic.rule
2221
span=1s _time | `drop_dm_object_name("All_Traffic")` | eval gtime=_time | bin span=1h
2322
gtime | stats min(_time) as _time values(action) as action dc(eval(if(dest_port<1024
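Review bot: after dropping `values(All_Traffic.src_port) as src_port` from the tstats clause at 19-/20-, make sure the remainder of the search (the stats and eval pipeline that continues past `dc(eval(if(dest_port<1024`, outside this hunk) no longer references src_port; a stale reference would not error but would leave the field silently empty in results. If the description at line 16 or any how_to_implement guidance mentions src_port, update it to match. The detection still keys on dest_port, so the vertical scan logic itself is unaffected.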