Merge branch 'develop' into github_detections_improvement

Author: Patrick Bareiss

.github/workflows/appinspect.yml

@@ -18,7 +18,13 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip install contentctl==5.0.0
+          if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
+            echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
+            pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
+          else
+            echo "Installing latest contentctl version"
+            pip install contentctl
+          fi
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
           git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
       

.github/workflows/build.yml

@@ -19,7 +19,13 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip install contentctl==5.0.0
+          if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
+            echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
+            pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
+          else
+            echo "Installing latest contentctl version"
+            pip install contentctl
+          fi
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
           git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
       

.github/workflows/unit-testing.yml

@@ -23,7 +23,13 @@ jobs:
         - name: Install Python Dependencies and ContentCTL
           run: |
             python -m pip install --upgrade pip
-            pip install contentctl==5.0.0
+            if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
+              echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
+              pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
+            else
+              echo "Installing latest contentctl version"
+              pip install contentctl
+            fi
            
         # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
         # Make sure we check out the PR, even if it actually lives in a fork

contentctl.yml

@@ -71,9 +71,9 @@ apps:
 - uid: 833
   title: Splunk Add-on for Unix and Linux
   appid: Splunk_TA_nix
-  version: 9.2.0
+  version: 10.0.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_920.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_1000.tgz
 - uid: 5579
   title: Splunk Add-on for CrowdStrike FDR
   appid: Splunk_TA_CrowdStrike_FDR

data_sources/linux_auditd_add_user.yml

@@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
   url: https://splunkbase.splunk.com/app/833
-  version: 9.2.0
+  version: 10.0.0
 fields:
 - msg
 - type
@@ -30,4 +30,6 @@ fields:
 - UID
 - AUID
 - ID
-example_log: 'type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000 ses=1 subj=unconfined msg=''op=adding user id=1002 exe="/usr/sbin/useradd" hostname=ar-linux1 addr=? terminal=pts/1 res=success''UID="root" AUID="ubuntu" ID="unknown(1002)"'
+example_log: 'type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000
+  ses=1 subj=unconfined msg=''op=adding user id=1002 exe="/usr/sbin/useradd" hostname=ar-linux1
+  addr=? terminal=pts/1 res=success''UID="root" AUID="ubuntu" ID="unknown(1002)"'

data_sources/linux_auditd_execve.yml

@@ -10,10 +10,11 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
   url: https://splunkbase.splunk.com/app/833
-  version: 9.2.0
+  version: 10.0.0
 fields:
 - msg
 - type
 - msg
 - argc
-example_log: 'type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so" a2="./prog"'
+example_log: 'type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so"
+  a2="./prog"'

data_sources/linux_auditd_path.yml

@@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
   url: https://splunkbase.splunk.com/app/833
-  version: 9.2.0
+  version: 10.0.0
 fields:
 - msg
 - type
@@ -30,4 +30,6 @@ fields:
 - cap_frootid
 - OUID
 - OGID
-example_log: 'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~" inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"'
+example_log: 'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~"
+  inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0
+  cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"'

data_sources/linux_auditd_proctitle.yml

@@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
   url: https://splunkbase.splunk.com/app/833
-  version: 9.2.0
+  version: 10.0.0
 fields:
 - proctitle
 - msg

data_sources/linux_auditd_service_stop.yml

@@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
   url: https://splunkbase.splunk.com/app/833
-  version: 9.2.0
+  version: 10.0.0
 fields:
 - msg
 - type
@@ -28,4 +28,6 @@ fields:
 - res
 - UID
 - AUID
-example_log: 'type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg=''unit=atd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success''UID="root" AUID="unset"'
+example_log: 'type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295
+  ses=4294967295 subj=unconfined msg=''unit=atd comm="systemd" exe="/usr/lib/systemd/systemd"
+  hostname=? addr=? terminal=? res=success''UID="root" AUID="unset"'

data_sources/linux_auditd_syscall.yml

@@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
   url: https://splunkbase.splunk.com/app/833
-  version: 9.2.0
+  version: 10.0.0
 fields:
 - msg
 - type
@@ -20,7 +20,7 @@ fields:
 - success
 - exit
 - a1
-- a2 
+- a2
 - a3
 - items
 - ppid
@@ -51,4 +51,9 @@ fields:
 - EGID
 - SGID
 - FSGID
-example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64 SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"'
+example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59
+  success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2
+  ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
+  tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64
+  SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root"
+  EGID="root" SGID="root" FSGID="root"'