Merge branch 'develop' into aws_to_ttp

Author: pyth0n1c

contentctl.yml

@@ -167,9 +167,9 @@ apps:
 - uid: 4055
   title: Splunk Add-on for Microsoft Office 365
   appid: SPLUNK_ADD_ON_FOR_MICROSOFT_OFFICE_365
-  version: 4.8.0
+  version: 4.8.1
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-office-365_480.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-office-365_481.tgz
 - uid: 2890
   title: Splunk Machine Learning Toolkit
   appid: SPLUNK_MACHINE_LEARNING_TOOLKIT
@@ -221,8 +221,8 @@ apps:
 - uid: 3471
   title: Splunk Add-on for AppDynamics
   appid: Splunk_TA_AppDynamics
-  version: 3.1.2
+  version: 3.1.3
   description: The Splunk Add-on for AppDynamics enables you to easily configure data
     inputs to pull data from AppDynamics' REST APIs
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-splunk-add-on-for-appdynamics_312.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-splunk-add-on-for-appdynamics_313.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd

data_sources/cisco_secure_application_appdynamics_alerts.yml

@@ -9,7 +9,7 @@ sourcetype: appdynamics_security
 supported_TA:
 - name: Splunk Add-on for AppDynamics
   url: https://splunkbase.splunk.com/app/3471
-  version: 3.1.2
+  version: 3.1.3
 fields:
 - SourceType
 - apiServerExternal

data_sources/cisco_secure_firewall_threat_defense_connection_event.yml

@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall Threat Defense Connection Event
 id: 18878597-8f8a-4bca-a805-bfbe35e00032
-version: 1
-date: '2025-04-01'
+version: 2
+date: '2025-05-22'
 author: Nasreddine Bencherchali, Splunk
 description: Data source object for raw connection events from Cisco Secure Firewall
   Threat Defense
@@ -114,7 +114,6 @@ output_fields:
 - dest_port
 - transport
 - rule
-- url
 - action
 example_log: '{"EventType":"ConnectionEvent", "FirstPacketSecond":1743500734, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63",
   "InstanceID":1, "ConnectionID":259, "AC_RuleAction":"Block", "InitiatorIP":"172.16.3.110",

data_sources/o365.yml

@@ -15,6 +15,6 @@ source: o365
 sourcetype: o365:management:activity
 separator: Operation
 supported_TA:
-  - name: Splunk Add-on for Microsoft Office 365
-    url: https://splunkbase.splunk.com/app/4055
-    version: 4.8.0
+- name: Splunk Add-on for Microsoft Office 365
+  url: https://splunkbase.splunk.com/app/4055
+  version: 4.8.1

data_sources/o365_add_app_role_assignment_grant_to_user_.yml

@@ -15,81 +15,80 @@ sourcetype: o365:management:activity
 separator: Operation
 separator_value: Add app role assignment grant to user.
 supported_TA:
-  - name: Splunk Add-on for Microsoft Office 365
-    url: https://splunkbase.splunk.com/app/4055
-    version: 4.8.0
+- name: Splunk Add-on for Microsoft Office 365
+  url: https://splunkbase.splunk.com/app/4055
+  version: 4.8.1
 fields:
-  - _time
-  - ActorContextId
-  - ActorIpAddress
-  - Actor{}.ID
-  - Actor{}.Type
-  - AzureActiveDirectoryEventType
-  - ClientIP
-  - CreationTime
-  - ExtendedProperties{}.Name
-  - ExtendedProperties{}.Value
-  - Id
-  - InterSystemsId
-  - IntraSystemId
-  - ModifiedProperties{}.Name
-  - ModifiedProperties{}.NewValue
-  - ModifiedProperties{}.OldValue
-  - ObjectId
-  - Operation
-  - OrganizationId
-  - RecordType
-  - ResultStatus
-  - SupportTicketId
-  - TargetContextId
-  - Target{}.ID
-  - Target{}.Type
-  - UserId
-  - UserKey
-  - UserType
-  - Version
-  - Workload
-  - additionalDetails
-  - app
-  - authentication_service
-  - command
-  - date_hour
-  - date_mday
-  - date_minute
-  - date_month
-  - date_second
-  - date_wday
-  - date_year
-  - date_zone
-  - dest
-  - dest_name
-  - dvc
-  - event_type
-  - extendedAuditEventCategory
-  - extended_properties
-  - host
-  - index
-  - linecount
-  - object
-  - punct
-  - record_type
-  - signature
-  - source
-  - sourcetype
-  - splunk_server
-  - src
-  - src_ip
-  - src_user
-  - status
-  - timeendpos
-  - timestartpos
-  - user
-  - user_id
-  - user_type
-  - vendor_account
-  - vendor_product
-example_log:
-  '{"Actor": [{"ID": "[email protected]", "Type": 5}, {"ID":
+- _time
+- ActorContextId
+- ActorIpAddress
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- ClientIP
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- additionalDetails
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- extendedAuditEventCategory
+- extended_properties
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_user
+- status
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"Actor": [{"ID": "[email protected]", "Type": 5}, {"ID":
   "10037FFEA938FB92", "Type": 3}, {"ID": "74658136-14ec-4630-ad9b-26e160ff0fc6", "Type":
   2}, {"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484",
   "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
@@ -115,8 +114,8 @@ example_log:
   "[email protected]", "UserKey": "[email protected]",
   "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}'
 output_fields:
-- dest 
-- user 
-- src 
-- vendor_account 
-- vendor_product 
+- dest
+- user
+- src
+- vendor_account
+- vendor_product

data_sources/o365_add_app_role_assignment_to_service_principal_.yml

@@ -16,80 +16,79 @@ sourcetype: o365:management:activity
 separator: Operation
 separator_value: Add app role assignment to service principal.
 supported_TA:
-  - name: Splunk Add-on for Microsoft Office 365
-    url: https://splunkbase.splunk.com/app/4055
-    version: 4.8.0
+- name: Splunk Add-on for Microsoft Office 365
+  url: https://splunkbase.splunk.com/app/4055
+  version: 4.8.1
 fields:
-  - _time
-  - ActorContextId
-  - Actor{}.ID
-  - Actor{}.Type
-  - AzureActiveDirectoryEventType
-  - CreationTime
-  - ExtendedProperties{}.Name
-  - ExtendedProperties{}.Value
-  - Id
-  - InterSystemsId
-  - IntraSystemId
-  - ModifiedProperties{}.Name
-  - ModifiedProperties{}.NewValue
-  - ModifiedProperties{}.OldValue
-  - ObjectId
-  - Operation
-  - OrganizationId
-  - RecordType
-  - ResultStatus
-  - SupportTicketId
-  - TargetContextId
-  - Target{}.ID
-  - Target{}.Type
-  - UserId
-  - UserKey
-  - UserType
-  - Version
-  - Workload
-  - additionalDetails
-  - app
-  - authentication_service
-  - command
-  - date_hour
-  - date_mday
-  - date_minute
-  - date_month
-  - date_second
-  - date_wday
-  - date_year
-  - date_zone
-  - dest
-  - dest_name
-  - dvc
-  - event_type
-  - eventtype
-  - extendedAuditEventCategory
-  - host
-  - index
-  - linecount
-  - object
-  - punct
-  - record_type
-  - signature
-  - source
-  - sourcetype
-  - splunk_server
-  - status
-  - tag
-  - tag::eventtype
-  - timeendpos
-  - timestartpos
-  - user
-  - user_agent
-  - user_agent_change
-  - user_id
-  - user_type
-  - vendor_account
-  - vendor_product
-example_log:
-  '{"CreationTime": "2024-02-08T21:49:53", "Id": "a6bee61d-8b3f-42e1-b4fa-778fb05c43ac",
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- additionalDetails
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2024-02-08T21:49:53", "Id": "a6bee61d-8b3f-42e1-b4fa-778fb05c43ac",
   "Operation": "Add app role assignment to service principal.", "OrganizationId":
   "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success",
   "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory",
@@ -121,8 +120,8 @@ example_log:
   "Type": 2}, {"ID": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com",
   "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"}'
 output_fields:
-- dest 
-- user 
-- src 
-- vendor_account 
-- vendor_product 
+- dest
+- user
+- src
+- vendor_account
+- vendor_product