Merge branch 'develop' into nterl0k-t1110-mfasweep-detection

Author: patel-bhavin

.github/workflows/appinspect.yml

@@ -18,7 +18,7 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip install contentctl==5.0.0
+          pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
           git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
       

.github/workflows/build.yml

@@ -19,7 +19,8 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip install contentctl==5.0.0
+          echo "CONTENTCTL_VERSION is ${{ vars.CONTENTCTL_VERSION }}"
+          pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
           git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
       

.github/workflows/unit-testing.yml

@@ -23,7 +23,7 @@ jobs:
         - name: Install Python Dependencies and ContentCTL
           run: |
             python -m pip install --upgrade pip
-            pip install contentctl==5.0.0
+            pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
            
         # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
         # Make sure we check out the PR, even if it actually lives in a fork

data_sources/linux_secure.yml

@@ -6,7 +6,10 @@ author: Patrick Bareiss, Splunk
 description: Data source object for Linux Secure
 source: /var/log/secure
 sourcetype: linux_secure
-supported_TA: []
+supported_TA:
+- name: Splunk Add-on for Unix and Linux
+  url: https://splunkbase.splunk.com/app/833
+  version: 9.2.0
 fields:
 - _time
 - action

detections/application/pingid_mismatch_auth_source_and_verification_response.yml

@@ -1,6 +1,6 @@
 name: PingID Mismatch Auth Source and Verification Response
 id: 15b0694e-caa2-4009-8d83-a1f98b86d086
-version: 4
+version: 5
 date: '2025-01-21'
 author: Steven Dick
 status: production

detections/application/windows_ad_suspicious_attribute_modification.yml

@@ -1,6 +1,6 @@
 name: Windows AD Suspicious Attribute Modification
 id: 5682052e-ce55-4f9f-8d28-59191420b7e0
-version: 3
+version: 4
 date: '2025-01-21'
 author: Dean Luxton
 status: production

detections/application/windows_ad_suspicious_gpo_modification.yml

@@ -1,6 +1,6 @@
 name: Windows AD Suspicious GPO Modification
 id: 0a2afc18-a3b5-4452-b60a-2e774214f9bf
-version: 3
+version: 4
 date: '2025-01-21'
 author: Dean Luxton
 status: experimental

detections/cloud/azure_ad_application_administrator_role_assigned.yml

@@ -1,6 +1,6 @@
 name: Azure AD Application Administrator Role Assigned
 id: eac4de87-7a56-4538-a21b-277897af6d8d
-version: 6
+version: 7
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/azure_ad_azurehound_useragent_detected.yml

@@ -1,6 +1,6 @@
 name: Azure AD AzureHound UserAgent Detected
 id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3
-version: 1
+version: 2
 date: '2025-01-06'
 author: Dean Luxton 
 data_source:

detections/cloud/azure_ad_external_guest_user_invited.yml

@@ -1,6 +1,6 @@
 name: Azure AD External Guest User Invited
 id: c1fb4edb-cab1-4359-9b40-925ffd797fb5
-version: 5
+version: 6
 date: '2024-11-14'
 author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
 status: production