Merge branch 'develop' into output_normalization_aws

Author: P4T12ICK

contentctl.yml

@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
-  version: 7.9.0
+  version: 7.9.1
 fields:
 - _time
-example_log: |-
+example_log: ''

data_sources/aws_cloudtrail_deleteloggingconfiguration.yml

@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
-  version: 7.9.0
+  version: 7.9.1
 fields:
 - _time
-example_log: |-
+example_log: ''

data_sources/aws_cloudtrail_deleterulegroup.yml

@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
-  version: 7.9.0
+  version: 7.9.1
 fields:
 - action
 - app
@@ -133,5 +133,18 @@ fields:
 - _si
 - _sourcetype
 - _time
-example_log: |-
- {"eventVersion": "1.10", "userIdentity": {"type": "AssumedRole", "principalId": "AROAYTOGP2RLBXYPYUKBH:aws-go-sdk-1740131590946446551", "arn": "arn:aws:sts::111111111111111:assumed-role/DAFTPUNK-cloud-security-audit/aws-go-sdk-1740131590946446551", "accountId": "111111111111111", "accessKeyId": "DAFTPUNK", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLBXYPYUKBH", "arn": "arn:aws:iam::111111111111111:role/DAFTPUNK-cloud-security-audit", "accountId": "111111111111111", "userName": "DAFTPUNK-cloud-security-audit"}, "attributes": {"creationDate": "2025-02-21T10:48:43Z", "mfaAuthenticated": "false"}}}, "eventTime": "2025-02-21T11:29:27Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSnapshotAttribute", "awsRegion": "eu-central-1", "sourceIPAddress": "54.203.114.197", "userAgent": "m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.4 md/GOOS#linux md/GOARCH#amd64 api/ec2#1.177.3", "requestParameters": {"snapshotId": "snap-082bd5016636bbd94", "attributeType": "PRODUCT_CODES"}, "responseElements": null, "requestID": "70339070-6038-40b7-9acf-5ecb85cda843", "eventID": "bcc65c3f-a997-4a01-90bf-3b85f7268e70", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.eu-central-1.amazonaws.com"}}
+example_log: '{"eventVersion": "1.10", "userIdentity": {"type": "AssumedRole", "principalId":
+  "AROAYTOGP2RLBXYPYUKBH:aws-go-sdk-1740131590946446551", "arn": "arn:aws:sts::111111111111111:assumed-role/DAFTPUNK-cloud-security-audit/aws-go-sdk-1740131590946446551",
+  "accountId": "111111111111111", "accessKeyId": "DAFTPUNK", "sessionContext": {"sessionIssuer":
+  {"type": "Role", "principalId": "AROAYTOGP2RLBXYPYUKBH", "arn": "arn:aws:iam::111111111111111:role/DAFTPUNK-cloud-security-audit",
+  "accountId": "111111111111111", "userName": "DAFTPUNK-cloud-security-audit"}, "attributes":
+  {"creationDate": "2025-02-21T10:48:43Z", "mfaAuthenticated": "false"}}}, "eventTime":
+  "2025-02-21T11:29:27Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSnapshotAttribute",
+  "awsRegion": "eu-central-1", "sourceIPAddress": "54.203.114.197", "userAgent": "m/E
+  aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.4 md/GOOS#linux md/GOARCH#amd64 api/ec2#1.177.3",
+  "requestParameters": {"snapshotId": "snap-082bd5016636bbd94", "attributeType": "PRODUCT_CODES"},
+  "responseElements": null, "requestID": "70339070-6038-40b7-9acf-5ecb85cda843", "eventID":
+  "bcc65c3f-a997-4a01-90bf-3b85f7268e70", "readOnly": true, "eventType": "AwsApiCall",
+  "managementEvent": true, "recipientAccountId": "111111111111111", "eventCategory":
+  "Management", "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256",
+  "clientProvidedHostHeader": "ec2.eu-central-1.amazonaws.com"}}'

data_sources/aws_cloudtrail_describesnapshotattribute.yml

@@ -10,8 +10,25 @@ separator: operationName
 supported_TA:
 - name: Splunk Add-on for Microsoft Cloud Services
   url: https://splunkbase.splunk.com/app/3110
-  version: 5.4.2
+  version: 5.4.3
 fields:
 - _time
-example_log: |-
-  {"time": "2024-04-30T01:22:46.4948958Z", "resourceId": "/TENANTS/225E05A1-5914-4688-A404-7030E60F3143/PROVIDERS/MICROSOFT.AADIAM", "operationName": "Microsoft Graph Activity", "operationVersion": "beta", "category": "MicrosoftGraphActivityLogs", "resultSignature": "200", "durationMs": "948894", "callerIpAddress": "45.83.145.6", "correlationId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "level": "Informational", "location": "East US 2", "properties": {"__UDI_RequiredFields_TenantId": "225e05a1-5914-4688-a404-7030e60f3143", "__UDI_RequiredFields_UniqueId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "__UDI_RequiredFields_EventTime": 638500369660000000, "__UDI_RequiredFields_RegionScope": "NA", "timeGenerated": "2024-04-30T01:22:46.4948958Z", "location": "East US 2", "requestId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "operationId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "clientRequestId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "apiVersion": "beta", "requestMethod": "GET", "responseStatusCode": 200, "tenantId": "225e05a1-5914-4688-a404-7030e60f3143", "durationMs": 948894, "responseSizeBytes": 91, "signInActivityId": "KRsphQ_4s0-oHv_Br8qSAQ", "roles": "", "appId": "1950a258-227b-4e31-a9cf-717495945fc2", "UserPrincipalObjectID": "7b934539-7366-494e-a8ac-3517694d32db", "scopes": "AuditLog.Read.All Directory.AccessAsUser.All email openid profile", "identityProvider": "", "clientAuthMethod": "0", "wids": "b79fbf4d-3ef9-4689-8143-76b194e85509", "C_Idtyp": "user", "C_Iat": "1714439850", "ipAddress": "45.83.145.6", "userAgent": "azurehound/v2.1.8", "requestUri": "https://graph.microsoft.com/beta/servicePrincipals/ffe3e001-d8cf-43a4-89ab-bfce35fd7786/owners?%24top=999", "userId": "7b934539-7366-494e-a8ac-3517694d32db", "tokenIssuedAt": "2024-04-30T01:17:30.0000000Z"}, "tenantId": "225e05a1-5914-4688-a404-7030e60f3143"}
+example_log: '{"time": "2024-04-30T01:22:46.4948958Z", "resourceId": "/TENANTS/225E05A1-5914-4688-A404-7030E60F3143/PROVIDERS/MICROSOFT.AADIAM",
+  "operationName": "Microsoft Graph Activity", "operationVersion": "beta", "category":
+  "MicrosoftGraphActivityLogs", "resultSignature": "200", "durationMs": "948894",
+  "callerIpAddress": "45.83.145.6", "correlationId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b",
+  "level": "Informational", "location": "East US 2", "properties": {"__UDI_RequiredFields_TenantId":
+  "225e05a1-5914-4688-a404-7030e60f3143", "__UDI_RequiredFields_UniqueId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b",
+  "__UDI_RequiredFields_EventTime": 638500369660000000, "__UDI_RequiredFields_RegionScope":
+  "NA", "timeGenerated": "2024-04-30T01:22:46.4948958Z", "location": "East US 2",
+  "requestId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "operationId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b",
+  "clientRequestId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "apiVersion": "beta",
+  "requestMethod": "GET", "responseStatusCode": 200, "tenantId": "225e05a1-5914-4688-a404-7030e60f3143",
+  "durationMs": 948894, "responseSizeBytes": 91, "signInActivityId": "KRsphQ_4s0-oHv_Br8qSAQ",
+  "roles": "", "appId": "1950a258-227b-4e31-a9cf-717495945fc2", "UserPrincipalObjectID":
+  "7b934539-7366-494e-a8ac-3517694d32db", "scopes": "AuditLog.Read.All Directory.AccessAsUser.All
+  email openid profile", "identityProvider": "", "clientAuthMethod": "0", "wids":
+  "b79fbf4d-3ef9-4689-8143-76b194e85509", "C_Idtyp": "user", "C_Iat": "1714439850",
+  "ipAddress": "45.83.145.6", "userAgent": "azurehound/v2.1.8", "requestUri": "https://graph.microsoft.com/beta/servicePrincipals/ffe3e001-d8cf-43a4-89ab-bfce35fd7786/owners?%24top=999",
+  "userId": "7b934539-7366-494e-a8ac-3517694d32db", "tokenIssuedAt": "2024-04-30T01:17:30.0000000Z"},
+  "tenantId": "225e05a1-5914-4688-a404-7030e60f3143"}'

data_sources/azure_active_directory_microsoftgraphactivitylogs.yml

@@ -10,7 +10,7 @@ separator: operationName
 supported_TA:
 - name: Splunk Add-on for Microsoft Cloud Services
   url: https://splunkbase.splunk.com/app/3110
-  version: 5.4.2
+  version: 5.4.3
 fields:
 - action
 - additional_details
@@ -133,5 +133,40 @@ fields:
 - _sourcetype
 - _subsecond
 - _time
-example_log: |-
- {"time": "2023-01-12T19:22:14.5285742Z", "resourceId": "/tenants/95d19bda-09de-4d93-b7ae-acecd1e68186/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "95d19bda-09de-4d93-b7ae-acecd1e68186", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.3.194", "correlationId": "fc78e38c-1e61-4be3-b47d-f3e6a9724a65", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "0f94f5fb-3583-4c46-9bfa-0390c1988800", "createdDateTime": "2023-01-12T19:22:14.5285742+00:00", "userDisplayName": "User30", "userPrincipalName": "[email protected]", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "34.1.3.194", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "Windows", "browser": "Rich Client 4.43.0.0"}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.73722839355469, "longitude": -119.81143188476562}}, "mfaDetail": {}, "correlationId": "fc78e38c-1e61-4be3-b47d-f3e6a9724a65", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "0f94f5fb-3583-4c46-9bfa-0390c1988800", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"OfficeHome.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 192, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "OfficeHome", "resourceId": "4765445b-32c6-49b0-83e6-1d93765276ca", "resourceTenantId": "95d19bda-09de-4d93-b7ae-acecd1e68186", "homeTenantId": "95d19bda-09de-4d93-b7ae-acecd1e68186", "authenticationDetails": [{"authenticationStepDateTime": "2023-01-12T19:22:14.5285742+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 16509, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "-_WUD4M1Rkyb-gOQwZiIAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0}}
+example_log: '{"time": "2023-01-12T19:22:14.5285742Z", "resourceId": "/tenants/95d19bda-09de-4d93-b7ae-acecd1e68186/providers/Microsoft.aadiam",
+  "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs",
+  "tenantId": "95d19bda-09de-4d93-b7ae-acecd1e68186", "resultType": "0", "resultSignature":
+  "None", "durationMs": 0, "callerIpAddress": "34.1.3.194", "correlationId": "fc78e38c-1e61-4be3-b47d-f3e6a9724a65",
+  "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "0f94f5fb-3583-4c46-9bfa-0390c1988800",
+  "createdDateTime": "2023-01-12T19:22:14.5285742+00:00", "userDisplayName": "User30",
+  "userPrincipalName": "[email protected]", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998",
+  "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome",
+  "ipAddress": "34.1.3.194", "status": {"errorCode": 0, "additionalDetails": "MFA
+  requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail":
+  {"deviceId": "", "operatingSystem": "Windows", "browser": "Rich Client 4.43.0.0"},
+  "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates":
+  {"latitude": 45.73722839355469, "longitude": -119.81143188476562}}, "mfaDetail":
+  {}, "correlationId": "fc78e38c-1e61-4be3-b47d-f3e6a9724a65", "conditionalAccessStatus":
+  "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName":
+  "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [],
+  "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences":
+  [], "originalRequestId": "0f94f5fb-3583-4c46-9bfa-0390c1988800", "isInteractive":
+  false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails":
+  [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope
+  Info", "value": "[\"OfficeHome.All\"]"}, {"key": "Is CAE Token", "value": "False"}],
+  "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds":
+  192, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn":
+  "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName":
+  "OfficeHome", "resourceId": "4765445b-32c6-49b0-83e6-1d93765276ca", "resourceTenantId":
+  "95d19bda-09de-4d93-b7ae-acecd1e68186", "homeTenantId": "95d19bda-09de-4d93-b7ae-acecd1e68186",
+  "authenticationDetails": [{"authenticationStepDateTime": "2023-01-12T19:22:14.5285742+00:00",
+  "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail":
+  "MFA requirement satisfied by claim in the token", "authenticationStepRequirement":
+  "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider":
+  "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication",
+  "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted":
+  false, "autonomousSystemNumber": 16509, "crossTenantAccessType": "none", "privateLinkDetails":
+  {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "-_WUD4M1Rkyb-gOQwZiIAA",
+  "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol":
+  "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus":
+  0}}'

data_sources/azure_active_directory_noninteractiveusersigninlogs.yml

@@ -6,9 +6,9 @@ author: Bhavin Patel
 description: Data source object for Cisco AI Defense Alerts
 source: cisco_ai_defense
 sourcetype: cisco:ai:defense
-separator: 
+separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.0.1
-fields:
+  version: 3.1.1
+fields: null

data_sources/cisco_ai_defense_alerts.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Add User
 id: 30f79353-e1d2-4585-8735-1e0359559f3f
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Add User Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

data_sources/linux_auditd_add_user.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Execve
 id: 9ef6364d-cc67-480e-8448-3306829a6a24
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Execve Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux

data_sources/linux_auditd_execve.yml

@@ -1,11 +1,11 @@
 name: Linux Auditd Path
 id: 3d86125c-0496-4a5a-aae3-0d355a4f3d7d
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-02-20'
 author: Teoderick Contreras, Splunk
 description: Data source object for Linux Auditd Path Type
-source: /var/log/audit/audit.log
-sourcetype: linux:audit
+source: auditd
+sourcetype: auditd
 configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux