
Commit ddf3ed0

adding baseline key to test
1 parent 43c9994 commit ddf3ed0

File tree

3 files changed

+12
-9
lines changed


baselines/baseline_of_open_s3_bucket_decommissioning.yml

Lines changed: 1 addition & 8 deletions
@@ -61,11 +61,4 @@ deployment:
6161
cron_schedule: 0 2 * * 0
6262
earliest_time: -30d@d
6363
latest_time: -1d@d
64-
schedule_window: auto
65-
# Baselines usually dont have tests, but there was no good place to store this information explicitly, adding it as a comment.
66-
# tests:
67-
# - name: Baseline Dataset Test
68-
# attack_data:
69-
# - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
70-
# source: cloudtrail
71-
# sourcetype: aws:cloudtrail
64+
schedule_window: auto
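Review bot: the deleted comment block was the only place that recorded which dataset (cloudtrail.json, source `cloudtrail`, sourcetype `aws:cloudtrail`) the baseline is exercised against; after this hunk the baseline file carries no reference to it, so anyone running the baseline by hand has to go looking through the detection files to learn what data it expects. Consider keeping a one-line pointer to the dataset here, or state in the commit message that the test data moved to the two detections that depend on this baseline.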

detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml

Lines changed: 5 additions & 0 deletions
@@ -49,6 +49,11 @@ tags:
4949
security_domain: network
5050
manual_test: This search needs a lookup table to be populated -decommissioned_buckets.csv by running a baseline search `Baseline Of Open S3 Bucket Decommissioning` prior to running this detection.
5151
tests:
52+
- name: Baseline Dataset Test
53+
attack_data:
54+
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
55+
source: cloudtrail
56+
sourcetype: aws:cloudtrail
5257
- name: True Positive Test
5358
attack_data:
5459
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log
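Review bot: the new `Baseline Dataset Test` entry carries no field that marks it as input for the baseline search rather than for this detection's own search, so a test runner that executes the detection over cloudtrail.json will be running a DNS detection against CloudTrail events and cannot be expected to match; if the framework treats a test as passing only when the detection fires, this entry will fail or be meaningless, and the intent should be documented next to it. Also, the `manual_test` context line still reads `populated -decommissioned_buckets.csv` while the web detection in this same commit is corrected to `populated - decommissioned_buckets.csv`; apply the same spacing fix here for consistency.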

detections/web/detect_web_access_to_decommissioned_s3_bucket.yml

Lines changed: 6 additions & 1 deletion
@@ -51,8 +51,13 @@ tags:
5151
- Splunk Enterprise Security
5252
- Splunk Cloud
5353
security_domain: network
54-
manual_test: This search needs a lookup table to be populated -decommissioned_buckets.csv by running a baseline search `Baseline Of Open S3 Bucket Decommissioning` prior to running this detection.
54+
manual_test: This search needs a lookup table to be populated - decommissioned_buckets.csv by running a baseline search `Baseline Of Open S3 Bucket Decommissioning` prior to running this detection.
5555
tests:
56+
- name: Baseline Dataset Test
57+
attack_data:
58+
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
59+
source: cloudtrail
60+
sourcetype: aws:cloudtrail
5661
- name: True Positive Test
5762
attack_data:
5863
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log
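Review bot: the `Baseline Dataset Test` block (name, data URL, `source: cloudtrail`, `sourcetype: aws:cloudtrail`) is duplicated verbatim from detect_dns_query_to_decommissioned_s3_bucket.yml, so the dataset location now lives in two files that must be kept in sync by hand; since the baseline itself apparently has no place for tests, a short comment on each copy noting that it mirrors the other would at least make the coupling visible. The `manual_test` change in this hunk is whitespace only (a space after the dash) and is fine as is.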
