convert csv lookup to kvstore lookup.

Update references in description files
as well.

Author: pyth0n1c

baselines/baseline_of_open_s3_bucket_decommissioning.yml

@@ -38,7 +38,7 @@ search: '`cloudtrail` eventSource="s3.amazonaws.com"  (eventName=DeleteBucket OR
 | eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting")
 | table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
 | outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`'
-how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup file named decommissioned_buckets.csv which tracks the history of deleted buckets that were previously exposed to the public.
+how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public.
 known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
 references:
 - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml

@@ -16,7 +16,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
 | lookup decommissioned_buckets bucketName as bucket_domain OUTPUT bucketName as match 
 | where isnotnull(match) 
 | `detect_dns_query_to_decommissioned_s3_bucket_filter`'
-how_to_implement: To successfully implement this detection, you need to be ingesting DNS query logs and have them mapped to the Network_Resolution data model. Additionally, ensure that the baseline search "Baseline Of Open S3 Bucket Decommissioning" is running and populating the decommissioned_buckets.csv lookup file.
+how_to_implement: To successfully implement this detection, you need to be ingesting DNS query logs and have them mapped to the Network_Resolution data model. Additionally, ensure that the baseline search "Baseline Of Open S3 Bucket Decommissioning" is running and populating the decommissioned_buckets KVstore lookup.
 known_false_positives: Some applications or scripts may continue to reference old S3 bucket names after they have been decommissioned. These should be investigated and updated to prevent potential security risks.
 references:
 - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
@@ -47,7 +47,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: network
-  manual_test: This search needs a lookup table to be populated -decommissioned_buckets.csv by running a baseline search `Baseline Of Open S3 Bucket Decommissioning` prior to running this detection.
+  manual_test: This search needs a lookup table to be populated in decommissioned_buckets KVStore Lookup by running a baseline search `Baseline Of Open S3 Bucket Decommissioning` prior to running this detection.
 tests:
 - name: Baseline Dataset Test
   attack_data:

detections/web/detect_web_access_to_decommissioned_s3_bucket.yml

@@ -16,7 +16,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
 | lookup decommissioned_buckets bucketName as bucket_domain OUTPUT bucketName as match 
 | where isnotnull(match) 
 | `detect_web_access_to_decommissioned_s3_bucket_filter`'
-how_to_implement: To successfully implement this detection, you need to be ingesting web proxy logs and have them mapped to the Web data model. Additionally, ensure that the baseline search "Baseline Of Open S3 Bucket Decommissioning" is running and populating the decommissioned_buckets.csv lookup file.
+how_to_implement: To successfully implement this detection, you need to be ingesting web proxy logs and have them mapped to the Web data model. Additionally, ensure that the baseline search "Baseline Of Open S3 Bucket Decommissioning" is running and populating the decommissioned_buckets KVStore Lookup.
 known_false_positives: Some applications or web pages may continue to reference old S3 bucket URLs after they have been decommissioned. These should be investigated and updated to prevent potential security risks.
 references:
 - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
@@ -51,7 +51,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: network
-  manual_test: This search needs a lookup table to be populated - decommissioned_buckets.csv by running a baseline search `Baseline Of Open S3 Bucket Decommissioning` prior to running this detection.
+  manual_test: This search needs a lookup table to be populated the decommissioned_buckets KVStore Lookup by running a baseline search `Baseline Of Open S3 Bucket Decommissioning` prior to running this detection.
 tests:
 - name: Baseline Dataset Test
   attack_data:

lookups/decommissioned_buckets.yml

@@ -3,7 +3,19 @@ date: 2025-02-14
 version: 1
 id: b3a95eff-87cf-40f3-b6e0-5b1a11eed68f
 author: Bhavin Patel
-lookup_type: csv
+lookup_type: kvstore
 default_match: false
 description: A lookup table of decommissioned S3 buckets created by baseline - Baseline of Open S3 Bucket Decommissioning. This lookup table is used by detections searches to trigger alerts when decommissioned buckets are detected.
-min_matches: 1
+min_matches: 1
+fields: 
+- _key
+- bucketName
+- hosts
+- firstEvent
+- lastEvent
+- events
+- policy_details
+- website_details
+- accountIds
+- userARNs
+- awsRegions