Merge branch 'develop' into remove_detections
patel-bhavin authored Feb 26, 2025
2 parents b70a474 + f0d60a4 commit 79b7f64
Showing 25 changed files with 1,855 additions and 1,832 deletions.
391 changes: 196 additions & 195 deletions contentctl.yml


73 changes: 37 additions & 36 deletions data_sources/g_suite_drive.yml
@@ -1,48 +1,49 @@
name: G Suite Drive
id: 5f79120f-a235-4468-bd0d-55203758ac22
version: 1
date: '2024-07-18'
date: "2024-07-18"
author: Patrick Bareiss, Splunk
description: Data source object for G Suite Drive
source: http:gsuite
sourcetype: gsuite:drive:json
supported_TA:
- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
version: 3.0.2
- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
version: 3.0.3
fields:
- _time
- email
- host
- index
- ip_address
- linecount
- name
- parameters.actor_is_collaborator_account
- parameters.billable
- parameters.doc_id
- parameters.doc_title
- parameters.doc_type
- parameters.is_encrypted
- parameters.new_value{}
- parameters.old_value{}
- parameters.old_visibility
- parameters.originating_app_id
- parameters.owner
- parameters.owner_is_shared_drive
- parameters.owner_is_team_drive
- parameters.primary_event
- parameters.target_user
- parameters.visibility
- parameters.visibility_change
- punct
- source
- sourcetype
- splunk_server
- timestamp
- type
- unique_id
example_log: '{"type": "acl_change", "name": "change_user_access", "parameters": {"primary_event":
- _time
- email
- host
- index
- ip_address
- linecount
- name
- parameters.actor_is_collaborator_account
- parameters.billable
- parameters.doc_id
- parameters.doc_title
- parameters.doc_type
- parameters.is_encrypted
- parameters.new_value{}
- parameters.old_value{}
- parameters.old_visibility
- parameters.originating_app_id
- parameters.owner
- parameters.owner_is_shared_drive
- parameters.owner_is_team_drive
- parameters.primary_event
- parameters.target_user
- parameters.visibility
- parameters.visibility_change
- punct
- source
- sourcetype
- splunk_server
- timestamp
- type
- unique_id
example_log:
'{"type": "acl_change", "name": "change_user_access", "parameters": {"primary_event":
true, "billable": true, "visibility_change": "none", "target_user": "alberto@internal_test_email.com",
"old_value": ["none"], "new_value": ["can_edit"], "old_visibility": "private", "doc_id":
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "doc_type": "spreadsheet", "is_encrypted":
151 changes: 76 additions & 75 deletions data_sources/g_suite_gmail.yml
@@ -1,87 +1,88 @@
name: G Suite Gmail
id: 706c3978-41de-406b-b6e0-75bd01e12a5d
version: 1
date: '2024-07-18'
date: "2024-07-18"
author: Patrick Bareiss, Splunk
description: Data source object for G Suite Gmail
source: http:gsuite
sourcetype: gsuite:gmail:bigquery
supported_TA:
- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
version: 3.0.2
- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
version: 3.0.3
fields:
- _time
- action_type
- attachment{}.file_extension_type
- attachment{}.malware_family
- attachment{}.sha256
- connection_info.authenticated_domain{}.name
- connection_info.authenticated_domain{}.type
- connection_info.client_host_zone
- connection_info.client_ip
- connection_info.dkim_pass
- connection_info.dmarc_pass
- connection_info.dmarc_published_domain
- connection_info.ip_geo_city
- connection_info.ip_geo_country
- connection_info.is_internal
- connection_info.is_intra_domain
- connection_info.smtp_in_connect_ip
- connection_info.smtp_out_connect_ip
- connection_info.smtp_out_remote_host
- connection_info.smtp_reply_code
- connection_info.smtp_response_reason
- connection_info.smtp_tls_cipher
- connection_info.smtp_tls_state
- connection_info.smtp_tls_version
- connection_info.smtp_user_agent_ip
- connection_info.spf_pass
- connection_info.tls_required_but_unavailable
- description
- destination{}.address
- destination{}.rcpt_response
- destination{}.selector
- destination{}.service
- destination{}.smime_decryption_success
- destination{}.smime_extraction_success
- destination{}.smime_parsing_success
- destination{}.smime_signature_verification_success
- eventtype
- flattened_destinations
- flattened_triggered_rule_info
- host
- index
- is_policy_check_for_sender
- is_spam
- linecount
- message_set{}.type
- num_message_attachments
- payload_size
- punct
- rfc2822_message_id
- smime_content_type
- smime_encrypt_message
- smime_extraction_success
- smime_packaging_success
- smime_sign_message
- smtp_relay_error
- source
- source.address
- source.from_header_address
- source.from_header_displayname
- source.selector
- source.service
- sourcetype
- spam_info
- splunk_server
- structured_policy_log_info
- subject
- tag
- tag::eventtype
- timestamp
- upload_error_category
example_log: '{"action_type": 10, "rfc2822_message_id": "<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC@mail.gmail.com>",
- _time
- action_type
- attachment{}.file_extension_type
- attachment{}.malware_family
- attachment{}.sha256
- connection_info.authenticated_domain{}.name
- connection_info.authenticated_domain{}.type
- connection_info.client_host_zone
- connection_info.client_ip
- connection_info.dkim_pass
- connection_info.dmarc_pass
- connection_info.dmarc_published_domain
- connection_info.ip_geo_city
- connection_info.ip_geo_country
- connection_info.is_internal
- connection_info.is_intra_domain
- connection_info.smtp_in_connect_ip
- connection_info.smtp_out_connect_ip
- connection_info.smtp_out_remote_host
- connection_info.smtp_reply_code
- connection_info.smtp_response_reason
- connection_info.smtp_tls_cipher
- connection_info.smtp_tls_state
- connection_info.smtp_tls_version
- connection_info.smtp_user_agent_ip
- connection_info.spf_pass
- connection_info.tls_required_but_unavailable
- description
- destination{}.address
- destination{}.rcpt_response
- destination{}.selector
- destination{}.service
- destination{}.smime_decryption_success
- destination{}.smime_extraction_success
- destination{}.smime_parsing_success
- destination{}.smime_signature_verification_success
- eventtype
- flattened_destinations
- flattened_triggered_rule_info
- host
- index
- is_policy_check_for_sender
- is_spam
- linecount
- message_set{}.type
- num_message_attachments
- payload_size
- punct
- rfc2822_message_id
- smime_content_type
- smime_encrypt_message
- smime_extraction_success
- smime_packaging_success
- smime_sign_message
- smtp_relay_error
- source
- source.address
- source.from_header_address
- source.from_header_displayname
- source.selector
- source.service
- sourcetype
- spam_info
- splunk_server
- structured_policy_log_info
- subject
- tag
- tag::eventtype
- timestamp
- upload_error_category
example_log:
'{"action_type": 10, "rfc2822_message_id": "<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC@mail.gmail.com>",
"subject": "New Order DHL0000001 - Dummy email for Detection Development", "payload_size":
6733, "source": {"address": "john@external_test_email.com", "service": "gmail-for-work",
"selector": "policy", "from_header_address": "john@external_test_email.com", "from_header_displayname":
