Merge branch 'develop' into nterl0k-t1053-suspicious-task-lookups

app_template/default/data/ui/nav/default.xml

@@ -2,6 +2,8 @@
   <view name="escu_summary" default="true"/>
   <view name="feedback"/>
   <view name="search"/>
-  <view name="dashboards"/>
-  <a href="http://docs.splunk.com/Documentation/ESSOC">Docs</a>
+  <collection label="Dashboards">
+    <view source="unclassified" match="__"/>
+  </collection>
+  <a href="https://docs.splunk.com/Documentation/ESCU">Docs</a>
 </nav>

contentctl.yml

@@ -77,9 +77,9 @@ apps:
 - uid: 5579
   title: Splunk Add-on for CrowdStrike FDR
   appid: Splunk_TA_CrowdStrike_FDR
-  version: 2.0.3
+  version: 2.0.4
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_203.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_204.tgz
 - uid: 3185
   title: Splunk Add-on for Microsoft IIS
   appid: SPLUNK_TA_FOR_IIS
@@ -206,4 +206,10 @@ apps:
   version: 4.2.2
   description: PSC for MLTK
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/python-for-scientific-computing-for-linux-64-bit_422.tgz
+- uid: 2882
+  title: Splunk Add-on for AppDynamics
+  appid: Splunk_TA_AppDynamics
+  version: 3.0.0
+  description: The Splunk Add-on for AppDynamics enables you to easily configure data inputs to pull data from AppDynamics' REST APIs
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-appdynamics_300.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd

data_sources/cisco_secure_application_appdynamics_alerts.yml

@@ -0,0 +1,136 @@
+name: Cisco Secure Application AppDynamics Alerts
+id: 5c963eb0-010e-4386-875f-5134879f14a7
+version: 1
+date: '2025-02-04'
+author: Bhavin Patel, Splunk
+description: Data source object for alerts from Cisco Secure Application
+source: AppDynamics Security
+sourcetype: appdynamics_security
+supported_TA:
+- name: Splunk Add-on for AppDynamics
+  url: https://splunkbase.splunk.com/app/3471
+  version: 3.0.0
+fields:
+- SourceType
+- apiServerExternal
+- app_name
+- application
+- attackEventTrigger
+- attackEvents{}.applicationName
+- attackEvents{}.attackOutcome
+- attackEvents{}.attackTypes
+- attackEvents{}.blocked
+- attackEvents{}.blockedReason
+- attackEvents{}.clientAddress
+- attackEvents{}.clientAddressType
+- attackEvents{}.clientPort
+- attackEvents{}.cveId
+- attackEvents{}.detailJson.apiServerExternal
+- attackEvents{}.detailJson.apiServerInUrl
+- attackEvents{}.detailJson.classname
+- attackEvents{}.detailJson.hostContext
+- attackEvents{}.detailJson.methodName
+- attackEvents{}.detailJson.ptype
+- attackEvents{}.detailJson.socketOut
+- attackEvents{}.eventType
+- attackEvents{}.jvmId
+- attackEvents{}.keyInfo
+- attackEvents{}.maliciousIpOut
+- attackEvents{}.maliciousIpSource
+- attackEvents{}.maliciousIpSourceOut
+- attackEvents{}.matchedCveName
+- attackEvents{}.serverAddress
+- attackEvents{}.serverName
+- attackEvents{}.serverPort
+- attackEvents{}.stackTrace
+- attackEvents{}.tierName
+- attackEvents{}.timestamp
+- attackEvents{}.vulnerabilityInfo.cveNvdUrl
+- attackEvents{}.vulnerabilityInfo.cvePublishDate
+- attackEvents{}.vulnerabilityInfo.cvssScore
+- attackEvents{}.vulnerabilityInfo.cvssSeverity
+- attackEvents{}.vulnerabilityInfo.incidentFirstDetected
+- attackEvents{}.vulnerabilityInfo.kennaActiveInternetBreach
+- attackEvents{}.vulnerabilityInfo.kennaEasilyExploitable
+- attackEvents{}.vulnerabilityInfo.kennaMalwareExploitable
+- attackEvents{}.vulnerabilityInfo.kennaPopularTarget
+- attackEvents{}.vulnerabilityInfo.kennaPredictedExploitable
+- attackEvents{}.vulnerabilityInfo.kennaScore
+- attackEvents{}.vulnerabilityInfo.library
+- attackEvents{}.vulnerabilityInfo.title
+- attackEvents{}.vulnerabilityInfo.type
+- attackEvents{}.vulnerableMethod
+- attackEvents{}.webTransactionUrl
+- attackId
+- attackLastDetected
+- attackOutcome
+- attackSource
+- attackStatus
+- attackTypes
+- blocked
+- blockedReason
+- businessTransaction
+- classname
+- clientAddressType
+- cveId
+- cveNvdUrl
+- cvePublishDate
+- cvssScore
+- cvssSeverity
+- dest_ip
+- dest_nt_host
+- dest_port
+- eventType
+- eventtype
+- host
+- incidentFirstDetected
+- index
+- jvmId
+- kennaActiveInternetBreach
+- kennaEasilyExploitable
+- kennaMalwareExploitable
+- kennaPopularTarget
+- kennaPredictedExploitable
+- kennaScore
+- keyInfo
+- linecount
+- maliciousIpOut
+- maliciousIpSource
+- maliciousIpSourceOut
+- matchedCveName
+- methodName
+- ptype
+- punct
+- signature
+- socketAddr
+- socketFromLog4j
+- socketOut
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src_category
+- src_ip
+- src_port
+- stackTrace
+- status
+- tag
+- tag::eventtype
+- tier
+- tierName
+- timestamp
+- vulnLibrary
+- vulnTitle
+- vulnType
+- vulnerableMethod
+- webTransactionUrl
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _time
+example_log: '{  "SourceType": "secure_app_attacks",  "attackId": "24815279",  "attackSource": "EXTERNAL",  "attackOutcome": "EXPLOITED",  "attackTypes": "{SSRF}",  "attackEventTrigger": "",  "application": "AD-Ecommerce",  "tier": "Order-Processing-Services",  "businessTransaction": "Checkout",  "attackStatus": "OPEN",  "attackLastDetected": "2025-01-31 12:30:22 +0000 UTC",  "attackEvents": [{"attackOutcome":"EXPLOITED","eventType":"SOCKET_RESOLVE","attackTypes":"SSRF","timestamp":"2025-01-31T12:30:22Z","applicationName":"AD-Ecommerce","tierName":"Order-Processing-Services","maliciousIpOut":"","maliciousIpSourceOut":"","detailJson":{"classname":"java.net.SocketPermission","ptype":"SOCKET","socketOut":"www.cisco.com","hostContext":"www.cisco.com","methodName":"sun.net.www.http.HttpClient.openServer","apiServerExternal":true,"apiServerInUrl":true},"blocked":false,"blockedReason":"","vulnerableMethod":"org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)","matchedCveName":"CVE-2020-13934","keyInfo":"","cveId":"a21931cd-52fa-11ec-a8b2-8e3051145156","stackTrace":"java.lang.SecurityManager.checkConnect(SecurityManager.java:1051)\nsun.net.www.http.HttpClient.openServer(HttpClient.java:510)\nsun.net.www.protocol.https.HttpsClient.\u003cinit\u003e(HttpsClient.java:264)\nsun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)\nsun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)\norg.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.login(SomeFile.java:12)\nsun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138)\nsun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1022)\nsun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1020)\njava.security.AccessController.doPrivileged(Native Method)\njava.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)\nsun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1019)\nsun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)\nsun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)\nsun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:91)\nsun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1466)\nsun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1464)\njava.security.AccessController.doPrivileged(Native Method)\njava.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)\nsun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1463)\nsun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)\nservlet.ArgentoDemoApp$GenericExecution._executeServletCommand(ArgentoDemoApp.java:850)\nservlet.ArgentoDemoApp$GenericExecution.executeServletCommand(ArgentoDemoApp.java:778)\nservlet.ArgentoDemoApp$MyApplicationExecution.executeServletCommand(ArgentoDemoApp.java:718)\nservlet.ArgentoDemoApp._doGet(ArgentoDemoApp.java:441)\nservlet.ArgentoDemoApp.doGet(ArgentoDemoApp.java:376)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:634)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:741)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\norg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\norg.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)\norg.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)\norg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)\norg.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)\norg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\norg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)\norg.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)\norg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\norg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)\norg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\norg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)\norg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)\norg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\njava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\njava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\norg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\njava.lang.Thread.run(Thread.java:745)\n","jvmId":"EEcommerce_MS_NODE","maliciousIpSource":"","webTransactionUrl":"https://localhost:8088/argentoDemoApp/execute?upload=https://www.cisco.com/c/dam/cdc/t/ctm-core.js","clientAddressType":4,"clientAddress":"218.132.217.179","serverPort":"1047","serverAddress":"75.155.150.130","clientPort":"68389","serverName":"/usr/src/argento/prod/demo-run/tomcat-demo-app/webapps/argentoDemoApp/","vulnerabilityInfo":{"cvePublishDate":"2020-07-15T16:40:14.601976Z","cvssScore":5.3,"cvssSeverity":"MEDIUM","cveNvdUrl":"https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-584427","incidentFirstDetected":"2020-07-15T16:40:14.601976Z","kennaScore":53.0971,"library":"org.apache.tomcat.embed:tomcat-embed-core","title":"Denial of Service (DoS)","type":"java","kennaActiveInternetBreach":false,"kennaEasilyExploitable":false,"kennaMalwareExploitable":false,"kennaPredictedExploitable":true,"kennaPopularTarget":false}}]}'

data_sources/crowdstrike_processrollup2.yml

@@ -10,7 +10,7 @@ separator: event_simpleName
 supported_TA:
 - name: Splunk Add-on for CrowdStrike FDR
   url: https://splunkbase.splunk.com/app/5579
-  version: 2.0.3
+  version: 2.0.4
 fields:
 - AuthenticationId
 - AuthenticationId_meaning
@@ -96,6 +96,7 @@ field_mappings:
   mapping:
     CommandLine: Processes.process
     ImageFileName: Processes.process_path
+    ImageFileName|endswith: Processes.process_name
     ParentBaseFileName: Processes.parent_process_name
     ParentProcessId: Processes.parent_process_id
     RawProcessId: Processes.process_id

data_sources/nginx_access.yml

@@ -6,7 +6,21 @@ author: Patrick Bareiss, Splunk
 description: Data source object for Nginx Access
 source: /var/log/nginx/access.log
 sourcetype: nginx:plus:kv
-supported_TA: []
+supported_TA:
+- name: Splunk Add-on for NGINX
+  url: https://splunkbase.splunk.com/app/3258
+  version: 3.3.0
+field_mappings:
+- data_model: cim
+  data_set: Web
+  mapping:
+    server: Web.dest
+    http_method: Web.http_method
+    http_user_agent: Web.http_user_agent
+    status: Web.status
+    uri_path: Web.url
+    url_length: Web.url_length
+    src_ip: Web.src
 fields:
 - _time
 - action

data_sources/palo_alto_network_threat.yml

@@ -10,6 +10,16 @@ supported_TA:
 - name: Palo Alto Networks Add-on
   url: https://splunkbase.splunk.com/app/2757
   version: 8.1.3
+field_mappings:
+- data_model: cim
+  data_set: Web
+  mapping:
+    dest: Web.dest
+    http_method: Web.http_method
+    http_user_agent: Web.http_user_agent
+    url: Web.url
+    url_length: Web.url_length
+    src: Web.src
 fields:
 - _time
 - date_hour

data_sources/palo_alto_network_traffic.yml

@@ -29,6 +29,16 @@ fields:
 - splunk_server
 - timeendpos
 - timestartpos
+field_mappings:
+- data_model: cim
+  data_set: All_Traffic
+  mapping:
+    app: All_Traffic.app
+    action: All_Traffic.action
+    dest_ip: All_Traffic.dest_ip
+    dest_port: All_Traffic.dest_port
+    src_ip: All_Traffic.src_ip
+    src_port: All_Traffic.src_port
 example_log: 577 <14>1 2024-02-22T12:33:50-05:00 PALO220.ATTACK_RANGE.LAN - - - -
   1,2024/02/22 12:33:50,012801036556,TRAFFIC,end,2305,2024/02/22 12:33:50,192.168.1.205,147.28.146.44,201.17.96.104,147.28.146.44,No_Vuln_Filtering_OUT,,,screenconnect,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,splunk_range,2024/02/22
   12:33:50,14740,1,50624,443,11024,443,0x40005e,tcp,allow,7419,6609,810,25,2024/02/22

data_sources/suricata.yml

@@ -6,7 +6,21 @@ author: Patrick Bareiss, Splunk
 description: Data source object for Suricata
 source: suricata
 sourcetype: suricata
-supported_TA: []
+supported_TA:
+- name: Splunk TA for Suricata
+  url: https://splunkbase.splunk.com/app/2760
+  version: 2.3.3
+field_mappings:
+- data_model: cim
+  data_set: Web
+  mapping:
+    http.hostname: Web.dest
+    http.http_method: Web.http_method
+    http.http_user_agent: Web.http_user_agent
+    http.status: Web.status
+    http.url: Web.url
+    http.length: Web.url_length
+    src_ip: Web.src
 fields:
 - _time
 - app_proto

data_sources/sysmon_eventid_1.yml

@@ -125,7 +125,7 @@ field_mappings:
     Hashes: Processes.process_hash
     ParentProcessGuid: Processes.parent_process_guid
     ParentProcessId: Processes.parent_process_id
-    ParentImage: Processes.parent_process_name
+    ParentImage|endswith: Processes.parent_process_name
     ParentCommandLine: Processes.parent_process
     Computer: Processes.dest
     OriginalFileName: Processes.original_file_name

data_sources/sysmon_eventid_11.yml

@@ -92,6 +92,7 @@ field_mappings:
     ProcessGuid: Filesystem.process_guid
     ProcessId: Filesystem.process_id
     TargetFilename: Filesystem.file_path
+    TargetFilename|endswith: Filesystem.file_name
 example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
   Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
   SystemTime='2023-02-08T13:01:11.065939500Z'/><EventRecordID>7712490</EventRecordID><Correlation/><Execution

data_sources/sysmon_eventid_12.yml

@@ -87,6 +87,14 @@ fields:
 - timestartpos
 - user_id
 - vendor_product
+field_mappings:
+- data_model: cim
+  data_set: Endpoint.Registry
+  mapping:
+    Computer: Registry.dest
+    ProcessGuid: Registry.process_guid
+    ProcessId: Registry.process_id
+    TargetObject: Registry.registry_path
 example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
   Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>12</EventID><Version>2</Version><Level>4</Level><Task>12</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
   SystemTime='2021-07-12T08:10:32.607068200Z'/><EventRecordID>1055579</EventRecordID><Correlation/><Execution

data_sources/sysmon_eventid_13.yml

@@ -102,7 +102,10 @@ field_mappings:
     ProcessGuid: Registry.process_guid
     ProcessId: Registry.process_id
     TargetObject: Registry.registry_path
-    Details: Registry.registry_value_data
+    Details|in: Registry.registry_value_data
+    action: Registry.action
+    TargetObject|startswith: Registry.registry_key_name
+    TargetObject|endswith: Registry.registry_value_name
 example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
   Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>13</EventID><Version>2</Version><Level>4</Level><Task>13</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
   SystemTime='2021-07-12T08:11:04.548083500Z'/><EventRecordID>810987</EventRecordID><Correlation/><Execution

data_sources/sysmon_eventid_22.yml

@@ -12,6 +12,13 @@ supported_TA:
 - name: Splunk Add-on for Sysmon
   url: https://splunkbase.splunk.com/app/5709
   version: 4.0.2
+field_mappings:
+- data_model: cim
+  data_set: DNS
+  mapping:
+    QueryResults: DNS.answer
+    QueryName: DNS.query
+    Computer: DNS.src
 fields:
 - _time
 - Channel

data_sources/sysmon_for_linux_eventid_1.yml

@@ -100,6 +100,25 @@ fields:
 - timestartpos
 - user
 - vendor_product
+field_mappings:
+- data_model: cim
+  data_set: Endpoint.Processes
+  mapping:
+    ProcessGuid: Processes.process_guid
+    ProcessId: Processes.process_id
+    Image: Processes.process_path
+    Image|endswith: Processes.process_name
+    CommandLine: Processes.process
+    CurrentDirectory: Processes.process_current_directory
+    User: Processes.user
+    IntegrityLevel: Processes.process_integrity_level
+    Hashes: Processes.process_hash
+    ParentProcessGuid: Processes.parent_process_guid
+    ParentProcessId: Processes.parent_process_id
+    ParentImage: Processes.parent_process_name
+    ParentCommandLine: Processes.parent_process
+    Computer: Processes.dest
+    OriginalFileName: Processes.original_file_name
 example_log: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
   SystemTime="2022-08-09T10:42:47.749450000Z"/><EventRecordID>1926574</EventRecordID><Correlation/><Execution
   ProcessID="1465" ThreadID="1465"/><Channel>Linux-Sysmon/Operational</Channel><Computer>ar-linux</Computer><Security

data_sources/sysmon_for_linux_eventid_11.yml

@@ -78,6 +78,14 @@ fields:
 - timestartpos
 - user
 - vendor_product
+field_mappings:
+- data_model: cim
+  data_set: Endpoint.Filesystem
+  mapping:
+    Computer: Filesystem.dest
+    ProcessGuid: Filesystem.process_guid
+    ProcessId: Filesystem.process_id
+    TargetFilename: Filesystem.file_path
 example_log: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
   SystemTime="2021-12-20T16:07:17.927963000Z"/><EventRecordID>792913</EventRecordID><Correlation/><Execution
   ProcessID="4372" ThreadID="4372"/><Channel>Linux-Sysmon/Operational</Channel><Computer>sysmonlinux-tcontreras-attack-range-4134</Computer><Security