Commit
Showing 16 changed files with 712 additions and 316 deletions.
@@ -1,6 +1,6 @@ | ||
############# | ||
# Automatically generated by generator.py in splunk/security_content | ||
# On Date: 2023-06-27T23:22:58 UTC | ||
# On Date: 2023-07-25T20:31:22 UTC | ||
# Author: Splunk Security Research | ||
# Contact: [email protected] | ||
############# | ||
|
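Review bot: the only change in this hunk is the generator timestamp (2023-06-27T23:22:58 UTC to 2023-07-25T20:31:22 UTC), and the same one-line churn repeats in several other generated files in this commit. Consider dropping the `# On Date:` line from the generator.py output, or stamping the content version instead, so that regenerated files only show up in a diff when their content actually changes and reviewers can focus on the hunks that matter.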
@@ -1,2 +1,2 @@ | ||
[content-version] | ||
version = 4.6.0 | ||
version = 4.7.0 |
@@ -1,6 +1,6 @@ | ||
############# | ||
# Automatically generated by generator.py in splunk/security_content | ||
# On Date: 2023-06-27T23:22:58 UTC | ||
# On Date: 2023-07-25T20:31:22 UTC | ||
# Author: Splunk Security Research | ||
# Contact: [email protected] | ||
############# | ||
|
@@ -1,6 +1,6 @@ | ||
############# | ||
# Automatically generated by generator.py in splunk/security_content | ||
# On Date: 2023-06-27T23:22:58 UTC | ||
# On Date: 2023-07-25T20:31:22 UTC | ||
# Author: Splunk Security Research | ||
# Contact: [email protected] | ||
############# | ||
|
@@ -3873,6 +3873,10 @@ description = Update this macro to limit the output results to filter out false | |
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[windows_common_abused_cmd_shell_risk_behavior_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[windows_computer_account_created_by_computer_account_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
@@ -4317,6 +4321,14 @@ description = Update this macro to limit the output results to filter out false | |
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[windows_modify_registry_enablelinkedconnections_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[windows_modify_registry_longpathsenabled_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[windows_modify_registry_no_auto_reboot_with_logon_user_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
@@ -4337,6 +4349,10 @@ description = Update this macro to limit the output results to filter out false | |
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[windows_modify_registry_risk_behavior_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[windows_modify_registry_suppress_win_defender_notif_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
@@ -4489,6 +4505,10 @@ description = Update this macro to limit the output results to filter out false | |
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[windows_post_exploitation_risk_behavior_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[windows_powershell_add_module_to_global_assembly_cache_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
@@ -5209,6 +5229,10 @@ description = Update this macro to limit the output results to filter out false | |
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[citrix_adc_exploitation_cve_2023_3519_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
@@ -1,6 +1,6 @@ | ||
############# | ||
# Automatically generated by generator.py in splunk/security_content | ||
# On Date: 2023-06-27T23:22:58 UTC | ||
# On Date: 2023-07-25T20:31:22 UTC | ||
# Author: Splunk Security Research | ||
# Contact: [email protected] | ||
############# | ||
|
@@ -1,6 +1,6 @@ | ||
############# | ||
# Automatically generated by generator.py in splunk/security_content | ||
# On Date: 2023-06-27T23:22:58 UTC | ||
# On Date: 2023-07-25T20:31:22 UTC | ||
# Author: Splunk Security Research | ||
# Contact: [email protected] | ||
############# | ||
|
@@ -1,27 +1,26 @@ | ||
azureadrole,isprvilegedadrole,description | ||
"""Authentication Administrator""",True,Can access to view, set and reset authentication method information for any non-admin user. | ||
"""Authentication Policy Administrator""",True,Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials. | ||
"""Azure AD Joined Device Local Administrator""",True,Users assigned to this role are added to the local administrators group on Azure AD-joined devices. | ||
"""Azure DevOps Administrator""",True,Can manage Azure DevOps policies and settings. | ||
"""Azure Information Protection Administrator""",True,Can manage all aspects of the Azure Information Protection product. | ||
"""Cloud Application Administrator""",True,Can create and manage all aspects of app registrations and enterprise apps except App Proxy. | ||
"""Cloud Device Administrator""",True,Limited access to manage devices in Azure AD. | ||
"""Compliance Administrator""",True,Can read and manage compliance configuration and reports in Azure AD and Microsoft 365. | ||
"""Conditional Access Administrator""",True,Can manage Conditional Access capabilities. | ||
"""Exchange Administrator""",True,Can manage all aspects of the Exchange product. | ||
"""External Identity Provider Administrator""",True,Can configure identity providers for use in direct federation. | ||
"""Groups Administrator""",True,Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. | ||
"""Helpdesk Administrator""",True,Can reset passwords for non-administrators and Helpdesk Administrators. | ||
"""Hybrid Identity Administrator""",True,Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings. | ||
"""Intune Administrator""",True,Can manage all aspects of the Intune product. | ||
"""License Administrator""",True,Can manage product licenses on users and groups. | ||
"""Network Administrator""",True,Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. | ||
"""Password Administrator""",True,Can reset passwords for non-administrators and Password Administrators. | ||
"""Privileged Role Administrator""",True,Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. | ||
"""Security Administrator""",True,Can read security information and reports, and manage configuration in Azure AD and Office 365. | ||
"""SharePoint Administrator""",True,Can manage all aspects of the SharePoint service. | ||
"""Teams Administrator""",True,Can manage the Microsoft Teams service. | ||
"""User Administrator""",True,Can manage all aspects of users and groups, including resetting passwords for limited admins. | ||
"""Windows 365 Administrator""",True,Can provision and manage all aspects of Cloud PCs. | ||
|
||
"azureadrole","isprvilegedadrole","description" | ||
"""Authentication Administrator""","True","Can access to view, set and reset authentication method information for any non-admin user." | ||
"""Authentication Policy Administrator""","True","Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials." | ||
"""Azure AD Joined Device Local Administrator""","True","Users assigned to this role are added to the local administrators group on Azure AD-joined devices." | ||
"""Azure DevOps Administrator""","True","Can manage Azure DevOps policies and settings." | ||
"""Azure Information Protection Administrator""","True","Can manage all aspects of the Azure Information Protection product." | ||
"""Cloud Application Administrator""","True","Can create and manage all aspects of app registrations and enterprise apps except App Proxy." | ||
"""Cloud Device Administrator""","True","Limited access to manage devices in Azure AD." | ||
"""Compliance Administrator""","True","Can read and manage compliance configuration and reports in Azure AD and Microsoft 365." | ||
"""Conditional Access Administrator""","True","Can manage Conditional Access capabilities." | ||
"""Exchange Administrator""","True","Can manage all aspects of the Exchange product." | ||
"""External Identity Provider Administrator""","True","Can configure identity providers for use in direct federation." | ||
"""Groups Administrator""","True","Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports." | ||
"""Helpdesk Administrator""","True","Can reset passwords for non-administrators and Helpdesk Administrators." | ||
"""Hybrid Identity Administrator""","True","Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings." | ||
"""Intune Administrator""","True","Can manage all aspects of the Intune product." | ||
"""License Administrator""","True","Can manage product licenses on users and groups." | ||
"""Network Administrator""","True","Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications." | ||
"""Password Administrator""","True","Can reset passwords for non-administrators and Password Administrators." | ||
"""Privileged Role Administrator""","True","Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management." | ||
"""Security Administrator""","True","Can read security information and reports, and manage configuration in Azure AD and Office 365." | ||
"""SharePoint Administrator""","True","Can manage all aspects of the SharePoint service." | ||
"""Teams Administrator""","True","Can manage the Microsoft Teams service." | ||
"""User Administrator""","True","Can manage all aspects of users and groups, including resetting passwords for limited admins." | ||
"""Windows 365 Administrator""","True","Can provision and manage all aspects of Cloud PCs." | ||
|
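Review bot: the triple-quoted role names (`"""Authentication Administrator"""`) decode to a CSV field value that still contains literal double quotes, i.e. `"Authentication Administrator"`, and that was already the case before this change; a lookup on `azureadrole` will therefore only match event fields whose value carries the same surrounding quotes, so confirm that the consuming searches really see the quoted form rather than the bare role name. Two smaller points: the header field `isprvilegedadrole` keeps its misspelling, and if it is ever corrected that has to happen in the same commit as the lookup definition and every search that references the field, otherwise the lookup silently returns nothing; and since every row carries `True`, the column only earns its place if a `False` row is planned, so a one-line comment in the commit message on why the flag exists would help the next reader.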
@@ -1,11 +1,11 @@ | ||
splunk_risky_command,description,vulnerable_versions,CVE,other_metadata | ||
*createrss*,createrss command overwrites existing RSS feeds without verifying permissions, 8.1.13 8.2.10,CVE-2023-22931 | ||
*pivot?seedSid=*,pivot command allows a search to bypass SPL safeguards for risky commands using a saved job,8.1.13,8.2.10,9.0.4,CVE-2023-22934 | ||
*|makeresults+&search_listener*,search_listener parameter in a Search allows for a Blind Server Side Request Forgery by an authenticated user,8.1.13 8.2.10 9.0.4,CVE-2023-22936 | ||
*| map search=*| *,map search processing language (SPL) command lets a search bypass SPL safeguards for risky commands,8.1.13 8.2.10 9.0.4,CVE-2023-22939 | ||
*|mcollect%20index*" ,collect command SPL aliases commands could potentially allow for the exposing of data to a summary index that unprivileged users could access,8.1.13,8.2.10,9.0.4,CVE-2023-22940 | ||
*|"*meventcollect*" ,collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access,8.1.13,8.2.10,9.0.4,CVE-2023-22940 | ||
*|"*summaryindex*",collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access,8.1.13,8.2.10,9.0.4,CVE-2023-22940 | ||
*|"*sumindex*",collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access,8.1.13,8.2.10,9.0.4,CVE-2023-22940 | ||
*|"*stash*",collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access,8.1.13,8.2.10,9.0.4,CVE-2023-22940 | ||
*| sendalert *,display.page.search.patterns.sensitivity search parameter allows a search to bypass SPL safeguards for risky commands using obfuscation,8.1.13 8.2.10 9.0.4,CVE-2023-22935 | ||
"splunk_risky_command","description","vulnerable_versions","CVE","other_metadata" | ||
"*createrss*","createrss command overwrites existing RSS feeds without verifying permissions","8.1.13, 8.2.10","CVE-2023-22931","" | ||
"*pivot?seedSid=*","pivot command allows a search to bypass SPL safeguards for risky commands using a saved job","8.1.13, 8.2.10, 9.0.4","CVE-2023-22934","" | ||
"*|makeresults+&search_listener*","search_listener parameter in a Search allows for a Blind Server Side Request Forgery by an authenticated user","8.1.13, 8.2.10, 9.0.4","CVE-2023-22936","" | ||
"*| map search=*| *","map search processing language (SPL) command lets a search bypass SPL safeguards for risky commands","8.1.13, 8.2.10, 9.0.4","CVE-2023-22939","" | ||
"*|mcollect%20index*","collect command SPL aliases commands could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940","" | ||
"*|""*meventcollect*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940","" | ||
"*|""*summaryindex*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940","" | ||
"*|""*sumindex*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940","" | ||
"*|""*stash*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940","" | ||
"*| sendalert *","display.page.search.patterns.sensitivity search parameter allows a search to bypass SPL safeguards for risky commands using obfuscation","8.1.13, 8.2.10, 9.0.4","CVE-2023-22935","" |
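Review bot: the quoting fixes a genuine column-shift bug in the old rows: on the pivot and collect rows `8.1.13,8.2.10,9.0.4` was unquoted, so `8.2.10` landed in `CVE` and the CVE id spilled into `other_metadata`, and the `*|mcollect%20index*" ,` row carried a stray trailing quote; the new rows keep every field in its own column and the stray quote is gone. Three things to confirm before merging. First, the `*createrss*` row lists only `8.1.13, 8.2.10` while every other row also has `9.0.4`, which looks like an omission rather than a deliberate difference. Second, `vulnerable_versions` now separates values with `, ` (comma plus space), so any search that splits that field on `,` alone will end up comparing against ` 8.2.10`; either trim in the consumer or use a plain `,` separator here. Third, the same three values appear in every row, which reads like a list of fixed releases rather than affected ones; make sure the column name matches what the detections actually compare against. Note also that the `*|""*meventcollect*""` style patterns decode to values containing literal `"` characters, so a wildcard match on them only fires when the search text contains those quotes verbatim, which is presumably intended but worth a comment in the file.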