Merge branch 'develop' into susmailrule

splunk · Feb 26, 2025 · aedca32 · aedca32
2 parents ff747d4 + f0d60a4
commit aedca32
Show file tree

Hide file tree

Showing 119 changed files with 5,152 additions and 2,157 deletions.
diff --git a/contentctl.yml b/contentctl.yml
diff --git a/data_sources/aws_cloudtrail_deleteloggingconfiguration.yml b/data_sources/aws_cloudtrail_deleteloggingconfiguration.yml
@@ -0,0 +1,16 @@
+name: AWS CloudTrail DeleteLoggingConfiguration
+id: 24a28726-28f3-4537-a953-71bfbbc3b831
+version: 1
+date: '2025-02-21'
+author: Bhavin Patel, Splunk
+description: Data source object for AWS CloudTrail DeleteLoggingConfiguration
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for AWS
+  url: https://splunkbase.splunk.com/app/1876
+  version: 7.9.0
+fields:
+- _time
+example_log: |-
diff --git a/data_sources/aws_cloudtrail_deleterulegroup.yml b/data_sources/aws_cloudtrail_deleterulegroup.yml
@@ -0,0 +1,16 @@
+name: AWS CloudTrail DeleteRuleGroup
+id: 21c9b538-fa11-4bdf-9138-0dfe06b4d730
+version: 1
+date: '2025-02-21'
+author: Bhavin Patel, Splunk
+description: Data source object for AWS CloudTrail DeleteRuleGroup
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for AWS
+  url: https://splunkbase.splunk.com/app/1876
+  version: 7.9.0
+fields:
+- _time
+example_log: |-
diff --git a/data_sources/aws_cloudtrail_describesnapshotattribute.yml b/data_sources/aws_cloudtrail_describesnapshotattribute.yml
@@ -0,0 +1,137 @@
+name: AWS CloudTrail DescribeSnapshotAttribute
+id: f054c99b-63b8-4236-8a62-b52fbbabacba
+version: 1
+date: '2025-02-21'
+author: Bhavin Patel, Splunk
+description: Data source object for AWS CloudTrail DescribeSnapshotAttribute
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for AWS
+  url: https://splunkbase.splunk.com/app/1876
+  version: 7.9.0
+fields:
+- action
+- app
+- authentication_method
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dest_ip_range
+- dest_port_range
+- direction
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- image_id
+- index
+- instance_type
+- linecount
+- managementEvent
+- msg
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- protocol
+- protocol_code
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestID
+- requestParameters.attributeType
+- requestParameters.snapshotId
+- responseElements
+- result
+- result_id
+- rule_action
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_ip_range
+- src_port_range
+- src_user
+- src_user_id
+- src_user_name
+- src_user_role
+- src_user_type
+- start_time
+- status
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tag::object_category
+- temp_access_key
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_role
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _time
+example_log: |-
+ {"eventVersion": "1.10", "userIdentity": {"type": "AssumedRole", "principalId": "AROAYTOGP2RLBXYPYUKBH:aws-go-sdk-1740131590946446551", "arn": "arn:aws:sts::111111111111111:assumed-role/DAFTPUNK-cloud-security-audit/aws-go-sdk-1740131590946446551", "accountId": "111111111111111", "accessKeyId": "DAFTPUNK", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLBXYPYUKBH", "arn": "arn:aws:iam::111111111111111:role/DAFTPUNK-cloud-security-audit", "accountId": "111111111111111", "userName": "DAFTPUNK-cloud-security-audit"}, "attributes": {"creationDate": "2025-02-21T10:48:43Z", "mfaAuthenticated": "false"}}}, "eventTime": "2025-02-21T11:29:27Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSnapshotAttribute", "awsRegion": "eu-central-1", "sourceIPAddress": "54.203.114.197", "userAgent": "m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.4 md/GOOS#linux md/GOARCH#amd64 api/ec2#1.177.3", "requestParameters": {"snapshotId": "snap-082bd5016636bbd94", "attributeType": "PRODUCT_CODES"}, "responseElements": null, "requestID": "70339070-6038-40b7-9acf-5ecb85cda843", "eventID": "bcc65c3f-a997-4a01-90bf-3b85f7268e70", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.eu-central-1.amazonaws.com"}}
diff --git a/data_sources/azure_active_directory_microsoftgraphactivitylogs.yml b/data_sources/azure_active_directory_microsoftgraphactivitylogs.yml
@@ -0,0 +1,17 @@
+name: Azure Active Directory MicrosoftGraphActivityLogs
+id: 63ff93ba-2bbb-4542-8773-239bf5266367
+version: 1
+date: '2025-02-21'
+author: Bhavin Patel, Splunk
+description: Data source object for Azure Active Directory MicrosoftGraphActivityLogs
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+  url: https://splunkbase.splunk.com/app/3110
+  version: 5.4.2
+fields:
+- _time
+example_log: |-
+  {"time": "2024-04-30T01:22:46.4948958Z", "resourceId": "/TENANTS/225E05A1-5914-4688-A404-7030E60F3143/PROVIDERS/MICROSOFT.AADIAM", "operationName": "Microsoft Graph Activity", "operationVersion": "beta", "category": "MicrosoftGraphActivityLogs", "resultSignature": "200", "durationMs": "948894", "callerIpAddress": "45.83.145.6", "correlationId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "level": "Informational", "location": "East US 2", "properties": {"__UDI_RequiredFields_TenantId": "225e05a1-5914-4688-a404-7030e60f3143", "__UDI_RequiredFields_UniqueId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "__UDI_RequiredFields_EventTime": 638500369660000000, "__UDI_RequiredFields_RegionScope": "NA", "timeGenerated": "2024-04-30T01:22:46.4948958Z", "location": "East US 2", "requestId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "operationId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "clientRequestId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "apiVersion": "beta", "requestMethod": "GET", "responseStatusCode": 200, "tenantId": "225e05a1-5914-4688-a404-7030e60f3143", "durationMs": 948894, "responseSizeBytes": 91, "signInActivityId": "KRsphQ_4s0-oHv_Br8qSAQ", "roles": "", "appId": "1950a258-227b-4e31-a9cf-717495945fc2", "UserPrincipalObjectID": "7b934539-7366-494e-a8ac-3517694d32db", "scopes": "AuditLog.Read.All Directory.AccessAsUser.All email openid profile", "identityProvider": "", "clientAuthMethod": "0", "wids": "b79fbf4d-3ef9-4689-8143-76b194e85509", "C_Idtyp": "user", "C_Iat": "1714439850", "ipAddress": "45.83.145.6", "userAgent": "azurehound/v2.1.8", "requestUri": "https://graph.microsoft.com/beta/servicePrincipals/ffe3e001-d8cf-43a4-89ab-bfce35fd7786/owners?%24top=999", "userId": "7b934539-7366-494e-a8ac-3517694d32db", "tokenIssuedAt": "2024-04-30T01:17:30.0000000Z"}, "tenantId": "225e05a1-5914-4688-a404-7030e60f3143"}
diff --git a/data_sources/azure_active_directory_noninteractiveusersigninlogs.yml b/data_sources/azure_active_directory_noninteractiveusersigninlogs.yml
@@ -0,0 +1,137 @@
+name: Azure Active Directory NonInteractiveUserSignInLogs
+id: 11fe8a43-164d-47e4-b542-afc2f242068b
+version: 1
+date: '2025-02-21'
+author: Bhavin Patel, Splunk
+description: Data source object for Azure Active Directory NonInteractiveUserSignInLogs
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+  url: https://splunkbase.splunk.com/app/3110
+  version: 5.4.2
+fields:
+- action
+- additional_details
+- app
+- authentication_method
+- authentication_service
+- callerIpAddress
+- category
+- change_type
+- command
+- correlationId
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- description
+- dest
+- dest_type
+- duration
+- durationMs
+- dvc
+- enabled
+- eventtype
+- host
+- id
+- index
+- level
+- linecount
+- location
+- object
+- object_attrs
+- object_category
+- object_id
+- object_path
+- operationName
+- operationVersion
+- path_from_resourceId
+- properties.C_Iat
+- properties.C_Idtyp
+- properties.UserPrincipalObjectID
+- properties.__UDI_RequiredFields_EventTime
+- properties.__UDI_RequiredFields_RegionScope
+- properties.__UDI_RequiredFields_TenantId
+- properties.__UDI_RequiredFields_UniqueId
+- properties.apiVersion
+- properties.appId
+- properties.clientAuthMethod
+- properties.clientRequestId
+- properties.durationMs
+- properties.identityProvider
+- properties.ipAddress
+- properties.location
+- properties.operationId
+- properties.requestId
+- properties.requestMethod
+- properties.requestUri
+- properties.responseSizeBytes
+- properties.responseStatusCode
+- properties.resultReason
+- properties.roles
+- properties.scopes
+- properties.signInActivityId
+- properties.tenantId
+- properties.timeGenerated
+- properties.tokenIssuedAt
+- properties.userAgent
+- properties.userId
+- properties.wids
+- punct
+- reason
+- resourceId
+- response_time
+- result
+- resultSignature
+- result_id
+- severity
+- signature
+- signature_id
+- signinDateTime
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_user
+- src_user_name
+- src_user_type
+- status
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tag::object_category
+- tenantId
+- time
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_id
+- user_name
+- user_role
+- user_type
+- vendor_account
+- vendor_product
+- vendor_region
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _subsecond
+- _time
+example_log: |-
+ {"time": "2023-01-12T19:22:14.5285742Z", "resourceId": "/tenants/95d19bda-09de-4d93-b7ae-acecd1e68186/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "95d19bda-09de-4d93-b7ae-acecd1e68186", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.3.194", "correlationId": "fc78e38c-1e61-4be3-b47d-f3e6a9724a65", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "0f94f5fb-3583-4c46-9bfa-0390c1988800", "createdDateTime": "2023-01-12T19:22:14.5285742+00:00", "userDisplayName": "User30", "userPrincipalName": "[email protected]", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "34.1.3.194", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "Windows", "browser": "Rich Client 4.43.0.0"}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.73722839355469, "longitude": -119.81143188476562}}, "mfaDetail": {}, "correlationId": "fc78e38c-1e61-4be3-b47d-f3e6a9724a65", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "0f94f5fb-3583-4c46-9bfa-0390c1988800", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"OfficeHome.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 192, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "OfficeHome", "resourceId": "4765445b-32c6-49b0-83e6-1d93765276ca", "resourceTenantId": "95d19bda-09de-4d93-b7ae-acecd1e68186", "homeTenantId": "95d19bda-09de-4d93-b7ae-acecd1e68186", "authenticationDetails": [{"authenticationStepDateTime": "2023-01-12T19:22:14.5285742+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 16509, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "-_WUD4M1Rkyb-gOQwZiIAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0}}