Merge remote-tracking branch 'github_origin/develop' into gitlab_rele…

…ase_v4.31.1

.github/workflows/validate-and-build.yml

@@ -16,7 +16,7 @@ jobs:
 
       - uses: actions/setup-python@v4
         with:
-          python-version: '3.9' #Available versions here - https://github.com/actions/python-versions/releases  easy to change/make a matrix/use pypy
+          python-version: '3.11' #Available versions here - https://github.com/actions/python-versions/releases  easy to change/make a matrix/use pypy
           architecture: 'x64' # optional x64 or x86. Defaults to x64 if not specified
 
       - name: Install System Packages
@@ -25,24 +25,22 @@ jobs:
           sudo apt install jq -qq
       
 
-      - name: Install Python Dependencies and ContentCTL
+      - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip3 install poetry
-          git submodule update --init contentctl
-          cd contentctl
-          git checkout main
-          poetry install
+          python3.11 -m venv .venv
+          source .venv/bin/activate
+          pip install contentctl
+          git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git
       
       - name: content_ctl validate
         run: |
-          cd contentctl
-          poetry run contentctl -p ../ validate 
+          source .venv/bin/activate
+          contentctl validate 
 
       - name: contentctl generate
         run: |
-          cd contentctl
-          poetry run contentctl -p ../ build
-          cd ..
+          source .venv/bin/activate
+          contentctl build --enrichments
           mkdir artifacts
           mv dist/DA-ESS-ContentUpdate-latest.tar.gz artifacts/
 

.gitmodules

@@ -1,4 +1,4 @@
 [submodule "contentctl"]
 	path = contentctl
 	url = https://github.com/splunk/contentctl.git
-        ignore = all
+	ignore = all

README.md

@@ -99,4 +99,4 @@ Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
-limitations under the License.
+limitations under the License.

contentctl.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 4.31.1
+  version: 4.31.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
@@ -183,4 +183,3 @@ apps:
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/url-toolbox_192.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
-

dist/DA-ESS-ContentUpdate/app.manifest

@@ -14,7 +14,7 @@
         "company": "Splunk"
       }
     ], 
-    "releaseDate": "2024-05-08", 
+    "releaseDate": "2024-05-10", 
     "description": "Explore the Analytic Stories included with ES Content Updates.", 
     "classification": {
       "intendedAudience": null, 

dist/DA-ESS-ContentUpdate/default/analyticstories.conf

@@ -1,7 +1,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:36 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/app.conf

@@ -1,7 +1,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:36 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -11,7 +11,7 @@
 is_configured = false
 state = enabled
 state_change_requires_restart = false
-build = 20240508170600
+build = 20240510180009
 
 [triggers]
 reload.analytic_stories = simple

dist/DA-ESS-ContentUpdate/default/collections.conf

@@ -1,7 +1,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:36 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/content-version.conf

@@ -1,7 +1,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:36 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml

@@ -2,7 +2,7 @@
 #############
 # Automatically generated by 'contentctl build' from 
 # https://github.com/splunk/contentctl
-# On Date: 2024-05-08T17:06:43 UTC
+# On Date: 2024-05-10T18:00:37 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############