ESCU 6 Manual Migrations

.vscode/settings.json

@@ -17,6 +17,7 @@
         "./schemas/KVStoreLookup.schema.json": "lookups/kvstore/*.yml",
         "./schemas/FilebackedMacro.schema.json": "macros/*.yml",
         "./schemas/FilebackedSchedule.schema.json": "schedules/*.yml",
+        "./schemas/Playbook.schema.json": "playbooks/*.yml",
         "./schemas/Story.schema.json": ["stories/*.yml", "!removed/stories/*.yml"]
     }
 }

baselines/baseline_of_network_acl_activity_by_arn.yml

@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Detect Spike in Network ACL Activity'

baselines/baseline_of_security_group_activity_by_arn.yml

@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Detect Spike in Security Group Activity'

baselines/create_a_list_of_approved_aws_service_accounts.yml

@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Detect AWS API Activities From Unapproved Accounts'

baselines/discover_dns_records.yml

@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: DNS record changed'

baselines/dnstwist_domain_names.yml

@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Monitor DNS For Brand Abuse'

baselines/previously_seen_command_line_arguments.yml

@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: endpoint
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: First time seen command line argument'

contentctl.yml

@@ -0,0 +1,268 @@
+path: .
+app:
+  uid: 3449
+  title: ES Content Updates
+  appid: DA-ESS-ContentUpdate
+  version: 6.0.0
+  description: Explore the Analytic Stories included with ES Content Updates.
+  prefix: ESCU
+  label: ESCU
+  author_name: Splunk Threat Research Team
+  author_email: research@splunk.com
+  author_company: Splunk
+enrichments: false
+build_app: true
+build_api: true
+build_ssa: false
+build_path: dist
+test_instance:
+  splunk_app_username: admin
+  instance_address: localhost
+  hec_port: 8088
+  web_ui_port: 8000
+  api_port: 8089
+container_settings:
+  full_image_path: registry.hub.docker.com/splunk/splunk:9.3
+  leave_running: true
+  num_containers: 1
+mode: {}
+splunk_api_username: null
+post_test_behavior: pause_on_failure
+apps:
+- uid: 1621
+  title: Splunk_SA_CIM
+  appid: Splunk_SA_CIM
+  version: 8.5.0
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-common-information-model-cim_850.tgz
+- uid: 6553
+  title: Splunk Add-on for Okta Identity Cloud
+  appid: Splunk_TA_okta_identity_cloud
+  version: 5.0.2
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-okta-identity-cloud_502.tgz
+- uid: 7404
+  title: Cisco Security Cloud
+  appid: CiscoSecurityCloud
+  version: 3.6.5
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_365.tgz
+- uid: 7569
+  title: Cisco Secure Access Add-on for Splunk
+  appid: TA-cisco-cloud-security-addon
+  version: 1.0.50
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-secure-access-add-on-for-splunk_1050.tar.gz
+- uid: 6652
+  title: Add-on for Linux Sysmon
+  appid: Splunk_TA_linux_sysmon
+  version: 1.0.0
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-sysmon-for-linux_100.tgz
+- uid: null
+  title: Splunk Fix XmlWinEventLog HEC Parsing
+  appid: Splunk_FIX_XMLWINEVENTLOG_HEC_PARSING
+  version: '0.1'
+  description: This TA is required for replaying Windows Data into the Test Environment.
+    The Default TA does not include logic for properly splitting multiple log events
+    in a single file.  In production environments, this logic is applied by the Universal
+    Forwarder.
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/Splunk_TA_fix_windows.tgz
+- uid: 742
+  title: Splunk Add-on for Microsoft Windows
+  appid: SPLUNK_ADD_ON_FOR_MICROSOFT_WINDOWS
+  version: 10.0.1
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-windows_1001.tgz
+- uid: 5709
+  title: Splunk Add-on for Sysmon
+  appid: Splunk_TA_microsoft_sysmon
+  version: 5.0.0
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-sysmon_500.tgz
+- uid: 833
+  title: Splunk Add-on for Unix and Linux
+  appid: Splunk_TA_nix
+  version: 10.2.0
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_1020.tgz
+- uid: 5579
+  title: Splunk Add-on for CrowdStrike FDR
+  appid: Splunk_TA_CrowdStrike_FDR
+  version: 2.0.5
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_205.tgz
+- uid: 3185
+  title: Splunk Add-on for Microsoft IIS
+  appid: SPLUNK_TA_FOR_IIS
+  version: 1.3.0
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-iis_130.tgz
+- uid: 6994
+  title: CCX Add-on for Suricata
+  appid: SPLUNK_TA_FOR_SURICATA
+  version: 1.0.1
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ccx-add-on-for-suricata_101.tgz
+- uid: 5466
+  title: TA for Zeek
+  appid: SPLUNK_TA_FOR_ZEEK
+  version: 1.0.11
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-zeek_1011.tgz
+- uid: 3258
+  title: Splunk Add-on for NGINX
+  appid: SPLUNK_ADD_ON_FOR_NGINX
+  version: 3.3.0
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-nginx_330.tgz
+- uid: 5238
+  title: Splunk Add-on for Stream Forwarders
+  appid: SPLUNK_ADD_ON_FOR_STREAM_FORWARDERS
+  version: 8.1.3
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-stream-forwarders_813.tgz
+- uid: 5234
+  title: Splunk Add-on for Stream Wire Data
+  appid: SPLUNK_ADD_ON_FOR_STREAM_WIRE_DATA
+  version: 8.1.6
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-stream-wire-data_816.tgz
+- uid: 2757
+  title: Splunk Add-on for Palo Alto Networks
+  appid: SPLUNK_ADD_ON_FOR_PALO_ALTO_NETWORKS
+  version: 3.0.1
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-palo-alto-networks_301.tgz
+- uid: 3865
+  title: Zscaler Technical Add-On for Splunk
+  appid: Zscaler_CIM
+  version: 4.0.16
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/zscaler-technical-add-on-for-splunk_4016.tgz
+- uid: 3719
+  title: Splunk Add-on for Amazon Kinesis Firehose
+  appid: SPLUNK_ADD_ON_FOR_AMAZON_KINESIS_FIREHOSE
+  version: 1.3.2
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-kinesis-firehose_132.tgz
+- uid: 1876
+  title: Splunk Add-on for AWS
+  appid: Splunk_TA_aws
+  version: 8.1.1
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-web-services-aws_811.tgz
+- uid: 3088
+  title: Splunk Add-on for Google Cloud Platform
+  appid: SPLUNK_ADD_ON_FOR_GOOGLE_CLOUD_PLATFORM
+  version: 4.7.0
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-cloud-platform_470.tgz
+- uid: 5556
+  title: Splunk Add-on for Google Workspace
+  appid: SPLUNK_ADD_ON_FOR_GOOGLE_WORKSPACE
+  version: 3.1.1
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_311.tgz
+- uid: 3110
+  title: Splunk Add-on for Microsoft Cloud Services
+  appid: SPLUNK_TA_MICROSOFT_CLOUD_SERVICES
+  version: 6.1.1
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-cloud-services_611.tgz
+- uid: 4055
+  title: Splunk Add-on for Microsoft Office 365
+  appid: SPLUNK_ADD_ON_FOR_MICROSOFT_OFFICE_365
+  version: 6.0.2
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-office-365_602.tgz
+- uid: 5518
+  title: Splunk add on for Microsoft Defender Advanced Hunting
+  appid: SPLUNK_ADD_ON_FOR_MICROSOFT_DEFENDER_ADVANCED_HUNTING
+  version: 1.4.2
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_142.tgz
+- uid: 6207
+  title: Splunk Add-on for Microsoft Security
+  appid: Splunk_TA_MS_Security
+  version: 3.0.0
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_300.tgz
+- uid: 2734
+  title: URL Toolbox
+  appid: URL_TOOLBOX
+  version: 1.9.4
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/url-toolbox_194.tgz
+- uid: 6853
+  title: Splunk Add-on for Admon Enrichment
+  appid: SA-admon
+  version: 1.1.2
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-admon-enrichment_112.tgz
+- uid: 5082
+  title: CrowdStrike Falcon Event Streams Technical Add-On
+  appid: TA-crowdstrike-falcon-event-streams
+  version: 3.2.1
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/crowdstrike-falcon-event-streams-technical-add-on_321.tgz
+- uid: 6254
+  title: Splunk Add-on for Github
+  appid: Splunk_TA_github
+  version: 3.2.0
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-github_320.tgz
+- uid: 3471
+  title: Splunk Add-on for AppDynamics
+  appid: Splunk_TA_AppDynamics
+  version: 3.2.1
+  description: The Splunk Add-on for AppDynamics enables you to easily configure data
+    inputs to pull data from AppDynamics' REST APIs
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-splunk-add-on-for-appdynamics_321.tgz
+- uid: 4221
+  title: Cisco NVM Add-on for Splunk
+  appid: TA-Cisco-NVM
+  version: 4.0.7
+  description: The Cisco Endpoint Security Analytics (CESA) Add-On for Splunk allows
+    IT administrators to analyze and correlate user and endpoint behavior in Splunk
+    Enterprise. This Add-on provides configuration and collection of data from the
+    Cisco AnyConnect Network Visibility Module IPFIX (nvzFlow) Collector. This module
+    collects additional context such as user, device, application, location and destination
+    for flows both on and off premise.
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-endpoint-security-analytics-cesa-add-on-for-splunk_407.tgz
+- uid: 5603
+  title: Add-on for VMware ESXi Logs
+  appid: Splunk_TA_esxilogs
+  version: 4.2.2
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-vmware-esxi-logs_422.tgz
+- uid: 5640
+  title: Splunk Add-on for VMware Indexes
+  appid: SPLUNK_ADD_ON_FOR_VMWARE_INDEXES
+  version: 4.0.3
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-vmware-indexes_403.tgz
+- uid: 1467
+  title: Cisco Networks Add-on
+  appid: TA-cisco_ios
+  version: 2.7.9
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/add-on-for-cisco-network-data_279.tgz
+- uid: 8024
+  title: TA-ollama
+  appid: ta-ollama
+  version: 0.1.5
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-ollama_015.tgz
+- uid: 8377
+  title: MCP TA
+  appid: mcp-ta
+  version: 0.1.2
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/mcp-ta_012.tgz
+- uid: 8574
+  title: TA-osquery
+  appid: ta-osquery
+  version: 1.0.4
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-osquery_104.tgz
+githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
+test_data_caches:
+- base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/
+  base_directory_name: external_repos/attack_data

detections/application/esxi_external_root_login_activity.yml

@@ -26,11 +26,11 @@ intermediate_findings:
         - field: dest
           type: system
           score: 20
-          message: Root logged in on ESXi host $dest$ from $SrcIpAddr.
+          message: Root logged in on ESXi host $dest$ from $SrcIpAddr$.
         - field: SrcIpAddr
           type: system
           score: 20
-          message: Root logged in on ESXi host $dest$ from $SrcIpAddr.
+          message: Root logged in on ESXi host $dest$ from $SrcIpAddr$.
 analytic_story:
     - ESXi Post Compromise
     - Black Basta Ransomware
@@ -50,15 +50,3 @@ tests:
           source: vmware:esxlog
           sourcetype: vmw-syslog
       test_type: unit
-MANUAL_REVIEW:
-    rba:
-        message: Root logged in on ESXi host $dest$ from $SrcIpAddr.
-        risk_objects:
-            - field: dest
-              type: system
-              score: 20
-            - field: SrcIpAddr
-              type: system
-              score: 20
-        threat_objects: []
-    manual_review_rationale: "The following error was found while validating the intermediate finding message: 1 validation error for EsTokenString\n  Value error, Unbalanced $ delimiter in token string: 'Root logged in on ESXi host $dest$ from $SrcIpAddr.'. Each $ must be part of a $field_name$ token pair. [type=value_error, input_value='Root logged in on ESXi h...$dest$ from $SrcIpAddr.', input_type=str]\n    For further information visit https://errors.pydantic.dev/2.13/v/value_error"

detections/application/monitor_email_for_brand_abuse.yml

@@ -43,6 +43,3 @@ category: application
 security_domain: network
 baselines:
     - DNSTwist Domain Names
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Detection references baseline(s) flagged for manual review: DNSTwist Domain Names'

detections/application/okta_risk_threshold_exceeded.yml

@@ -30,6 +30,12 @@ drilldown_searches:
       search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
       earliest_offset: 7d
       latest_offset: "0"
+finding:
+    title: Multiple suspicious Okta risk events - $risk_object$
+    entity:
+        field: risk_object
+        type: user
+        score: 0
 analytic_story:
     - Okta Account Takeover
     - Okta MFA Exhaustion
@@ -51,6 +57,3 @@ tests:
           source: risk_data
           sourcetype: stash
       test_type: unit
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate.