From aa7112d6bc4621be487f887a691ad2569f05fe0c Mon Sep 17 00:00:00 2001
From: delgado-jacob <29643013+delgado-jacob@users.noreply.github.com>
Date: Tue, 21 Jan 2025 13:40:35 -0700
Subject: [PATCH 1/6] Add descriptions and mitre components to data sources
---
data_sources/asl_aws_cloudtrail.yml | 15 ++++++++++++++-
data_sources/aws_cloudfront.yml | 9 ++++++++-
data_sources/aws_cloudtrail.yml | 2 +-
.../aws_cloudtrail_assumerolewithsaml.yml | 10 +++++++++-
data_sources/aws_cloudtrail_consolelogin.yml | 9 ++++++++-
data_sources/aws_cloudtrail_copyobject.yml | 8 +++++++-
data_sources/aws_cloudtrail_createaccesskey.yml | 8 +++++++-
data_sources/aws_cloudtrail_createkey.yml | 8 +++++++-
.../aws_cloudtrail_createloginprofile.yml | 8 +++++++-
.../aws_cloudtrail_createnetworkaclentry.yml | 8 +++++++-
.../aws_cloudtrail_createpolicyversion.yml | 8 +++++++-
data_sources/aws_cloudtrail_createsnapshot.yml | 8 +++++++-
data_sources/aws_cloudtrail_createtask.yml | 8 +++++++-
.../aws_cloudtrail_createvirtualmfadevice.yml | 8 +++++++-
.../aws_cloudtrail_deactivatemfadevice.yml | 8 +++++++-
...aws_cloudtrail_deleteaccountpasswordpolicy.yml | 6 +++++-
data_sources/aws_cloudtrail_deletealarms.yml | 8 +++++++-
data_sources/aws_cloudtrail_deletedetector.yml | 8 +++++++-
data_sources/aws_cloudtrail_deletegroup.yml | 8 +++++++-
data_sources/aws_cloudtrail_deleteipset.yml | 7 ++++++-
data_sources/aws_cloudtrail_deleteloggroup.yml | 8 +++++++-
data_sources/aws_cloudtrail_deletelogstream.yml | 8 +++++++-
.../aws_cloudtrail_deletenetworkaclentry.yml | 7 ++++++-
data_sources/aws_cloudtrail_deletepolicy.yml | 6 +++++-
data_sources/aws_cloudtrail_deleterule.yml | 8 +++++++-
data_sources/aws_cloudtrail_deletesnapshot.yml | 8 +++++++-
data_sources/aws_cloudtrail_deletetrail.yml | 8 +++++++-
.../aws_cloudtrail_deletevirtualmfadevice.yml | 6 +++++-
data_sources/aws_cloudtrail_deletewebacl.yml | 6 +++++-
.../aws_cloudtrail_describeeventaggregates.yml | 6 +++++-
.../aws_cloudtrail_describeimagescanfindings.yml | 7 ++++++-
.../aws_cloudtrail_getaccountpasswordpolicy.yml | 6 +++++-
data_sources/aws_cloudtrail_getobject.yml | 7 ++++++-
data_sources/aws_cloudtrail_getpassworddata.yml | 6 +++++-
data_sources/aws_cloudtrail_jobcreated.yml | 6 +++++-
data_sources/aws_cloudtrail_modifydbinstance.yml | 7 ++++++-
.../aws_cloudtrail_modifyimageattribute.yml | 6 +++++-
.../aws_cloudtrail_modifysnapshotattribute.yml | 5 ++++-
data_sources/aws_cloudtrail_putbucketacl.yml | 6 +++++-
.../aws_cloudtrail_putbucketlifecycle.yml | 6 +++++-
.../aws_cloudtrail_putbucketreplication.yml | 5 ++++-
.../aws_cloudtrail_putbucketversioning.yml | 5 ++++-
data_sources/aws_cloudtrail_putimage.yml | 6 +++++-
data_sources/aws_cloudtrail_putkeypolicy.yml | 4 +++-
.../aws_cloudtrail_replacenetworkaclentry.yml | 6 +++++-
.../aws_cloudtrail_setdefaultpolicyversion.yml | 6 +++++-
data_sources/aws_cloudtrail_stoplogging.yml | 5 ++++-
...aws_cloudtrail_updateaccountpasswordpolicy.yml | 6 +++++-
.../aws_cloudtrail_updateloginprofile.yml | 6 +++++-
.../aws_cloudtrail_updatesamlprovider.yml | 7 ++++++-
data_sources/aws_cloudtrail_updatetrail.yml | 6 +++++-
data_sources/aws_cloudwatchlogs_vpcflow.yml | 6 ++++--
data_sources/aws_security_hub.yml | 7 ++++++-
data_sources/azure_active_directory.yml | 2 +-
...d_app_role_assignment_to_service_principal.yml | 9 +++++++--
.../azure_active_directory_add_member_to_role.yml | 8 +++++++-
..._active_directory_add_owner_to_application.yml | 8 +++++++-
...ure_active_directory_add_service_principal.yml | 8 +++++++-
...ure_active_directory_add_unverified_domain.yml | 8 +++++++-
...re_active_directory_consent_to_application.yml | 8 +++++++-
...ve_directory_disable_strong_authentication.yml | 7 ++++++-
.../azure_active_directory_enable_account.yml | 7 ++++++-
...zure_active_directory_invite_external_user.yml | 7 ++++++-
...active_directory_reset_password_(by_admin).yml | 7 ++++++-
...active_directory_set_domain_authentication.yml | 7 ++++++-
.../azure_active_directory_sign_in_activity.yml | 7 ++++++-
.../azure_active_directory_update_application.yml | 7 ++++++-
...tive_directory_update_authorization_policy.yml | 7 ++++++-
.../azure_active_directory_update_user.yml | 6 +++++-
...ve_directory_user_registered_security_info.yml | 7 +++++--
...eate_or_update_an_azure_automation_account.yml | 8 ++++++--
...eate_or_update_an_azure_automation_runbook.yml | 7 +++++--
...eate_or_update_an_azure_automation_webhook.yml | 8 ++++++--
data_sources/bro.yml | 9 ---------
data_sources/bro_conn.yml | 15 +++++++++++++++
data_sources/bro_dns.yml | 15 +++++++++++++++
data_sources/bro_files.yml | 15 +++++++++++++++
data_sources/bro_http.yml | 15 +++++++++++++++
data_sources/bro_loaded_scripts.yml | 14 ++++++++++++++
data_sources/bro_ntp.yml | 14 ++++++++++++++
data_sources/bro_ocsp.yml | 15 +++++++++++++++
data_sources/bro_ssl.yml | 15 +++++++++++++++
data_sources/bro_weird.yml | 15 +++++++++++++++
data_sources/bro_x509.yml | 15 +++++++++++++++
data_sources/circleci.yml | 8 +++++++-
data_sources/crowdstrike_processrollup2.yml | 9 ++++++++-
data_sources/crushftp.yml | 8 +++++++-
data_sources/g_suite_drive.yml | 8 +++++++-
data_sources/g_suite_gmail.yml | 7 ++++++-
data_sources/github.yml | 8 +++++++-
data_sources/google_workspace_login_failure.yml | 8 +++++++-
data_sources/google_workspace_login_success.yml | 8 +++++++-
data_sources/ivanti_vtm_audit.yml | 8 +++++++-
data_sources/kubernetes_audit.yml | 9 ++++++++-
data_sources/kubernetes_falco.yml | 9 ++++++++-
data_sources/linux_auditd_add_user.yml | 9 ++++++++-
data_sources/linux_auditd_execve.yml | 10 +++++++++-
data_sources/linux_auditd_path.yml | 10 +++++++++-
data_sources/linux_auditd_proctitle.yml | 9 ++++++++-
data_sources/linux_auditd_service_stop.yml | 9 ++++++++-
data_sources/linux_auditd_syscall.yml | 9 ++++++++-
data_sources/linux_secure.yml | 8 +++++++-
data_sources/ms365_defender_incident_alerts.yml | 8 +++++++-
data_sources/ms_defender_atp_alerts.yml | 8 +++++++-
data_sources/nginx_access.yml | 8 +++++++-
data_sources/o365.yml | 8 +++++++-
...365_add_app_role_assignment_grant_to_user_.yml | 8 +++++++-
..._app_role_assignment_to_service_principal_.yml | 8 +++++++-
data_sources/o365_add_mailboxpermission.yml | 8 +++++++-
data_sources/o365_add_member_to_role_.yml | 8 +++++++-
data_sources/o365_add_owner_to_application_.yml | 8 +++++++-
data_sources/o365_add_service_principal_.yml | 8 +++++++-
data_sources/o365_change_user_license_.yml | 8 +++++++-
data_sources/o365_consent_to_application_.yml | 8 +++++++-
.../o365_disable_strong_authentication_.yml | 8 +++++++-
data_sources/o365_mailitemsaccessed.yml | 8 +++++++-
data_sources/o365_modifyfolderpermissions.yml | 8 +++++++-
data_sources/o365_set_company_information_.yml | 8 +++++++-
data_sources/o365_set_mailbox.yml | 8 +++++++-
data_sources/o365_update_application_.yml | 8 +++++++-
.../o365_update_authorization_policy_.yml | 8 +++++++-
data_sources/o365_update_user_.yml | 8 +++++++-
data_sources/o365_userloggedin.yml | 8 +++++++-
data_sources/o365_userloginfailed.yml | 8 +++++++-
data_sources/okta.yml | 8 +++++++-
data_sources/osquery.yml | 8 +++++++-
data_sources/palo_alto_network_threat.yml | 8 +++++++-
data_sources/palo_alto_network_traffic.yml | 8 +++++++-
data_sources/pingid.yml | 8 +++++++-
data_sources/powershell_installed_iis_modules.yml | 7 ++++++-
.../powershell_script_block_logging_4104.yml | 10 +++++++++-
data_sources/powershell_sip_inventory.yml | 7 ++++++-
data_sources/splunk.yml | 8 +++++++-
data_sources/splunk_stream_http.yml | 8 +++++++-
data_sources/splunk_stream_ip.yml | 8 +++++++-
data_sources/splunk_stream_tcp.yml | 8 +++++++-
data_sources/suricata.yml | 8 +++++++-
data_sources/sysmon_eventid_1.yml | 8 +++++++-
data_sources/sysmon_eventid_10.yml | 8 +++++++-
data_sources/sysmon_eventid_11.yml | 9 ++++++++-
data_sources/sysmon_eventid_12.yml | 8 +++++++-
data_sources/sysmon_eventid_13.yml | 8 +++++++-
data_sources/sysmon_eventid_15.yml | 9 ++++++++-
data_sources/sysmon_eventid_17.yml | 5 ++++-
data_sources/sysmon_eventid_18.yml | 8 +++++++-
data_sources/sysmon_eventid_20.yml | 7 ++++++-
data_sources/sysmon_eventid_21.yml | 8 +++++++-
data_sources/sysmon_eventid_22.yml | 9 ++++++++-
data_sources/sysmon_eventid_23.yml | 9 ++++++++-
data_sources/sysmon_eventid_3.yml | 9 ++++++++-
data_sources/sysmon_eventid_5.yml | 8 +++++++-
data_sources/sysmon_eventid_6.yml | 8 +++++++-
data_sources/sysmon_eventid_7.yml | 9 ++++++++-
data_sources/sysmon_eventid_8.yml | 8 +++++++-
data_sources/sysmon_eventid_9.yml | 9 ++++++++-
data_sources/sysmon_for_linux_eventid_1.yml | 9 ++++++++-
data_sources/sysmon_for_linux_eventid_11.yml | 8 +++++++-
data_sources/windows_active_directory_admon.yml | 8 +++++++-
data_sources/windows_defender_alerts.yml | 8 +++++++-
.../windows_event_log_application_2282.yml | 7 ++++++-
.../windows_event_log_application_3000.yml | 8 +++++++-
data_sources/windows_event_log_capi2_70.yml | 9 ++++++++-
data_sources/windows_event_log_capi2_81.yml | 9 ++++++++-
...s_event_log_certificateservicesclient_1007.yml | 9 ++++++++-
data_sources/windows_event_log_defender_1121.yml | 7 ++++++-
data_sources/windows_event_log_defender_1122.yml | 7 ++++++-
data_sources/windows_event_log_defender_1129.yml | 7 ++++++-
data_sources/windows_event_log_defender_5007.yml | 5 ++++-
...ft_windows_terminalservices_rdpclient_1024.yml | 5 ++++-
.../windows_event_log_printservice_316.yml | 6 +++++-
.../windows_event_log_printservice_808.yml | 7 ++++++-
...ows_event_log_remoteconnectionmanager_1149.yml | 7 ++++++-
data_sources/windows_event_log_security_1100.yml | 6 +++++-
data_sources/windows_event_log_security_1102.yml | 7 ++++++-
data_sources/windows_event_log_security_4624.yml | 7 ++++++-
data_sources/windows_event_log_security_4625.yml | 6 +++++-
data_sources/windows_event_log_security_4627.yml | 7 ++++++-
data_sources/windows_event_log_security_4648.yml | 6 +++++-
data_sources/windows_event_log_security_4662.yml | 6 +++++-
data_sources/windows_event_log_security_4663.yml | 6 +++++-
data_sources/windows_event_log_security_4672.yml | 6 +++++-
data_sources/windows_event_log_security_4688.yml | 6 +++++-
data_sources/windows_event_log_security_4698.yml | 6 +++++-
data_sources/windows_event_log_security_4699.yml | 6 +++++-
data_sources/windows_event_log_security_4703.yml | 6 +++++-
data_sources/windows_event_log_security_4719.yml | 6 +++++-
data_sources/windows_event_log_security_4720.yml | 5 ++++-
data_sources/windows_event_log_security_4724.yml | 5 ++++-
data_sources/windows_event_log_security_4725.yml | 5 ++++-
data_sources/windows_event_log_security_4726.yml | 5 ++++-
data_sources/windows_event_log_security_4732.yml | 5 ++++-
data_sources/windows_event_log_security_4738.yml | 5 ++++-
data_sources/windows_event_log_security_4739.yml | 6 +++++-
data_sources/windows_event_log_security_4741.yml | 8 +++++++-
data_sources/windows_event_log_security_4742.yml | 7 ++++++-
data_sources/windows_event_log_security_4768.yml | 8 +++++++-
data_sources/windows_event_log_security_4769.yml | 8 +++++++-
data_sources/windows_event_log_security_4771.yml | 8 +++++++-
data_sources/windows_event_log_security_4776.yml | 8 +++++++-
data_sources/windows_event_log_security_4781.yml | 8 +++++++-
data_sources/windows_event_log_security_4794.yml | 8 +++++++-
data_sources/windows_event_log_security_4798.yml | 7 ++++++-
data_sources/windows_event_log_security_4876.yml | 8 +++++++-
data_sources/windows_event_log_security_4886.yml | 8 +++++++-
data_sources/windows_event_log_security_4887.yml | 8 +++++++-
data_sources/windows_event_log_security_5136.yml | 8 +++++++-
data_sources/windows_event_log_security_5137.yml | 8 +++++++-
data_sources/windows_event_log_security_5140.yml | 8 +++++++-
data_sources/windows_event_log_security_5141.yml | 8 +++++++-
data_sources/windows_event_log_security_5145.yml | 8 +++++++-
data_sources/windows_event_log_system_4720.yml | 8 +++++++-
data_sources/windows_event_log_system_4726.yml | 8 +++++++-
data_sources/windows_event_log_system_4728.yml | 8 +++++++-
data_sources/windows_event_log_system_7036.yml | 8 +++++++-
data_sources/windows_event_log_system_7040.yml | 8 +++++++-
data_sources/windows_event_log_system_7045.yml | 8 +++++++-
.../windows_event_log_taskscheduler_200.yml | 8 +++++++-
data_sources/windows_iis.yml | 7 ++++++-
data_sources/windows_iis_29.yml | 8 +++++++-
219 files changed, 1482 insertions(+), 223 deletions(-)
delete mode 100644 data_sources/bro.yml
create mode 100644 data_sources/bro_conn.yml
create mode 100644 data_sources/bro_dns.yml
create mode 100644 data_sources/bro_files.yml
create mode 100644 data_sources/bro_http.yml
create mode 100644 data_sources/bro_loaded_scripts.yml
create mode 100644 data_sources/bro_ntp.yml
create mode 100644 data_sources/bro_ocsp.yml
create mode 100644 data_sources/bro_ssl.yml
create mode 100644 data_sources/bro_weird.yml
create mode 100644 data_sources/bro_x509.yml
diff --git a/data_sources/asl_aws_cloudtrail.yml b/data_sources/asl_aws_cloudtrail.yml
index 743e34d3eb..8311be25cc 100644
--- a/data_sources/asl_aws_cloudtrail.yml
+++ b/data_sources/asl_aws_cloudtrail.yml
@@ -3,7 +3,20 @@ id: 1dcf9cfb-0e91-44c6-81b3-61b2574ec898
version: 1
date: '2025-01-14'
author: Patrick Bareiss, Splunk
-description: Data source object for ASL AWS CloudTrail
+description: Represents AWS API dataset data collection from Amazon Security Lake.
+mitre_components:
+- Cloud Service Metadata
+- Cloud Service Modification
+- Cloud Storage Access
+- Instance Creation
+- Instance Deletion
+- Instance Start
+- Instance Stop
+- Instance Modification
+- Cloud Storage Creation
+- Cloud Storage Deletion
+- Cloud Service Enumeration
+- Cloud Storage Enumeration
source: aws_asl
sourcetype: aws:asl
separator: api.operation
diff --git a/data_sources/aws_cloudfront.yml b/data_sources/aws_cloudfront.yml
index c4f146026d..bc4196951d 100644
--- a/data_sources/aws_cloudfront.yml
+++ b/data_sources/aws_cloudfront.yml
@@ -3,7 +3,14 @@ id: 780086dc-2384-45b6-ade7-56cb00105464
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS Cloudfront
+description: Logs requests made to AWS CloudFront distributions, including details on client access, response data, and performance metrics.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+- Response Content
+- Logon Session Metadata
+- Cloud Service Metadata
source: aws
sourcetype: aws:cloudfront:accesslogs
supported_TA:
diff --git a/data_sources/aws_cloudtrail.yml b/data_sources/aws_cloudtrail.yml
index af1afc59c0..1cdd7ac821 100644
--- a/data_sources/aws_cloudtrail.yml
+++ b/data_sources/aws_cloudtrail.yml
@@ -3,7 +3,7 @@ id: e8ace6db-1dbd-4c72-a1fb-334684619a38
version: 1
date: '2024-07-24'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail
+description: All AWS CloudTrail events
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
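Review bot: This is the only file in the commit whose `description:` is rewritten without a `mitre_components` block being added, so the umbrella CloudTrail source ends up with no component mapping while every per-eventName child does. If that is deliberate because the parent is a container, a comment such as `# mitre_components are mapped on the per-eventName data sources` would record it; otherwise the union of the children's components is the natural value. The new description also drops the trailing period used by the other descriptions in this commit, `description: All AWS CloudTrail events.`.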
diff --git a/data_sources/aws_cloudtrail_assumerolewithsaml.yml b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
index ef4041930f..acd5a6247f 100644
--- a/data_sources/aws_cloudtrail_assumerolewithsaml.yml
+++ b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -3,10 +3,18 @@ id: 1e28f2a6-2db9-405f-b298-18734a293f77
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail AssumeRoleWithSAML
+description: Logs attempts to assume roles via SAML authentication in AWS, including
+ details of identity provider and role mapping.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Cloud Service Metadata
+- Instance Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: AssumeRoleWithSAML
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
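Review bot: `Instance Modification` in the `mitre_components` list does not fit an STS AssumeRoleWithSAML event, which records a federated authentication and the issuance of temporary credentials rather than any change to a compute instance; the other four components cover the event, so that entry looks like it should be dropped unless there is a mapping rationale worth a comment. The description is also the only one in this commit written as a two-line plain scalar; keeping it on one line like its siblings, or using a `>-` folded scalar if line length is the concern, keeps the data source files uniform.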
diff --git a/data_sources/aws_cloudtrail_consolelogin.yml b/data_sources/aws_cloudtrail_consolelogin.yml
index 0ddc77ce93..934d502f32 100644
--- a/data_sources/aws_cloudtrail_consolelogin.yml
+++ b/data_sources/aws_cloudtrail_consolelogin.yml
@@ -3,10 +3,17 @@ id: b68b3f26-bd21-4fa8-b593-616fe75ac0ae
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail ConsoleLogin
+description: Logs attempts to sign in to the AWS Management Console, including successful and failed login events.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Logon Session Metadata
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: ConsoleLogin
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_copyobject.yml b/data_sources/aws_cloudtrail_copyobject.yml
index 44fabed1bb..72a9c6af4b 100644
--- a/data_sources/aws_cloudtrail_copyobject.yml
+++ b/data_sources/aws_cloudtrail_copyobject.yml
@@ -3,10 +3,16 @@ id: 965083f4-64a8-403f-99cc-252e1a6bd3b6
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CopyObject
+description: Logs operations that copy objects within or between AWS S3 buckets, including details of source and destination.
+mitre_components:
+- Cloud Storage Access
+- Cloud Storage Modification
+- Cloud Storage Metadata
+- Instance Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_values: CopyObject
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
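Review bot: The key on the `separator_values: CopyObject` line is misspelled relative to every sibling file in this commit, which use `separator_value`, so anything that reads `separator_value` will see this source as having no separator value; it should read `separator_value: CopyObject`. Separately, `Instance Modification` in the component list does not describe an S3 object copy, which touches storage rather than compute instances, and the three `Cloud Storage` components already cover the event.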
diff --git a/data_sources/aws_cloudtrail_createaccesskey.yml b/data_sources/aws_cloudtrail_createaccesskey.yml
index 4834e03b5d..6e95f8ab0f 100644
--- a/data_sources/aws_cloudtrail_createaccesskey.yml
+++ b/data_sources/aws_cloudtrail_createaccesskey.yml
@@ -3,10 +3,16 @@ id: 0460f7da-3254-4d90-b8c0-2ca657d0cea0
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateAccessKey
+description: Logs the creation of new AWS access keys, including details of the associated user and permissions.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreateAccessKey
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
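Review bot: `User Account Creation` in the `mitre_components` list is a questionable fit for CreateAccessKey, which adds a credential to an IAM user that already exists rather than creating an account; the component ATT&CK usually associates with added cloud credentials is `User Account Modification`. Unless the creation mapping is intentional, replacing that entry with `- User Account Modification` keeps the list consistent with the DeactivateMFADevice source later in this commit, which already uses it for a credential change on an existing user.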
diff --git a/data_sources/aws_cloudtrail_createkey.yml b/data_sources/aws_cloudtrail_createkey.yml
index 8c2aa289b1..655ce8762f 100644
--- a/data_sources/aws_cloudtrail_createkey.yml
+++ b/data_sources/aws_cloudtrail_createkey.yml
@@ -3,10 +3,16 @@ id: fcfc1593-b6b5-4a0f-91c5-3c395116a8b9
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateKey
+description: Logs the creation of new AWS KMS keys, including details of key properties and associated metadata.
+mitre_components:
+- Cloud Service Creation
+- Cloud Service Metadata
+- Instance Creation
+- Volume Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreateKey
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
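Review bot: `Instance Creation` and `Volume Metadata` in the `mitre_components` list are EC2-oriented components, but a KMS CreateKey event creates a key, not an instance or a volume; `Cloud Service Creation` and `Cloud Service Metadata` already describe it. If the extra entries are meant to capture keys that may later back EBS encryption, that inference is a step removed from the event itself and deserves a comment above the list rather than a bare entry.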
diff --git a/data_sources/aws_cloudtrail_createloginprofile.yml b/data_sources/aws_cloudtrail_createloginprofile.yml
index 7f09482a94..7c272ab23f 100644
--- a/data_sources/aws_cloudtrail_createloginprofile.yml
+++ b/data_sources/aws_cloudtrail_createloginprofile.yml
@@ -3,10 +3,16 @@ id: 0024fdb1-0d62-4449-970a-746952cf80b6
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateLoginProfile
+description: Logs the creation of login profiles for IAM users, including associated metadata and authentication settings.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Logon Session Metadata
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreateLoginProfile
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_createnetworkaclentry.yml b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
index b9eb2d9e66..65830e0d0c 100644
--- a/data_sources/aws_cloudtrail_createnetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
@@ -3,10 +3,16 @@ id: 45934028-10ec-4ab5-a7b1-a6349b833e67
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateNetworkAclEntry
+description: Logs the creation of new entries in a network ACL, including rules to allow or deny specific network traffic.
+mitre_components:
+- Firewall Rule Modification
+- Network Connection Creation
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreateNetworkAclEntry
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_createpolicyversion.yml b/data_sources/aws_cloudtrail_createpolicyversion.yml
index 49b4ea9e54..cc6b2d03f0 100644
--- a/data_sources/aws_cloudtrail_createpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_createpolicyversion.yml
@@ -3,10 +3,16 @@ id: f9f0f3da-37ec-4164-9ea0-0ae46645a86b
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreatePolicyVersion
+description: Logs the creation of new versions of IAM policies, including changes to permissions and attached roles or resources.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- User Account Metadata
+- Group Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreatePolicyVersion
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_createsnapshot.yml b/data_sources/aws_cloudtrail_createsnapshot.yml
index d8140341e4..db7c828449 100644
--- a/data_sources/aws_cloudtrail_createsnapshot.yml
+++ b/data_sources/aws_cloudtrail_createsnapshot.yml
@@ -3,10 +3,16 @@ id: 514135a2-f4b2-4d32-8f31-d87824887f9f
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateSnapshot
+description: Logs the creation of a new snapshot of a cloud resource, such as an Amazon EBS volume, including details about the snapshot ID and resource type.
+mitre_components:
+- Snapshot Creation
+- Snapshot Metadata
+- Volume Metadata
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreateSnapshot
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_createtask.yml b/data_sources/aws_cloudtrail_createtask.yml
index 64c885e902..ee7394b6e4 100644
--- a/data_sources/aws_cloudtrail_createtask.yml
+++ b/data_sources/aws_cloudtrail_createtask.yml
@@ -3,10 +3,16 @@ id: 6501e4fe-05b2-45f1-bd51-9e06a94fa7d9
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateTask
+description: Logs the creation of a new task in AWS services, such as ECS, including details about the task definition and resource allocation.
+mitre_components:
+- Scheduled Job Creation
+- Scheduled Job Metadata
+- Cloud Service Metadata
+- Instance Creation
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_name: CreateTask
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
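Review bot: The key on the `separator_name: CreateTask` line differs from the `separator_value` key used by the other per-event files in this commit, so the value will be ignored by anything that reads `separator_value`; it should be `separator_value: CreateTask`. The description also attributes CreateTask to ECS, but ECS launches tasks through RunTask/StartTask, while CreateTask appears to be an AWS DataSync operation; it is worth confirming which service's events this source is meant to represent before the description and the `Scheduled Job` components are finalized.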
diff --git a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
index 579ea87956..ba978e3343 100644
--- a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
@@ -3,10 +3,16 @@ id: 13e6e952-0dad-4190-865c-fb5911725f7a
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateVirtualMFADevice
+description: Logs the creation of a new virtual multi-factor authentication (MFA) device, including details about the associated user and configuration.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Cloud Service Creation
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreateVirtualMFADevice
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deactivatemfadevice.yml b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
index bfef68070f..a62bdde87c 100644
--- a/data_sources/aws_cloudtrail_deactivatemfadevice.yml
+++ b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
@@ -3,10 +3,16 @@ id: 7397a10b-1150-4de9-8062-a96454ae53b2
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeactivateMFADevice
+description: Logs the deactivation of a multi-factor authentication (MFA) device, including details about the associated user and the device.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeactivateMFADevice
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
index 3998089a44..631ac8d253 100644
--- a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
@@ -3,10 +3,14 @@ id: b0730ac8-0992-4de8-b000-2c7d0fc7a67f
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteAccountPasswordPolicy
+description: Logs the deletion of an account-level password policy in AWS, including details about the account and policy being removed.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteAccountPasswordPolicy
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletealarms.yml b/data_sources/aws_cloudtrail_deletealarms.yml
index d7b436d019..2fdf221e51 100644
--- a/data_sources/aws_cloudtrail_deletealarms.yml
+++ b/data_sources/aws_cloudtrail_deletealarms.yml
@@ -3,10 +3,16 @@ id: b0730ac8-0992-4de8-b000-2c7d0fc7a61f
version: 1
date: '2024-07-18'
author: Bhavin Patel, Splunk
-description: Data source object for AWS CloudTrail DeleteAlarms
+description: Logs the deletion of CloudWatch alarms, including details about the alarm names and associated monitoring configurations.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteAlarms
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletedetector.yml b/data_sources/aws_cloudtrail_deletedetector.yml
index df3b6cea4e..f467d9348d 100644
--- a/data_sources/aws_cloudtrail_deletedetector.yml
+++ b/data_sources/aws_cloudtrail_deletedetector.yml
@@ -3,10 +3,16 @@ id: 5d8bd475-c8bc-4447-b27f-efa508728b90
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteDetector
+description: Logs the deletion of an Amazon GuardDuty detector, including details about the detector ID and associated configurations.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Host Status
+- Application Log Content
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteDetector
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletegroup.yml b/data_sources/aws_cloudtrail_deletegroup.yml
index f383f21440..a683fd2697 100644
--- a/data_sources/aws_cloudtrail_deletegroup.yml
+++ b/data_sources/aws_cloudtrail_deletegroup.yml
@@ -3,10 +3,16 @@ id: c95308a4-a943-42ca-b112-f90a05c21bd3
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteGroup
+description: Logs the deletion of an IAM group in AWS, including details about the group name and its associated policies or members.
+mitre_components:
+- Group Modification
+- Group Metadata
+- User Account Metadata
+- Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteGroup
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deleteipset.yml b/data_sources/aws_cloudtrail_deleteipset.yml
index 9e70698a5f..4c8770dcb2 100644
--- a/data_sources/aws_cloudtrail_deleteipset.yml
+++ b/data_sources/aws_cloudtrail_deleteipset.yml
@@ -3,10 +3,15 @@ id: ebdeeb63-77a0-4808-a6fe-549956731377
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteIPSet
+description: Logs the deletion of an IP set in AWS WAF or GuardDuty, including details about the IP set ID and its associated configurations.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Firewall Rule Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteIPSet
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deleteloggroup.yml b/data_sources/aws_cloudtrail_deleteloggroup.yml
index 936f52788a..04895c5bab 100644
--- a/data_sources/aws_cloudtrail_deleteloggroup.yml
+++ b/data_sources/aws_cloudtrail_deleteloggroup.yml
@@ -3,10 +3,16 @@ id: 60cf6a69-fa43-4a6c-8808-e9fb46bf387f
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteLogGroup
+description: Logs the deletion of a CloudWatch log group, including details about the log group name and associated resources.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteLogGroup
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletelogstream.yml b/data_sources/aws_cloudtrail_deletelogstream.yml
index 591ea64693..998218f3d2 100644
--- a/data_sources/aws_cloudtrail_deletelogstream.yml
+++ b/data_sources/aws_cloudtrail_deletelogstream.yml
@@ -3,10 +3,16 @@ id: 6f8bb808-89f8-465e-a34d-229df2f46402
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteLogStream
+description: Logs the deletion of a log stream within a CloudWatch log group, including details about the stream name and associated log group.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteLogStream
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
index 7c0003f08b..ce7ac268b0 100644
--- a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
@@ -3,10 +3,15 @@ id: a0dd0f10-cc03-425d-bd5a-e1e0d954b856
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteNetworkAclEntry
+description: Logs the deletion of a network ACL entry in AWS, including details about the rule number and associated network ACL.
+mitre_components:
+- Firewall Rule Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteNetworkAclEntry
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletepolicy.yml b/data_sources/aws_cloudtrail_deletepolicy.yml
index 44cd10188c..fd3dbe18c2 100644
--- a/data_sources/aws_cloudtrail_deletepolicy.yml
+++ b/data_sources/aws_cloudtrail_deletepolicy.yml
@@ -3,10 +3,14 @@ id: d190d23a-2c59-4a0e-9c55-a53ebef28ee5
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeletePolicy
+description: Logs the deletion of an IAM policy in AWS, including details about the policy name and its associated roles or users.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeletePolicy
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deleterule.yml b/data_sources/aws_cloudtrail_deleterule.yml
index 545fbcec9a..b5bf81865b 100644
--- a/data_sources/aws_cloudtrail_deleterule.yml
+++ b/data_sources/aws_cloudtrail_deleterule.yml
@@ -3,10 +3,16 @@ id: b5760623-f3ca-492d-a372-d5c2b3567dfc
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteRule
+description: Logs the deletion of an event rule in AWS EventBridge, including details about the rule name and its associated targets or schedules.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Scheduled Job Modification
+- Application Log Content
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteRule
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletesnapshot.yml b/data_sources/aws_cloudtrail_deletesnapshot.yml
index 6b586a2a3e..dc157cb6bd 100644
--- a/data_sources/aws_cloudtrail_deletesnapshot.yml
+++ b/data_sources/aws_cloudtrail_deletesnapshot.yml
@@ -3,10 +3,16 @@ id: b0731ac8-0992-4de8-b000-2c7d0fc2a61f
version: 1
date: '2024-07-18'
author: Bhavin Patel, Splunk
-description: Data source object for AWS CloudTrail DeleteSnapshot
+description: Logs the deletion of a cloud resource snapshot, such as an Amazon EBS snapshot, including details about the snapshot ID and associated resource.
+mitre_components:
+- Snapshot Deletion
+- Snapshot Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteSnapshot
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletetrail.yml b/data_sources/aws_cloudtrail_deletetrail.yml
index 1555fafdac..50d8ba5c17 100644
--- a/data_sources/aws_cloudtrail_deletetrail.yml
+++ b/data_sources/aws_cloudtrail_deletetrail.yml
@@ -3,10 +3,16 @@ id: a5af09ff-07b6-4df6-92a0-2146bfe402c8
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteTrail
+description: Logs the deletion of an AWS CloudTrail trail, including details about the trail name and its associated logging configurations.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteTrail
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
index e03ef28b7d..64de0ba5eb 100644
--- a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
@@ -3,10 +3,14 @@ id: 84a08d6b-3d59-4260-8cab-84278ada262f
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteVirtualMFADevice
+description: Logs an event when a virtual Multi-Factor Authentication (MFA) device is deleted in AWS CloudTrail.
+mitre_components:
+- User Account Authentication
+- User Account Deletion
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteVirtualMFADevice
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
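Review bot: `User Account Deletion` looks misapplied here — DeleteVirtualMFADevice removes an MFA device from a user while the account itself survives, so `User Account Modification` (the component the updateloginprofile and updateaccountpasswordpolicy hunks use for comparable IAM changes) is the closer fit; please confirm against the mapping convention the repo targets. The description's phrase "deleted in AWS CloudTrail" also reads as though CloudTrail were the acting service, whereas it is the IAM API and CloudTrail only records it, so `description: Logs an event when a virtual Multi-Factor Authentication (MFA) device is deleted in AWS IAM, removing a second factor from the associated user.` would be more precise. The same "in AWS CloudTrail" phrasing appears in the deletewebacl, describeimagescanfindings, getaccountpasswordpolicy, jobcreated, modifysnapshotattribute, putbucketacl, putbucketlifecycle and putimage hunks, where the acting service is WAF, ECR, IAM, EC2 or S3 rather than CloudTrail (jobcreated is presumably S3 Batch Operations — verify before naming it).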
diff --git a/data_sources/aws_cloudtrail_deletewebacl.yml b/data_sources/aws_cloudtrail_deletewebacl.yml
index 2368ae2314..8d9c4b1cb9 100644
--- a/data_sources/aws_cloudtrail_deletewebacl.yml
+++ b/data_sources/aws_cloudtrail_deletewebacl.yml
@@ -3,10 +3,14 @@ id: 90da5f08-7961-4c29-8de8-01364982aadf
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteWebACL
+description: Logs an event when a Web Access Control List (WebACL) is deleted in AWS CloudTrail.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteWebACL
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_describeeventaggregates.yml b/data_sources/aws_cloudtrail_describeeventaggregates.yml
index ae72fb9931..68042cdaa6 100644
--- a/data_sources/aws_cloudtrail_describeeventaggregates.yml
+++ b/data_sources/aws_cloudtrail_describeeventaggregates.yml
@@ -3,10 +3,14 @@ id: 7efe4afe-62ae-4f96-81d1-76598ea37fc2
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DescribeEventAggregates
+description: Logs an event when aggregate details about AWS events are queried, often for analysis.
+mitre_components:
+- Cloud Service Enumeration
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DescribeEventAggregates
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_describeimagescanfindings.yml b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
index 79696cbffc..d29dc3e798 100644
--- a/data_sources/aws_cloudtrail_describeimagescanfindings.yml
+++ b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
@@ -3,10 +3,15 @@ id: 688ea789-9ba2-4970-90a2-17e541e273c9
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DescribeImageScanFindings
+description: Logs an event when findings from an image vulnerability scan are described using the DescribeImageScanFindings operation in AWS CloudTrail.
+mitre_components:
+- Image Metadata
+- Image Modification
+- Malware Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DescribeImageScanFindings
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
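Review bot: `Image Modification` does not fit a Describe* call — DescribeImageScanFindings is read-only and changes nothing about the image, so tagging it as a modification component will pull this source into detections about image tampering where it does not belong. `Image Metadata` is the accurate component; whether `Malware Metadata` belongs depends on whether the repo treats ECR scan findings as malware-repository data, which I would confirm against how other scan-result sources are mapped. The description also says the findings are described "in AWS CloudTrail"; the operation belongs to Amazon ECR and CloudTrail only records it.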
diff --git a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
index 376fecc828..d4abfd2473 100644
--- a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
@@ -3,10 +3,14 @@ id: 439bdc53-6e4b-4cd7-b326-86c7317fd396
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail GetAccountPasswordPolicy
+description: Logs an event when a request is made to get the account password policy in AWS CloudTrail.
+mitre_components:
+- User Account Authentication
+- User Account Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: GetAccountPasswordPolicy
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_getobject.yml b/data_sources/aws_cloudtrail_getobject.yml
index 27d29dea5d..3a3c9a6e10 100644
--- a/data_sources/aws_cloudtrail_getobject.yml
+++ b/data_sources/aws_cloudtrail_getobject.yml
@@ -3,10 +3,15 @@ id: 5063cb10-84c0-44af-ade4-ab9ecad11dfe
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail GetObject
+description: Logs an event when a request is made to access an object stored in an AWS S3 bucket.
+mitre_components:
+- Cloud Storage Access
+- Cloud Storage Metadata
+- Cloud Storage Enumeration
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: GetObject
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
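Review bot: The description promises an event for every object access, but CloudTrail only records S3 GetObject when data-event logging is enabled for the bucket or trail; a management-events-only trail never produces this event, and a detection built on this source would silently see nothing. I would state that in the description, e.g. `description: Logs an event when an object in an S3 bucket is read via GetObject. Requires S3 data event logging to be enabled on the trail; management-event-only trails do not record this call.` Separately, `Cloud Storage Enumeration` is a stretch for a single-object read (listing calls enumerate, GetObject accesses), so `Cloud Storage Access` and `Cloud Storage Metadata` alone look like the right pair.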
diff --git a/data_sources/aws_cloudtrail_getpassworddata.yml b/data_sources/aws_cloudtrail_getpassworddata.yml
index fc6857d804..7b86ddd0fe 100644
--- a/data_sources/aws_cloudtrail_getpassworddata.yml
+++ b/data_sources/aws_cloudtrail_getpassworddata.yml
@@ -3,10 +3,14 @@ id: 6ff2ce99-85b1-4c17-888a-56dbc3570671
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail GetPasswordData
+description: Logs an event when a request is made to retrieve the administrator password of an EC2 instance.
+mitre_components:
+- Instance Metadata
+- User Account Authentication
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: GetPasswordData
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_jobcreated.yml b/data_sources/aws_cloudtrail_jobcreated.yml
index b33710f139..fb86a52163 100644
--- a/data_sources/aws_cloudtrail_jobcreated.yml
+++ b/data_sources/aws_cloudtrail_jobcreated.yml
@@ -3,10 +3,14 @@ id: 6473289b-d097-4c86-a837-3cc5ae408155
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail JobCreated
+description: Logs an event when a new job is created in AWS CloudTrail.
+mitre_components:
+- Scheduled Job Creation
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: JobCreated
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_modifydbinstance.yml b/data_sources/aws_cloudtrail_modifydbinstance.yml
index 813b021c40..df5c25ffe5 100644
--- a/data_sources/aws_cloudtrail_modifydbinstance.yml
+++ b/data_sources/aws_cloudtrail_modifydbinstance.yml
@@ -3,10 +3,15 @@ id: bfa2912d-1a33-4b05-be46-543874d68241
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail ModifyDBInstance
+description: Logs an event when a modification is made to an AWS database instance, such as parameters or configurations.
+mitre_components:
+- Instance Modification
+- Cloud Service Modification
+- Instance Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: ModifyDBInstance
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_modifyimageattribute.yml b/data_sources/aws_cloudtrail_modifyimageattribute.yml
index e73a70ec35..3d415b44b9 100644
--- a/data_sources/aws_cloudtrail_modifyimageattribute.yml
+++ b/data_sources/aws_cloudtrail_modifyimageattribute.yml
@@ -3,10 +3,14 @@ id: 667c2115-8082-419e-b541-8150066bda4d
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail ModifyImageAttribute
+description: Logs an event when the attributes of an Amazon Machine Image (AMI) are modified.
+mitre_components:
+- Image Modification
+- Image Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: ModifyImageAttribute
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
index 373a15ede9..211ccdf1dc 100644
--- a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
+++ b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
@@ -3,10 +3,13 @@ id: 7e5aa947-3a0d-4ee5-b800-0c10b555da05
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail ModifySnapshotAttribute
+description: Logs an event when modifications are made to the attributes of a snapshot in AWS CloudTrail.
+mitre_components:
+- Snapshot Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: ModifySnapshotAttribute
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_putbucketacl.yml b/data_sources/aws_cloudtrail_putbucketacl.yml
index 10765a8703..24be91aea5 100644
--- a/data_sources/aws_cloudtrail_putbucketacl.yml
+++ b/data_sources/aws_cloudtrail_putbucketacl.yml
@@ -3,10 +3,14 @@ id: 28fffbfd-d98d-4a42-990b-b04ab47422eb
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail PutBucketAcl
+description: Logs an event when an ACL is set or modified for an S3 bucket in AWS CloudTrail.
+mitre_components:
+- Cloud Storage Modification
+- Cloud Storage Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: PutBucketAcl
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_putbucketlifecycle.yml b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
index c9d8491a16..a01d2b76d2 100644
--- a/data_sources/aws_cloudtrail_putbucketlifecycle.yml
+++ b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
@@ -3,10 +3,14 @@ id: 1c73e954-87b6-4bd7-ac6a-5db7c4082b22
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail PutBucketLifecycle
+description: Logs an event when a lifecycle configuration is added to an S3 bucket in AWS CloudTrail.
+mitre_components:
+- Cloud Storage Modification
+- Cloud Storage Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: PutBucketLifecycle
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_putbucketreplication.yml b/data_sources/aws_cloudtrail_putbucketreplication.yml
index 50c9bb4051..b16eec7546 100644
--- a/data_sources/aws_cloudtrail_putbucketreplication.yml
+++ b/data_sources/aws_cloudtrail_putbucketreplication.yml
@@ -3,10 +3,13 @@ id: 0e1362eb-e592-419f-8fa5-556d3a122417
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail PutBucketReplication
+description: Logs an event when replication configurations are added or modified for an S3 bucket.
+mitre_components:
+- Cloud Storage Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: PutBucketReplication
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_putbucketversioning.yml b/data_sources/aws_cloudtrail_putbucketversioning.yml
index 4d928ee0d2..1fcc3c6668 100644
--- a/data_sources/aws_cloudtrail_putbucketversioning.yml
+++ b/data_sources/aws_cloudtrail_putbucketversioning.yml
@@ -3,10 +3,13 @@ id: 17b2fc7d-c8ce-487c-8815-f9a65a09e980
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail PutBucketVersioning
+description: Logs an event when the bucket versioning state is modified in an AWS S3 bucket.
+mitre_components:
+- Cloud Storage Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: PutBucketVersioning
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_putimage.yml b/data_sources/aws_cloudtrail_putimage.yml
index 707c03fcf6..263b630172 100644
--- a/data_sources/aws_cloudtrail_putimage.yml
+++ b/data_sources/aws_cloudtrail_putimage.yml
@@ -3,10 +3,14 @@ id: bb13f10d-0d8c-4fde-9136-b7cfd930e87c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail PutImage
+description: Logs an event when a container image is uploaded to a repository in AWS CloudTrail.
+mitre_components:
+- Image Creation
+- Image Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: PutImage
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_putkeypolicy.yml b/data_sources/aws_cloudtrail_putkeypolicy.yml
index 9b2786fadb..edac5877b5 100644
--- a/data_sources/aws_cloudtrail_putkeypolicy.yml
+++ b/data_sources/aws_cloudtrail_putkeypolicy.yml
@@ -3,7 +3,7 @@ id: 9c54c86b-43b9-4bb8-915d-6838beb7f07c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail PutKeyPolicy
+description: Logs changes made to AWS Key Management Service (KMS) key policies, including updates and permission assignments.
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
@@ -94,6 +94,8 @@ fields:
- vendor_account
- vendor_product
- vendor_region
+mitre_components:
+- Cloud Service Modification
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLK74OPBDR", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
index 4ce1405960..af51b981b1 100644
--- a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
@@ -3,10 +3,14 @@ id: db0c240e-3754-40e4-86ef-cde018ee9f65
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail ReplaceNetworkAclEntry
+description: Logs an event when a network ACL entry is replaced within the AWS CloudTrail.
+mitre_components:
+- Firewall Rule Modification
+- Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: ReplaceNetworkAclEntry
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
index 9797971379..df1e0b4657 100644
--- a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
@@ -3,10 +3,14 @@ id: 06e0b5a0-8d36-485e-befc-4ae79d77ef6c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail SetDefaultPolicyVersion
+description: Logs an event when the default version of a resource policy in AWS is set or changed.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: SetDefaultPolicyVersion
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_stoplogging.yml b/data_sources/aws_cloudtrail_stoplogging.yml
index f285ce143e..69859da19d 100644
--- a/data_sources/aws_cloudtrail_stoplogging.yml
+++ b/data_sources/aws_cloudtrail_stoplogging.yml
@@ -3,10 +3,13 @@ id: c5de7c54-4809-4659-bf9f-3bacf8bdfd35
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail StopLogging
+description: Logs an event when a cloud service in AWS, such as CloudTrail, is deactivated or stopped.
+mitre_components:
+- Cloud Service Disable
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: StopLogging
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
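Review bot: The new description is broader than the event it names — StopLogging is the CloudTrail API that suspends event recording and log file delivery for a specific trail, not a generic "cloud service ... deactivated or stopped", and the vaguer wording hides why this source matters for defense-evasion detection. `description: Logs an event when logging is stopped for an AWS CloudTrail trail via the StopLogging API, suspending recording and delivery of events for that trail.` states it directly. The sole `Cloud Service Disable` component fits; `Cloud Service Modification` could be added for parity with the updatetrail and deletetrail hunks, but that is optional.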
diff --git a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
index de90a002fe..3959397892 100644
--- a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
@@ -3,10 +3,14 @@ id: 35a8cc97-3600-40e1-a5d1-1c2ad5060be0
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail UpdateAccountPasswordPolicy
+description: Logs an event when an AWS account's password policy is updated.
+mitre_components:
+- User Account Modification
+- Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: UpdateAccountPasswordPolicy
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_updateloginprofile.yml b/data_sources/aws_cloudtrail_updateloginprofile.yml
index 6978637a08..e8d28c061a 100644
--- a/data_sources/aws_cloudtrail_updateloginprofile.yml
+++ b/data_sources/aws_cloudtrail_updateloginprofile.yml
@@ -3,10 +3,14 @@ id: 1db79158-e5d3-4d35-9d3c-586e44e09f1c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail UpdateLoginProfile
+description: Logs an event when an IAM user's login profile is updated.
+mitre_components:
+- User Account Modification
+- User Account Authentication
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: UpdateLoginProfile
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_updatesamlprovider.yml b/data_sources/aws_cloudtrail_updatesamlprovider.yml
index 2f2cd5b188..9477d6a455 100644
--- a/data_sources/aws_cloudtrail_updatesamlprovider.yml
+++ b/data_sources/aws_cloudtrail_updatesamlprovider.yml
@@ -3,10 +3,15 @@ id: e5eb628d-711e-499c-87d9-8fa5dee419ec
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail UpdateSAMLProvider
+description: Logs an event when a SAML provider is updated in AWS.
+mitre_components:
+- Cloud Service Modification
+- User Account Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: UpdateSAMLProvider
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_updatetrail.yml b/data_sources/aws_cloudtrail_updatetrail.yml
index f22ec6b7ba..edc2d3ff2a 100644
--- a/data_sources/aws_cloudtrail_updatetrail.yml
+++ b/data_sources/aws_cloudtrail_updatetrail.yml
@@ -3,10 +3,14 @@ id: d5b7a1eb-711a-4c96-aa93-235fe3c8a939
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail UpdateTrail
+description: Logs an event when an AWS CloudTrail trail is updated, typically involving changes to settings or configuration.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: UpdateTrail
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudwatchlogs_vpcflow.yml b/data_sources/aws_cloudwatchlogs_vpcflow.yml
index b20242046f..bec254d4fa 100644
--- a/data_sources/aws_cloudwatchlogs_vpcflow.yml
+++ b/data_sources/aws_cloudwatchlogs_vpcflow.yml
@@ -3,10 +3,12 @@ id: 38a34fc4-e128-4478-a8f4-7835d51d5135
version: 1
author: Bhavin Patel, Splunk
date: '2024-07-18'
-description: Data source object for AWS CloudWatchLogs VPCflow
+description: Logs an event when network traffic flow information such as source and destination IPs, ports, protocol, and action (allow/deny) is captured for VPC in AWS.
+mitre_components:
+- Network Traffic Flow
+- Network Connection Creation
source: aws_cloudwatchlogs_vpcflow
sourcetype: aws:cloudwatchlogs:vpcflow
-separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
version: 7.9.0
diff --git a/data_sources/aws_security_hub.yml b/data_sources/aws_security_hub.yml
index 5d4d52b2e7..5d72ddeb75 100644
--- a/data_sources/aws_security_hub.yml
+++ b/data_sources/aws_security_hub.yml
@@ -3,7 +3,12 @@ id: b02bfbf3-294f-478e-99a1-e24b8c692d7e
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS Security Hub
+description: Logs an event when AWS Security Hub identifies potential security risks or deviations from configured best practices across AWS accounts.
+mitre_components:
+- Cloud Service Metadata
+- Cloud Service Enumeration
+- Cloud Service Modification
+- Cloud Service Disable
source: aws_securityhub_finding
sourcetype: aws:securityhub:finding
supported_TA:
diff --git a/data_sources/azure_active_directory.yml b/data_sources/azure_active_directory.yml
index 5acf9c76b5..20f8362da1 100644
--- a/data_sources/azure_active_directory.yml
+++ b/data_sources/azure_active_directory.yml
@@ -3,7 +3,7 @@ id: 51ca21e5-bda2-4652-bb29-27c7bc18a81c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory
+description: All Azure Active Directory events
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
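Review bot: `All Azure Active Directory events` breaks the pattern every other rewritten description in this commit follows ("Logs an event when …", a full sentence ending in a period) and does not say what distinguishes this source from the per-operation Azure AD sources that share its `source` and `sourcetype`. Something like `description: Logs all Azure Active Directory events ingested via Azure Monitor, regardless of operationName; the per-operation Azure AD data sources narrow this stream with a separator_value.` keeps the style and makes the parent/child relationship explicit. No `separator_value` is expected here, since this is the catch-all source.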
diff --git a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
index 9db213655d..2afbd8e4ba 100644
--- a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
+++ b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
@@ -3,11 +3,16 @@ id: 8b2e84cd-6db0-47e9-badc-75c17df1995f
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Add app role assignment
- to service principal
+description: Logs the addition of an application role assignment to a service principal in Azure Active Directory, including details about the role, service principal, and the user or process performing the action.
+mitre_components:
+- User Account Modification
+- Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Add app role assignment to service principal
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_add_member_to_role.yml b/data_sources/azure_active_directory_add_member_to_role.yml
index c62d91a8c2..c2dfa64ecb 100644
--- a/data_sources/azure_active_directory_add_member_to_role.yml
+++ b/data_sources/azure_active_directory_add_member_to_role.yml
@@ -3,10 +3,16 @@ id: 1660d196-127f-4678-81b2-472d51711b07
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Add member to role
+description: Logs the addition of a member to a directory role in Azure Active Directory, including details about the role, the member added, and the user or process performing the action.
+mitre_components:
+- Group Modification
+- Group Metadata
+- User Account Metadata
+- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Add member to role
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_add_owner_to_application.yml b/data_sources/azure_active_directory_add_owner_to_application.yml
index 6e3b00d39a..f174ee00b6 100644
--- a/data_sources/azure_active_directory_add_owner_to_application.yml
+++ b/data_sources/azure_active_directory_add_owner_to_application.yml
@@ -3,10 +3,16 @@ id: e895ed56-7be4-4b3a-b782-ecd0f594ec4c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Add owner to application
+description: Logs the addition of an owner to an application in Azure Active Directory, including details about the application, the owner added, and the user or process performing the action.
+mitre_components:
+- User Account Modification
+- Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Add owner to application
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_add_service_principal.yml b/data_sources/azure_active_directory_add_service_principal.yml
index 798a1dd0c9..d100855262 100644
--- a/data_sources/azure_active_directory_add_service_principal.yml
+++ b/data_sources/azure_active_directory_add_service_principal.yml
@@ -3,10 +3,16 @@ id: fd89d337-e4c0-4162-ad13-bca36f096fe6
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Add service principal
+description: Logs the creation of a new service principal in Azure Active Directory, including details about the service principal, associated application, and the user or process performing the action.
+mitre_components:
+- Cloud Service Creation
+- Cloud Service Metadata
+- User Account Metadata
+- Active Directory Object Creation
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Add service principal
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
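Review bot: `Cloud Service Creation` is not a data component name I can place in the ATT&CK Enterprise list — the Cloud Service data source has Disable, Enumeration, Metadata and Modification components — so if `mitre_components` is validated against the ATT&CK data set this entry will be rejected, and if it is not validated the value silently matches nothing. `Active Directory Object Creation` already covers the creation aspect here, so dropping `Cloud Service Creation` or replacing it with `Cloud Service Modification` seems safest; please verify against the component list the repo validates with. The same question applies to `Configuration Modification` in the add_unverified_domain and consent_to_application hunks, which I also cannot place in that list.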
diff --git a/data_sources/azure_active_directory_add_unverified_domain.yml b/data_sources/azure_active_directory_add_unverified_domain.yml
index 2cb8e93738..1b06002e40 100644
--- a/data_sources/azure_active_directory_add_unverified_domain.yml
+++ b/data_sources/azure_active_directory_add_unverified_domain.yml
@@ -3,10 +3,16 @@ id: d4c01fb1-3b88-46d3-bd12-9b9e256450f7
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Add unverified domain
+description: Logs the addition of an unverified domain to Azure Active Directory, including details about the domain name and the user or process performing the action.
+mitre_components:
+- Domain Registration
+- Cloud Service Modification
+- Cloud Service Metadata
+- Configuration Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Add unverified domain
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_consent_to_application.yml b/data_sources/azure_active_directory_consent_to_application.yml
index 9464b69c7a..cc0ee34156 100644
--- a/data_sources/azure_active_directory_consent_to_application.yml
+++ b/data_sources/azure_active_directory_consent_to_application.yml
@@ -3,10 +3,16 @@ id: 4c5d6c49-53e3-4980-a4de-c63e26291ed0
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Consent to application
+description: Logs user or admin consent to an application's permissions in Azure Active Directory, including details about the application, granted permissions, and the consenting user or process.
+mitre_components:
+- User Account Modification
+- Cloud Service Modification
+- Cloud Service Metadata
+- Configuration Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Consent to application
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_disable_strong_authentication.yml b/data_sources/azure_active_directory_disable_strong_authentication.yml
index 2b1fd79f79..c32bf6b639 100644
--- a/data_sources/azure_active_directory_disable_strong_authentication.yml
+++ b/data_sources/azure_active_directory_disable_strong_authentication.yml
@@ -3,10 +3,15 @@ id: 8f31966d-c496-496d-8837-f7fd11f31255
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Disable Strong Authentication
+description: Logs an event when strong authentication methods are disabled in Azure Active Directory.
+mitre_components:
+- User Account Authentication
+- User Account Modification
+- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Disable Strong Authentication
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_enable_account.yml b/data_sources/azure_active_directory_enable_account.yml
index 710007e9f8..d335c79ffc 100644
--- a/data_sources/azure_active_directory_enable_account.yml
+++ b/data_sources/azure_active_directory_enable_account.yml
@@ -3,10 +3,15 @@ id: cb49f3cd-04ad-415c-a5ed-9b27b2829fa7
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Enable account
+description: Logs an event when an Azure Active Directory account is enabled.
+mitre_components:
+- User Account Modification
+- User Account Authentication
+- User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Enable account
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_invite_external_user.yml b/data_sources/azure_active_directory_invite_external_user.yml
index ebb0a4dea9..d7cb59bbba 100644
--- a/data_sources/azure_active_directory_invite_external_user.yml
+++ b/data_sources/azure_active_directory_invite_external_user.yml
@@ -3,10 +3,15 @@ id: d3818bd5-f283-4518-8b67-df19240c3e40
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Invite external user
+description: Logs an event when an external user is invited to join an Azure Active Directory tenant.
+mitre_components:
+- Active Directory Object Creation
+- User Account Creation
+- User Account Authentication
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Invite external user
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_reset_password_(by_admin).yml b/data_sources/azure_active_directory_reset_password_(by_admin).yml
index 1247baa3b5..9c4db01f1f 100644
--- a/data_sources/azure_active_directory_reset_password_(by_admin).yml
+++ b/data_sources/azure_active_directory_reset_password_(by_admin).yml
@@ -3,10 +3,15 @@ id: dcd0e4dc-68f8-4b77-a66f-89c57b3afa6b
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Reset password (by admin)
+description: Logs an event when an admin resets a user's password in Azure Active Directory.
+mitre_components:
+- User Account Authentication
+- User Account Modification
+- Active Directory Object Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Reset password (by admin)
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_set_domain_authentication.yml b/data_sources/azure_active_directory_set_domain_authentication.yml
index 07fbd4945f..c20d10043c 100644
--- a/data_sources/azure_active_directory_set_domain_authentication.yml
+++ b/data_sources/azure_active_directory_set_domain_authentication.yml
@@ -3,10 +3,15 @@ id: e7bcdab9-908c-40ab-ba38-5db54fa87750
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Set domain authentication
+description: Logs an event when the authentication method for a domain in Azure Active Directory is set or modified.
+mitre_components:
+- Active Directory Object Modification
+- User Account Authentication
+- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Set domain authentication
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_sign_in_activity.yml b/data_sources/azure_active_directory_sign_in_activity.yml
index 71e28dc986..3fca810c95 100644
--- a/data_sources/azure_active_directory_sign_in_activity.yml
+++ b/data_sources/azure_active_directory_sign_in_activity.yml
@@ -3,10 +3,15 @@ id: f9ed0a3a-9e20-4198-a035-d0a29593fbe0
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Sign-in activity
+description: Logs an event when a user attempts to sign into Azure Active Directory, capturing authentication details and outcomes.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Sign-in activity
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_update_application.yml b/data_sources/azure_active_directory_update_application.yml
index 821d432ecf..cc9da95340 100644
--- a/data_sources/azure_active_directory_update_application.yml
+++ b/data_sources/azure_active_directory_update_application.yml
@@ -3,10 +3,15 @@ id: 2c08188a-ba25-496e-87c7-803cf28b6c90
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Update application
+description: Logs an event when an application in Azure Active Directory is updated, such as changes to its settings or permissions.
+mitre_components:
+- Service Modification
+- User Account Modification
+- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Update application
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_update_authorization_policy.yml b/data_sources/azure_active_directory_update_authorization_policy.yml
index 6d43b471e6..37b2c7c4be 100644
--- a/data_sources/azure_active_directory_update_authorization_policy.yml
+++ b/data_sources/azure_active_directory_update_authorization_policy.yml
@@ -3,10 +3,15 @@ id: c5b7ffcd-73d8-4fe5-afd8-b1218d715c0c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Update authorization policy
+description: Logs an event when an authorization policy is updated in Azure Active Directory.
+mitre_components:
+- User Account Modification
+- Group Modification
+- Active Directory Object Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Update authorization policy
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_update_user.yml b/data_sources/azure_active_directory_update_user.yml
index 4efa2a3816..a37a792233 100644
--- a/data_sources/azure_active_directory_update_user.yml
+++ b/data_sources/azure_active_directory_update_user.yml
@@ -3,10 +3,14 @@ id: 5495c90a-047c-4b8e-b2fe-1db6282d3872
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Update user
+description: Logs an event when a user account is updated in Azure Active Directory.
+mitre_components:
+- User Account Modification
+- User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Update user
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_user_registered_security_info.yml b/data_sources/azure_active_directory_user_registered_security_info.yml
index f7bef825fe..ae651e960d 100644
--- a/data_sources/azure_active_directory_user_registered_security_info.yml
+++ b/data_sources/azure_active_directory_user_registered_security_info.yml
@@ -3,11 +3,14 @@ id: b63240de-8a01-4ba8-8987-89d18d4b375d
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory User registered security
- info
+description: Logs an event when a user registers or updates their security information in Azure Active Directory.
+mitre_components:
+- User Account Modification
+- User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: User registered security info
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
index 8e30686b23..290688b816 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
@@ -3,11 +3,15 @@ id: 2ab182e7-feda-4249-9418-32710b55a885
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Audit Create or Update an Azure Automation
- account
+description: Logs an event when an Azure Automation account is created or updated.
+mitre_components:
+- Cloud Service Creation
+- Cloud Service Modification
+- Cloud Service Metadata
source: mscs:azure:audit
sourcetype: mscs:azure:audit
separator: operationName.localizedValue
+separator_value: Create or Update an Azure Automation account
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
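Review bot: `Cloud Service Creation` in the new `mitre_components` list is not a data component I can find under the ATT&CK Cloud Service data source, whose components are Cloud Service Disable, Cloud Service Enumeration, Cloud Service Metadata and Cloud Service Modification; if this field is validated against or used to compute coverage from the ATT&CK list, the entry will fail or map to nothing. `Cloud Service Modification` is already on the list, so dropping the first entry keeps the intent, or replace it with a component that exists in the reference list the project uses. The same name appears in the azure_active_directory_add_service_principal hunk at the top of this chunk, whose start is outside the visible range.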
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
index 024427c038..e7ee46661a 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
@@ -3,11 +3,14 @@ id: 2bd83221-7a8b-436f-9b2b-efa1d44d009e
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Audit Create or Update an Azure Automation
- Runbook
+description: Logs an event when a new Azure Automation Runbook is created or an existing one is updated.
+mitre_components:
+- Scheduled Job Modification
+- Scheduled Job Creation
source: mscs:azure:audit
sourcetype: mscs:azure:audit
separator: operationName.localizedValue
+separator_value: Create or Update an Azure Automation Runbook
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
index 35fccd817e..584e44aaff 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
@@ -3,11 +3,15 @@ id: 575faeb2-09d0-4849-b1f6-eae241f26ff2
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Audit Create or Update an Azure Automation
- webhook
+description: Logs an event when a webhook is created or updated in Azure Automation.
+mitre_components:
+- Scheduled Job Modification
+- Cloud Service Modification
+- Scheduled Job Metadata
source: mscs:azure:audit
sourcetype: mscs:azure:audit
separator: operationName.localizedValue
+separator_value: Create or Update an Azure Automation webhook
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/bro.yml b/data_sources/bro.yml
deleted file mode 100644
index 72d2cd5415..0000000000
--- a/data_sources/bro.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-name: Bro
-id: c5d9612b-0ffd-44d3-8247-3cf3486ec5e2
-version: 1
-date: '2024-07-18'
-author: Patrick Bareiss, Splunk
-description: Data source object for Bro
-source: bro:http:json
-sourcetype: bro:http:json
-supported_TA: []
diff --git a/data_sources/bro_conn.yml b/data_sources/bro_conn.yml
new file mode 100644
index 0000000000..d4ed14b382
--- /dev/null
+++ b/data_sources/bro_conn.yml
@@ -0,0 +1,15 @@
+name: Bro conn
+id: c5a7e93b-2172-45a7-a7e9-3b217255a7f5
+version: 1
+date: '2025-20-01'
+author: Jacob Delgado, SnapAttack
+description: Logs network connection metadata captured by Zeek (formerly Bro), including details such as source and destination IPs, ports, connection state, and protocol.
+mitre_components:
+- Network Connection Creation
+- Network Traffic Flow
+- Response Metadata
+- Application Log Content
+source: bro:conn:json
+sourcetype: bro:conn:json
+supported_TA: []
+
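Review bot: `date: '2025-20-01'` is not a valid calendar date (month 20) and differs from the `'YYYY-MM-DD'` form every other data source in this change uses; since the value is quoted, the YAML parser will not flag it, so it will only surface in whatever consumes the field. The commit is dated 2025-01-20, so `date: '2025-01-20'` is presumably what was intended, but please confirm. The same value is repeated in the bro_dns, bro_files, bro_loaded_scripts, bro_ntp, bro_ocsp, bro_ssl, bro_weird and bro_x509 hunks below. This file also ends with an extra empty line (the trailing `+` line) that none of its siblings carry.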
diff --git a/data_sources/bro_dns.yml b/data_sources/bro_dns.yml
new file mode 100644
index 0000000000..2b7cf87568
--- /dev/null
+++ b/data_sources/bro_dns.yml
@@ -0,0 +1,15 @@
+name: Bro dns
+id: a4576cbf-06cc-4ed0-976c-bf06ccaed011
+version: 1
+date: '2025-20-01'
+author: Jacob Delgado, SnapAttack
+description: Logs DNS queries and responses captured by Zeek (formerly Bro), including details such as queried domains, resolved IPs, query types, and response codes.
+mitre_components:
+- Active DNS
+- Passive DNS
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+source: bro:dns:json
+sourcetype: bro:dns:json
+supported_TA: []
diff --git a/data_sources/bro_files.yml b/data_sources/bro_files.yml
new file mode 100644
index 0000000000..b8b0f83dc8
--- /dev/null
+++ b/data_sources/bro_files.yml
@@ -0,0 +1,15 @@
+name: Bro files
+id: f72d34d0-3495-4826-ad34-d03495782633
+version: 1
+date: '2025-20-01'
+author: Jacob Delgado, SnapAttack
+description: Logs metadata about files transferred over the network captured by Zeek (formerly Bro), including details such as file names, hashes, MIME types, and transfer protocols.
+mitre_components:
+- File Metadata
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+- Application Log Content
+source: bro:files:json
+sourcetype: bro:files:json
+supported_TA: []
diff --git a/data_sources/bro_http.yml b/data_sources/bro_http.yml
new file mode 100644
index 0000000000..f0e879954e
--- /dev/null
+++ b/data_sources/bro_http.yml
@@ -0,0 +1,15 @@
+name: Bro http
+id: c5d9612b-0ffd-44d3-8247-3cf3486ec5e2
+version: 2
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Logs HTTP traffic analyzed by Zeek (formerly Bro), including details such as request methods, URLs, user agents, response codes, and headers.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Response Content
+- Response Metadata
+- Application Log Content
+source: bro:http:json
+sourcetype: bro:http:json
+supported_TA: []
diff --git a/data_sources/bro_loaded_scripts.yml b/data_sources/bro_loaded_scripts.yml
new file mode 100644
index 0000000000..e6f2764604
--- /dev/null
+++ b/data_sources/bro_loaded_scripts.yml
@@ -0,0 +1,14 @@
+name: Bro loaded_scripts
+id: 81e08a21-a735-42b1-a08a-21a73582b1bf
+version: 1
+date: '2025-20-01'
+author: Jacob Delgado, SnapAttack
+description: Logs details about the scripts loaded by Zeek (formerly Bro) during initialization, including script names and paths.
+mitre_components:
+- Application Log Content
+- Configuration Modification
+- Script Execution
+- OS API Execution
+source: bro:loaded_scripts:json
+sourcetype: bro:loaded_scripts:json
+supported_TA: []
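Review bot: `Script Execution` and `OS API Execution` describe host-side execution telemetry, whereas, as the description itself says, loaded_scripts.log only records which Zeek policy scripts were loaded at startup; mapping it to those components is likely to over-state detection coverage for techniques that rely on them. `Application Log Content` and `Configuration Modification` already cover what this log provides, so I would drop the two execution components unless the project's mapping guidance says otherwise.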
diff --git a/data_sources/bro_ntp.yml b/data_sources/bro_ntp.yml
new file mode 100644
index 0000000000..15ea709585
--- /dev/null
+++ b/data_sources/bro_ntp.yml
@@ -0,0 +1,14 @@
+name: Bro ntp
+id: 3f64a544-47a4-4958-a4a5-4447a47958df
+version: 1
+date: '2025-20-01'
+author: Jacob Delgado, SnapAttack
+description: Logs Network Time Protocol (NTP) activity captured by Zeek (formerly Bro), including details such as NTP requests, responses, and server metadata.
+mitre_components:
+- Network Traffic Flow
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
+source: bro:ntp:json
+sourcetype: bro:ntp:json
+supported_TA: []
diff --git a/data_sources/bro_ocsp.yml b/data_sources/bro_ocsp.yml
new file mode 100644
index 0000000000..c0da63d49e
--- /dev/null
+++ b/data_sources/bro_ocsp.yml
@@ -0,0 +1,15 @@
+name: Bro ocsp
+id: d20909ab-70be-409a-8909-ab70be609af1
+version: 1
+date: '2025-20-01'
+author: Jacob Delgado, SnapAttack
+description: Logs Online Certificate Status Protocol (OCSP) activity captured by Zeek (formerly Bro), including details such as certificate validation requests and responses.
+mitre_components:
+- Certificate Registration
+- Network Traffic Flow
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
+source: bro:ocsp:json
+sourcetype: bro:ocsp:json
+supported_TA: []
\ No newline at end of file
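Review bot: This new file is missing the terminating newline, as are bro_ssl.yml and bro_x509.yml below, while the other new bro_*.yml files end with one; yamllint's `new-line-at-end-of-file` rule will flag these, and the inconsistency produces noisy diffs on the next edit. Add a final newline after `supported_TA: []` in all three.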
diff --git a/data_sources/bro_ssl.yml b/data_sources/bro_ssl.yml
new file mode 100644
index 0000000000..2616ce8186
--- /dev/null
+++ b/data_sources/bro_ssl.yml
@@ -0,0 +1,15 @@
+name: Bro ssl
+id: 22c637eb-f62e-41f0-8637-ebf62e11f0a8
+version: 1
+date: '2025-20-01'
+author: Jacob Delgado, SnapAttack
+description: Logs SSL/TLS handshake and session details captured by Zeek (formerly Bro), including certificates, cipher suites, and session information.
+mitre_components:
+- Certificate Registration
+- Network Traffic Flow
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
+source: bro:ssl:json
+sourcetype: bro:ssl:json
+supported_TA: []
\ No newline at end of file
diff --git a/data_sources/bro_weird.yml b/data_sources/bro_weird.yml
new file mode 100644
index 0000000000..346236e53d
--- /dev/null
+++ b/data_sources/bro_weird.yml
@@ -0,0 +1,15 @@
+name: Bro weird
+id: e03762c5-c4b8-44e3-b762-c5c4b8e4e3b6
+version: 1
+date: '2025-20-01'
+author: Jacob Delgado, SnapAttack
+description: Logs anomalous or unexpected network behaviors identified by Zeek (formerly Bro), including protocol violations and unusual traffic patterns.
+mitre_components:
+- Network Traffic Flow
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
+- Host Status
+source: bro:weird:json
+sourcetype: bro:weird:json
+supported_TA: []
diff --git a/data_sources/bro_x509.yml b/data_sources/bro_x509.yml
new file mode 100644
index 0000000000..8c41ee6ac1
--- /dev/null
+++ b/data_sources/bro_x509.yml
@@ -0,0 +1,15 @@
+name: Bro x509
+id: e8792367-64b0-47e9-b923-6764b0f7e936
+version: 1
+date: '2025-20-01'
+author: Jacob Delgado, SnapAttack
+description: Logs details about X.509 certificates observed in network traffic captured by Zeek (formerly Bro), including certificate fields, validity periods, and issuers.
+mitre_components:
+- Certificate Registration
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
+- Host Status
+source: bro:x509:json
+sourcetype: bro:x509:json
+supported_TA: []
\ No newline at end of file
diff --git a/data_sources/circleci.yml b/data_sources/circleci.yml
index 9dfcb06b20..6cf9ff1092 100644
--- a/data_sources/circleci.yml
+++ b/data_sources/circleci.yml
@@ -3,7 +3,13 @@ id: 34ad06fc-a296-4ab5-8315-2f07714948e3
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for CircleCI
+description: Logs activities related to CI/CD pipelines executed in CircleCI, including job execution, workflow progress, and configuration changes.
+mitre_components:
+- Scheduled Job Execution
+- Scheduled Job Metadata
+- Application Log Content
+- Configuration Modification
+- Host Status
source: circleci
sourcetype: circleci
supported_TA:
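Review bot: `Scheduled Job Execution` is not among the ATT&CK Scheduled Job data components, which are Scheduled Job Creation, Scheduled Job Metadata and Scheduled Job Modification; if `mitre_components` is validated against the ATT&CK list or used for coverage mapping, this entry will not resolve. `Scheduled Job Metadata` is already listed, so either drop the first entry or replace it with `Scheduled Job Creation` if that is the intended signal for pipeline job runs.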
diff --git a/data_sources/crowdstrike_processrollup2.yml b/data_sources/crowdstrike_processrollup2.yml
index 83b05821b9..e9074afdd5 100644
--- a/data_sources/crowdstrike_processrollup2.yml
+++ b/data_sources/crowdstrike_processrollup2.yml
@@ -3,10 +3,17 @@ id: cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for CrowdStrike ProcessRollup2
+description: Logs process-related activities captured by CrowdStrike, including process creation, termination, and metadata such as hashes, parent processes, and command-line arguments.
+mitre_components:
+- Process Creation
+- Process Termination
+- Process Metadata
+- Command Execution
+- OS API Execution
source: crowdstrike
sourcetype: crowdstrike:events:sensor
separator: event_simpleName
+separator_value: ProcessRollup2
supported_TA:
- name: Splunk Add-on for CrowdStrike FDR
url: https://splunkbase.splunk.com/app/5579
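Review bot: `Process Termination` in the component list and "termination" in the description appear to over-claim what this source carries: as far as I know, ProcessRollup2 is CrowdStrike's process-start event and process exit is reported by a separate FDR event type, so detections mapped to Process Termination via this data source would have no matching events. If that holds, drop `- Process Termination` and trim the description to `Logs process creation activity captured by CrowdStrike, including metadata such as hashes, parent processes, and command-line arguments.`; please confirm against the FDR event reference before changing it.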
diff --git a/data_sources/crushftp.yml b/data_sources/crushftp.yml
index 7c3f19a528..04a5b0827c 100644
--- a/data_sources/crushftp.yml
+++ b/data_sources/crushftp.yml
@@ -3,7 +3,13 @@ id: 8a42ace5-e4c8-4653-80cf-1b8e7e6024ef
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for CrushFTP
+description: Logs activities related to file transfers and user interactions in CrushFTP, including file uploads, downloads, user authentication, and session details.
+mitre_components:
+- File Access
+- File Metadata
+- User Account Authentication
+- Logon Session Metadata
+- Network Traffic Content
source: crushftp
sourcetype: crushftp:sessionlogs
supported_TA: []
diff --git a/data_sources/g_suite_drive.yml b/data_sources/g_suite_drive.yml
index 0b3b02e79e..a07ee5cd8c 100644
--- a/data_sources/g_suite_drive.yml
+++ b/data_sources/g_suite_drive.yml
@@ -3,7 +3,13 @@ id: 5f79120f-a235-4468-bd0d-55203758ac22
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for G Suite Drive
+description: Logs activities related to Google Drive in G Suite, including file creation, modification, sharing, and access details.
+mitre_components:
+- File Access
+- File Creation
+- File Modification
+- Cloud Storage Access
+- Cloud Storage Metadata
source: http:gsuite
sourcetype: gsuite:drive:json
supported_TA:
diff --git a/data_sources/g_suite_gmail.yml b/data_sources/g_suite_gmail.yml
index 7f628c7174..0a6ddc9596 100644
--- a/data_sources/g_suite_gmail.yml
+++ b/data_sources/g_suite_gmail.yml
@@ -3,7 +3,12 @@ id: 706c3978-41de-406b-b6e0-75bd01e12a5d
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for G Suite Gmail
+description: Logs Gmail activities in G Suite, including email sending, receiving, and access details, as well as potential security-related events.
+mitre_components:
+- Application Log Content
+- User Account Metadata
+- Email Metadata
+- Cloud Service Metadata
source: http:gsuite
sourcetype: gsuite:gmail:bigquery
supported_TA:
diff --git a/data_sources/github.yml b/data_sources/github.yml
index 2c5c88084d..e9125f7f07 100644
--- a/data_sources/github.yml
+++ b/data_sources/github.yml
@@ -3,7 +3,13 @@ id: 88aa4632-3c3e-43f6-a00a-998d71f558e3
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for GitHub
+description: Logs activities on GitHub repositories, including push events, pull requests, issue creation, and user authentication events.
+mitre_components:
+- User Account Authentication
+- Configuration Modification
+- Application Log Content
+- User Account Metadata
+- Scheduled Job Metadata
source: github
sourcetype: aws:firehose:json
supported_TA:
diff --git a/data_sources/google_workspace_login_failure.yml b/data_sources/google_workspace_login_failure.yml
index 11f79d2ad5..4f49e2a565 100644
--- a/data_sources/google_workspace_login_failure.yml
+++ b/data_sources/google_workspace_login_failure.yml
@@ -3,10 +3,16 @@ id: cabec7cf-4008-4899-b47e-39c34a9a1255
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Google Workspace login_failure
+description: Logs failed login attempts to Google Workspace accounts, including details about the user, IP address, and reason for failure.
+mitre_components:
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: gws:reports:admin
sourcetype: gws:reports:admin
separator: event.name
+separator_value: login_failure
supported_TA:
- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
diff --git a/data_sources/google_workspace_login_success.yml b/data_sources/google_workspace_login_success.yml
index 4a2bd0308c..723b1b2724 100644
--- a/data_sources/google_workspace_login_success.yml
+++ b/data_sources/google_workspace_login_success.yml
@@ -3,10 +3,16 @@ id: bffe8013-9cdf-4fe6-9c1b-6784391a4951
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Google Workspace login_success
+description: Logs successful login attempts to Google Workspace accounts, including details about the user, IP address, and session metadata.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Logon Session Metadata
source: gws:reports:admin
sourcetype: gws:reports:admin
separator: event.name
+separator_value: login_success
supported_TA:
- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
diff --git a/data_sources/ivanti_vtm_audit.yml b/data_sources/ivanti_vtm_audit.yml
index 0bdb54223a..a10ae34f02 100644
--- a/data_sources/ivanti_vtm_audit.yml
+++ b/data_sources/ivanti_vtm_audit.yml
@@ -3,7 +3,13 @@ id: b04be6e5-2002-4a49-8722-52285635b8f5
version: 1
date: '2024-08-19'
author: Michael Haag, Splunk
-description: Data source object for Ivanti Virtual Traffic Manager (vTM)
+description: Logs administrative and operational activities in Ivanti Virtual Traffic Manager (VTM), including configuration changes, user actions, and system events.
+mitre_components:
+- Configuration Modification
+- Application Log Content
+- User Account Metadata
+- Host Status
+- Service Modification
source: ivanti_vtm
sourcetype: ivanti_vtm_audit
supported_TA: []
diff --git a/data_sources/kubernetes_audit.yml b/data_sources/kubernetes_audit.yml
index 9ca3815448..9035f6c381 100644
--- a/data_sources/kubernetes_audit.yml
+++ b/data_sources/kubernetes_audit.yml
@@ -3,7 +3,14 @@ id: 6c25181a-0c07-4aaf-90e6-77ab1f0e6699
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Kubernetes Audit
+description: Logs activities within a Kubernetes cluster, including API server requests, resource access, configuration changes, and user authentication events.
+mitre_components:
+- Pod Metadata
+- Pod Modification
+- Cluster Metadata
+- User Account Authentication
+- Configuration Modification
+- Application Log Content
source: kubernetes
sourcetype: _json
supported_TA: []
diff --git a/data_sources/kubernetes_falco.yml b/data_sources/kubernetes_falco.yml
index 568d4be771..6b21e39781 100644
--- a/data_sources/kubernetes_falco.yml
+++ b/data_sources/kubernetes_falco.yml
@@ -3,7 +3,14 @@ id: 23c0eeed-840a-4711-a41b-6819c1ffbba5
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Kubernetes Falco
+description: Logs suspicious or anomalous activities within a Kubernetes environment detected by Falco, including system calls, file access, and network activity.
+mitre_components:
+- File Access
+- Network Traffic Content
+- Process Creation
+- Process Modification
+- Application Log Content
+- Host Status
source: kubernetes
sourcetype: kube:container:falco
supported_TA: []
diff --git a/data_sources/linux_auditd_add_user.yml b/data_sources/linux_auditd_add_user.yml
index c1d4736a2e..1b6bb6ba17 100644
--- a/data_sources/linux_auditd_add_user.yml
+++ b/data_sources/linux_auditd_add_user.yml
@@ -3,9 +3,16 @@ id: 30f79353-e1d2-4585-8735-1e0359559f3f
version: 1
date: '2024-08-08'
author: Teoderick Contreras, Splunk
-description: Data source object for Linux Auditd Add User Type
+description: Logs activities related to the addition of a new user account on a Linux system, including details about the username, UID, and the process initiating the action.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- OS API Execution
+- Application Log Content
source: /var/log/audit/audit.log
sourcetype: linux:audit
+separator: type
+separator_value: ADD_USER
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- name: Splunk Add-on for Unix and Linux
diff --git a/data_sources/linux_auditd_execve.yml b/data_sources/linux_auditd_execve.yml
index 0752725a0f..f70b98a8f9 100644
--- a/data_sources/linux_auditd_execve.yml
+++ b/data_sources/linux_auditd_execve.yml
@@ -3,9 +3,17 @@ id: 9ef6364d-cc67-480e-8448-3306829a6a24
version: 1
date: '2024-08-08'
author: Teoderick Contreras, Splunk
-description: Data source object for Linux Auditd Execve Type
+description: Logs the execution of processes on a Linux system, including details about the executed command, arguments, and the initiating process.
+mitre_components:
+- Command Execution
+- Process Creation
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: /var/log/audit/audit.log
sourcetype: linux:audit
+separator: type
+separator_value: EXECVE
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- name: Splunk Add-on for Unix and Linux
diff --git a/data_sources/linux_auditd_path.yml b/data_sources/linux_auditd_path.yml
index 03703ad47b..3dd0c9d22a 100644
--- a/data_sources/linux_auditd_path.yml
+++ b/data_sources/linux_auditd_path.yml
@@ -3,9 +3,17 @@ id: 3d86125c-0496-4a5a-aae3-0d355a4f3d7d
version: 1
date: '2024-08-08'
author: Teoderick Contreras, Splunk
-description: Data source object for Linux Auditd Path Type
+description: Logs file system access events on a Linux system, including details about file paths, permissions, and associated processes.
+mitre_components:
+- File Access
+- File Metadata
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: /var/log/audit/audit.log
sourcetype: linux:audit
+separator: type
+separator_value: PATH
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- name: Splunk Add-on for Unix and Linux
diff --git a/data_sources/linux_auditd_proctitle.yml b/data_sources/linux_auditd_proctitle.yml
index 4831ba4585..e0038b6a94 100644
--- a/data_sources/linux_auditd_proctitle.yml
+++ b/data_sources/linux_auditd_proctitle.yml
@@ -3,7 +3,14 @@ id: 5a25984a-2789-400a-858b-d75c923e06b1
version: 1
date: '2024-08-08'
author: Teoderick Contreras, Splunk
-description: Data source object for Linux Auditd Proctitle Type
+description: Logs the full command-line arguments of a process execution on a Linux system, providing visibility into the executed command and its parameters.
+mitre_components:
+- Command Execution
+- Process Metadata
+- OS API Execution
+- Application Log Content
+separator: type
+separator_value: PROCTITLE
source: /var/log/audit/audit.log
sourcetype: linux:audit
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
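Review bot: `separator` and `separator_value` are inserted above `source:` here, whereas linux_auditd_execve.yml, linux_auditd_path.yml and linux_auditd_syscall.yml in this same commit place them after `sourcetype:`. The YAML loads identically either way, but the data-source files otherwise share one fixed key order, and cross-file diffs stay readable only if this one matches; move the two lines below `sourcetype: linux:audit`. linux_auditd_service_stop.yml has the same ordering.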
diff --git a/data_sources/linux_auditd_service_stop.yml b/data_sources/linux_auditd_service_stop.yml
index 151da0bdca..3c4f41bcbf 100644
--- a/data_sources/linux_auditd_service_stop.yml
+++ b/data_sources/linux_auditd_service_stop.yml
@@ -3,7 +3,14 @@ id: 0643483c-bc62-455c-8d6e-1630e5f0e00d
version: 1
date: '2024-08-08'
author: Teoderick Contreras, Splunk
-description: Data source object for Linux Auditd Service Stop Type
+description: Logs events related to the stoppage of a service on a Linux system, including details about the service name, the process initiating the stop, and associated timestamps.
+mitre_components:
+- Service Modification
+- Service Metadata
+- OS API Execution
+- Application Log Content
+separator: type
+separator_value: SERVICE_STOP
source: /var/log/audit/audit.log
sourcetype: linux:audit
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
diff --git a/data_sources/linux_auditd_syscall.yml b/data_sources/linux_auditd_syscall.yml
index 73a300e2be..46f043e357 100644
--- a/data_sources/linux_auditd_syscall.yml
+++ b/data_sources/linux_auditd_syscall.yml
@@ -3,9 +3,16 @@ id: 4dff7047-0d43-4096-bb3f-b756c889bbad
version: 1
date: '2024-08-08'
author: Teoderick Contreras, Splunk
-description: Data source object for Linux Auditd Syscall Type
+description: Logs system calls made by processes on a Linux system, including details about the syscall number, arguments, return values, and associated process metadata.
+mitre_components:
+- OS API Execution
+- Process Metadata
+- Application Log Content
+- Host Status
source: /var/log/audit/audit.log
sourcetype: linux:audit
+separator: type
+separator_value: syscall
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- name: Splunk Add-on for Unix and Linux
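Review bot: `separator_value: syscall` is lowercase, while the sibling auditd files in this commit use the record type as auditd emits it (`EXECVE`, `PATH`, `PROCTITLE`, `SERVICE_STOP`) and auditd writes `type=SYSCALL` in uppercase. If the consumer compares the separator value literally against the `type` field, this source will match nothing. Change to `separator_value: SYSCALL`.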
diff --git a/data_sources/linux_secure.yml b/data_sources/linux_secure.yml
index cd08575aa2..1f1c1917e3 100644
--- a/data_sources/linux_secure.yml
+++ b/data_sources/linux_secure.yml
@@ -3,7 +3,13 @@ id: 9a47d88b-1b17-49ce-a0ef-b440ddbd98bb
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Linux Secure
+description: Logs authentication and authorization events on a Linux system, including login attempts, SSH connections, and privilege escalation activities.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: /var/log/secure
sourcetype: linux_secure
supported_TA: []
diff --git a/data_sources/ms365_defender_incident_alerts.yml b/data_sources/ms365_defender_incident_alerts.yml
index 3fd9ba4555..d8114c0151 100644
--- a/data_sources/ms365_defender_incident_alerts.yml
+++ b/data_sources/ms365_defender_incident_alerts.yml
@@ -3,7 +3,13 @@ id: 12345678-90ab-cdef-1234-567890abcdef
version: 1
date: '2024-07-18'
author: Bhavin Patel, Splunk
-description: Data source object for MS365 Defender Incident Alerts
+description: Logs security incidents and correlated alerts in Microsoft 365 Defender, including details about affected assets, threat types, and remediation steps.
+mitre_components:
+- Host Status
+- User Account Metadata
+- Application Log Content
+- Malware Metadata
+- Active Directory Object Access
source: ms365_defender_incident_alerts
sourcetype: ms365:defender:incident:alerts
supported_TA:
diff --git a/data_sources/ms_defender_atp_alerts.yml b/data_sources/ms_defender_atp_alerts.yml
index 92d4452143..09026a67d5 100644
--- a/data_sources/ms_defender_atp_alerts.yml
+++ b/data_sources/ms_defender_atp_alerts.yml
@@ -3,7 +3,13 @@ id: 38f034ed-1598-46c8-95e8-14edf01fdf5d
version: 1
date: '2024-10-30'
author: Bryan Pluta, Bhavin Patel, Splunk
-description: Data source object for Microsoft Defender ATP Alerts
+description: Logs security alerts generated by Microsoft Defender for Endpoint, including information about detected threats, impacted devices, and recommended actions.
+mitre_components:
+- Host Status
+- Malware Metadata
+- Process Metadata
+- User Account Metadata
+- Application Log Content
source: ms_defender_atp_alerts
sourcetype: ms:defender:atp:alerts
supported_TA:
diff --git a/data_sources/nginx_access.yml b/data_sources/nginx_access.yml
index 87238e5c67..052bfc81e4 100644
--- a/data_sources/nginx_access.yml
+++ b/data_sources/nginx_access.yml
@@ -3,7 +3,13 @@ id: c716a418-eab3-4df5-9dff-5420174e3068
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Nginx Access
+description: Logs HTTP/S access events on an Nginx server, including details such as client IP, request method, URI, response status, and user agent.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+- Application Log Content
+- User Account Metadata
source: /var/log/nginx/access.log
sourcetype: nginx:plus:kv
supported_TA: []
diff --git a/data_sources/o365.yml b/data_sources/o365.yml
index 8102ea7c9f..efbfc3ee05 100644
--- a/data_sources/o365.yml
+++ b/data_sources/o365.yml
@@ -3,7 +3,13 @@ id: b32de97d-0074-4cca-853c-db22c392b6c0
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365.
+description: Logs management activities in Microsoft 365, including administrative actions, user activities, and configuration changes across various services.
+mitre_components:
+- User Account Metadata
+- Cloud Service Modification
+- Application Log Content
+- Configuration Modification
+- Active Directory Object Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
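Review bot: `Configuration Modification` under `mitre_components` is not a name I can place in the ATT&CK data-component list (the Cloud Service data source's component is `Cloud Service Modification`, which is already listed here), so if these entries are meant to resolve to ATT&CK data components this one will not. Please verify the name against the ATT&CK list, and consider a CI check that every `mitre_components` entry is a known component. The same value is also added in o365_change_user_license_.yml, o365_consent_to_application_.yml, o365_disable_strong_authentication_.yml, o365_set_company_information_.yml, o365_update_application_.yml, o365_update_authorization_policy_.yml, okta.yml, powershell_installed_iis_modules.yml, powershell_sip_inventory.yml and splunk.yml.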
diff --git a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
index 89ececa0d0..4c64614e57 100644
--- a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
+++ b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
@@ -3,10 +3,16 @@ id: ce1d7849-a1d2-47fd-b6eb-d7ef854a860c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Add app role assignment grant to user.
+description: Logs the assignment of an application role grant to a user in Microsoft 365, including details about the role, user, and application involved.
+mitre_components:
+- User Account Modification
+- Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Add app role assignment grant to user.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
index 365604ba84..1549f8b091 100644
--- a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
+++ b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
@@ -3,10 +3,16 @@ id: 785ba57a-ba7b-474e-97c8-9474e6e00b3a
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Add app role assignment to service principal.
+description: Logs the assignment of an application role to a service principal in Microsoft 365, including details about the role, service principal, and application involved.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- User Account Metadata
+- Group Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Add app role assignment to service principal.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_add_mailboxpermission.yml b/data_sources/o365_add_mailboxpermission.yml
index c4869abc7a..e98765f07b 100644
--- a/data_sources/o365_add_mailboxpermission.yml
+++ b/data_sources/o365_add_mailboxpermission.yml
@@ -3,10 +3,16 @@ id: 9c0babdb-bb15-449e-abba-0a9cdb3fc061
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Add-MailboxPermission
+description: Logs the addition of mailbox permissions in Microsoft 365, including details about the mailbox, granted permissions, and the user or administrator performing the action.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Active Directory Object Modification
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Add-MailboxPermission
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_add_member_to_role_.yml b/data_sources/o365_add_member_to_role_.yml
index c2403e0b25..3fc466dba1 100644
--- a/data_sources/o365_add_member_to_role_.yml
+++ b/data_sources/o365_add_member_to_role_.yml
@@ -3,10 +3,16 @@ id: 8b949f7c-4b5d-404f-9694-d7403c4ec096
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Add member to role.
+description: Logs the addition of a member to a role in Microsoft 365, including details about the role, the added member, and the user or administrator performing the action.
+mitre_components:
+- Group Modification
+- Group Metadata
+- User Account Metadata
+- Cloud Service Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Add member to role.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_add_owner_to_application_.yml b/data_sources/o365_add_owner_to_application_.yml
index fdeccc791b..71caf3f806 100644
--- a/data_sources/o365_add_owner_to_application_.yml
+++ b/data_sources/o365_add_owner_to_application_.yml
@@ -3,10 +3,16 @@ id: da012cbf-af6e-40ee-a1ba-32a5f8da8f8a
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Add owner to application.
+description: Logs the addition of an owner to an application in Microsoft 365, including details about the application, the new owner, and the user or administrator performing the action.
+mitre_components:
+- User Account Modification
+- Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Add owner to application.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_add_service_principal_.yml b/data_sources/o365_add_service_principal_.yml
index ae338dcc71..8511ac4c76 100644
--- a/data_sources/o365_add_service_principal_.yml
+++ b/data_sources/o365_add_service_principal_.yml
@@ -3,10 +3,16 @@ id: 9c1ef9f5-bc30-4a47-a1bd-cb34484ee778
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Add service principal.
+description: Logs the addition of a new service principal in Microsoft 365, including details about the associated application and the action initiator.
+mitre_components:
+- Cloud Service Creation
+- Cloud Service Metadata
+- User Account Metadata
+- Active Directory Object Creation
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Add service principal.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_change_user_license_.yml b/data_sources/o365_change_user_license_.yml
index 17222c9261..2cceff2f8a 100644
--- a/data_sources/o365_change_user_license_.yml
+++ b/data_sources/o365_change_user_license_.yml
@@ -3,10 +3,16 @@ id: 1029a20d-3d0d-4fb9-b5e2-22ac5380b20a
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Change user license.
+description: Logs changes to user licenses in Microsoft 365, including additions, removals, or updates to service plans associated with a user account.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Cloud Service Modification
+- Configuration Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Change user license.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_consent_to_application_.yml b/data_sources/o365_consent_to_application_.yml
index 4b96c68d96..a5df3bc9f2 100644
--- a/data_sources/o365_consent_to_application_.yml
+++ b/data_sources/o365_consent_to_application_.yml
@@ -3,10 +3,16 @@ id: 0a15a464-ef51-4614-9a07-a216eb9817db
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Consent to application.
+description: Logs user or administrator consent to an application's permissions in Microsoft 365, including details about the application, granted permissions, and the consenting user or process.
+mitre_components:
+- User Account Modification
+- Cloud Service Modification
+- Cloud Service Metadata
+- Configuration Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Consent to application.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_disable_strong_authentication_.yml b/data_sources/o365_disable_strong_authentication_.yml
index 53f37fa0ab..ea3fb70491 100644
--- a/data_sources/o365_disable_strong_authentication_.yml
+++ b/data_sources/o365_disable_strong_authentication_.yml
@@ -3,10 +3,16 @@ id: 235381c4-382a-4183-b818-a51c3ce12187
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Disable Strong Authentication.
+description: Logs the disabling of strong authentication (e.g., multi-factor authentication) for a user or group in Microsoft 365, including details about the affected accounts and the action initiator.
+mitre_components:
+- User Account Modification
+- Group Modification
+- Configuration Modification
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Disable Strong Authentication.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_mailitemsaccessed.yml b/data_sources/o365_mailitemsaccessed.yml
index d2bad265dc..bc03fd713a 100644
--- a/data_sources/o365_mailitemsaccessed.yml
+++ b/data_sources/o365_mailitemsaccessed.yml
@@ -3,10 +3,16 @@ id: 3d5188eb-341a-4b46-9caa-aade4047d027
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 MailItemsAccessed
+description: Logs access to mailbox items in Microsoft 365, including details about the user accessing the items, the accessed content, and the method of access.
+mitre_components:
+- File Access
+- User Account Metadata
+- Application Log Content
+- Active Directory Object Access
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: MailItemsAccessed
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_modifyfolderpermissions.yml b/data_sources/o365_modifyfolderpermissions.yml
index bf6d9f1855..76c4e10d20 100644
--- a/data_sources/o365_modifyfolderpermissions.yml
+++ b/data_sources/o365_modifyfolderpermissions.yml
@@ -3,10 +3,16 @@ id: 0a8c1080-68c2-46d7-8324-2e7d97bb6e2f
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 ModifyFolderPermissions
+description: Logs modifications to folder permissions in Microsoft 365, including updates to access levels, user assignments, and sharing settings.
+mitre_components:
+- User Account Modification
+- File Access
+- Active Directory Object Modification
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: ModifyFolderPermissions
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_set_company_information_.yml b/data_sources/o365_set_company_information_.yml
index d40cca2fcb..5fab124138 100644
--- a/data_sources/o365_set_company_information_.yml
+++ b/data_sources/o365_set_company_information_.yml
@@ -3,10 +3,16 @@ id: 06c6d576-f032-41e3-b15d-80a434ce13d8
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Set Company Information.
+description: Logs updates to organizational settings and company information in Microsoft 365, including changes to contact details, branding, and configuration policies.
+mitre_components:
+- Cloud Service Modification
+- Configuration Modification
+- Cloud Service Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Set Company Information.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_set_mailbox.yml b/data_sources/o365_set_mailbox.yml
index 30ebad4b33..6849ce100a 100644
--- a/data_sources/o365_set_mailbox.yml
+++ b/data_sources/o365_set_mailbox.yml
@@ -3,10 +3,16 @@ id: db798c5c-928c-4972-bb42-e5f90e35865f
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Set-Mailbox
+description: Logs changes to mailbox properties in Microsoft 365, including updates to permissions, storage quotas, and configuration settings.
+mitre_components:
+- User Account Modification
+- Active Directory Object Modification
+- User Account Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Set-Mailbox
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_update_application_.yml b/data_sources/o365_update_application_.yml
index f78faf1948..155f1353ca 100644
--- a/data_sources/o365_update_application_.yml
+++ b/data_sources/o365_update_application_.yml
@@ -3,10 +3,16 @@ id: 62159133-911b-4c63-9e30-a6a8c89195ca
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Update application.
+description: Logs updates made to applications in Microsoft 365, including changes to configurations, permissions, and role assignments.
+mitre_components:
+- Cloud Service Modification
+- Configuration Modification
+- Cloud Service Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Update application.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_update_authorization_policy_.yml b/data_sources/o365_update_authorization_policy_.yml
index b53bce2417..2438a25b16 100644
--- a/data_sources/o365_update_authorization_policy_.yml
+++ b/data_sources/o365_update_authorization_policy_.yml
@@ -3,10 +3,16 @@ id: d40e6a20-4d64-404c-8351-2caae8228d34
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Update authorization policy.
+description: Logs changes to authorization policies in Microsoft 365, including updates to access controls, permissions, and security settings.
+mitre_components:
+- Cloud Service Modification
+- Configuration Modification
+- User Account Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Update authorization policy.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_update_user_.yml b/data_sources/o365_update_user_.yml
index 5497544e68..308a4ac7a4 100644
--- a/data_sources/o365_update_user_.yml
+++ b/data_sources/o365_update_user_.yml
@@ -3,10 +3,16 @@ id: a05fd01e-34d9-4233-9089-11272416b531
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Update user.
+description: Logs updates to user account properties in Microsoft 365, including changes to roles, permissions, and profile information.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Active Directory Object Modification
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Update user.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_userloggedin.yml b/data_sources/o365_userloggedin.yml
index 540450b496..3296cb188a 100644
--- a/data_sources/o365_userloggedin.yml
+++ b/data_sources/o365_userloggedin.yml
@@ -3,10 +3,16 @@ id: ed29c8c4-4053-419c-b133-16abf2a1c4c9
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 UserLoggedIn
+description: Logs successful login events by users in Microsoft 365, including details about the user account, IP address, and session metadata.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Logon Session Metadata
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: UserLoggedIn
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_userloginfailed.yml b/data_sources/o365_userloginfailed.yml
index b03d5032ae..dfea247775 100644
--- a/data_sources/o365_userloginfailed.yml
+++ b/data_sources/o365_userloginfailed.yml
@@ -3,10 +3,16 @@ id: 6099b33d-d581-43ed-8401-911862590361
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 UserLoginFailed
+description: Logs failed login attempts by users in Microsoft 365, including details about the user account, IP address, and reason for failure.
+mitre_components:
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: UserLoginFailed
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/okta.yml b/data_sources/okta.yml
index 816d155e23..27417c8961 100644
--- a/data_sources/okta.yml
+++ b/data_sources/okta.yml
@@ -3,7 +3,13 @@ id: ec26febe-e760-4981-bbee-72e107c7b9d2
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Okta
+description: Logs authentication and administrative activities captured by Okta, including user login attempts, session management, and configuration changes.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Configuration Modification
+- Application Log Content
source: Okta
sourcetype: OktaIM2:log
supported_TA:
diff --git a/data_sources/osquery.yml b/data_sources/osquery.yml
index 7244b5e8ce..bd8cb58790 100644
--- a/data_sources/osquery.yml
+++ b/data_sources/osquery.yml
@@ -3,7 +3,13 @@ id: 7ec4d7c8-c1d0-423a-9169-261f6adb74c0
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for osquery
+description: Logs system queries performed using osquery, including details about processes, file access, network activity, and system configurations.
+mitre_components:
+- Process Metadata
+- File Access
+- Network Traffic Content
+- Host Status
+- Application Log Content
source: osquery
sourcetype: osquery:results
supported_TA: []
diff --git a/data_sources/palo_alto_network_threat.yml b/data_sources/palo_alto_network_threat.yml
index 37d07f372d..d9c2937be9 100644
--- a/data_sources/palo_alto_network_threat.yml
+++ b/data_sources/palo_alto_network_threat.yml
@@ -3,7 +3,13 @@ id: 375c2b0e-d216-41ad-9406-200464595209
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Palo Alto Network Threat
+description: Logs detected threats identified by Palo Alto Networks devices, including details about malware, intrusion attempts, and malicious network activity.
+mitre_components:
+- Malware Metadata
+- Network Traffic Content
+- Network Traffic Flow
+- Application Log Content
+- Host Status
source: pan:threat
sourcetype: pan:threat
supported_TA:
diff --git a/data_sources/palo_alto_network_traffic.yml b/data_sources/palo_alto_network_traffic.yml
index 7f42b934b2..02afe2d863 100644
--- a/data_sources/palo_alto_network_traffic.yml
+++ b/data_sources/palo_alto_network_traffic.yml
@@ -3,7 +3,13 @@ id: 182a83bc-c31a-4817-8c7a-263744cec52a
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Palo Alto Network Traffic
+description: Logs network traffic events captured by Palo Alto Networks devices, including details about sessions, protocols, and source and destination IPs.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Network Connection Creation
+- Response Metadata
+- Application Log Content
source: screenconnect_palo_traffic
sourcetype: pan:traffic
supported_TA:
diff --git a/data_sources/pingid.yml b/data_sources/pingid.yml
index 1342a8c5d5..2b77686143 100644
--- a/data_sources/pingid.yml
+++ b/data_sources/pingid.yml
@@ -3,7 +3,13 @@ id: 17890675-61c1-40bd-a88e-6a8e9e246b43
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for PingID
+description: Logs authentication and multi-factor authentication (MFA) events managed by PingID, including user logins, device enrollments, and MFA challenges.
+mitre_components:
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
+- Host Status
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
supported_TA: []
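Review bot: The new description says this source logs PingID authentication and MFA events, but the unchanged `source: XmlWinEventLog:Security` / `sourcetype: XmlWinEventLog` lines directly below it point at the Windows Security event log, so the description and the source fields disagree. If PingID events really arrive through a Windows event log channel, say so, e.g. `description: Logs PingID authentication and MFA events as written to the Windows Security event log, including user logins, device enrollments, and MFA challenges.`; otherwise the source/sourcetype need correcting in a follow-up.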
diff --git a/data_sources/powershell_installed_iis_modules.yml b/data_sources/powershell_installed_iis_modules.yml
index a27822830a..cf0b592d7b 100644
--- a/data_sources/powershell_installed_iis_modules.yml
+++ b/data_sources/powershell_installed_iis_modules.yml
@@ -3,7 +3,12 @@ id: 4f2ccf42-3503-4417-a684-bfccf7f0d7b4
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Powershell Installed IIS Modules
+description: Logs the list of installed IIS modules retrieved using PowerShell, including details about their names and statuses.
+mitre_components:
+- Service Metadata
+- Configuration Modification
+- OS API Execution
+- Application Log Content
source: powershell://AppCmdModules
sourcetype: Pwsh:InstalledIISModules
supported_TA: []
diff --git a/data_sources/powershell_script_block_logging_4104.yml b/data_sources/powershell_script_block_logging_4104.yml
index 8333b3c4b2..b5aba9d7f7 100644
--- a/data_sources/powershell_script_block_logging_4104.yml
+++ b/data_sources/powershell_script_block_logging_4104.yml
@@ -3,9 +3,17 @@ id: 5cfd0c72-d989-47a0-92f9-6edc6f8d3564
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Powershell Script Block Logging 4104
+description: Logs detailed content of PowerShell script blocks as they are executed, including the full command text and context for the execution.
+mitre_components:
+- Script Execution
+- Command Execution
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
+separator: EventID
+separator_value: 4104
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
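Review bot: `separator_value: 4104` is an unquoted plain scalar and loads as an integer, while every other `separator_value` added in this commit is a string; whether a literal comparison against the `EventID` field then succeeds depends on how the consumer normalises types. Quoting it, `separator_value: "4104"`, keeps the type consistent with the sibling entries and avoids relying on implicit coercion. The same applies to `separator_value: 1` in sysmon_eventid_1.yml.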
diff --git a/data_sources/powershell_sip_inventory.yml b/data_sources/powershell_sip_inventory.yml
index dc02c04217..3d87d08359 100644
--- a/data_sources/powershell_sip_inventory.yml
+++ b/data_sources/powershell_sip_inventory.yml
@@ -3,7 +3,12 @@ id: 5ef5cb5d-1fa8-4567-b48f-27317662cd73
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Powershell SIP Inventory
+description: Logs the inventory of System Integrity Policies (SIP) on a system retrieved via PowerShell, including details about policy configurations and statuses.
+mitre_components:
+- Configuration Modification
+- Host Status
+- Application Log Content
+- OS API Execution
source: powershell://SubjectInterfacePackage
sourcetype: PwSh:SubjectInterfacePackage
supported_TA: []
diff --git a/data_sources/splunk.yml b/data_sources/splunk.yml
index 59728f1060..fdd3c93db4 100644
--- a/data_sources/splunk.yml
+++ b/data_sources/splunk.yml
@@ -3,7 +3,13 @@ id: d8a2c791-460b-4756-a8e5-ecade77b21e3
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Splunk
+description: Logs user interface access events for Splunk, including details about user actions, accessed resources, and authentication information.
+mitre_components:
+- User Account Authentication
+- User Account Metadata
+- Application Log Content
+- Configuration Modification
+- Logon Session Metadata
source: splunkd_ui_access.log
sourcetype: splunkd_ui_access
supported_TA: []
diff --git a/data_sources/splunk_stream_http.yml b/data_sources/splunk_stream_http.yml
index 29db818262..7db141fc5f 100644
--- a/data_sources/splunk_stream_http.yml
+++ b/data_sources/splunk_stream_http.yml
@@ -3,7 +3,13 @@ id: b0070a33-92ed-49e5-8f38-576cdf300710
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Splunk Stream HTTP
+description: Logs HTTP traffic captured by Splunk Stream, including details such as request methods, URLs, headers, response codes, and client-server interactions.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Response Content
+- Response Metadata
+- Application Log Content
source: stream:http
sourcetype: stream:http
supported_TA:
diff --git a/data_sources/splunk_stream_ip.yml b/data_sources/splunk_stream_ip.yml
index d722002f17..9460dfccac 100644
--- a/data_sources/splunk_stream_ip.yml
+++ b/data_sources/splunk_stream_ip.yml
@@ -3,7 +3,13 @@ id: c96f5906-f601-4f32-a26c-482535159bc2
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Splunk Stream IP
+description: Logs IP traffic captured by Splunk Stream, including details about source and destination IPs, protocols, and packet metadata.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Network Connection Creation
+- Response Metadata
+- Application Log Content
source: stream:ip
sourcetype: stream:ip
supported_TA:
diff --git a/data_sources/splunk_stream_tcp.yml b/data_sources/splunk_stream_tcp.yml
index 685c0f6931..e1488a0873 100644
--- a/data_sources/splunk_stream_tcp.yml
+++ b/data_sources/splunk_stream_tcp.yml
@@ -3,7 +3,13 @@ id: 4b1233d1-f80a-4da1-ab27-a5b10ea8a4ce
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Splunk Stream TCP
+description: Logs TCP traffic captured by Splunk Stream, including details about source and destination IPs, ports, connection states, and packet-level metadata.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Network Connection Creation
+- Response Metadata
+- Application Log Content
source: stream:tcp
sourcetype: stream:tcp
supported_TA:
diff --git a/data_sources/suricata.yml b/data_sources/suricata.yml
index 6ad1b8e80c..389920b743 100644
--- a/data_sources/suricata.yml
+++ b/data_sources/suricata.yml
@@ -3,7 +3,13 @@ id: 64b245d4-a4d1-4865-a718-c83d3b939f2e
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Suricata
+description: Logs network traffic and security events detected by Suricata, including details about connections, protocol metadata, and potential threats.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Network Connection Creation
+- Malware Metadata
+- Application Log Content
source: suricata
sourcetype: suricata
supported_TA: []
diff --git a/data_sources/sysmon_eventid_1.yml b/data_sources/sysmon_eventid_1.yml
index 80284e88ac..9af0398f6a 100644
--- a/data_sources/sysmon_eventid_1.yml
+++ b/data_sources/sysmon_eventid_1.yml
@@ -3,10 +3,16 @@ id: b375f4d1-d7ca-4bc0-9103-294825c0af17
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 1
+description: Logs the creation of a new process, including details such as process ID, parent process, command line arguments, and hashes of the executable.
+mitre_components:
+- Process Creation
+- Process Metadata
+- Command Execution
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 1
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
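Review bot: `separator_value: 1` is an unquoted YAML integer, while the field it is meant to select on (`separator: EventID`) is extracted from the event as a string; if the loader compares the two without coercion, `1 != "1"` and the selector never matches. Either quote it (`separator_value: '1'`) or confirm that the data-source schema declares the field as an int and coerces on comparison. The same applies to every `separator_value` added in this patch (Sysmon 3–23, Sysmon for Linux 1, Application 3000, CAPI2 70/81, CertificateServicesClient 1007, Defender 1121/1122/1129, PrintService 316/808, RemoteConnectionManager 1149, Security 1100/1102).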
diff --git a/data_sources/sysmon_eventid_10.yml b/data_sources/sysmon_eventid_10.yml
index be7121e719..80713f8dc3 100644
--- a/data_sources/sysmon_eventid_10.yml
+++ b/data_sources/sysmon_eventid_10.yml
@@ -3,10 +3,16 @@ id: 659cd5a8-148a-4c59-ade1-05f41ac1b096
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 10
+description: Logs events where one process accesses another process, typically for memory reads or injections, including details about the source and target processes.
+mitre_components:
+- Process Access
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 10
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_11.yml b/data_sources/sysmon_eventid_11.yml
index e206bee06f..ecf23fc755 100644
--- a/data_sources/sysmon_eventid_11.yml
+++ b/data_sources/sysmon_eventid_11.yml
@@ -3,10 +3,17 @@ id: f3db9179-f4f5-416d-bc03-39f4d4ff699e
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 11
+description: Logs the creation of a new file, including details about the file path, hash information, and associated process metadata.
+mitre_components:
+- File Creation
+- File Metadata
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 11
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_12.yml b/data_sources/sysmon_eventid_12.yml
index 232ca47a23..665a69a98e 100644
--- a/data_sources/sysmon_eventid_12.yml
+++ b/data_sources/sysmon_eventid_12.yml
@@ -3,10 +3,16 @@ id: 3ef28798-8eaa-4fd2-b074-6f36d08a1b33
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 12
+description: Logs the creation of a new registry key, including details about the key name, registry path, and associated process metadata.
+mitre_components:
+- Windows Registry Key Creation
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 12
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
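Review bot: The new description and component list cover key creation only, but Sysmon documents RegistryEvent ID 12 as firing for both object creation and deletion, so deletions would be described and mapped incorrectly. Suggest `description: Logs the creation or deletion of a registry key or value, including the registry path and the associated process metadata.` and adding `- Windows Registry Key Deletion` under `mitre_components:`, provided that name is in the component list the repo validates against.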
diff --git a/data_sources/sysmon_eventid_13.yml b/data_sources/sysmon_eventid_13.yml
index ff0aa0690b..d7ed659f74 100644
--- a/data_sources/sysmon_eventid_13.yml
+++ b/data_sources/sysmon_eventid_13.yml
@@ -3,10 +3,16 @@ id: 19cd00ee-f65f-48ca-bb08-64aac28638ce
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 13
+description: Logs changes to a registry key, including details about the modified key, value, and associated process.
+mitre_components:
+- Windows Registry Key Modification
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 13
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_15.yml b/data_sources/sysmon_eventid_15.yml
index 335042f192..8ffed5fe5c 100644
--- a/data_sources/sysmon_eventid_15.yml
+++ b/data_sources/sysmon_eventid_15.yml
@@ -3,10 +3,17 @@ id: 95785e02-93b4-47e2-81f1-be326295348e
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 15
+description: Logs the creation of a new file stream, including details about the file stream's hash, path, and associated process metadata.
+mitre_components:
+- File Creation
+- File Metadata
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 15
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_17.yml b/data_sources/sysmon_eventid_17.yml
index b1125bf4d3..221feadee2 100644
--- a/data_sources/sysmon_eventid_17.yml
+++ b/data_sources/sysmon_eventid_17.yml
@@ -3,10 +3,13 @@ id: 08924246-c8e8-4c95-a9fc-633c43cc82df
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 17
+description: Sysmon EventID 17 logs details about the detection of a named pipe.
+mitre_components:
+- Named Pipe Metadata
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 17
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
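Review bot: The rewritten description departs from the phrasing used in every other file of this patch — it opens with `Sysmon EventID 17 logs ...` instead of `Logs ...` — and "the detection of a named pipe" does not say what the event actually records (a pipe being created, as opposed to ID 18's pipe connection). Suggest `description: Logs the creation of a named pipe, including the pipe name and the creating process.`; the same opening-style inconsistency is in windows_event_log_capi2_70.yml (`This event log records ...`). For parity with ID 18, `- Process Metadata` is probably warranted in `mitre_components:` as well, since the event carries the creating process.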
diff --git a/data_sources/sysmon_eventid_18.yml b/data_sources/sysmon_eventid_18.yml
index a1204b64f7..d776df79ee 100644
--- a/data_sources/sysmon_eventid_18.yml
+++ b/data_sources/sysmon_eventid_18.yml
@@ -3,10 +3,16 @@ id: 37eb3554-214e-4e66-af10-c3ffc5b8ca82
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 18
+description: Logs the connection to a named pipe, including details about the pipe name, source and destination processes, and communication direction.
+mitre_components:
+- Named Pipe Metadata
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 18
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_20.yml b/data_sources/sysmon_eventid_20.yml
index dfcc795a12..07720a1a9e 100644
--- a/data_sources/sysmon_eventid_20.yml
+++ b/data_sources/sysmon_eventid_20.yml
@@ -3,7 +3,12 @@ id: aeee5374-3203-4286-b744-a8cc4ad1cd7e
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 20
+description: Logs WMI (Windows Management Instrumentation) consumer activity, including details about the WMI event consumer, associated process, and event data.
+mitre_components:
+- WMI Creation
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
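Review bot: This file does not receive the `separator_value: 20` line that the sibling Sysmon files (1, 3, 5–13, 15, 17, 18, 21–23) gain in this patch, so a loader that selects on `separator`/`separator_value` would have nothing to match for EventID 20. The hunk ends at `separator: EventID`, so the field may already exist further down in the file; if it does not, add `separator_value: 20`. The same omission shows in sysmon_for_linux_eventid_11.yml, windows_defender_alerts.yml, windows_event_log_application_2282.yml, windows_event_log_defender_5007.yml and windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml.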
diff --git a/data_sources/sysmon_eventid_21.yml b/data_sources/sysmon_eventid_21.yml
index 89de93b9dc..4fb0386039 100644
--- a/data_sources/sysmon_eventid_21.yml
+++ b/data_sources/sysmon_eventid_21.yml
@@ -3,10 +3,16 @@ id: 304384bc-715e-4958-988b-a8051a91349a
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 21
+description: Logs activity related to the association of a WMI event consumer with a filter, including details about the consumer, filter, and associated process.
+mitre_components:
+- WMI Creation
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 21
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_22.yml b/data_sources/sysmon_eventid_22.yml
index eee550143e..5ed15373d4 100644
--- a/data_sources/sysmon_eventid_22.yml
+++ b/data_sources/sysmon_eventid_22.yml
@@ -3,10 +3,17 @@ id: 911538b2-eba7-4d3e-85e8-d82d380c37bf
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 22
+description: Logs DNS query events, including details about the queried domain, source IP, query type, and response data.
+mitre_components:
+- Passive DNS
+- Active DNS
+- Network Traffic Content
+- Network Traffic Flow
+- Application Log Content
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 22
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
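Review bot: `- Passive DNS` and `- Active DNS` are components of the ATT&CK "Domain Name" data source, which describes external DNS record data (passive-DNS providers, active record lookups) used for reconnaissance techniques, not a host's own query log; Sysmon ID 22 is a per-process DNS query event. The list already carries `- Network Traffic Content` and `- Network Traffic Flow`, which are the components ATT&CK attaches to DNS-based techniques. Dropping the two Domain Name components and adding `- Process Metadata` (the event records the querying process) would bring this file in line with the other Sysmon mappings in the patch.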
diff --git a/data_sources/sysmon_eventid_23.yml b/data_sources/sysmon_eventid_23.yml
index ee91eb49d2..dfcd344c24 100644
--- a/data_sources/sysmon_eventid_23.yml
+++ b/data_sources/sysmon_eventid_23.yml
@@ -3,10 +3,17 @@ id: 5ea2721d-f60c-4f48-a047-47d514e327c3
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 23
+description: Logs the deletion of a file, including details about the file path, associated process, and the time of deletion.
+mitre_components:
+- File Deletion
+- File Metadata
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 23
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_3.yml b/data_sources/sysmon_eventid_3.yml
index 4a92e3fcd3..36d5299c6b 100644
--- a/data_sources/sysmon_eventid_3.yml
+++ b/data_sources/sysmon_eventid_3.yml
@@ -3,10 +3,17 @@ id: 01d84dff-4e26-422c-9389-6a579ee6e75b
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 3
+description: Logs details of network connections initiated by processes, including source and destination IPs, ports, protocols, and the associated process metadata.
+mitre_components:
+- Network Connection Creation
+- Network Traffic Flow
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 3
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_5.yml b/data_sources/sysmon_eventid_5.yml
index 2e8f6f0ab7..06cf9d15a3 100644
--- a/data_sources/sysmon_eventid_5.yml
+++ b/data_sources/sysmon_eventid_5.yml
@@ -3,10 +3,16 @@ id: 556471bf-44fa-44e6-97e2-eb25416aeb6d
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 5
+description: Logs the termination of a process, including details about the process name, process ID, parent process, and associated metadata.
+mitre_components:
+- Process Termination
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 5
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_6.yml b/data_sources/sysmon_eventid_6.yml
index 33345ac58b..9cf7db46b6 100644
--- a/data_sources/sysmon_eventid_6.yml
+++ b/data_sources/sysmon_eventid_6.yml
@@ -3,10 +3,16 @@ id: eadc297a-c20c-45a1-8fac-74ad54019767
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 6
+description: Logs the loading of a driver into the kernel or user mode, including details about the driver name, file path, and associated process metadata.
+mitre_components:
+- Driver Load
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 6
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_7.yml b/data_sources/sysmon_eventid_7.yml
index 2efd35e16d..24d4800817 100644
--- a/data_sources/sysmon_eventid_7.yml
+++ b/data_sources/sysmon_eventid_7.yml
@@ -3,10 +3,17 @@ id: 45512fa5-4d55-4088-9d51-f4dedc16fdff
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 7
+description: Logs the loading of an image (module) into a process, including details about the image name, file path, and hash information.
+mitre_components:
+- Module Load
+- Process Metadata
+- File Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 7
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_8.yml b/data_sources/sysmon_eventid_8.yml
index 5fc772500d..ff4dd0f046 100644
--- a/data_sources/sysmon_eventid_8.yml
+++ b/data_sources/sysmon_eventid_8.yml
@@ -3,10 +3,16 @@ id: df7a786c-ade0-48f0-8596-26f10d169f7d
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 8
+description: Logs the creation of a new thread in a process, including details about the thread ID, start address, and source process.
+mitre_components:
+- Process Modification
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 8
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_9.yml b/data_sources/sysmon_eventid_9.yml
index b93f6051cb..8d3731938b 100644
--- a/data_sources/sysmon_eventid_9.yml
+++ b/data_sources/sysmon_eventid_9.yml
@@ -3,10 +3,17 @@ id: ae4a6a24-9b8c-4386-a7ac-677d7ad5bf09
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 9
+description: Logs the access of raw disk data by a process, including details about the disk name, process ID, and process metadata.
+mitre_components:
+- Drive Access
+- File Metadata
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 9
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_for_linux_eventid_1.yml b/data_sources/sysmon_for_linux_eventid_1.yml
index 9ee369f5b8..ac395956a2 100644
--- a/data_sources/sysmon_for_linux_eventid_1.yml
+++ b/data_sources/sysmon_for_linux_eventid_1.yml
@@ -3,10 +3,17 @@ id: 93643652-30fe-4941-a1f7-6454f2948660
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon for Linux EventID 1
+description: Logs process creation events on Linux systems, including details about the process name, process ID, command line arguments, and parent process ID.
+mitre_components:
+- Process Creation
+- Command Execution
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
separator: EventID
+separator_value: 1
supported_TA:
- name: Splunk Add-on for Sysmon for Linux
url: https://splunkbase.splunk.com/app/6652
diff --git a/data_sources/sysmon_for_linux_eventid_11.yml b/data_sources/sysmon_for_linux_eventid_11.yml
index 8276870f8a..96020a1d91 100644
--- a/data_sources/sysmon_for_linux_eventid_11.yml
+++ b/data_sources/sysmon_for_linux_eventid_11.yml
@@ -3,7 +3,13 @@ id: 14672fed-235a-411f-8062-ace9696fb2af
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon for Linux EventID 11
+description: Logs the creation of a new file on a Linux system, including details about the file path, file type, and associated process.
+mitre_components:
+- File Creation
+- File Metadata
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
separator: EventID
diff --git a/data_sources/windows_active_directory_admon.yml b/data_sources/windows_active_directory_admon.yml
index cfeb4c831e..7e660bb3e7 100644
--- a/data_sources/windows_active_directory_admon.yml
+++ b/data_sources/windows_active_directory_admon.yml
@@ -3,7 +3,13 @@ id: 22bbf4e4-d313-43c1-98ee-808b8775519d
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Active Directory Admon
+description: Logs administrative actions within Active Directory, including user and group modifications, permission changes, and policy updates.
+mitre_components:
+- Active Directory Object Modification
+- Group Modification
+- User Account Modification
+- Configuration Modification
+- Application Log Content
source: ActiveDirectory
sourcetype: ActiveDirectory
supported_TA:
diff --git a/data_sources/windows_defender_alerts.yml b/data_sources/windows_defender_alerts.yml
index 83a470bf4b..7a4de96d5d 100644
--- a/data_sources/windows_defender_alerts.yml
+++ b/data_sources/windows_defender_alerts.yml
@@ -3,7 +3,13 @@ id: 91738e9e-d112-41c9-b91b-e5868d8993d7
version: 1
date: '2024-09-24'
author: Gowthamaraj Rajendran
-description: Data source object for Windows Defender alerts
+description: Logs security alerts generated by Windows Defender, including details about detected threats, impacted files, and recommended actions for remediation.
+mitre_components:
+- Malware Metadata
+- File Access
+- Process Metadata
+- Application Log Content
+- Host Status
source: eventhub://windowsdefenderlogs
sourcetype: mscs:azure:eventhub:defender:advancedhunting
separator: AlertId
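Review bot: The description calls the source "Windows Defender", but `source: eventhub://windowsdefenderlogs` and `sourcetype: mscs:azure:eventhub:defender:advancedhunting` identify Microsoft Defender advanced-hunting alert data streamed through an Azure Event Hub — a cloud alert feed, not the local Windows Defender Operational log used by the `windows_event_log_defender_*` files. Naming it precisely avoids confusion with those files, e.g. `description: Logs security alerts exported from Microsoft Defender advanced hunting via Azure Event Hub, including details about detected threats, impacted files, and recommended remediation actions.`.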
diff --git a/data_sources/windows_event_log_application_2282.yml b/data_sources/windows_event_log_application_2282.yml
index eb6fc6d136..af675f03ca 100644
--- a/data_sources/windows_event_log_application_2282.yml
+++ b/data_sources/windows_event_log_application_2282.yml
@@ -3,7 +3,12 @@ id: 4490537e-5e0c-46f7-9209-f56f852aa237
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Application 2282
+description: Logs an event in IIS when a module DLL fails to load due to a configuration issue, including details about the module and error message.
+mitre_components:
+- Service Modification
+- Configuration Modification
+- Application Log Content
+- Service Metadata
source: XmlWinEventLog:Application
sourcetype: XmlWinEventLog
separator: EventCode
diff --git a/data_sources/windows_event_log_application_3000.yml b/data_sources/windows_event_log_application_3000.yml
index 87b847e9bc..9ec681c407 100644
--- a/data_sources/windows_event_log_application_3000.yml
+++ b/data_sources/windows_event_log_application_3000.yml
@@ -3,10 +3,16 @@ id: 3911945d-9222-408d-b851-9b1bce4c2d24
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Application 3000
+description: Logs the termination of a process, including details about the process, its termination code, and timestamp.
+mitre_components:
+- Process Termination
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Application
sourcetype: XmlWinEventLog
separator: EventCode
+separator_value: 3000
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_capi2_70.yml b/data_sources/windows_event_log_capi2_70.yml
index b604bbe548..0ac0455e60 100644
--- a/data_sources/windows_event_log_capi2_70.yml
+++ b/data_sources/windows_event_log_capi2_70.yml
@@ -3,10 +3,17 @@ id: 821de0a6-c5b4-491b-a27e-187552792817
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log CAPI2 70
+description: This event log records events related to cryptographic operations, including the deletion and export of certificates.
+mitre_components:
+- Certificate Registration
+- Process Metadata
+- Application Log Content
+- OS API Execution
+- Host Status
source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 70
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_capi2_81.yml b/data_sources/windows_event_log_capi2_81.yml
index 376d347618..5d677ef6c5 100644
--- a/data_sources/windows_event_log_capi2_81.yml
+++ b/data_sources/windows_event_log_capi2_81.yml
@@ -3,10 +3,17 @@ id: 463ff898-8135-4c0e-811e-f8629dfc5027
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log CAPI2 81
+description: Logs an error when attempting to verify the digital signature of a file, including details about the file path, signature failure, and the process involved.
+mitre_components:
+- File Access
+- File Metadata
+- Malware Metadata
+- Application Log Content
+- Process Metadata
source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 81
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_certificateservicesclient_1007.yml b/data_sources/windows_event_log_certificateservicesclient_1007.yml
index aecc0bf864..0399196d64 100644
--- a/data_sources/windows_event_log_certificateservicesclient_1007.yml
+++ b/data_sources/windows_event_log_certificateservicesclient_1007.yml
@@ -3,10 +3,17 @@ id: c51444e3-479d-4c4a-b111-e8276a3acf39
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log CertificateServicesClient 1007
+description: Logs the export of a certificate from the local certificate store, including details about the certificate thumbprint, subject names, and the process involved.
+mitre_components:
+- Certificate Registration
+- Certificate Metadata
+- Process Metadata
+- Application Log Content
+- User Account Metadata
source: XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
sourcetype: XmlWinEventLog
separator: EventCode
+separator_value: 1007
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_defender_1121.yml b/data_sources/windows_event_log_defender_1121.yml
index e06fcfddca..4ff6962a3c 100644
--- a/data_sources/windows_event_log_defender_1121.yml
+++ b/data_sources/windows_event_log_defender_1121.yml
@@ -3,10 +3,15 @@ id: 84a254c5-7900-4b52-a324-a176adb7c11d
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Defender 1121
+description: Logs an event when a Windows Defender attack surface reduction rule fires in block mode.
+mitre_components:
+- Application Log Content
+- Host Status
+- Process Creation
source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 1121
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_defender_1122.yml b/data_sources/windows_event_log_defender_1122.yml
index 669bbb0047..bc1fe7c3eb 100644
--- a/data_sources/windows_event_log_defender_1122.yml
+++ b/data_sources/windows_event_log_defender_1122.yml
@@ -3,10 +3,15 @@ id: 4a2d0499-f489-4557-82f4-f357025cf3e7
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Defender 1122
+description: Logs an event when a process attempts to load a DLL that is blocked by an attack surface reduction rule.
+mitre_components:
+- Application Log Content
+- Process Creation
+- Module Load
source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 1122
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
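Review bot: The description for EventCode 1122 ("a process attempts to load a DLL that is blocked by an attack surface reduction rule") does not match how Microsoft documents the pair: 1121 is an ASR rule firing in block mode (as the sibling file says) and 1122 is an ASR rule firing in audit mode, i.e. the action would have been blocked but was only logged. Suggest `description: Logs an event when a Windows Defender attack surface reduction rule fires in audit mode (the action is logged, not blocked).` and dropping `- Module Load`, which only follows from the DLL wording; confirm against the current Microsoft ASR event reference before merging.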
diff --git a/data_sources/windows_event_log_defender_1129.yml b/data_sources/windows_event_log_defender_1129.yml
index 1227f6efa2..d2572d00c0 100644
--- a/data_sources/windows_event_log_defender_1129.yml
+++ b/data_sources/windows_event_log_defender_1129.yml
@@ -3,10 +3,15 @@ id: 0572e119-a48a-4c70-bc58-90e453edacd2
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Defender 1129
+description: Logs an event when a user overrides a security policy set by an Attack Surface Reduction rule in Microsoft Defender.
+mitre_components:
+- User Account Authentication
+- Security Policy Modification
+- Application Log Content
source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 1129
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
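Review bot: `- User Account Authentication` does not fit EventCode 1129 — a user overriding an ASR block is a policy bypass, not a logon or credential event, and nothing in the event carries authentication data. `- Security Policy Modification` and `- Application Log Content` already describe it; suggest removing the first entry rather than leaving a component that a detection author would never query this event for.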
diff --git a/data_sources/windows_event_log_defender_5007.yml b/data_sources/windows_event_log_defender_5007.yml
index 598ccc1740..80df5e2faa 100644
--- a/data_sources/windows_event_log_defender_5007.yml
+++ b/data_sources/windows_event_log_defender_5007.yml
@@ -3,7 +3,10 @@ id: 27f18792-8d95-4871-8853-874b7faf023f
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Defender 5007
+description: Logs an event when Windows Defender antimalware settings are modified.
+mitre_components:
+- Service Modification
+- Service Metadata
source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
sourcetype: xmlwineventlog
separator: EventCode
diff --git a/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml b/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
index d17981dc1f..22e591d7a7 100644
--- a/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
+++ b/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
@@ -3,7 +3,10 @@ id: 2490537e-5e0c-46f7-9209-f56f852aa217
version: 1
date: '2024-11-21'
author: Michael Haag, Splunk
-description: Data source object for Windows Event Microsoft Windows TerminalServices RDPClient 1024
+description: Logs an event when a Remote Desktop Protocol (RDP) client successfully connects to a remote host.
+mitre_components:
+- Network Connection Creation
+- Logon Session Creation
source: WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational
sourcetype: WinEventLog
separator: EventCode
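Review bot: "successfully connects" overstates what EventCode 1024 records — in the TerminalServices-RDPClient/Operational log this ID is written when the RDP client is attempting to connect to a server, before any outcome is known. Suggest `description: Logs an event when the Remote Desktop Protocol (RDP) client attempts to connect to a remote host, including the target server name.` and, since no session exists at that point, dropping `- Logon Session Creation`; confirm against the event message text in a sample before changing it.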
diff --git a/data_sources/windows_event_log_printservice_316.yml b/data_sources/windows_event_log_printservice_316.yml
index 66896969fe..507a925e5d 100644
--- a/data_sources/windows_event_log_printservice_316.yml
+++ b/data_sources/windows_event_log_printservice_316.yml
@@ -3,10 +3,14 @@ id: 12f0be8b-22c0-4fdf-9468-b7ccca824d1d
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Printservice 316
+description: Logs an event when printer drivers are installed or updated on the system.
+mitre_components:
+- Driver Load
+- Driver Metadata
source: WinEventLog:Microsoft-Windows-PrintService/Admin
sourcetype: WinEventLog
separator: EventCode
+separator_value: 316
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_printservice_808.yml b/data_sources/windows_event_log_printservice_808.yml
index bc9a09f66d..ef717b2d20 100644
--- a/data_sources/windows_event_log_printservice_808.yml
+++ b/data_sources/windows_event_log_printservice_808.yml
@@ -3,10 +3,15 @@ id: e3a26785-4389-4830-8d7b-3dad4252719e
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Printservice 808
+description: Logs an event when the print spooler service fails to load a printer plug-in module.
+mitre_components:
+- Module Load
+- Application Log Content
+- Service Metadata
source: WinEventLog:Microsoft-Windows-PrintService/Admin
sourcetype: WinEventLog
separator: EventCode
+separator_value: 808
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
index 1081028aa2..14c3a6bc1a 100644
--- a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
+++ b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
@@ -3,10 +3,15 @@ id: 08f9edb4-f95f-40be-b1dd-bc3a1cd95aaf
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log RemoteConnectionManager 1149
+description: Logs an event when a Remote Desktop Service session is initialized.
+mitre_components:
+- Network Connection Creation
+- Logon Session Creation
+- Logon Session Metadata
source: WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
sourcetype: wineventlog
separator: EventCode
+separator_value: 1149
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_1100.yml b/data_sources/windows_event_log_security_1100.yml
index 1e2404f690..41e0c3fced 100644
--- a/data_sources/windows_event_log_security_1100.yml
+++ b/data_sources/windows_event_log_security_1100.yml
@@ -3,10 +3,14 @@ id: 2a25dafa-691e-4cb2-ae59-07a48867ed9a
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 1100
+description: Logs an event when the event logging service has shut down.
+mitre_components:
+- Host Status
+- System Configuration Changes
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 1100
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_1102.yml b/data_sources/windows_event_log_security_1102.yml
index 0646f5ad48..50bcf53f6b 100644
--- a/data_sources/windows_event_log_security_1102.yml
+++ b/data_sources/windows_event_log_security_1102.yml
@@ -3,10 +3,15 @@ id: 8db7b91a-6d7a-40e7-bfac-06f8e901a9cb
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 1102
+description: Logs an event when the audit log is cleared.
+mitre_components:
+- User Account Modification
+- Logon Session Metadata
+- File Deletion
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 1102
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
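Review bot: The `User Account Modification` and `Logon Session Metadata` entries added under mitre_components for Security 1102 do not fit the event: 1102 records the Security log being cleared, not an account or session change. The ATT&CK data components normally tied to log clearing are `Host Status` and `File Deletion` (with `Command Execution` when the clearing tool is captured), so I would keep `File Deletion` and replace the other two with `Host Status`, which also matches the 1100 entry in the hunk above. The 4719 hunk has the same kind of mismatch, listing `Service Modification` and `User Account Modification` for an audit-policy-change event. Please check the component names against the ATT&CK data-source definitions before merging, since detections inherit this mapping.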
diff --git a/data_sources/windows_event_log_security_4624.yml b/data_sources/windows_event_log_security_4624.yml
index 4f02eeb290..0faba24352 100644
--- a/data_sources/windows_event_log_security_4624.yml
+++ b/data_sources/windows_event_log_security_4624.yml
@@ -3,10 +3,15 @@ id: 08682968-0366-4882-9559-fe4fe018a846
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4624
+description: Logs an event when an account successfully logs on to a system.
+mitre_components:
+- Logon Session Creation
+- User Account Authentication
+- Logon Session Metadata
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4624
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4625.yml b/data_sources/windows_event_log_security_4625.yml
index 3928d3b9d6..5f58a8d248 100644
--- a/data_sources/windows_event_log_security_4625.yml
+++ b/data_sources/windows_event_log_security_4625.yml
@@ -3,10 +3,14 @@ id: 365a02c2-7d18-4baf-b76e-d90c20bbe6ed
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4625
+description: Logs an event when an account fails to log on to a system.
+mitre_components:
+- User Account Authentication
+- Logon Session Metadata
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4625
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4627.yml b/data_sources/windows_event_log_security_4627.yml
index dbb7cc5c55..d91715f957 100644
--- a/data_sources/windows_event_log_security_4627.yml
+++ b/data_sources/windows_event_log_security_4627.yml
@@ -3,10 +3,15 @@ id: e35c7b9a-b451-4084-95a5-43b7f8965cac
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4627
+description: Logs an event when a successful account logon occurs and displays the list of groups the logged-on account belongs to.
+mitre_components:
+- Logon Session Creation
+- Group Metadata
+- User Account Authentication
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4627
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4648.yml b/data_sources/windows_event_log_security_4648.yml
index 26445ed64d..ade1d81ce9 100644
--- a/data_sources/windows_event_log_security_4648.yml
+++ b/data_sources/windows_event_log_security_4648.yml
@@ -3,10 +3,14 @@ id: 6a367f8b-1ee0-463d-94a7-029757c6cd02
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4648
+description: Logged when an account logon is attempted by a process by explicitly specifying the credentials of that account
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4648
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
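Review bot: The new description for Security 4648 ends without a period, while the neighbouring 4624, 4625 and 4627 descriptions end with one; the 4662, 4663, 4688 and 4698 hunks leave the period off as well. Suggest `description: Logged when an account logon is attempted by a process by explicitly specifying the credentials of that account.` and terminating the others the same way so generated documentation renders uniformly.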
diff --git a/data_sources/windows_event_log_security_4662.yml b/data_sources/windows_event_log_security_4662.yml
index 1970056294..f55185240e 100644
--- a/data_sources/windows_event_log_security_4662.yml
+++ b/data_sources/windows_event_log_security_4662.yml
@@ -3,10 +3,14 @@ id: f3c2cd64-0b5f-4013-8201-35dc03828ec6
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4662
+description: Logs an event when a user accessed an object within the Active Directory, such as creating, modifying, or deleting it
+mitre_components:
+- Active Directory Object Access
+- Active Directory Object Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4662
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4663.yml b/data_sources/windows_event_log_security_4663.yml
index 78a84369d9..addcc024d9 100644
--- a/data_sources/windows_event_log_security_4663.yml
+++ b/data_sources/windows_event_log_security_4663.yml
@@ -3,10 +3,14 @@ id: 5d6dca8c-dad9-494f-a321-ef2b0b92fbf4
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4663
+description: Logs an event when a user or process tried to access a file, directory, registry key, or other system object on the computer
+mitre_components:
+- File Access
+- File Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4663
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4672.yml b/data_sources/windows_event_log_security_4672.yml
index 69d9996108..71facef2ee 100644
--- a/data_sources/windows_event_log_security_4672.yml
+++ b/data_sources/windows_event_log_security_4672.yml
@@ -3,10 +3,14 @@ id: 43f189b6-369d-4a32-a34c-57e0d38d92f1
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4672
+description: Logs an event when a user with administrative privileges logs on to a system.
+mitre_components:
+- Logon Session Creation
+- User Account Authentication
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4672
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4688.yml b/data_sources/windows_event_log_security_4688.yml
index 8f0a3e3a57..082bce7da0 100644
--- a/data_sources/windows_event_log_security_4688.yml
+++ b/data_sources/windows_event_log_security_4688.yml
@@ -3,10 +3,14 @@ id: d195eb26-a81c-45ed-aeb3-25792e8a985a
version: 2
date: '2024-09-26'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4688
+description: Logs the creation of a new process
+mitre_components:
+- Process Creation
+- Command Execution
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4688
configuration: Enabling Windows event log process command line logging via group policy
object https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_Windows_event_log_process_command_line_logging_via_group_policy_object
supported_TA:
diff --git a/data_sources/windows_event_log_security_4698.yml b/data_sources/windows_event_log_security_4698.yml
index 0aa1b8ab6a..9f863f1161 100644
--- a/data_sources/windows_event_log_security_4698.yml
+++ b/data_sources/windows_event_log_security_4698.yml
@@ -3,10 +3,14 @@ id: 32c06703-02d3-47ec-8856-b0dc3045866c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4698
+description: Logs an event when a new scheduled task is created
+mitre_components:
+- Scheduled Job Creation
+- Scheduled Job Metadata
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4698
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4699.yml b/data_sources/windows_event_log_security_4699.yml
index a0184e87ef..764795adec 100644
--- a/data_sources/windows_event_log_security_4699.yml
+++ b/data_sources/windows_event_log_security_4699.yml
@@ -3,10 +3,14 @@ id: 4727dead-d063-4333-9ddd-59823a416aff
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4699
+description: Logs an event when a scheduled task is deleted from the system.
+mitre_components:
+- Scheduled Job Metadata
+- Scheduled Job Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4699
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4703.yml b/data_sources/windows_event_log_security_4703.yml
index 6d914bbc8c..a776196575 100644
--- a/data_sources/windows_event_log_security_4703.yml
+++ b/data_sources/windows_event_log_security_4703.yml
@@ -3,10 +3,14 @@ id: e256673b-16e8-4b74-b7aa-9eed6ce67072
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4703
+description: Logs an event when a token right is adjusted on a Windows system.
+mitre_components:
+- User Account Modification
+- Process Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4703
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4719.yml b/data_sources/windows_event_log_security_4719.yml
index 07f7261f0d..a5305e46f7 100644
--- a/data_sources/windows_event_log_security_4719.yml
+++ b/data_sources/windows_event_log_security_4719.yml
@@ -3,10 +3,14 @@ id: 954033e6-dd05-4775-a1f2-1f19632f4420
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4719
+description: Logs an event when a system audit policy is modified on a Windows system.
+mitre_components:
+- Service Modification
+- User Account Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4719
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4720.yml b/data_sources/windows_event_log_security_4720.yml
index bbed05f0b9..390bcae55a 100644
--- a/data_sources/windows_event_log_security_4720.yml
+++ b/data_sources/windows_event_log_security_4720.yml
@@ -3,10 +3,13 @@ id: 7ef1c9e5-691b-48c2-811b-eba91d2d2f1d
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4720
+description: Logs an event when a new user account is created on a Windows system.
+mitre_components:
+- User Account Creation
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4720
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4724.yml b/data_sources/windows_event_log_security_4724.yml
index 1960e64264..2a42ca008c 100644
--- a/data_sources/windows_event_log_security_4724.yml
+++ b/data_sources/windows_event_log_security_4724.yml
@@ -3,10 +3,13 @@ id: 117fe51f-93f8-4589-8e8b-c6b7b7154c7d
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4724
+description: Logs an event when an attempt is made to reset an account's password, whether successful or not.
+mitre_components:
+- User Account Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4724
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4725.yml b/data_sources/windows_event_log_security_4725.yml
index 62a49da0e5..a70b371aa9 100644
--- a/data_sources/windows_event_log_security_4725.yml
+++ b/data_sources/windows_event_log_security_4725.yml
@@ -3,10 +3,13 @@ id: 31fd887d-0d14-44cc-bb64-80063a9f2968
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4725
+description: Logs an event when a user account has been disabled in Active Directory.
+mitre_components:
+- User Account Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4725
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
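Review bot: The description for Security 4725 says the account was disabled "in Active Directory", but this event is also logged for local accounts on member servers and workstations; the 4726 hunk has the same wording for deletions. Suggest `description: Logs an event when a user account is disabled, either locally or in Active Directory.` and the equivalent for 4726, so that detections built on these sources are not read as domain-only.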
diff --git a/data_sources/windows_event_log_security_4726.yml b/data_sources/windows_event_log_security_4726.yml
index feb818c007..c6bcdb5ef2 100644
--- a/data_sources/windows_event_log_security_4726.yml
+++ b/data_sources/windows_event_log_security_4726.yml
@@ -3,10 +3,13 @@ id: 0b56dcd7-0f72-4a05-9226-d6059781737b
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4726
+description: Logs an event when a user account is deleted from Active Directory.
+mitre_components:
+- User Account Deletion
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4726
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4732.yml b/data_sources/windows_event_log_security_4732.yml
index 574c3dd7aa..4cf35ee519 100644
--- a/data_sources/windows_event_log_security_4732.yml
+++ b/data_sources/windows_event_log_security_4732.yml
@@ -3,10 +3,13 @@ id: b0d61c5d-aefe-486a-9152-de45cc10fbb4
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4732
+description: Logs an event when a member is added to a security-enabled local group on a Windows system.
+mitre_components:
+- Group Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4732
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4738.yml b/data_sources/windows_event_log_security_4738.yml
index 7ee6af3b45..7298903e0b 100644
--- a/data_sources/windows_event_log_security_4738.yml
+++ b/data_sources/windows_event_log_security_4738.yml
@@ -3,10 +3,13 @@ id: cb85709b-101e-41a9-bb60-d2108f79dfbd
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4738
+description: Logs an event when a user account's properties, such as permissions or memberships, are modified on a Windows system.
+mitre_components:
+- User Account Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4738
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4739.yml b/data_sources/windows_event_log_security_4739.yml
index 4ac66f85a9..3642e4b93e 100644
--- a/data_sources/windows_event_log_security_4739.yml
+++ b/data_sources/windows_event_log_security_4739.yml
@@ -3,10 +3,14 @@ id: c1e0442a-8a97-405d-baf2-057c5d68cd9a
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4739
+description: Logs an event when a domain policy, such as account or lockout policy, is modified in Active Directory or local security settings.
+mitre_components:
+- Group Modification
+- Active Directory Object Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4739
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4741.yml b/data_sources/windows_event_log_security_4741.yml
index 2d112fb492..7d4b9f3150 100644
--- a/data_sources/windows_event_log_security_4741.yml
+++ b/data_sources/windows_event_log_security_4741.yml
@@ -3,10 +3,16 @@ id: ef87257f-e7d1-4856-abae-097b2cfdcdb4
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4741
+description: Logs the creation of a new computer account in Active Directory, including details about the account name, domain, and the user performing the action.
+mitre_components:
+- Active Directory Object Creation
+- User Account Metadata
+- Application Log Content
+- Configuration Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4741
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4742.yml b/data_sources/windows_event_log_security_4742.yml
index 042c75ef93..8668a87cdd 100644
--- a/data_sources/windows_event_log_security_4742.yml
+++ b/data_sources/windows_event_log_security_4742.yml
@@ -3,7 +3,12 @@ id: ea830adf-5450-489a-bcdc-fb8d2cbe674c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4742
+description: Logs changes to the properties of a computer account in Active Directory, including details about the modified attributes and the user performing the action.
+mitre_components:
+- Active Directory Object Modification
+- User Account Metadata
+- Application Log Content
+- Configuration Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
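Review bot: Security 4742 is missing the `separator_value: 4742` line that every other windows_event_log_security_* file in this patch gains directly after `separator: EventCode`; the 4798 hunk has the same gap. Unless the field already exists further down in those two files (both hunks end at the `separator` line, so I cannot tell from here), a consumer that pairs `separator` with `separator_value` will have no event code to filter on for these two data sources.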
diff --git a/data_sources/windows_event_log_security_4768.yml b/data_sources/windows_event_log_security_4768.yml
index 474534451e..bee4afe853 100644
--- a/data_sources/windows_event_log_security_4768.yml
+++ b/data_sources/windows_event_log_security_4768.yml
@@ -3,10 +3,16 @@ id: 4a5fd6ed-66bd-4f34-bc74-51c00c73c298
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4768
+description: Logs Kerberos pre-authentication requests, including details about the user account, authentication type, and client IP address.
+mitre_components:
+- User Account Authentication
+- Active Directory Credential Request
+- Logon Session Metadata
+- User Account Metadata
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4768
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
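Review bot: The description for Security 4768 calls it a pre-authentication request, but 4768 is the Kerberos TGT request event ("A Kerberos authentication ticket (TGT) was requested"); failed pre-authentication is what 4771 records, as that hunk correctly states. Suggest `description: Logs Kerberos authentication ticket (TGT) requests, including details about the user account, pre-authentication type, and client IP address.` Detections that separate ticket requests from pre-authentication failures depend on this distinction being documented correctly.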
diff --git a/data_sources/windows_event_log_security_4769.yml b/data_sources/windows_event_log_security_4769.yml
index d8694a1dea..ce9343c3c8 100644
--- a/data_sources/windows_event_log_security_4769.yml
+++ b/data_sources/windows_event_log_security_4769.yml
@@ -3,10 +3,16 @@ id: 358d5520-f40b-4fa2-b799-966c030cb731
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4769
+description: Logs Kerberos service ticket requests, including details about the requesting user, target service, and client IP address.
+mitre_components:
+- Active Directory Credential Request
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4769
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4771.yml b/data_sources/windows_event_log_security_4771.yml
index f31e4b50fe..b4db6f6ec1 100644
--- a/data_sources/windows_event_log_security_4771.yml
+++ b/data_sources/windows_event_log_security_4771.yml
@@ -3,10 +3,16 @@ id: 418debbb-adf3-48ec-9efd-59d45f8861e5
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4771
+description: Logs failed Kerberos pre-authentication attempts, including details about the user account, client IP, and failure reason.
+mitre_components:
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4771
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4776.yml b/data_sources/windows_event_log_security_4776.yml
index e6ea80b2c5..fb3ebc5cac 100644
--- a/data_sources/windows_event_log_security_4776.yml
+++ b/data_sources/windows_event_log_security_4776.yml
@@ -3,10 +3,16 @@ id: 1da9092a-c795-4a26-ace8-d43855524e96
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4776
+description: Logs NTLM authentication attempts, including details about the account name, authentication status, and the originating workstation.
+mitre_components:
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4776
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4781.yml b/data_sources/windows_event_log_security_4781.yml
index b807a5a1d9..453217cdd0 100644
--- a/data_sources/windows_event_log_security_4781.yml
+++ b/data_sources/windows_event_log_security_4781.yml
@@ -3,10 +3,16 @@ id: 9732ffe7-ebce-4557-865c-1725a0f633cb
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4781
+description: Logs changes made to the name of a computer account, including the old and new names and the user performing the action.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Active Directory Object Modification
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4781
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
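Review bot: The description for Security 4781 limits the event to computer accounts, but 4781 ("The name of an account was changed") is logged for user accounts as well. Suggest `description: Logs changes made to the name of a user or computer account, including the old and new names and the user performing the action.` The `User Account Modification` component already in the hunk reflects that wider scope.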
diff --git a/data_sources/windows_event_log_security_4794.yml b/data_sources/windows_event_log_security_4794.yml
index f3ea14b1c1..bc7d30320b 100644
--- a/data_sources/windows_event_log_security_4794.yml
+++ b/data_sources/windows_event_log_security_4794.yml
@@ -3,10 +3,16 @@ id: ec7da74f-274a-4bde-aa0e-15c68aca0426
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4794
+description: Logs attempts to set the Directory Services Restore Mode (DSRM) administrator password, including details about the account name and the user performing the action.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value:
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
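Review bot: `separator_value:` is left empty in the 4794 file, which YAML parses as null rather than as the event code; every other file in this series sets it to the numeric EventCode. It should read `separator_value: 4794`. A null here silently disables any filtering a consumer performs on this field, so a schema check requiring a non-empty integer for `separator_value` would catch this class of mistake.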
diff --git a/data_sources/windows_event_log_security_4798.yml b/data_sources/windows_event_log_security_4798.yml
index 0d64c1b297..ff04d051f0 100644
--- a/data_sources/windows_event_log_security_4798.yml
+++ b/data_sources/windows_event_log_security_4798.yml
@@ -3,7 +3,12 @@ id: 29e97f72-eb2e-400e-b0c9-81277547e43b
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4798
+description: Logs an enumeration of local group membership on a system, including details about the groups queried and the account performing the action.
+mitre_components:
+- Group Enumeration
+- Group Metadata
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
diff --git a/data_sources/windows_event_log_security_4876.yml b/data_sources/windows_event_log_security_4876.yml
index 4d978151e4..b44884ed9a 100644
--- a/data_sources/windows_event_log_security_4876.yml
+++ b/data_sources/windows_event_log_security_4876.yml
@@ -3,10 +3,16 @@ id: 4a78722a-9cd9-44e8-b010-dffad5c7f170
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4876
+description: Logs the result of a cryptographic operation, including details about the key, algorithm used, and whether the operation succeeded or failed.
+mitre_components:
+- Certificate Registration
+- User Account Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4876
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
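Review bot: The new description for Security 4876 does not match the event: in Microsoft's Security audit event list, 4876 is "Certificate Services backup started", not the result of a cryptographic operation. The 4886 and 4887 hunks have the same problem — 4886 is "Certificate Services received a certificate request" and 4887 is "Certificate Services approved a certificate request and issued a certificate", not a key-container deletion or a generic cryptographic operation (please verify against the official event documentation). The `Certificate Registration` component is the right fit for 4886/4887, so the descriptions are the part to correct; a wrong description propagates into every detection that cites this data source. Suggest `description: Logs when a Certificate Services backup is started.` for 4876 and equivalent wording for the other two.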
diff --git a/data_sources/windows_event_log_security_4886.yml b/data_sources/windows_event_log_security_4886.yml
index 3c82a3eb85..dd50c8c278 100644
--- a/data_sources/windows_event_log_security_4886.yml
+++ b/data_sources/windows_event_log_security_4886.yml
@@ -3,10 +3,16 @@ id: c5abd97d-b468-451f-bd65-b4f97efa4ecc
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4886
+description: Logs the deletion of a cryptographic key container, including details about the key container name and the user performing the action.
+mitre_components:
+- Certificate Registration
+- User Account Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4886
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4887.yml b/data_sources/windows_event_log_security_4887.yml
index 39f5cbb7cc..80ac4f9763 100644
--- a/data_sources/windows_event_log_security_4887.yml
+++ b/data_sources/windows_event_log_security_4887.yml
@@ -3,10 +3,16 @@ id: 994c7b19-a623-4231-9818-f00e453b9a75
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4887
+description: Logs cryptographic operations performed by a Windows system, including details about the certificate or key used and the operation type.
+mitre_components:
+- Certificate Registration
+- User Account Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4887
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5136.yml b/data_sources/windows_event_log_security_5136.yml
index 9e685b1960..f2494cadc9 100644
--- a/data_sources/windows_event_log_security_5136.yml
+++ b/data_sources/windows_event_log_security_5136.yml
@@ -3,10 +3,16 @@ id: 7ba3737e-231e-455d-824e-cd077749f835
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 5136
+description: Logs modifications made to an Active Directory object, including details about the object name, type, and the changes applied.
+mitre_components:
+- Active Directory Object Modification
+- Active Directory Object Access
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 5136
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5137.yml b/data_sources/windows_event_log_security_5137.yml
index aef4beca13..8787969fa8 100644
--- a/data_sources/windows_event_log_security_5137.yml
+++ b/data_sources/windows_event_log_security_5137.yml
@@ -3,10 +3,16 @@ id: 64ed7bb1-9c3c-4355-ac08-b506ec3b053e
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 5137
+description: Logs the creation of a new Active Directory object, including details about the object name, type, and the user performing the action.
+mitre_components:
+- Active Directory Object Creation
+- Active Directory Object Modification
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 5137
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5140.yml b/data_sources/windows_event_log_security_5140.yml
index 0687f2ebb5..8d1883d26c 100644
--- a/data_sources/windows_event_log_security_5140.yml
+++ b/data_sources/windows_event_log_security_5140.yml
@@ -3,10 +3,16 @@ id: 93e0ca09-e4b8-4da6-872a-d0127c4d2b22
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 5140
+description: Logs access to a network share, including details about the user, share path, and the access type.
+mitre_components:
+- Network Share Access
+- File Access
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 5140
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5141.yml b/data_sources/windows_event_log_security_5141.yml
index 07f144b980..713a598abe 100644
--- a/data_sources/windows_event_log_security_5141.yml
+++ b/data_sources/windows_event_log_security_5141.yml
@@ -3,10 +3,16 @@ id: eafb35fa-f034-4be3-8508-d9173a73c0a1
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 5141
+description: Logs the deletion of an Active Directory object, including details about the object name, type, and the user performing the action.
+mitre_components:
+- Active Directory Object Deletion
+- Active Directory Object Modification
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 5141
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5145.yml b/data_sources/windows_event_log_security_5145.yml
index 1d6560e36e..70a22f8d7c 100644
--- a/data_sources/windows_event_log_security_5145.yml
+++ b/data_sources/windows_event_log_security_5145.yml
@@ -3,10 +3,16 @@ id: 0746479b-7b82-4d7e-8811-0b35da00f798
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 5145
+description: Logs detailed information about access to a network share, including the user, share path, accessed file, and access permissions.
+mitre_components:
+- Network Share Access
+- File Access
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 5145
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
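Review bot: The new description says 5145 logs "access permissions", but the event is an access check: it records the requested AccessMask and whether the share ACL granted it, and it is emitted on failure as well as success, so anything keyed only on `separator_value: 5145` sees denied attempts too. Suggest `description: Logs the access check performed when a client requests a file under a network share, including the user, share path, relative target name, requested access mask and whether access was granted.` This event needs the 'Audit Detailed File Share' subcategory (distinct from the one 5140 needs) and is high-volume on file servers, which is worth a clause in the description; the subcategory naming is from memory, so confirm it.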
diff --git a/data_sources/windows_event_log_system_4720.yml b/data_sources/windows_event_log_system_4720.yml
index d930d69759..a2b9a2e197 100644
--- a/data_sources/windows_event_log_system_4720.yml
+++ b/data_sources/windows_event_log_system_4720.yml
@@ -3,10 +3,16 @@ id: f01d4758-05c8-4ac4-a9a5-33500dd5eb6c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log System 4720
+description: Logs the creation of a new user account, including details about the account name, associated domain, and the account performing the action.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Active Directory Object Creation
+- Application Log Content
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4720
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
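Review bot: Event ID 4720 ("A user account was created") is written to the Security channel, yet this file keeps `source: XmlWinEventLog:System`, so the new `separator_value: 4720` and the new description now assert a combination that will never match real telemetry. The diffstat further down this page already lists `data_sources/windows_event_log_security_4720.yml`, which suggests this System variant is a duplicate on the wrong channel; either change the line to `source: XmlWinEventLog:Security` or retire the file rather than give it an authoritative description. `Active Directory Object Creation` is also only accurate when the event comes from a domain controller, since 4720 fires for local SAM accounts too.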
diff --git a/data_sources/windows_event_log_system_4726.yml b/data_sources/windows_event_log_system_4726.yml
index 706432fb4e..a94f1b82e5 100644
--- a/data_sources/windows_event_log_system_4726.yml
+++ b/data_sources/windows_event_log_system_4726.yml
@@ -3,10 +3,16 @@ id: 05e6b2df-b50e-441b-8ac8-565f2e80d62f
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log System 4726
+description: Logs the deletion of a user account, including details about the account name, associated domain, and the account performing the action.
+mitre_components:
+- User Account Deletion
+- User Account Metadata
+- Active Directory Object Modification
+- Application Log Content
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4726
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
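Review bot: 4726 ("A user account was deleted") is a Security-channel event, but `source: XmlWinEventLog:System` is kept while the new description and `separator_value: 4726` describe its semantics, so detections built on this object will not match. A `windows_event_log_security_4726.yml` appears in the diffstat later on this page, so this looks like a duplicate on the wrong channel; fix the `source` or drop the file. `Active Directory Object Modification` is also a loose fit for a deletion; `Active Directory Object Deletion`, as used for 5141 above, is the matching component, and only when the event originates on a domain controller.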
diff --git a/data_sources/windows_event_log_system_4728.yml b/data_sources/windows_event_log_system_4728.yml
index 906b7cd67d..9d5380f3ca 100644
--- a/data_sources/windows_event_log_system_4728.yml
+++ b/data_sources/windows_event_log_system_4728.yml
@@ -3,10 +3,16 @@ id: 4549f0ac-3df9-4bfb-bea5-1459690c8040
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log System 4728
+description: Logs the addition of a user to a security-enabled group, including details about the group name, user account, and associated domain.
+mitre_components:
+- Group Modification
+- Group Metadata
+- User Account Metadata
+- Active Directory Object Modification
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4728
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
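Review bot: 4728 ("A member was added to a security-enabled global group") is logged to the Security channel, so `separator_value: 4728` under `source: XmlWinEventLog:System` will never select an event, and the new description makes the object look authoritative while its source line is wrong. Change it to `source: XmlWinEventLog:Security`, or fold this into the security_* data sources. The description should also say "security-enabled global group": 4732 (local) and 4756 (universal) are separate IDs, and a reader mapping detections to this source needs that distinction.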
diff --git a/data_sources/windows_event_log_system_7036.yml b/data_sources/windows_event_log_system_7036.yml
index 2b5c6845fa..4079da5408 100644
--- a/data_sources/windows_event_log_system_7036.yml
+++ b/data_sources/windows_event_log_system_7036.yml
@@ -3,10 +3,16 @@ id: a6e9b34f-1507-4fa1-a4ba-684d1b676a34
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log System 7036
+description: Logs state changes of a Windows service, including details about the service name and its new state (e.g., started or stopped).
+mitre_components:
+- Service Metadata
+- OS API Execution
+- Application Log Content
+- Host Status
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 7036
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_7040.yml b/data_sources/windows_event_log_system_7040.yml
index 9a669d6262..e1d08e67e4 100644
--- a/data_sources/windows_event_log_system_7040.yml
+++ b/data_sources/windows_event_log_system_7040.yml
@@ -3,10 +3,16 @@ id: 91738e9e-d112-41c9-b91b-e5868d8993d9
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log System 7040
+description: Logs changes to the start type of a Windows service, including details about the service name, old start type, and new start type.
+mitre_components:
+- Service Modification
+- Service Metadata
+- OS API Execution
+- Application Log Content
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 7040
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_7045.yml b/data_sources/windows_event_log_system_7045.yml
index 335efef1a8..b7e8511470 100644
--- a/data_sources/windows_event_log_system_7045.yml
+++ b/data_sources/windows_event_log_system_7045.yml
@@ -3,10 +3,16 @@ id: 614dedc8-8a14-4393-ba9b-6f093cbcd293
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log System 7045
+description: Logs the successful installation of a new Windows service, including details about the service name, executable path, and service type.
+mitre_components:
+- Service Creation
+- Service Metadata
+- OS API Execution
+- Process Metadata
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 7045
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_taskscheduler_200.yml b/data_sources/windows_event_log_taskscheduler_200.yml
index 979e053f1d..c7af8fd33b 100644
--- a/data_sources/windows_event_log_taskscheduler_200.yml
+++ b/data_sources/windows_event_log_taskscheduler_200.yml
@@ -3,10 +3,16 @@ id: f8c777f8-e88a-4bba-ae8a-79b250212f23
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log TaskScheduler 200
+description: Logs the successful registration of a new scheduled task in Windows Task Scheduler, including task details and configurations.
+mitre_components:
+- Scheduled Job Creation
+- Scheduled Job Metadata
+- Service Creation
+- OS API Execution
source: WinEventLog:Microsoft-Windows-TaskScheduler/Operational
sourcetype: wineventlog
separator: EventCode
+separator_value: 200
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
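Review bot: The new description and the `Scheduled Job Creation` component misstate event 200: in Microsoft-Windows-TaskScheduler/Operational, 200 is "Action started" (the scheduler launched a task's action), while task registration is event 106 (and Security 4698). Suggest `description: Logs the launch of a scheduled task action by the Task Scheduler, including the task name, the action (executable) started and the task instance ID.` and replacing `Scheduled Job Creation` and `Service Creation` with `Process Creation`, keeping `Scheduled Job Metadata`. The event-to-meaning mapping is from memory of the channel's manifest; confirm it before committing, but as written the source would be cited as evidence of task creation when it only shows execution.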
diff --git a/data_sources/windows_iis.yml b/data_sources/windows_iis.yml
index a78d2107dd..0aa47abd32 100644
--- a/data_sources/windows_iis.yml
+++ b/data_sources/windows_iis.yml
@@ -3,7 +3,12 @@ id: 469335b3-b6ad-49e2-bbe6-47e15c1464a7
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows IIS
+description: Logs changes to IIS server configuration, including updates to settings, modules, authentication methods, and site bindings.
+mitre_components:
+- Service Modification
+- Cloud Service Modification
+- Configuration Modification
+- Application Log Content
source: IIS:Configuration:Operational
sourcetype: IIS:Configuration:Operational
separator: EventID
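Review bot: `Cloud Service Modification` does not belong on an on-premises IIS configuration log; `Service Modification` and `Configuration Modification`, already on the list, cover it. The description also promises "site bindings" and "authentication methods" specifically, while the object has `separator: EventID` with no `separator_value`, i.e. it stands for the whole IIS-Configuration/Operational channel; a wording such as `description: Logs committed changes to IIS configuration sections as recorded in the IIS-Configuration/Operational channel, including the changed section and path.` claims only what the source supports. Confirm the channel's event set before listing specific configuration areas.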
diff --git a/data_sources/windows_iis_29.yml b/data_sources/windows_iis_29.yml
index 7657e0c52c..26d05e774f 100644
--- a/data_sources/windows_iis_29.yml
+++ b/data_sources/windows_iis_29.yml
@@ -3,10 +3,16 @@ id: 1d99ddd7-7fec-4dea-bf4f-1f4906142328
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows IIS 29
+description: Logs modifications to IIS server authentication settings, including updates to client certificate requirements and authentication methods.
+mitre_components:
+- Service Modification
+- Configuration Modification
+- Certificate Registration
+- Application Log Content
source: IIS:Configuration:Operational
sourcetype: IIS:Configuration:Operational
separator: EventID
+separator_value: 29
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
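Review bot: The narrowed description ("authentication settings ... client certificate requirements") and the `Certificate Registration` component look like an over-specific reading of IIS-Configuration/Operational event 29; as far as I recall, 29 is the generic "configuration change committed" record that carries the changed section path, and detections on it filter by section (for example globalModules) rather than by event semantics. If that is right, `Certificate Registration` is an invented mapping and the description should read `description: Logs a committed IIS configuration change, including the configuration section and path that changed.` Confirm against the event's message template before keeping the authentication-specific wording.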
From cbac872e4109835bbe9998d867423347ad653cc3 Mon Sep 17 00:00:00 2001
From: delgado-jacob <29643013+delgado-jacob@users.noreply.github.com>
Date: Thu, 23 Jan 2025 09:38:13 -0700
Subject: [PATCH 2/6] Update version and modified date. Fix reference in
detection.
---
data_sources/asl_aws_cloudtrail.yml | 34 +-
data_sources/aws_cloudfront.yml | 183 +-
.../aws_cloudtrail_assumerolewithsaml.yml | 198 +-
data_sources/aws_cloudtrail_consolelogin.yml | 177 +-
data_sources/aws_cloudtrail_copyobject.yml | 187 +-
.../aws_cloudtrail_createaccesskey.yml | 175 +-
data_sources/aws_cloudtrail_createkey.yml | 211 +-
.../aws_cloudtrail_createloginprofile.yml | 173 +-
.../aws_cloudtrail_createnetworkaclentry.yml | 205 +-
.../aws_cloudtrail_createpolicyversion.yml | 175 +-
.../aws_cloudtrail_createsnapshot.yml | 193 +-
data_sources/aws_cloudtrail_createtask.yml | 191 +-
.../aws_cloudtrail_createvirtualmfadevice.yml | 171 +-
.../aws_cloudtrail_deactivatemfadevice.yml | 171 +-
...cloudtrail_deleteaccountpasswordpolicy.yml | 169 +-
data_sources/aws_cloudtrail_deletealarms.yml | 239 +--
.../aws_cloudtrail_deletedetector.yml | 165 +-
data_sources/aws_cloudtrail_deletegroup.yml | 175 +-
data_sources/aws_cloudtrail_deleteipset.yml | 165 +-
.../aws_cloudtrail_deleteloggroup.yml | 169 +-
.../aws_cloudtrail_deletelogstream.yml | 171 +-
.../aws_cloudtrail_deletenetworkaclentry.yml | 183 +-
data_sources/aws_cloudtrail_deletepolicy.yml | 171 +-
data_sources/aws_cloudtrail_deleterule.yml | 171 +-
.../aws_cloudtrail_deletesnapshot.yml | 253 +--
data_sources/aws_cloudtrail_deletetrail.yml | 167 +-
.../aws_cloudtrail_deletevirtualmfadevice.yml | 167 +-
data_sources/aws_cloudtrail_deletewebacl.yml | 167 +-
...aws_cloudtrail_describeeventaggregates.yml | 159 +-
...s_cloudtrail_describeimagescanfindings.yml | 1831 +++++++++--------
...ws_cloudtrail_getaccountpasswordpolicy.yml | 165 +-
data_sources/aws_cloudtrail_getobject.yml | 183 +-
.../aws_cloudtrail_getpassworddata.yml | 185 +-
data_sources/aws_cloudtrail_jobcreated.yml | 134 +-
.../aws_cloudtrail_modifydbinstance.yml | 283 +--
.../aws_cloudtrail_modifyimageattribute.yml | 173 +-
...aws_cloudtrail_modifysnapshotattribute.yml | 163 +-
data_sources/aws_cloudtrail_putbucketacl.yml | 191 +-
.../aws_cloudtrail_putbucketlifecycle.yml | 193 +-
.../aws_cloudtrail_putbucketreplication.yml | 217 +-
.../aws_cloudtrail_putbucketversioning.yml | 199 +-
data_sources/aws_cloudtrail_putimage.yml | 179 +-
data_sources/aws_cloudtrail_putkeypolicy.yml | 179 +-
.../aws_cloudtrail_replacenetworkaclentry.yml | 192 +-
...aws_cloudtrail_setdefaultpolicyversion.yml | 165 +-
data_sources/aws_cloudtrail_stoplogging.yml | 155 +-
...cloudtrail_updateaccountpasswordpolicy.yml | 176 +-
.../aws_cloudtrail_updateloginprofile.yml | 160 +-
.../aws_cloudtrail_updatesamlprovider.yml | 343 +--
data_sources/aws_cloudtrail_updatetrail.yml | 173 +-
data_sources/aws_cloudwatchlogs_vpcflow.yml | 124 +-
data_sources/aws_security_hub.yml | 227 +-
...p_role_assignment_to_service_principal.yml | 170 +-
...re_active_directory_add_member_to_role.yml | 122 +-
...ive_directory_add_owner_to_application.yml | 132 +-
...active_directory_add_service_principal.yml | 122 +-
...active_directory_add_unverified_domain.yml | 121 +-
...ctive_directory_consent_to_application.yml | 132 +-
...irectory_disable_strong_authentication.yml | 117 +-
.../azure_active_directory_enable_account.yml | 116 +-
..._active_directory_invite_external_user.yml | 117 +-
...ve_directory_reset_password_(by_admin).yml | 119 +-
...ve_directory_set_domain_authentication.yml | 119 +-
...zure_active_directory_sign_in_activity.yml | 219 +-
...re_active_directory_update_application.yml | 119 +-
..._directory_update_authorization_policy.yml | 121 +-
.../azure_active_directory_update_user.yml | 118 +-
...irectory_user_registered_security_info.yml | 113 +-
..._or_update_an_azure_automation_account.yml | 192 +-
..._or_update_an_azure_automation_runbook.yml | 193 +-
..._or_update_an_azure_automation_webhook.yml | 210 +-
data_sources/bro_conn.yml | 15 +-
data_sources/bro_dns.yml | 17 +-
data_sources/bro_files.yml | 18 +-
data_sources/bro_http.yml | 17 +-
data_sources/bro_loaded_scripts.yml | 15 +-
data_sources/bro_ntp.yml | 15 +-
data_sources/bro_ocsp.yml | 19 +-
data_sources/bro_ssl.yml | 19 +-
data_sources/bro_weird.yml | 17 +-
data_sources/bro_x509.yml | 19 +-
data_sources/circleci.yml | 127 +-
data_sources/crowdstrike_processrollup2.yml | 200 +-
data_sources/crushftp.yml | 21 +-
data_sources/g_suite_drive.yml | 85 +-
data_sources/g_suite_gmail.yml | 161 +-
data_sources/github.yml | 401 ++--
.../google_workspace_login_failure.yml | 91 +-
.../google_workspace_login_success.yml | 87 +-
data_sources/ivanti_vtm_audit.yml | 36 +-
data_sources/kubernetes_audit.yml | 111 +-
data_sources/kubernetes_falco.yml | 87 +-
data_sources/linux_auditd_add_user.yml | 62 +-
data_sources/linux_auditd_execve.yml | 34 +-
data_sources/linux_auditd_path.yml | 63 +-
data_sources/linux_auditd_proctitle.yml | 27 +-
data_sources/linux_auditd_service_stop.yml | 58 +-
data_sources/linux_auditd_syscall.yml | 106 +-
data_sources/linux_secure.yml | 87 +-
.../ms365_defender_incident_alerts.yml | 414 ++--
data_sources/ms_defender_atp_alerts.yml | 691 ++++---
data_sources/nginx_access.yml | 135 +-
data_sources/o365.yml | 23 +-
...add_app_role_assignment_grant_to_user_.yml | 159 +-
..._role_assignment_to_service_principal_.yml | 158 +-
data_sources/o365_add_mailboxpermission.yml | 142 +-
data_sources/o365_add_member_to_role_.yml | 163 +-
.../o365_add_owner_to_application_.yml | 168 +-
data_sources/o365_add_service_principal_.yml | 167 +-
data_sources/o365_change_user_license_.yml | 159 +-
data_sources/o365_consent_to_application_.yml | 152 +-
.../o365_disable_strong_authentication_.yml | 154 +-
data_sources/o365_mailitemsaccessed.yml | 145 +-
data_sources/o365_modifyfolderpermissions.yml | 181 +-
.../o365_set_company_information_.yml | 169 +-
data_sources/o365_set_mailbox.yml | 161 +-
data_sources/o365_update_application_.yml | 167 +-
.../o365_update_authorization_policy_.yml | 151 +-
data_sources/o365_update_user_.yml | 165 +-
data_sources/o365_userloggedin.yml | 165 +-
data_sources/o365_userloginfailed.yml | 183 +-
data_sources/okta.yml | 23 +-
data_sources/osquery.yml | 123 +-
data_sources/palo_alto_network_threat.yml | 62 +-
data_sources/palo_alto_network_traffic.yml | 65 +-
data_sources/pingid.yml | 71 +-
.../powershell_installed_iis_modules.yml | 35 +-
.../powershell_script_block_logging_4104.yml | 162 +-
data_sources/powershell_sip_inventory.yml | 15 +-
data_sources/splunk.yml | 63 +-
data_sources/splunk_stream_http.yml | 113 +-
data_sources/splunk_stream_ip.yml | 146 +-
data_sources/splunk_stream_tcp.yml | 23 +-
data_sources/suricata.yml | 109 +-
data_sources/sysmon_eventid_1.yml | 333 +--
data_sources/sysmon_eventid_10.yml | 183 +-
data_sources/sysmon_eventid_11.yml | 188 +-
data_sources/sysmon_eventid_12.yml | 178 +-
data_sources/sysmon_eventid_13.yml | 205 +-
data_sources/sysmon_eventid_15.yml | 184 +-
data_sources/sysmon_eventid_17.yml | 156 +-
data_sources/sysmon_eventid_18.yml | 165 +-
data_sources/sysmon_eventid_20.yml | 171 +-
data_sources/sysmon_eventid_21.yml | 175 +-
data_sources/sysmon_eventid_22.yml | 163 +-
data_sources/sysmon_eventid_23.yml | 187 +-
data_sources/sysmon_eventid_3.yml | 215 +-
data_sources/sysmon_eventid_5.yml | 159 +-
data_sources/sysmon_eventid_6.yml | 166 +-
data_sources/sysmon_eventid_7.yml | 206 +-
data_sources/sysmon_eventid_8.yml | 187 +-
data_sources/sysmon_eventid_9.yml | 161 +-
data_sources/sysmon_for_linux_eventid_1.yml | 205 +-
data_sources/sysmon_for_linux_eventid_11.yml | 161 +-
.../windows_active_directory_admon.yml | 103 +-
data_sources/windows_defender_alerts.yml | 44 +-
.../windows_event_log_application_2282.yml | 130 +-
.../windows_event_log_application_3000.yml | 115 +-
data_sources/windows_event_log_capi2_70.yml | 123 +-
data_sources/windows_event_log_capi2_81.yml | 129 +-
...ent_log_certificateservicesclient_1007.yml | 125 +-
.../windows_event_log_defender_1121.yml | 132 +-
.../windows_event_log_defender_1122.yml | 126 +-
.../windows_event_log_defender_1129.yml | 111 +-
.../windows_event_log_defender_5007.yml | 101 +-
...indows_terminalservices_rdpclient_1024.yml | 101 +-
.../windows_event_log_printservice_316.yml | 102 +-
.../windows_event_log_printservice_808.yml | 113 +-
...event_log_remoteconnectionmanager_1149.yml | 103 +-
.../windows_event_log_security_1100.yml | 142 +-
.../windows_event_log_security_1102.yml | 154 +-
.../windows_event_log_security_4624.yml | 227 +-
.../windows_event_log_security_4625.yml | 217 +-
.../windows_event_log_security_4627.yml | 178 +-
.../windows_event_log_security_4648.yml | 204 +-
.../windows_event_log_security_4662.yml | 178 +-
.../windows_event_log_security_4663.yml | 191 +-
.../windows_event_log_security_4672.yml | 158 +-
.../windows_event_log_security_4688.yml | 239 +--
.../windows_event_log_security_4698.yml | 158 +-
.../windows_event_log_security_4699.yml | 156 +-
.../windows_event_log_security_4703.yml | 196 +-
.../windows_event_log_security_4719.yml | 167 +-
.../windows_event_log_security_4720.yml | 202 +-
.../windows_event_log_security_4724.yml | 189 +-
.../windows_event_log_security_4725.yml | 186 +-
.../windows_event_log_security_4726.yml | 188 +-
.../windows_event_log_security_4732.yml | 181 +-
.../windows_event_log_security_4738.yml | 229 ++-
.../windows_event_log_security_4739.yml | 205 +-
.../windows_event_log_security_4741.yml | 231 ++-
.../windows_event_log_security_4742.yml | 233 +--
.../windows_event_log_security_4768.yml | 193 +-
.../windows_event_log_security_4769.yml | 193 +-
.../windows_event_log_security_4771.yml | 181 +-
.../windows_event_log_security_4776.yml | 163 +-
.../windows_event_log_security_4781.yml | 194 +-
.../windows_event_log_security_4794.yml | 178 +-
.../windows_event_log_security_4798.yml | 174 +-
.../windows_event_log_security_4876.yml | 162 +-
.../windows_event_log_security_4886.yml | 146 +-
.../windows_event_log_security_4887.yml | 152 +-
.../windows_event_log_security_5136.yml | 185 +-
.../windows_event_log_security_5137.yml | 178 +-
.../windows_event_log_security_5140.yml | 213 +-
.../windows_event_log_security_5141.yml | 174 +-
.../windows_event_log_security_5145.yml | 253 +--
.../windows_event_log_system_4720.yml | 211 +-
.../windows_event_log_system_4726.yml | 191 +-
.../windows_event_log_system_4728.yml | 191 +-
.../windows_event_log_system_7036.yml | 142 +-
.../windows_event_log_system_7040.yml | 147 +-
.../windows_event_log_system_7045.yml | 147 +-
.../windows_event_log_taskscheduler_200.yml | 140 +-
data_sources/windows_iis.yml | 21 +-
data_sources/windows_iis_29.yml | 53 +-
.../network/detect_outbound_ldap_traffic.yml | 9 +-
217 files changed, 17727 insertions(+), 17073 deletions(-)
diff --git a/data_sources/asl_aws_cloudtrail.yml b/data_sources/asl_aws_cloudtrail.yml
index 8311be25cc..05767f098b 100644
--- a/data_sources/asl_aws_cloudtrail.yml
+++ b/data_sources/asl_aws_cloudtrail.yml
@@ -1,26 +1,26 @@
name: ASL AWS CloudTrail
id: 1dcf9cfb-0e91-44c6-81b3-61b2574ec898
-version: 1
-date: '2025-01-14'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Represents AWS API dataset data collection from Amazon Security Lake.
mitre_components:
-- Cloud Service Metadata
-- Cloud Service Modification
-- Cloud Storage Access
-- Instance Creation
-- Instance Deletion
-- Instance Start
-- Instance Stop
-- Instance Modification
-- Cloud Storage Creation
-- Cloud Storage Deletion
-- Cloud Service Enumeration
-- Cloud Storage Enumeration
+ - Cloud Service Metadata
+ - Cloud Service Modification
+ - Cloud Storage Access
+ - Instance Creation
+ - Instance Deletion
+ - Instance Start
+ - Instance Stop
+ - Instance Modification
+ - Cloud Storage Creation
+ - Cloud Storage Deletion
+ - Cloud Service Enumeration
+ - Cloud Storage Enumeration
source: aws_asl
sourcetype: aws:asl
separator: api.operation
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
diff --git a/data_sources/aws_cloudfront.yml b/data_sources/aws_cloudfront.yml
index bc4196951d..b8eb8a416b 100644
--- a/data_sources/aws_cloudfront.yml
+++ b/data_sources/aws_cloudfront.yml
@@ -1,102 +1,103 @@
name: AWS Cloudfront
id: 780086dc-2384-45b6-ade7-56cb00105464
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs requests made to AWS CloudFront distributions, including details on client access, response data, and performance metrics.
+description: Logs requests made to AWS CloudFront distributions, including details
+ on client access, response data, and performance metrics.
mitre_components:
-- Network Traffic Content
-- Network Traffic Flow
-- Response Metadata
-- Response Content
-- Logon Session Metadata
-- Cloud Service Metadata
+ - Network Traffic Content
+ - Network Traffic Flow
+ - Response Metadata
+ - Response Content
+ - Logon Session Metadata
+ - Cloud Service Metadata
source: aws
sourcetype: aws:cloudfront:accesslogs
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- bytes
-- bytes_in
-- bytes_out
-- c_ip
-- c_port
-- cached
-- category
-- client_ip
-- cs_bytes
-- cs_cookie
-- cs_host
-- cs_method
-- cs_protocol
-- cs_protocol_version
-- cs_referer
-- cs_uri_query
-- cs_uri_stem
-- cs_user_agent
-- date
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- duration
-- edge_location_name
-- eventtype
-- fle_encrypted_fields
-- fle_status
-- host
-- http_content_type
-- http_method
-- http_user_agent
-- http_user_agent_length
-- index
-- linecount
-- punct
-- response_time
-- sc_bytes
-- sc_content_len
-- sc_content_type
-- sc_range_end
-- sc_range_start
-- sc_status
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_port
-- ssl_cipher
-- ssl_protocol
-- status
-- tag
-- tag::eventtype
-- time
-- time_taken
-- time_to_first_byte
-- timeendpos
-- timestartpos
-- uri_path
-- url
-- url_domain
-- url_length
-- vendor_product
-- x_edge_detail_result_type
-- x_edge_location
-- x_edge_request_id
-- x_edge_response_result_type
-- x_edge_result_type
-- x_forwarded_for
-- x_host_header
+ - _time
+ - action
+ - app
+ - bytes
+ - bytes_in
+ - bytes_out
+ - c_ip
+ - c_port
+ - cached
+ - category
+ - client_ip
+ - cs_bytes
+ - cs_cookie
+ - cs_host
+ - cs_method
+ - cs_protocol
+ - cs_protocol_version
+ - cs_referer
+ - cs_uri_query
+ - cs_uri_stem
+ - cs_user_agent
+ - date
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - duration
+ - edge_location_name
+ - eventtype
+ - fle_encrypted_fields
+ - fle_status
+ - host
+ - http_content_type
+ - http_method
+ - http_user_agent
+ - http_user_agent_length
+ - index
+ - linecount
+ - punct
+ - response_time
+ - sc_bytes
+ - sc_content_len
+ - sc_content_type
+ - sc_range_end
+ - sc_range_start
+ - sc_status
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - src_port
+ - ssl_cipher
+ - ssl_protocol
+ - status
+ - tag
+ - tag::eventtype
+ - time
+ - time_taken
+ - time_to_first_byte
+ - timeendpos
+ - timestartpos
+ - uri_path
+ - url
+ - url_domain
+ - url_length
+ - vendor_product
+ - x_edge_detail_result_type
+ - x_edge_location
+ - x_edge_request_id
+ - x_edge_response_result_type
+ - x_edge_result_type
+ - x_forwarded_for
+ - x_host_header
example_log: "2023-11-07\t16:58:21\tIAD55-P5\t921\t44.192.78.55\tGET\td3u5aue66f5ui4.cloudfront.net\t\
/plugins/servlet/com.jsos.shell/ShellServlet\t200\t-\tSlackbot-LinkExpanding%201.0%20(+https://api.slack.com/robots)\t\
-\t-\tLambdaGeneratedResponse\tsGwvFCkFU4qlMxatCoJRgW87P7Ee8bKQor3U6lRt6I6jaFvLC7vcPA==\t\
diff --git a/data_sources/aws_cloudtrail_assumerolewithsaml.yml b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
index acd5a6247f..c9823cd2d7 100644
--- a/data_sources/aws_cloudtrail_assumerolewithsaml.yml
+++ b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -1,114 +1,114 @@
name: AWS CloudTrail AssumeRoleWithSAML
id: 1e28f2a6-2db9-405f-b298-18734a293f77
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs attempts to assume roles via SAML authentication in AWS, including
details of identity provider and role mapping.
mitre_components:
-- User Account Authentication
-- Logon Session Creation
-- User Account Metadata
-- Cloud Service Metadata
-- Instance Modification
+ - User Account Authentication
+ - Logon Session Creation
+ - User Account Metadata
+ - Cloud Service Metadata
+ - Instance Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: AssumeRoleWithSAML
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.durationSeconds
-- requestParameters.principalArn
-- requestParameters.roleArn
-- requestParameters.roleSessionName
-- requestParameters.sAMLAssertionID
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements.assumedRoleUser.arn
-- responseElements.assumedRoleUser.assumedRoleId
-- responseElements.audience
-- responseElements.credentials.accessKeyId
-- responseElements.credentials.expiration
-- responseElements.credentials.sessionToken
-- responseElements.issuer
-- responseElements.nameQualifier
-- responseElements.subject
-- responseElements.subjectType
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_user
-- src_user_id
-- src_user_type
-- start_time
-- status
-- tag
-- tag::action
-- tag::eventtype
-- temp_access_key
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.identityProvider
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- user_agent
-- user_arn
-- user_id
-- user_name
-- user_role
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.durationSeconds
+ - requestParameters.principalArn
+ - requestParameters.roleArn
+ - requestParameters.roleSessionName
+ - requestParameters.sAMLAssertionID
+ - resources{}.ARN
+ - resources{}.accountId
+ - resources{}.type
+ - responseElements.assumedRoleUser.arn
+ - responseElements.assumedRoleUser.assumedRoleId
+ - responseElements.audience
+ - responseElements.credentials.accessKeyId
+ - responseElements.credentials.expiration
+ - responseElements.credentials.sessionToken
+ - responseElements.issuer
+ - responseElements.nameQualifier
+ - responseElements.subject
+ - responseElements.subjectType
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - src_user
+ - src_user_id
+ - src_user_type
+ - start_time
+ - status
+ - tag
+ - tag::action
+ - tag::eventtype
+ - temp_access_key
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.identityProvider
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - user_agent
+ - user_arn
+ - user_id
+ - user_name
+ - user_role
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "principalId":
"ZRu9MRAjiG9tvi1QBNfdI664G5A=:rodsoto@rodsoto.onmicrosoft.com", "userName": "rodsoto@rodsoto.onmicrosoft.com",
"identityProvider": "ZRu9MRAjiG9tvi1QBNfdI664G5A="}, "eventTime": "2021-01-22T03:44:16Z",
diff --git a/data_sources/aws_cloudtrail_consolelogin.yml b/data_sources/aws_cloudtrail_consolelogin.yml
index 934d502f32..0d05cff28d 100644
--- a/data_sources/aws_cloudtrail_consolelogin.yml
+++ b/data_sources/aws_cloudtrail_consolelogin.yml
@@ -1,101 +1,102 @@
name: AWS CloudTrail ConsoleLogin
id: b68b3f26-bd21-4fa8-b593-616fe75ac0ae
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs attempts to sign in to the AWS Management Console, including successful and failed login events.
+description: Logs attempts to sign in to the AWS Management Console, including successful
+ and failed login events.
mitre_components:
-- User Account Authentication
-- Logon Session Creation
-- User Account Metadata
-- Logon Session Metadata
-- Cloud Service Metadata
+ - User Account Authentication
+ - Logon Session Creation
+ - User Account Metadata
+ - Logon Session Metadata
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: ConsoleLogin
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- additionalEventData.LoginTo
-- additionalEventData.MFAUsed
-- additionalEventData.MobileVersion
-- app
-- authentication_method
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- desc
-- dest
-- dvc
-- errorCode
-- errorMessage
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- reason
-- recipientAccountId
-- region
-- requestParameters
-- responseElements.ConsoleLogin
-- result
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.type
-- userIdentity.userName
-- user_access_key
-- user_agent
-- user_group_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - additionalEventData.LoginTo
+ - additionalEventData.MFAUsed
+ - additionalEventData.MobileVersion
+ - app
+ - authentication_method
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - desc
+ - dest
+ - dvc
+ - errorCode
+ - errorMessage
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - reason
+ - recipientAccountId
+ - region
+ - requestParameters
+ - responseElements.ConsoleLogin
+ - result
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::action
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.type
+ - userIdentity.userName
+ - user_access_key
+ - user_agent
+ - user_group_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "accountId":
"140429656527", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
"eventTime": "2022-10-19T20:33:38Z", "eventSource": "signin.amazonaws.com", "eventName":
diff --git a/data_sources/aws_cloudtrail_copyobject.yml b/data_sources/aws_cloudtrail_copyobject.yml
index 72a9c6af4b..9edd40bb4d 100644
--- a/data_sources/aws_cloudtrail_copyobject.yml
+++ b/data_sources/aws_cloudtrail_copyobject.yml
@@ -1,106 +1,107 @@
name: AWS CloudTrail CopyObject
id: 965083f4-64a8-403f-99cc-252e1a6bd3b6
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs operations that copy objects within or between AWS S3 buckets, including details of source and destination.
+description: Logs operations that copy objects within or between AWS S3 buckets, including
+ details of source and destination.
mitre_components:
-- Cloud Storage Access
-- Cloud Storage Modification
-- Cloud Storage Metadata
-- Instance Modification
+ - Cloud Storage Access
+ - Cloud Storage Modification
+ - Cloud Storage Metadata
+ - Instance Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_values: CopyObject
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- additionalEventData.AuthenticationMethod
-- additionalEventData.CipherSuite
-- additionalEventData.SSEApplied
-- additionalEventData.SignatureVersion
-- additionalEventData.bytesTransferredIn
-- additionalEventData.bytesTransferredOut
-- additionalEventData.x-amz-id-2
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.Host
-- requestParameters.bucketName
-- requestParameters.key
-- requestParameters.x-amz-copy-source
-- requestParameters.x-amz-server-side-encryption
-- requestParameters.x-amz-server-side-encryption-aws-kms-key-id
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements.x-amz-server-side-encryption
-- responseElements.x-amz-server-side-encryption-aws-kms-key-id
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - additionalEventData.AuthenticationMethod
+ - additionalEventData.CipherSuite
+ - additionalEventData.SSEApplied
+ - additionalEventData.SignatureVersion
+ - additionalEventData.bytesTransferredIn
+ - additionalEventData.bytesTransferredOut
+ - additionalEventData.x-amz-id-2
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.Host
+ - requestParameters.bucketName
+ - requestParameters.key
+ - requestParameters.x-amz-copy-source
+ - requestParameters.x-amz-server-side-encryption
+ - requestParameters.x-amz-server-side-encryption-aws-kms-key-id
+ - resources{}.ARN
+ - resources{}.accountId
+ - resources{}.type
+ - responseElements.x-amz-server-side-encryption
+ - responseElements.x-amz-server-side-encryption-aws-kms-key-id
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLNALZHZ6KX", "arn": "arn:aws:iam::111111111111:user/patrick_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLJ2OYSF6E", "userName": "patrick_cli"},
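Review bot: The `separator_values: CopyObject` key near the top of this hunk does not match the `separator_value:` key that every other data source in this patch uses (aws_cloudtrail_createaccesskey.yml, aws_cloudtrail_createkey.yml, aws_cloudtrail_createloginprofile.yml, aws_cloudtrail_createnetworkaclentry.yml, aws_cloudtrail_createpolicyversion.yml, aws_cloudtrail_createsnapshot.yml), and aws_cloudtrail_createtask.yml further down carries a third spelling, `separator_name: CreateTask`. Any consumer that reads `separator_value` to narrow `aws:cloudtrail` events by `eventName` will find no separator for these two data sources, so the detections mapped to them lose the filter silently. Since the commit already bumps `version` to 2 and reformats the file, this is the moment to normalise it: `separator_value: CopyObject` here and `separator_value: CreateTask` in the createtask file. The key is an unchanged context line in this hunk, so the fix is a one-line change on top of the reindent.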
diff --git a/data_sources/aws_cloudtrail_createaccesskey.yml b/data_sources/aws_cloudtrail_createaccesskey.yml
index 6e95f8ab0f..d72354f779 100644
--- a/data_sources/aws_cloudtrail_createaccesskey.yml
+++ b/data_sources/aws_cloudtrail_createaccesskey.yml
@@ -1,100 +1,101 @@
name: AWS CloudTrail CreateAccessKey
id: 0460f7da-3254-4d90-b8c0-2ca657d0cea0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the creation of new AWS access keys, including details of the associated user and permissions.
+description: Logs the creation of new AWS access keys, including details of the associated
+ user and permissions.
mitre_components:
-- User Account Creation
-- User Account Metadata
-- Cloud Service Modification
-- Cloud Service Metadata
+ - User Account Creation
+ - User Account Metadata
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreateAccessKey
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.userName
-- responseElements.accessKey.accessKeyId
-- responseElements.accessKey.createDate
-- responseElements.accessKey.status
-- responseElements.accessKey.userName
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_user_name
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.userName
+ - responseElements.accessKey.accessKeyId
+ - responseElements.accessKey.createDate
+ - responseElements.accessKey.status
+ - responseElements.accessKey.userName
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - src_user_name
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::121521347698:user/bhavin_cli", "accountId":
"121521347698", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
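Review bot: The `example_log` at the end of this hunk carries account id `121521347698` in both `accountId` and the `arn`, whereas the sibling files in this patch use the placeholder `111111111111` and the consolelogin example masks the user name entirely. The same access key id `AKIAYTOGP2RLLAA6NJUM` appears in aws_cloudtrail_createloginprofile.yml paired with the placeholder account, which suggests this example was simply missed during sanitisation rather than deliberately left as is. Since the commit already bumps `version` and `date` for this file, consider replacing the account segment here with `"111111111111"` and `"arn": "arn:aws:iam::111111111111:user/bhavin_cli"` so the repository does not publish what looks like a real account id. The remainder of the `example_log` scalar lies outside this hunk.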
diff --git a/data_sources/aws_cloudtrail_createkey.yml b/data_sources/aws_cloudtrail_createkey.yml
index 655ce8762f..293ecba3cd 100644
--- a/data_sources/aws_cloudtrail_createkey.yml
+++ b/data_sources/aws_cloudtrail_createkey.yml
@@ -1,118 +1,119 @@
name: AWS CloudTrail CreateKey
id: fcfc1593-b6b5-4a0f-91c5-3c395116a8b9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the creation of new AWS KMS keys, including details of key properties and associated metadata.
+description: Logs the creation of new AWS KMS keys, including details of key properties
+ and associated metadata.
mitre_components:
-- Cloud Service Creation
-- Cloud Service Metadata
-- Instance Creation
-- Volume Metadata
+ - Cloud Service Creation
+ - Cloud Service Metadata
+ - Instance Creation
+ - Volume Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreateKey
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.bypassPolicyLockoutSafetyCheck
-- requestParameters.customerMasterKeySpec
-- requestParameters.description
-- requestParameters.keyUsage
-- requestParameters.origin
-- requestParameters.policy
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements.keyMetadata.aWSAccountId
-- responseElements.keyMetadata.arn
-- responseElements.keyMetadata.creationDate
-- responseElements.keyMetadata.customerMasterKeySpec
-- responseElements.keyMetadata.description
-- responseElements.keyMetadata.enabled
-- responseElements.keyMetadata.encryptionAlgorithms{}
-- responseElements.keyMetadata.keyId
-- responseElements.keyMetadata.keyManager
-- responseElements.keyMetadata.keyState
-- responseElements.keyMetadata.keyUsage
-- responseElements.keyMetadata.origin
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.bypassPolicyLockoutSafetyCheck
+ - requestParameters.customerMasterKeySpec
+ - requestParameters.description
+ - requestParameters.keyUsage
+ - requestParameters.origin
+ - requestParameters.policy
+ - resources{}.ARN
+ - resources{}.accountId
+ - resources{}.type
+ - responseElements.keyMetadata.aWSAccountId
+ - responseElements.keyMetadata.arn
+ - responseElements.keyMetadata.creationDate
+ - responseElements.keyMetadata.customerMasterKeySpec
+ - responseElements.keyMetadata.description
+ - responseElements.keyMetadata.enabled
+ - responseElements.keyMetadata.encryptionAlgorithms{}
+ - responseElements.keyMetadata.keyId
+ - responseElements.keyMetadata.keyManager
+ - responseElements.keyMetadata.keyState
+ - responseElements.keyMetadata.keyUsage
+ - responseElements.keyMetadata.origin
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLK74OPBDR", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_createloginprofile.yml b/data_sources/aws_cloudtrail_createloginprofile.yml
index 7c272ab23f..df6b04e40d 100644
--- a/data_sources/aws_cloudtrail_createloginprofile.yml
+++ b/data_sources/aws_cloudtrail_createloginprofile.yml
@@ -1,99 +1,100 @@
name: AWS CloudTrail CreateLoginProfile
id: 0024fdb1-0d62-4449-970a-746952cf80b6
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the creation of login profiles for IAM users, including associated metadata and authentication settings.
+description: Logs the creation of login profiles for IAM users, including associated
+ metadata and authentication settings.
mitre_components:
-- User Account Creation
-- User Account Metadata
-- Logon Session Metadata
-- Cloud Service Metadata
+ - User Account Creation
+ - User Account Metadata
+ - Logon Session Metadata
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreateLoginProfile
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.passwordResetRequired
-- requestParameters.userName
-- responseElements.loginProfile.createDate
-- responseElements.loginProfile.passwordResetRequired
-- responseElements.loginProfile.userName
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.passwordResetRequired
+ - requestParameters.userName
+ - responseElements.loginProfile.createDate
+ - responseElements.loginProfile.passwordResetRequired
+ - responseElements.loginProfile.userName
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_createnetworkaclentry.yml b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
index 65830e0d0c..993b03197a 100644
--- a/data_sources/aws_cloudtrail_createnetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
@@ -1,115 +1,116 @@
name: AWS CloudTrail CreateNetworkAclEntry
id: 45934028-10ec-4ab5-a7b1-a6349b833e67
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the creation of new entries in a network ACL, including rules to allow or deny specific network traffic.
+description: Logs the creation of new entries in a network ACL, including rules to
+ allow or deny specific network traffic.
mitre_components:
-- Firewall Rule Modification
-- Network Connection Creation
-- Cloud Service Modification
-- Cloud Service Metadata
+ - Firewall Rule Modification
+ - Network Connection Creation
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreateNetworkAclEntry
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- direction
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object
-- object_category
-- object_id
-- product
-- protocol
-- protocol_code
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.aclProtocol
-- requestParameters.cidrBlock
-- requestParameters.egress
-- requestParameters.networkAclId
-- requestParameters.ruleAction
-- requestParameters.ruleNumber
-- responseElements._return
-- responseElements.requestId
-- rule_action
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_ip_range
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - direction
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object
+ - object_category
+ - object_id
+ - product
+ - protocol
+ - protocol_code
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.aclProtocol
+ - requestParameters.cidrBlock
+ - requestParameters.egress
+ - requestParameters.networkAclId
+ - requestParameters.ruleAction
+ - requestParameters.ruleNumber
+ - responseElements._return
+ - responseElements.requestId
+ - rule_action
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - src_ip_range
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLF3F7BXZK", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_createpolicyversion.yml b/data_sources/aws_cloudtrail_createpolicyversion.yml
index cc6b2d03f0..2973c651b0 100644
--- a/data_sources/aws_cloudtrail_createpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_createpolicyversion.yml
@@ -1,100 +1,101 @@
name: AWS CloudTrail CreatePolicyVersion
id: f9f0f3da-37ec-4164-9ea0-0ae46645a86b
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the creation of new versions of IAM policies, including changes to permissions and attached roles or resources.
+description: Logs the creation of new versions of IAM policies, including changes
+ to permissions and attached roles or resources.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
-- User Account Metadata
-- Group Modification
+ - Cloud Service Modification
+ - Cloud Service Metadata
+ - User Account Metadata
+ - Group Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreatePolicyVersion
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.policyArn
-- requestParameters.policyDocument
-- requestParameters.setAsDefault
-- responseElements.policyVersion.createDate
-- responseElements.policyVersion.isDefaultVersion
-- responseElements.policyVersion.versionId
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.policyArn
+ - requestParameters.policyDocument
+ - requestParameters.setAsDefault
+ - responseElements.policyVersion.createDate
+ - responseElements.policyVersion.isDefaultVersion
+ - responseElements.policyVersion.versionId
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLNMCDVJZAY", "arn": "arn:aws:iam::111111111111:user/rhino_escalate",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLHSQZPZFZ", "userName":
diff --git a/data_sources/aws_cloudtrail_createsnapshot.yml b/data_sources/aws_cloudtrail_createsnapshot.yml
index db7c828449..ae5c392552 100644
--- a/data_sources/aws_cloudtrail_createsnapshot.yml
+++ b/data_sources/aws_cloudtrail_createsnapshot.yml
@@ -1,109 +1,110 @@
name: AWS CloudTrail CreateSnapshot
id: 514135a2-f4b2-4d32-8f31-d87824887f9f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the creation of a new snapshot of a cloud resource, such as an Amazon EBS volume, including details about the snapshot ID and resource type.
+description: Logs the creation of a new snapshot of a cloud resource, such as an Amazon
+ EBS volume, including details about the snapshot ID and resource type.
mitre_components:
-- Snapshot Creation
-- Snapshot Metadata
-- Volume Metadata
-- Cloud Service Metadata
+ - Snapshot Creation
+ - Snapshot Metadata
+ - Volume Metadata
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreateSnapshot
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.tagSpecificationSet.items{}.resourceType
-- requestParameters.tagSpecificationSet.items{}.tags{}.key
-- requestParameters.tagSpecificationSet.items{}.tags{}.value
-- requestParameters.volumeId
-- responseElements.encrypted
-- responseElements.ownerId
-- responseElements.requestId
-- responseElements.snapshotId
-- responseElements.startTime
-- responseElements.status
-- responseElements.tagSet.items{}.key
-- responseElements.tagSet.items{}.value
-- responseElements.volumeId
-- responseElements.volumeSize
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.tagSpecificationSet.items{}.resourceType
+ - requestParameters.tagSpecificationSet.items{}.tags{}.key
+ - requestParameters.tagSpecificationSet.items{}.tags{}.value
+ - requestParameters.volumeId
+ - responseElements.encrypted
+ - responseElements.ownerId
+ - responseElements.requestId
+ - responseElements.snapshotId
+ - responseElements.startTime
+ - responseElements.status
+ - responseElements.tagSet.items{}.key
+ - responseElements.tagSet.items{}.value
+ - responseElements.volumeId
+ - responseElements.volumeSize
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/bhavin_console",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName":
diff --git a/data_sources/aws_cloudtrail_createtask.yml b/data_sources/aws_cloudtrail_createtask.yml
index ee7394b6e4..7808c2b9cc 100644
--- a/data_sources/aws_cloudtrail_createtask.yml
+++ b/data_sources/aws_cloudtrail_createtask.yml
@@ -1,108 +1,109 @@
name: AWS CloudTrail CreateTask
id: 6501e4fe-05b2-45f1-bd51-9e06a94fa7d9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the creation of a new task in AWS services, such as ECS, including details about the task definition and resource allocation.
+description: Logs the creation of a new task in AWS services, such as ECS, including
+ details about the task definition and resource allocation.
mitre_components:
-- Scheduled Job Creation
-- Scheduled Job Metadata
-- Cloud Service Metadata
-- Instance Creation
+ - Scheduled Job Creation
+ - Scheduled Job Metadata
+ - Cloud Service Metadata
+ - Instance Creation
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_name: CreateTask
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.cloudWatchLogGroupArn
-- requestParameters.destinationLocationArn
-- requestParameters.options.logLevel
-- requestParameters.options.verifyMode
-- requestParameters.schedule.scheduleExpression
-- requestParameters.sourceLocationArn
-- responseElements.taskArn
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.cloudWatchLogGroupArn
+ - requestParameters.destinationLocationArn
+ - requestParameters.options.logLevel
+ - requestParameters.options.verifyMode
+ - requestParameters.schedule.scheduleExpression
+ - requestParameters.sourceLocationArn
+ - responseElements.taskArn
+ - sessionCredentialFromConsole
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLDF6WQQQQQ:abc@acme.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/abc@acme.com",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLOB2GM111", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
index ba978e3343..7b6b181672 100644
--- a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
@@ -1,98 +1,99 @@
name: AWS CloudTrail CreateVirtualMFADevice
id: 13e6e952-0dad-4190-865c-fb5911725f7a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the creation of a new virtual multi-factor authentication (MFA) device, including details about the associated user and configuration.
+description: Logs the creation of a new virtual multi-factor authentication (MFA)
+ device, including details about the associated user and configuration.
mitre_components:
-- User Account Creation
-- User Account Metadata
-- Cloud Service Creation
-- Cloud Service Metadata
+ - User Account Creation
+ - User Account Metadata
+ - Cloud Service Creation
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreateVirtualMFADevice
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.path
-- requestParameters.virtualMFADeviceName
-- responseElements.virtualMFADevice.serialNumber
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.path
+ - requestParameters.virtualMFADeviceName
+ - responseElements.virtualMFADevice.serialNumber
+ - sessionCredentialFromConsole
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
"140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
"accessKeyId": "ASIASBMSCQHH2YXNXJBU", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
diff --git a/data_sources/aws_cloudtrail_deactivatemfadevice.yml b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
index a62bdde87c..e53018b544 100644
--- a/data_sources/aws_cloudtrail_deactivatemfadevice.yml
+++ b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
@@ -1,98 +1,99 @@
name: AWS CloudTrail DeactivateMFADevice
id: 7397a10b-1150-4de9-8062-a96454ae53b2
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the deactivation of a multi-factor authentication (MFA) device, including details about the associated user and the device.
+description: Logs the deactivation of a multi-factor authentication (MFA) device,
+ including details about the associated user and the device.
mitre_components:
-- User Account Modification
-- User Account Metadata
-- Cloud Service Modification
-- Cloud Service Metadata
+ - User Account Modification
+ - User Account Metadata
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeactivateMFADevice
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.serialNumber
-- requestParameters.userName
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.serialNumber
+ - requestParameters.userName
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
"111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111",
"accessKeyId": "ASIASBMSCQHHWAIHMHUX", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
diff --git a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
index 631ac8d253..9d10c7443a 100644
--- a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
@@ -1,97 +1,98 @@
name: AWS CloudTrail DeleteAccountPasswordPolicy
id: b0730ac8-0992-4de8-b000-2c7d0fc7a67f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of an account-level password policy in AWS, including details about the account and policy being removed.
+description: Logs the deletion of an account-level password policy in AWS, including
+ details about the account and policy being removed.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteAccountPasswordPolicy
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- desc
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters
-- responseElements
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - desc
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters
+ - responseElements
+ - sessionCredentialFromConsole
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
"111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111",
"accessKeyId": "ASIASBMSCQHHWMDJXSE6", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
diff --git a/data_sources/aws_cloudtrail_deletealarms.yml b/data_sources/aws_cloudtrail_deletealarms.yml
index 2fdf221e51..7babfa595c 100644
--- a/data_sources/aws_cloudtrail_deletealarms.yml
+++ b/data_sources/aws_cloudtrail_deletealarms.yml
@@ -1,132 +1,133 @@
name: AWS CloudTrail DeleteAlarms
id: b0730ac8-0992-4de8-b000-2c7d0fc7a61f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Bhavin Patel, Splunk
-description: Logs the deletion of CloudWatch alarms, including details about the alarm names and associated monitoring configurations.
+description: Logs the deletion of CloudWatch alarms, including details about the alarm
+ names and associated monitoring configurations.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
-- Application Log Content
-- Host Status
+ - Cloud Service Modification
+ - Cloud Service Metadata
+ - Application Log Content
+ - Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteAlarms
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- authentication_method
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- desc
-- dest
-- dest_ip_range
-- dest_port_range
-- direction
-- dvc
-- errorCode
-- errorMessage
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- image_id
-- index
-- instance_type
-- linecount
-- managementEvent
-- msg
-- object
-- object_attrs
-- object_category
-- object_id
-- product
-- protocol
-- protocol_code
-- punct
-- readOnly
-- reason
-- recipientAccountId
-- region
-- requestID
-- requestParameters.alarmNames{}
-- responseElements
-- result
-- result_id
-- rule_action
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- splunk_server
-- splunk_server_group
-- src
-- src_ip
-- src_ip_range
-- src_port_range
-- src_user
-- src_user_id
-- src_user_name
-- src_user_role
-- src_user_type
-- start_time
-- status
-- tag
-- tag::action
-- tag::eventtype
-- tag::object_category
-- temp_access_key
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.invokedBy
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_role
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - authentication_method
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - desc
+ - dest
+ - dest_ip_range
+ - dest_port_range
+ - direction
+ - dvc
+ - errorCode
+ - errorMessage
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - image_id
+ - index
+ - instance_type
+ - linecount
+ - managementEvent
+ - msg
+ - object
+ - object_attrs
+ - object_category
+ - object_id
+ - product
+ - protocol
+ - protocol_code
+ - punct
+ - readOnly
+ - reason
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.alarmNames{}
+ - responseElements
+ - result
+ - result_id
+ - rule_action
+ - sessionCredentialFromConsole
+ - signature
+ - source
+ - sourceIPAddress
+ - splunk_server
+ - splunk_server_group
+ - src
+ - src_ip
+ - src_ip_range
+ - src_port_range
+ - src_user
+ - src_user_id
+ - src_user_name
+ - src_user_role
+ - src_user_type
+ - start_time
+ - status
+ - tag
+ - tag::action
+ - tag::eventtype
+ - tag::object_category
+ - temp_access_key
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.invokedBy
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_role
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLKZK7JIDWN:AutoScaling-ManageAlarms", "arn": "arn:aws:sts::111111111111:assumed-role/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable/AutoScaling-ManageAlarms",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLJ7ZZZZZZZ", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_deletedetector.yml b/data_sources/aws_cloudtrail_deletedetector.yml
index f467d9348d..f20cba230e 100644
--- a/data_sources/aws_cloudtrail_deletedetector.yml
+++ b/data_sources/aws_cloudtrail_deletedetector.yml
@@ -1,95 +1,96 @@
name: AWS CloudTrail DeleteDetector
id: 5d8bd475-c8bc-4447-b27f-efa508728b90
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of an Amazon GuardDuty detector, including details about the detector ID and associated configurations.
+description: Logs the deletion of an Amazon GuardDuty detector, including details
+ about the detector ID and associated configurations.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
-- Host Status
-- Application Log Content
+ - Cloud Service Modification
+ - Cloud Service Metadata
+ - Host Status
+ - Application Log Content
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteDetector
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.detectorId
-- responseElements.__type
-- responseElements.message
-- result_id
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.detectorId
+ - responseElements.__type
+ - responseElements.message
+ - result_id
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
diff --git a/data_sources/aws_cloudtrail_deletegroup.yml b/data_sources/aws_cloudtrail_deletegroup.yml
index a683fd2697..e2bd256da6 100644
--- a/data_sources/aws_cloudtrail_deletegroup.yml
+++ b/data_sources/aws_cloudtrail_deletegroup.yml
@@ -1,100 +1,101 @@
name: AWS CloudTrail DeleteGroup
id: c95308a4-a943-42ca-b112-f90a05c21bd3
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of an IAM group in AWS, including details about the group name and its associated policies or members.
+description: Logs the deletion of an IAM group in AWS, including details about the
+ group name and its associated policies or members.
mitre_components:
-- Group Modification
-- Group Metadata
-- User Account Metadata
-- Cloud Service Modification
+ - Group Modification
+ - Group Metadata
+ - User Account Metadata
+ - Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteGroup
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- errorMessage
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- reason
-- recipientAccountId
-- region
-- requestID
-- requestParameters.groupName
-- responseElements
-- result
-- result_id
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - errorMessage
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - reason
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.groupName
+ - responseElements
+ - result
+ - result_id
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::121522247101:user/bhavin_cli", "accountId":
"121522247101", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_deleteipset.yml b/data_sources/aws_cloudtrail_deleteipset.yml
index 4c8770dcb2..ce670c3006 100644
--- a/data_sources/aws_cloudtrail_deleteipset.yml
+++ b/data_sources/aws_cloudtrail_deleteipset.yml
@@ -1,95 +1,96 @@
name: AWS CloudTrail DeleteIPSet
id: ebdeeb63-77a0-4808-a6fe-549956731377
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of an IP set in AWS WAF or GuardDuty, including details about the IP set ID and its associated configurations.
+description: Logs the deletion of an IP set in AWS WAF or GuardDuty, including details
+ about the IP set ID and its associated configurations.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
-- Firewall Rule Modification
+ - Cloud Service Modification
+ - Cloud Service Metadata
+ - Firewall Rule Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteIPSet
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.detectorId
-- requestParameters.ipSetId
-- responseElements.__type
-- responseElements.message
-- result_id
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.detectorId
+ - requestParameters.ipSetId
+ - responseElements.__type
+ - responseElements.message
+ - result_id
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_deleteloggroup.yml b/data_sources/aws_cloudtrail_deleteloggroup.yml
index 04895c5bab..3aafeff30a 100644
--- a/data_sources/aws_cloudtrail_deleteloggroup.yml
+++ b/data_sources/aws_cloudtrail_deleteloggroup.yml
@@ -1,97 +1,98 @@
name: AWS CloudTrail DeleteLogGroup
id: 60cf6a69-fa43-4a6c-8808-e9fb46bf387f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of a CloudWatch log group, including details about the log group name and associated resources.
+description: Logs the deletion of a CloudWatch log group, including details about
+ the log group name and associated resources.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
-- Application Log Content
-- Host Status
+ - Cloud Service Modification
+ - Cloud Service Metadata
+ - Application Log Content
+ - Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteLogGroup
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- apiVersion
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.logGroupName
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - apiVersion
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.logGroupName
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
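Review bot: The rewrapped description at the top of the hunk promises "details about the log group name and associated resources", but the only request-level field the hunk lists is `requestParameters.logGroupName` (plus an opaque `responseElements`), so the "associated resources" part is not backed by anything this data source carries. That matters because detection authors pick a source by its description, so it should only claim what the fields deliver; I would trim it to `description: Logs the deletion of a CloudWatch Logs log group; the target is carried in requestParameters.logGroupName.` If the mitre_components list is meant to support Impair Defenses (disable or modify cloud logs), `  - Cloud Service Disable` is the ATT&CK data component that names that outcome and it is absent, while `Host Status` is a weaker fit for a cloud-side log deletion.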
diff --git a/data_sources/aws_cloudtrail_deletelogstream.yml b/data_sources/aws_cloudtrail_deletelogstream.yml
index 998218f3d2..7f4805833e 100644
--- a/data_sources/aws_cloudtrail_deletelogstream.yml
+++ b/data_sources/aws_cloudtrail_deletelogstream.yml
@@ -1,98 +1,99 @@
name: AWS CloudTrail DeleteLogStream
id: 6f8bb808-89f8-465e-a34d-229df2f46402
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of a log stream within a CloudWatch log group, including details about the stream name and associated log group.
+description: Logs the deletion of a log stream within a CloudWatch log group, including
+ details about the stream name and associated log group.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
-- Application Log Content
-- Host Status
+ - Cloud Service Modification
+ - Cloud Service Metadata
+ - Application Log Content
+ - Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteLogStream
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- apiVersion
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.logGroupName
-- requestParameters.logStreamName
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - apiVersion
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.logGroupName
+ - requestParameters.logStreamName
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
diff --git a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
index ce7ac268b0..deca786012 100644
--- a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
@@ -1,104 +1,105 @@
name: AWS CloudTrail DeleteNetworkAclEntry
id: a0dd0f10-cc03-425d-bd5a-e1e0d954b856
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of a network ACL entry in AWS, including details about the rule number and associated network ACL.
+description: Logs the deletion of a network ACL entry in AWS, including details about
+ the rule number and associated network ACL.
mitre_components:
-- Firewall Rule Modification
-- Cloud Service Modification
-- Cloud Service Metadata
+ - Firewall Rule Modification
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteNetworkAclEntry
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- direction
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.egress
-- requestParameters.networkAclId
-- requestParameters.ruleNumber
-- responseElements._return
-- responseElements.requestId
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - direction
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.egress
+ - requestParameters.networkAclId
+ - requestParameters.ruleNumber
+ - responseElements._return
+ - responseElements.requestId
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLF3F7BXZK", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_deletepolicy.yml b/data_sources/aws_cloudtrail_deletepolicy.yml
index fd3dbe18c2..62fa46bbd0 100644
--- a/data_sources/aws_cloudtrail_deletepolicy.yml
+++ b/data_sources/aws_cloudtrail_deletepolicy.yml
@@ -1,98 +1,99 @@
name: AWS CloudTrail DeletePolicy
id: d190d23a-2c59-4a0e-9c55-a53ebef28ee5
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of an IAM policy in AWS, including details about the policy name and its associated roles or users.
+description: Logs the deletion of an IAM policy in AWS, including details about the
+ policy name and its associated roles or users.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeletePolicy
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- errorMessage
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- reason
-- recipientAccountId
-- region
-- requestID
-- requestParameters.policyArn
-- responseElements
-- result
-- result_id
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - errorMessage
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - reason
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.policyArn
+ - responseElements
+ - result
+ - result_id
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::151521547504:user/bhavin_cli", "accountId":
"151521547504", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
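Review bot: The rewrapped description says the event carries "the policy name and its associated roles or users", but the hunk's field list has only `requestParameters.policyArn`; a CloudTrail DeletePolicy record does not enumerate attached principals, and IAM rejects the call while any entity is still attached, so the claim cannot hold for this data source. I would rewrite it as `description: Logs the deletion of a customer-managed IAM policy; the target is identified only by requestParameters.policyArn (IAM rejects the call while the policy is still attached to any user, group or role).` Separately, the unchanged example_log below uses account id `151521547504` while every sibling data source in this patch masks the account as `111111111111`; if that is a real account id it should be masked the same way for consistency with the rest of the corpus.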
diff --git a/data_sources/aws_cloudtrail_deleterule.yml b/data_sources/aws_cloudtrail_deleterule.yml
index b5bf81865b..b5f3c819fa 100644
--- a/data_sources/aws_cloudtrail_deleterule.yml
+++ b/data_sources/aws_cloudtrail_deleterule.yml
@@ -1,98 +1,99 @@
name: AWS CloudTrail DeleteRule
id: b5760623-f3ca-492d-a372-d5c2b3567dfc
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of an event rule in AWS EventBridge, including details about the rule name and its associated targets or schedules.
+description: Logs the deletion of an event rule in AWS EventBridge, including details
+ about the rule name and its associated targets or schedules.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
-- Scheduled Job Modification
-- Application Log Content
+ - Cloud Service Modification
+ - Cloud Service Metadata
+ - Scheduled Job Modification
+ - Application Log Content
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteRule
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- apiVersion
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.changeToken
-- requestParameters.ruleId
-- responseElements.changeToken
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - apiVersion
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.changeToken
+ - requestParameters.ruleId
+ - responseElements.changeToken
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
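Review bot: The description and the `Scheduled Job Modification` component describe an EventBridge rule deletion, but the request parameters the hunk lists — `requestParameters.changeToken`, `requestParameters.ruleId`, `responseElements.changeToken` — are the signature of the WAF Classic `DeleteRule` API (waf / waf-regional), not EventBridge's, whose DeleteRule takes `Name` and `EventBusName` and has no change token. As written the data source documents one service while its field list comes from another, which will mislead anyone building a scheduled-task detection on it. Since `eventName=DeleteRule` alone is shared by several eventSources, I would state the service explicitly — `description: Logs the deletion of a WAF Classic rule (eventSource waf.amazonaws.com or waf-regional.amazonaws.com); the target is requestParameters.ruleId.` — and drop `Scheduled Job Modification`, or qualify the separator by eventSource if the data-source schema supports more than one separator. The example_log is cut off by the hunk boundary, so I could not confirm the eventSource from it.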
diff --git a/data_sources/aws_cloudtrail_deletesnapshot.yml b/data_sources/aws_cloudtrail_deletesnapshot.yml
index dc157cb6bd..62a075237d 100644
--- a/data_sources/aws_cloudtrail_deletesnapshot.yml
+++ b/data_sources/aws_cloudtrail_deletesnapshot.yml
@@ -1,139 +1,140 @@
name: AWS CloudTrail DeleteSnapshot
id: b0731ac8-0992-4de8-b000-2c7d0fc2a61f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Bhavin Patel, Splunk
-description: Logs the deletion of a cloud resource snapshot, such as an Amazon EBS snapshot, including details about the snapshot ID and associated resource.
+description: Logs the deletion of a cloud resource snapshot, such as an Amazon EBS
+ snapshot, including details about the snapshot ID and associated resource.
mitre_components:
-- Snapshot Deletion
-- Snapshot Metadata
-- Cloud Service Modification
-- Cloud Service Metadata
+ - Snapshot Deletion
+ - Snapshot Metadata
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteSnapshot
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- authentication_method
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- desc
-- dest
-- dest_ip_range
-- dest_port_range
-- direction
-- dvc
-- errorCode
-- errorMessage
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- image_id
-- index
-- instance_type
-- linecount
-- managementEvent
-- msg
-- object
-- object_attrs
-- object_category
-- object_id
-- product
-- protocol
-- protocol_code
-- punct
-- readOnly
-- reason
-- recipientAccountId
-- region
-- requestID
-- requestParameters.force
-- requestParameters.snapshotId
-- responseElements
-- responseElements._return
-- responseElements.requestId
-- result
-- result_id
-- rule_action
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- splunk_server_group
-- src
-- src_ip
-- src_ip_range
-- src_port_range
-- src_user
-- src_user_id
-- src_user_name
-- src_user_role
-- src_user_type
-- start_time
-- status
-- tag
-- tag::action
-- tag::eventtype
-- tag::object_category
-- temp_access_key
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_role
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - authentication_method
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - desc
+ - dest
+ - dest_ip_range
+ - dest_port_range
+ - direction
+ - dvc
+ - errorCode
+ - errorMessage
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - image_id
+ - index
+ - instance_type
+ - linecount
+ - managementEvent
+ - msg
+ - object
+ - object_attrs
+ - object_category
+ - object_id
+ - product
+ - protocol
+ - protocol_code
+ - punct
+ - readOnly
+ - reason
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.force
+ - requestParameters.snapshotId
+ - responseElements
+ - responseElements._return
+ - responseElements.requestId
+ - result
+ - result_id
+ - rule_action
+ - sessionCredentialFromConsole
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - splunk_server_group
+ - src
+ - src_ip
+ - src_ip_range
+ - src_port_range
+ - src_user
+ - src_user_id
+ - src_user_name
+ - src_user_role
+ - src_user_type
+ - start_time
+ - status
+ - tag
+ - tag::action
+ - tag::eventtype
+ - tag::object_category
+ - temp_access_key
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_role
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.09", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLDF6WPXXXX:daftpunk@splunk.com", "arn": "arn:aws:sts::11111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/daftpunk@splunk.com",
"accountId": "11111111111111", "accessKeyId": "AAAAAAAAAAAAAAAAAA", "sessionContext":
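Review bot: Several fields in the rewritten list have nothing to do with an EBS DeleteSnapshot call — `dest_ip_range`, `dest_port_range`, `src_ip_range`, `src_port_range`, `protocol`, `protocol_code`, `rule_action`, `direction`, `image_id`, `instance_type` — and look like security-group and instance fields that leaked in from a broader search when the list was generated. Presumably the list came from a fieldsummary over mixed events; if so it should be regenerated against `eventName=DeleteSnapshot` only, because detections that key on these names will silently match nothing. If the add-on genuinely emits them for this event, a one-line comment above the list, e.g. `# network/instance fields below are produced by the AWS TA field aliases; DeleteSnapshot itself carries no network data`, would stop the next reviewer from asking the same question.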
diff --git a/data_sources/aws_cloudtrail_deletetrail.yml b/data_sources/aws_cloudtrail_deletetrail.yml
index 50d8ba5c17..2d077d3400 100644
--- a/data_sources/aws_cloudtrail_deletetrail.yml
+++ b/data_sources/aws_cloudtrail_deletetrail.yml
@@ -1,96 +1,97 @@
name: AWS CloudTrail DeleteTrail
id: a5af09ff-07b6-4df6-92a0-2146bfe402c8
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of an AWS CloudTrail trail, including details about the trail name and its associated logging configurations.
+description: Logs the deletion of an AWS CloudTrail trail, including details about
+ the trail name and its associated logging configurations.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
-- Application Log Content
-- Host Status
+ - Cloud Service Modification
+ - Cloud Service Metadata
+ - Application Log Content
+ - Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteTrail
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.name
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.name
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"},
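Review bot: `mitre_components` for a trail deletion still lacks `Cloud Service Disable`, the ATT&CK data component through which Impair Defenses: Disable or Modify Cloud Logs is detected; the four listed components (Cloud Service Modification, Cloud Service Metadata, Application Log Content, Host Status) describe configuration change and health, not the logging outage that DeleteTrail causes. Since this is the commit that revisits descriptions and components, I would add `  - Cloud Service Disable` to the list. The description could also say what the event cannot tell you afterwards: `description: Logs the deletion of a CloudTrail trail (requestParameters.name); the trail stops delivering events from this point, so later activity it covered may be invisible to downstream detections.`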
diff --git a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
index 64de0ba5eb..ba7bd9f0b0 100644
--- a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
@@ -1,96 +1,97 @@
name: AWS CloudTrail DeleteVirtualMFADevice
id: 84a08d6b-3d59-4260-8cab-84278ada262f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a virtual Multi-Factor Authentication (MFA) device is deleted in AWS CloudTrail.
+description: Logs an event when a virtual Multi-Factor Authentication (MFA) device
+ is deleted in AWS CloudTrail.
mitre_components:
-- User Account Authentication
-- User Account Deletion
+ - User Account Authentication
+ - User Account Deletion
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteVirtualMFADevice
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.serialNumber
-- responseElements
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.serialNumber
+ - responseElements
+ - sessionCredentialFromConsole
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
"111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111",
"accessKeyId": "ASIASBMSCQHHWAIHMHUX", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
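Review bot: `User Account Deletion` in mitre_components mis-describes this event — DeleteVirtualMFADevice removes an MFA device, not a user, and the ATT&CK component for a change to an account's authentication factors is `User Account Modification` (the one Modify Authentication Process: Multi-Factor Authentication is detected through). I would replace that line with `  - User Account Modification`. Note also that the only target identifier the hunk lists is `requestParameters.serialNumber`; the affected user is not a separate field, so the description should say so, e.g. `description: Logs the deletion of a virtual MFA device in IAM; the device is identified by requestParameters.serialNumber (an mfa/ ARN), and the owning user can usually be inferred from that ARN or from the preceding DeactivateMFADevice event rather than read directly.`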
diff --git a/data_sources/aws_cloudtrail_deletewebacl.yml b/data_sources/aws_cloudtrail_deletewebacl.yml
index 8d9c4b1cb9..dad7353b3b 100644
--- a/data_sources/aws_cloudtrail_deletewebacl.yml
+++ b/data_sources/aws_cloudtrail_deletewebacl.yml
@@ -1,96 +1,97 @@
name: AWS CloudTrail DeleteWebACL
id: 90da5f08-7961-4c29-8de8-01364982aadf
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a Web Access Control List (WebACL) is deleted in AWS CloudTrail.
+description: Logs an event when a Web Access Control List (WebACL) is deleted in AWS
+ CloudTrail.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteWebACL
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- apiVersion
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.changeToken
-- requestParameters.webACLId
-- responseElements.changeToken
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - apiVersion
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.changeToken
+ - requestParameters.webACLId
+ - responseElements.changeToken
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
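Review bot: The example_log on the new side (the context lines closing this hunk) still carries what looks like a real long-term access key ID, `"accessKeyId": "AKIAYTOGP2RLFLKADUVG"`, next to a personal IAM user name (`user/gowthamaraj_cli`), even though the account ID was sanitized to 111111111111. A key ID is not a secret by itself, but it identifies a real principal in a presumably published corpus and is exactly the kind of identifier credential scanners collect; since the file is being re-versioned anyway, replace it with the documented placeholder `"accessKeyId": "AKIAIOSFODNN7EXAMPLE"` and a generic name such as `user/test_user`, as the DescribeImageScanFindings sample in this same patch already does. Separately, the hunk bumps `version` to 2 and advances `date` while the only content change is sequence indentation and description wrapping, so the commit message should say the bump is cosmetic. The example_log scalar continues past the end of the hunk.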
diff --git a/data_sources/aws_cloudtrail_describeeventaggregates.yml b/data_sources/aws_cloudtrail_describeeventaggregates.yml
index 68042cdaa6..51c3b5464a 100644
--- a/data_sources/aws_cloudtrail_describeeventaggregates.yml
+++ b/data_sources/aws_cloudtrail_describeeventaggregates.yml
@@ -1,92 +1,93 @@
name: AWS CloudTrail DescribeEventAggregates
id: 7efe4afe-62ae-4f96-81d1-76598ea37fc2
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when aggregate details about AWS events are queried, often for analysis.
+description: Logs an event when aggregate details about AWS events are queried, often
+ for analysis.
mitre_components:
-- Cloud Service Enumeration
-- Cloud Service Metadata
+ - Cloud Service Enumeration
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DescribeEventAggregates
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.aggregateField
-- requestParameters.filter.eventStatusCodes{}
-- requestParameters.filter.startTimes{}.from
-- responseElements
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.aggregateField
+ - requestParameters.filter.eventStatusCodes{}
+ - requestParameters.filter.startTimes{}.from
+ - responseElements
+ - sessionCredentialFromConsole
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
"140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
"accessKeyId": "ASIASBMSCQHHQQ6LB24V", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
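Review bot: The example_log closing this hunk appears to use an unsanitized AWS account ID, `"accountId": "140429656527"`, repeated in `principalId` and in the root ARN, whereas every other sample in this patch uses the placeholder 111111111111. An account ID is not a credential, but a root-principal event tied to what looks like a real account is needless exposure in a presumably public corpus, and the same temporary-key prefix (`ASIASBMSCQHH`) shows up in a neighbouring sample whose account ID was sanitized, suggesting the scrubbing was applied unevenly. Since the file is already being re-versioned, replace the three occurrences with `111111111111` and swap the key ID for an obviously synthetic value. The example_log scalar continues past the end of the hunk.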
diff --git a/data_sources/aws_cloudtrail_describeimagescanfindings.yml b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
index d29dc3e798..fab3a5b39f 100644
--- a/data_sources/aws_cloudtrail_describeimagescanfindings.yml
+++ b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
@@ -1,900 +1,985 @@
name: AWS CloudTrail DescribeImageScanFindings
id: 688ea789-9ba2-4970-90a2-17e541e273c9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when findings from an image vulnerability scan are described using the DescribeImageScanFindings operation in AWS CloudTrail.
+description: Logs an event when findings from an image vulnerability scan are described
+ using the DescribeImageScanFindings operation in AWS CloudTrail.
mitre_components:
-- Image Metadata
-- Image Modification
-- Malware Metadata
+ - Image Metadata
+ - Image Modification
+ - Malware Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DescribeImageScanFindings
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.imageId.imageDigest
-- requestParameters.maxResults
-- requestParameters.repositoryName
-- responseElements.imageId.imageDigest
-- responseElements.imageScanFindings.findingSeverityCounts.HIGH
-- responseElements.imageScanFindings.findingSeverityCounts.INFORMATIONAL
-- responseElements.imageScanFindings.findingSeverityCounts.LOW
-- responseElements.imageScanFindings.findingSeverityCounts.MEDIUM
-- responseElements.imageScanFindings.findingSeverityCounts.UNDEFINED
-- responseElements.imageScanFindings.findings{}.attributes{}.key
-- responseElements.imageScanFindings.findings{}.attributes{}.value
-- responseElements.imageScanFindings.findings{}.description
-- responseElements.imageScanFindings.findings{}.name
-- responseElements.imageScanFindings.findings{}.severity
-- responseElements.imageScanFindings.findings{}.uri
-- responseElements.imageScanFindings.imageScanCompletedAt
-- responseElements.imageScanFindings.vulnerabilitySourceUpdatedAt
-- responseElements.imageScanStatus.description
-- responseElements.imageScanStatus.status
-- responseElements.registryId
-- responseElements.repositoryName
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
- "AAAAAAAAAAAAAAAAAAAAA:test@test.com", "arn": "arn:aws:sts::111111111111:assumed-role/role_name/test@test.com",
- "accountId": "111111111111", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext":
- {"sessionIssuer": {"type": "Role", "principalId": "AKIAIOSFODNN7EXAMPLE", "arn":
- "arn:aws:iam::111111111111:role/aws-reserved/test/region/group", "accountId": "111111111111",
- "userName": "test"}, "webIdFederationData": {}, "attributes": {"creationDate": "2021-08-11T09:42:53Z",
- "mfaAuthenticated": "false"}}}, "eventTime": "2021-08-11T11:52:27Z", "eventSource":
- "ecr.amazonaws.com", "eventName": "DescribeImageScanFindings", "awsRegion": "eu-central-1",
- "sourceIPAddress": "154.16.165.133", "userAgent": "aws-internal/3 aws-sdk-java/1.11.1030
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.imageId.imageDigest
+ - requestParameters.maxResults
+ - requestParameters.repositoryName
+ - responseElements.imageId.imageDigest
+ - responseElements.imageScanFindings.findingSeverityCounts.HIGH
+ - responseElements.imageScanFindings.findingSeverityCounts.INFORMATIONAL
+ - responseElements.imageScanFindings.findingSeverityCounts.LOW
+ - responseElements.imageScanFindings.findingSeverityCounts.MEDIUM
+ - responseElements.imageScanFindings.findingSeverityCounts.UNDEFINED
+ - responseElements.imageScanFindings.findings{}.attributes{}.key
+ - responseElements.imageScanFindings.findings{}.attributes{}.value
+ - responseElements.imageScanFindings.findings{}.description
+ - responseElements.imageScanFindings.findings{}.name
+ - responseElements.imageScanFindings.findings{}.severity
+ - responseElements.imageScanFindings.findings{}.uri
+ - responseElements.imageScanFindings.imageScanCompletedAt
+ - responseElements.imageScanFindings.vulnerabilitySourceUpdatedAt
+ - responseElements.imageScanStatus.description
+ - responseElements.imageScanStatus.status
+ - responseElements.registryId
+ - responseElements.repositoryName
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
+example_log: "{\"eventVersion\": \"1.08\", \"userIdentity\": {\"type\": \"AssumedRole\"\
+ , \"principalId\": \"AAAAAAAAAAAAAAAAAAAAA:test@test.com\", \"arn\": \"arn:aws:sts::111111111111:assumed-role/role_name/test@test.com\"\
+ , \"accountId\": \"111111111111\", \"accessKeyId\": \"AKIAIOSFODNN7EXAMPLE\", \"\
+ sessionContext\": {\"sessionIssuer\": {\"type\": \"Role\", \"principalId\": \"AKIAIOSFODNN7EXAMPLE\"\
+ , \"arn\": \"arn:aws:iam::111111111111:role/aws-reserved/test/region/group\", \"\
+ accountId\": \"111111111111\", \"userName\": \"test\"}, \"webIdFederationData\"
+ : {}, \"attributes\": {\"creationDate\": \"2021-08-11T09:42:53Z\", \"mfaAuthenticated\"\
+ : \"false\"}}}, \"eventTime\": \"2021-08-11T11:52:27Z\", \"eventSource\": \"ecr.amazonaws.com\"\
+ , \"eventName\": \"DescribeImageScanFindings\", \"awsRegion\": \"eu-central-1\"
+ , \"sourceIPAddress\": \"154.16.165.133\", \"userAgent\": \"aws-internal/3 aws-sdk-java/1.11.1030
Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08
- java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/legacy", "requestParameters":
- {"repositoryName": "devsecops/cat_dog_client", "imageId": {"imageDigest": "sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6"},
- "maxResults": 1000}, "responseElements": {"registryId": "111111111111", "repositoryName":
- "devsecops/cat_dog_client", "imageId": {"imageDigest": "sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6"},
- "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed
- successfully."}, "imageScanFindings": {"imageScanCompletedAt": "Aug 11, 2021, 11:30:16
- AM", "vulnerabilitySourceUpdatedAt": "Aug 11, 2021, 1:17:52 AM", "findings": [{"name":
- "CVE-2019-25013", "description": "The iconv feature in the GNU C Library (aka glibc
- or libc6) through 2.32, when processing invalid multi-byte input sequences in the
- EUC-KR encoding, may have a buffer over-read.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-25013",
- "severity": "HIGH", "attributes": [{"key": "package_version", "value": "2.28-10"},
- {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:C"},
- {"key": "CVSS2_SCORE", "value": "7.1"}]}, {"name": "CVE-2021-33574", "description":
- "The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33
- has a use-after-free. It may use the notification thread attributes object (passed
- through its struct sigevent parameter) after it has been freed by the caller, leading
- to a denial of service (application crash) or possibly unspecified other impact.",
- "uri": "https://security-tracker.debian.org/tracker/CVE-2021-33574", "severity":
- "HIGH", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
- "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2018-12886", "description":
- "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c
- in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate
- instruction sequences when targeting ARM targets that spill the address of the stack
- protector guard, which allows an attacker to bypass the protection of -fstack-protector,
- -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit
- against stack overflow by controlling what the stack canary is compared against.",
- "uri": "https://security-tracker.debian.org/tracker/CVE-2018-12886", "severity":
- "MEDIUM", "attributes": [{"key": "package_version", "value": "8.3.0-6"}, {"key":
- "package_name", "value": "gcc-8"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-1751", "description":
- "An out-of-bounds write vulnerability was found in glibc before 2.31 when handling
- signal trampolines on PowerPC. Specifically, the backtrace function did not properly
- check the array bounds when storing the frame address, resulting in a denial of
- service or potential code execution. The highest threat from this vulnerability
- is to system availability.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-1751",
- "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.28-10"},
- {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:P/I:P/A:C"},
- {"key": "CVSS2_SCORE", "value": "5.9"}]}, {"name": "CVE-2021-3326", "description":
- "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier,
- when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an
- assertion in the code path and aborts the program, potentially resulting in a denial
- of service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-3326",
- "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.28-10"},
- {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-35942", "description":
- "The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or
- read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted,
- crafted pattern, potentially resulting in a denial of service or disclosure of information.
- This occurs because atoi was used but strtoul should have been used to ensure correct
- calculations.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-35942",
- "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.28-10"},
- {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "6.4"}]}, {"name": "CVE-2019-12904", "description":
- "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload
- side-channel attack because physical addresses are available to other processes.
- (The C implementation is used on platforms where an assembly-language implementation
- is unavailable.)", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-12904",
- "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "1.8.4-5+deb10u1"},
- {"key": "package_name", "value": "libgcrypt20"}, {"key": "CVSS2_VECTOR", "value":
- "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name":
- "CVE-2017-6363", "description": "** DISPUTED ** In the GD Graphics Library (aka
- LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c.
- NOTE: the vendor says \"In my opinion this issue should not have a CVE, since the
- GD and GD2 formats are documented to be ''obsolete, and should only be used for
- development and testing purposes.''\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-6363",
- "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.2.5-5.2"},
- {"key": "package_name", "value": "libgd2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2019-12290", "description":
- "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490
- Section 4.2 when converting A-labels to U-labels. This makes it possible in some
- circumstances for one domain to impersonate another. By creating a malicious domain
- that matches a target domain except for the inclusion of certain punycoded Unicode
- characters (that would be discarded when converted first to a Unicode label and
- then back to an ASCII label), arbitrary domains can be impersonated.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-12290",
- "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.0.5-1+deb10u1"},
- {"key": "package_name", "value": "libidn2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"},
- {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-13115", "description":
- "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange
+ java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/legacy\", \"requestParameters\"\
+ : {\"repositoryName\": \"devsecops/cat_dog_client\", \"imageId\": {\"imageDigest\"\
+ : \"sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6\"},
+ \"maxResults\": 1000}, \"responseElements\": {\"registryId\": \"111111111111\",
+ \"repositoryName\": \"devsecops/cat_dog_client\", \"imageId\": {\"imageDigest\"
+ : \"sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6\"},
+ \"imageScanStatus\": {\"status\": \"COMPLETE\", \"description\": \"The scan was
+ completed successfully.\"}, \"imageScanFindings\": {\"imageScanCompletedAt\": \"\
+ Aug 11, 2021, 11:30:16 AM\", \"vulnerabilitySourceUpdatedAt\": \"Aug 11, 2021, 1:17:52
+ AM\", \"findings\": [{\"name\": \"CVE-2019-25013\", \"description\": \"The iconv
+ feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing
+ invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-25013\", \"severity\"\
+ : \"HIGH\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"2.28-10\"\
+ }, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"CVSS2_VECTOR\"\
+ , \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:C\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
+ : \"7.1\"}]}, {\"name\": \"CVE-2021-33574\", \"description\": \"The mq_notify function
+ in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It
+ may use the notification thread attributes object (passed through its struct sigevent
+ parameter) after it has been freed by the caller, leading to a denial of service
+ (application crash) or possibly unspecified other impact.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-33574\"\
+ , \"severity\": \"HIGH\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"7.5\"}]}, {\"name\": \"CVE-2018-12886\", \"description\": \"stack_protect_prologue
+ in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection
+ (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences
+ when targeting ARM targets that spill the address of the stack protector guard,
+ which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all,
+ -fstack-protector-strong, and -fstack-protector-explicit against stack overflow
+ by controlling what the stack canary is compared against.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-12886\"\
+ , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"8.3.0-6\"}, {\"key\": \"package_name\", \"value\": \"gcc-8\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"6.8\"}]}, {\"name\": \"CVE-2020-1751\", \"description\": \"An out-of-bounds
+ write vulnerability was found in glibc before 2.31 when handling signal trampolines
+ on PowerPC. Specifically, the backtrace function did not properly check the array
+ bounds when storing the frame address, resulting in a denial of service or potential
+ code execution. The highest threat from this vulnerability is to system availability.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-1751\", \"severity\"\
+ : \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"2.28-10\"\
+ }, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"CVSS2_VECTOR\"\
+ , \"value\": \"AV:L/AC:M/Au:N/C:P/I:P/A:C\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
+ : \"5.9\"}]}, {\"name\": \"CVE-2021-3326\", \"description\": \"The iconv function
+ in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid
+ input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path
+ and aborts the program, potentially resulting in a denial of service.\", \"uri\"\
+ : \"https://security-tracker.debian.org/tracker/CVE-2021-3326\", \"severity\": \"\
+ MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"2.28-10\"\
+ }, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"CVSS2_VECTOR\"\
+ , \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
+ : \"5\"}]}, {\"name\": \"CVE-2021-35942\", \"description\": \"The wordexp function
+ in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory
+ in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern,
+ potentially resulting in a denial of service or disclosure of information. This
+ occurs because atoi was used but strtoul should have been used to ensure correct
+ calculations.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-35942\"\
+ , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"6.4\"}]}, {\"name\": \"CVE-2019-12904\", \"description\": \"In Libgcrypt
+ 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel
+ attack because physical addresses are available to other processes. (The C implementation
+ is used on platforms where an assembly-language implementation is unavailable.)\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-12904\", \"severity\"\
+ : \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"1.8.4-5+deb10u1\"\
+ }, {\"key\": \"package_name\", \"value\": \"libgcrypt20\"}, {\"key\": \"CVSS2_VECTOR\"\
+ , \"value\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
+ : \"4.3\"}]}, {\"name\": \"CVE-2017-6363\", \"description\": \"** DISPUTED ** In
+ the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer
+ over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says \\\"In my opinion this
+ issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete,
+ and should only be used for development and testing purposes.'\\\"\", \"uri\": \"\
+ https://security-tracker.debian.org/tracker/CVE-2017-6363\", \"severity\": \"MEDIUM\"\
+ , \"attributes\": [{\"key\": \"package_version\", \"value\": \"2.2.5-5.2\"}, {\"\
+ key\": \"package_name\", \"value\": \"libgd2\"}, {\"key\": \"CVSS2_VECTOR\", \"\
+ value\": \"AV:N/AC:M/Au:N/C:P/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\":
+ \"5.8\"}]}, {\"name\": \"CVE-2019-12290\", \"description\": \"GNU libidn2 before
+ 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when
+ converting A-labels to U-labels. This makes it possible in some circumstances for
+ one domain to impersonate another. By creating a malicious domain that matches a
+ target domain except for the inclusion of certain punycoded Unicode characters (that
+ would be discarded when converted first to a Unicode label and then back to an ASCII
+ label), arbitrary domains can be impersonated.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-12290\"\
+ , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.0.5-1+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libidn2\"}, {\"\
+ key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\"}, {\"key\": \"\
+ CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2019-13115\", \"description\"\
+ : \"In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange
in kex.c has an integer overflow that could lead to an out-of-bounds read in the
way packets are read from the server. A remote attacker who compromises a SSH server
may be able to disclose sensitive information or cause a denial of service condition
on the client system when a user connects to the server. This is related to an _libssh2_check_length
- mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.",
- "uri": "https://security-tracker.debian.org/tracker/CVE-2019-13115", "severity":
- "MEDIUM", "attributes": [{"key": "package_version", "value": "1.8.0-2.1"}, {"key":
- "package_name", "value": "libssh2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2016-9318", "description":
- "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products,
- does not offer a flag directly indicating that the current document may be read
- but other files may not be opened, which makes it easier for remote attackers to
- conduct XML External Entity (XXE) attacks via a crafted document.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-9318",
- "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.9.4+dfsg1-7+deb10u2"},
- {"key": "package_name", "value": "libxml2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:N"},
- {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2017-16932", "description":
- "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter
- entities.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-16932",
- "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.9.4+dfsg1-7+deb10u2"},
- {"key": "package_name", "value": "libxml2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-36309", "description":
- "ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe
- characters in an argument when using the API to mutate a URI, or a request or response
- header.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-36309", "severity":
- "MEDIUM", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"},
- {"key": "package_name", "value": "nginx"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"},
- {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-14155", "description":
- "libpcre in PCRE before 8.44 allows an integer overflow via a large number after
- a (?C substring.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-14155",
- "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2:8.39-12"},
- {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-3843", "description":
- "It was discovered that a systemd service that uses DynamicUser property can create
- a SUID/SGID binary that would be allowed to run as the transient service UID/GID
- even after the service is terminated. A local attacker may use this flaw to access
- resources that will be owned by a potentially different service in the future, when
- the UID/GID will be recycled.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-3843",
- "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"},
- {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "4.6"}]}, {"name": "CVE-2019-3844", "description":
- "It was discovered that a systemd service that uses DynamicUser property can get
- new privileges through the execution of SUID binaries, which would allow to create
- binaries owned by the service transient group with the setgid bit set. A local attacker
- may use this flaw to access resources that will be owned by a potentially different
- service in the future, when the GID will be recycled.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-3844",
- "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"},
- {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "4.6"}]}, {"name": "CVE-2016-2781", "description":
- "chroot in GNU coreutils, when used with --userspec, allows local users to escape
- to the parent session via a crafted TIOCSTI ioctl call, which pushes characters
- to the terminal''s input buffer.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-2781",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "8.30-3"},
- {"key": "package_name", "value": "coreutils"}, {"key": "CVSS2_VECTOR", "value":
- "AV:L/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name":
- "CVE-2021-22898", "description": "curl 7.7 through 7.76.1 suffers from an information
- disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in
- libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw
- in the option parser for sending NEW_ENV variables, libcurl could be made to pass
- on uninitialized data from a stack based buffer to the server, resulting in potentially
- revealing sensitive internal information to the server using a clear-text network
- protocol.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22898",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "7.64.0-4+deb10u2"},
- {"key": "package_name", "value": "curl"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:H/Au:N/C:P/I:N/A:N"},
- {"key": "CVSS2_SCORE", "value": "2.6"}]}, {"name": "CVE-2019-15847", "description":
- "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize
- multiple calls of the __builtin_darn intrinsic into a single call, thus reducing
- the entropy of the random number generator. This occurred because a volatile operation
- was not specified. For example, within a single execution of a program, the output
- of every __builtin_darn() call may be the same.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-15847",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "8.3.0-6"},
- {"key": "package_name", "value": "gcc-8"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},
- {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-1752", "description":
- "A use-after-free vulnerability introduced in glibc upstream version 2.14 was found
- in the way the tilde expansion was carried out. Directory paths containing an initial
- tilde followed by a valid username were affected by this issue. A local attacker
- could exploit this flaw by creating a specially crafted path that, when processed
- by the glob function, would potentially lead to arbitrary code execution. This was
- fixed in version 2.32.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-1752",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"},
- {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:H/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "3.7"}]}, {"name": "CVE-2020-6096", "description":
- "An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation
- of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU
- glibc implementation) with a negative value for the ''num'' parameter results in
- a signed comparison vulnerability. If an attacker underflows the ''num'' parameter
- to memcpy(), this vulnerability could lead to undefined behavior such as writing
- to out-of-bounds memory and potentially remote code execution. Furthermore, this
- memcpy() implementation allows for program execution to continue in scenarios where
- a segmentation fault or crash should have occurred. The dangers occur in that subsequent
- execution and iterations of this code will be executed with this corrupted data.",
- "uri": "https://security-tracker.debian.org/tracker/CVE-2020-6096", "severity":
- "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
- "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-10029", "description":
- "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer
- during range reduction if an input to an 80-bit long double function contains a
- non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to
- sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.",
- "uri": "https://security-tracker.debian.org/tracker/CVE-2020-10029", "severity":
- "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
- "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2020-27618", "description":
- "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier,
- when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388,
- IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead
- to an infinite loop in applications, resulting in a denial of service, a different
- vulnerability from CVE-2016-10228.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-27618",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"},
- {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2016-10228", "description":
- "The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when
- invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE)
- along with the -c option, enters an infinite loop when processing invalid multi-byte
- input sequences, leading to a denial of service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-10228",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"},
- {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2019-19126", "description":
- "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to
- ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution
- after a security transition, allowing local attackers to restrict the possible mapping
- addresses for loaded libraries and thus bypass ASLR for a setuid program.", "uri":
- "https://security-tracker.debian.org/tracker/CVE-2019-19126", "severity": "LOW",
- "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
- "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:N/A:N"},
- {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-27645", "description":
- "The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6)
- 2.29 through 2.33, when processing a request for netgroup lookup, may crash due
- to a double-free, potentially resulting in degraded service or Denial of Service
- on the local system. This is related to netgroupcache.c.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-27645",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"},
- {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "1.9"}]}, {"name": "CVE-2019-14855", "description":
- "A flaw was found in the way certificate signatures could be forged using collisions
- found in the SHA-1 algorithm. An attacker could use this weakness to create forged
- certificate signatures. This issue affects GnuPG versions before 2.2.18.", "uri":
- "https://security-tracker.debian.org/tracker/CVE-2019-14855", "severity": "LOW",
- "attributes": [{"key": "package_version", "value": "2.2.12-1+deb10u1"}, {"key":
- "package_name", "value": "gnupg2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},
- {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-13627", "description":
- "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic
+ mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-13115\", \"severity\"\
+ : \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"1.8.0-2.1\"\
+ }, {\"key\": \"package_name\", \"value\": \"libssh2\"}, {\"key\": \"CVSS2_VECTOR\"\
+ , \"value\": \"AV:N/AC:M/Au:N/C:P/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
+ : \"5.8\"}]}, {\"name\": \"CVE-2016-9318\", \"description\": \"libxml2 2.9.4 and
+ earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer
+ a flag directly indicating that the current document may be read but other files
+ may not be opened, which makes it easier for remote attackers to conduct XML External
+ Entity (XXE) attacks via a crafted document.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2016-9318\"\
+ , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.9.4+dfsg1-7+deb10u2\"}, {\"key\": \"package_name\", \"value\": \"libxml2\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2017-16932\", \"description\"\
+ : \"parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter
+ entities.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-16932\"\
+ , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.9.4+dfsg1-7+deb10u2\"}, {\"key\": \"package_name\", \"value\": \"libxml2\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2020-36309\", \"description\"\
+ : \"ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows
+ unsafe characters in an argument when using the API to mutate a URI, or a request
+ or response header.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-36309\"\
+ , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"1.21.1-1~buster\"}, {\"key\": \"package_name\", \"value\": \"nginx\"}, {\"key\"\
+ : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"5\"}]}, {\"name\": \"CVE-2020-14155\", \"description\": \"libpcre
+ in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-14155\", \"severity\"\
+ : \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"2:8.39-12\"\
+ }, {\"key\": \"package_name\", \"value\": \"pcre3\"}, {\"key\": \"CVSS2_VECTOR\"\
+ , \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
+ : \"5\"}]}, {\"name\": \"CVE-2019-3843\", \"description\": \"It was discovered that
+ a systemd service that uses DynamicUser property can create a SUID/SGID binary that
+ would be allowed to run as the transient service UID/GID even after the service
+ is terminated. A local attacker may use this flaw to access resources that will
+ be owned by a potentially different service in the future, when the UID/GID will
+ be recycled.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-3843\"\
+ , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"241-7~deb10u8\"}, {\"key\": \"package_name\", \"value\": \"systemd\"}, {\"key\"\
+ : \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"4.6\"}]}, {\"name\": \"CVE-2019-3844\", \"description\": \"It was
+ discovered that a systemd service that uses DynamicUser property can get new privileges
+ through the execution of SUID binaries, which would allow to create binaries owned
+ by the service transient group with the setgid bit set. A local attacker may use
+ this flaw to access resources that will be owned by a potentially different service
+ in the future, when the GID will be recycled.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-3844\"\
+ , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"241-7~deb10u8\"}, {\"key\": \"package_name\", \"value\": \"systemd\"}, {\"key\"\
+ : \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"4.6\"}]}, {\"name\": \"CVE-2016-2781\", \"description\": \"chroot
+ in GNU coreutils, when used with --userspec, allows local users to escape to the
+ parent session via a crafted TIOCSTI ioctl call, which pushes characters to the
+ terminal's input buffer.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2016-2781\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"8.30-3\"}, {\"key\": \"package_name\", \"value\": \"coreutils\"}, {\"key\":
+ \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:P/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2021-22898\", \"description\": \"curl
+ 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command
+ line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content
+ pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV
+ variables, libcurl could be made to pass on uninitialized data from a stack based
+ buffer to the server, resulting in potentially revealing sensitive internal information
+ to the server using a clear-text network protocol.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-22898\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"7.64.0-4+deb10u2\"}, {\"key\": \"package_name\", \"value\": \"curl\"}, {\"key\"\
+ : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:H/Au:N/C:P/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"2.6\"}]}, {\"name\": \"CVE-2019-15847\", \"description\": \"The POWER9
+ backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple
+ calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy
+ of the random number generator. This occurred because a volatile operation was not
+ specified. For example, within a single execution of a program, the output of every
+ __builtin_darn() call may be the same.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-15847\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"8.3.0-6\"}, {\"key\": \"package_name\", \"value\": \"gcc-8\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"5\"}]}, {\"name\": \"CVE-2020-1752\", \"description\": \"A use-after-free
+ vulnerability introduced in glibc upstream version 2.14 was found in the way the
+ tilde expansion was carried out. Directory paths containing an initial tilde followed
+ by a valid username were affected by this issue. A local attacker could exploit
+ this flaw by creating a specially crafted path that, when processed by the glob
+ function, would potentially lead to arbitrary code execution. This was fixed in
+ version 2.32.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-1752\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:L/AC:H/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"3.7\"}]}, {\"name\": \"CVE-2020-6096\", \"description\": \"An exploitable
+ signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU
+ glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation)
+ with a negative value for the 'num' parameter results in a signed comparison vulnerability.
+ If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could
+ lead to undefined behavior such as writing to out-of-bounds memory and potentially
+ remote code execution. Furthermore, this memcpy() implementation allows for program
+ execution to continue in scenarios where a segmentation fault or crash should have
+ occurred. The dangers occur in that subsequent execution and iterations of this
+ code will be executed with this corrupted data.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-6096\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"6.8\"}]}, {\"name\": \"CVE-2020-10029\", \"description\": \"The GNU
+ C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during
+ range reduction if an input to an 80-bit long double function contains a non-canonical
+ bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets.
+ This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-10029\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2020-27618\", \"description\": \"The iconv
+ function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing
+ invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399
+ encodings, fails to advance the input state, which could lead to an infinite loop
+ in applications, resulting in a denial of service, a different vulnerability from
+ CVE-2016-10228.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-27618\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2016-10228\", \"description\": \"The iconv
+ program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked
+ with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with
+ the -c option, enters an infinite loop when processing invalid multi-byte input
+ sequences, leading to a denial of service.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2016-10228\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"4.3\"}]}, {\"name\": \"CVE-2019-19126\", \"description\": \"On the
+ x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the
+ LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security
+ transition, allowing local attackers to restrict the possible mapping addresses
+ for loaded libraries and thus bypass ASLR for a setuid program.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-19126\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2021-27645\", \"description\": \"The nameserver
+ caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33,
+ when processing a request for netgroup lookup, may crash due to a double-free, potentially
+ resulting in degraded service or Denial of Service on the local system. This is
+ related to netgroupcache.c.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-27645\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:L/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"1.9\"}]}, {\"name\": \"CVE-2019-14855\", \"description\": \"A flaw
+ was found in the way certificate signatures could be forged using collisions found
+ in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate
+ signatures. This issue affects GnuPG versions before 2.2.18.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-14855\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.2.12-1+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"gnupg2\"}, {\"\
+ key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\": \"\
+ CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2019-13627\", \"description\"\
+ : \"It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic
library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions
- fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-13627",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.4-5+deb10u1"},
- {"key": "package_name", "value": "libgcrypt20"}, {"key": "CVSS2_VECTOR", "value":
- "AV:L/AC:H/Au:N/C:P/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "2.6"}]}, {"name":
- "CVE-2018-14553", "description": "gdImageClone in gd.c in libgd 2.1.0-rc2 through
- 2.2.5 has a NULL pointer dereference allowing attackers to crash an application
- via a specific function call sequence. Only affects PHP when linked with an external
- libgd (not bundled).", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-14553",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.2.5-5.2"},
- {"key": "package_name", "value": "libgd2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-36086", "description":
- "The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission
- (called from cil_reset_classperms_set and cil_reset_classperms_list).", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36086",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"},
- {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-36085", "description":
- "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms
- (called from __verify_map_perm_classperms and hashtab_map).", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36085",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"},
- {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-36087", "description":
- "The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any
- (called indirectly from cil_check_neverallow). This occurs because there is sometimes
- a lack of checks for invalid statements in an optional block.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36087",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"},
- {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-36084", "description":
- "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms
- (called from __cil_verify_classpermission and __cil_pre_verify_helper).", "uri":
- "https://security-tracker.debian.org/tracker/CVE-2021-36084", "severity": "LOW",
- "attributes": [{"key": "package_version", "value": "2.8-1"}, {"key": "package_name",
- "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2019-17498", "description":
- "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c
- has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary
- (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be
- able to disclose sensitive information or cause a denial of service condition on
- the client system when a user connects to the server.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-17498",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.0-2.1"},
- {"key": "package_name", "value": "libssh2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2019-17543", "description":
- "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize),
+ fixed: 1.8.5-2 and 1.6.3-2+deb8u7.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-13627\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"1.8.4-5+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libgcrypt20\"},
+ {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:H/Au:N/C:P/I:P/A:N\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"2.6\"}]}, {\"name\": \"CVE-2018-14553\", \"description\"\
+ : \"gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference
+ allowing attackers to crash an application via a specific function call sequence.
+ Only affects PHP when linked with an external libgd (not bundled).\", \"uri\": \"\
+ https://security-tracker.debian.org/tracker/CVE-2018-14553\", \"severity\": \"LOW\"\
+ , \"attributes\": [{\"key\": \"package_version\", \"value\": \"2.2.5-5.2\"}, {\"\
+ key\": \"package_name\", \"value\": \"libgd2\"}, {\"key\": \"CVSS2_VECTOR\", \"\
+ value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\":
+ \"5\"}]}, {\"name\": \"CVE-2021-36086\", \"description\": \"The CIL compiler in
+ SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set
+ and cil_reset_classperms_list).\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-36086\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.8-1\"}, {\"key\": \"package_name\", \"value\": \"libsepol\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2021-36085\", \"description\": \"The CIL
+ compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called
+ from __verify_map_perm_classperms and hashtab_map).\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-36085\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.8-1\"}, {\"key\": \"package_name\", \"value\": \"libsepol\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2021-36087\", \"description\": \"The CIL
+ compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called
+ indirectly from cil_check_neverallow). This occurs because there is sometimes a
+ lack of checks for invalid statements in an optional block.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-36087\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.8-1\"}, {\"key\": \"package_name\", \"value\": \"libsepol\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2021-36084\", \"description\": \"The CIL
+ compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called
+ from __cil_verify_classpermission and __cil_pre_verify_helper).\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-36084\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.8-1\"}, {\"key\": \"package_name\", \"value\": \"libsepol\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2019-17498\", \"description\": \"In libssh2
+ v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer
+ overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds)
+ offset for a subsequent memory read. A crafted SSH server may be able to disclose
+ sensitive information or cause a denial of service condition on the client system
+ when a user connects to the server.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-17498\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"1.8.0-2.1\"}, {\"key\": \"package_name\", \"value\": \"libssh2\"}, {\"key\"
+ : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"5.8\"}]}, {\"name\": \"CVE-2019-17543\", \"description\": \"LZ4 before
+ 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize),
affecting applications that call LZ4_compress_fast with a large input. (This issue
- can also lead to data corruption.) NOTE: the vendor states \"only a few specific
- / uncommon usages of the API are at risk.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-17543",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.3-1+deb10u1"},
- {"key": "package_name", "value": "lz4"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2013-0337", "description":
- "The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable
- permissions for the (1) access.log and (2) error.log files, which allows local users
- to obtain sensitive information by reading the files.", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-0337",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"},
- {"key": "package_name", "value": "nginx"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2018-7169", "description":
- "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and
- allows an unprivileged user to be placed in a user namespace where setgroups(2)
- is permitted. This allows an attacker to remove themselves from a supplementary
- group, which may allow access to certain filesystem paths if the administrator has
- used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This
- flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups
- knob) to prevent this sort of privilege escalation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-7169",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "1:4.5-1.1"},
- {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},
- {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-37600", "description":
- "An integer overflow in util-linux through 2.37.1 can potentially cause a buffer
- overflow if an attacker were able to use system resources in a way that leads to
- a large number in the /proc/sysvipc/sem file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-37600",
- "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.33.1-0.1"},
- {"key": "package_name", "value": "util-linux"}, {"key": "CVSS2_VECTOR", "value":
- "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name":
- "CVE-2011-3374", "description": "It was found that apt-key in apt, all versions,
- do not correctly validate gpg keys with the master keyring, leading to a potential
- man-in-the-middle attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2011-3374",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1.8.2.3"}, {"key": "package_name", "value": "apt"}, {"key": "CVSS2_VECTOR", "value":
- "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name":
- "CVE-2019-18276", "description": "An issue was discovered in disable_priv_mode in
- shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective
- UID not equal to its real UID, it will drop privileges by setting its effective
- UID to its real UID. However, it does so incorrectly. On Linux and other systems
- that support \"saved UID\" functionality, the saved UID is not dropped. An attacker
- with command execution in the shell can use \"enable -f\" for runtime loading of
- a new builtin, which can be a shared object that calls setuid() and therefore regains
- privileges. However, binaries running with an effective UID of 0 are unaffected.",
- "uri": "https://security-tracker.debian.org/tracker/CVE-2019-18276", "severity":
- "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "5.0-4"}, {"key":
- "package_name", "value": "bash"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:C/I:C/A:C"},
- {"key": "CVSS2_SCORE", "value": "7.2"}]}, {"name": "CVE-2017-18018", "description":
- "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent
- replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options,
- which allows local users to modify the ownership of arbitrary files by leveraging
- a race condition.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-18018",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "8.30-3"}, {"key": "package_name", "value": "coreutils"}, {"key": "CVSS2_VECTOR",
- "value": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "1.9"}]},
- {"name": "CVE-2021-22923", "description": "When curl is instructed to get content
- using the metalink feature, and a user name and password are used to download the
- metalink XML file, those same credentials are then subsequently passed on to each
- of the servers from which curl will download or try to download the contents from.
- Often contrary to the user''s expectations and intentions and without telling the
- user it happened.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22923",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "7.64.0-4+deb10u2"}, {"key": "package_name", "value": "curl"}]}, {"name": "CVE-2021-22922",
- "description": "When curl is instructed to download content using the metalink feature,
- thecontents is verified against a hash provided in the metalink XML file.The metalink
- XML file points out to the client how to get the same contentfrom a set of different
- URLs, potentially hosted by different servers and theclient can then download the
- file from one or several of them. In a serial orparallel manner.If one of the servers
- hosting the contents has been breached and the contentsof the specific file on that
- server is replaced with a modified payload, curlshould detect this when the hash
- of the file mismatches after a completeddownload. It should remove the contents
- and instead try getting the contentsfrom another URL. This is not done, and instead
- such a hash mismatch is onlymentioned in text and the potentially malicious content
- is kept in the file ondisk.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22922",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "7.64.0-4+deb10u2"}, {"key": "package_name", "value": "curl"}]}, {"name": "CVE-2013-0340",
- "description": "expat 2.1.0 and earlier does not properly handle entities expansion
- unless an application developer uses the XML_SetEntityDeclHandler function, which
- allows remote attackers to cause a denial of service (resource consumption), send
- HTTP requests to intranet servers, or read arbitrary files via a crafted XML document,
- aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat
- already provides the ability to disable external entity expansion, the responsibility
- for resolving this issue lies with application developers; according to this argument,
- this entry should be REJECTed, and each affected application would need its own
- CVE.", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-0340", "severity":
- "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.2.6-2+deb10u1"},
- {"key": "package_name", "value": "expat"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2019-1010023", "description":
- "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library
+ can also lead to data corruption.) NOTE: the vendor states \\\"only a few specific
+ / uncommon usages of the API are at risk.\\\"\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-17543\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"1.8.3-1+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"lz4\"}, {\"key\"\
+ : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"6.8\"}]}, {\"name\": \"CVE-2013-0337\", \"description\": \"The default
+ configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions
+ for the (1) access.log and (2) error.log files, which allows local users to obtain
+ sensitive information by reading the files.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2013-0337\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"1.21.1-1~buster\"}, {\"key\": \"package_name\", \"value\": \"nginx\"}, {\"key\"\
+ : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"7.5\"}]}, {\"name\": \"CVE-2018-7169\", \"description\": \"An issue
+ was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an
+ unprivileged user to be placed in a user namespace where setgroups(2) is permitted.
+ This allows an attacker to remove themselves from a supplementary group, which may
+ allow access to certain filesystem paths if the administrator has used \\\"group
+ blacklisting\\\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively
+ reverts a security feature in the kernel (in particular, the /proc/self/setgroups
+ knob) to prevent this sort of privilege escalation.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-7169\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"1:4.5-1.1\"}, {\"key\": \"package_name\", \"value\": \"shadow\"}, {\"key\":
+ \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"5\"}]}, {\"name\": \"CVE-2021-37600\", \"description\": \"An integer
+ overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if
+ an attacker were able to use system resources in a way that leads to a large number
+ in the /proc/sysvipc/sem file.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-37600\"\
+ , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
+ : \"2.33.1-0.1\"}, {\"key\": \"package_name\", \"value\": \"util-linux\"}, {\"key\"\
+ : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"7.5\"}]}, {\"name\": \"CVE-2011-3374\", \"description\": \"It was
+ found that apt-key in apt, all versions, do not correctly validate gpg keys with
+ the master keyring, leading to a potential man-in-the-middle attack.\", \"uri\"
+ : \"https://security-tracker.debian.org/tracker/CVE-2011-3374\", \"severity\": \"\
+ INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"1.8.2.3\"\
+ }, {\"key\": \"package_name\", \"value\": \"apt\"}, {\"key\": \"CVSS2_VECTOR\",
+ \"value\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
+ : \"4.3\"}]}, {\"name\": \"CVE-2019-18276\", \"description\": \"An issue was discovered
+ in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if
+ Bash is run with its effective UID not equal to its real UID, it will drop privileges
+ by setting its effective UID to its real UID. However, it does so incorrectly. On
+ Linux and other systems that support \\\"saved UID\\\" functionality, the saved
+ UID is not dropped. An attacker with command execution in the shell can use \\\"\
+ enable -f\\\" for runtime loading of a new builtin, which can be a shared object
+ that calls setuid() and therefore regains privileges. However, binaries running
+ with an effective UID of 0 are unaffected.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-18276\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"5.0-4\"}, {\"key\": \"package_name\", \"value\": \"bash\"}, {\"key\"\
+ : \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"7.2\"}]}, {\"name\": \"CVE-2017-18018\", \"description\": \"In GNU
+ Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement
+ of a plain file with a symlink during use of the POSIX \\\"-R -L\\\" options, which
+ allows local users to modify the ownership of arbitrary files by leveraging a race
+ condition.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-18018\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"8.30-3\"}, {\"key\": \"package_name\", \"value\": \"coreutils\"},
+ {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:M/Au:N/C:N/I:P/A:N\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"1.9\"}]}, {\"name\": \"CVE-2021-22923\", \"description\"\
+ : \"When curl is instructed to get content using the metalink feature, and a user
+ name and password are used to download the metalink XML file, those same credentials
+ are then subsequently passed on to each of the servers from which curl will download
+ or try to download the contents from. Often contrary to the user's expectations
+ and intentions and without telling the user it happened.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-22923\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"7.64.0-4+deb10u2\"}, {\"key\": \"package_name\", \"value\": \"curl\"\
+ }]}, {\"name\": \"CVE-2021-22922\", \"description\": \"When curl is instructed to
+ download content using the metalink feature, thecontents is verified against a hash
+ provided in the metalink XML file.The metalink XML file points out to the client
+ how to get the same contentfrom a set of different URLs, potentially hosted by different
+ servers and theclient can then download the file from one or several of them. In
+ a serial orparallel manner.If one of the servers hosting the contents has been breached
+ and the contentsof the specific file on that server is replaced with a modified
+ payload, curlshould detect this when the hash of the file mismatches after a completeddownload.
+ It should remove the contents and instead try getting the contentsfrom another URL.
+ This is not done, and instead such a hash mismatch is onlymentioned in text and
+ the potentially malicious content is kept in the file ondisk.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-22922\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"7.64.0-4+deb10u2\"}, {\"key\": \"package_name\", \"value\": \"curl\"\
+ }]}, {\"name\": \"CVE-2013-0340\", \"description\": \"expat 2.1.0 and earlier does
+ not properly handle entities expansion unless an application developer uses the
+ XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial
+ of service (resource consumption), send HTTP requests to intranet servers, or read
+ arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.\
+ \ NOTE: it could be argued that because expat already provides the ability to disable
+ external entity expansion, the responsibility for resolving this issue lies with
+ application developers; according to this argument, this entry should be REJECTed,
+ and each affected application would need its own CVE.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2013-0340\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"2.2.6-2+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"expat\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"6.8\"}]}, {\"name\": \"CVE-2019-1010023\", \"description\"\
+ : \"** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library
with malicious ELF file. The impact is: In worst case attacker may evaluate privileges.
The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim
- and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this
- is being treated as a non-security bug and no real threat.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010023",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
- "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name":
- "CVE-2010-4051", "description": "The regcomp implementation in the GNU C Library
- (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent
- attackers to cause a denial of service (application crash) via a regular expression
- containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation,
- as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit
- for ProFTPD, related to a \"RE_DUP_MAX overflow.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-4051",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
- "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
- "CVE-2019-1010022", "description": "** DISPUTED ** GNU Libc current is affected
- by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection.
- The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability
- and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments
- indicate \"this is being treated as a non-security bug and no real threat.\"", "uri":
- "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "severity": "INFORMATIONAL",
- "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
- "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2010-4052", "description":
- "Stack consumption vulnerability in the regcomp implementation in the GNU C Library
+ and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \\\
+ \"this is being treated as a non-security bug and no real threat.\\\"\", \"uri\"\
+ : \"https://security-tracker.debian.org/tracker/CVE-2019-1010023\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"CVSS2_VECTOR\"\
+ , \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
+ : \"6.8\"}]}, {\"name\": \"CVE-2010-4051\", \"description\": \"The regcomp implementation
+ in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2,
+ allows context-dependent attackers to cause a denial of service (application crash)
+ via a regular expression containing adjacent bounded repetitions that bypass the
+ intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence
+ in the proftpd.gnu.c exploit for ProFTPD, related to a \\\"RE_DUP_MAX overflow.\\\
+ \"\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2010-4051\", \"\
+ severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"\
+ value\": \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\"\
+ : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"5\"}]}, {\"name\": \"CVE-2019-1010022\", \"description\": \"** DISPUTED
+ ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may
+ bypass stack guard protection. The component is: nptl. The attack vector is: Exploit
+ stack buffer overflow vulnerability and use this bypass vulnerability to bypass
+ stack guard. NOTE: Upstream comments indicate \\\"this is being treated as a non-security
+ bug and no real threat.\\\"\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-1010022\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"\
+ key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\": \"\
+ CVSS2_SCORE\", \"value\": \"7.5\"}]}, {\"name\": \"CVE-2010-4052\", \"description\"\
+ : \"Stack consumption vulnerability in the regcomp implementation in the GNU C Library
(aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent
attackers to cause a denial of service (resource exhaustion) via a regular expression
containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,}
- sequence in the proftpd.gnu.c exploit for ProFTPD.", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-4052",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
- "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
- "CVE-2019-1010024", "description": "** DISPUTED ** GNU Libc current is affected
- by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread
- stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this
- is being treated as a non-security bug and no real threat.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010024",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
- "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
- "CVE-2010-4756", "description": "The glob implementation in the GNU C Library (aka
- glibc or libc6) allows remote authenticated users to cause a denial of service (CPU
- and memory consumption) via crafted glob expressions that do not match any pathnames,
- as demonstrated by glob expressions in STAT commands to an FTP daemon, a different
- vulnerability than CVE-2010-2632.", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-4756",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
- "AV:N/AC:L/Au:S/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4"}]}, {"name":
- "CVE-2019-1010025", "description": "** DISPUTED ** GNU Libc current is affected
- by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created
- thread. The component is: glibc. NOTE: the vendor''s position is \"ASLR bypass itself
- is not a vulnerability.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010025",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
- "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
- "CVE-2018-20796", "description": "In the GNU C Library (aka glibc or libc6) through
- 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion,
- as demonstrated by ''(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+'' in grep.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-20796",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
- "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
- "CVE-2019-9192", "description": "** DISPUTED ** In the GNU C Library (aka glibc
- or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled
- Recursion, as demonstrated by ''(|)(\\\\1\\\\1)*'' in grep, a different issue than
- CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability
- because the behavior occurs only with a crafted pattern.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-9192",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
- "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
- "CVE-2011-3389", "description": "The SSL protocol, as used in certain configurations
- in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome,
- Opera, and other products, encrypts data by using CBC mode with chained initialization
- vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers
- via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction
- with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection
- API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2011-3389",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "3.6.7-4+deb10u7"}, {"key": "package_name", "value": "gnutls28"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
- {"name": "CVE-2021-30535", "description": "Double free in ICU in Google Chrome prior
- to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption
- via a crafted HTML page.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-30535",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "63.1-6+deb10u1"}, {"key": "package_name", "value": "icu"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]},
- {"name": "CVE-2017-9937", "description": "In LibTIFF 4.0.8, there is a memory malloc
- failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in
- a remote denial of service attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-9937",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2.1-3.1"}, {"key": "package_name", "value": "jbigkit"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
- {"name": "CVE-2018-5709", "description": "An issue was discovered in MIT Kerberos
- 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c
- that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable
- to it, which is for 32-bit data. An attacker can use this vulnerability to affect
- other artifacts of the database as we know that a Kerberos database dump file contains
- trusted data.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-5709",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1.17-3+deb10u1"}, {"key": "package_name", "value": "krb5"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
- {"name": "CVE-2021-36222", "description": "ec_verify in kdc/kdc_preauth_ec.c in
- the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and
- 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference
- and daemon crash. This occurs because a return value is not properly managed in
- a certain situation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36222",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1.17-3+deb10u1"}, {"key": "package_name", "value": "krb5"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]},
- {"name": "CVE-2004-0971", "description": "The krb5-send-pr script in the kerberos5
- (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating
- systems, allows local users to overwrite files via a symlink attack on temporary
- files.", "uri": "https://security-tracker.debian.org/tracker/CVE-2004-0971", "severity":
- "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.17-3+deb10u1"},
- {"key": "package_name", "value": "krb5"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:P/A:N"},
- {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2018-6829", "description":
- "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly,
+ sequence in the proftpd.gnu.c exploit for ProFTPD.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2010-4052\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"\
+ key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"\
+ CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2019-1010024\", \"description\"\
+ : \"** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact
+ is: Attacker may bypass ASLR using cache of thread stack and heap. The component
+ is: glibc. NOTE: Upstream comments indicate \\\"this is being treated as a non-security
+ bug and no real threat.\\\"\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-1010024\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"\
+ key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\": \"\
+ CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2010-4756\", \"description\"\
+ : \"The glob implementation in the GNU C Library (aka glibc or libc6) allows remote
+ authenticated users to cause a denial of service (CPU and memory consumption) via
+ crafted glob expressions that do not match any pathnames, as demonstrated by glob
+ expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2010-4756\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"CVSS2_VECTOR\"\
+ , \"value\": \"AV:N/AC:L/Au:S/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
+ : \"4\"}]}, {\"name\": \"CVE-2019-1010025\", \"description\": \"** DISPUTED ** GNU
+ Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess
+ the heap addresses of pthread_created thread. The component is: glibc. NOTE: the
+ vendor's position is \\\"ASLR bypass itself is not a vulnerability.\\\"\", \"uri\"\
+ : \"https://security-tracker.debian.org/tracker/CVE-2019-1010025\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"CVSS2_VECTOR\"\
+ , \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
+ : \"5\"}]}, {\"name\": \"CVE-2018-20796\", \"description\": \"In the GNU C Library
+ (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c
+ has Uncontrolled Recursion, as demonstrated by '(\\\\227|)(\\\\\\\\1\\\\\\\\1|t1|\\\
+ \\\\\\\\\\2537)+' in grep.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-20796\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"\
+ key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"\
+ CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2019-9192\", \"description\"\
+ : \"** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1
+ in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\\\\\\
+ 1\\\\\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software
+ maintainer disputes that this is a vulnerability because the behavior occurs only
+ with a crafted pattern.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-9192\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"\
+ key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"\
+ CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2011-3389\", \"description\"\
+ : \"The SSL protocol, as used in certain configurations in Microsoft Windows and
+ Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products,
+ encrypts data by using CBC mode with chained initialization vectors, which allows
+ man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary
+ attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses
+ (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight
+ WebClient API, aka a \\\"BEAST\\\" attack.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2011-3389\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"3.6.7-4+deb10u7\"}, {\"key\": \"package_name\", \"value\": \"gnutls28\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2021-30535\", \"description\"\
+ : \"Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a remote attacker
+ to potentially exploit heap corruption via a crafted HTML page.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-30535\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"63.1-6+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"icu\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"6.8\"}]}, {\"name\": \"CVE-2017-9937\", \"description\"\
+ : \"In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted
+ TIFF document can lead to an abort resulting in a remote denial of service attack.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-9937\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"2.1-3.1\"}, {\"key\": \"package_name\", \"value\": \"jbigkit\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"4.3\"}]}, {\"name\": \"CVE-2018-5709\", \"description\": \"An issue
+ was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \\\
+ \"dbentry->n_key_data\\\" in kadmin/dbutil/dump.c that can store 16-bit data but
+ unknowingly the developer has assigned a \\\"u4\\\" variable to it, which is for
+ 32-bit data. An attacker can use this vulnerability to affect other artifacts of
+ the database as we know that a Kerberos database dump file contains trusted data.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-5709\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"1.17-3+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"krb5\"}, {\"key\"
+ : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"5\"}]}, {\"name\": \"CVE-2021-36222\", \"description\": \"ec_verify
+ in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka
+ krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a
+ NULL pointer dereference and daemon crash. This occurs because a return value is
+ not properly managed in a certain situation.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-36222\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"1.17-3+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"krb5\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2004-0971\", \"description\"\
+ : \"The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux
+ 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite
+ files via a symlink attack on temporary files.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2004-0971\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"1.17-3+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"krb5\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:P/A:N\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"2.1\"}]}, {\"name\": \"CVE-2018-6829\", \"description\"\
+ : \"cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly,
improperly encodes plaintexts, which allows attackers to obtain sensitive information
by reading ciphertext data (i.e., it does not have semantic security in face of
a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not
- hold for Libgcrypt''s ElGamal implementation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-6829",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1.8.4-5+deb10u1"}, {"key": "package_name", "value": "libgcrypt20"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
- {"name": "CVE-2018-11813", "description": "libjpeg 9c has a large loop because read_pixel
- in rdtarga.c mishandles EOF.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-11813",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1:1.5.2-2+deb10u1"}, {"key": "package_name", "value": "libjpeg-turbo"}, {"key":
- "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
- "5"}]}, {"name": "CVE-2020-17541", "description": "Libjpeg-turbo all version have
- a stack-based buffer overflow in the \"transform\" component. A remote attacker
- can send a malformed jpeg file to the service and cause arbitrary code execution
- or denial of service of the target service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-17541",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1:1.5.2-2+deb10u1"}, {"key": "package_name", "value": "libjpeg-turbo"}, {"key":
- "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value":
- "6.8"}]}, {"name": "CVE-2017-15232", "description": "libjpeg-turbo 1.5.2 has a NULL
- Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.", "uri":
- "https://security-tracker.debian.org/tracker/CVE-2017-15232", "severity": "INFORMATIONAL",
- "attributes": [{"key": "package_version", "value": "1:1.5.2-2+deb10u1"}, {"key":
- "package_name", "value": "libjpeg-turbo"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2018-14048", "description":
- "An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data
- in png.c, related to the recommended error handling for png_read_image.", "uri":
- "https://security-tracker.debian.org/tracker/CVE-2018-14048", "severity": "INFORMATIONAL",
- "attributes": [{"key": "package_version", "value": "1.6.36-6"}, {"key": "package_name",
- "value": "libpng1.6"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2019-6129", "description":
- "** DISPUTED ** png_create_info_struct in png.c in libpng 1.6.36 has a memory leak,
- as demonstrated by pngcp. NOTE: a third party has stated \"I don''t think it is
- libpng''s job to free this buffer.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-6129",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1.6.36-6"}, {"key": "package_name", "value": "libpng1.6"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
- {"name": "CVE-2018-14550", "description": "An issue has been found in third-party
- PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow
- in the function get_token in pnm2png.c in pnm2png.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-14550",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1.6.36-6"}, {"key": "package_name", "value": "libpng1.6"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]},
- {"name": "CVE-2019-9893", "description": "libseccomp before 2.4.0 did not correctly
- generate 64-bit syscall argument comparisons using the arithmetic operators (LT,
- GT, LE, GE), which might able to lead to bypassing seccomp filters and potential
- privilege escalations.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-9893",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2.3.3-4"}, {"key": "package_name", "value": "libseccomp"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]},
- {"name": "CVE-2018-1000654", "description": "GNU Libtasn1-4.13 libtasn1-4.13 version
- libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100%
- when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree),
- after a long time, the program will be killed. This attack appears to be exploitable
- via parsing a crafted file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-1000654",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "4.13-3"}, {"key": "package_name", "value": "libtasn1-6"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}, {"key": "CVSS2_SCORE", "value": "7.1"}]},
- {"name": "CVE-2016-9085", "description": "Multiple integer overflows in libwebp
- allows attackers to have unspecified impact via unknown vectors.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-9085",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "0.6.1-2+deb10u1"}, {"key": "package_name", "value": "libwebp"}, {"key": "CVSS2_VECTOR",
- "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]},
- {"name": "CVE-2015-9019", "description": "In libxslt 1.1.29 and earlier, the EXSLT
- math.random function was not initialized with a random seed during startup, which
- could cause usage of this function to produce predictable outputs.", "uri": "https://security-tracker.debian.org/tracker/CVE-2015-9019",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1.1.32-2.2~deb10u1"}, {"key": "package_name", "value": "libxslt"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
- {"name": "CVE-2009-4487", "description": "nginx 0.7.64 writes data to a log file
- without sanitizing non-printable characters, which might allow remote attackers
- to modify a window''s title, or possibly execute arbitrary commands or overwrite
- files, via an HTTP request containing an escape sequence for a terminal emulator.",
- "uri": "https://security-tracker.debian.org/tracker/CVE-2009-4487", "severity":
- "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"},
- {"key": "package_name", "value": "nginx"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-15719", "description":
- "libldap in certain third-party OpenLDAP packages has a certificate-validation flaw
- when the third-party package is asserting RFC6125 support. It considers CN even
- when there is a non-matching subjectAltName (SAN). This is fixed in, for example,
- openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-15719",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2.4.47+dfsg-3+deb10u6"}, {"key": "package_name", "value": "openldap"}, {"key":
- "CVSS2_VECTOR", "value": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, {"key": "CVSS2_SCORE", "value":
- "4"}]}, {"name": "CVE-2015-3276", "description": "The nss_parse_ciphers function
- in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword
- mode cipher strings, which might cause a weaker than intended cipher to be used
- and allow remote attackers to have unspecified impact via unknown vectors.", "uri":
- "https://security-tracker.debian.org/tracker/CVE-2015-3276", "severity": "INFORMATIONAL",
- "attributes": [{"key": "package_version", "value": "2.4.47+dfsg-3+deb10u6"}, {"key":
- "package_name", "value": "openldap"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"},
- {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2017-14159", "description":
- "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges
- to a non-root account, which might allow local users to kill arbitrary processes
- by leveraging access to this non-root account for PID file modification before a
- root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.",
- "uri": "https://security-tracker.debian.org/tracker/CVE-2017-14159", "severity":
- "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.4.47+dfsg-3+deb10u6"},
- {"key": "package_name", "value": "openldap"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "1.9"}]}, {"name": "CVE-2017-17740", "description":
- "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops
- module and the memberof overlay are enabled, attempts to free a buffer that was
- allocated on the stack, which allows remote attackers to cause a denial of service
- (slapd crash) via a member MODDN operation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-17740",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2.4.47+dfsg-3+deb10u6"}, {"key": "package_name", "value": "openldap"}, {"key":
- "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
- "5"}]}, {"name": "CVE-2010-0928", "description": "OpenSSL 0.9.8i on the Gaisler
- Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation
- (FWE) algorithm for certain signature calculations, and does not verify the signature
- before providing it to a caller, which makes it easier for physically proximate
- attackers to determine the private key via a modified supply voltage for the microprocessor,
- related to a \"fault-based attack.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-0928",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1.1.1d-0+deb10u6"}, {"key": "package_name", "value": "openssl"}, {"key": "CVSS2_VECTOR",
- "value": "AV:L/AC:H/Au:N/C:C/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4"}]},
- {"name": "CVE-2007-6755", "description": "The NIST SP 800-90A default statement
- of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm
- contains point Q constants with a possible relationship to certain \"skeleton key\"
- values, which might allow context-dependent attackers to defeat cryptographic protection
- mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary
- CVE for Dual_EC_DRBG; future research may provide additional details about point
- Q and associated attacks, and could potentially lead to a RECAST or REJECT of this
- CVE.", "uri": "https://security-tracker.debian.org/tracker/CVE-2007-6755", "severity":
- "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.1.1d-0+deb10u6"},
- {"key": "package_name", "value": "openssl"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:N"},
- {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2017-7246", "description":
- "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c
+ hold for Libgcrypt's ElGamal implementation.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-6829\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"1.8.4-5+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libgcrypt20\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2018-11813\", \"description\"\
+ : \"libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-11813\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"1:1.5.2-2+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libjpeg-turbo\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2020-17541\", \"description\"\
+ : \"Libjpeg-turbo all version have a stack-based buffer overflow in the \\\"transform\\\
+ \" component. A remote attacker can send a malformed jpeg file to the service and
+ cause arbitrary code execution or denial of service of the target service.\", \"\
+ uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-17541\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"1:1.5.2-2+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libjpeg-turbo\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"6.8\"}]}, {\"name\": \"CVE-2017-15232\", \"description\"\
+ : \"libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c
+ via a crafted JPEG file.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-15232\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"1:1.5.2-2+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libjpeg-turbo\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2018-14048\", \"description\"\
+ : \"An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data
+ in png.c, related to the recommended error handling for png_read_image.\", \"uri\"\
+ : \"https://security-tracker.debian.org/tracker/CVE-2018-14048\", \"severity\":
+ \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"\
+ 1.6.36-6\"}, {\"key\": \"package_name\", \"value\": \"libpng1.6\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"4.3\"}]}, {\"name\": \"CVE-2019-6129\", \"description\": \"** DISPUTED
+ ** png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated
+ by pngcp. NOTE: a third party has stated \\\"I don't think it is libpng's job to
+ free this buffer.\\\"\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-6129\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"1.6.36-6\"}, {\"key\": \"package_name\", \"value\": \"libpng1.6\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2018-14550\", \"description\"\
+ : \"An issue has been found in third-party PNM decoding associated with libpng 1.6.35.
+ It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-14550\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"1.6.36-6\"}, {\"key\": \"package_name\", \"value\": \"libpng1.6\"}, {\"key\":
+ \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"6.8\"}]}, {\"name\": \"CVE-2019-9893\", \"description\": \"libseccomp
+ before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using
+ the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing
+ seccomp filters and potential privilege escalations.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-9893\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"2.3.3-4\"}, {\"key\": \"package_name\", \"value\": \"libseccomp\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"7.5\"}]}, {\"name\": \"CVE-2018-1000654\", \"description\"\
+ : \"GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains
+ a DoS, specifically CPU usage will reach 100% when running asn1Paser against the
+ POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program
+ will be killed. This attack appears to be exploitable via parsing a crafted file.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-1000654\", \"\
+ severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"\
+ value\": \"4.13-3\"}, {\"key\": \"package_name\", \"value\": \"libtasn1-6\"}, {\"\
+ key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:C\"}, {\"key\": \"\
+ CVSS2_SCORE\", \"value\": \"7.1\"}]}, {\"name\": \"CVE-2016-9085\", \"description\"\
+ : \"Multiple integer overflows in libwebp allows attackers to have unspecified impact
+ via unknown vectors.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2016-9085\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"0.6.1-2+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libwebp\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"2.1\"}]}, {\"name\": \"CVE-2015-9019\", \"description\"\
+ : \"In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized
+ with a random seed during startup, which could cause usage of this function to produce
+ predictable outputs.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2015-9019\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"1.1.32-2.2~deb10u1\"}, {\"key\": \"package_name\", \"value\": \"\
+ libxslt\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"\
+ }, {\"key\": \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2009-4487\"
+ , \"description\": \"nginx 0.7.64 writes data to a log file without sanitizing non-printable
+ characters, which might allow remote attackers to modify a window's title, or possibly
+ execute arbitrary commands or overwrite files, via an HTTP request containing an
+ escape sequence for a terminal emulator.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2009-4487\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"1.21.1-1~buster\"}, {\"key\": \"package_name\", \"value\": \"nginx\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"6.8\"}]}, {\"name\": \"CVE-2020-15719\", \"description\"\
+ : \"libldap in certain third-party OpenLDAP packages has a certificate-validation
+ flaw when the third-party package is asserting RFC6125 support. It considers CN
+ even when there is a non-matching subjectAltName (SAN). This is fixed in, for example,
+ openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-15719\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"2.4.47+dfsg-3+deb10u6\"}, {\"key\": \"package_name\", \"value\":
+ \"openldap\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:H/Au:N/C:P/I:P/A:N\"\
+ }, {\"key\": \"CVSS2_SCORE\", \"value\": \"4\"}]}, {\"name\": \"CVE-2015-3276\"
+ , \"description\": \"The nss_parse_ciphers function in libraries/libldap/tls_m.c
+ in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings,
+ which might cause a weaker than intended cipher to be used and allow remote attackers
+ to have unspecified impact via unknown vectors.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2015-3276\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"2.4.47+dfsg-3+deb10u6\"}, {\"key\": \"package_name\", \"value\":
+ \"openldap\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\"\
+ }, {\"key\": \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2017-14159\"\
+ , \"description\": \"slapd in OpenLDAP 2.4.45 and earlier creates a PID file after
+ dropping privileges to a non-root account, which might allow local users to kill
+ arbitrary processes by leveraging access to this non-root account for PID file modification
+ before a root script executes a \\\"kill `cat /pathname`\\\" command, as demonstrated
+ by openldap-initscript.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-14159\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"2.4.47+dfsg-3+deb10u6\"}, {\"key\": \"package_name\", \"value\":
+ \"openldap\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:M/Au:N/C:N/I:N/A:P\"\
+ }, {\"key\": \"CVSS2_SCORE\", \"value\": \"1.9\"}]}, {\"name\": \"CVE-2017-17740\"\
+ , \"description\": \"contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45,
+ when both the nops module and the memberof overlay are enabled, attempts to free
+ a buffer that was allocated on the stack, which allows remote attackers to cause
+ a denial of service (slapd crash) via a member MODDN operation.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-17740\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"2.4.47+dfsg-3+deb10u6\"}, {\"key\": \"package_name\", \"value\":
+ \"openldap\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"\
+ }, {\"key\": \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2010-0928\"
+ , \"description\": \"OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx
+ Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain
+ signature calculations, and does not verify the signature before providing it to
+ a caller, which makes it easier for physically proximate attackers to determine
+ the private key via a modified supply voltage for the microprocessor, related to
+ a \\\"fault-based attack.\\\"\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2010-0928\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"1.1.1d-0+deb10u6\"}, {\"key\": \"package_name\", \"value\": \"openssl\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:H/Au:N/C:C/I:N/A:N\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"4\"}]}, {\"name\": \"CVE-2007-6755\", \"description\"\
+ : \"The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic
+ Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a
+ possible relationship to certain \\\"skeleton key\\\" values, which might allow
+ context-dependent attackers to defeat cryptographic protection mechanisms by leveraging
+ knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future
+ research may provide additional details about point Q and associated attacks, and
+ could potentially lead to a RECAST or REJECT of this CVE.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2007-6755\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"1.1.1d-0+deb10u6\"}, {\"key\": \"package_name\", \"value\": \"openssl\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:N\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"5.8\"}]}, {\"name\": \"CVE-2017-7246\", \"description\"\
+ : \"Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c
in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE
- of size 268) or possibly have unspecified other impact via a crafted file.", "uri":
- "https://security-tracker.debian.org/tracker/CVE-2017-7246", "severity": "INFORMATIONAL",
- "attributes": [{"key": "package_version", "value": "2:8.39-12"}, {"key": "package_name",
- "value": "pcre3"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2019-20838", "description":
- "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is
- disabled, and \\X or \\R has more than one fixed quantifier, a related issue to
- CVE-2019-20454.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-20838",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
- {"name": "CVE-2017-7245", "description": "Stack-based buffer overflow in the pcre32_copy_substring
- function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause
- a denial of service (WRITE of size 4) or possibly have unspecified other impact
- via a crafted file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-7245",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]},
- {"name": "CVE-2017-16231", "description": "** DISPUTED ** In PCRE 8.41, after compiling,
- a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c
- because of a self-recursive call. NOTE: third parties dispute the relevance of this
- report, noting that there are options that can be used to limit the amount of stack
- that is used.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-16231",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
- "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]},
- {"name": "CVE-2017-11164", "description": "In PCRE 8.41, the OP_KETRMAX feature
- in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion)
- when processing a crafted regular expression.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-11164",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, {"key": "CVSS2_SCORE", "value": "7.8"}]},
- {"name": "CVE-2011-4116", "description": "_is_safe in the File::Temp module for
- Perl does not properly handle symlinks.", "uri": "https://security-tracker.debian.org/tracker/CVE-2011-4116",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "5.28.1-6+deb10u1"}, {"key": "package_name", "value": "perl"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
- {"name": "CVE-2019-19882", "description": "shadow 4.8, in certain circumstances
- affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain
- root access because setuid programs are misconfigured. Specifically, this affects
- shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid,
- and without a PAM configuration suitable for use with setuid account management
- tools. This combination leads to account management tools (groupadd, groupdel, groupmod,
- useradd, userdel, usermod) that can easily be used by unprivileged local users to
- escalate privileges to root in multiple ways. This issue became much more relevant
- in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod
- calls to suidusbins were fixed in the upstream Makefile which is now included in
- the release version 4.8).", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-19882",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR",
- "value": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "6.9"}]},
- {"name": "CVE-2007-5686", "description": "initscripts in rPath Linux 1 sets insecure
- permissions for the /var/log/btmp file, which allows local users to obtain sensitive
- information regarding authentication attempts. NOTE: because sshd detects the insecure
- permissions and does not log certain events, this also prevents sshd from logging
- failed authentication attempts by remote attackers.", "uri": "https://security-tracker.debian.org/tracker/CVE-2007-5686",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR",
- "value": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.9"}]},
- {"name": "CVE-2013-4235", "description": "shadow: TOCTOU (time-of-check time-of-use)
- race condition when copying and removing directory trees", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-4235",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR",
- "value": "AV:L/AC:M/Au:N/C:N/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "3.3"}]},
- {"name": "CVE-2020-13529", "description": "An exploitable denial-of-service vulnerability
- exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server
- running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker
- can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.",
- "uri": "https://security-tracker.debian.org/tracker/CVE-2020-13529", "severity":
- "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"},
- {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:A/AC:M/Au:N/C:N/I:N/A:P"},
- {"key": "CVSS2_SCORE", "value": "2.9"}]}, {"name": "CVE-2013-4392", "description":
- "systemd, when updating file permissions, allows local users to change the permissions
+ of size 268) or possibly have unspecified other impact via a crafted file.\", \"\
+ uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-7246\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"2:8.39-12\"}, {\"key\": \"package_name\", \"value\": \"pcre3\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"6.8\"}]}, {\"name\": \"CVE-2019-20838\", \"description\": \"libpcre
+ in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled,
+ and \\\\X or \\\\R has more than one fixed quantifier, a related issue to CVE-2019-20454.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-20838\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"2:8.39-12\"}, {\"key\": \"package_name\", \"value\": \"pcre3\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"4.3\"}]}, {\"name\": \"CVE-2017-7245\", \"description\": \"Stack-based
+ buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1
+ in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size
+ 4) or possibly have unspecified other impact via a crafted file.\", \"uri\": \"\
+ https://security-tracker.debian.org/tracker/CVE-2017-7245\", \"severity\": \"INFORMATIONAL\"\
+ , \"attributes\": [{\"key\": \"package_version\", \"value\": \"2:8.39-12\"}, {\"\
+ key\": \"package_name\", \"value\": \"pcre3\"}, {\"key\": \"CVSS2_VECTOR\", \"value\"\
+ : \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\": \"6.8\"\
+ }]}, {\"name\": \"CVE-2017-16231\", \"description\": \"** DISPUTED ** In PCRE 8.41,
+ after compiling, a pcretest load test PoC produces a crash overflow in the function
+ match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute
+ the relevance of this report, noting that there are options that can be used to
+ limit the amount of stack that is used.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-16231\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"2:8.39-12\"}, {\"key\": \"package_name\", \"value\": \"pcre3\"},
+ {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"2.1\"}]}, {\"name\": \"CVE-2017-11164\", \"description\"\
+ : \"In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows
+ stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-11164\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"2:8.39-12\"}, {\"key\": \"package_name\", \"value\": \"pcre3\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:C\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"7.8\"}]}, {\"name\": \"CVE-2011-4116\", \"description\": \"_is_safe
+ in the File::Temp module for Perl does not properly handle symlinks.\", \"uri\"
+ : \"https://security-tracker.debian.org/tracker/CVE-2011-4116\", \"severity\": \"\
+ INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"5.28.1-6+deb10u1\"\
+ }, {\"key\": \"package_name\", \"value\": \"perl\"}, {\"key\": \"CVSS2_VECTOR\"
+ , \"value\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
+ : \"5\"}]}, {\"name\": \"CVE-2019-19882\", \"description\": \"shadow 4.8, in certain
+ circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local
+ users to obtain root access because setuid programs are misconfigured. Specifically,
+ this affects shadow 4.8 when compiled using --with-libpam but without explicitly
+ passing --disable-account-tools-setuid, and without a PAM configuration suitable
+ for use with setuid account management tools. This combination leads to account
+ management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that
+ can easily be used by unprivileged local users to escalate privileges to root in
+ multiple ways. This issue became much more relevant in approximately December 2019
+ when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed
+ in the upstream Makefile which is now included in the release version 4.8).\", \"\
+ uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-19882\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"1:4.5-1.1\"}, {\"key\": \"package_name\", \"value\": \"shadow\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:L/AC:M/Au:N/C:C/I:C/A:C\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"6.9\"}]}, {\"name\": \"CVE-2007-5686\", \"description\": \"initscripts
+ in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows
+ local users to obtain sensitive information regarding authentication attempts. \
+ \ NOTE: because sshd detects the insecure permissions and does not log certain events,
+ this also prevents sshd from logging failed authentication attempts by remote attackers.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2007-5686\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"1:4.5-1.1\"}, {\"key\": \"package_name\", \"value\": \"shadow\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:C/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"4.9\"}]}, {\"name\": \"CVE-2013-4235\", \"description\": \"shadow:
+ TOCTOU (time-of-check time-of-use) race condition when copying and removing directory
+ trees\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2013-4235\"
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"1:4.5-1.1\"}, {\"key\": \"package_name\", \"value\": \"shadow\"},
+ {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:M/Au:N/C:N/I:P/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"3.3\"}]}, {\"name\": \"CVE-2020-13529\", \"description\"\
+ : \"An exploitable denial-of-service vulnerability exists in Systemd 245. A specially
+ crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be
+ vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW
+ and DCHP ACK packets to reconfigure the server.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-13529\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"241-7~deb10u8\"}, {\"key\": \"package_name\", \"value\": \"systemd\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:A/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"2.9\"}]}, {\"name\": \"CVE-2013-4392\", \"description\"\
+ : \"systemd, when updating file permissions, allows local users to change the permissions
and SELinux security contexts for arbitrary files via a symlink attack on unspecified
- files.", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-4392", "severity":
- "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"},
- {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:P/I:P/A:N"},
- {"key": "CVSS2_SCORE", "value": "3.3"}]}, {"name": "CVE-2020-13776", "description":
- "systemd through v245 mishandles numerical usernames such as ones composed of decimal
- digits or 0x followed by hex digits, as demonstrated by use of root privileges when
- privileges of the 0x0 user account were intended. NOTE: this issue exists because
- of an incomplete fix for CVE-2017-1000082.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-13776",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "241-7~deb10u8"}, {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR",
- "value": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "6.2"}]},
- {"name": "CVE-2019-20386", "description": "An issue was discovered in button_open
- in login/logind-button.c in systemd before 243. When executing the udevadm trigger
- command, a memory leak may occur.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-20386",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "241-7~deb10u8"}, {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR",
- "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]},
- {"name": "CVE-2019-9923", "description": "pax_decode_header in sparse.c in GNU Tar
- before 1.32 had a NULL pointer dereference when parsing certain archives that have
- malformed extended headers.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-9923",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]},
- {"name": "CVE-2005-2541", "description": "Tar 1.15.1 does not properly warn the
- user when extracting setuid or setgid files, which may allow local users or remote
- attackers to gain privileges.", "uri": "https://security-tracker.debian.org/tracker/CVE-2005-2541",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "10"}]},
- {"name": "CVE-2021-20193", "description": "A flaw was found in the src/list.c of
- tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input
- file to tar to cause uncontrolled consumption of memory. The highest threat from
- this vulnerability is to system availability.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-20193",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
- {"name": "CVE-2017-17973", "description": "** DISPUTED ** In LibTIFF 4.0.8, there
- is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE:
- there is a third-party report of inability to reproduce this issue.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-17973",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
- "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value":
- "6.8"}]}, {"name": "CVE-2020-35521", "description": "A flaw was found in libtiff.
- Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to
- an abort, resulting in denial of service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-35521",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
- "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
- "4.3"}]}, {"name": "CVE-2014-8130", "description": "The _TIFFmalloc function in
- tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers
- to cause a denial of service (divide-by-zero error and application crash) via a
- crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c,
- as demonstrated by tiffdither.", "uri": "https://security-tracker.debian.org/tracker/CVE-2014-8130",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
- "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
- "4.3"}]}, {"name": "CVE-2017-5563", "description": "LibTIFF version 4.0.7 is vulnerable
- to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution
- via a crafted bmp image to tools/bmp2tiff.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-5563",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
- "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value":
- "6.8"}]}, {"name": "CVE-2020-35522", "description": "In LibTIFF, there is a memory
- malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort,
- resulting in a remote denial of service attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-35522",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
- "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
- "4.3"}]}, {"name": "CVE-2017-9117", "description": "In LibTIFF 4.0.7, the program
- processes BMP images without verifying that biWidth and biHeight in the bitmap-information
- header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.",
- "uri": "https://security-tracker.debian.org/tracker/CVE-2017-9117", "severity":
- "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "4.1.0+git191117-2~deb10u2"},
- {"key": "package_name", "value": "tiff"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
- {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2017-16232", "description":
- "** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow
- attackers to cause a denial of service (memory consumption), as demonstrated by
- tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce
- the issue.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-16232",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
- "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
- "5"}]}, {"name": "CVE-2018-10126", "description": "LibTIFF 4.0.9 has a NULL pointer
- dereference in the jpeg_fdct_16x16 function in jfdctint.c.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-10126",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
- "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
- "4.3"}]}, {"name": "CVE-2021-22924", "description": "libcurl keeps previously used
- connections in a connection pool for subsequenttransfers to reuse, if one of them
- matches the setup.Due to errors in the logic, the config matching function did not
- take ''issuercert'' into account and it compared the involved paths *case insensitively*,which
- could lead to libcurl reusing wrong connections.File paths are, or can be, case
- sensitive on many systems but not all, and caneven vary depending on used file systems.The
- comparison also didn''t include the ''issuer cert'' which a transfer can setto qualify
- how to verify the server certificate.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22924",
- "severity": "UNDEFINED", "attributes": [{"key": "package_version", "value": "7.64.0-4+deb10u2"},
- {"key": "package_name", "value": "curl"}]}, {"name": "CVE-2021-38115", "description":
- "read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2
- allows remote attackers to cause a denial of service (out-of-bounds read) via a
- crafted TGA file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-38115",
- "severity": "UNDEFINED", "attributes": [{"key": "package_version", "value": "2.2.5-5.2"},
- {"key": "package_name", "value": "libgd2"}]}, {"name": "CVE-2021-3618", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-3618",
- "severity": "UNDEFINED", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"},
- {"key": "package_name", "value": "nginx"}]}], "findingSeverityCounts": {"HIGH":
- 2, "MEDIUM": 14, "INFORMATIONAL": 63, "LOW": 22, "UNDEFINED": 3}}}, "requestID":
- "23c19e2d-c48b-4265-b4eb-853e7b325780", "eventID": "6c94a9b2-36dc-43f8-a6dd-4ec839ded8af",
- "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
- "111111111111", "eventCategory": "Management"}'
+ files.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2013-4392\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"241-7~deb10u8\"}, {\"key\": \"package_name\", \"value\": \"systemd\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:M/Au:N/C:P/I:P/A:N\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"3.3\"}]}, {\"name\": \"CVE-2020-13776\", \"description\"\
+ : \"systemd through v245 mishandles numerical usernames such as ones composed of
+ decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges
+ when privileges of the 0x0 user account were intended. NOTE: this issue exists because
+ of an incomplete fix for CVE-2017-1000082.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-13776\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"241-7~deb10u8\"}, {\"key\": \"package_name\", \"value\": \"systemd\"\
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:H/Au:N/C:C/I:C/A:C\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"6.2\"}]}, {\"name\": \"CVE-2019-20386\", \"description\"\
+ : \"An issue was discovered in button_open in login/logind-button.c in systemd before
+ 243. When executing the udevadm trigger command, a memory leak may occur.\", \"\
+ uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-20386\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"241-7~deb10u8\"}, {\"key\": \"package_name\", \"value\": \"systemd\"}, {\"key\"\
+ : \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2019-9923\", \"description\": \"pax_decode_header
+ in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain
+ archives that have malformed extended headers.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-9923\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"1.30+dfsg-6\"}, {\"key\": \"package_name\", \"value\": \"tar\"},
+ {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2005-2541\", \"description\"\
+ : \"Tar 1.15.1 does not properly warn the user when extracting setuid or setgid
+ files, which may allow local users or remote attackers to gain privileges.\", \"\
+ uri\": \"https://security-tracker.debian.org/tracker/CVE-2005-2541\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"1.30+dfsg-6\"}, {\"key\": \"package_name\", \"value\": \"tar\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"10\"}]}, {\"name\": \"CVE-2021-20193\", \"description\": \"A flaw
+ was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker
+ who can submit a crafted input file to tar to cause uncontrolled consumption of
+ memory. The highest threat from this vulnerability is to system availability.\"
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-20193\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"1.30+dfsg-6\"}, {\"key\": \"package_name\", \"value\": \"tar\"}, {\"key\": \"\
+ CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
+ , \"value\": \"4.3\"}]}, {\"name\": \"CVE-2017-17973\", \"description\": \"** DISPUTED
+ ** In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function
+ in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this
+ issue.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-17973\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\"\
+ : \"tiff\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"\
+ }, {\"key\": \"CVSS2_SCORE\", \"value\": \"6.8\"}]}, {\"name\": \"CVE-2020-35521\"\
+ , \"description\": \"A flaw was found in libtiff. Due to a memory allocation failure
+ in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of
+ service.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-35521\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\"\
+ : \"tiff\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"\
+ }, {\"key\": \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2014-8130\"\
+ , \"description\": \"The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does
+ not reject a zero size, which allows remote attackers to cause a denial of service
+ (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled
+ by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2014-8130\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\": \"tiff\"
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2017-5563\", \"description\"\
+ : \"LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c
+ resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff.\"
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-5563\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\": \"tiff\"
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"6.8\"}]}, {\"name\": \"CVE-2020-35522\", \"description\"\
+ : \"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF
+ document can lead to an abort, resulting in a remote denial of service attack.\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-35522\", \"severity\"\
+ : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
+ \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\": \"tiff\"
+ }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\"\
+ : \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2017-9117\", \"description\"\
+ : \"In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth
+ and biHeight in the bitmap-information header match the actual input, leading to
+ a heap-based buffer over-read in bmp2tiff.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-9117\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\"\
+ : \"tiff\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\"\
+ }, {\"key\": \"CVSS2_SCORE\", \"value\": \"7.5\"}]}, {\"name\": \"CVE-2017-16232\"\
+ , \"description\": \"** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities,
+ which allow attackers to cause a denial of service (memory consumption), as demonstrated
+ by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce
+ the issue.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-16232\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\"\
+ : \"tiff\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"\
+ }, {\"key\": \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2018-10126\"\
+ , \"description\": \"LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16
+ function in jfdctint.c.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-10126\"\
+ , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
+ , \"value\": \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\"\
+ : \"tiff\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"\
+ }, {\"key\": \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2021-22924\"\
+ , \"description\": \"libcurl keeps previously used connections in a connection pool
+ for subsequenttransfers to reuse, if one of them matches the setup.Due to errors
+ in the logic, the config matching function did not take 'issuercert' into account
+ and it compared the involved paths *case insensitively*,which could lead to libcurl
+ reusing wrong connections.File paths are, or can be, case sensitive on many systems
+ but not all, and caneven vary depending on used file systems.The comparison also
+ didn't include the 'issuer cert' which a transfer can setto qualify how to verify
+ the server certificate.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-22924\"\
+ , \"severity\": \"UNDEFINED\", \"attributes\": [{\"key\": \"package_version\", \"\
+ value\": \"7.64.0-4+deb10u2\"}, {\"key\": \"package_name\", \"value\": \"curl\"
+ }]}, {\"name\": \"CVE-2021-38115\", \"description\": \"read_header_tga in gd_tga.c
+ in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to
+ cause a denial of service (out-of-bounds read) via a crafted TGA file.\", \"uri\"\
+ : \"https://security-tracker.debian.org/tracker/CVE-2021-38115\", \"severity\":
+ \"UNDEFINED\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"2.2.5-5.2\"\
+ }, {\"key\": \"package_name\", \"value\": \"libgd2\"}]}, {\"name\": \"CVE-2021-3618\"\
+ , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-3618\", \"severity\"\
+ : \"UNDEFINED\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"1.21.1-1~buster\"\
+ }, {\"key\": \"package_name\", \"value\": \"nginx\"}]}], \"findingSeverityCounts\"\
+ : {\"HIGH\": 2, \"MEDIUM\": 14, \"INFORMATIONAL\": 63, \"LOW\": 22, \"UNDEFINED\"\
+ : 3}}}, \"requestID\": \"23c19e2d-c48b-4265-b4eb-853e7b325780\", \"eventID\": \"\
+ 6c94a9b2-36dc-43f8-a6dd-4ec839ded8af\", \"readOnly\": true, \"eventType\": \"AwsApiCall\"\
+ , \"managementEvent\": true, \"recipientAccountId\": \"111111111111\", \"eventCategory\"\
+ : \"Management\"}"
diff --git a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
index d4abfd2473..56fa1914b9 100644
--- a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
@@ -1,95 +1,96 @@
name: AWS CloudTrail GetAccountPasswordPolicy
id: 439bdc53-6e4b-4cd7-b326-86c7317fd396
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a request is made to get the account password policy in AWS CloudTrail.
+description: Logs an event when a request is made to get the account password policy
+ in AWS CloudTrail.
mitre_components:
-- User Account Authentication
-- User Account Metadata
+ - User Account Authentication
+ - User Account Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: GetAccountPasswordPolicy
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- desc
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - desc
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDASBMSCQHHTH5NDF4GD", "arn": "arn:aws:iam::111111111111:user/strt_fonder", "accountId":
"111111111111", "accessKeyId": "AKIASBMSCQHH5A5NJDM5", "userName": "strt_fonder"},
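Review bot: `version: 2` and `date: '2025-01-23'` are bumped at the top of the hunk while the only other changes in this file are a two-space re-indentation of the sequences and a line-wrap of the description — the description wording, the mitre_components and the field list are byte-identical, so nothing the commit title promises ("Add descriptions and mitre components") actually lands here. If the project's tooling requires a version bump on any edit, a one-line mention in the PR description would settle it; otherwise I'd leave `version`/`date` untouched for a pure reformat. The same applies to the getobject, getpassworddata, jobcreated, modifydbinstance, modifyimageattribute and modifysnapshotattribute hunks below. As a point of style, the wrapped description is now a plain multi-line scalar; writing it as `description: >-` with the text indented beneath makes the line folding explicit instead of relying on plain-scalar continuation rules.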
diff --git a/data_sources/aws_cloudtrail_getobject.yml b/data_sources/aws_cloudtrail_getobject.yml
index 3a3c9a6e10..d303eb012c 100644
--- a/data_sources/aws_cloudtrail_getobject.yml
+++ b/data_sources/aws_cloudtrail_getobject.yml
@@ -1,104 +1,105 @@
name: AWS CloudTrail GetObject
id: 5063cb10-84c0-44af-ade4-ab9ecad11dfe
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a request is made to access an object stored in an AWS S3 bucket.
+description: Logs an event when a request is made to access an object stored in an
+ AWS S3 bucket.
mitre_components:
-- Cloud Storage Access
-- Cloud Storage Metadata
-- Cloud Storage Enumeration
+ - Cloud Storage Access
+ - Cloud Storage Metadata
+ - Cloud Storage Enumeration
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: GetObject
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- additionalEventData.AuthenticationMethod
-- additionalEventData.CipherSuite
-- additionalEventData.SignatureVersion
-- additionalEventData.bytesTransferredIn
-- additionalEventData.bytesTransferredOut
-- additionalEventData.x-amz-id-2
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.Host
-- requestParameters.bucketName
-- requestParameters.key
-- requestParameters.x-amz-request-payer
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - additionalEventData.AuthenticationMethod
+ - additionalEventData.CipherSuite
+ - additionalEventData.SignatureVersion
+ - additionalEventData.bytesTransferredIn
+ - additionalEventData.bytesTransferredOut
+ - additionalEventData.x-amz-id-2
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.Host
+ - requestParameters.bucketName
+ - requestParameters.key
+ - requestParameters.x-amz-request-payer
+ - resources{}.ARN
+ - resources{}.accountId
+ - resources{}.type
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/console", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName": "console"}, "eventTime":
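Review bot: The example_log context carries IAM access key IDs in the real `AKIA`/`ASIA` plus 16-character shape (`AKIAYTOGP2RLF5EAXXXX` here, `AKIASBMSCQHH5A5NJDM5` in the getaccountpasswordpolicy hunk, `ASIAYTOGP2RLLY5RQXEF` in the getpassworddata hunk), which secret scanners match on prefix and length; a key ID is not the secret, but if any of these are real they identify a principal in a live account and will keep tripping scanners on every clone of this corpus. Since these files are being re-versioned anyway, normalising them to an obviously synthetic value such as AWS's documented example ID `AKIAIOSFODNN7EXAMPLE` would remove the ambiguity without changing what the sample demonstrates. The example_log continues past the end of the hunk, so I can't see whether further identifiers follow.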
diff --git a/data_sources/aws_cloudtrail_getpassworddata.yml b/data_sources/aws_cloudtrail_getpassworddata.yml
index 7b86ddd0fe..6644109837 100644
--- a/data_sources/aws_cloudtrail_getpassworddata.yml
+++ b/data_sources/aws_cloudtrail_getpassworddata.yml
@@ -1,105 +1,106 @@
name: AWS CloudTrail GetPasswordData
id: 6ff2ce99-85b1-4c17-888a-56dbc3570671
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a request is made to retrieve the administrator password of an EC2 instance.
+description: Logs an event when a request is made to retrieve the administrator password
+ of an EC2 instance.
mitre_components:
-- Instance Metadata
-- User Account Authentication
+ - Instance Metadata
+ - User Account Authentication
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: GetPasswordData
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- errorMessage
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- reason
-- recipientAccountId
-- region
-- requestID
-- requestParameters.instanceId
-- responseElements
-- result
-- result_id
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - errorMessage
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - reason
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.instanceId
+ - responseElements
+ - result
+ - result_id
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLP5AASA6I5:aws-go-sdk-1660169051746043000", "arn": "arn:aws:sts::111111111111:assumed-role/sample-role-used-by-stratus-for-ec2-password-data/aws-go-sdk-1660169051746043000",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLLY5RQXEF", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_jobcreated.yml b/data_sources/aws_cloudtrail_jobcreated.yml
index fb86a52163..2278f224a5 100644
--- a/data_sources/aws_cloudtrail_jobcreated.yml
+++ b/data_sources/aws_cloudtrail_jobcreated.yml
@@ -1,81 +1,81 @@
name: AWS CloudTrail JobCreated
id: 6473289b-d097-4c86-a837-3cc5ae408155
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a new job is created in AWS CloudTrail.
mitre_components:
-- Scheduled Job Creation
-- Cloud Service Metadata
+ - Scheduled Job Creation
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: JobCreated
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- desc
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestParameters
-- responseElements
-- serviceEventDetails.jobArn
-- serviceEventDetails.jobEventId
-- serviceEventDetails.jobId
-- serviceEventDetails.status
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- userAgent
-- userIdentity.accountId
-- userIdentity.invokedBy
-- user_agent
-- user_group_id
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - desc
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestParameters
+ - responseElements
+ - serviceEventDetails.jobArn
+ - serviceEventDetails.jobEventId
+ - serviceEventDetails.jobId
+ - serviceEventDetails.status
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - timeendpos
+ - timestartpos
+ - userAgent
+ - userIdentity.accountId
+ - userIdentity.invokedBy
+ - user_agent
+ - user_group_id
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"accountId": "111111111111",
"invokedBy": "s3.amazonaws.com"}, "eventTime": "2023-04-24T23:51:17Z", "eventSource":
"s3.amazonaws.com", "eventName": "JobCreated", "awsRegion": "us-west-2", "sourceIPAddress":
diff --git a/data_sources/aws_cloudtrail_modifydbinstance.yml b/data_sources/aws_cloudtrail_modifydbinstance.yml
index df5c25ffe5..99cb79f0b2 100644
--- a/data_sources/aws_cloudtrail_modifydbinstance.yml
+++ b/data_sources/aws_cloudtrail_modifydbinstance.yml
@@ -1,154 +1,155 @@
name: AWS CloudTrail ModifyDBInstance
id: bfa2912d-1a33-4b05-be46-543874d68241
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a modification is made to an AWS database instance, such as parameters or configurations.
+description: Logs an event when a modification is made to an AWS database instance,
+ such as parameters or configurations.
mitre_components:
-- Instance Modification
-- Cloud Service Modification
-- Instance Metadata
+ - Instance Modification
+ - Cloud Service Modification
+ - Instance Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: ModifyDBInstance
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.allowMajorVersionUpgrade
-- requestParameters.applyImmediately
-- requestParameters.dBInstanceIdentifier
-- requestParameters.deletionProtection
-- requestParameters.masterUserPassword
-- responseElements.allocatedStorage
-- responseElements.autoMinorVersionUpgrade
-- responseElements.availabilityZone
-- responseElements.backupRetentionPeriod
-- responseElements.backupTarget
-- responseElements.cACertificateIdentifier
-- responseElements.copyTagsToSnapshot
-- responseElements.customerOwnedIpEnabled
-- responseElements.dBInstanceArn
-- responseElements.dBInstanceClass
-- responseElements.dBInstanceIdentifier
-- responseElements.dBInstanceStatus
-- responseElements.dBParameterGroups{}.dBParameterGroupName
-- responseElements.dBParameterGroups{}.parameterApplyStatus
-- responseElements.dBSubnetGroup.dBSubnetGroupDescription
-- responseElements.dBSubnetGroup.dBSubnetGroupName
-- responseElements.dBSubnetGroup.subnetGroupStatus
-- responseElements.dBSubnetGroup.subnets{}.subnetAvailabilityZone.name
-- responseElements.dBSubnetGroup.subnets{}.subnetIdentifier
-- responseElements.dBSubnetGroup.subnets{}.subnetStatus
-- responseElements.dBSubnetGroup.vpcId
-- responseElements.dbInstancePort
-- responseElements.dbiResourceId
-- responseElements.deletionProtection
-- responseElements.endpoint.address
-- responseElements.endpoint.hostedZoneId
-- responseElements.endpoint.port
-- responseElements.engine
-- responseElements.engineVersion
-- responseElements.enhancedMonitoringResourceArn
-- responseElements.httpEndpointEnabled
-- responseElements.iAMDatabaseAuthenticationEnabled
-- responseElements.instanceCreateTime
-- responseElements.kmsKeyId
-- responseElements.latestRestorableTime
-- responseElements.licenseModel
-- responseElements.masterUsername
-- responseElements.monitoringInterval
-- responseElements.monitoringRoleArn
-- responseElements.multiAZ
-- responseElements.networkType
-- responseElements.optionGroupMemberships{}.optionGroupName
-- responseElements.optionGroupMemberships{}.status
-- responseElements.pendingModifiedValues.masterUserPassword
-- responseElements.performanceInsightsEnabled
-- responseElements.performanceInsightsKMSKeyId
-- responseElements.performanceInsightsRetentionPeriod
-- responseElements.preferredBackupWindow
-- responseElements.preferredMaintenanceWindow
-- responseElements.publiclyAccessible
-- responseElements.storageEncrypted
-- responseElements.storageThroughput
-- responseElements.storageType
-- responseElements.vpcSecurityGroups{}.status
-- responseElements.vpcSecurityGroups{}.vpcSecurityGroupId
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.allowMajorVersionUpgrade
+ - requestParameters.applyImmediately
+ - requestParameters.dBInstanceIdentifier
+ - requestParameters.deletionProtection
+ - requestParameters.masterUserPassword
+ - responseElements.allocatedStorage
+ - responseElements.autoMinorVersionUpgrade
+ - responseElements.availabilityZone
+ - responseElements.backupRetentionPeriod
+ - responseElements.backupTarget
+ - responseElements.cACertificateIdentifier
+ - responseElements.copyTagsToSnapshot
+ - responseElements.customerOwnedIpEnabled
+ - responseElements.dBInstanceArn
+ - responseElements.dBInstanceClass
+ - responseElements.dBInstanceIdentifier
+ - responseElements.dBInstanceStatus
+ - responseElements.dBParameterGroups{}.dBParameterGroupName
+ - responseElements.dBParameterGroups{}.parameterApplyStatus
+ - responseElements.dBSubnetGroup.dBSubnetGroupDescription
+ - responseElements.dBSubnetGroup.dBSubnetGroupName
+ - responseElements.dBSubnetGroup.subnetGroupStatus
+ - responseElements.dBSubnetGroup.subnets{}.subnetAvailabilityZone.name
+ - responseElements.dBSubnetGroup.subnets{}.subnetIdentifier
+ - responseElements.dBSubnetGroup.subnets{}.subnetStatus
+ - responseElements.dBSubnetGroup.vpcId
+ - responseElements.dbInstancePort
+ - responseElements.dbiResourceId
+ - responseElements.deletionProtection
+ - responseElements.endpoint.address
+ - responseElements.endpoint.hostedZoneId
+ - responseElements.endpoint.port
+ - responseElements.engine
+ - responseElements.engineVersion
+ - responseElements.enhancedMonitoringResourceArn
+ - responseElements.httpEndpointEnabled
+ - responseElements.iAMDatabaseAuthenticationEnabled
+ - responseElements.instanceCreateTime
+ - responseElements.kmsKeyId
+ - responseElements.latestRestorableTime
+ - responseElements.licenseModel
+ - responseElements.masterUsername
+ - responseElements.monitoringInterval
+ - responseElements.monitoringRoleArn
+ - responseElements.multiAZ
+ - responseElements.networkType
+ - responseElements.optionGroupMemberships{}.optionGroupName
+ - responseElements.optionGroupMemberships{}.status
+ - responseElements.pendingModifiedValues.masterUserPassword
+ - responseElements.performanceInsightsEnabled
+ - responseElements.performanceInsightsKMSKeyId
+ - responseElements.performanceInsightsRetentionPeriod
+ - responseElements.preferredBackupWindow
+ - responseElements.preferredMaintenanceWindow
+ - responseElements.publiclyAccessible
+ - responseElements.storageEncrypted
+ - responseElements.storageThroughput
+ - responseElements.storageType
+ - responseElements.vpcSecurityGroups{}.status
+ - responseElements.vpcSecurityGroups{}.vpcSecurityGroupId
+ - sessionCredentialFromConsole
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLDF6WP4HD6:gowthamarajr@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/gowthamarajr@splunk.com",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLAKJDBQGB", "sessionContext":
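Review bot: The re-indented field list carries `requestParameters.masterUserPassword` and `responseElements.pendingModifiedValues.masterUserPassword` with no note on what those fields hold; CloudTrail is expected to mask RDS password parameters rather than record them, but nothing in this file says so, and a detection author could reasonably try to key on the value. I'd add above those two entries: `# masterUserPassword fields are expected to be masked by CloudTrail, never a usable credential - confirm against example_log before keying a search on the value`. The example_log that would confirm the masking runs past the end of the hunk, so I can't verify it from here.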
diff --git a/data_sources/aws_cloudtrail_modifyimageattribute.yml b/data_sources/aws_cloudtrail_modifyimageattribute.yml
index 3d415b44b9..67fd0edb8a 100644
--- a/data_sources/aws_cloudtrail_modifyimageattribute.yml
+++ b/data_sources/aws_cloudtrail_modifyimageattribute.yml
@@ -1,99 +1,100 @@
name: AWS CloudTrail ModifyImageAttribute
id: 667c2115-8082-419e-b541-8150066bda4d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when the attributes of an Amazon Machine Image (AMI) are modified.
+description: Logs an event when the attributes of an Amazon Machine Image (AMI) are
+ modified.
mitre_components:
-- Image Modification
-- Image Metadata
+ - Image Modification
+ - Image Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: ModifyImageAttribute
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.attributeType
-- requestParameters.imageId
-- requestParameters.launchPermission.add.items{}.userId
-- responseElements._return
-- responseElements.requestId
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.attributeType
+ - requestParameters.imageId
+ - requestParameters.launchPermission.add.items{}.userId
+ - responseElements._return
+ - responseElements.requestId
+ - sessionCredentialFromConsole
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLDF6WP4HD6:bonobo@bo.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/bonobo@bo.com",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLBHIEEEPN", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
index 211ccdf1dc..d44c5fa436 100644
--- a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
+++ b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
@@ -1,94 +1,95 @@
name: AWS CloudTrail ModifySnapshotAttribute
id: 7e5aa947-3a0d-4ee5-b800-0c10b555da05
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when modifications are made to the attributes of a snapshot in AWS CloudTrail.
+description: Logs an event when modifications are made to the attributes of a snapshot
+ in AWS CloudTrail.
mitre_components:
-- Snapshot Modification
+ - Snapshot Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: ModifySnapshotAttribute
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.attributeType
-- requestParameters.createVolumePermission.add.items{}.userId
-- requestParameters.snapshotId
-- responseElements._return
-- responseElements.requestId
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.attributeType
+ - requestParameters.createVolumePermission.add.items{}.userId
+ - requestParameters.snapshotId
+ - responseElements._return
+ - responseElements.requestId
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/bhavin_console",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName":
diff --git a/data_sources/aws_cloudtrail_putbucketacl.yml b/data_sources/aws_cloudtrail_putbucketacl.yml
index 24be91aea5..715cb571cb 100644
--- a/data_sources/aws_cloudtrail_putbucketacl.yml
+++ b/data_sources/aws_cloudtrail_putbucketacl.yml
@@ -1,108 +1,109 @@
name: AWS CloudTrail PutBucketAcl
id: 28fffbfd-d98d-4a42-990b-b04ab47422eb
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when an ACL is set or modified for an S3 bucket in AWS CloudTrail.
+description: Logs an event when an ACL is set or modified for an S3 bucket in AWS
+ CloudTrail.
mitre_components:
-- Cloud Storage Modification
-- Cloud Storage Metadata
+ - Cloud Storage Modification
+ - Cloud Storage Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: PutBucketAcl
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- additionalEventData.AuthenticationMethod
-- additionalEventData.CipherSuite
-- additionalEventData.SignatureVersion
-- additionalEventData.bytesTransferredIn
-- additionalEventData.bytesTransferredOut
-- additionalEventData.x-amz-id-2
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object
-- object_category
-- object_id
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.Host
-- requestParameters.accessControlList.x-amz-grant-write-acp
-- requestParameters.acl
-- requestParameters.bucketName
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_user
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - additionalEventData.AuthenticationMethod
+ - additionalEventData.CipherSuite
+ - additionalEventData.SignatureVersion
+ - additionalEventData.bytesTransferredIn
+ - additionalEventData.bytesTransferredOut
+ - additionalEventData.x-amz-id-2
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object
+ - object_category
+ - object_id
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.Host
+ - requestParameters.accessControlList.x-amz-grant-write-acp
+ - requestParameters.acl
+ - requestParameters.bucketName
+ - resources{}.ARN
+ - resources{}.accountId
+ - resources{}.type
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - src_user
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLNALZHZ6KX", "arn": "arn:aws:iam::111111111111:user/patrick_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLJ2OYSF6E", "userName": "patrick_cli"},
diff --git a/data_sources/aws_cloudtrail_putbucketlifecycle.yml b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
index a01d2b76d2..e5108f5812 100644
--- a/data_sources/aws_cloudtrail_putbucketlifecycle.yml
+++ b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
@@ -1,109 +1,110 @@
name: AWS CloudTrail PutBucketLifecycle
id: 1c73e954-87b6-4bd7-ac6a-5db7c4082b22
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a lifecycle configuration is added to an S3 bucket in AWS CloudTrail.
+description: Logs an event when a lifecycle configuration is added to an S3 bucket
+ in AWS CloudTrail.
mitre_components:
-- Cloud Storage Modification
-- Cloud Storage Metadata
+ - Cloud Storage Modification
+ - Cloud Storage Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: PutBucketLifecycle
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- additionalEventData.AuthenticationMethod
-- additionalEventData.CipherSuite
-- additionalEventData.SignatureVersion
-- additionalEventData.bytesTransferredIn
-- additionalEventData.bytesTransferredOut
-- additionalEventData.x-amz-id-2
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object
-- object_category
-- object_id
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.Host
-- requestParameters.LifecycleConfiguration.Rule.Expiration.Days
-- requestParameters.LifecycleConfiguration.Rule.Filter.Prefix
-- requestParameters.LifecycleConfiguration.Rule.ID
-- requestParameters.LifecycleConfiguration.Rule.Status
-- requestParameters.LifecycleConfiguration.xmlns
-- requestParameters.bucketName
-- requestParameters.lifecycle
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - additionalEventData.AuthenticationMethod
+ - additionalEventData.CipherSuite
+ - additionalEventData.SignatureVersion
+ - additionalEventData.bytesTransferredIn
+ - additionalEventData.bytesTransferredOut
+ - additionalEventData.x-amz-id-2
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object
+ - object_category
+ - object_id
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.Host
+ - requestParameters.LifecycleConfiguration.Rule.Expiration.Days
+ - requestParameters.LifecycleConfiguration.Rule.Filter.Prefix
+ - requestParameters.LifecycleConfiguration.Rule.ID
+ - requestParameters.LifecycleConfiguration.Rule.Status
+ - requestParameters.LifecycleConfiguration.xmlns
+ - requestParameters.bucketName
+ - requestParameters.lifecycle
+ - resources{}.ARN
+ - resources{}.accountId
+ - resources{}.type
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_putbucketreplication.yml b/data_sources/aws_cloudtrail_putbucketreplication.yml
index b16eec7546..779545c3e7 100644
--- a/data_sources/aws_cloudtrail_putbucketreplication.yml
+++ b/data_sources/aws_cloudtrail_putbucketreplication.yml
@@ -1,121 +1,122 @@
name: AWS CloudTrail PutBucketReplication
id: 0e1362eb-e592-419f-8fa5-556d3a122417
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when replication configurations are added or modified for an S3 bucket.
+description: Logs an event when replication configurations are added or modified for
+ an S3 bucket.
mitre_components:
-- Cloud Storage Modification
+ - Cloud Storage Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: PutBucketReplication
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- additionalEventData.AuthenticationMethod
-- additionalEventData.CipherSuite
-- additionalEventData.SignatureVersion
-- additionalEventData.bytesTransferredIn
-- additionalEventData.bytesTransferredOut
-- additionalEventData.x-amz-id-2
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object
-- object_category
-- object_id
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.Host
-- requestParameters.ReplicationConfiguration.Role
-- requestParameters.ReplicationConfiguration.Rule.DeleteMarkerReplication.Status
-- requestParameters.ReplicationConfiguration.Rule.Destination.Bucket
-- requestParameters.ReplicationConfiguration.Rule.Filter
-- requestParameters.ReplicationConfiguration.Rule.ID
-- requestParameters.ReplicationConfiguration.Rule.Priority
-- requestParameters.ReplicationConfiguration.Rule.Status
-- requestParameters.ReplicationConfiguration.xmlns
-- requestParameters.bucketName
-- requestParameters.replication
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-- vpcEndpointId
+ - _time
+ - additionalEventData.AuthenticationMethod
+ - additionalEventData.CipherSuite
+ - additionalEventData.SignatureVersion
+ - additionalEventData.bytesTransferredIn
+ - additionalEventData.bytesTransferredOut
+ - additionalEventData.x-amz-id-2
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object
+ - object_category
+ - object_id
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.Host
+ - requestParameters.ReplicationConfiguration.Role
+ - requestParameters.ReplicationConfiguration.Rule.DeleteMarkerReplication.Status
+ - requestParameters.ReplicationConfiguration.Rule.Destination.Bucket
+ - requestParameters.ReplicationConfiguration.Rule.Filter
+ - requestParameters.ReplicationConfiguration.Rule.ID
+ - requestParameters.ReplicationConfiguration.Rule.Priority
+ - requestParameters.ReplicationConfiguration.Rule.Status
+ - requestParameters.ReplicationConfiguration.xmlns
+ - requestParameters.bucketName
+ - requestParameters.replication
+ - resources{}.ARN
+ - resources{}.accountId
+ - resources{}.type
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
+ - vpcEndpointId
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLDF6WP4H11:bpatel@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/bpatel@splunk.com",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLJOVYQHW2", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_putbucketversioning.yml b/data_sources/aws_cloudtrail_putbucketversioning.yml
index 1fcc3c6668..1d727cc4d1 100644
--- a/data_sources/aws_cloudtrail_putbucketversioning.yml
+++ b/data_sources/aws_cloudtrail_putbucketversioning.yml
@@ -1,112 +1,113 @@
name: AWS CloudTrail PutBucketVersioning
id: 17b2fc7d-c8ce-487c-8815-f9a65a09e980
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when the bucket versioning state is modified in an AWS S3 bucket.
+description: Logs an event when the bucket versioning state is modified in an AWS
+ S3 bucket.
mitre_components:
-- Cloud Storage Modification
+ - Cloud Storage Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: PutBucketVersioning
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- additionalEventData.AuthenticationMethod
-- additionalEventData.CipherSuite
-- additionalEventData.SignatureVersion
-- additionalEventData.bytesTransferredIn
-- additionalEventData.bytesTransferredOut
-- additionalEventData.x-amz-id-2
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object
-- object_category
-- object_id
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.Host
-- requestParameters.VersioningConfiguration.Status
-- requestParameters.VersioningConfiguration.xmlns
-- requestParameters.bucketName
-- requestParameters.versioning
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-- vpcEndpointId
+ - _time
+ - additionalEventData.AuthenticationMethod
+ - additionalEventData.CipherSuite
+ - additionalEventData.SignatureVersion
+ - additionalEventData.bytesTransferredIn
+ - additionalEventData.bytesTransferredOut
+ - additionalEventData.x-amz-id-2
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object
+ - object_category
+ - object_id
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.Host
+ - requestParameters.VersioningConfiguration.Status
+ - requestParameters.VersioningConfiguration.xmlns
+ - requestParameters.bucketName
+ - requestParameters.versioning
+ - resources{}.ARN
+ - resources{}.accountId
+ - resources{}.type
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
+ - vpcEndpointId
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLDF6WP4HD6:daftpunk@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/daftpunk@splunk.com",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLAQ5VXXXX", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_putimage.yml b/data_sources/aws_cloudtrail_putimage.yml
index 263b630172..713ed667e1 100644
--- a/data_sources/aws_cloudtrail_putimage.yml
+++ b/data_sources/aws_cloudtrail_putimage.yml
@@ -1,102 +1,103 @@
name: AWS CloudTrail PutImage
id: bb13f10d-0d8c-4fde-9136-b7cfd930e87c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a container image is uploaded to a repository in AWS CloudTrail.
+description: Logs an event when a container image is uploaded to a repository in AWS
+ CloudTrail.
mitre_components:
-- Image Creation
-- Image Metadata
+ - Image Creation
+ - Image Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: PutImage
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.imageManifest
-- requestParameters.imageManifestMediaType
-- requestParameters.imageTag
-- requestParameters.registryId
-- requestParameters.repositoryName
-- resources{}.ARN
-- resources{}.accountId
-- responseElements.image.imageId.imageDigest
-- responseElements.image.imageId.imageTag
-- responseElements.image.imageManifest
-- responseElements.image.imageManifestMediaType
-- responseElements.image.registryId
-- responseElements.image.repositoryName
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.invokedBy
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.imageManifest
+ - requestParameters.imageManifestMediaType
+ - requestParameters.imageTag
+ - requestParameters.registryId
+ - requestParameters.repositoryName
+ - resources{}.ARN
+ - resources{}.accountId
+ - responseElements.image.imageId.imageDigest
+ - responseElements.image.imageId.imageTag
+ - responseElements.image.imageManifest
+ - responseElements.image.imageManifestMediaType
+ - responseElements.image.registryId
+ - responseElements.image.repositoryName
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.invokedBy
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AAAAAAAAAAAAAAAAAAAAA", "arn": "arn:aws:iam::111111111111:user/test", "accountId":
"111111111111", "accessKeyId": "AAAAAAAAAAAAAAAAAAAAA", "userName": "test", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_putkeypolicy.yml b/data_sources/aws_cloudtrail_putkeypolicy.yml
index edac5877b5..d291365312 100644
--- a/data_sources/aws_cloudtrail_putkeypolicy.yml
+++ b/data_sources/aws_cloudtrail_putkeypolicy.yml
@@ -1,101 +1,102 @@
name: AWS CloudTrail PutKeyPolicy
id: 9c54c86b-43b9-4bb8-915d-6838beb7f07c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs changes made to AWS Key Management Service (KMS) key policies, including updates and permission assignments.
+description: Logs changes made to AWS Key Management Service (KMS) key policies, including
+ updates and permission assignments.
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.bypassPolicyLockoutSafetyCheck
-- requestParameters.keyId
-- requestParameters.policy
-- requestParameters.policyName
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.bypassPolicyLockoutSafetyCheck
+ - requestParameters.keyId
+ - requestParameters.policy
+ - requestParameters.policyName
+ - resources{}.ARN
+ - resources{}.accountId
+ - resources{}.type
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
mitre_components:
-- Cloud Service Modification
+ - Cloud Service Modification
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLK74OPBDR", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
index af51b981b1..4e7c3f9359 100644
--- a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
@@ -1,110 +1,110 @@
name: AWS CloudTrail ReplaceNetworkAclEntry
id: db0c240e-3754-40e4-86ef-cde018ee9f65
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a network ACL entry is replaced within the AWS CloudTrail.
mitre_components:
-- Firewall Rule Modification
-- Cloud Service Modification
+ - Firewall Rule Modification
+ - Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: ReplaceNetworkAclEntry
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- direction
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- protocol
-- protocol_code
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.aclProtocol
-- requestParameters.cidrBlock
-- requestParameters.egress
-- requestParameters.networkAclId
-- requestParameters.ruleAction
-- requestParameters.ruleNumber
-- responseElements._return
-- responseElements.requestId
-- rule_action
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_ip_range
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - direction
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - protocol
+ - protocol_code
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.aclProtocol
+ - requestParameters.cidrBlock
+ - requestParameters.egress
+ - requestParameters.networkAclId
+ - requestParameters.ruleAction
+ - requestParameters.ruleNumber
+ - responseElements._return
+ - responseElements.requestId
+ - rule_action
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - src_ip_range
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLF3F7BXZK", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
index df1e0b4657..d5c2a78694 100644
--- a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
@@ -1,95 +1,96 @@
name: AWS CloudTrail SetDefaultPolicyVersion
id: 06e0b5a0-8d36-485e-befc-4ae79d77ef6c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when the default version of a resource policy in AWS is set or changed.
+description: Logs an event when the default version of a resource policy in AWS is
+ set or changed.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: SetDefaultPolicyVersion
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.policyArn
-- requestParameters.versionId
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.policyArn
+ - requestParameters.versionId
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLESDK2NOSX", "arn": "arn:aws:iam::111111111111:user/AtomicRedTeam",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLKMZDMPVA", "userName":
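Review bot: The re-wrapped `description` still calls the target a "resource policy", but `SetDefaultPolicyVersion` (the `separator_value` here, with `requestParameters.policyArn`/`versionId` in the field list) is the IAM API for customer managed policies; resource-based policies are not versioned, so the wording points analysts at the wrong object. Since this call is the known `iam:SetDefaultPolicyVersion` privilege-escalation path (re-activating an older, more permissive policy version), the description should say so: `description: Logs an event when the default version of an IAM customer managed policy is changed via SetDefaultPolicyVersion; an attacker with this permission can re-activate an older, more permissive version of the policy.` The `mitre_components` entries on the new side are unchanged from before and look appropriate.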
diff --git a/data_sources/aws_cloudtrail_stoplogging.yml b/data_sources/aws_cloudtrail_stoplogging.yml
index 69859da19d..934920e8fb 100644
--- a/data_sources/aws_cloudtrail_stoplogging.yml
+++ b/data_sources/aws_cloudtrail_stoplogging.yml
@@ -1,90 +1,91 @@
name: AWS CloudTrail StopLogging
id: c5de7c54-4809-4659-bf9f-3bacf8bdfd35
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a cloud service in AWS, such as CloudTrail, is deactivated or stopped.
+description: Logs an event when a cloud service in AWS, such as CloudTrail, is deactivated
+ or stopped.
mitre_components:
-- Cloud Service Disable
+ - Cloud Service Disable
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: StopLogging
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.name
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.name
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"},
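Review bot: The `description` on the new side is vaguer than the data source it documents: `separator_value: StopLogging` selects exactly the CloudTrail `StopLogging` API call (`requestParameters.name` is the trail name), not any "cloud service in AWS, such as CloudTrail". That matters because this event is the canonical defense-evasion signal for disabling audit logging, and a reader deciding alert priority should not have to infer it. Suggested wording: `description: Logs an event when CloudTrail event recording is suspended for a trail via the StopLogging API call; delivery of audit events for that trail stops until StartLogging is called.` Since `errorCode` is in the field list, it may also be worth stating that denied attempts are captured as well, if the author can confirm that from the upstream data.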
diff --git a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
index 3959397892..6fd33c83e7 100644
--- a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
@@ -1,102 +1,102 @@
name: AWS CloudTrail UpdateAccountPasswordPolicy
id: 35a8cc97-3600-40e1-a5d1-1c2ad5060be0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an AWS account's password policy is updated.
mitre_components:
-- User Account Modification
-- Cloud Service Modification
+ - User Account Modification
+ - Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: UpdateAccountPasswordPolicy
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.allowUsersToChangePassword
-- requestParameters.hardExpiry
-- requestParameters.minimumPasswordLength
-- requestParameters.requireLowercaseCharacters
-- requestParameters.requireNumbers
-- requestParameters.requireSymbols
-- requestParameters.requireUppercaseCharacters
-- responseElements
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.allowUsersToChangePassword
+ - requestParameters.hardExpiry
+ - requestParameters.minimumPasswordLength
+ - requestParameters.requireLowercaseCharacters
+ - requestParameters.requireNumbers
+ - requestParameters.requireSymbols
+ - requestParameters.requireUppercaseCharacters
+ - responseElements
+ - sessionCredentialFromConsole
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
"111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111",
"accessKeyId": "ASIASBMSCQHHZZ4THONS", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
diff --git a/data_sources/aws_cloudtrail_updateloginprofile.yml b/data_sources/aws_cloudtrail_updateloginprofile.yml
index e8d28c061a..911021b6d6 100644
--- a/data_sources/aws_cloudtrail_updateloginprofile.yml
+++ b/data_sources/aws_cloudtrail_updateloginprofile.yml
@@ -1,94 +1,94 @@
name: AWS CloudTrail UpdateLoginProfile
id: 1db79158-e5d3-4d35-9d3c-586e44e09f1c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an IAM user's login profile is updated.
mitre_components:
-- User Account Modification
-- User Account Authentication
+ - User Account Modification
+ - User Account Authentication
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: UpdateLoginProfile
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.userName
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.userName
+ - responseElements
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_updatesamlprovider.yml b/data_sources/aws_cloudtrail_updatesamlprovider.yml
index 9477d6a455..3c7f55c5ea 100644
--- a/data_sources/aws_cloudtrail_updatesamlprovider.yml
+++ b/data_sources/aws_cloudtrail_updatesamlprovider.yml
@@ -1,192 +1,211 @@
name: AWS CloudTrail UpdateSAMLProvider
id: e5eb628d-711e-499c-87d9-8fa5dee419ec
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a SAML provider is updated in AWS.
mitre_components:
-- Cloud Service Modification
-- User Account Modification
-- Cloud Service Metadata
+ - Cloud Service Modification
+ - User Account Modification
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: UpdateSAMLProvider
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.sAMLMetadataDocument
-- requestParameters.sAMLProviderArn
-- responseElements.sAMLProviderArn
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
- "AROAYTOGP2RLKFUVAQAIJ:rodsoto@rodsoto.onmicrosoft.com", "arn": "arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/rodsoto@rodsoto.onmicrosoft.com",
- "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLMZGPIW6C", "sessionContext":
- {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLKFUVAQAIJ", "arn":
- "arn:aws:iam::111111111111:role/rodonmicrotestrole", "accountId": "111111111111",
- "userName": "rodonmicrotestrole"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated":
- "false", "creationDate": "2021-01-20T03:10:32Z"}}}, "eventTime": "2021-01-20T03:12:39Z",
- "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider", "awsRegion":
- "us-east-1", "sourceIPAddress": "66.176.252.11", "userAgent": "aws-internal/3 aws-sdk-java/1.11.930
- Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.275-b01
- java/1.8.0_275 vendor/Oracle_Corporation", "requestParameters": {"sAMLMetadataDocument":
- "ncp+pf0e75KdoRTy1PQeu74OKXjcVNM+bnT7Ns6cwQI=J9PRCq201gGMzMtt4Ye+gsM7xOgrNvDg/usqIMvsyUy2r/MeTBz5FKCK+Okjwm49vyTWUoUioYGiwm/TD2Knv59g1zy+/OjZcmBJgDrCmksFJdkwG/fDlOZQNGuj2qh1CEKL5n6Ipy2z1dQ9XUmhhndtXNnjdZ0fJ9QWufWoxveSCLHcU7eUB9obwq96pbAp+6as0XreMNC/xPv5gDdHfKaIppsXtEwcZY7m1c25jDWqPUTQrtbVC0uryffg1Yu0JLTr646GMTzxulBSpQGRfNf5UT0bUiLtKngi++UHrngKdv3ovWwpVmY82JhG7rMDhkuWZu3LdEFvY3svNxGtsQ==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
+ - _time
+ - action
+ - app
+ - awsRegion
+ - aws_account_id
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - eventtype
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.sAMLMetadataDocument
+ - requestParameters.sAMLProviderArn
+ - responseElements.sAMLProviderArn
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.sessionContext.attributes.creationDate
+ - userIdentity.sessionContext.attributes.mfaAuthenticated
+ - userIdentity.sessionContext.sessionIssuer.accountId
+ - userIdentity.sessionContext.sessionIssuer.arn
+ - userIdentity.sessionContext.sessionIssuer.principalId
+ - userIdentity.sessionContext.sessionIssuer.type
+ - userIdentity.sessionContext.sessionIssuer.userName
+ - userIdentity.type
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
+example_log: "{\"eventVersion\": \"1.08\", \"userIdentity\": {\"type\": \"AssumedRole\"\
+ , \"principalId\": \"AROAYTOGP2RLKFUVAQAIJ:rodsoto@rodsoto.onmicrosoft.com\", \"\
+ arn\": \"arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/rodsoto@rodsoto.onmicrosoft.com\"\
+ , \"accountId\": \"111111111111\", \"accessKeyId\": \"ASIAYTOGP2RLMZGPIW6C\", \"\
+ sessionContext\": {\"sessionIssuer\": {\"type\": \"Role\", \"principalId\": \"AROAYTOGP2RLKFUVAQAIJ\"\
+ , \"arn\": \"arn:aws:iam::111111111111:role/rodonmicrotestrole\", \"accountId\"
+ : \"111111111111\", \"userName\": \"rodonmicrotestrole\"}, \"webIdFederationData\"\
+ : {}, \"attributes\": {\"mfaAuthenticated\": \"false\", \"creationDate\": \"2021-01-20T03:10:32Z\"\
+ }}}, \"eventTime\": \"2021-01-20T03:12:39Z\", \"eventSource\": \"iam.amazonaws.com\"\
+ , \"eventName\": \"UpdateSAMLProvider\", \"awsRegion\": \"us-east-1\", \"sourceIPAddress\"\
+ : \"66.176.252.11\", \"userAgent\": \"aws-internal/3 aws-sdk-java/1.11.930 Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64
+ OpenJDK_64-Bit_Server_VM/25.275-b01 java/1.8.0_275 vendor/Oracle_Corporation\",
+ \"requestParameters\": {\"sAMLMetadataDocument\": \"ncp+pf0e75KdoRTy1PQeu74OKXjcVNM+bnT7Ns6cwQI=J9PRCq201gGMzMtt4Ye+gsM7xOgrNvDg/usqIMvsyUy2r/MeTBz5FKCK+Okjwm49vyTWUoUioYGiwm/TD2Knv59g1zy+/OjZcmBJgDrCmksFJdkwG/fDlOZQNGuj2qh1CEKL5n6Ipy2z1dQ9XUmhhndtXNnjdZ0fJ9QWufWoxveSCLHcU7eUB9obwq96pbAp+6as0XreMNC/xPv5gDdHfKaIppsXtEwcZY7m1c25jDWqPUTQrtbVC0uryffg1Yu0JLTr646GMTzxulBSpQGRfNf5UT0bUiLtKngi++UHrngKdv3ovWwpVmY82JhG7rMDhkuWZu3LdEFvY3svNxGtsQ==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
mutable display name of the user.SubjectAn
+ Uri=\\\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\\\"\
+ \ xmlns:auth=\\\"http://docs.oasis-open.org/wsfed/authorization/200706\\\">SubjectAn
immutable, globally unique, non-reusable identifier of the user that is unique to
the application for which a token is issued.Given
+ Uri=\\\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\\\" xmlns:auth=\\\
+ \"http://docs.oasis-open.org/wsfed/authorization/200706\\\">Given
NameFirst name of the user.SurnameLast
- name of the user.Display
+ Uri=\\\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\\\" xmlns:auth=\\\
+ \"http://docs.oasis-open.org/wsfed/authorization/200706\\\">SurnameLast
+ name of the user.Display
NameDisplay name of the user.Nick
+ Uri=\\\"http://schemas.microsoft.com/identity/claims/nickname\\\" xmlns:auth=\\\"\
+ http://docs.oasis-open.org/wsfed/authorization/200706\\\">Nick
NameNick name of the user.Authentication
+ Uri=\\\"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant\\\
+ \" xmlns:auth=\\\"http://docs.oasis-open.org/wsfed/authorization/200706\\\">Authentication
InstantThe time (UTC) when the user is authenticated
to Windows Azure Active Directory.Authentication
+ Uri=\\\"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod\\\
+ \" xmlns:auth=\\\"http://docs.oasis-open.org/wsfed/authorization/200706\\\">Authentication
MethodThe method that Windows Azure Active
Directory uses to authenticate users.ObjectIdentifierPrimary
+ Uri=\\\"http://schemas.microsoft.com/identity/claims/objectidentifier\\\" xmlns:auth=\\\
+ \"http://docs.oasis-open.org/wsfed/authorization/200706\\\">ObjectIdentifierPrimary
identifier for the user in the directory. Immutable, globally unique, non-reusable.TenantIdIdentifier
- for the user''s tenant.IdentityProviderIdentity
- provider for the user.EmailEmail
- address of the user.GroupsGroups
- of the user.External
+ Uri=\\\"http://schemas.microsoft.com/identity/claims/tenantid\\\" xmlns:auth=\\\"\
+ http://docs.oasis-open.org/wsfed/authorization/200706\\\">TenantIdIdentifier
+ for the user's tenant.IdentityProviderIdentity
+ provider for the user.EmailEmail
+ address of the user.GroupsGroups
+ of the user.External
Access TokenAccess token issued by external
- identity provider.External
+ identity provider.External
Access Token ExpirationUTC expiration time
of access token issued by external identity provider.External
+ Uri=\\\"http://schemas.microsoft.com/identity/claims/openid2_id\\\" xmlns:auth=\\\
+ \"http://docs.oasis-open.org/wsfed/authorization/200706\\\">External
OpenID 2.0 IdentifierOpenID 2.0 identifier
issued by external identity provider.GroupsOverageClaimIssued
- when number of user''s group claims exceeds return limit.Role
+ Uri=\\\"http://schemas.microsoft.com/claims/groups.link\\\" xmlns:auth=\\\"http://docs.oasis-open.org/wsfed/authorization/200706\\\
+ \">GroupsOverageClaimIssued
+ when number of user's group claims exceeds return limit.Role
ClaimRoles that the user or Service Principal
- is attached toRoleTemplate
+ is attached toRoleTemplate
Id ClaimRole template id of the Built-in Directory
Roles that the user is a member ofhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-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://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-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", "sAMLProviderArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"},
- "responseElements": {"sAMLProviderArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"},
- "requestID": "83d621ad-5b33-4ff0-acf4-0043cb432844", "eventID": "51b6d859-0cc4-4591-ba76-3494f3f43832",
- "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory":
- "Management", "recipientAccountId": "111111111111"}'
+ xmlns:wsa=\\\"http://www.w3.org/2005/08/addressing\\\">https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-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://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedMIIDPzCCAiegAwIBAgIQOpwRqLOiO5dOnZepSd5yJzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB4XDTIxMDEwNjIyMzAyMloXDTIyMDEwNjIyNTAyMlowITEfMB0GA1UEAwwWYWRmcy5hdHRhY2tyYW5nZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKCwp37iASl3qvAbIyYGI1HOwIlZCAuwLZF+ROf0SVpl+KC19nR+ws7NjacsxsugHMUT1gc9On/l0Jn5pF6VFFcPyPsVvaxLJ+YMY0SBcIHp1iQOKfA2jIFXs4eoLzcrOpX0vqkKsZEPsUAN8tz7OYOPyIP4gylV6hh3nNJXQ2ogeTHXmrpI7wDrAY72g9tDCAitRvAu+nZOLnYaQ3YmnJJGZd+YvmRUd7WAwngYEbJss55ZcL/JU3VJQMJ7OGtjFhjayDT/dUdtvBUqsfF27cArbT5WgGm8WX+WWrJTJgqhQ9YpRUXFajt7Ky5fDLG1cuL6FCHpfrBuRsy7MdY/B+0CAwEAAaNzMHEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAhBgNVHREEGjAYghZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB0GA1UdDgQWBBQCPwpG/CPNUFbkjPjBuXJr1AOIdzANBgkqhkiG9w0BAQsFAAOCAQEAlzPZxjHF8tLmpf2KLeu9OlVSdcJ/vER7H/3gZmDEnNET/FHbY20npgiQgyk2XoM9WBe9zsuDcORfhndUnW+NHaAHZfdTvtvq1wPoqnEFdedRKMoXU7DtcHHnK533/4ysdcpI8rMS4Tg/WTmFHmubs0xc1TGHL4nVPC1p7Tz6ijkluHxkZFjf0VER/lc6LBXxhEgPuX+aYFvMq1Ty8dYbYjQ9C1sKWYavOnR11pB3uGTRYaj0FwTGhP/UfpkKuaKRhx0j1Iwe01rNDl1+tWhAwZXGDFFcJMTx/Z+vCcSlijBLeVCP7mmm0QgFn7AWrqhAUKkqfcVVvYLgi+FTcuJuSA==MIIC8DCCAdigAwIBAgIQMN9XaFEOfIpMuOqq+1JFzzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMTAxMTcxODU2MTZaFw0yNDAxMTcyMTU2MTRaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2GO3vs2HPr+EXEVnWNRDOIjxS5tP2i9xq/399CAl/sWSbJkooGjcCKWf0DN1cGbbbrzL/V+Hor/htEFBpsbUsL8NbaE5pZOnH3oWquiHFiMs1t3Dh4dSVViKyMgIx/i5j4qUW74fYHvg
ead3kTIV7oSIYHXPNSF6SGLR8qWgRSCLre5P80PnzQmFoI1MbfJbJWf4rWBRVylJaamRFi8X/9byGAQKNYtrjnxCPtdvqUG03EMvwrUCTOM49qnuUhHUCtrIk8MQ1/xzHePkWT3OXmfCi0ABDFAnb9GH763rLlrawVaZKMzmICQ/Rts3+NUm0urSbPlUq1+IfbCsRCwz/QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA+ZOJcY1oGsj/LLa0KLhlUolA7dojhwDtZFPRInLcyBQ6G2fkEZr7jdgY0vg8X86vFCw2JLIC5UmUrXsC1YGxD0kzdMAqr06uVOxGKD/QCRKfes3AYqv/axoJpSm1uZP2066816bYIpOMjcc5yQaEzFh6Y2d5Ovd+DJ/BLVmTFuKs9p9q5JCpOQQT73c0actHdXsjZeM0iHbuWtQOu6LHJuQRbl7BCdKblLvpnoF7DrAHLq1xArcSUEuXa590aga7Ld9P/6BrTQ26QdGGfmJlRiaWh5iu22lbI169NlFd+EmgXIFWK0Qu6i7zyNkGTTA2GOOG9Z/vNIGKRxmV4l7KN\", \"sAMLProviderArn\": \"arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft\"\
+ }, \"responseElements\": {\"sAMLProviderArn\": \"arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft\"\
+ }, \"requestID\": \"83d621ad-5b33-4ff0-acf4-0043cb432844\", \"eventID\": \"51b6d859-0cc4-4591-ba76-3494f3f43832\"\
+ , \"readOnly\": false, \"eventType\": \"AwsApiCall\", \"managementEvent\": true,
+ \"eventCategory\": \"Management\", \"recipientAccountId\": \"111111111111\"}"
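Review bot: The rewritten `example_log` keeps `"sourceIPAddress": "66.176.252.11"`, which appears to be a routable public address rather than an RFC 5737 documentation range, alongside a real-looking tenant ID and `rodsoto@rodsoto.onmicrosoft.com`; sample data in a published detection corpus should use placeholder values such as `\"sourceIPAddress\": \"203.0.113.10\"` so the fixture cannot be mistaken for, or used to target, a real environment. The embedded SAML metadata is public IdP signing certificate material, not a private key, so that part is fine to keep. Separately, the switch from a single-quoted scalar to a double-quoted one with `\\\"` escapes and backslash line continuations makes this very long JSON string hard to review for correctness in future diffs; a literal block scalar (`example_log: |-`) would let the JSON appear unescaped, at the cost of re-emitting the embedded-quote sequences as plain `\"`.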
diff --git a/data_sources/aws_cloudtrail_updatetrail.yml b/data_sources/aws_cloudtrail_updatetrail.yml
index edc2d3ff2a..6020310ebe 100644
--- a/data_sources/aws_cloudtrail_updatetrail.yml
+++ b/data_sources/aws_cloudtrail_updatetrail.yml
@@ -1,99 +1,100 @@
name: AWS CloudTrail UpdateTrail
id: d5b7a1eb-711a-4c96-aa93-235fe3c8a939
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when an AWS CloudTrail trail is updated, typically involving changes to settings or configuration.
+description: Logs an event when an AWS CloudTrail trail is updated, typically involving
+ changes to settings or configuration.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: UpdateTrail
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.includeGlobalServiceEvents
-- requestParameters.isMultiRegionTrail
-- requestParameters.name
-- responseElements.includeGlobalServiceEvents
-- responseElements.isMultiRegionTrail
-- responseElements.isOrganizationTrail
-- responseElements.logFileValidationEnabled
-- responseElements.name
-- responseElements.s3BucketName
-- responseElements.trailARN
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
+ - _time
+ - app
+ - awsRegion
+ - aws_account_id
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - errorCode
+ - eventCategory
+ - eventID
+ - eventName
+ - eventSource
+ - eventTime
+ - eventType
+ - eventVersion
+ - host
+ - index
+ - linecount
+ - managementEvent
+ - msg
+ - object_category
+ - product
+ - punct
+ - readOnly
+ - recipientAccountId
+ - region
+ - requestID
+ - requestParameters.includeGlobalServiceEvents
+ - requestParameters.isMultiRegionTrail
+ - requestParameters.name
+ - responseElements.includeGlobalServiceEvents
+ - responseElements.isMultiRegionTrail
+ - responseElements.isOrganizationTrail
+ - responseElements.logFileValidationEnabled
+ - responseElements.name
+ - responseElements.s3BucketName
+ - responseElements.trailARN
+ - signature
+ - source
+ - sourceIPAddress
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - start_time
+ - timeendpos
+ - timestartpos
+ - tlsDetails.cipherSuite
+ - tlsDetails.clientProvidedHostHeader
+ - tlsDetails.tlsVersion
+ - user
+ - userAgent
+ - userIdentity.accessKeyId
+ - userIdentity.accountId
+ - userIdentity.arn
+ - userIdentity.principalId
+ - userIdentity.type
+ - userIdentity.userName
+ - userName
+ - user_access_key
+ - user_agent
+ - user_arn
+ - user_group_id
+ - user_id
+ - user_name
+ - user_type
+ - vendor
+ - vendor_account
+ - vendor_product
+ - vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
diff --git a/data_sources/aws_cloudwatchlogs_vpcflow.yml b/data_sources/aws_cloudwatchlogs_vpcflow.yml
index bec254d4fa..6cd8b1cec1 100644
--- a/data_sources/aws_cloudwatchlogs_vpcflow.yml
+++ b/data_sources/aws_cloudwatchlogs_vpcflow.yml
@@ -1,71 +1,73 @@
name: AWS CloudWatchLogs VPCflow
id: 38a34fc4-e128-4478-a8f4-7835d51d5135
-version: 1
+version: 2
author: Bhavin Patel, Splunk
-date: '2024-07-18'
-description: Logs an event when network traffic flow information such as source and destination IPs, ports, protocol, and action (allow/deny) is captured for VPC in AWS.
+date: '2025-01-23'
+description: Logs an event when network traffic flow information such as source and
+ destination IPs, ports, protocol, and action (allow/deny) is captured for VPC in
+ AWS.
mitre_components:
-- Network Traffic Flow
-- Network Connection Creation
+ - Network Traffic Flow
+ - Network Connection Creation
source: aws_cloudwatchlogs_vpcflow
sourcetype: aws:cloudwatchlogs:vpcflow
supported_TA:
-- name: Splunk Add-on for AWS
- version: 7.9.0
- url: https://splunkbase.splunk.com/app/1876
+ - name: Splunk Add-on for AWS
+ version: 7.9.0
+ url: https://splunkbase.splunk.com/app/1876
fields:
-- _raw
-- _time
-- account_id
-- action
-- app
-- aws_account_id
-- bytes
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_ip
-- dest_port
-- duration
-- dvc
-- end_time
-- eventtype
-- host
-- index
-- interface_id
-- linecount
-- log_status
-- packets
-- protocol
-- protocol_code
-- protocol_full_name
-- protocol_version
-- punct
-- region
-- source
-- sourcetype
-- splunk_server
-- splunk_server_group
-- src
-- src_ip
-- src_port
-- start_time
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- transport
-- user_id
-- vendor_account
-- vendor_product
-- version
-- vpcflow_action
+ - _raw
+ - _time
+ - account_id
+ - action
+ - app
+ - aws_account_id
+ - bytes
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_ip
+ - dest_port
+ - duration
+ - dvc
+ - end_time
+ - eventtype
+ - host
+ - index
+ - interface_id
+ - linecount
+ - log_status
+ - packets
+ - protocol
+ - protocol_code
+ - protocol_full_name
+ - protocol_version
+ - punct
+ - region
+ - source
+ - sourcetype
+ - splunk_server
+ - splunk_server_group
+ - src
+ - src_ip
+ - src_port
+ - start_time
+ - tag
+ - tag::action
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - transport
+ - user_id
+ - vendor_account
+ - vendor_product
+ - version
+ - vpcflow_action
example_log: 2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2
98 1697608042 1697608070 ACCEPT OK
diff --git a/data_sources/aws_security_hub.yml b/data_sources/aws_security_hub.yml
index 5d72ddeb75..0173357cdf 100644
--- a/data_sources/aws_security_hub.yml
+++ b/data_sources/aws_security_hub.yml
@@ -1,124 +1,125 @@
name: AWS Security Hub
id: b02bfbf3-294f-478e-99a1-e24b8c692d7e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when AWS Security Hub identifies potential security risks or deviations from configured best practices across AWS accounts.
+description: Logs an event when AWS Security Hub identifies potential security risks
+ or deviations from configured best practices across AWS accounts.
mitre_components:
-- Cloud Service Metadata
-- Cloud Service Enumeration
-- Cloud Service Modification
-- Cloud Service Disable
+ - Cloud Service Metadata
+ - Cloud Service Enumeration
+ - Cloud Service Modification
+ - Cloud Service Disable
source: aws_securityhub_finding
sourcetype: aws:securityhub:finding
supported_TA:
-- name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+ - name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
-- _time
-- AwsAccountId
-- CreatedAt
-- Description
-- FirstObservedAt
-- GeneratorId
-- Id
-- LastObservedAt
-- ProductArn
-- ProductFields.aws/guardduty/service/action/actionType
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/api
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/serviceName
-- ProductFields.aws/guardduty/service/additionalInfo/sample
-- ProductFields.aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_
-- ProductFields.aws/guardduty/service/additionalInfo/unusual/userNames.0_
-- ProductFields.aws/guardduty/service/archived
-- ProductFields.aws/guardduty/service/count
-- ProductFields.aws/guardduty/service/detectorId
-- ProductFields.aws/guardduty/service/eventFirstSeen
-- ProductFields.aws/guardduty/service/eventLastSeen
-- ProductFields.aws/guardduty/service/resourceRole
-- ProductFields.aws/guardduty/service/serviceName
-- ProductFields.aws/securityhub/CompanyName
-- ProductFields.aws/securityhub/FindingId
-- ProductFields.aws/securityhub/ProductName
-- RecordState
-- Resources{}.Details.AwsEc2Instance.IamInstanceProfileArn
-- Resources{}.Details.AwsEc2Instance.ImageId
-- Resources{}.Details.AwsEc2Instance.IpV4Addresses{}
-- Resources{}.Details.AwsEc2Instance.LaunchedAt
-- Resources{}.Details.AwsEc2Instance.SubnetId
-- Resources{}.Details.AwsEc2Instance.Type
-- Resources{}.Details.AwsEc2Instance.VpcId
-- Resources{}.Details.AwsIamAccessKey.PrincipalId
-- Resources{}.Details.AwsIamAccessKey.PrincipalName
-- Resources{}.Details.AwsIamAccessKey.PrincipalType
-- Resources{}.Details.AwsS3Bucket.CreatedAt
-- Resources{}.Details.AwsS3Bucket.OwnerId
-- Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
-- Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.SSEAlgorithm
-- Resources{}.Id
-- Resources{}.Partition
-- Resources{}.Region
-- Resources{}.Tags.GeneratedFindingInstaceTag1
-- Resources{}.Tags.GeneratedFindingInstaceTag2
-- Resources{}.Tags.GeneratedFindingInstaceTag3
-- Resources{}.Tags.GeneratedFindingInstaceTag4
-- Resources{}.Tags.GeneratedFindingInstaceTag5
-- Resources{}.Tags.GeneratedFindingInstaceTag6
-- Resources{}.Tags.GeneratedFindingInstaceTag7
-- Resources{}.Tags.GeneratedFindingInstaceTag8
-- Resources{}.Tags.GeneratedFindingInstaceTag9
-- Resources{}.Tags.foo
-- Resources{}.Type
-- SchemaVersion
-- Severity.Label
-- Severity.Normalized
-- Severity.Product
-- SourceUrl
-- Title
-- Types{}
-- UpdatedAt
-- Workflow.Status
-- WorkflowState
-- accesskey_extract
-- app
-- body
-- description
-- dest
-- dest_type
-- eventtype
-- host
-- id
-- index
-- instance_extract
-- linecount
-- punct
-- s3bucket_extract
-- severity
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- subject
-- tag
-- tag::eventtype
-- timestamp
-- type
-- vendor_account
-- vendor_region
+ - _time
+ - AwsAccountId
+ - CreatedAt
+ - Description
+ - FirstObservedAt
+ - GeneratorId
+ - Id
+ - LastObservedAt
+ - ProductArn
+ - ProductFields.aws/guardduty/service/action/actionType
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/api
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org
+ - ProductFields.aws/guardduty/service/action/awsApiCallAction/serviceName
+ - ProductFields.aws/guardduty/service/additionalInfo/sample
+ - ProductFields.aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_
+ - ProductFields.aws/guardduty/service/additionalInfo/unusual/userNames.0_
+ - ProductFields.aws/guardduty/service/archived
+ - ProductFields.aws/guardduty/service/count
+ - ProductFields.aws/guardduty/service/detectorId
+ - ProductFields.aws/guardduty/service/eventFirstSeen
+ - ProductFields.aws/guardduty/service/eventLastSeen
+ - ProductFields.aws/guardduty/service/resourceRole
+ - ProductFields.aws/guardduty/service/serviceName
+ - ProductFields.aws/securityhub/CompanyName
+ - ProductFields.aws/securityhub/FindingId
+ - ProductFields.aws/securityhub/ProductName
+ - RecordState
+ - Resources{}.Details.AwsEc2Instance.IamInstanceProfileArn
+ - Resources{}.Details.AwsEc2Instance.ImageId
+ - Resources{}.Details.AwsEc2Instance.IpV4Addresses{}
+ - Resources{}.Details.AwsEc2Instance.LaunchedAt
+ - Resources{}.Details.AwsEc2Instance.SubnetId
+ - Resources{}.Details.AwsEc2Instance.Type
+ - Resources{}.Details.AwsEc2Instance.VpcId
+ - Resources{}.Details.AwsIamAccessKey.PrincipalId
+ - Resources{}.Details.AwsIamAccessKey.PrincipalName
+ - Resources{}.Details.AwsIamAccessKey.PrincipalType
+ - Resources{}.Details.AwsS3Bucket.CreatedAt
+ - Resources{}.Details.AwsS3Bucket.OwnerId
+ - Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
+ - Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.SSEAlgorithm
+ - Resources{}.Id
+ - Resources{}.Partition
+ - Resources{}.Region
+ - Resources{}.Tags.GeneratedFindingInstaceTag1
+ - Resources{}.Tags.GeneratedFindingInstaceTag2
+ - Resources{}.Tags.GeneratedFindingInstaceTag3
+ - Resources{}.Tags.GeneratedFindingInstaceTag4
+ - Resources{}.Tags.GeneratedFindingInstaceTag5
+ - Resources{}.Tags.GeneratedFindingInstaceTag6
+ - Resources{}.Tags.GeneratedFindingInstaceTag7
+ - Resources{}.Tags.GeneratedFindingInstaceTag8
+ - Resources{}.Tags.GeneratedFindingInstaceTag9
+ - Resources{}.Tags.foo
+ - Resources{}.Type
+ - SchemaVersion
+ - Severity.Label
+ - Severity.Normalized
+ - Severity.Product
+ - SourceUrl
+ - Title
+ - Types{}
+ - UpdatedAt
+ - Workflow.Status
+ - WorkflowState
+ - accesskey_extract
+ - app
+ - body
+ - description
+ - dest
+ - dest_type
+ - eventtype
+ - host
+ - id
+ - index
+ - instance_extract
+ - linecount
+ - punct
+ - s3bucket_extract
+ - severity
+ - severity_id
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - subject
+ - tag
+ - tag::eventtype
+ - timestamp
+ - type
+ - vendor_account
+ - vendor_region
example_log: '{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/guardduty","Types":["Software
and Configuration Checks/Exfiltration:S3.ObjectRead.Unusual"],"SourceUrl":"https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=6aba6b696aea10606e8b336f68d98819","Description":"Principal
GeneratedFindingUserName read objects from S3 bucket GeneratedFindingS3Bucket in
diff --git a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
index 2afbd8e4ba..b0f85d0cb5 100644
--- a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
+++ b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
@@ -1,97 +1,99 @@
name: Azure Active Directory Add app role assignment to service principal
id: 8b2e84cd-6db0-47e9-badc-75c17df1995f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the addition of an application role assignment to a service principal in Azure Active Directory, including details about the role, service principal, and the user or process performing the action.
+description: Logs the addition of an application role assignment to a service principal
+ in Azure Active Directory, including details about the role, service principal,
+ and the user or process performing the action.
mitre_components:
-- User Account Modification
-- Group Modification
-- Cloud Service Modification
-- Cloud Service Metadata
+ - User Account Modification
+ - Group Modification
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Add app role assignment to service principal
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- additional_details
-- additional_details_name
-- additional_details_value
-- category
-- command
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_type
-- durationMs
-- dvc
-- eventtype
-- host
-- id
-- identity
-- index
-- linecount
-- object_attrs
-- object_id
-- operationName
-- operationVersion
-- path_from_resourceId
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.app.appId
-- properties.initiatedBy.app.displayName
-- properties.initiatedBy.app.servicePrincipalId
-- properties.initiatedBy.app.servicePrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.userAgent
-- punct
-- resourceId
-- result
-- resultSignature
-- result_id
-- signature
-- source
-- sourcetype
-- splunk_server
-- src_user_type
-- status
-- tag
-- tag::eventtype
-- tenantId
-- time
-- timeendpos
-- timestartpos
-- user_agent
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - Level
+ - additional_details
+ - additional_details_name
+ - additional_details_value
+ - category
+ - command
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_type
+ - durationMs
+ - dvc
+ - eventtype
+ - host
+ - id
+ - identity
+ - index
+ - linecount
+ - object_attrs
+ - object_id
+ - operationName
+ - operationVersion
+ - path_from_resourceId
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.additionalDetails{}.key
+ - properties.additionalDetails{}.value
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.app.appId
+ - properties.initiatedBy.app.displayName
+ - properties.initiatedBy.app.servicePrincipalId
+ - properties.initiatedBy.app.servicePrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.modifiedProperties{}.displayName
+ - properties.targetResources{}.modifiedProperties{}.newValue
+ - properties.targetResources{}.modifiedProperties{}.oldValue
+ - properties.targetResources{}.type
+ - properties.userAgent
+ - punct
+ - resourceId
+ - result
+ - resultSignature
+ - result_id
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src_user_type
+ - status
+ - tag
+ - tag::eventtype
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
+ - user_agent
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"time": "2024-02-08T21:49:53.7643129Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam",
"operationName": "Add app role assignment to service principal", "operationVersion":
"1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
diff --git a/data_sources/azure_active_directory_add_member_to_role.yml b/data_sources/azure_active_directory_add_member_to_role.yml
index c2dfa64ecb..8a977d8625 100644
--- a/data_sources/azure_active_directory_add_member_to_role.yml
+++ b/data_sources/azure_active_directory_add_member_to_role.yml
@@ -1,73 +1,75 @@
name: Azure Active Directory Add member to role
id: 1660d196-127f-4678-81b2-472d51711b07
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the addition of a member to a directory role in Azure Active Directory, including details about the role, the member added, and the user or process performing the action.
+description: Logs the addition of a member to a directory role in Azure Active Directory,
+ including details about the role, the member added, and the user or process performing
+ the action.
mitre_components:
-- Group Modification
-- Group Metadata
-- User Account Metadata
-- Cloud Service Modification
+ - Group Modification
+ - Group Metadata
+ - User Account Metadata
+ - Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Add member to role
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - callerIpAddress
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.modifiedProperties{}.displayName
+ - properties.targetResources{}.modifiedProperties{}.newValue
+ - properties.targetResources{}.modifiedProperties{}.oldValue
+ - properties.targetResources{}.type
+ - properties.targetResources{}.userPrincipalName
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-04-28T16:39:51.9312625Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Add member to role", "operationVersion": "1.0", "category": "AuditLogs",
"tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs":
diff --git a/data_sources/azure_active_directory_add_owner_to_application.yml b/data_sources/azure_active_directory_add_owner_to_application.yml
index f174ee00b6..70948b2b1f 100644
--- a/data_sources/azure_active_directory_add_owner_to_application.yml
+++ b/data_sources/azure_active_directory_add_owner_to_application.yml
@@ -1,78 +1,80 @@
name: Azure Active Directory Add owner to application
id: e895ed56-7be4-4b3a-b782-ecd0f594ec4c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the addition of an owner to an application in Azure Active Directory, including details about the application, the owner added, and the user or process performing the action.
+description: Logs the addition of an owner to an application in Azure Active Directory,
+ including details about the application, the owner added, and the user or process
+ performing the action.
mitre_components:
-- User Account Modification
-- Group Modification
-- Cloud Service Modification
-- Cloud Service Metadata
+ - User Account Modification
+ - Group Modification
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Add owner to application
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- eventtype
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - callerIpAddress
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - eventtype
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.additionalDetails{}.key
+ - properties.additionalDetails{}.value
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.modifiedProperties{}.displayName
+ - properties.targetResources{}.modifiedProperties{}.newValue
+ - properties.targetResources{}.modifiedProperties{}.oldValue
+ - properties.targetResources{}.type
+ - properties.targetResources{}.userPrincipalName
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::eventtype
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-06-20T15:54:13.2420879Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Add owner to application", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
diff --git a/data_sources/azure_active_directory_add_service_principal.yml b/data_sources/azure_active_directory_add_service_principal.yml
index d100855262..46f3c3d7d9 100644
--- a/data_sources/azure_active_directory_add_service_principal.yml
+++ b/data_sources/azure_active_directory_add_service_principal.yml
@@ -1,73 +1,75 @@
name: Azure Active Directory Add service principal
id: fd89d337-e4c0-4162-ad13-bca36f096fe6
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the creation of a new service principal in Azure Active Directory, including details about the service principal, associated application, and the user or process performing the action.
+description: Logs the creation of a new service principal in Azure Active Directory,
+ including details about the service principal, associated application, and the user
+ or process performing the action.
mitre_components:
-- Cloud Service Creation
-- Cloud Service Metadata
-- User Account Metadata
-- Active Directory Object Creation
+ - Cloud Service Creation
+ - Cloud Service Metadata
+ - User Account Metadata
+ - Active Directory Object Creation
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Add service principal
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.additionalDetails{}.key
+ - properties.additionalDetails{}.value
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.modifiedProperties{}.displayName
+ - properties.targetResources{}.modifiedProperties{}.newValue
+ - properties.targetResources{}.modifiedProperties{}.oldValue
+ - properties.targetResources{}.type
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2024-02-07T22:31:14.4970418Z", "resourceId": "/tenants/a417c578-c7ee-480d-a225-d48057e74df5/providers/Microsoft.aadiam",
"operationName": "Add service principal", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "a417c578-c7ee-480d-a225-d48057e74df5", "resultSignature":
diff --git a/data_sources/azure_active_directory_add_unverified_domain.yml b/data_sources/azure_active_directory_add_unverified_domain.yml
index 1b06002e40..444d3e1a6f 100644
--- a/data_sources/azure_active_directory_add_unverified_domain.yml
+++ b/data_sources/azure_active_directory_add_unverified_domain.yml
@@ -1,73 +1,74 @@
name: Azure Active Directory Add unverified domain
id: d4c01fb1-3b88-46d3-bd12-9b9e256450f7
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the addition of an unverified domain to Azure Active Directory, including details about the domain name and the user or process performing the action.
+description: Logs the addition of an unverified domain to Azure Active Directory,
+ including details about the domain name and the user or process performing the action.
mitre_components:
-- Domain Registration
-- Cloud Service Modification
-- Cloud Service Metadata
-- Configuration Modification
+ - Domain Registration
+ - Cloud Service Modification
+ - Cloud Service Metadata
+ - Configuration Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Add unverified domain
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - callerIpAddress
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.additionalDetails{}.key
+ - properties.additionalDetails{}.value
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.modifiedProperties{}.displayName
+ - properties.targetResources{}.modifiedProperties{}.newValue
+ - properties.targetResources{}.modifiedProperties{}.oldValue
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-07-26T13:45:54.1582053Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Add unverified domain", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
diff --git a/data_sources/azure_active_directory_consent_to_application.yml b/data_sources/azure_active_directory_consent_to_application.yml
index cc0ee34156..4222ab6a7c 100644
--- a/data_sources/azure_active_directory_consent_to_application.yml
+++ b/data_sources/azure_active_directory_consent_to_application.yml
@@ -1,78 +1,80 @@
name: Azure Active Directory Consent to application
id: 4c5d6c49-53e3-4980-a4de-c63e26291ed0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs user or admin consent to an application's permissions in Azure Active Directory, including details about the application, granted permissions, and the consenting user or process.
+description: Logs user or admin consent to an application's permissions in Azure Active
+ Directory, including details about the application, granted permissions, and the
+ consenting user or process.
mitre_components:
-- User Account Modification
-- Cloud Service Modification
-- Cloud Service Metadata
-- Configuration Modification
+ - User Account Modification
+ - Cloud Service Modification
+ - Cloud Service Metadata
+ - Configuration Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Consent to application
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- eventtype
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.userAgent
-- punct
-- resourceId
-- resultDescription
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - callerIpAddress
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - eventtype
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.additionalDetails{}.key
+ - properties.additionalDetails{}.value
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.modifiedProperties{}.displayName
+ - properties.targetResources{}.modifiedProperties{}.newValue
+ - properties.targetResources{}.modifiedProperties{}.oldValue
+ - properties.targetResources{}.type
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultDescription
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::eventtype
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-10-27T16:14:14.9747033Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam",
"operationName": "Consent to application", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature":
diff --git a/data_sources/azure_active_directory_disable_strong_authentication.yml b/data_sources/azure_active_directory_disable_strong_authentication.yml
index c32bf6b639..6c329d8872 100644
--- a/data_sources/azure_active_directory_disable_strong_authentication.yml
+++ b/data_sources/azure_active_directory_disable_strong_authentication.yml
@@ -1,71 +1,72 @@
name: Azure Active Directory Disable Strong Authentication
id: 8f31966d-c496-496d-8837-f7fd11f31255
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when strong authentication methods are disabled in Azure Active Directory.
+description: Logs an event when strong authentication methods are disabled in Azure
+ Active Directory.
mitre_components:
-- User Account Authentication
-- User Account Modification
-- Cloud Service Modification
+ - User Account Authentication
+ - User Account Modification
+ - Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Disable Strong Authentication
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.modifiedProperties{}.displayName
+ - properties.targetResources{}.modifiedProperties{}.newValue
+ - properties.targetResources{}.modifiedProperties{}.oldValue
+ - properties.targetResources{}.type
+ - properties.targetResources{}.userPrincipalName
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-07-11T00:01:35.0251899Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Disable Strong Authentication", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
diff --git a/data_sources/azure_active_directory_enable_account.yml b/data_sources/azure_active_directory_enable_account.yml
index d335c79ffc..2e3380277d 100644
--- a/data_sources/azure_active_directory_enable_account.yml
+++ b/data_sources/azure_active_directory_enable_account.yml
@@ -1,72 +1,72 @@
name: Azure Active Directory Enable account
id: cb49f3cd-04ad-415c-a5ed-9b27b2829fa7
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an Azure Active Directory account is enabled.
mitre_components:
-- User Account Modification
-- User Account Authentication
-- User Account Metadata
+ - User Account Modification
+ - User Account Authentication
+ - User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Enable account
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - callerIpAddress
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.modifiedProperties{}.displayName
+ - properties.targetResources{}.modifiedProperties{}.newValue
+ - properties.targetResources{}.modifiedProperties{}.oldValue
+ - properties.targetResources{}.type
+ - properties.targetResources{}.userPrincipalName
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-07-24T14:28:15.2223487Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Enable account", "operationVersion": "1.0", "category": "AuditLogs",
"tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs":
diff --git a/data_sources/azure_active_directory_invite_external_user.yml b/data_sources/azure_active_directory_invite_external_user.yml
index d7cb59bbba..08726897f3 100644
--- a/data_sources/azure_active_directory_invite_external_user.yml
+++ b/data_sources/azure_active_directory_invite_external_user.yml
@@ -1,71 +1,72 @@
name: Azure Active Directory Invite external user
id: d3818bd5-f283-4518-8b67-df19240c3e40
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when an external user is invited to join an Azure Active Directory tenant.
+description: Logs an event when an external user is invited to join an Azure Active
+ Directory tenant.
mitre_components:
-- Active Directory Object Creation
-- User Account Creation
-- User Account Authentication
+ - Active Directory Object Creation
+ - User Account Creation
+ - User Account Authentication
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Invite external user
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - callerIpAddress
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.additionalDetails{}.key
+ - properties.additionalDetails{}.value
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.type
+ - properties.targetResources{}.userPrincipalName
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-07-13T00:29:59.5100003Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Invite external user", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
diff --git a/data_sources/azure_active_directory_reset_password_(by_admin).yml b/data_sources/azure_active_directory_reset_password_(by_admin).yml
index 9c4db01f1f..54208cb250 100644
--- a/data_sources/azure_active_directory_reset_password_(by_admin).yml
+++ b/data_sources/azure_active_directory_reset_password_(by_admin).yml
@@ -1,72 +1,73 @@
name: Azure Active Directory Reset password (by admin)
id: dcd0e4dc-68f8-4b77-a66f-89c57b3afa6b
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when an admin resets a user's password in Azure Active Directory.
+description: Logs an event when an admin resets a user's password in Azure Active
+ Directory.
mitre_components:
-- User Account Authentication
-- User Account Modification
-- Active Directory Object Modification
+ - User Account Authentication
+ - User Account Modification
+ - Active Directory Object Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Reset password (by admin)
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultDescription
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - callerIpAddress
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.additionalDetails{}.key
+ - properties.additionalDetails{}.value
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.type
+ - properties.targetResources{}.userPrincipalName
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultDescription
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-07-24T14:28:55.0648789Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Reset password (by admin)", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
diff --git a/data_sources/azure_active_directory_set_domain_authentication.yml b/data_sources/azure_active_directory_set_domain_authentication.yml
index c20d10043c..c29183d14e 100644
--- a/data_sources/azure_active_directory_set_domain_authentication.yml
+++ b/data_sources/azure_active_directory_set_domain_authentication.yml
@@ -1,72 +1,73 @@
name: Azure Active Directory Set domain authentication
id: e7bcdab9-908c-40ab-ba38-5db54fa87750
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when the authentication method for a domain in Azure Active Directory is set or modified.
+description: Logs an event when the authentication method for a domain in Azure Active
+ Directory is set or modified.
mitre_components:
-- Active Directory Object Modification
-- User Account Authentication
-- Cloud Service Modification
+ - Active Directory Object Modification
+ - User Account Authentication
+ - Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Set domain authentication
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - callerIpAddress
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.additionalDetails{}.key
+ - properties.additionalDetails{}.value
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.modifiedProperties{}.displayName
+ - properties.targetResources{}.modifiedProperties{}.newValue
+ - properties.targetResources{}.modifiedProperties{}.oldValue
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-07-26T13:44:59.0372448Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Set domain authentication", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
diff --git a/data_sources/azure_active_directory_sign_in_activity.yml b/data_sources/azure_active_directory_sign_in_activity.yml
index 3fca810c95..d5ed7fa94d 100644
--- a/data_sources/azure_active_directory_sign_in_activity.yml
+++ b/data_sources/azure_active_directory_sign_in_activity.yml
@@ -1,122 +1,123 @@
name: Azure Active Directory Sign-in activity
id: f9ed0a3a-9e20-4198-a035-d0a29593fbe0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a user attempts to sign into Azure Active Directory, capturing authentication details and outcomes.
+description: Logs an event when a user attempts to sign into Azure Active Directory,
+ capturing authentication details and outcomes.
mitre_components:
-- User Account Authentication
-- Logon Session Creation
-- User Account Metadata
+ - User Account Authentication
+ - Logon Session Creation
+ - User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Sign-in activity
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- identity
-- index
-- linecount
-- location
-- operationName
-- operationVersion
-- properties.alternateSignInName
-- properties.appDisplayName
-- properties.appId
-- properties.appServicePrincipalId
-- properties.authenticationDetails{}.RequestSequence
-- properties.authenticationDetails{}.StatusSequence
-- properties.authenticationDetails{}.authenticationMethod
-- properties.authenticationDetails{}.authenticationMethodDetail
-- properties.authenticationDetails{}.authenticationStepDateTime
-- properties.authenticationDetails{}.authenticationStepRequirement
-- properties.authenticationDetails{}.authenticationStepResultDetail
-- properties.authenticationDetails{}.succeeded
-- properties.authenticationProcessingDetails{}.key
-- properties.authenticationProcessingDetails{}.value
-- properties.authenticationProtocol
-- properties.authenticationRequirement
-- properties.authenticationRequirementPolicies{}.detail
-- properties.authenticationRequirementPolicies{}.requirementProvider
-- properties.autonomousSystemNumber
-- properties.clientAppUsed
-- properties.clientCredentialType
-- properties.conditionalAccessStatus
-- properties.correlationId
-- properties.createdDateTime
-- properties.crossTenantAccessType
-- properties.deviceDetail.deviceId
-- properties.deviceDetail.operatingSystem
-- properties.flaggedForReview
-- properties.homeTenantId
-- properties.id
-- properties.incomingTokenType
-- properties.ipAddress
-- properties.isInteractive
-- properties.isTenantRestricted
-- properties.location.city
-- properties.location.countryOrRegion
-- properties.location.geoCoordinates.latitude
-- properties.location.geoCoordinates.longitude
-- properties.location.state
-- properties.originalRequestId
-- properties.originalTransferMethod
-- properties.processingTimeInMilliseconds
-- properties.resourceDisplayName
-- properties.resourceId
-- properties.resourceServicePrincipalId
-- properties.resourceTenantId
-- properties.riskDetail
-- properties.riskLevelAggregated
-- properties.riskLevelDuringSignIn
-- properties.riskState
-- properties.rngcStatus
-- properties.servicePrincipalId
-- properties.signInIdentifier
-- properties.signInTokenProtectionStatus
-- properties.ssoExtensionVersion
-- properties.status.additionalDetails
-- properties.status.errorCode
-- properties.status.failureReason
-- properties.tenantId
-- properties.tokenIssuerName
-- properties.tokenIssuerType
-- properties.uniqueTokenIdentifier
-- properties.userAgent
-- properties.userDisplayName
-- properties.userId
-- properties.userPrincipalName
-- properties.userType
-- punct
-- resourceId
-- resultDescription
-- resultSignature
-- resultType
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - callerIpAddress
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - identity
+ - index
+ - linecount
+ - location
+ - operationName
+ - operationVersion
+ - properties.alternateSignInName
+ - properties.appDisplayName
+ - properties.appId
+ - properties.appServicePrincipalId
+ - properties.authenticationDetails{}.RequestSequence
+ - properties.authenticationDetails{}.StatusSequence
+ - properties.authenticationDetails{}.authenticationMethod
+ - properties.authenticationDetails{}.authenticationMethodDetail
+ - properties.authenticationDetails{}.authenticationStepDateTime
+ - properties.authenticationDetails{}.authenticationStepRequirement
+ - properties.authenticationDetails{}.authenticationStepResultDetail
+ - properties.authenticationDetails{}.succeeded
+ - properties.authenticationProcessingDetails{}.key
+ - properties.authenticationProcessingDetails{}.value
+ - properties.authenticationProtocol
+ - properties.authenticationRequirement
+ - properties.authenticationRequirementPolicies{}.detail
+ - properties.authenticationRequirementPolicies{}.requirementProvider
+ - properties.autonomousSystemNumber
+ - properties.clientAppUsed
+ - properties.clientCredentialType
+ - properties.conditionalAccessStatus
+ - properties.correlationId
+ - properties.createdDateTime
+ - properties.crossTenantAccessType
+ - properties.deviceDetail.deviceId
+ - properties.deviceDetail.operatingSystem
+ - properties.flaggedForReview
+ - properties.homeTenantId
+ - properties.id
+ - properties.incomingTokenType
+ - properties.ipAddress
+ - properties.isInteractive
+ - properties.isTenantRestricted
+ - properties.location.city
+ - properties.location.countryOrRegion
+ - properties.location.geoCoordinates.latitude
+ - properties.location.geoCoordinates.longitude
+ - properties.location.state
+ - properties.originalRequestId
+ - properties.originalTransferMethod
+ - properties.processingTimeInMilliseconds
+ - properties.resourceDisplayName
+ - properties.resourceId
+ - properties.resourceServicePrincipalId
+ - properties.resourceTenantId
+ - properties.riskDetail
+ - properties.riskLevelAggregated
+ - properties.riskLevelDuringSignIn
+ - properties.riskState
+ - properties.rngcStatus
+ - properties.servicePrincipalId
+ - properties.signInIdentifier
+ - properties.signInTokenProtectionStatus
+ - properties.ssoExtensionVersion
+ - properties.status.additionalDetails
+ - properties.status.errorCode
+ - properties.status.failureReason
+ - properties.tenantId
+ - properties.tokenIssuerName
+ - properties.tokenIssuerType
+ - properties.uniqueTokenIdentifier
+ - properties.userAgent
+ - properties.userDisplayName
+ - properties.userId
+ - properties.userPrincipalName
+ - properties.userType
+ - punct
+ - resourceId
+ - resultDescription
+ - resultSignature
+ - resultType
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-10-24T20:13:31.4449614Z", "resourceId": "/tenants/887c9144-28b8-431b-885b-764fdeefcf62/providers/Microsoft.aadiam",
"operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs",
"tenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "resultType": "50076", "resultSignature":
diff --git a/data_sources/azure_active_directory_update_application.yml b/data_sources/azure_active_directory_update_application.yml
index cc9da95340..fe57e659f8 100644
--- a/data_sources/azure_active_directory_update_application.yml
+++ b/data_sources/azure_active_directory_update_application.yml
@@ -1,72 +1,73 @@
name: Azure Active Directory Update application
id: 2c08188a-ba25-496e-87c7-803cf28b6c90
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when an application in Azure Active Directory is updated, such as changes to its settings or permissions.
+description: Logs an event when an application in Azure Active Directory is updated,
+ such as changes to its settings or permissions.
mitre_components:
-- Service Modification
-- User Account Modification
-- Cloud Service Modification
+ - Service Modification
+ - User Account Modification
+ - Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Update application
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.additionalDetails{}.key
+ - properties.additionalDetails{}.value
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.modifiedProperties{}.displayName
+ - properties.targetResources{}.modifiedProperties{}.newValue
+ - properties.targetResources{}.modifiedProperties{}.oldValue
+ - properties.targetResources{}.type
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2024-01-29T21:31:03.0102031Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam",
"operationName": "Update application", "operationVersion": "1.0", "category": "AuditLogs",
"tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs":
diff --git a/data_sources/azure_active_directory_update_authorization_policy.yml b/data_sources/azure_active_directory_update_authorization_policy.yml
index 37b2c7c4be..34e141f92e 100644
--- a/data_sources/azure_active_directory_update_authorization_policy.yml
+++ b/data_sources/azure_active_directory_update_authorization_policy.yml
@@ -1,73 +1,74 @@
name: Azure Active Directory Update authorization policy
id: c5b7ffcd-73d8-4fe5-afd8-b1218d715c0c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when an authorization policy is updated in Azure Active Directory.
+description: Logs an event when an authorization policy is updated in Azure Active
+ Directory.
mitre_components:
-- User Account Modification
-- Group Modification
-- Active Directory Object Modification
+ - User Account Modification
+ - Group Modification
+ - Active Directory Object Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Update authorization policy
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - callerIpAddress
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.additionalDetails{}.key
+ - properties.additionalDetails{}.value
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.modifiedProperties{}.displayName
+ - properties.targetResources{}.modifiedProperties{}.newValue
+ - properties.targetResources{}.modifiedProperties{}.oldValue
+ - properties.targetResources{}.type
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-10-26T19:22:20.2814027Z", "resourceId": "/tenants/5f210575-a69b-41a7-b623-3f6d79ccd432/providers/Microsoft.aadiam",
"operationName": "Update authorization policy", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "5f210575-a69b-41a7-b623-3f6d79ccd432", "resultSignature":
diff --git a/data_sources/azure_active_directory_update_user.yml b/data_sources/azure_active_directory_update_user.yml
index a37a792233..3bc111e209 100644
--- a/data_sources/azure_active_directory_update_user.yml
+++ b/data_sources/azure_active_directory_update_user.yml
@@ -1,73 +1,73 @@
name: Azure Active Directory Update user
id: 5495c90a-047c-4b8e-b2fe-1db6282d3872
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a user account is updated in Azure Active Directory.
mitre_components:
-- User Account Modification
-- User Account Metadata
+ - User Account Modification
+ - User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Update user
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - callerIpAddress
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.additionalDetails{}.key
+ - properties.additionalDetails{}.value
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.modifiedProperties{}.displayName
+ - properties.targetResources{}.modifiedProperties{}.newValue
+ - properties.targetResources{}.modifiedProperties{}.oldValue
+ - properties.targetResources{}.type
+ - properties.targetResources{}.userPrincipalName
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-07-24T14:28:15.2233481Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Update user", "operationVersion": "1.0", "category": "AuditLogs",
"tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs":
diff --git a/data_sources/azure_active_directory_user_registered_security_info.yml b/data_sources/azure_active_directory_user_registered_security_info.yml
index ae651e960d..db1c5af928 100644
--- a/data_sources/azure_active_directory_user_registered_security_info.yml
+++ b/data_sources/azure_active_directory_user_registered_security_info.yml
@@ -1,69 +1,70 @@
name: Azure Active Directory User registered security info
id: b63240de-8a01-4ba8-8987-89d18d4b375d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a user registers or updates their security information in Azure Active Directory.
+description: Logs an event when a user registers or updates their security information
+ in Azure Active Directory.
mitre_components:
-- User Account Modification
-- User Account Metadata
+ - User Account Modification
+ - User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: User registered security info
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultDescription
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
+ - _time
+ - Level
+ - callerIpAddress
+ - category
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - durationMs
+ - host
+ - index
+ - linecount
+ - operationName
+ - operationVersion
+ - properties.activityDateTime
+ - properties.activityDisplayName
+ - properties.category
+ - properties.correlationId
+ - properties.id
+ - properties.initiatedBy.user.displayName
+ - properties.initiatedBy.user.id
+ - properties.initiatedBy.user.ipAddress
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.loggedByService
+ - properties.operationType
+ - properties.result
+ - properties.resultReason
+ - properties.targetResources{}.displayName
+ - properties.targetResources{}.id
+ - properties.targetResources{}.type
+ - properties.targetResources{}.userPrincipalName
+ - properties.userAgent
+ - punct
+ - resourceId
+ - resultDescription
+ - resultSignature
+ - source
+ - sourcetype
+ - splunk_server
+ - tenantId
+ - time
+ - timeendpos
+ - timestartpos
example_log: '{"time": "2023-01-30T21:11:30.8690619Z", "resourceId": "/tenants/91da745f-8abb-4a7d-ba94-5667c6f9e01a/providers/Microsoft.aadiam",
"operationName": "User registered security info", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "91da745f-8abb-4a7d-ba94-5667c6f9e01a", "resultSignature":
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
index 290688b816..d16b39fe67 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
@@ -1,110 +1,110 @@
name: Azure Audit Create or Update an Azure Automation account
id: 2ab182e7-feda-4249-9418-32710b55a885
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an Azure Automation account is created or updated.
mitre_components:
-- Cloud Service Creation
-- Cloud Service Modification
-- Cloud Service Metadata
+ - Cloud Service Creation
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: mscs:azure:audit
sourcetype: mscs:azure:audit
separator: operationName.localizedValue
separator_value: Create or Update an Azure Automation account
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- authorization.action
-- authorization.scope
-- caller
-- channels
-- claims.aio
-- claims.altsecid
-- claims.appid
-- claims.appidacr
-- claims.aud
-- claims.exp
-- claims.groups
-- claims.http://schemas.microsoft.com/claims/authnclassreference
-- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
-- claims.http://schemas.microsoft.com/identity/claims/identityprovider
-- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
-- claims.http://schemas.microsoft.com/identity/claims/scope
-- claims.http://schemas.microsoft.com/identity/claims/tenantid
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
-- claims.iat
-- claims.ipaddr
-- claims.iss
-- claims.name
-- claims.nbf
-- claims.puid
-- claims.rh
-- claims.uti
-- claims.ver
-- claims.wids
-- claims.xms_tcdt
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- eventDataId
-- eventName.localizedValue
-- eventName.value
-- eventSource.localizedValue
-- eventSource.value
-- eventTimestamp
-- host
-- id
-- index
-- level
-- linecount
-- object
-- object_id
-- object_path
-- operationId
-- operationName.localizedValue
-- operationName.value
-- product
-- properties.entity
-- properties.eventCategory
-- properties.hierarchy
-- properties.message
-- punct
-- resourceGroupName
-- resourceProviderName.localizedValue
-- resourceProviderName.value
-- resourceUri
-- source
-- sourcetype
-- splunk_server
-- status
-- status.localizedValue
-- status.value
-- subStatus.value
-- submissionTimestamp
-- subscriptionId
-- timeendpos
-- timestartpos
-- user
-- user_name
-- vendor
-- vendor_product
-- vendor_res_code
+ - _time
+ - authorization.action
+ - authorization.scope
+ - caller
+ - channels
+ - claims.aio
+ - claims.altsecid
+ - claims.appid
+ - claims.appidacr
+ - claims.aud
+ - claims.exp
+ - claims.groups
+ - claims.http://schemas.microsoft.com/claims/authnclassreference
+ - claims.http://schemas.microsoft.com/claims/authnmethodsreferences
+ - claims.http://schemas.microsoft.com/identity/claims/identityprovider
+ - claims.http://schemas.microsoft.com/identity/claims/objectidentifier
+ - claims.http://schemas.microsoft.com/identity/claims/scope
+ - claims.http://schemas.microsoft.com/identity/claims/tenantid
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
+ - claims.iat
+ - claims.ipaddr
+ - claims.iss
+ - claims.name
+ - claims.nbf
+ - claims.puid
+ - claims.rh
+ - claims.uti
+ - claims.ver
+ - claims.wids
+ - claims.xms_tcdt
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - eventDataId
+ - eventName.localizedValue
+ - eventName.value
+ - eventSource.localizedValue
+ - eventSource.value
+ - eventTimestamp
+ - host
+ - id
+ - index
+ - level
+ - linecount
+ - object
+ - object_id
+ - object_path
+ - operationId
+ - operationName.localizedValue
+ - operationName.value
+ - product
+ - properties.entity
+ - properties.eventCategory
+ - properties.hierarchy
+ - properties.message
+ - punct
+ - resourceGroupName
+ - resourceProviderName.localizedValue
+ - resourceProviderName.value
+ - resourceUri
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - status.localizedValue
+ - status.value
+ - subStatus.value
+ - submissionTimestamp
+ - subscriptionId
+ - timeendpos
+ - timestartpos
+ - user
+ - user_name
+ - vendor
+ - vendor_product
+ - vendor_res_code
example_log: '{"authorization": {"action": "Microsoft.Automation/automationAccounts/write",
"scope": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount"},
"caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/",
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
index e7ee46661a..8522e7ab79 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
@@ -1,109 +1,110 @@
name: Azure Audit Create or Update an Azure Automation Runbook
id: 2bd83221-7a8b-436f-9b2b-efa1d44d009e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a new Azure Automation Runbook is created or an existing one is updated.
+description: Logs an event when a new Azure Automation Runbook is created or an existing
+ one is updated.
mitre_components:
-- Scheduled Job Modification
-- Scheduled Job Creation
+ - Scheduled Job Modification
+ - Scheduled Job Creation
source: mscs:azure:audit
sourcetype: mscs:azure:audit
separator: operationName.localizedValue
separator_value: Create or Update an Azure Automation Runbook
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- authorization.action
-- authorization.scope
-- caller
-- channels
-- claims.aio
-- claims.altsecid
-- claims.appid
-- claims.appidacr
-- claims.aud
-- claims.exp
-- claims.groups
-- claims.http://schemas.microsoft.com/claims/authnclassreference
-- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
-- claims.http://schemas.microsoft.com/identity/claims/identityprovider
-- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
-- claims.http://schemas.microsoft.com/identity/claims/scope
-- claims.http://schemas.microsoft.com/identity/claims/tenantid
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
-- claims.iat
-- claims.ipaddr
-- claims.iss
-- claims.name
-- claims.nbf
-- claims.puid
-- claims.rh
-- claims.uti
-- claims.ver
-- claims.wids
-- claims.xms_tcdt
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- eventDataId
-- eventName.localizedValue
-- eventName.value
-- eventSource.localizedValue
-- eventSource.value
-- eventTimestamp
-- host
-- id
-- index
-- level
-- linecount
-- object
-- object_id
-- object_path
-- operationId
-- operationName.localizedValue
-- operationName.value
-- product
-- properties.entity
-- properties.eventCategory
-- properties.hierarchy
-- properties.message
-- punct
-- resourceGroupName
-- resourceProviderName.localizedValue
-- resourceProviderName.value
-- resourceUri
-- source
-- sourcetype
-- splunk_server
-- status
-- status.localizedValue
-- status.value
-- subStatus.value
-- submissionTimestamp
-- subscriptionId
-- timeendpos
-- timestartpos
-- user
-- user_name
-- vendor
-- vendor_product
-- vendor_res_code
+ - _time
+ - authorization.action
+ - authorization.scope
+ - caller
+ - channels
+ - claims.aio
+ - claims.altsecid
+ - claims.appid
+ - claims.appidacr
+ - claims.aud
+ - claims.exp
+ - claims.groups
+ - claims.http://schemas.microsoft.com/claims/authnclassreference
+ - claims.http://schemas.microsoft.com/claims/authnmethodsreferences
+ - claims.http://schemas.microsoft.com/identity/claims/identityprovider
+ - claims.http://schemas.microsoft.com/identity/claims/objectidentifier
+ - claims.http://schemas.microsoft.com/identity/claims/scope
+ - claims.http://schemas.microsoft.com/identity/claims/tenantid
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
+ - claims.iat
+ - claims.ipaddr
+ - claims.iss
+ - claims.name
+ - claims.nbf
+ - claims.puid
+ - claims.rh
+ - claims.uti
+ - claims.ver
+ - claims.wids
+ - claims.xms_tcdt
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - eventDataId
+ - eventName.localizedValue
+ - eventName.value
+ - eventSource.localizedValue
+ - eventSource.value
+ - eventTimestamp
+ - host
+ - id
+ - index
+ - level
+ - linecount
+ - object
+ - object_id
+ - object_path
+ - operationId
+ - operationName.localizedValue
+ - operationName.value
+ - product
+ - properties.entity
+ - properties.eventCategory
+ - properties.hierarchy
+ - properties.message
+ - punct
+ - resourceGroupName
+ - resourceProviderName.localizedValue
+ - resourceProviderName.value
+ - resourceUri
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - status.localizedValue
+ - status.value
+ - subStatus.value
+ - submissionTimestamp
+ - subscriptionId
+ - timeendpos
+ - timestartpos
+ - user
+ - user_name
+ - vendor
+ - vendor_product
+ - vendor_res_code
example_log: '{"authorization": {"action": "Microsoft.Automation/automationAccounts/runbooks/write",
"scope": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook"},
"caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/",
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
index 584e44aaff..eb21ed90a8 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
@@ -1,119 +1,119 @@
name: Azure Audit Create or Update an Azure Automation webhook
id: 575faeb2-09d0-4849-b1f6-eae241f26ff2
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a webhook is created or updated in Azure Automation.
mitre_components:
-- Scheduled Job Modification
-- Cloud Service Modification
-- Scheduled Job Metadata
+ - Scheduled Job Modification
+ - Cloud Service Modification
+ - Scheduled Job Metadata
source: mscs:azure:audit
sourcetype: mscs:azure:audit
separator: operationName.localizedValue
separator_value: Create or Update an Azure Automation webhook
supported_TA:
-- name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+ - name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
-- _time
-- authorization.action
-- authorization.scope
-- caller
-- channels
-- claims.aio
-- claims.altsecid
-- claims.appid
-- claims.appidacr
-- claims.aud
-- claims.exp
-- claims.groups
-- claims.http://schemas.microsoft.com/claims/authnclassreference
-- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
-- claims.http://schemas.microsoft.com/identity/claims/identityprovider
-- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
-- claims.http://schemas.microsoft.com/identity/claims/scope
-- claims.http://schemas.microsoft.com/identity/claims/tenantid
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
-- claims.iat
-- claims.ipaddr
-- claims.iss
-- claims.name
-- claims.nbf
-- claims.puid
-- claims.rh
-- claims.uti
-- claims.ver
-- claims.wids
-- claims.xms_tcdt
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- eventDataId
-- eventName.localizedValue
-- eventName.value
-- eventSource.localizedValue
-- eventSource.value
-- eventTimestamp
-- host
-- httpRequest.clientIpAddress
-- httpRequest.clientRequestId
-- httpRequest.method
-- id
-- index
-- level
-- linecount
-- object
-- object_id
-- object_path
-- operationId
-- operationName.localizedValue
-- operationName.value
-- product
-- properties.entity
-- properties.eventCategory
-- properties.hierarchy
-- properties.message
-- properties.serviceRequestId
-- properties.statusCode
-- punct
-- resourceGroupName
-- resourceProviderName.localizedValue
-- resourceProviderName.value
-- resourceUri
-- result
-- result_id
-- source
-- sourcetype
-- splunk_server
-- src
-- status
-- status.localizedValue
-- status.value
-- subStatus.localizedValue
-- subStatus.value
-- submissionTimestamp
-- subscriptionId
-- timeendpos
-- timestartpos
-- user
-- user_name
-- vendor
-- vendor_product
-- vendor_res_code
+ - _time
+ - authorization.action
+ - authorization.scope
+ - caller
+ - channels
+ - claims.aio
+ - claims.altsecid
+ - claims.appid
+ - claims.appidacr
+ - claims.aud
+ - claims.exp
+ - claims.groups
+ - claims.http://schemas.microsoft.com/claims/authnclassreference
+ - claims.http://schemas.microsoft.com/claims/authnmethodsreferences
+ - claims.http://schemas.microsoft.com/identity/claims/identityprovider
+ - claims.http://schemas.microsoft.com/identity/claims/objectidentifier
+ - claims.http://schemas.microsoft.com/identity/claims/scope
+ - claims.http://schemas.microsoft.com/identity/claims/tenantid
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
+ - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
+ - claims.iat
+ - claims.ipaddr
+ - claims.iss
+ - claims.name
+ - claims.nbf
+ - claims.puid
+ - claims.rh
+ - claims.uti
+ - claims.ver
+ - claims.wids
+ - claims.xms_tcdt
+ - correlationId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - eventDataId
+ - eventName.localizedValue
+ - eventName.value
+ - eventSource.localizedValue
+ - eventSource.value
+ - eventTimestamp
+ - host
+ - httpRequest.clientIpAddress
+ - httpRequest.clientRequestId
+ - httpRequest.method
+ - id
+ - index
+ - level
+ - linecount
+ - object
+ - object_id
+ - object_path
+ - operationId
+ - operationName.localizedValue
+ - operationName.value
+ - product
+ - properties.entity
+ - properties.eventCategory
+ - properties.hierarchy
+ - properties.message
+ - properties.serviceRequestId
+ - properties.statusCode
+ - punct
+ - resourceGroupName
+ - resourceProviderName.localizedValue
+ - resourceProviderName.value
+ - resourceUri
+ - result
+ - result_id
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - status
+ - status.localizedValue
+ - status.value
+ - subStatus.localizedValue
+ - subStatus.value
+ - submissionTimestamp
+ - subscriptionId
+ - timeendpos
+ - timestartpos
+ - user
+ - user_name
+ - vendor
+ - vendor_product
+ - vendor_res_code
example_log: '{"authorization": {"action": "Microsoft.Automation/automationAccounts/webhooks/write",
"scope": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook"},
"caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/",
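Review bot: The `scope` value in `example_log` is missing the `/` between `resourceGroup1` and `providers` (`.../resourceGroups/resourceGroup1providers/Microsoft.Automation/...`), so the sample is not a well-formed ARM resource ID. Matching for this data source keys on `operationName.localizedValue`, so detections still fire, but anyone who uses the sample to validate `authorization.scope` parsing or resource-group extraction gets a malformed path. Suggest `"scope": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook"`. The `example_log` scalar continues past the end of the hunk.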
diff --git a/data_sources/bro_conn.yml b/data_sources/bro_conn.yml
index d4ed14b382..992da75275 100644
--- a/data_sources/bro_conn.yml
+++ b/data_sources/bro_conn.yml
@@ -1,14 +1,15 @@
name: Bro conn
id: c5a7e93b-2172-45a7-a7e9-3b217255a7f5
-version: 1
-date: '2025-20-01'
+version: 2
+date: '2025-01-23'
author: Jacob Delgado, SnapAttack
-description: Logs network connection metadata captured by Zeek (formerly Bro), including details such as source and destination IPs, ports, connection state, and protocol.
+description: Logs network connection metadata captured by Zeek (formerly Bro), including
+ details such as source and destination IPs, ports, connection state, and protocol.
mitre_components:
-- Network Connection Creation
-- Network Traffic Flow
-- Response Metadata
-- Application Log Content
+ - Network Connection Creation
+ - Network Traffic Flow
+ - Response Metadata
+ - Application Log Content
source: bro:conn:json
sourcetype: bro:conn:json
supported_TA: []
diff --git a/data_sources/bro_dns.yml b/data_sources/bro_dns.yml
index 2b7cf87568..7d878c681b 100644
--- a/data_sources/bro_dns.yml
+++ b/data_sources/bro_dns.yml
@@ -1,15 +1,16 @@
name: Bro dns
id: a4576cbf-06cc-4ed0-976c-bf06ccaed011
-version: 1
-date: '2025-20-01'
+version: 2
+date: '2025-01-23'
author: Jacob Delgado, SnapAttack
-description: Logs DNS queries and responses captured by Zeek (formerly Bro), including details such as queried domains, resolved IPs, query types, and response codes.
+description: Logs DNS queries and responses captured by Zeek (formerly Bro), including
+ details such as queried domains, resolved IPs, query types, and response codes.
mitre_components:
-- Active DNS
-- Passive DNS
-- Network Traffic Content
-- Network Traffic Flow
-- Response Metadata
+ - Active DNS
+ - Passive DNS
+ - Network Traffic Content
+ - Network Traffic Flow
+ - Response Metadata
source: bro:dns:json
sourcetype: bro:dns:json
supported_TA: []
diff --git a/data_sources/bro_files.yml b/data_sources/bro_files.yml
index b8b0f83dc8..4cb84af9fa 100644
--- a/data_sources/bro_files.yml
+++ b/data_sources/bro_files.yml
@@ -1,15 +1,17 @@
name: Bro files
id: f72d34d0-3495-4826-ad34-d03495782633
-version: 1
-date: '2025-20-01'
+version: 2
+date: '2025-01-23'
author: Jacob Delgado, SnapAttack
-description: Logs metadata about files transferred over the network captured by Zeek (formerly Bro), including details such as file names, hashes, MIME types, and transfer protocols.
+description: Logs metadata about files transferred over the network captured by Zeek
+ (formerly Bro), including details such as file names, hashes, MIME types, and transfer
+ protocols.
mitre_components:
-- File Metadata
-- Network Traffic Content
-- Network Traffic Flow
-- Response Metadata
-- Application Log Content
+ - File Metadata
+ - Network Traffic Content
+ - Network Traffic Flow
+ - Response Metadata
+ - Application Log Content
source: bro:files:json
sourcetype: bro:files:json
supported_TA: []
diff --git a/data_sources/bro_http.yml b/data_sources/bro_http.yml
index f0e879954e..59232b529e 100644
--- a/data_sources/bro_http.yml
+++ b/data_sources/bro_http.yml
@@ -1,15 +1,16 @@
name: Bro http
id: c5d9612b-0ffd-44d3-8247-3cf3486ec5e2
-version: 2
-date: '2024-07-18'
+version: 3
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs HTTP traffic analyzed by Zeek (formerly Bro), including details such as request methods, URLs, user agents, response codes, and headers.
+description: Logs HTTP traffic analyzed by Zeek (formerly Bro), including details
+ such as request methods, URLs, user agents, response codes, and headers.
mitre_components:
-- Network Traffic Content
-- Network Traffic Flow
-- Response Content
-- Response Metadata
-- Application Log Content
+ - Network Traffic Content
+ - Network Traffic Flow
+ - Response Content
+ - Response Metadata
+ - Application Log Content
source: bro:http:json
sourcetype: bro:http:json
supported_TA: []
diff --git a/data_sources/bro_loaded_scripts.yml b/data_sources/bro_loaded_scripts.yml
index e6f2764604..be17c3a7e1 100644
--- a/data_sources/bro_loaded_scripts.yml
+++ b/data_sources/bro_loaded_scripts.yml
@@ -1,14 +1,15 @@
name: Bro loaded_scripts
id: 81e08a21-a735-42b1-a08a-21a73582b1bf
-version: 1
-date: '2025-20-01'
+version: 2
+date: '2025-01-23'
author: Jacob Delgado, SnapAttack
-description: Logs details about the scripts loaded by Zeek (formerly Bro) during initialization, including script names and paths.
+description: Logs details about the scripts loaded by Zeek (formerly Bro) during initialization,
+ including script names and paths.
mitre_components:
-- Application Log Content
-- Configuration Modification
-- Script Execution
-- OS API Execution
+ - Application Log Content
+ - Configuration Modification
+ - Script Execution
+ - OS API Execution
source: bro:loaded_scripts:json
sourcetype: bro:loaded_scripts:json
supported_TA: []
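Review bot: `Script Execution` and `OS API Execution` under `mitre_components` describe host-side process telemetry, whereas the `description` on this data source says the log only lists the policy scripts Zeek itself loaded at initialization; tagging it with those components may route script-execution detections to a source that cannot observe that activity. `Application Log Content` and `Configuration Modification` already cover what the description states, so consider dropping the other two or extending `description` to say which script executions this log is expected to evidence.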
diff --git a/data_sources/bro_ntp.yml b/data_sources/bro_ntp.yml
index 15ea709585..b849d5d5db 100644
--- a/data_sources/bro_ntp.yml
+++ b/data_sources/bro_ntp.yml
@@ -1,14 +1,15 @@
name: Bro ntp
id: 3f64a544-47a4-4958-a4a5-4447a47958df
-version: 1
-date: '2025-20-01'
+version: 2
+date: '2025-01-23'
author: Jacob Delgado, SnapAttack
-description: Logs Network Time Protocol (NTP) activity captured by Zeek (formerly Bro), including details such as NTP requests, responses, and server metadata.
+description: Logs Network Time Protocol (NTP) activity captured by Zeek (formerly
+ Bro), including details such as NTP requests, responses, and server metadata.
mitre_components:
-- Network Traffic Flow
-- Network Traffic Content
-- Response Metadata
-- Application Log Content
+ - Network Traffic Flow
+ - Network Traffic Content
+ - Response Metadata
+ - Application Log Content
source: bro:ntp:json
sourcetype: bro:ntp:json
supported_TA: []
diff --git a/data_sources/bro_ocsp.yml b/data_sources/bro_ocsp.yml
index c0da63d49e..00e8942e83 100644
--- a/data_sources/bro_ocsp.yml
+++ b/data_sources/bro_ocsp.yml
@@ -1,15 +1,16 @@
name: Bro ocsp
id: d20909ab-70be-409a-8909-ab70be609af1
-version: 1
-date: '2025-20-01'
+version: 2
+date: '2025-01-23'
author: Jacob Delgado, SnapAttack
-description: Logs Online Certificate Status Protocol (OCSP) activity captured by Zeek (formerly Bro), including details such as certificate validation requests and responses.
+description: Logs Online Certificate Status Protocol (OCSP) activity captured by Zeek
+ (formerly Bro), including details such as certificate validation requests and responses.
mitre_components:
-- Certificate Registration
-- Network Traffic Flow
-- Network Traffic Content
-- Response Metadata
-- Application Log Content
+ - Certificate Registration
+ - Network Traffic Flow
+ - Network Traffic Content
+ - Response Metadata
+ - Application Log Content
source: bro:ocsp:json
sourcetype: bro:ocsp:json
-supported_TA: []
\ No newline at end of file
+supported_TA: []
diff --git a/data_sources/bro_ssl.yml b/data_sources/bro_ssl.yml
index 2616ce8186..a2c17d7261 100644
--- a/data_sources/bro_ssl.yml
+++ b/data_sources/bro_ssl.yml
@@ -1,15 +1,16 @@
name: Bro ssl
id: 22c637eb-f62e-41f0-8637-ebf62e11f0a8
-version: 1
-date: '2025-20-01'
+version: 2
+date: '2025-01-23'
author: Jacob Delgado, SnapAttack
-description: Logs SSL/TLS handshake and session details captured by Zeek (formerly Bro), including certificates, cipher suites, and session information.
+description: Logs SSL/TLS handshake and session details captured by Zeek (formerly
+ Bro), including certificates, cipher suites, and session information.
mitre_components:
-- Certificate Registration
-- Network Traffic Flow
-- Network Traffic Content
-- Response Metadata
-- Application Log Content
+ - Certificate Registration
+ - Network Traffic Flow
+ - Network Traffic Content
+ - Response Metadata
+ - Application Log Content
source: bro:ssl:json
sourcetype: bro:ssl:json
-supported_TA: []
\ No newline at end of file
+supported_TA: []
diff --git a/data_sources/bro_weird.yml b/data_sources/bro_weird.yml
index 346236e53d..1fc72ac2de 100644
--- a/data_sources/bro_weird.yml
+++ b/data_sources/bro_weird.yml
@@ -1,15 +1,16 @@
name: Bro weird
id: e03762c5-c4b8-44e3-b762-c5c4b8e4e3b6
-version: 1
-date: '2025-20-01'
+version: 2
+date: '2025-01-23'
author: Jacob Delgado, SnapAttack
-description: Logs anomalous or unexpected network behaviors identified by Zeek (formerly Bro), including protocol violations and unusual traffic patterns.
+description: Logs anomalous or unexpected network behaviors identified by Zeek (formerly
+ Bro), including protocol violations and unusual traffic patterns.
mitre_components:
-- Network Traffic Flow
-- Network Traffic Content
-- Response Metadata
-- Application Log Content
-- Host Status
+ - Network Traffic Flow
+ - Network Traffic Content
+ - Response Metadata
+ - Application Log Content
+ - Host Status
source: bro:weird:json
sourcetype: bro:weird:json
supported_TA: []
diff --git a/data_sources/bro_x509.yml b/data_sources/bro_x509.yml
index 8c41ee6ac1..3d9d08adf7 100644
--- a/data_sources/bro_x509.yml
+++ b/data_sources/bro_x509.yml
@@ -1,15 +1,16 @@
name: Bro x509
id: e8792367-64b0-47e9-b923-6764b0f7e936
-version: 1
-date: '2025-20-01'
+version: 2
+date: '2025-01-23'
author: Jacob Delgado, SnapAttack
-description: Logs details about X.509 certificates observed in network traffic captured by Zeek (formerly Bro), including certificate fields, validity periods, and issuers.
+description: Logs details about X.509 certificates observed in network traffic captured
+ by Zeek (formerly Bro), including certificate fields, validity periods, and issuers.
mitre_components:
-- Certificate Registration
-- Network Traffic Content
-- Response Metadata
-- Application Log Content
-- Host Status
+ - Certificate Registration
+ - Network Traffic Content
+ - Response Metadata
+ - Application Log Content
+ - Host Status
source: bro:x509:json
sourcetype: bro:x509:json
-supported_TA: []
\ No newline at end of file
+supported_TA: []
diff --git a/data_sources/circleci.yml b/data_sources/circleci.yml
index 6cf9ff1092..b07ad95c84 100644
--- a/data_sources/circleci.yml
+++ b/data_sources/circleci.yml
@@ -1,74 +1,75 @@
name: CircleCI
id: 34ad06fc-a296-4ab5-8315-2f07714948e3
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs activities related to CI/CD pipelines executed in CircleCI, including job execution, workflow progress, and configuration changes.
+description: Logs activities related to CI/CD pipelines executed in CircleCI, including
+ job execution, workflow progress, and configuration changes.
mitre_components:
-- Scheduled Job Execution
-- Scheduled Job Metadata
-- Application Log Content
-- Configuration Modification
-- Host Status
+ - Scheduled Job Execution
+ - Scheduled Job Metadata
+ - Application Log Content
+ - Configuration Modification
+ - Host Status
source: circleci
sourcetype: circleci
supported_TA:
-- name: App for CircleCI
- url: https://splunkbase.splunk.com/app/5162
- version: 0.1.1
+ - name: App for CircleCI
+ url: https://splunkbase.splunk.com/app/5162
+ version: 0.1.1
fields:
-- _time
-- author_name
-- avatar_url
-- branch
-- build_num
-- build_time_millis
-- build_url
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- eventtype
-- fail_reason
-- host
-- index
-- job_name
-- job_time
-- linecount
-- owners{}
-- project_slug
-- punct
-- queued_time
-- reponame
-- source
-- sourcetype
-- splunk_server
-- start_time
-- status
-- stop_time
-- tag
-- tag::eventtype
-- timedout
-- timeendpos
-- timestartpos
-- username
-- vcs.commit_time
-- vcs.committer_name
-- vcs.revision
-- vcs.subject
-- vcs.tag
-- vcs.type
-- vcs.url
-- workflows.job_id
-- workflows.job_name
-- workflows.upstream_job_ids{}
-- workflows.workflow_id
-- workflows.workflow_name
-- workflows.workspace_id
+ - _time
+ - author_name
+ - avatar_url
+ - branch
+ - build_num
+ - build_time_millis
+ - build_url
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - eventtype
+ - fail_reason
+ - host
+ - index
+ - job_name
+ - job_time
+ - linecount
+ - owners{}
+ - project_slug
+ - punct
+ - queued_time
+ - reponame
+ - source
+ - sourcetype
+ - splunk_server
+ - start_time
+ - status
+ - stop_time
+ - tag
+ - tag::eventtype
+ - timedout
+ - timeendpos
+ - timestartpos
+ - username
+ - vcs.commit_time
+ - vcs.committer_name
+ - vcs.revision
+ - vcs.subject
+ - vcs.tag
+ - vcs.type
+ - vcs.url
+ - workflows.job_id
+ - workflows.job_name
+ - workflows.upstream_job_ids{}
+ - workflows.workflow_id
+ - workflows.workflow_name
+ - workflows.workspace_id
example_log: '{"job_time": "2021-09-02T08:13:34.273Z", "stop_time": "2021-09-02T08:13:34.273Z",
"start_time": "2021-09-02T08:10:15.829Z", "queued_time": "2021-09-02T08:10:12.764Z",
"job_name": "Unknown", "reponame": "devsecops_poc", "build_num": 94, "build_url":
diff --git a/data_sources/crowdstrike_processrollup2.yml b/data_sources/crowdstrike_processrollup2.yml
index e9074afdd5..d160cf8620 100644
--- a/data_sources/crowdstrike_processrollup2.yml
+++ b/data_sources/crowdstrike_processrollup2.yml
@@ -1,113 +1,115 @@
name: CrowdStrike ProcessRollup2
id: cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs process-related activities captured by CrowdStrike, including process creation, termination, and metadata such as hashes, parent processes, and command-line arguments.
+description: Logs process-related activities captured by CrowdStrike, including process
+ creation, termination, and metadata such as hashes, parent processes, and command-line
+ arguments.
mitre_components:
-- Process Creation
-- Process Termination
-- Process Metadata
-- Command Execution
-- OS API Execution
+ - Process Creation
+ - Process Termination
+ - Process Metadata
+ - Command Execution
+ - OS API Execution
source: crowdstrike
sourcetype: crowdstrike:events:sensor
separator: event_simpleName
separator_value: ProcessRollup2
supported_TA:
-- name: Splunk Add-on for CrowdStrike FDR
- url: https://splunkbase.splunk.com/app/5579
- version: 2.0.3
+ - name: Splunk Add-on for CrowdStrike FDR
+ url: https://splunkbase.splunk.com/app/5579
+ version: 2.0.3
fields:
-- AuthenticationId
-- AuthenticationId_meaning
-- AuthenticodeHashData
-- CommandLine
-- ConfigBuild
-- ConfigStateHash
-- EffectiveTransmissionClass
-- Entitlements
-- EventOrigin
-- ImageFileName
-- ImageSubsystem
-- ImageSubsystem_meaning
-- IntegrityLevel
-- IntegrityLevel_meaning
-- MD5HashData
-- ParentAuthenticationId
-- ParentBaseFileName
-- ParentProcessId
-- ProcessCreateFlags
-- ProcessEndTime
-- ProcessParameterFlags
-- ProcessParameterFlags_meaning
-- ProcessStartTime
-- ProcessSxsFlags
-- ProcessSxsFlags_meaning
-- RawProcessId
-- SHA1HashData
-- SHA256HashData
-- SessionId
-- SignInfoFlags
-- SignInfoFlags_meaning
-- SourceProcessId
-- SourceThreadId
-- Tags
-- TargetProcessId
-- TokenType
-- TokenType_meaning
-- UserSid
-- WindowFlags
-- WindowFlags_meaning
-- action
-- aid
-- aid_city
-- aid_computer_name
-- aid_continent
-- aid_country
-- aid_machine_domain
-- aid_os_version
-- aid_ou
-- aid_site_name
-- aid_system_product_name
-- aip
-- cid
-- dest
-- event_ingest_time
-- event_platform
-- event_simpleName
-- eventtype
-- host_res_aid
-- id
-- os
-- parent_process_exec
-- parent_process_id
-- parent_process_name
-- process
-- process_exec
-- process_hash
-- process_id
-- process_integrity_level
-- process_name
-- process_path
-- resolve_dest
-- resolve_process_integrity_level
-- tag
-- timestamp
-- user
-- user_id
-- vendor_product
+ - AuthenticationId
+ - AuthenticationId_meaning
+ - AuthenticodeHashData
+ - CommandLine
+ - ConfigBuild
+ - ConfigStateHash
+ - EffectiveTransmissionClass
+ - Entitlements
+ - EventOrigin
+ - ImageFileName
+ - ImageSubsystem
+ - ImageSubsystem_meaning
+ - IntegrityLevel
+ - IntegrityLevel_meaning
+ - MD5HashData
+ - ParentAuthenticationId
+ - ParentBaseFileName
+ - ParentProcessId
+ - ProcessCreateFlags
+ - ProcessEndTime
+ - ProcessParameterFlags
+ - ProcessParameterFlags_meaning
+ - ProcessStartTime
+ - ProcessSxsFlags
+ - ProcessSxsFlags_meaning
+ - RawProcessId
+ - SHA1HashData
+ - SHA256HashData
+ - SessionId
+ - SignInfoFlags
+ - SignInfoFlags_meaning
+ - SourceProcessId
+ - SourceThreadId
+ - Tags
+ - TargetProcessId
+ - TokenType
+ - TokenType_meaning
+ - UserSid
+ - WindowFlags
+ - WindowFlags_meaning
+ - action
+ - aid
+ - aid_city
+ - aid_computer_name
+ - aid_continent
+ - aid_country
+ - aid_machine_domain
+ - aid_os_version
+ - aid_ou
+ - aid_site_name
+ - aid_system_product_name
+ - aip
+ - cid
+ - dest
+ - event_ingest_time
+ - event_platform
+ - event_simpleName
+ - eventtype
+ - host_res_aid
+ - id
+ - os
+ - parent_process_exec
+ - parent_process_id
+ - parent_process_name
+ - process
+ - process_exec
+ - process_hash
+ - process_id
+ - process_integrity_level
+ - process_name
+ - process_path
+ - resolve_dest
+ - resolve_process_integrity_level
+ - tag
+ - timestamp
+ - user
+ - user_id
+ - vendor_product
field_mappings:
-- data_model: cim
- data_set: Endpoint.Processes
- mapping:
- CommandLine: Processes.process
- ImageFileName: Processes.process_path
- ParentBaseFileName: Processes.parent_process_name
- ParentProcessId: Processes.parent_process_id
- RawProcessId: Processes.process_id
- SHA256HashData: Processes.process_hash
- UserSid: Processes.user
+ - data_model: cim
+ data_set: Endpoint.Processes
+ mapping:
+ CommandLine: Processes.process
+ ImageFileName: Processes.process_path
+ ParentBaseFileName: Processes.parent_process_name
+ ParentProcessId: Processes.parent_process_id
+ RawProcessId: Processes.process_id
+ SHA256HashData: Processes.process_hash
+ UserSid: Processes.user
example_log: '{"LinkName":"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start
Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk","ProcessCreateFlags":"67634196","IntegrityLevel":"12288","ParentProcessId":"5459598860","SourceProcessId":"5459598860","aip":"3.126.231.40","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-586445407-708991241-1829972403-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"explorer.exe","EventOrigin":"1","ImageSubsystem":"3","id":"e2210781-0e8f-47d2-bf6a-56d2c59f38ee","EffectiveTransmissionClass":"3","SessionId":"2","ShowWindowFlags":"1","Tags":"27,
40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 212205744161605,
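Review bot: The `field_mappings` entry maps `UserSid` to `Processes.user`, but the `fields` list in the same hunk also carries `user` and `user_id`, and a raw SID in `Processes.user` will not join with the username-based `user` values the rest of the Endpoint data model expects. If the add-on already normalises `user` from the SID, mapping `user: Processes.user` and keeping the SID under `Processes.user_id` (where the CIM version in use defines it) would be consistent with the other entries in this block; worth confirming against the TA's field extractions before changing. The `example_log` scalar continues past the end of the hunk.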
diff --git a/data_sources/crushftp.yml b/data_sources/crushftp.yml
index 04a5b0827c..67968d73ef 100644
--- a/data_sources/crushftp.yml
+++ b/data_sources/crushftp.yml
@@ -1,21 +1,22 @@
name: CrushFTP
id: 8a42ace5-e4c8-4653-80cf-1b8e7e6024ef
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs activities related to file transfers and user interactions in CrushFTP, including file uploads, downloads, user authentication, and session details.
+description: Logs activities related to file transfers and user interactions in CrushFTP,
+ including file uploads, downloads, user authentication, and session details.
mitre_components:
-- File Access
-- File Metadata
-- User Account Authentication
-- Logon Session Metadata
-- Network Traffic Content
+ - File Access
+ - File Metadata
+ - User Account Authentication
+ - Logon Session Metadata
+ - Network Traffic Content
source: crushftp
sourcetype: crushftp:sessionlogs
supported_TA: []
fields:
-- _time
-- _raw
+ - _time
+ - _raw
example_log: 'SESSION|05/14/2024 17:36:21.859|[HTTPS:169_52326_sMa:anonymous:10.0.1.30]
READ: *POST /WebInterface/function/?c2f=CmF1&command=zip&path=%3CINCLUDE%3Eusers/MainUsers/groups.XML%3C/INCLUDE%3E&names=/a
HTTP/1.1*'
diff --git a/data_sources/g_suite_drive.yml b/data_sources/g_suite_drive.yml
index a07ee5cd8c..0d56a7944d 100644
--- a/data_sources/g_suite_drive.yml
+++ b/data_sources/g_suite_drive.yml
@@ -1,53 +1,54 @@
name: G Suite Drive
id: 5f79120f-a235-4468-bd0d-55203758ac22
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs activities related to Google Drive in G Suite, including file creation, modification, sharing, and access details.
+description: Logs activities related to Google Drive in G Suite, including file creation,
+ modification, sharing, and access details.
mitre_components:
-- File Access
-- File Creation
-- File Modification
-- Cloud Storage Access
-- Cloud Storage Metadata
+ - File Access
+ - File Creation
+ - File Modification
+ - Cloud Storage Access
+ - Cloud Storage Metadata
source: http:gsuite
sourcetype: gsuite:drive:json
supported_TA:
-- name: Splunk Add-on for Google Workspace
- url: https://splunkbase.splunk.com/app/5556
- version: 3.0.2
+ - name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 3.0.2
fields:
-- _time
-- email
-- host
-- index
-- ip_address
-- linecount
-- name
-- parameters.actor_is_collaborator_account
-- parameters.billable
-- parameters.doc_id
-- parameters.doc_title
-- parameters.doc_type
-- parameters.is_encrypted
-- parameters.new_value{}
-- parameters.old_value{}
-- parameters.old_visibility
-- parameters.originating_app_id
-- parameters.owner
-- parameters.owner_is_shared_drive
-- parameters.owner_is_team_drive
-- parameters.primary_event
-- parameters.target_user
-- parameters.visibility
-- parameters.visibility_change
-- punct
-- source
-- sourcetype
-- splunk_server
-- timestamp
-- type
-- unique_id
+ - _time
+ - email
+ - host
+ - index
+ - ip_address
+ - linecount
+ - name
+ - parameters.actor_is_collaborator_account
+ - parameters.billable
+ - parameters.doc_id
+ - parameters.doc_title
+ - parameters.doc_type
+ - parameters.is_encrypted
+ - parameters.new_value{}
+ - parameters.old_value{}
+ - parameters.old_visibility
+ - parameters.originating_app_id
+ - parameters.owner
+ - parameters.owner_is_shared_drive
+ - parameters.owner_is_team_drive
+ - parameters.primary_event
+ - parameters.target_user
+ - parameters.visibility
+ - parameters.visibility_change
+ - punct
+ - source
+ - sourcetype
+ - splunk_server
+ - timestamp
+ - type
+ - unique_id
example_log: '{"type": "acl_change", "name": "change_user_access", "parameters": {"primary_event":
true, "billable": true, "visibility_change": "none", "target_user": "alberto@internal_test_email.com",
"old_value": ["none"], "new_value": ["can_edit"], "old_visibility": "private", "doc_id":
diff --git a/data_sources/g_suite_gmail.yml b/data_sources/g_suite_gmail.yml
index 0a6ddc9596..c89e7087fb 100644
--- a/data_sources/g_suite_gmail.yml
+++ b/data_sources/g_suite_gmail.yml
@@ -1,91 +1,92 @@
name: G Suite Gmail
id: 706c3978-41de-406b-b6e0-75bd01e12a5d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs Gmail activities in G Suite, including email sending, receiving, and access details, as well as potential security-related events.
+description: Logs Gmail activities in G Suite, including email sending, receiving,
+ and access details, as well as potential security-related events.
mitre_components:
-- Application Log Content
-- User Account Metadata
-- Email Metadata
-- Cloud Service Metadata
+ - Application Log Content
+ - User Account Metadata
+ - Email Metadata
+ - Cloud Service Metadata
source: http:gsuite
sourcetype: gsuite:gmail:bigquery
supported_TA:
-- name: Splunk Add-on for Google Workspace
- url: https://splunkbase.splunk.com/app/5556
- version: 3.0.2
+ - name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 3.0.2
fields:
-- _time
-- action_type
-- attachment{}.file_extension_type
-- attachment{}.malware_family
-- attachment{}.sha256
-- connection_info.authenticated_domain{}.name
-- connection_info.authenticated_domain{}.type
-- connection_info.client_host_zone
-- connection_info.client_ip
-- connection_info.dkim_pass
-- connection_info.dmarc_pass
-- connection_info.dmarc_published_domain
-- connection_info.ip_geo_city
-- connection_info.ip_geo_country
-- connection_info.is_internal
-- connection_info.is_intra_domain
-- connection_info.smtp_in_connect_ip
-- connection_info.smtp_out_connect_ip
-- connection_info.smtp_out_remote_host
-- connection_info.smtp_reply_code
-- connection_info.smtp_response_reason
-- connection_info.smtp_tls_cipher
-- connection_info.smtp_tls_state
-- connection_info.smtp_tls_version
-- connection_info.smtp_user_agent_ip
-- connection_info.spf_pass
-- connection_info.tls_required_but_unavailable
-- description
-- destination{}.address
-- destination{}.rcpt_response
-- destination{}.selector
-- destination{}.service
-- destination{}.smime_decryption_success
-- destination{}.smime_extraction_success
-- destination{}.smime_parsing_success
-- destination{}.smime_signature_verification_success
-- eventtype
-- flattened_destinations
-- flattened_triggered_rule_info
-- host
-- index
-- is_policy_check_for_sender
-- is_spam
-- linecount
-- message_set{}.type
-- num_message_attachments
-- payload_size
-- punct
-- rfc2822_message_id
-- smime_content_type
-- smime_encrypt_message
-- smime_extraction_success
-- smime_packaging_success
-- smime_sign_message
-- smtp_relay_error
-- source
-- source.address
-- source.from_header_address
-- source.from_header_displayname
-- source.selector
-- source.service
-- sourcetype
-- spam_info
-- splunk_server
-- structured_policy_log_info
-- subject
-- tag
-- tag::eventtype
-- timestamp
-- upload_error_category
+ - _time
+ - action_type
+ - attachment{}.file_extension_type
+ - attachment{}.malware_family
+ - attachment{}.sha256
+ - connection_info.authenticated_domain{}.name
+ - connection_info.authenticated_domain{}.type
+ - connection_info.client_host_zone
+ - connection_info.client_ip
+ - connection_info.dkim_pass
+ - connection_info.dmarc_pass
+ - connection_info.dmarc_published_domain
+ - connection_info.ip_geo_city
+ - connection_info.ip_geo_country
+ - connection_info.is_internal
+ - connection_info.is_intra_domain
+ - connection_info.smtp_in_connect_ip
+ - connection_info.smtp_out_connect_ip
+ - connection_info.smtp_out_remote_host
+ - connection_info.smtp_reply_code
+ - connection_info.smtp_response_reason
+ - connection_info.smtp_tls_cipher
+ - connection_info.smtp_tls_state
+ - connection_info.smtp_tls_version
+ - connection_info.smtp_user_agent_ip
+ - connection_info.spf_pass
+ - connection_info.tls_required_but_unavailable
+ - description
+ - destination{}.address
+ - destination{}.rcpt_response
+ - destination{}.selector
+ - destination{}.service
+ - destination{}.smime_decryption_success
+ - destination{}.smime_extraction_success
+ - destination{}.smime_parsing_success
+ - destination{}.smime_signature_verification_success
+ - eventtype
+ - flattened_destinations
+ - flattened_triggered_rule_info
+ - host
+ - index
+ - is_policy_check_for_sender
+ - is_spam
+ - linecount
+ - message_set{}.type
+ - num_message_attachments
+ - payload_size
+ - punct
+ - rfc2822_message_id
+ - smime_content_type
+ - smime_encrypt_message
+ - smime_extraction_success
+ - smime_packaging_success
+ - smime_sign_message
+ - smtp_relay_error
+ - source
+ - source.address
+ - source.from_header_address
+ - source.from_header_displayname
+ - source.selector
+ - source.service
+ - sourcetype
+ - spam_info
+ - splunk_server
+ - structured_policy_log_info
+ - subject
+ - tag
+ - tag::eventtype
+ - timestamp
+ - upload_error_category
example_log: '{"action_type": 10, "rfc2822_message_id": "",
"subject": "New Order DHL0000001 - Dummy email for Detection Development", "payload_size":
6733, "source": {"address": "john@external_test_email.com", "service": "gmail-for-work",
diff --git a/data_sources/github.yml b/data_sources/github.yml
index e9125f7f07..32ebea53e7 100644
--- a/data_sources/github.yml
+++ b/data_sources/github.yml
@@ -1,211 +1,212 @@
name: GitHub
id: 88aa4632-3c3e-43f6-a00a-998d71f558e3
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs activities on GitHub repositories, including push events, pull requests, issue creation, and user authentication events.
+description: Logs activities on GitHub repositories, including push events, pull requests,
+ issue creation, and user authentication events.
mitre_components:
-- User Account Authentication
-- Configuration Modification
-- Application Log Content
-- User Account Metadata
-- Scheduled Job Metadata
+ - User Account Authentication
+ - Configuration Modification
+ - Application Log Content
+ - User Account Metadata
+ - Scheduled Job Metadata
source: github
sourcetype: aws:firehose:json
supported_TA:
-- name: Splunk Add-on for Github
- url: https://splunkbase.splunk.com/app/6254
- version: 3.1.0
+ - name: Splunk Add-on for Github
+ url: https://splunkbase.splunk.com/app/6254
+ version: 3.1.0
fields:
-- _time
-- action
-- host
-- index
-- linecount
-- meta
-- punct
-- source
-- sourcetype
-- splunk_server
-- timestamp
-- workflow_run.actor.avatar_url
-- workflow_run.actor.events_url
-- workflow_run.actor.followers_url
-- workflow_run.actor.following_url
-- workflow_run.actor.gists_url
-- workflow_run.actor.gravatar_id
-- workflow_run.actor.html_url
-- workflow_run.actor.id
-- workflow_run.actor.login
-- workflow_run.actor.node_id
-- workflow_run.actor.organizations_url
-- workflow_run.actor.received_events_url
-- workflow_run.actor.repos_url
-- workflow_run.actor.site_admin
-- workflow_run.actor.starred_url
-- workflow_run.actor.subscriptions_url
-- workflow_run.actor.type
-- workflow_run.actor.url
-- workflow_run.artifacts_url
-- workflow_run.cancel_url
-- workflow_run.check_suite_id
-- workflow_run.check_suite_node_id
-- workflow_run.check_suite_url
-- workflow_run.conclusion
-- workflow_run.created_at
-- workflow_run.event
-- workflow_run.head_branch
-- workflow_run.head_commit.author.email
-- workflow_run.head_commit.author.name
-- workflow_run.head_commit.committer.email
-- workflow_run.head_commit.committer.name
-- workflow_run.head_commit.id
-- workflow_run.head_commit.message
-- workflow_run.head_commit.timestamp
-- workflow_run.head_commit.tree_id
-- workflow_run.head_repository.collaborators_url
-- workflow_run.head_repository.description
-- workflow_run.head_repository.fork
-- workflow_run.head_repository.forks_url
-- workflow_run.head_repository.full_name
-- workflow_run.head_repository.hooks_url
-- workflow_run.head_repository.html_url
-- workflow_run.head_repository.id
-- workflow_run.head_repository.keys_url
-- workflow_run.head_repository.name
-- workflow_run.head_repository.node_id
-- workflow_run.head_repository.owner.avatar_url
-- workflow_run.head_repository.owner.events_url
-- workflow_run.head_repository.owner.followers_url
-- workflow_run.head_repository.owner.following_url
-- workflow_run.head_repository.owner.gists_url
-- workflow_run.head_repository.owner.gravatar_id
-- workflow_run.head_repository.owner.html_url
-- workflow_run.head_repository.owner.id
-- workflow_run.head_repository.owner.login
-- workflow_run.head_repository.owner.node_id
-- workflow_run.head_repository.owner.organizations_url
-- workflow_run.head_repository.owner.received_events_url
-- workflow_run.head_repository.owner.repos_url
-- workflow_run.head_repository.owner.site_admin
-- workflow_run.head_repository.owner.starred_url
-- workflow_run.head_repository.owner.subscriptions_url
-- workflow_run.head_repository.owner.type
-- workflow_run.head_repository.owner.url
-- workflow_run.head_repository.private
-- workflow_run.head_repository.teams_url
-- workflow_run.head_repository.url
-- workflow_run.head_sha
-- workflow_run.html_url
-- workflow_run.id
-- workflow_run.jobs_url
-- workflow_run.logs_url
-- workflow_run.name
-- workflow_run.node_id
-- workflow_run.previous_attempt_url
-- workflow_run.pull_requests{}.base.ref
-- workflow_run.pull_requests{}.base.repo.id
-- workflow_run.pull_requests{}.base.repo.name
-- workflow_run.pull_requests{}.base.repo.url
-- workflow_run.pull_requests{}.base.sha
-- workflow_run.pull_requests{}.head.ref
-- workflow_run.pull_requests{}.head.repo.id
-- workflow_run.pull_requests{}.head.repo.name
-- workflow_run.pull_requests{}.head.repo.url
-- workflow_run.pull_requests{}.head.sha
-- workflow_run.pull_requests{}.id
-- workflow_run.pull_requests{}.number
-- workflow_run.pull_requests{}.url
-- workflow_run.repository.archive_url
-- workflow_run.repository.assignees_url
-- workflow_run.repository.blobs_url
-- workflow_run.repository.branches_url
-- workflow_run.repository.collaborators_url
-- workflow_run.repository.comments_url
-- workflow_run.repository.commits_url
-- workflow_run.repository.compare_url
-- workflow_run.repository.contents_url
-- workflow_run.repository.contributors_url
-- workflow_run.repository.deployments_url
-- workflow_run.repository.description
-- workflow_run.repository.downloads_url
-- workflow_run.repository.events_url
-- workflow_run.repository.fork
-- workflow_run.repository.forks_url
-- workflow_run.repository.full_name
-- workflow_run.repository.git_commits_url
-- workflow_run.repository.git_refs_url
-- workflow_run.repository.git_tags_url
-- workflow_run.repository.hooks_url
-- workflow_run.repository.html_url
-- workflow_run.repository.id
-- workflow_run.repository.issue_comment_url
-- workflow_run.repository.issue_events_url
-- workflow_run.repository.issues_url
-- workflow_run.repository.keys_url
-- workflow_run.repository.labels_url
-- workflow_run.repository.languages_url
-- workflow_run.repository.merges_url
-- workflow_run.repository.milestones_url
-- workflow_run.repository.name
-- workflow_run.repository.node_id
-- workflow_run.repository.notifications_url
-- workflow_run.repository.owner.avatar_url
-- workflow_run.repository.owner.events_url
-- workflow_run.repository.owner.followers_url
-- workflow_run.repository.owner.following_url
-- workflow_run.repository.owner.gists_url
-- workflow_run.repository.owner.gravatar_id
-- workflow_run.repository.owner.html_url
-- workflow_run.repository.owner.id
-- workflow_run.repository.owner.login
-- workflow_run.repository.owner.node_id
-- workflow_run.repository.owner.organizations_url
-- workflow_run.repository.owner.received_events_url
-- workflow_run.repository.owner.repos_url
-- workflow_run.repository.owner.site_admin
-- workflow_run.repository.owner.starred_url
-- workflow_run.repository.owner.subscriptions_url
-- workflow_run.repository.owner.type
-- workflow_run.repository.owner.url
-- workflow_run.repository.private
-- workflow_run.repository.pulls_url
-- workflow_run.repository.releases_url
-- workflow_run.repository.stargazers_url
-- workflow_run.repository.statuses_url
-- workflow_run.repository.subscribers_url
-- workflow_run.repository.subscription_url
-- workflow_run.repository.tags_url
-- workflow_run.repository.teams_url
-- workflow_run.repository.trees_url
-- workflow_run.repository.url
-- workflow_run.rerun_url
-- workflow_run.run_attempt
-- workflow_run.run_number
-- workflow_run.run_started_at
-- workflow_run.status
-- workflow_run.triggering_actor.avatar_url
-- workflow_run.triggering_actor.events_url
-- workflow_run.triggering_actor.followers_url
-- workflow_run.triggering_actor.following_url
-- workflow_run.triggering_actor.gists_url
-- workflow_run.triggering_actor.gravatar_id
-- workflow_run.triggering_actor.html_url
-- workflow_run.triggering_actor.id
-- workflow_run.triggering_actor.login
-- workflow_run.triggering_actor.node_id
-- workflow_run.triggering_actor.organizations_url
-- workflow_run.triggering_actor.received_events_url
-- workflow_run.triggering_actor.repos_url
-- workflow_run.triggering_actor.site_admin
-- workflow_run.triggering_actor.starred_url
-- workflow_run.triggering_actor.subscriptions_url
-- workflow_run.triggering_actor.type
-- workflow_run.triggering_actor.url
-- workflow_run.updated_at
-- workflow_run.url
-- workflow_run.workflow_id
-- workflow_run.workflow_url
+ - _time
+ - action
+ - host
+ - index
+ - linecount
+ - meta
+ - punct
+ - source
+ - sourcetype
+ - splunk_server
+ - timestamp
+ - workflow_run.actor.avatar_url
+ - workflow_run.actor.events_url
+ - workflow_run.actor.followers_url
+ - workflow_run.actor.following_url
+ - workflow_run.actor.gists_url
+ - workflow_run.actor.gravatar_id
+ - workflow_run.actor.html_url
+ - workflow_run.actor.id
+ - workflow_run.actor.login
+ - workflow_run.actor.node_id
+ - workflow_run.actor.organizations_url
+ - workflow_run.actor.received_events_url
+ - workflow_run.actor.repos_url
+ - workflow_run.actor.site_admin
+ - workflow_run.actor.starred_url
+ - workflow_run.actor.subscriptions_url
+ - workflow_run.actor.type
+ - workflow_run.actor.url
+ - workflow_run.artifacts_url
+ - workflow_run.cancel_url
+ - workflow_run.check_suite_id
+ - workflow_run.check_suite_node_id
+ - workflow_run.check_suite_url
+ - workflow_run.conclusion
+ - workflow_run.created_at
+ - workflow_run.event
+ - workflow_run.head_branch
+ - workflow_run.head_commit.author.email
+ - workflow_run.head_commit.author.name
+ - workflow_run.head_commit.committer.email
+ - workflow_run.head_commit.committer.name
+ - workflow_run.head_commit.id
+ - workflow_run.head_commit.message
+ - workflow_run.head_commit.timestamp
+ - workflow_run.head_commit.tree_id
+ - workflow_run.head_repository.collaborators_url
+ - workflow_run.head_repository.description
+ - workflow_run.head_repository.fork
+ - workflow_run.head_repository.forks_url
+ - workflow_run.head_repository.full_name
+ - workflow_run.head_repository.hooks_url
+ - workflow_run.head_repository.html_url
+ - workflow_run.head_repository.id
+ - workflow_run.head_repository.keys_url
+ - workflow_run.head_repository.name
+ - workflow_run.head_repository.node_id
+ - workflow_run.head_repository.owner.avatar_url
+ - workflow_run.head_repository.owner.events_url
+ - workflow_run.head_repository.owner.followers_url
+ - workflow_run.head_repository.owner.following_url
+ - workflow_run.head_repository.owner.gists_url
+ - workflow_run.head_repository.owner.gravatar_id
+ - workflow_run.head_repository.owner.html_url
+ - workflow_run.head_repository.owner.id
+ - workflow_run.head_repository.owner.login
+ - workflow_run.head_repository.owner.node_id
+ - workflow_run.head_repository.owner.organizations_url
+ - workflow_run.head_repository.owner.received_events_url
+ - workflow_run.head_repository.owner.repos_url
+ - workflow_run.head_repository.owner.site_admin
+ - workflow_run.head_repository.owner.starred_url
+ - workflow_run.head_repository.owner.subscriptions_url
+ - workflow_run.head_repository.owner.type
+ - workflow_run.head_repository.owner.url
+ - workflow_run.head_repository.private
+ - workflow_run.head_repository.teams_url
+ - workflow_run.head_repository.url
+ - workflow_run.head_sha
+ - workflow_run.html_url
+ - workflow_run.id
+ - workflow_run.jobs_url
+ - workflow_run.logs_url
+ - workflow_run.name
+ - workflow_run.node_id
+ - workflow_run.previous_attempt_url
+ - workflow_run.pull_requests{}.base.ref
+ - workflow_run.pull_requests{}.base.repo.id
+ - workflow_run.pull_requests{}.base.repo.name
+ - workflow_run.pull_requests{}.base.repo.url
+ - workflow_run.pull_requests{}.base.sha
+ - workflow_run.pull_requests{}.head.ref
+ - workflow_run.pull_requests{}.head.repo.id
+ - workflow_run.pull_requests{}.head.repo.name
+ - workflow_run.pull_requests{}.head.repo.url
+ - workflow_run.pull_requests{}.head.sha
+ - workflow_run.pull_requests{}.id
+ - workflow_run.pull_requests{}.number
+ - workflow_run.pull_requests{}.url
+ - workflow_run.repository.archive_url
+ - workflow_run.repository.assignees_url
+ - workflow_run.repository.blobs_url
+ - workflow_run.repository.branches_url
+ - workflow_run.repository.collaborators_url
+ - workflow_run.repository.comments_url
+ - workflow_run.repository.commits_url
+ - workflow_run.repository.compare_url
+ - workflow_run.repository.contents_url
+ - workflow_run.repository.contributors_url
+ - workflow_run.repository.deployments_url
+ - workflow_run.repository.description
+ - workflow_run.repository.downloads_url
+ - workflow_run.repository.events_url
+ - workflow_run.repository.fork
+ - workflow_run.repository.forks_url
+ - workflow_run.repository.full_name
+ - workflow_run.repository.git_commits_url
+ - workflow_run.repository.git_refs_url
+ - workflow_run.repository.git_tags_url
+ - workflow_run.repository.hooks_url
+ - workflow_run.repository.html_url
+ - workflow_run.repository.id
+ - workflow_run.repository.issue_comment_url
+ - workflow_run.repository.issue_events_url
+ - workflow_run.repository.issues_url
+ - workflow_run.repository.keys_url
+ - workflow_run.repository.labels_url
+ - workflow_run.repository.languages_url
+ - workflow_run.repository.merges_url
+ - workflow_run.repository.milestones_url
+ - workflow_run.repository.name
+ - workflow_run.repository.node_id
+ - workflow_run.repository.notifications_url
+ - workflow_run.repository.owner.avatar_url
+ - workflow_run.repository.owner.events_url
+ - workflow_run.repository.owner.followers_url
+ - workflow_run.repository.owner.following_url
+ - workflow_run.repository.owner.gists_url
+ - workflow_run.repository.owner.gravatar_id
+ - workflow_run.repository.owner.html_url
+ - workflow_run.repository.owner.id
+ - workflow_run.repository.owner.login
+ - workflow_run.repository.owner.node_id
+ - workflow_run.repository.owner.organizations_url
+ - workflow_run.repository.owner.received_events_url
+ - workflow_run.repository.owner.repos_url
+ - workflow_run.repository.owner.site_admin
+ - workflow_run.repository.owner.starred_url
+ - workflow_run.repository.owner.subscriptions_url
+ - workflow_run.repository.owner.type
+ - workflow_run.repository.owner.url
+ - workflow_run.repository.private
+ - workflow_run.repository.pulls_url
+ - workflow_run.repository.releases_url
+ - workflow_run.repository.stargazers_url
+ - workflow_run.repository.statuses_url
+ - workflow_run.repository.subscribers_url
+ - workflow_run.repository.subscription_url
+ - workflow_run.repository.tags_url
+ - workflow_run.repository.teams_url
+ - workflow_run.repository.trees_url
+ - workflow_run.repository.url
+ - workflow_run.rerun_url
+ - workflow_run.run_attempt
+ - workflow_run.run_number
+ - workflow_run.run_started_at
+ - workflow_run.status
+ - workflow_run.triggering_actor.avatar_url
+ - workflow_run.triggering_actor.events_url
+ - workflow_run.triggering_actor.followers_url
+ - workflow_run.triggering_actor.following_url
+ - workflow_run.triggering_actor.gists_url
+ - workflow_run.triggering_actor.gravatar_id
+ - workflow_run.triggering_actor.html_url
+ - workflow_run.triggering_actor.id
+ - workflow_run.triggering_actor.login
+ - workflow_run.triggering_actor.node_id
+ - workflow_run.triggering_actor.organizations_url
+ - workflow_run.triggering_actor.received_events_url
+ - workflow_run.triggering_actor.repos_url
+ - workflow_run.triggering_actor.site_admin
+ - workflow_run.triggering_actor.starred_url
+ - workflow_run.triggering_actor.subscriptions_url
+ - workflow_run.triggering_actor.type
+ - workflow_run.triggering_actor.url
+ - workflow_run.updated_at
+ - workflow_run.url
+ - workflow_run.workflow_id
+ - workflow_run.workflow_url
example_log: '{"action":"requested","workflow_run":{"id":2088708615,"name":"auto-update","node_id":"WFR_kwLOCa00Ec58fyoH","head_branch":"mac_os_detections","head_sha":"4049334910ea3d52a917ca35aed66d11c80ed966","run_number":9504,"event":"push","status":"queued","conclusion":null,"workflow_id":4692335,"check_suite_id":5918781611,"check_suite_node_id":"CS_kwDOCa00Ec8AAAABYMlwqw","url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615","html_url":"https://github.com/splunk/security_content/actions/runs/2088708615","pull_requests":[{"url":"https://api.github.com/repos/splunk/security_content/pulls/2131","id":893091277,"number":2131,"head":{"ref":"mac_os_detections","sha":"4049334910ea3d52a917ca35aed66d11c80ed966","repo":{"id":162346001,"url":"https://api.github.com/repos/splunk/security_content","name":"security_content"}},"base":{"ref":"develop","sha":"a7d3d1dc57f9bf36fe22e470bcf518fcc2c89283","repo":{"id":162346001,"url":"https://api.github.com/repos/splunk/security_content","name":"security_content"}}}],"created_at":"2022-04-04T08:43:15Z","updated_at":"2022-04-04T08:43:15Z","actor":{"login":"jsmith","id":8362376,"node_id":"MDQ6VXNlcjgzNjIzNzY=","avatar_url":"https://avatars.githubusercontent.com/u/8362376?v=4","gravatar_id":"","url":"https://api.github.com/users/jsmith","html_url":"https://github.com/jsmith","followers_url":"https://api.github.com/users/jsmith/followers","following_url":"https://api.github.com/users/jsmith/following{/other_user}","gists_url":"https://api.github.com/users/jsmith/gists{/gist_id}","starred_url":"https://api.github.com/users/jsmith/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jsmith/subscriptions","organizations_url":"https://api.github.com/users/jsmith/orgs","repos_url":"https://api.github.com/users/jsmith/repos","events_url":"https://api.github.com/users/jsmith/events{/privacy}","received_events_url":"https://api.github.com/users/jsmith/received_events","type":"User","site_admin":
false},"run_attempt":1,"run_started_at":"2022-04-04T08:43:15Z","triggering_actor":{"login":"jsmith","id":8362376,"node_id":"MDQ6VXNlcjgzNjIzNzY=","avatar_url":"https://avatars.githubusercontent.com/u/8362376?v=4","gravatar_id":"","url":"https://api.github.com/users/jsmith","html_url":"https://github.com/jsmith","followers_url":"https://api.github.com/users/jsmith/followers","following_url":"https://api.github.com/users/jsmith/following{/other_user}","gists_url":"https://api.github.com/users/jsmith/gists{/gist_id}","starred_url":"https://api.github.com/users/jsmith/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jsmith/subscriptions","organizations_url":"https://api.github.com/users/jsmith/orgs","repos_url":"https://api.github.com/users/jsmith/repos","events_url":"https://api.github.com/users/jsmith/events{/privacy}","received_events_url":"https://api.github.com/users/jsmith/received_events","type":"User","site_admin":false},"jobs_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/jobs","logs_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/logs","check_suite_url":"https://api.github.com/repos/splunk/security_content/check-suites/5918781611","artifacts_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/artifacts","cancel_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/cancel","rerun_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/rerun","previous_attempt_url":null,"workflow_url":"https://api.github.com/repos/splunk/security_content/actions/workflows/4692335","head_commit":{"id":"4049334910ea3d52a917ca35aed66d11c80ed966","tree_id":"df4ddc1359be3b19f093b7a27dbf5708187743a0","message":"small
change","timestamp":"2022-04-04T08:43:01Z","author":{"name":"jsmith","email":"jsmith@evilcorp.com"},"committer":{"name":"jsmith","email":"jsmith@evilcorp.com"}},"repository":{"id":162346001,"node_id":"MDEwOlJlcG9zaXRvcnkxNjIzNDYwMDE=","name":"security_content","full_name":"splunk/security_content","private":false,"owner":{"login":"splunk","id":651467,"node_id":"MDEyOk9yZ2FuaXphdGlvbjY1MTQ2Nw==","avatar_url":"https://avatars.githubusercontent.com/u/651467?v=4","gravatar_id":"","url":"https://api.github.com/users/splunk","html_url":"https://github.com/splunk","followers_url":"https://api.github.com/users/splunk/followers","following_url":"https://api.github.com/users/splunk/following{/other_user}","gists_url":"https://api.github.com/users/splunk/gists{/gist_id}","starred_url":"https://api.github.com/users/splunk/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/splunk/subscriptions","organizations_url":"https://api.github.com/users/splunk/orgs","repos_url":"https://api.github.com/users/splunk/repos","events_url":"https://api.github.com/users/splunk/events{/privacy}","received_events_url":"https://api.github.com/users/splunk/received_events","type":"Organization","site_admin":false},"html_url":"https://github.com/splunk/security_content","description":"Splunk
Security Content","fork":false,"url":"https://api.github.com/repos/splunk/security_content","forks_url":"https://api.github.com/repos/splunk/security_content/forks","keys_url":"https://api.github.com/repos/splunk/security_content/keys{/key_id}","collaborators_url":"https://api.github.com/repos/splunk/security_content/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/splunk/security_content/teams","hooks_url":"https://api.github.com/repos/splunk/security_content/hooks","issue_events_url":"https://api.github.com/repos/splunk/security_content/issues/events{/number}","events_url":"https://api.github.com/repos/splunk/security_content/events","assignees_url":"https://api.github.com/repos/splunk/security_content/assignees{/user}","branches_url":"https://api.github.com/repos/splunk/security_content/branches{/branch}","tags_url":"https://api.github.com/repos/splunk/security_content/tags","blobs_url":"https://api.github.com/repos/splunk/security_content/git/blobs{/sha}","git_tags_url":"https://api.github.com/repos/splunk/security_content/git/tags{/sha}","git_refs_url":"https://api.github.com/repos/splunk/security_content/git/refs{/sha}","trees_url":"https://api.github.com/repos/splunk/security_content/git/trees{/sha}","statuses_url":"https://api.github.com/repos/splunk/security_content/statuses/{sha}","languages_url":"https://api.github.com/repos/splunk/security_content/languages","stargazers_url":"https://api.github.com/repos/splunk/security_content/stargazers","contributors_url":"https://api.github.com/repos/splunk/security_content/contributors","subscribers_url":"https://api.github.com/repos/splunk/security_content/subscribers","subscription_url":"https://api.github.com/repos/splunk/security_content/subscription","commits_url":"https://api.github.com/repos/splunk/security_content/commits{/sha}","git_commits_url":"https://api.github.com/repos/splunk/security_content/git/commits{/sha}","comments_url":"https://api.github.com/repos/splunk/security_content
/comments{/number}","issue_comment_url":"https://api.github.com/repos/splunk/security_content/issues/comments{/number}","contents_url":"https://api.github.com/repos/splunk/security_content/contents/{+path}","compare_url":"https://api.github.com/repos/splunk/security_content/compare/{base}...{head}","merges_url":"https://api.github.com/repos/splunk/security_content/merges","archive_url":"https://api.github.com/repos/splunk/security_content/{archive_format}{/ref}","downloads_url":"https://api.github.com/repos/splunk/security_content/downloads","issues_url":"https://api.github.com/repos/splunk/security_content/issues{/number}","pulls_url":"https://api.github.com/repos/splunk/security_content/pulls{/number}","milestones_url":"https://api.github.com/repos/splunk/security_content/milestones{/number}","notifications_url":"https://api.github.com/repos/splunk/security_content/notifications{?since,all,participating}","labels_url":"https://api.github.com/repos/splunk/security_content/labels{/name}","releases_url":"https://api.github.com/repos/splunk/security_content/releases{/id}","deployments_url":"https://api.github.com/repos/splunk/security_content/deployments"},"head_repository":{"id":162346001,"node_id":"MDEwOlJlcG9zaXRvcnkxNjIzNDYwMDE=","name":"security_content","full_name":"splunk/security_content","private":false,"owner":{"login":"splunk","id":651467,"node_id":"MDEyOk9yZ2FuaXphdGlvbjY1MTQ2Nw==","avatar_url":"https://avatars.githubusercontent.com/u/651467?v=4","gravatar_id":"","url":"https://api.github.com/users/splunk","html_url":"https://github.com/splunk","followers_url":"https://api.github.com/users/splunk/followers","following_url":"https://api.github.com/users/splunk/following{/other_user}","gists_url":"https://api.github.com/users/splunk/gists{/gist_id}","starred_url":"https://api.github.com/users/splunk/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/splunk/subscriptions","organizations_url":"https://api.github.com/users/splunk/orgs","r
epos_url":"https://api.github.com/users/splunk/repos","events_url":"https://api.github.com/users/splunk/events{/privacy}","received_events_url":"https://api.github.com/users/splunk/received_events","type":"Organization","site_admin":false},"html_url":"https://github.com/splunk/security_content","description":"Splunk
diff --git a/data_sources/google_workspace_login_failure.yml b/data_sources/google_workspace_login_failure.yml
index 4f49e2a565..f853aa35f3 100644
--- a/data_sources/google_workspace_login_failure.yml
+++ b/data_sources/google_workspace_login_failure.yml
@@ -1,58 +1,59 @@
name: Google Workspace login_failure
id: cabec7cf-4008-4899-b47e-39c34a9a1255
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs failed login attempts to Google Workspace accounts, including details about the user, IP address, and reason for failure.
+description: Logs failed login attempts to Google Workspace accounts, including details
+ about the user, IP address, and reason for failure.
mitre_components:
-- User Account Authentication
-- Logon Session Metadata
-- User Account Metadata
-- Application Log Content
+ - User Account Authentication
+ - Logon Session Metadata
+ - User Account Metadata
+ - Application Log Content
source: gws:reports:admin
sourcetype: gws:reports:admin
separator: event.name
separator_value: login_failure
supported_TA:
-- name: Splunk Add-on for Google Workspace
- url: https://splunkbase.splunk.com/app/5556
- version: 3.0.2
+ - name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 3.0.2
fields:
-- _time
-- actor.email
-- actor.profileId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- etag
-- event.name
-- event.parameters{}.multiValue{}
-- event.parameters{}.name
-- event.parameters{}.value
-- event.type
-- eventtype
-- host
-- id.applicationName
-- id.customerId
-- id.time
-- id.uniqueQualifier
-- index
-- ipAddress
-- kind
-- linecount
-- punct
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
+ - _time
+ - actor.email
+ - actor.profileId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - etag
+ - event.name
+ - event.parameters{}.multiValue{}
+ - event.parameters{}.name
+ - event.parameters{}.value
+ - event.type
+ - eventtype
+ - host
+ - id.applicationName
+ - id.customerId
+ - id.time
+ - id.uniqueQualifier
+ - index
+ - ipAddress
+ - kind
+ - linecount
+ - punct
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
example_log: '{"kind": "admin#reports#activity", "id": {"time": "2022-10-12T01:05:35.119Z",
"uniqueQualifier": "720229394436", "applicationName": "login", "customerId": "C046r85ir"},
"etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/_lixtTooT11WXorGf6w6ElN0m0g\"",
diff --git a/data_sources/google_workspace_login_success.yml b/data_sources/google_workspace_login_success.yml
index 723b1b2724..4f0d7d8265 100644
--- a/data_sources/google_workspace_login_success.yml
+++ b/data_sources/google_workspace_login_success.yml
@@ -1,56 +1,57 @@
name: Google Workspace login_success
id: bffe8013-9cdf-4fe6-9c1b-6784391a4951
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs successful login attempts to Google Workspace accounts, including details about the user, IP address, and session metadata.
+description: Logs successful login attempts to Google Workspace accounts, including
+ details about the user, IP address, and session metadata.
mitre_components:
-- User Account Authentication
-- Logon Session Creation
-- User Account Metadata
-- Logon Session Metadata
+ - User Account Authentication
+ - Logon Session Creation
+ - User Account Metadata
+ - Logon Session Metadata
source: gws:reports:admin
sourcetype: gws:reports:admin
separator: event.name
separator_value: login_success
supported_TA:
-- name: Splunk Add-on for Google Workspace
- url: https://splunkbase.splunk.com/app/5556
- version: 3.0.2
+ - name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 3.0.2
fields:
-- _time
-- actor.email
-- actor.profileId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- etag
-- event.name
-- event.parameters{}.boolValue
-- event.parameters{}.multiValue{}
-- event.parameters{}.name
-- event.parameters{}.value
-- event.type
-- host
-- id.applicationName
-- id.customerId
-- id.time
-- id.uniqueQualifier
-- index
-- ipAddress
-- kind
-- linecount
-- punct
-- source
-- sourcetype
-- splunk_server
-- timeendpos
-- timestartpos
+ - _time
+ - actor.email
+ - actor.profileId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - etag
+ - event.name
+ - event.parameters{}.boolValue
+ - event.parameters{}.multiValue{}
+ - event.parameters{}.name
+ - event.parameters{}.value
+ - event.type
+ - host
+ - id.applicationName
+ - id.customerId
+ - id.time
+ - id.uniqueQualifier
+ - index
+ - ipAddress
+ - kind
+ - linecount
+ - punct
+ - source
+ - sourcetype
+ - splunk_server
+ - timeendpos
+ - timestartpos
example_log: '{"kind": "admin#reports#activity", "id": {"time": "2022-10-13T20:57:35.833Z",
"uniqueQualifier": "437744618349", "applicationName": "login", "customerId": "C046r85ir"},
"etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/OgAbD-Tz8hSD1vUJWw7NLiJ5SF4\"",
diff --git a/data_sources/ivanti_vtm_audit.yml b/data_sources/ivanti_vtm_audit.yml
index a10ae34f02..389bf9b8d9 100644
--- a/data_sources/ivanti_vtm_audit.yml
+++ b/data_sources/ivanti_vtm_audit.yml
@@ -1,25 +1,27 @@
name: Ivanti VTM Audit
id: b04be6e5-2002-4a49-8722-52285635b8f5
-version: 1
-date: '2024-08-19'
+version: 2
+date: '2025-01-23'
author: Michael Haag, Splunk
-description: Logs administrative and operational activities in Ivanti Virtual Traffic Manager (VTM), including configuration changes, user actions, and system events.
+description: Logs administrative and operational activities in Ivanti Virtual Traffic
+ Manager (VTM), including configuration changes, user actions, and system events.
mitre_components:
-- Configuration Modification
-- Application Log Content
-- User Account Metadata
-- Host Status
-- Service Modification
+ - Configuration Modification
+ - Application Log Content
+ - User Account Metadata
+ - Host Status
+ - Service Modification
source: ivanti_vtm
sourcetype: ivanti_vtm_audit
supported_TA: []
fields:
-- _time
-- IP
-- MODUSER
-- OPERATION
-- MODGROUP
-- AUTH
-- USER
-- GROUP
-example_log: '[19/Aug/2024:19:41:22 +0000] USER=!!ABSENT!! GROUP=!!ABSENT!! AUTH=!!ABSENT!! IP=!!ABSENT!! OPERATION=adduser MODUSER=newadmin MODGROUP=admin'
+ - _time
+ - IP
+ - MODUSER
+ - OPERATION
+ - MODGROUP
+ - AUTH
+ - USER
+ - GROUP
+example_log: '[19/Aug/2024:19:41:22 +0000] USER=!!ABSENT!! GROUP=!!ABSENT!! AUTH=!!ABSENT!!
+ IP=!!ABSENT!! OPERATION=adduser MODUSER=newadmin MODGROUP=admin'
diff --git a/data_sources/kubernetes_audit.yml b/data_sources/kubernetes_audit.yml
index 9035f6c381..89588cee18 100644
--- a/data_sources/kubernetes_audit.yml
+++ b/data_sources/kubernetes_audit.yml
@@ -1,66 +1,67 @@
name: Kubernetes Audit
id: 6c25181a-0c07-4aaf-90e6-77ab1f0e6699
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs activities within a Kubernetes cluster, including API server requests, resource access, configuration changes, and user authentication events.
+description: Logs activities within a Kubernetes cluster, including API server requests,
+ resource access, configuration changes, and user authentication events.
mitre_components:
-- Pod Metadata
-- Pod Modification
-- Cluster Metadata
-- User Account Authentication
-- Configuration Modification
-- Application Log Content
+ - Pod Metadata
+ - Pod Modification
+ - Cluster Metadata
+ - User Account Authentication
+ - Configuration Modification
+ - Application Log Content
source: kubernetes
sourcetype: _json
supported_TA: []
fields:
-- _time
-- annotations.authorization.k8s.io/decision
-- annotations.authorization.k8s.io/reason
-- apiVersion
-- auditID
-- eventtype
-- host
-- index
-- kind
-- level
-- linecount
-- objectRef.apiGroup
-- objectRef.apiVersion
-- objectRef.namespace
-- objectRef.resource
-- punct
-- requestReceivedTimestamp
-- requestURI
-- responseObject.apiVersion
-- responseObject.code
-- responseObject.details.group
-- responseObject.details.kind
-- responseObject.kind
-- responseObject.message
-- responseObject.reason
-- responseObject.status
-- responseStatus.code
-- responseStatus.details.group
-- responseStatus.details.kind
-- responseStatus.message
-- responseStatus.reason
-- responseStatus.status
-- source
-- sourceIPs{}
-- sourcetype
-- splunk_server
-- stage
-- stageTimestamp
-- tag
-- tag::eventtype
-- timestamp
-- user.groups{}
-- user.uid
-- user.username
-- userAgent
-- verb
+ - _time
+ - annotations.authorization.k8s.io/decision
+ - annotations.authorization.k8s.io/reason
+ - apiVersion
+ - auditID
+ - eventtype
+ - host
+ - index
+ - kind
+ - level
+ - linecount
+ - objectRef.apiGroup
+ - objectRef.apiVersion
+ - objectRef.namespace
+ - objectRef.resource
+ - punct
+ - requestReceivedTimestamp
+ - requestURI
+ - responseObject.apiVersion
+ - responseObject.code
+ - responseObject.details.group
+ - responseObject.details.kind
+ - responseObject.kind
+ - responseObject.message
+ - responseObject.reason
+ - responseObject.status
+ - responseStatus.code
+ - responseStatus.details.group
+ - responseStatus.details.kind
+ - responseStatus.message
+ - responseStatus.reason
+ - responseStatus.status
+ - source
+ - sourceIPs{}
+ - sourcetype
+ - splunk_server
+ - stage
+ - stageTimestamp
+ - tag
+ - tag::eventtype
+ - timestamp
+ - user.groups{}
+ - user.uid
+ - user.username
+ - userAgent
+ - verb
example_log: '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs?fieldManager=kubectl-create\u0026fieldValidation=Strict","verb":"create","user":{"username":"k8s-test-user","uid":"aws-iam-authenticator:591511147606:AROAYTOGP2RLFHNBOTP5J","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2
(darwin/arm64) kubernetes/7f6f68f","objectRef":{"resource":"jobs","namespace":"test2","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"jobs.batch
is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group
diff --git a/data_sources/kubernetes_falco.yml b/data_sources/kubernetes_falco.yml
index 6b21e39781..cff1b27f1c 100644
--- a/data_sources/kubernetes_falco.yml
+++ b/data_sources/kubernetes_falco.yml
@@ -1,54 +1,55 @@
name: Kubernetes Falco
id: 23c0eeed-840a-4711-a41b-6819c1ffbba5
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs suspicious or anomalous activities within a Kubernetes environment detected by Falco, including system calls, file access, and network activity.
+description: Logs suspicious or anomalous activities within a Kubernetes environment
+ detected by Falco, including system calls, file access, and network activity.
mitre_components:
-- File Access
-- Network Traffic Content
-- Process Creation
-- Process Modification
-- Application Log Content
-- Host Status
+ - File Access
+ - Network Traffic Content
+ - Process Creation
+ - Process Modification
+ - Application Log Content
+ - Host Status
source: kubernetes
sourcetype: kube:container:falco
supported_TA: []
fields:
-- _time
-- command
-- container_id
-- container_image
-- container_image_tag
-- container_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- evt_type
-- exe_flags
-- host
-- index
-- k8s_ns
-- k8s_pod_name
-- linecount
-- parent
-- proc_exepath
-- process
-- punct
-- source
-- sourcetype
-- splunk_server
-- terminal
-- timeendpos
-- timestartpos
-- user
-- user_loginuid
-- user_uid
+ - _time
+ - command
+ - container_id
+ - container_image
+ - container_image_tag
+ - container_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - evt_type
+ - exe_flags
+ - host
+ - index
+ - k8s_ns
+ - k8s_pod_name
+ - linecount
+ - parent
+ - proc_exepath
+ - process
+ - punct
+ - source
+ - sourcetype
+ - splunk_server
+ - terminal
+ - timeendpos
+ - timestartpos
+ - user
+ - user_loginuid
+ - user_uid
example_log: '12:18:18.691725165: Notice A shell was spawned in a container with an
attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash
proc_exepath=/usr/lib/splunk-otel-collector/agent-bundle/bin/bash parent=runc command=bash
diff --git a/data_sources/linux_auditd_add_user.yml b/data_sources/linux_auditd_add_user.yml
index 1b6bb6ba17..da361ede71 100644
--- a/data_sources/linux_auditd_add_user.yml
+++ b/data_sources/linux_auditd_add_user.yml
@@ -1,40 +1,44 @@
name: Linux Auditd Add User
id: 30f79353-e1d2-4585-8735-1e0359559f3f
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-01-23'
author: Teoderick Contreras, Splunk
-description: Logs activities related to the addition of a new user account on a Linux system, including details about the username, UID, and the process initiating the action.
+description: Logs activities related to the addition of a new user account on a Linux
+ system, including details about the username, UID, and the process initiating the
+ action.
mitre_components:
-- User Account Creation
-- User Account Metadata
-- OS API Execution
-- Application Log Content
+ - User Account Creation
+ - User Account Metadata
+ - OS API Execution
+ - Application Log Content
source: /var/log/audit/audit.log
sourcetype: linux:audit
separator: type
separator_value: ADD_USER
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
-- name: Splunk Add-on for Unix and Linux
- url: https://splunkbase.splunk.com/app/833
- version: 9.2.0
+ - name: Splunk Add-on for Unix and Linux
+ url: https://splunkbase.splunk.com/app/833
+ version: 9.2.0
fields:
-- msg
-- type
-- pid
-- uid
-- auid
-- ses
-- subj
-- msg
-- op
-- id
-- exe
-- hostname
-- addr
-- terminal
-- res
-- UID
-- AUID
-- ID
-example_log: 'type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000 ses=1 subj=unconfined msg=''op=adding user id=1002 exe="/usr/sbin/useradd" hostname=ar-linux1 addr=? terminal=pts/1 res=success''UID="root" AUID="ubuntu" ID="unknown(1002)"'
+ - msg
+ - type
+ - pid
+ - uid
+ - auid
+ - ses
+ - subj
+ - msg
+ - op
+ - id
+ - exe
+ - hostname
+ - addr
+ - terminal
+ - res
+ - UID
+ - AUID
+ - ID
+example_log: "type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000
+ ses=1 subj=unconfined msg='op=adding user id=1002 exe=\"/usr/sbin/useradd\" hostname=ar-linux1
+ addr=? terminal=pts/1 res=success'UID=\"root\" AUID=\"ubuntu\" ID=\"unknown(1002)\""
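Review bot: The `fields` list carries `msg` twice (the two `+ - msg` entries after `fields:`), and the same duplicate appears in the execve, service_stop and syscall hunks below; the reindent preserved it rather than resolving it. For this add_user event the raw log does contain two `msg=` pairs (`msg=audit(...)` and `msg='op=...'`), so the repetition may be deliberate, but a list of extracted field names is normally a set and a duplicate reads like a copy-paste slip. If it is intended, a comment on the second entry such as `# msg occurs twice in the raw event: msg=audit(...) and msg='...'` would settle it; otherwise drop the second `- msg`. For execve and syscall the example logs show only one `msg=` pair, so the duplicate there looks unintended.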
diff --git a/data_sources/linux_auditd_execve.yml b/data_sources/linux_auditd_execve.yml
index f70b98a8f9..72433806de 100644
--- a/data_sources/linux_auditd_execve.yml
+++ b/data_sources/linux_auditd_execve.yml
@@ -1,27 +1,29 @@
name: Linux Auditd Execve
id: 9ef6364d-cc67-480e-8448-3306829a6a24
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-01-23'
author: Teoderick Contreras, Splunk
-description: Logs the execution of processes on a Linux system, including details about the executed command, arguments, and the initiating process.
+description: Logs the execution of processes on a Linux system, including details
+ about the executed command, arguments, and the initiating process.
mitre_components:
-- Command Execution
-- Process Creation
-- Process Metadata
-- OS API Execution
-- Application Log Content
+ - Command Execution
+ - Process Creation
+ - Process Metadata
+ - OS API Execution
+ - Application Log Content
source: /var/log/audit/audit.log
sourcetype: linux:audit
separator: type
separator_value: EXECVE
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
-- name: Splunk Add-on for Unix and Linux
- url: https://splunkbase.splunk.com/app/833
- version: 9.2.0
+ - name: Splunk Add-on for Unix and Linux
+ url: https://splunkbase.splunk.com/app/833
+ version: 9.2.0
fields:
-- msg
-- type
-- msg
-- argc
-example_log: 'type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so" a2="./prog"'
+ - msg
+ - type
+ - msg
+ - argc
+example_log: 'type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so"
+ a2="./prog"'
diff --git a/data_sources/linux_auditd_path.yml b/data_sources/linux_auditd_path.yml
index 3dd0c9d22a..d612530b4e 100644
--- a/data_sources/linux_auditd_path.yml
+++ b/data_sources/linux_auditd_path.yml
@@ -1,41 +1,44 @@
name: Linux Auditd Path
id: 3d86125c-0496-4a5a-aae3-0d355a4f3d7d
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-01-23'
author: Teoderick Contreras, Splunk
-description: Logs file system access events on a Linux system, including details about file paths, permissions, and associated processes.
+description: Logs file system access events on a Linux system, including details about
+ file paths, permissions, and associated processes.
mitre_components:
-- File Access
-- File Metadata
-- Process Metadata
-- OS API Execution
-- Application Log Content
+ - File Access
+ - File Metadata
+ - Process Metadata
+ - OS API Execution
+ - Application Log Content
source: /var/log/audit/audit.log
sourcetype: linux:audit
separator: type
separator_value: PATH
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
-- name: Splunk Add-on for Unix and Linux
- url: https://splunkbase.splunk.com/app/833
- version: 9.2.0
+ - name: Splunk Add-on for Unix and Linux
+ url: https://splunkbase.splunk.com/app/833
+ version: 9.2.0
fields:
-- msg
-- type
-- item
-- name
-- inode
-- dev
-- mode
-- ouid
-- ogid
-- rdev
-- nametype
-- cap_fp
-- cap_fi
-- cap_fe
-- cap_fver
-- cap_frootid
-- OUID
-- OGID
-example_log: 'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~" inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"'
+ - msg
+ - type
+ - item
+ - name
+ - inode
+ - dev
+ - mode
+ - ouid
+ - ogid
+ - rdev
+ - nametype
+ - cap_fp
+ - cap_fi
+ - cap_fe
+ - cap_fver
+ - cap_frootid
+ - OUID
+ - OGID
+example_log: 'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~"
+ inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0
+ cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"'
diff --git a/data_sources/linux_auditd_proctitle.yml b/data_sources/linux_auditd_proctitle.yml
index e0038b6a94..fbd067aed5 100644
--- a/data_sources/linux_auditd_proctitle.yml
+++ b/data_sources/linux_auditd_proctitle.yml
@@ -1,25 +1,26 @@
name: Linux Auditd Proctitle
id: 5a25984a-2789-400a-858b-d75c923e06b1
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-01-23'
author: Teoderick Contreras, Splunk
-description: Logs the full command-line arguments of a process execution on a Linux system, providing visibility into the executed command and its parameters.
+description: Logs the full command-line arguments of a process execution on a Linux
+ system, providing visibility into the executed command and its parameters.
mitre_components:
-- Command Execution
-- Process Metadata
-- OS API Execution
-- Application Log Content
+ - Command Execution
+ - Process Metadata
+ - OS API Execution
+ - Application Log Content
separator: type
separator_value: PROCTITLE
source: /var/log/audit/audit.log
sourcetype: linux:audit
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
-- name: Splunk Add-on for Unix and Linux
- url: https://splunkbase.splunk.com/app/833
- version: 9.2.0
+ - name: Splunk Add-on for Unix and Linux
+ url: https://splunkbase.splunk.com/app/833
+ version: 9.2.0
fields:
-- proctitle
-- msg
-- type
+ - proctitle
+ - msg
+ - type
example_log: 'type=PROCTITLE msg=audit(1722944427.844:4146): proctitle=63686D6F640037373700312E7368'
diff --git a/data_sources/linux_auditd_service_stop.yml b/data_sources/linux_auditd_service_stop.yml
index 3c4f41bcbf..8b1c94b0f2 100644
--- a/data_sources/linux_auditd_service_stop.yml
+++ b/data_sources/linux_auditd_service_stop.yml
@@ -1,38 +1,42 @@
name: Linux Auditd Service Stop
id: 0643483c-bc62-455c-8d6e-1630e5f0e00d
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-01-23'
author: Teoderick Contreras, Splunk
-description: Logs events related to the stoppage of a service on a Linux system, including details about the service name, the process initiating the stop, and associated timestamps.
+description: Logs events related to the stoppage of a service on a Linux system, including
+ details about the service name, the process initiating the stop, and associated
+ timestamps.
mitre_components:
-- Service Modification
-- Service Metadata
-- OS API Execution
-- Application Log Content
+ - Service Modification
+ - Service Metadata
+ - OS API Execution
+ - Application Log Content
separator: type
separator_value: SERVICE_STOP
source: /var/log/audit/audit.log
sourcetype: linux:audit
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
-- name: Splunk Add-on for Unix and Linux
- url: https://splunkbase.splunk.com/app/833
- version: 9.2.0
+ - name: Splunk Add-on for Unix and Linux
+ url: https://splunkbase.splunk.com/app/833
+ version: 9.2.0
fields:
-- msg
-- type
-- pid
-- uid
-- auid
-- ses
-- subj
-- msg
-- comm
-- exe
-- hostname
-- addr
-- terminal
-- res
-- UID
-- AUID
-example_log: 'type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg=''unit=atd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success''UID="root" AUID="unset"'
+ - msg
+ - type
+ - pid
+ - uid
+ - auid
+ - ses
+ - subj
+ - msg
+ - comm
+ - exe
+ - hostname
+ - addr
+ - terminal
+ - res
+ - UID
+ - AUID
+example_log: "type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295
+ ses=4294967295 subj=unconfined msg='unit=atd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\"\
+ \ hostname=? addr=? terminal=? res=success'UID=\"root\" AUID=\"unset\""
diff --git a/data_sources/linux_auditd_syscall.yml b/data_sources/linux_auditd_syscall.yml
index 46f043e357..c753a66b54 100644
--- a/data_sources/linux_auditd_syscall.yml
+++ b/data_sources/linux_auditd_syscall.yml
@@ -1,61 +1,67 @@
name: Linux Auditd Syscall
id: 4dff7047-0d43-4096-bb3f-b756c889bbad
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-01-23'
author: Teoderick Contreras, Splunk
-description: Logs system calls made by processes on a Linux system, including details about the syscall number, arguments, return values, and associated process metadata.
+description: Logs system calls made by processes on a Linux system, including details
+ about the syscall number, arguments, return values, and associated process metadata.
mitre_components:
-- OS API Execution
-- Process Metadata
-- Application Log Content
-- Host Status
+ - OS API Execution
+ - Process Metadata
+ - Application Log Content
+ - Host Status
source: /var/log/audit/audit.log
sourcetype: linux:audit
separator: type
separator_value: syscall
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
-- name: Splunk Add-on for Unix and Linux
- url: https://splunkbase.splunk.com/app/833
- version: 9.2.0
+ - name: Splunk Add-on for Unix and Linux
+ url: https://splunkbase.splunk.com/app/833
+ version: 9.2.0
fields:
-- msg
-- type
-- msg
-- arch
-- syscall
-- success
-- exit
-- a1
-- a2
-- a3
-- items
-- ppid
-- pid
-- auid
-- uid
-- gid
-- euid
-- suid
-- fsuid
-- egid
-- sgid
-- fsgid
-- tty
-- ses
-- comm
-- exe
-- subj
-- key
-- ARCH
-- SYSCALL
-- AUID
-- UID
-- GID
-- EUID
-- SUID
-- FSUID
-- EGID
-- SGID
-- FSGID
-example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64 SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"'
+ - msg
+ - type
+ - msg
+ - arch
+ - syscall
+ - success
+ - exit
+ - a1
+ - a2
+ - a3
+ - items
+ - ppid
+ - pid
+ - auid
+ - uid
+ - gid
+ - euid
+ - suid
+ - fsuid
+ - egid
+ - sgid
+ - fsgid
+ - tty
+ - ses
+ - comm
+ - exe
+ - subj
+ - key
+ - ARCH
+ - SYSCALL
+ - AUID
+ - UID
+ - GID
+ - EUID
+ - SUID
+ - FSUID
+ - EGID
+ - SGID
+ - FSGID
+example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59
+ success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2
+ ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
+ tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64
+ SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root"
+ EGID="root" SGID="root" FSGID="root"'
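Review bot: The `fields` list starts the syscall arguments at `a1`, while the example log on the new side records `a0=556a6d697a58`; adding `- a0` before `- a1` keeps the field inventory consistent with the event (a0 is also the most useful argument for execve-style syscalls). Separately, `separator_value: syscall` is lowercase here whereas the other auditd sources use the uppercase record type (ADD_USER, EXECVE, PATH, PROCTITLE, SERVICE_STOP) and the example itself carries `type=SYSCALL`; if the consumer matches the separator case-sensitively this source would never match, so `separator_value: SYSCALL` is the safer spelling. Both are context lines untouched by this commit, but the version bump is a natural point to fix them.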
diff --git a/data_sources/linux_secure.yml b/data_sources/linux_secure.yml
index 1f1c1917e3..e6f8b78160 100644
--- a/data_sources/linux_secure.yml
+++ b/data_sources/linux_secure.yml
@@ -1,53 +1,54 @@
name: Linux Secure
id: 9a47d88b-1b17-49ce-a0ef-b440ddbd98bb
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs authentication and authorization events on a Linux system, including login attempts, SSH connections, and privilege escalation activities.
+description: Logs authentication and authorization events on a Linux system, including
+ login attempts, SSH connections, and privilege escalation activities.
mitre_components:
-- User Account Authentication
-- Logon Session Creation
-- Logon Session Metadata
-- User Account Metadata
-- Application Log Content
+ - User Account Authentication
+ - Logon Session Creation
+ - Logon Session Metadata
+ - User Account Metadata
+ - Application Log Content
source: /var/log/secure
sourcetype: linux_secure
supported_TA: []
fields:
-- _time
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- eventtype
-- host
-- index
-- linecount
-- pid
-- process
-- punct
-- source
-- sourcetype
-- splunk_server
-- src
-- src_port
-- sshd_protocol
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_name
-- vendor_action
-- vendor_product
+ - _time
+ - action
+ - app
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - eventtype
+ - host
+ - index
+ - linecount
+ - pid
+ - process
+ - punct
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_port
+ - sshd_protocol
+ - tag
+ - tag::action
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_name
+ - vendor_action
+ - vendor_product
example_log: 'May 27 09:28:36 ip-172-31-24-46 sshd[5617]: Accepted password for mikael
from 84.202.159.161 port 63487 ssh2'
diff --git a/data_sources/ms365_defender_incident_alerts.yml b/data_sources/ms365_defender_incident_alerts.yml
index d8114c0151..80e582df46 100644
--- a/data_sources/ms365_defender_incident_alerts.yml
+++ b/data_sources/ms365_defender_incident_alerts.yml
@@ -1,189 +1,241 @@
name: MS365 Defender Incident Alerts
id: 12345678-90ab-cdef-1234-567890abcdef
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Bhavin Patel, Splunk
-description: Logs security incidents and correlated alerts in Microsoft 365 Defender, including details about affected assets, threat types, and remediation steps.
+description: Logs security incidents and correlated alerts in Microsoft 365 Defender,
+ including details about affected assets, threat types, and remediation steps.
mitre_components:
-- Host Status
-- User Account Metadata
-- Application Log Content
-- Malware Metadata
-- Active Directory Object Access
+ - Host Status
+ - User Account Metadata
+ - Application Log Content
+ - Malware Metadata
+ - Active Directory Object Access
source: ms365_defender_incident_alerts
sourcetype: ms365:defender:incident:alerts
supported_TA:
-- name: Splunk Add-on for Microsoft Security
- url: https://splunkbase.splunk.com/app/6207
- version: 2.4.1
+ - name: Splunk Add-on for Microsoft Security
+ url: https://splunkbase.splunk.com/app/6207
+ version: 2.4.1
fields:
-- actorName
-- alertId
-- app
-- assignedTo
-- body
-- category
-- classification
-- creationTime
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- description
-- dest
-- detectionSource
-- detectorId
-- determination
-- devices{}.aadDeviceId
-- devices{}.defenderAvStatus
-- devices{}.deviceDnsName
-- devices{}.firstSeen
-- devices{}.healthStatus
-- devices{}.loggedOnUsers{}.accountName
-- devices{}.loggedOnUsers{}.domainName
-- devices{}.mdatpDeviceId
-- devices{}.onboardingStatus
-- devices{}.osBuild
-- devices{}.osPlatform
-- devices{}.osProcessor
-- devices{}.rbacGroupName
-- devices{}.riskScore
-- devices{}.version
-- devices{}.vmMetadata
-- devices{}.vmMetadata.cloudProvider
-- devices{}.vmMetadata.resourceId
-- devices{}.vmMetadata.subscriptionId
-- devices{}.vmMetadata.vmId
-- entities{}.aadUserId
-- entities{}.accountName
-- entities{}.applicationId
-- entities{}.applicationName
-- entities{}.detectionStatus
-- entities{}.deviceId
-- entities{}.domainName
-- entities{}.entityType
-- entities{}.evidenceCreationTime
-- entities{}.fileName
-- entities{}.filePath
-- entities{}.ipAddress
-- entities{}.parentProcessCreationTime
-- entities{}.parentProcessFileName
-- entities{}.parentProcessFilePath
-- entities{}.parentProcessId
-- entities{}.processCommandLine
-- entities{}.processCreationTime
-- entities{}.processId
-- entities{}.remediationStatus
-- entities{}.remediationStatusDetails
-- entities{}.sha1
-- entities{}.sha256
-- entities{}.userPrincipalName
-- entities{}.userSid
-- entities{}.verdict
-- eventtype
-- firstActivity
-- host
-- id
-- incidentId
-- index
-- investigationId
-- investigationState
-- lastActivity
-- lastUpdatedTime
-- linecount
-- mitreTechniques{}
-- mitre_technique_id
-- providerAlertId
-- resolvedTime
-- serviceSource
-- severity
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- splunk_server_group
-- src
-- status
-- subject
-- tag
-- tag::app
-- tag::eventtype
-- threatFamilyName
-- timeendpos
-- timestartpos
-- title
-- type
-- user
-- user_name
-- _bkt
-- _cd
-- _eventtype_color
-- _indextime
-- _raw
-- _serial
-- _si
-- _sourcetype
-- _subsecond
-- _time
-example_log: "{\n \"alertId\": \"da638001130101730338_582949328\",\n \"providerAlertId\"\
- : \"da638001130101730338_582949328\",\n \"incidentId\": 486,\n \"serviceSource\"\
- : \"MicrosoftDefenderForEndpoint\",\n \"creationTime\": \"2022-09-30T05:36:50.1732198Z\"\
- ,\n \"lastUpdatedTime\": \"2022-11-19T01:35:42.7033333Z\",\n \"resolvedTime\"\
- : \"2022-10-01T01:36:00.5066667Z\",\n \"firstActivity\": \"2022-09-30T05:06:43.8196597Z\"\
- ,\n \"lastActivity\": \"2022-09-30T05:06:43.8196597Z\",\n \"title\": \"Suspicious\
- \ URL clicked\",\n \"description\": \"A user opened a potentially malicious URL.\
- \ This alert was triggered based on a Microsoft Defender for Office 365 alert.\"\
- ,\n \"category\": \"InitialAccess\",\n \"status\": \"Resolved\",\n \"severity\"\
- : \"High\",\n \"investigationId\": null,\n \"investigationState\": \"UnsupportedAlertType\"\
- ,\n \"classification\": \"TruePositive\",\n \"determination\": \"SecurityTesting\"\
- ,\n \"detectionSource\": \"MTP\",\n \"detectorId\": \"359b36eb-337c-4f1c-b280-8c5e08f9c4a0\"\
- ,\n \"assignedTo\": \"msftadmin@metal.m365dpoc.com\",\n \"actorName\": null,\n\
- \ \"threatFamilyName\": null,\n \"mitreTechniques\": [\n \"T1566.002\"\n ],\n\
- \ \"devices\": [\n {\n \"mdatpDeviceId\": \"c7e147cb0eb3534a4dcea5acb8e61c933713b145\"\
- ,\n \"aadDeviceId\": null,\n \"deviceDnsName\": \"metal-win10v.metal.m365dpoc.com\"\
- ,\n \"osPlatform\": \"Windows10\",\n \"version\": \"1809\",\n \"\
- osProcessor\": \"x64\",\n \"osBuild\": 17763,\n \"healthStatus\": \"Active\"\
- ,\n \"riskScore\": \"High\",\n \"rbacGroupName\": \"Full Auto Clients\"\
- ,\n \"firstSeen\": \"2022-08-08T08:51:02.455Z\",\n \"tags\": [\n \
- \ \"Full auto\"\n ],\n \"defenderAvStatus\": \"Updated\",\n \"\
- onboardingStatus\": \"Onboarded\",\n \"vmMetadata\": {\n \"vmId\": \"\
- 17881b39-b03f-4a2c-9b56-078be1330bd0\",\n \"cloudProvider\": \"Unknown\"\
- ,\n \"resourceId\": \"/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10V\"\
- ,\n \"subscriptionId\": \"29e73d07-8740-4164-a257-592a19a7b77c\"\n },\n\
- \ \"loggedOnUsers\": [\n {\n \"accountName\": \"hetfield\"\
- ,\n \"domainName\": \"MSDXV2\"\n }\n ]\n }\n ],\n \"entities\"\
- : [\n {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\":\
- \ \"2022-09-30T05:36:50.2133333Z\",\n \"verdict\": \"Suspicious\",\n \"\
- remediationStatus\": \"None\",\n \"sha1\": \"6cbce4a295c163791b60fc23d285e6d84f28ee4c\"\
- ,\n \"sha256\": \"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"\
- ,\n \"fileName\": \"powershell.exe\",\n \"filePath\": \"\",\n \"\
- processId\": 7068,\n \"processCommandLine\": \"powershell.exe -command \\\"\
- \ $Process = New-Object\
- \ System.Diagnostics.Process; \
- \ $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Chetfield%40metal.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0';\
- \ $Process.StartInfo.UseShellExecute\
- \ = $true; $Process.Start()\
- \ | Out-Null; \\\" \
- \ \",\n \"processCreationTime\"\
- : \"2022-09-30T05:06:43.3390523Z\",\n \"parentProcessId\": 7116,\n \"\
- parentProcessCreationTime\": \"2022-09-30T05:06:43.3100364Z\",\n \"accountName\"\
- : \"hetfield\",\n \"userSid\": \"S-1-5-21-2300221942-1987151257-321556088-1104\"\
- \n },\n {\n \"entityType\": \"File\",\n \"evidenceCreationTime\"\
- : \"2022-09-30T05:36:50.2133333Z\",\n \"verdict\": \"Suspicious\",\n \"\
- remediationStatus\": \"None\",\n \"sha1\": \"6cbce4a295c163791b60fc23d285e6d84f28ee4c\"\
- ,\n \"sha256\": \"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"\
- ,\n \"fileName\": \"powershell.exe\",\n \"filePath\": \"\"\n },\n \
- \ {\n \"entityType\": \"User\",\n \"evidenceCreationTime\": \"2022-09-30T05:36:50.2133333Z\"\
- ,\n \"verdict\": \"Suspicious\",\n \"remediationStatus\": \"None\",\n\
- \ \"accountName\": \"hetfield\",\n \"domainName\": \"metal.m365dpoc\"\
- ,\n \"userSid\": \"S-1-5-21-2300221942-1987151257-321556088-1104\",\n \
- \ \"aadUserId\": \"e848b07a-87af-4448-9979-09f0b809c8d4\",\n \"userPrincipalName\"\
- : \"daftpunk\"\n },\n {\n \"entityType\": \"Url\",\n \"evidenceCreationTime\"\
- : \"2022-09-30T05:36:50.2133333Z\",\n \"verdict\": \"Suspicious\",\n \"\
- remediationStatus\": \"None\",\n \"url\": \"http://gcajebahdi.corporatelogon.xyz/ab/jnkmbkkdnlgedc\"\
- \n }\n ]\n}"
+ - actorName
+ - alertId
+ - app
+ - assignedTo
+ - body
+ - category
+ - classification
+ - creationTime
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - description
+ - dest
+ - detectionSource
+ - detectorId
+ - determination
+ - devices{}.aadDeviceId
+ - devices{}.defenderAvStatus
+ - devices{}.deviceDnsName
+ - devices{}.firstSeen
+ - devices{}.healthStatus
+ - devices{}.loggedOnUsers{}.accountName
+ - devices{}.loggedOnUsers{}.domainName
+ - devices{}.mdatpDeviceId
+ - devices{}.onboardingStatus
+ - devices{}.osBuild
+ - devices{}.osPlatform
+ - devices{}.osProcessor
+ - devices{}.rbacGroupName
+ - devices{}.riskScore
+ - devices{}.version
+ - devices{}.vmMetadata
+ - devices{}.vmMetadata.cloudProvider
+ - devices{}.vmMetadata.resourceId
+ - devices{}.vmMetadata.subscriptionId
+ - devices{}.vmMetadata.vmId
+ - entities{}.aadUserId
+ - entities{}.accountName
+ - entities{}.applicationId
+ - entities{}.applicationName
+ - entities{}.detectionStatus
+ - entities{}.deviceId
+ - entities{}.domainName
+ - entities{}.entityType
+ - entities{}.evidenceCreationTime
+ - entities{}.fileName
+ - entities{}.filePath
+ - entities{}.ipAddress
+ - entities{}.parentProcessCreationTime
+ - entities{}.parentProcessFileName
+ - entities{}.parentProcessFilePath
+ - entities{}.parentProcessId
+ - entities{}.processCommandLine
+ - entities{}.processCreationTime
+ - entities{}.processId
+ - entities{}.remediationStatus
+ - entities{}.remediationStatusDetails
+ - entities{}.sha1
+ - entities{}.sha256
+ - entities{}.userPrincipalName
+ - entities{}.userSid
+ - entities{}.verdict
+ - eventtype
+ - firstActivity
+ - host
+ - id
+ - incidentId
+ - index
+ - investigationId
+ - investigationState
+ - lastActivity
+ - lastUpdatedTime
+ - linecount
+ - mitreTechniques{}
+ - mitre_technique_id
+ - providerAlertId
+ - resolvedTime
+ - serviceSource
+ - severity
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - splunk_server_group
+ - src
+ - status
+ - subject
+ - tag
+ - tag::app
+ - tag::eventtype
+ - threatFamilyName
+ - timeendpos
+ - timestartpos
+ - title
+ - type
+ - user
+ - user_name
+ - _bkt
+ - _cd
+ - _eventtype_color
+ - _indextime
+ - _raw
+ - _serial
+ - _si
+ - _sourcetype
+ - _subsecond
+ - _time
+example_log: |-
+ {
+ "alertId": "da638001130101730338_582949328",
+ "providerAlertId": "da638001130101730338_582949328",
+ "incidentId": 486,
+ "serviceSource": "MicrosoftDefenderForEndpoint",
+ "creationTime": "2022-09-30T05:36:50.1732198Z",
+ "lastUpdatedTime": "2022-11-19T01:35:42.7033333Z",
+ "resolvedTime": "2022-10-01T01:36:00.5066667Z",
+ "firstActivity": "2022-09-30T05:06:43.8196597Z",
+ "lastActivity": "2022-09-30T05:06:43.8196597Z",
+ "title": "Suspicious URL clicked",
+ "description": "A user opened a potentially malicious URL. This alert was triggered based on a Microsoft Defender for Office 365 alert.",
+ "category": "InitialAccess",
+ "status": "Resolved",
+ "severity": "High",
+ "investigationId": null,
+ "investigationState": "UnsupportedAlertType",
+ "classification": "TruePositive",
+ "determination": "SecurityTesting",
+ "detectionSource": "MTP",
+ "detectorId": "359b36eb-337c-4f1c-b280-8c5e08f9c4a0",
+ "assignedTo": "msftadmin@metal.m365dpoc.com",
+ "actorName": null,
+ "threatFamilyName": null,
+ "mitreTechniques": [
+ "T1566.002"
+ ],
+ "devices": [
+ {
+ "mdatpDeviceId": "c7e147cb0eb3534a4dcea5acb8e61c933713b145",
+ "aadDeviceId": null,
+ "deviceDnsName": "metal-win10v.metal.m365dpoc.com",
+ "osPlatform": "Windows10",
+ "version": "1809",
+ "osProcessor": "x64",
+ "osBuild": 17763,
+ "healthStatus": "Active",
+ "riskScore": "High",
+ "rbacGroupName": "Full Auto Clients",
+ "firstSeen": "2022-08-08T08:51:02.455Z",
+ "tags": [
+ "Full auto"
+ ],
+ "defenderAvStatus": "Updated",
+ "onboardingStatus": "Onboarded",
+ "vmMetadata": {
+ "vmId": "17881b39-b03f-4a2c-9b56-078be1330bd0",
+ "cloudProvider": "Unknown",
+ "resourceId": "/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10V",
+ "subscriptionId": "29e73d07-8740-4164-a257-592a19a7b77c"
+ },
+ "loggedOnUsers": [
+ {
+ "accountName": "hetfield",
+ "domainName": "MSDXV2"
+ }
+ ]
+ }
+ ],
+ "entities": [
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
+ "verdict": "Suspicious",
+ "remediationStatus": "None",
+ "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c",
+ "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
+ "fileName": "powershell.exe",
+ "filePath": "",
+ "processId": 7068,
+ "processCommandLine": "powershell.exe -command \" $Process = New-Object System.Diagnostics.Process; $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Chetfield%40metal.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0'; $Process.StartInfo.UseShellExecute = $true; $Process.Start() | Out-Null; \" ",
+ "processCreationTime": "2022-09-30T05:06:43.3390523Z",
+ "parentProcessId": 7116,
+ "parentProcessCreationTime": "2022-09-30T05:06:43.3100364Z",
+ "accountName": "hetfield",
+ "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104"
+ },
+ {
+ "entityType": "File",
+ "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
+ "verdict": "Suspicious",
+ "remediationStatus": "None",
+ "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c",
+ "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
+ "fileName": "powershell.exe",
+ "filePath": ""
+ },
+ {
+ "entityType": "User",
+ "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
+ "verdict": "Suspicious",
+ "remediationStatus": "None",
+ "accountName": "hetfield",
+ "domainName": "metal.m365dpoc",
+ "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104",
+ "aadUserId": "e848b07a-87af-4448-9979-09f0b809c8d4",
+ "userPrincipalName": "daftpunk"
+ },
+ {
+ "entityType": "Url",
+ "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
+ "verdict": "Suspicious",
+ "remediationStatus": "None",
+ "url": "http://gcajebahdi.corporatelogon.xyz/ab/jnkmbkkdnlgedc"
+ }
+ ]
+ }
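Review bot: `id: 12345678-90ab-cdef-1234-567890abcdef` looks like a hand-typed placeholder rather than a generated UUID, unlike every other data source in this diff, and it is carried unchanged into version 2. If data-source ids are expected to be unique across `data_sources/`, a placeholder of this shape is the value most likely to be duplicated by the next copy-paste and to fail any uniqueness check; replacing it with a freshly generated UUID v4 while the version is already being bumped would be cheap. The switch of `example_log` to a `|-` literal block is a clear readability win over the escaped double-quoted form and needs no change.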
diff --git a/data_sources/ms_defender_atp_alerts.yml b/data_sources/ms_defender_atp_alerts.yml
index 09026a67d5..f1f68b0b7e 100644
--- a/data_sources/ms_defender_atp_alerts.yml
+++ b/data_sources/ms_defender_atp_alerts.yml
@@ -1,278 +1,429 @@
name: MS Defender ATP Alerts
id: 38f034ed-1598-46c8-95e8-14edf01fdf5d
-version: 1
-date: '2024-10-30'
+version: 2
+date: '2025-01-23'
author: Bryan Pluta, Bhavin Patel, Splunk
-description: Logs security alerts generated by Microsoft Defender for Endpoint, including information about detected threats, impacted devices, and recommended actions.
+description: Logs security alerts generated by Microsoft Defender for Endpoint, including
+ information about detected threats, impacted devices, and recommended actions.
mitre_components:
-- Host Status
-- Malware Metadata
-- Process Metadata
-- User Account Metadata
-- Application Log Content
+ - Host Status
+ - Malware Metadata
+ - Process Metadata
+ - User Account Metadata
+ - Application Log Content
source: ms_defender_atp_alerts
sourcetype: ms:defender:atp:alerts
supported_TA:
-- name: Splunk Add-on for Microsoft Security
- url: https://splunkbase.splunk.com/app/6207
- version: 2.4.1
+ - name: Splunk Add-on for Microsoft Security
+ url: https://splunkbase.splunk.com/app/6207
+ version: 2.4.1
fields:
-- column
-- accountName
-- action
-- activity
-- activityType
-- actor
-- actorName
-- alertId
-- app
-- assignedTo
-- body
-- category
-- classification
-- creationTime
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- description
-- dest
-- detectionSource
-- detectorId
-- determination
-- devices{}.aadDeviceId
-- devices{}.defenderAvStatus
-- devices{}.deviceDnsName
-- devices{}.firstSeen
-- devices{}.healthStatus
-- devices{}.loggedOnUsers{}.accountName
-- devices{}.loggedOnUsers{}.domainName
-- devices{}.mdatpDeviceId
-- devices{}.onboardingStatus
-- devices{}.osBuild
-- devices{}.osPlatform
-- devices{}.osProcessor
-- devices{}.rbacGroupName
-- devices{}.riskScore
-- devices{}.version
-- devices{}.vmMetadata
-- devices{}.vmMetadata.cloudProvider
-- devices{}.vmMetadata.resourceId
-- devices{}.vmMetadata.subscriptionId
-- devices{}.vmMetadata.vmId
-- entities{}.aadUserId
-- entities{}.accountName
-- entities{}.applicationId
-- entities{}.applicationName
-- entities{}.detectionStatus
-- entities{}.deviceId
-- entities{}.domainName
-- entities{}.entityType
-- entities{}.evidenceCreationTime
-- entities{}.fileName
-- entities{}.filePath
-- entities{}.ipAddress
-- entities{}.parentProcessCreationTime
-- entities{}.parentProcessFileName
-- entities{}.parentProcessFilePath
-- entities{}.parentProcessId
-- entities{}.processCommandLine
-- entities{}.processCreationTime
-- entities{}.processId
-- entities{}.remediationStatus
-- entities{}.remediationStatusDetails
-- entities{}.sha1
-- entities{}.sha256
-- entities{}.userPrincipalName
-- entities{}.userSid
-- entities{}.verdict
-- eventtype
-- firstActivity
-- host
-- id
-- incidentId
-- index
-- investigationId
-- investigationState
-- lastActivity
-- lastUpdatedTime
-- linecount
-- mitreTechniques{}
-- mitre_technique_id
-- providerAlertId
-- resolvedTime
-- serviceSource
-- severity
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- splunk_server_group
-- src
-- status
-- subject
-- tag
-- tag::app
-- tag::eventtype
-- threatFamilyName
-- timeendpos
-- timestartpos
-- title
-- type
-- user
-- user_name
-- _time
-example_log: "{\n\"id\": \"da47dc5671-e560-4229-984b-457564996b31_1\",\n\"incidentId\"\
- : 989,\n\"investigationId\": null,\n\"assignedTo\": null,\n\"severity\": \"High\"\
- ,\n\"status\": \"New\",\n\"classification\": null,\n\"determination\": null,\n\"\
- investigationState\": \"UnsupportedAlertType\",\n\"detectionSource\": \"WindowsDefenderAtp\"\
- ,\n\"detectorId\": \"9c3a70ec-e18a-4f92-865a-530f73130b7c\",\n\"category\": \"LateralMovement\"\
- ,\n\"threatFamilyName\": null,\n\"title\": \"Ongoing hands-on-keyboard attack via\
- \ Impacket toolkit\",\n\"description\": \"Suspicious execution of a command via\
- \ Impacket was observed on this device. This tool connects to other hosts to explore\
- \ network shares and execute commands. Attackers might be attempting to move laterally\
- \ across the network using this tool. This usage of Impacket has often been observed\
- \ in hands-on-keyboard attacks, where ransomware and other payloads are installed\
- \ on target devices.\",\n\"alertCreationTime\": \"2023-01-24T05:33:37.3245808Z\"\
- ,\n\"firstEventTime\": \"2023-01-24T05:31:07.5276179Z\",\n\"lastEventTime\": \"\
- 2023-01-24T13:02:50.7831636Z\",\n\"lastUpdateTime\": \"2023-01-24T13:07:13.3233333Z\"\
- ,\n\"resolvedTime\": null,\n\"machineId\": \"302293d9f276eae65553e5042156bce93cbc7148\"\
- ,\n\"computerDnsName\": \"diytestmachine\",\n\"rbacGroupName\": \"UnassignedGroup\"\
- ,\n\"aadTenantId\": \"1a492129-58c8-4011-91cd-245285f5345c\",\n\"threatName\": null,\n\
- \"mitreTechniques\": [\n \"T1021.002\",\n \"T1047\",\n \"T1059.003\"\n],\n\"\
- relatedUser\": {\n \"userName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\"\
- \n},\n\"loggedOnUsers\": [\n {\n \"accountName\": \"administrator1\",\n \"\
- domainName\": \"DIYTESTMACHINE\"\n }\n],\n\"comments\": [],\n\"evidence\": [\n\
- \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:45:51.6833333Z\"\
- ,\n \"sha1\": \"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\",\n \"sha256\":\
- \ \"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\",\n \"\
- fileName\": \"WmiPrvSE.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\\\\\
- wbem\",\n \"processId\": 4476,\n \"processCommandLine\": \"wmiprvse.exe -secured\
- \ -Embedding\",\n \"processCreationTime\": \"2023-01-24T05:43:32.4631151Z\",\n\
- \ \"parentProcessId\": 896,\n \"parentProcessCreationTime\": \"2023-01-24T04:44:17.1940386Z\"\
- ,\n \"parentProcessFileName\": \"svchost.exe\",\n \"parentProcessFilePath\"\
- : \"C:\\\\Windows\\\\System32\",\n \"ipAddress\": null,\n \"url\": null,\n\
- \ \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
- : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
- accountName\": \"NETWORK SERVICE\",\n \"domainName\": \"NT AUTHORITY\",\n \
- \ \"userSid\": \"S-1-5-20\",\n \"aadUserId\": null,\n \"userPrincipalName\"\
- : null,\n \"detectionStatus\": \"Detected\"\n },\n {\n \"entityType\": \"\
- User\",\n \"evidenceCreationTime\": \"2023-01-24T05:33:37.4166667Z\",\n \"\
- sha1\": null,\n \"sha256\": null,\n \"fileName\": null,\n \"filePath\"\
- : null,\n \"processId\": null,\n \"processCommandLine\": null,\n \"processCreationTime\"\
- : null,\n \"parentProcessId\": null,\n \"parentProcessCreationTime\": null,\n\
- \ \"parentProcessFileName\": null,\n \"parentProcessFilePath\": null,\n \
- \ \"ipAddress\": null,\n \"url\": null,\n \"registryKey\": null,\n \"\
- registryHive\": null,\n \"registryValueType\": null,\n \"registryValue\":\
- \ null,\n \"registryValueName\": null,\n \"accountName\": \"User1\",\n \
- \ \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\": \"S-1-5-21-4215714199-1288013905-3478400915-1002\"\
- ,\n \"aadUserId\": null,\n \"userPrincipalName\": null,\n \"detectionStatus\"\
- : null\n },\n {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\"\
- : \"2023-01-24T05:33:37.4166667Z\",\n \"sha1\": \"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\"\
- ,\n \"sha256\": \"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\"\
- ,\n \"fileName\": \"WmiPrvSE.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\\\
- \\wbem\",\n \"processId\": 7824,\n \"processCommandLine\": \"wmiprvse.exe\
- \ -secured -Embedding\",\n \"processCreationTime\": \"2023-01-24T05:30:50.8649791Z\"\
- ,\n \"parentProcessId\": 896,\n \"parentProcessCreationTime\": \"2023-01-24T04:44:17.1940386Z\"\
- ,\n \"parentProcessFileName\": \"svchost.exe\",\n \"parentProcessFilePath\"\
- : \"C:\\\\Windows\\\\System32\",\n \"ipAddress\": null,\n \"url\": null,\n\
- \ \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
- : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
- accountName\": \"NETWORK SERVICE\",\n \"domainName\": \"NT AUTHORITY\",\n \
- \ \"userSid\": \"S-1-5-20\",\n \"aadUserId\": null,\n \"userPrincipalName\"\
- : null,\n \"detectionStatus\": \"Detected\"\n },\n {\n \"entityType\": \"\
- Process\",\n \"evidenceCreationTime\": \"2023-01-24T13:07:13.2233333Z\",\n \
- \ \"sha1\": \"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\n \"sha256\": \"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\"\
- ,\n \"fileName\": \"cmd.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\"\
- ,\n \"processId\": 5500,\n \"processCommandLine\": \"cmd.exe /Q /c powershell\
- \ -NoProfile -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\administrator1\\\\\
- Desktop\\\\SharedFolder\\\\payload.ps1\\\" 1> \\\\\\\\127.0.0.1\\\\SharedFolder\\\
- \\__1674565222.7012053 2>&1\",\n \"processCreationTime\": \"2023-01-24T13:02:50.4661885Z\"\
- ,\n \"parentProcessId\": 756,\n \"parentProcessCreationTime\": \"2023-01-24T13:00:35.0107475Z\"\
- ,\n \"parentProcessFileName\": \"WmiPrvSE.exe\",\n \"parentProcessFilePath\"\
- : \"C:\\\\Windows\\\\System32\\\\wbem\",\n \"ipAddress\": null,\n \"url\"\
- : null,\n \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
- : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
- accountName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\"\
- : \"S-1-5-21-4215714199-1288013905-3478400915-1002\",\n \"aadUserId\": null,\n\
- \ \"userPrincipalName\": null,\n \"detectionStatus\": \"Detected\"\n },\n\
- \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:33:37.4166667Z\"\
- ,\n \"sha1\": \"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\n \"sha256\":\
- \ \"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\",\n \"\
- fileName\": \"cmd.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\",\n \
- \ \"processId\": 8964,\n \"processCommandLine\": \"cmd.exe /Q /c powershell -NoProfile\
- \ -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\administrator1\\\\Desktop\\\\\
- SharedFolder\\\\payload.ps1\\\" 1> \\\\\\\\127.0.0.1\\\\SharedFolder\\\\__1674538248.357367\
- \ 2>&1\",\n \"processCreationTime\": \"2023-01-24T05:31:04.0743902Z\",\n \"\
- parentProcessId\": 7824,\n \"parentProcessCreationTime\": \"2023-01-24T05:30:50.8649791Z\"\
- ,\n \"parentProcessFileName\": \"WmiPrvSE.exe\",\n \"parentProcessFilePath\"\
- : \"C:\\\\Windows\\\\System32\\\\wbem\",\n \"ipAddress\": null,\n \"url\"\
- : null,\n \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
- : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
- accountName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\"\
- : \"S-1-5-21-4215714199-1288013905-3478400915-1002\",\n \"aadUserId\": null,\n\
- \ \"userPrincipalName\": null,\n \"detectionStatus\": \"Detected\"\n },\n\
- \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:39:47.1733333Z\"\
- ,\n \"sha1\": \"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\n \"sha256\":\
- \ \"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\",\n \"\
- fileName\": \"cmd.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\",\n \
- \ \"processId\": 884,\n \"processCommandLine\": \"cmd.exe /Q /c powershell -NoProfile\
- \ -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\administrator1\\\\Desktop\\\\\
- SharedFolder\\\\payload.ps1\\\" 1> \\\\\\\\127.0.0.1\\\\SharedFolder\\\\__1674538583.8648584\
- \ 2>&1\",\n \"processCreationTime\": \"2023-01-24T05:36:38.826505Z\",\n \"\
- parentProcessId\": 7736,\n \"parentProcessCreationTime\": \"2023-01-24T05:36:26.0524655Z\"\
- ,\n \"parentProcessFileName\": \"WmiPrvSE.exe\",\n \"parentProcessFilePath\"\
- : \"C:\\\\Windows\\\\System32\\\\wbem\",\n \"ipAddress\": null,\n \"url\"\
- : null,\n \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
- : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
- accountName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\"\
- : \"S-1-5-21-4215714199-1288013905-3478400915-1002\",\n \"aadUserId\": null,\n\
- \ \"userPrincipalName\": null,\n \"detectionStatus\": \"Detected\"\n },\n\
- \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T13:07:13.2233333Z\"\
- ,\n \"sha1\": \"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\",\n \"sha256\":\
- \ \"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\",\n \"\
- fileName\": \"WmiPrvSE.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\\\\\
- wbem\",\n \"processId\": 756,\n \"processCommandLine\": \"wmiprvse.exe -secured\
- \ -Embedding\",\n \"processCreationTime\": \"2023-01-24T13:00:35.0107475Z\",\n\
- \ \"parentProcessId\": 908,\n \"parentProcessCreationTime\": \"2023-01-24T08:20:44.6877667Z\"\
- ,\n \"parentProcessFileName\": \"svchost.exe\",\n \"parentProcessFilePath\"\
- : \"C:\\\\Windows\\\\System32\",\n \"ipAddress\": null,\n \"url\": null,\n\
- \ \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
- : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
- accountName\": \"NETWORK SERVICE\",\n \"domainName\": \"NT AUTHORITY\",\n \
- \ \"userSid\": \"S-1-5-20\",\n \"aadUserId\": null,\n \"userPrincipalName\"\
- : null,\n \"detectionStatus\": \"Detected\"\n },\n {\n \"entityType\": \"\
- Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:45:51.6833333Z\",\n \
- \ \"sha1\": \"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\n \"sha256\": \"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\"\
- ,\n \"fileName\": \"cmd.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\"\
- ,\n \"processId\": 1140,\n \"processCommandLine\": \"cmd.exe /Q /c powershell\
- \ -NoProfile -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\administrator1\\\\\
- Desktop\\\\SharedFolder\\\\payload.ps1\\\" 1> \\\\\\\\127.0.0.1\\\\SharedFolder\\\
- \\__1674538878.1586335 2>&1\",\n \"processCreationTime\": \"2023-01-24T05:43:49.9375398Z\"\
- ,\n \"parentProcessId\": 4476,\n \"parentProcessCreationTime\": \"2023-01-24T05:43:32.4631151Z\"\
- ,\n \"parentProcessFileName\": \"WmiPrvSE.exe\",\n \"parentProcessFilePath\"\
- : \"C:\\\\Windows\\\\System32\\\\wbem\",\n \"ipAddress\": null,\n \"url\"\
- : null,\n \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
- : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
- accountName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\"\
- : \"S-1-5-21-4215714199-1288013905-3478400915-1002\",\n \"aadUserId\": null,\n\
- \ \"userPrincipalName\": null,\n \"detectionStatus\": \"Detected\"\n },\n\
- \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:39:47.1733333Z\"\
- ,\n \"sha1\": \"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\",\n \"sha256\":\
- \ \"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\",\n \"\
- fileName\": \"WmiPrvSE.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\\\\\
- wbem\",\n \"processId\": 7736,\n \"processCommandLine\": \"wmiprvse.exe -secured\
- \ -Embedding\",\n \"processCreationTime\": \"2023-01-24T05:36:26.0524655Z\",\n\
- \ \"parentProcessId\": 896,\n \"parentProcessCreationTime\": \"2023-01-24T04:44:17.1940386Z\"\
- ,\n \"parentProcessFileName\": \"svchost.exe\",\n \"parentProcessFilePath\"\
- : \"C:\\\\Windows\\\\System32\",\n \"ipAddress\": null,\n \"url\": null,\n\
- \ \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
- : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
- accountName\": \"NETWORK SERVICE\",\n \"domainName\": \"NT AUTHORITY\",\n \
- \ \"userSid\": \"S-1-5-20\",\n \"aadUserId\": null,\n \"userPrincipalName\"\
- : null,\n \"detectionStatus\": \"Detected\"\n }\n],\n\"domains\": []\n}"
+ - column
+ - accountName
+ - action
+ - activity
+ - activityType
+ - actor
+ - actorName
+ - alertId
+ - app
+ - assignedTo
+ - body
+ - category
+ - classification
+ - creationTime
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - description
+ - dest
+ - detectionSource
+ - detectorId
+ - determination
+ - devices{}.aadDeviceId
+ - devices{}.defenderAvStatus
+ - devices{}.deviceDnsName
+ - devices{}.firstSeen
+ - devices{}.healthStatus
+ - devices{}.loggedOnUsers{}.accountName
+ - devices{}.loggedOnUsers{}.domainName
+ - devices{}.mdatpDeviceId
+ - devices{}.onboardingStatus
+ - devices{}.osBuild
+ - devices{}.osPlatform
+ - devices{}.osProcessor
+ - devices{}.rbacGroupName
+ - devices{}.riskScore
+ - devices{}.version
+ - devices{}.vmMetadata
+ - devices{}.vmMetadata.cloudProvider
+ - devices{}.vmMetadata.resourceId
+ - devices{}.vmMetadata.subscriptionId
+ - devices{}.vmMetadata.vmId
+ - entities{}.aadUserId
+ - entities{}.accountName
+ - entities{}.applicationId
+ - entities{}.applicationName
+ - entities{}.detectionStatus
+ - entities{}.deviceId
+ - entities{}.domainName
+ - entities{}.entityType
+ - entities{}.evidenceCreationTime
+ - entities{}.fileName
+ - entities{}.filePath
+ - entities{}.ipAddress
+ - entities{}.parentProcessCreationTime
+ - entities{}.parentProcessFileName
+ - entities{}.parentProcessFilePath
+ - entities{}.parentProcessId
+ - entities{}.processCommandLine
+ - entities{}.processCreationTime
+ - entities{}.processId
+ - entities{}.remediationStatus
+ - entities{}.remediationStatusDetails
+ - entities{}.sha1
+ - entities{}.sha256
+ - entities{}.userPrincipalName
+ - entities{}.userSid
+ - entities{}.verdict
+ - eventtype
+ - firstActivity
+ - host
+ - id
+ - incidentId
+ - index
+ - investigationId
+ - investigationState
+ - lastActivity
+ - lastUpdatedTime
+ - linecount
+ - mitreTechniques{}
+ - mitre_technique_id
+ - providerAlertId
+ - resolvedTime
+ - serviceSource
+ - severity
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - splunk_server_group
+ - src
+ - status
+ - subject
+ - tag
+ - tag::app
+ - tag::eventtype
+ - threatFamilyName
+ - timeendpos
+ - timestartpos
+ - title
+ - type
+ - user
+ - user_name
+ - _time
+example_log: |-
+ {
+ "id": "da47dc5671-e560-4229-984b-457564996b31_1",
+ "incidentId": 989,
+ "investigationId": null,
+ "assignedTo": null,
+ "severity": "High",
+ "status": "New",
+ "classification": null,
+ "determination": null,
+ "investigationState": "UnsupportedAlertType",
+ "detectionSource": "WindowsDefenderAtp",
+ "detectorId": "9c3a70ec-e18a-4f92-865a-530f73130b7c",
+ "category": "LateralMovement",
+ "threatFamilyName": null,
+ "title": "Ongoing hands-on-keyboard attack via Impacket toolkit",
+ "description": "Suspicious execution of a command via Impacket was observed on this device. This tool connects to other hosts to explore network shares and execute commands. Attackers might be attempting to move laterally across the network using this tool. This usage of Impacket has often been observed in hands-on-keyboard attacks, where ransomware and other payloads are installed on target devices.",
+ "alertCreationTime": "2023-01-24T05:33:37.3245808Z",
+ "firstEventTime": "2023-01-24T05:31:07.5276179Z",
+ "lastEventTime": "2023-01-24T13:02:50.7831636Z",
+ "lastUpdateTime": "2023-01-24T13:07:13.3233333Z",
+ "resolvedTime": null,
+ "machineId": "302293d9f276eae65553e5042156bce93cbc7148",
+ "computerDnsName": "diytestmachine",
+ "rbacGroupName": "UnassignedGroup",
+ "aadTenantId": "1a492129-58c8-4011-91cd-245285f5345c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1021.002",
+ "T1047",
+ "T1059.003"
+ ],
+ "relatedUser": {
+ "userName": "User1",
+ "domainName": "DIYTESTMACHINE"
+ },
+ "loggedOnUsers": [
+ {
+ "accountName": "administrator1",
+ "domainName": "DIYTESTMACHINE"
+ }
+ ],
+ "comments": [],
+ "evidence": [
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2023-01-24T05:45:51.6833333Z",
+ "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
+ "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
+ "fileName": "WmiPrvSE.exe",
+ "filePath": "C:\\Windows\\System32\\wbem",
+ "processId": 4476,
+ "processCommandLine": "wmiprvse.exe -secured -Embedding",
+ "processCreationTime": "2023-01-24T05:43:32.4631151Z",
+ "parentProcessId": 896,
+ "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z",
+ "parentProcessFileName": "svchost.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "registryValueName": null,
+ "accountName": "NETWORK SERVICE",
+ "domainName": "NT AUTHORITY",
+ "userSid": "S-1-5-20",
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "User",
+ "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z",
+ "sha1": null,
+ "sha256": null,
+ "fileName": null,
+ "filePath": null,
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "registryValueName": null,
+ "accountName": "User1",
+ "domainName": "DIYTESTMACHINE",
+ "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": null
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z",
+ "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
+ "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
+ "fileName": "WmiPrvSE.exe",
+ "filePath": "C:\\Windows\\System32\\wbem",
+ "processId": 7824,
+ "processCommandLine": "wmiprvse.exe -secured -Embedding",
+ "processCreationTime": "2023-01-24T05:30:50.8649791Z",
+ "parentProcessId": 896,
+ "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z",
+ "parentProcessFileName": "svchost.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "registryValueName": null,
+ "accountName": "NETWORK SERVICE",
+ "domainName": "NT AUTHORITY",
+ "userSid": "S-1-5-20",
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2023-01-24T13:07:13.2233333Z",
+ "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
+ "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
+ "fileName": "cmd.exe",
+ "filePath": "C:\\Windows\\System32",
+ "processId": 5500,
+ "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674565222.7012053 2>&1",
+ "processCreationTime": "2023-01-24T13:02:50.4661885Z",
+ "parentProcessId": 756,
+ "parentProcessCreationTime": "2023-01-24T13:00:35.0107475Z",
+ "parentProcessFileName": "WmiPrvSE.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "registryValueName": null,
+ "accountName": "User1",
+ "domainName": "DIYTESTMACHINE",
+ "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z",
+ "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
+ "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
+ "fileName": "cmd.exe",
+ "filePath": "C:\\Windows\\System32",
+ "processId": 8964,
+ "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538248.357367 2>&1",
+ "processCreationTime": "2023-01-24T05:31:04.0743902Z",
+ "parentProcessId": 7824,
+ "parentProcessCreationTime": "2023-01-24T05:30:50.8649791Z",
+ "parentProcessFileName": "WmiPrvSE.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "registryValueName": null,
+ "accountName": "User1",
+ "domainName": "DIYTESTMACHINE",
+ "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2023-01-24T05:39:47.1733333Z",
+ "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
+ "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
+ "fileName": "cmd.exe",
+ "filePath": "C:\\Windows\\System32",
+ "processId": 884,
+ "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538583.8648584 2>&1",
+ "processCreationTime": "2023-01-24T05:36:38.826505Z",
+ "parentProcessId": 7736,
+ "parentProcessCreationTime": "2023-01-24T05:36:26.0524655Z",
+ "parentProcessFileName": "WmiPrvSE.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "registryValueName": null,
+ "accountName": "User1",
+ "domainName": "DIYTESTMACHINE",
+ "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2023-01-24T13:07:13.2233333Z",
+ "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
+ "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
+ "fileName": "WmiPrvSE.exe",
+ "filePath": "C:\\Windows\\System32\\wbem",
+ "processId": 756,
+ "processCommandLine": "wmiprvse.exe -secured -Embedding",
+ "processCreationTime": "2023-01-24T13:00:35.0107475Z",
+ "parentProcessId": 908,
+ "parentProcessCreationTime": "2023-01-24T08:20:44.6877667Z",
+ "parentProcessFileName": "svchost.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "registryValueName": null,
+ "accountName": "NETWORK SERVICE",
+ "domainName": "NT AUTHORITY",
+ "userSid": "S-1-5-20",
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2023-01-24T05:45:51.6833333Z",
+ "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
+ "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
+ "fileName": "cmd.exe",
+ "filePath": "C:\\Windows\\System32",
+ "processId": 1140,
+ "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538878.1586335 2>&1",
+ "processCreationTime": "2023-01-24T05:43:49.9375398Z",
+ "parentProcessId": 4476,
+ "parentProcessCreationTime": "2023-01-24T05:43:32.4631151Z",
+ "parentProcessFileName": "WmiPrvSE.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "registryValueName": null,
+ "accountName": "User1",
+ "domainName": "DIYTESTMACHINE",
+ "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2023-01-24T05:39:47.1733333Z",
+ "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
+ "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
+ "fileName": "WmiPrvSE.exe",
+ "filePath": "C:\\Windows\\System32\\wbem",
+ "processId": 7736,
+ "processCommandLine": "wmiprvse.exe -secured -Embedding",
+ "processCreationTime": "2023-01-24T05:36:26.0524655Z",
+ "parentProcessId": 896,
+ "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z",
+ "parentProcessFileName": "svchost.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "registryValueName": null,
+ "accountName": "NETWORK SERVICE",
+ "domainName": "NT AUTHORITY",
+ "userSid": "S-1-5-20",
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ }
+ ],
+ "domains": []
+ }
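Review bot: The `fields` list and the new `example_log` block appear to describe different shapes of the same data: the list extracts `entities{}.*`, `creationTime`, `lastUpdatedTime` and `alertId`, while the sample carries `evidence`, `alertCreationTime`, `lastUpdateTime` and `id`, and the sample's `registryKey`/`registryHive`/`registryValue*` keys have no counterpart in the list. The add-on may well rename these, but a reader checking a detection against the sample cannot tell from this file; a one-line note above `example_log:` such as `# NOTE: key names in the sample (evidence, alertCreationTime) differ from the extracted field names above (entities{}, creationTime) — confirm against the TA's extractions` would make the relationship explicit. Separately, the sample embeds what look like real lab identifiers (the `aadTenantId` GUID, `machineId`, domain SIDs), whereas the nginx sample in this same patch uses RFC 5737 documentation addresses; worth deciding whether these should be neutralized before publishing. The JSON `"description"` value inside the sample is a single roughly 400-character line and is the only line in the block scalar that will trip a line-length lint.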
diff --git a/data_sources/nginx_access.yml b/data_sources/nginx_access.yml
index 052bfc81e4..e24bb4163c 100644
--- a/data_sources/nginx_access.yml
+++ b/data_sources/nginx_access.yml
@@ -1,78 +1,79 @@
name: Nginx Access
id: c716a418-eab3-4df5-9dff-5420174e3068
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs HTTP/S access events on an Nginx server, including details such as client IP, request method, URI, response status, and user agent.
+description: Logs HTTP/S access events on an Nginx server, including details such
+ as client IP, request method, URI, response status, and user agent.
mitre_components:
-- Network Traffic Content
-- Network Traffic Flow
-- Response Metadata
-- Application Log Content
-- User Account Metadata
+ - Network Traffic Content
+ - Network Traffic Flow
+ - Response Metadata
+ - Application Log Content
+ - User Account Metadata
source: /var/log/nginx/access.log
sourcetype: nginx:plus:kv
supported_TA: []
fields:
-- _time
-- action
-- app
-- bytes
-- bytes_in
-- bytes_out
-- category
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_ip
-- dest_port
-- eventtype
-- host
-- http_content_type
-- http_method
-- http_referer
-- http_user_agent
-- http_user_agent_length
-- http_x_forwarded_for
-- http_x_header
-- https
-- index
-- linecount
-- nginx_version
-- product
-- protocol
-- punct
-- request_time
-- response_time
-- server
-- site
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- status_description
-- status_type
-- tag
-- tag::eventtype
-- time_local
-- timeendpos
-- timestartpos
-- uri_path
-- url
-- url_domain
-- url_length
-- vendor
-- vendor_product
-- version
-- web_server
+ - _time
+ - action
+ - app
+ - bytes
+ - bytes_in
+ - bytes_out
+ - category
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_ip
+ - dest_port
+ - eventtype
+ - host
+ - http_content_type
+ - http_method
+ - http_referer
+ - http_user_agent
+ - http_user_agent_length
+ - http_x_forwarded_for
+ - http_x_header
+ - https
+ - index
+ - linecount
+ - nginx_version
+ - product
+ - protocol
+ - punct
+ - request_time
+ - response_time
+ - server
+ - site
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - status
+ - status_description
+ - status_type
+ - tag
+ - tag::eventtype
+ - time_local
+ - timeendpos
+ - timestartpos
+ - uri_path
+ - url
+ - url_domain
+ - url_length
+ - vendor
+ - vendor_product
+ - version
+ - web_server
example_log: site="www.example.com" server="www.example.com" dest_port="443" dest_ip="192.0.2.1"
src="198.51.100.1" src_ip="198.51.100.1" user="-" time_local="22/Feb/2024:13:00:00
-0500" protocol="HTTP/1.1" status="200" bytes_out="1073741000" bytes_in="234" http_referer="-"
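Review bot: The `example_log` value in the trailing context is a multi-line plain scalar whose continuation line starts with `-0500"` (the timezone offset of `time_local`); it parses because no space follows the `-`, but it is easy to misread as a sequence item, and in a diff it looks like a removed line — the hunk counts (78/79) only add up if it is context. Since this patch already converts the Defender sample to a block scalar, the same treatment here, `example_log: >-` with each continuation line indented under it, would keep the folding behaviour identical and remove the ambiguity. The value continues past the end of the hunk, so the remaining lines would need the same indent.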
diff --git a/data_sources/o365.yml b/data_sources/o365.yml
index efbfc3ee05..3bda514d41 100644
--- a/data_sources/o365.yml
+++ b/data_sources/o365.yml
@@ -1,19 +1,20 @@
name: O365
id: b32de97d-0074-4cca-853c-db22c392b6c0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs management activities in Microsoft 365, including administrative actions, user activities, and configuration changes across various services.
+description: Logs management activities in Microsoft 365, including administrative
+ actions, user activities, and configuration changes across various services.
mitre_components:
-- User Account Metadata
-- Cloud Service Modification
-- Application Log Content
-- Configuration Modification
-- Active Directory Object Modification
+ - User Account Metadata
+ - Cloud Service Modification
+ - Application Log Content
+ - Configuration Modification
+ - Active Directory Object Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
diff --git a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
index 4c64614e57..a6e90c409a 100644
--- a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
+++ b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
@@ -1,92 +1,93 @@
name: O365 Add app role assignment grant to user.
id: ce1d7849-a1d2-47fd-b6eb-d7ef854a860c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the assignment of an application role grant to a user in Microsoft 365, including details about the role, user, and application involved.
+description: Logs the assignment of an application role grant to a user in Microsoft
+ 365, including details about the role, user, and application involved.
mitre_components:
-- User Account Modification
-- Group Modification
-- Cloud Service Modification
-- Cloud Service Metadata
+ - User Account Modification
+ - Group Modification
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Add app role assignment grant to user.
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- ClientIP
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- additionalDetails
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- extendedAuditEventCategory
-- extended_properties
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_user
-- status
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - ActorIpAddress
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - ClientIP
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - additionalDetails
+ - app
+ - authentication_service
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - extendedAuditEventCategory
+ - extended_properties
+ - host
+ - index
+ - linecount
+ - object
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - src_user
+ - status
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
"10037FFEA938FB92", "Type": 3}, {"ID": "74658136-14ec-4630-ad9b-26e160ff0fc6", "Type":
2}, {"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484",
diff --git a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
index 1549f8b091..720652a539 100644
--- a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
+++ b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
@@ -1,91 +1,93 @@
name: O365 Add app role assignment to service principal.
id: 785ba57a-ba7b-474e-97c8-9474e6e00b3a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the assignment of an application role to a service principal in Microsoft 365, including details about the role, service principal, and application involved.
+description: Logs the assignment of an application role to a service principal in
+ Microsoft 365, including details about the role, service principal, and application
+ involved.
mitre_components:
-- Cloud Service Modification
-- Cloud Service Metadata
-- User Account Metadata
-- Group Modification
+ - Cloud Service Modification
+ - Cloud Service Metadata
+ - User Account Metadata
+ - Group Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Add app role assignment to service principal.
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- additionalDetails
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - additionalDetails
+ - app
+ - authentication_service
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - eventtype
+ - extendedAuditEventCategory
+ - host
+ - index
+ - linecount
+ - object
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_agent
+ - user_agent_change
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2024-02-08T21:49:53", "Id": "a6bee61d-8b3f-42e1-b4fa-778fb05c43ac",
"Operation": "Add app role assignment to service principal.", "OrganizationId":
"75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success",
diff --git a/data_sources/o365_add_mailboxpermission.yml b/data_sources/o365_add_mailboxpermission.yml
index e98765f07b..09a36817fe 100644
--- a/data_sources/o365_add_mailboxpermission.yml
+++ b/data_sources/o365_add_mailboxpermission.yml
@@ -1,83 +1,85 @@
name: O365 Add-MailboxPermission
id: 9c0babdb-bb15-449e-abba-0a9cdb3fc061
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the addition of mailbox permissions in Microsoft 365, including details about the mailbox, granted permissions, and the user or administrator performing the action.
+description: Logs the addition of mailbox permissions in Microsoft 365, including
+ details about the mailbox, granted permissions, and the user or administrator performing
+ the action.
mitre_components:
-- User Account Modification
-- User Account Metadata
-- Active Directory Object Modification
-- Application Log Content
+ - User Account Modification
+ - User Account Metadata
+ - Active Directory Object Modification
+ - Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Add-MailboxPermission
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- AccessRights
-- AppId
-- ClientAppId
-- ClientIP
-- CreationTime
-- ExternalAccess
-- Id
-- Identity
-- InheritanceType
-- ObjectId
-- Operation
-- OrganizationId
-- OrganizationName
-- OriginatingServer
-- Parameters{}.Name
-- Parameters{}.Value
-- RecordType
-- ResultStatus
-- SessionId
-- User
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - AccessRights
+ - AppId
+ - ClientAppId
+ - ClientIP
+ - CreationTime
+ - ExternalAccess
+ - Id
+ - Identity
+ - InheritanceType
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - OrganizationName
+ - OriginatingServer
+ - Parameters{}.Name
+ - Parameters{}.Value
+ - RecordType
+ - ResultStatus
+ - SessionId
+ - User
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - app
+ - authentication_service
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - host
+ - index
+ - linecount
+ - object
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - status
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"AppId": "", "ClientAppId": "", "ClientIP": "18.159.234.121:30395",
"CreationTime": "2020-12-15T10:18:53", "ExternalAccess": false, "Id": "bb6e31a3-e98f-493d-bbff-08d8a0e2d2b0",
"ObjectId": "jhernan", "Operation": "Add-MailboxPermission", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
diff --git a/data_sources/o365_add_member_to_role_.yml b/data_sources/o365_add_member_to_role_.yml
index 3fc466dba1..7a6ea65406 100644
--- a/data_sources/o365_add_member_to_role_.yml
+++ b/data_sources/o365_add_member_to_role_.yml
@@ -1,94 +1,95 @@
name: O365 Add member to role.
id: 8b949f7c-4b5d-404f-9694-d7403c4ec096
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the addition of a member to a role in Microsoft 365, including details about the role, the added member, and the user or administrator performing the action.
+description: Logs the addition of a member to a role in Microsoft 365, including details
+ about the role, the added member, and the user or administrator performing the action.
mitre_components:
-- Group Modification
-- Group Metadata
-- User Account Metadata
-- Cloud Service Modification
+ - Group Modification
+ - Group Metadata
+ - User Account Metadata
+ - Cloud Service Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Add member to role.
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - additionalDetails
+ - app
+ - authentication_service
+ - change_type
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - eventtype
+ - extendedAuditEventCategory
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2023-10-20T16:50:46", "Id": "30a8b107-b190-406c-9b80-c3f5c3a29129",
"Operation": "Add member to role.", "OrganizationId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com",
diff --git a/data_sources/o365_add_owner_to_application_.yml b/data_sources/o365_add_owner_to_application_.yml
index 71caf3f806..5c3b3c7f4b 100644
--- a/data_sources/o365_add_owner_to_application_.yml
+++ b/data_sources/o365_add_owner_to_application_.yml
@@ -1,96 +1,98 @@
name: O365 Add owner to application.
id: da012cbf-af6e-40ee-a1ba-32a5f8da8f8a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the addition of an owner to an application in Microsoft 365, including details about the application, the new owner, and the user or administrator performing the action.
+description: Logs the addition of an owner to an application in Microsoft 365, including
+ details about the application, the new owner, and the user or administrator performing
+ the action.
mitre_components:
-- User Account Modification
-- Group Modification
-- Cloud Service Modification
-- Cloud Service Metadata
+ - User Account Modification
+ - Group Modification
+ - Cloud Service Modification
+ - Cloud Service Metadata
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Add owner to application.
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - additionalDetails
+ - app
+ - authentication_service
+ - change_type
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - eventtype
+ - extendedAuditEventCategory
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_agent
+ - user_agent_change
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2023-09-07T13:42:04", "Id": "6e2c723b-8f6e-47f4-8c60-fa23ef3fccee",
"Operation": "Add owner to application.", "OrganizationId": "48203edf-5d2c-45f2-8123-a368cc8b0e51",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com",
diff --git a/data_sources/o365_add_service_principal_.yml b/data_sources/o365_add_service_principal_.yml
index 8511ac4c76..806ce7eda5 100644
--- a/data_sources/o365_add_service_principal_.yml
+++ b/data_sources/o365_add_service_principal_.yml
@@ -1,96 +1,97 @@
name: O365 Add service principal.
id: 9c1ef9f5-bc30-4a47-a1bd-cb34484ee778
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the addition of a new service principal in Microsoft 365, including details about the associated application and the action initiator.
+description: Logs the addition of a new service principal in Microsoft 365, including
+ details about the associated application and the action initiator.
mitre_components:
-- Cloud Service Creation
-- Cloud Service Metadata
-- User Account Metadata
-- Active Directory Object Creation
+ - Cloud Service Creation
+ - Cloud Service Metadata
+ - User Account Metadata
+ - Active Directory Object Creation
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Add service principal.
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src_user
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - additionalDetails
+ - app
+ - authentication_service
+ - change_type
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - eventtype
+ - extendedAuditEventCategory
+ - host
+ - index
+ - linecount
+ - object_attrs
+ - object_category
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src_user
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_agent
+ - user_agent_change
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2024-02-07T22:31:14", "Id": "f624ed92-b4a2-4d42-aa8b-20a261d06b7f",
"Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com",
diff --git a/data_sources/o365_change_user_license_.yml b/data_sources/o365_change_user_license_.yml
index 2cceff2f8a..cec6ea1cc1 100644
--- a/data_sources/o365_change_user_license_.yml
+++ b/data_sources/o365_change_user_license_.yml
@@ -1,92 +1,93 @@
name: O365 Change user license.
id: 1029a20d-3d0d-4fb9-b5e2-22ac5380b20a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs changes to user licenses in Microsoft 365, including additions, removals, or updates to service plans associated with a user account.
+description: Logs changes to user licenses in Microsoft 365, including additions,
+ removals, or updates to service plans associated with a user account.
mitre_components:
-- User Account Modification
-- User Account Metadata
-- Cloud Service Modification
-- Configuration Modification
+ - User Account Modification
+ - User Account Metadata
+ - Cloud Service Modification
+ - Configuration Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Change user license.
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src_user
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - additionalDetails
+ - app
+ - authentication_service
+ - change_type
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - eventtype
+ - extendedAuditEventCategory
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src_user
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2023-09-11T15:55:46", "Id": "1e39f32d-081d-4494-994a-533b57f91df7",
"Operation": "Change user license.", "OrganizationId": "bbad9541-eb53-4533-bcef-2b76182c3b75",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com",
diff --git a/data_sources/o365_consent_to_application_.yml b/data_sources/o365_consent_to_application_.yml
index a5df3bc9f2..9a8aacafcd 100644
--- a/data_sources/o365_consent_to_application_.yml
+++ b/data_sources/o365_consent_to_application_.yml
@@ -1,88 +1,90 @@
name: O365 Consent to application.
id: 0a15a464-ef51-4614-9a07-a216eb9817db
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs user or administrator consent to an application's permissions in Microsoft 365, including details about the application, granted permissions, and the consenting user or process.
+description: Logs user or administrator consent to an application's permissions in
+ Microsoft 365, including details about the application, granted permissions, and
+ the consenting user or process.
mitre_components:
-- User Account Modification
-- Cloud Service Modification
-- Cloud Service Metadata
-- Configuration Modification
+ - User Account Modification
+ - Cloud Service Modification
+ - Cloud Service Metadata
+ - Configuration Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Consent to application.
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- additionalDetails
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - additionalDetails
+ - app
+ - authentication_service
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - extendedAuditEventCategory
+ - host
+ - index
+ - linecount
+ - object
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - timeendpos
+ - timestartpos
+ - user
+ - user_agent
+ - user_agent_change
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2023-09-05T21:05:31", "Id": "5822e126-1fbc-4269-9ad6-4c1879cdbcf3",
"Operation": "Consent to application.", "OrganizationId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com",
diff --git a/data_sources/o365_disable_strong_authentication_.yml b/data_sources/o365_disable_strong_authentication_.yml
index ea3fb70491..bd40f2eca5 100644
--- a/data_sources/o365_disable_strong_authentication_.yml
+++ b/data_sources/o365_disable_strong_authentication_.yml
@@ -1,89 +1,91 @@
name: O365 Disable Strong Authentication.
id: 235381c4-382a-4183-b818-a51c3ce12187
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the disabling of strong authentication (e.g., multi-factor authentication) for a user or group in Microsoft 365, including details about the affected accounts and the action initiator.
+description: Logs the disabling of strong authentication (e.g., multi-factor authentication)
+ for a user or group in Microsoft 365, including details about the affected accounts
+ and the action initiator.
mitre_components:
-- User Account Modification
-- Group Modification
-- Configuration Modification
-- Application Log Content
+ - User Account Modification
+ - Group Modification
+ - Configuration Modification
+ - Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Disable Strong Authentication.
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- ClientIP
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- additionalDetails
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- extendedAuditEventCategory
-- extended_properties
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - ActorIpAddress
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - ClientIP
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - additionalDetails
+ - app
+ - authentication_service
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - extendedAuditEventCategory
+ - extended_properties
+ - host
+ - index
+ - linecount
+ - object
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
"10037FFEA938FB92", "Type": 3}, {"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484",
"Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "User",
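Review bot: The `version: 1` → `version: 2` and `date` bump at the top of this hunk accompanies a change that is otherwise only re-indentation of the sequences and a re-wrap of the same description text, so if `version` is consumed downstream as a content-change signal it now advertises a change that did not happen; the same pattern repeats in the mailitemsaccessed, modifyfolderpermissions, set_company_information, set_mailbox, update_application, update_authorization_policy and update_user hunks. If the bump is required by the project's tooling regardless of the kind of edit, a short note in the commit description would save the next reader the same question. As a point of style, the re-wrapped description is now a multi-line plain scalar whose continuation lines are folded implicitly; `description: >-` followed by the indented text makes the folding explicit and keeps a future continuation line that happens to start with an indicator character from changing the parse.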
diff --git a/data_sources/o365_mailitemsaccessed.yml b/data_sources/o365_mailitemsaccessed.yml
index bc03fd713a..49429c5898 100644
--- a/data_sources/o365_mailitemsaccessed.yml
+++ b/data_sources/o365_mailitemsaccessed.yml
@@ -1,85 +1,86 @@
name: O365 MailItemsAccessed
id: 3d5188eb-341a-4b46-9caa-aade4047d027
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs access to mailbox items in Microsoft 365, including details about the user accessing the items, the accessed content, and the method of access.
+description: Logs access to mailbox items in Microsoft 365, including details about
+ the user accessing the items, the accessed content, and the method of access.
mitre_components:
-- File Access
-- User Account Metadata
-- Application Log Content
-- Active Directory Object Access
+ - File Access
+ - User Account Metadata
+ - Application Log Content
+ - Active Directory Object Access
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: MailItemsAccessed
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- AppId
-- ClientAppId
-- ClientIPAddress
-- ClientInfoString
-- CreationTime
-- ExternalAccess
-- Folders{}.FolderItems{}.InternetMessageId
-- Folders{}.FolderItems{}.SizeInBytes
-- Folders{}.Id
-- Folders{}.Path
-- Id
-- InternalLogonType
-- IsThrottled
-- LogonType
-- LogonUserSid
-- MailAccessType
-- MailboxGuid
-- MailboxOwnerSid
-- MailboxOwnerUPN
-- Operation
-- OperationCount
-- OperationProperties{}.Name
-- OperationProperties{}.Value
-- OrganizationId
-- OrganizationName
-- OriginatingServer
-- RecordType
-- ResultStatus
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc
-- host
-- index
-- linecount
-- punct
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - AppId
+ - ClientAppId
+ - ClientIPAddress
+ - ClientInfoString
+ - CreationTime
+ - ExternalAccess
+ - Folders{}.FolderItems{}.InternetMessageId
+ - Folders{}.FolderItems{}.SizeInBytes
+ - Folders{}.Id
+ - Folders{}.Path
+ - Id
+ - InternalLogonType
+ - IsThrottled
+ - LogonType
+ - LogonUserSid
+ - MailAccessType
+ - MailboxGuid
+ - MailboxOwnerSid
+ - MailboxOwnerUPN
+ - Operation
+ - OperationCount
+ - OperationProperties{}.Name
+ - OperationProperties{}.Value
+ - OrganizationId
+ - OrganizationName
+ - OriginatingServer
+ - RecordType
+ - ResultStatus
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - app
+ - authentication_service
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dvc
+ - host
+ - index
+ - linecount
+ - punct
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2024-02-01T16:07:34", "Id": "9cef02e9-4bfa-4c73-be7d-9dad68b9cea8",
"Operation": "MailItemsAccessed", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
"RecordType": 50, "ResultStatus": "Succeeded", "UserKey": "100320030DF47B14", "UserType":
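Review bot: The re-wrapped description still says the source captures "the accessed content", but the listed fields carry only message identifiers and sizes (`Folders{}.FolderItems{}.InternetMessageId`, `Folders{}.FolderItems{}.SizeInBytes`) and folder paths, not message bodies, which matters to anyone scoping detections or data-handling expectations on this source. Suggest `description: Logs access to mailbox items in Microsoft 365, including details about the user accessing the items, the identifiers and folders of the accessed messages, and the method of access.` wrapped to the same width as the surrounding files. The `Active Directory Object Access` entry under mitre_components also reads as a mismatch for mailbox reads, though that line is only re-indented here and the mapping may be deliberate.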
diff --git a/data_sources/o365_modifyfolderpermissions.yml b/data_sources/o365_modifyfolderpermissions.yml
index 76c4e10d20..aca4f79957 100644
--- a/data_sources/o365_modifyfolderpermissions.yml
+++ b/data_sources/o365_modifyfolderpermissions.yml
@@ -1,103 +1,104 @@
name: O365 ModifyFolderPermissions
id: 0a8c1080-68c2-46d7-8324-2e7d97bb6e2f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs modifications to folder permissions in Microsoft 365, including updates to access levels, user assignments, and sharing settings.
+description: Logs modifications to folder permissions in Microsoft 365, including
+ updates to access levels, user assignments, and sharing settings.
mitre_components:
-- User Account Modification
-- File Access
-- Active Directory Object Modification
-- Application Log Content
+ - User Account Modification
+ - File Access
+ - Active Directory Object Modification
+ - Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: ModifyFolderPermissions
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- AppId
-- ClientIP
-- ClientIPAddress
-- ClientInfoString
-- CreationTime
-- ExternalAccess
-- Id
-- InternalLogonType
-- Item.Id
-- Item.ParentFolder.Id
-- Item.ParentFolder.MemberRights
-- Item.ParentFolder.MemberSid
-- Item.ParentFolder.MemberUpn
-- Item.ParentFolder.Name
-- Item.ParentFolder.Path
-- LogonType
-- LogonUserSid
-- MailboxGuid
-- MailboxOwnerSid
-- MailboxOwnerUPN
-- Operation
-- OrganizationId
-- OrganizationName
-- OriginatingServer
-- RecordType
-- ResultStatus
-- SessionId
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- app
-- authentication_service
-- change_type
-- client_info_str
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- eventtype
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- object_id
-- punct
-- record_type
-- result
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- tag
-- tag::eventtype
-- tenant_id
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - AppId
+ - ClientIP
+ - ClientIPAddress
+ - ClientInfoString
+ - CreationTime
+ - ExternalAccess
+ - Id
+ - InternalLogonType
+ - Item.Id
+ - Item.ParentFolder.Id
+ - Item.ParentFolder.MemberRights
+ - Item.ParentFolder.MemberSid
+ - Item.ParentFolder.MemberUpn
+ - Item.ParentFolder.Name
+ - Item.ParentFolder.Path
+ - LogonType
+ - LogonUserSid
+ - MailboxGuid
+ - MailboxOwnerSid
+ - MailboxOwnerUPN
+ - Operation
+ - OrganizationId
+ - OrganizationName
+ - OriginatingServer
+ - RecordType
+ - ResultStatus
+ - SessionId
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - app
+ - authentication_service
+ - change_type
+ - client_info_str
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - eventtype
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - object_id
+ - punct
+ - record_type
+ - result
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - status
+ - tag
+ - tag::eventtype
+ - tenant_id
+ - timeendpos
+ - timestartpos
+ - user
+ - user_agent
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2023-09-07T18:19:07", "Id": "ff065c17-e638-4013-20ab-08dbafceeca1",
"Operation": "ModifyFolderPermissions", "OrganizationId": "e17879dd-24ec-44a6-be92-9dcbf6969220",
"RecordType": 2, "ResultStatus": "Succeeded", "UserKey": "10032002CC029AE9", "UserType":
diff --git a/data_sources/o365_set_company_information_.yml b/data_sources/o365_set_company_information_.yml
index 5fab124138..e3da9d7ddd 100644
--- a/data_sources/o365_set_company_information_.yml
+++ b/data_sources/o365_set_company_information_.yml
@@ -1,97 +1,98 @@
name: O365 Set Company Information.
id: 06c6d576-f032-41e3-b15d-80a434ce13d8
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs updates to organizational settings and company information in Microsoft 365, including changes to contact details, branding, and configuration policies.
+description: Logs updates to organizational settings and company information in Microsoft
+ 365, including changes to contact details, branding, and configuration policies.
mitre_components:
-- Cloud Service Modification
-- Configuration Modification
-- Cloud Service Metadata
-- Application Log Content
+ - Cloud Service Modification
+ - Configuration Modification
+ - Cloud Service Metadata
+ - Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Set Company Information.
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- ClientIP
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- extended_properties
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - ActorIpAddress
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - ClientIP
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - additionalDetails
+ - app
+ - authentication_service
+ - change_type
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - eventtype
+ - extendedAuditEventCategory
+ - extended_properties
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"Actor": [{"ID": "bpatel@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
"100320010208B5DC", "Type": 3}, {"ID": "User_425b75db-38be-4c7b-a474-5f0709247370",
"Type": 2}, {"ID": "425b75db-38be-4c7b-a474-5f0709247370", "Type": 2}, {"ID": "User",
diff --git a/data_sources/o365_set_mailbox.yml b/data_sources/o365_set_mailbox.yml
index 6849ce100a..9da03f53f4 100644
--- a/data_sources/o365_set_mailbox.yml
+++ b/data_sources/o365_set_mailbox.yml
@@ -1,93 +1,94 @@
name: O365 Set-Mailbox
id: db798c5c-928c-4972-bb42-e5f90e35865f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs changes to mailbox properties in Microsoft 365, including updates to permissions, storage quotas, and configuration settings.
+description: Logs changes to mailbox properties in Microsoft 365, including updates
+ to permissions, storage quotas, and configuration settings.
mitre_components:
-- User Account Modification
-- Active Directory Object Modification
-- User Account Metadata
-- Application Log Content
+ - User Account Modification
+ - Active Directory Object Modification
+ - User Account Metadata
+ - Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Set-Mailbox
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- AppId
-- ClientAppId
-- ClientIP
-- CreationTime
-- ExternalAccess
-- Id
-- Identity
-- ObjectId
-- Operation
-- OrganizationId
-- OrganizationName
-- OriginatingServer
-- Parameters{}.Name
-- Parameters{}.Value
-- Params
-- RecordType
-- ResultStatus
-- SessionId
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- eventtype
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- object_id
-- punct
-- record_type
-- result
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_user
-- src_user_type
-- status
-- tag
-- tag::eventtype
-- tenant_id
-- timeendpos
-- timestartpos
-- user
-- user_id
-- vendor_account
-- vendor_product
+ - _time
+ - AppId
+ - ClientAppId
+ - ClientIP
+ - CreationTime
+ - ExternalAccess
+ - Id
+ - Identity
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - OrganizationName
+ - OriginatingServer
+ - Parameters{}.Name
+ - Parameters{}.Value
+ - Params
+ - RecordType
+ - ResultStatus
+ - SessionId
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - app
+ - authentication_service
+ - change_type
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - eventtype
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - object_id
+ - punct
+ - record_type
+ - result
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - src_user
+ - src_user_type
+ - status
+ - tag
+ - tag::eventtype
+ - tenant_id
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - vendor_account
+ - vendor_product
example_log: '{"AppId": "", "ClientAppId": "", "ClientIP": "18.192.200.190:52816",
"CreationTime": "2020-12-16T12:32:28", "ExternalAccess": false, "Id": "a6a52406-0912-448d-36eb-08d8a1bea6be",
"ObjectId": "bpatel", "Operation": "Set-Mailbox", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
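Review bot: The example_log context at the bottom of this hunk records `"ClientIP": "18.192.200.190:52816"`, which appears to be a publicly routable address rather than a documentation range; since this file ships as a reference sample, swapping in an RFC 5737 address (for example `198.51.100.10:52816`, a constructed value) avoids pointing readers at a real host. The line is unchanged context rather than part of this commit's edit, so it could be handled as a follow-up.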
diff --git a/data_sources/o365_update_application_.yml b/data_sources/o365_update_application_.yml
index 155f1353ca..2b04a3230b 100644
--- a/data_sources/o365_update_application_.yml
+++ b/data_sources/o365_update_application_.yml
@@ -1,96 +1,97 @@
name: O365 Update application.
id: 62159133-911b-4c63-9e30-a6a8c89195ca
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs updates made to applications in Microsoft 365, including changes to configurations, permissions, and role assignments.
+description: Logs updates made to applications in Microsoft 365, including changes
+ to configurations, permissions, and role assignments.
mitre_components:
-- Cloud Service Modification
-- Configuration Modification
-- Cloud Service Metadata
-- Application Log Content
+ - Cloud Service Modification
+ - Configuration Modification
+ - Cloud Service Metadata
+ - Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Update application.
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - additionalDetails
+ - app
+ - authentication_service
+ - change_type
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - eventtype
+ - extendedAuditEventCategory
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_agent
+ - user_agent_change
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2023-09-01T17:16:20", "Id": "c428c85c-4fa0-4e97-9033-6a76d9dee45d",
"Operation": "Update application.", "OrganizationId": "58aee3b9-7433-46a0-b54e-2429487992a0",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com",
diff --git a/data_sources/o365_update_authorization_policy_.yml b/data_sources/o365_update_authorization_policy_.yml
index 2438a25b16..90825eca41 100644
--- a/data_sources/o365_update_authorization_policy_.yml
+++ b/data_sources/o365_update_authorization_policy_.yml
@@ -1,88 +1,89 @@
name: O365 Update authorization policy.
id: d40e6a20-4d64-404c-8351-2caae8228d34
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs changes to authorization policies in Microsoft 365, including updates to access controls, permissions, and security settings.
+description: Logs changes to authorization policies in Microsoft 365, including updates
+ to access controls, permissions, and security settings.
mitre_components:
-- Cloud Service Modification
-- Configuration Modification
-- User Account Metadata
-- Application Log Content
+ - Cloud Service Modification
+ - Configuration Modification
+ - User Account Metadata
+ - Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Update authorization policy.
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- additionalDetails
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - additionalDetails
+ - app
+ - authentication_service
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - extendedAuditEventCategory
+ - host
+ - index
+ - linecount
+ - object
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - timeendpos
+ - timestartpos
+ - user
+ - user_agent
+ - user_agent_change
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2023-10-26T19:22:20", "Id": "83774e72-313f-4d1f-8609-7d0c7bb3b4ff",
"Operation": "Update authorization policy.", "OrganizationId": "a417c578-c7ee-480d-a225-d48057e74df5",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com",
diff --git a/data_sources/o365_update_user_.yml b/data_sources/o365_update_user_.yml
index 308a4ac7a4..f733a674a4 100644
--- a/data_sources/o365_update_user_.yml
+++ b/data_sources/o365_update_user_.yml
@@ -1,95 +1,96 @@
name: O365 Update user.
id: a05fd01e-34d9-4233-9089-11272416b531
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs updates to user account properties in Microsoft 365, including changes to roles, permissions, and profile information.
+description: Logs updates to user account properties in Microsoft 365, including changes
+ to roles, permissions, and profile information.
mitre_components:
-- User Account Modification
-- User Account Metadata
-- Active Directory Object Modification
-- Application Log Content
+ - User Account Modification
+ - User Account Metadata
+ - Active Directory Object Modification
+ - Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Update user.
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src_user
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - additionalDetails
+ - app
+ - authentication_service
+ - change_type
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - eventtype
+ - extendedAuditEventCategory
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src_user
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2023-10-20T19:32:59", "Id": "d06df1c6-b3f2-4595-90b9-99b8f91811c3",
"Operation": "Update user.", "OrganizationId": "99825d50-9544-4061-8e46-68923805cbf2",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "10032002CC029AE9@splunkresearch1.onmicrosoft.com",
diff --git a/data_sources/o365_userloggedin.yml b/data_sources/o365_userloggedin.yml
index 3296cb188a..f9169deaee 100644
--- a/data_sources/o365_userloggedin.yml
+++ b/data_sources/o365_userloggedin.yml
@@ -1,95 +1,96 @@
name: O365 UserLoggedIn
id: ed29c8c4-4053-419c-b133-16abf2a1c4c9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs successful login events by users in Microsoft 365, including details about the user account, IP address, and session metadata.
+description: Logs successful login events by users in Microsoft 365, including details
+ about the user account, IP address, and session metadata.
mitre_components:
-- User Account Authentication
-- Logon Session Creation
-- User Account Metadata
-- Logon Session Metadata
+ - User Account Authentication
+ - Logon Session Creation
+ - User Account Metadata
+ - Logon Session Metadata
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: UserLoggedIn
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- ApplicationId
-- AzureActiveDirectoryEventType
-- BrowserType
-- ClientIP
-- CreationTime
-- DeviceProperties{}.Name
-- DeviceProperties{}.Value
-- ErrorNumber
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- OS
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- RequestType
-- ResultStatus
-- ResultStatusDetail
-- SessionId
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserAgent
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - ActorIpAddress
+ - Actor{}.ID
+ - Actor{}.Type
+ - ApplicationId
+ - AzureActiveDirectoryEventType
+ - BrowserType
+ - ClientIP
+ - CreationTime
+ - DeviceProperties{}.Name
+ - DeviceProperties{}.Value
+ - ErrorNumber
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - OS
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - RequestType
+ - ResultStatus
+ - ResultStatusDetail
+ - SessionId
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserAgent
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - app
+ - authentication_service
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - host
+ - index
+ - linecount
+ - object
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - status
+ - timeendpos
+ - timestartpos
+ - user
+ - user_agent
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2023-12-04T20:42:05", "Id": "52d72a62-132b-487b-bb7f-c4c119f90700",
"Operation": "UserLoggedIn", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
"RecordType": 15, "ResultStatus": "Success", "UserKey": "2d2f9e2c-8350-4d98-852e-3f06daaf7185",
diff --git a/data_sources/o365_userloginfailed.yml b/data_sources/o365_userloginfailed.yml
index dfea247775..8f3df80a3f 100644
--- a/data_sources/o365_userloginfailed.yml
+++ b/data_sources/o365_userloginfailed.yml
@@ -1,104 +1,105 @@
name: O365 UserLoginFailed
id: 6099b33d-d581-43ed-8401-911862590361
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs failed login attempts by users in Microsoft 365, including details about the user account, IP address, and reason for failure.
+description: Logs failed login attempts by users in Microsoft 365, including details
+ about the user account, IP address, and reason for failure.
mitre_components:
-- User Account Authentication
-- Logon Session Metadata
-- User Account Metadata
-- Application Log Content
+ - User Account Authentication
+ - Logon Session Metadata
+ - User Account Metadata
+ - Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: UserLoginFailed
supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- ApplicationId
-- AzureActiveDirectoryEventType
-- BrowserType
-- ClientIP
-- CreationTime
-- DeviceProperties{}.Name
-- DeviceProperties{}.Value
-- ErrorNumber
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- IsCompliantAndManaged
-- LogonError
-- OS
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- RequestType
-- ResultStatus
-- ResultStatusDetail
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserAgent
-- UserAuthenticationMethod
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- app
-- authentication_method
-- authentication_service
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- host
-- index
-- linecount
-- object
-- punct
-- reason
-- record_type
-- result
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- tag
-- tag::action
-- tag::eventtype
-- user
-- user_agent
-- user_type
-- vendor_account
-- vendor_product
+ - _time
+ - ActorContextId
+ - ActorIpAddress
+ - Actor{}.ID
+ - Actor{}.Type
+ - ApplicationId
+ - AzureActiveDirectoryEventType
+ - BrowserType
+ - ClientIP
+ - CreationTime
+ - DeviceProperties{}.Name
+ - DeviceProperties{}.Value
+ - ErrorNumber
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - IsCompliantAndManaged
+ - LogonError
+ - OS
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - RequestType
+ - ResultStatus
+ - ResultStatusDetail
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserAgent
+ - UserAuthenticationMethod
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - app
+ - authentication_method
+ - authentication_service
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - eventtype
+ - host
+ - index
+ - linecount
+ - object
+ - punct
+ - reason
+ - record_type
+ - result
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - status
+ - tag
+ - tag::action
+ - tag::eventtype
+ - user
+ - user_agent
+ - user_type
+ - vendor_account
+ - vendor_product
example_log: '{"CreationTime": "2023-10-10T17:08:65", "Id": "4593aac8-855f-4341-9d2a-4289146eb800",
"Operation": "UserLoginFailed", "OrganizationId": "d541aae6-6b73-4a7c-aaf0-a4de30c872bc",
"RecordType": 15, "ResultStatus": "Failed", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72",
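Review bot: The example_log context closing this hunk carries `"CreationTime": "2023-10-10T17:08:65"`, a timestamp with a seconds value of 65, so the sample is not a valid O365 management-activity record and anything that parses the sample's time field would reject it. The commit bumps the file to version 2 and reindents the field list without touching the sample, even though the sample is what readers use to check the `fields:` entries above it. The original event's second value should be restored if it is recoverable; otherwise a clearly constructed, valid value is preferable to an impossible one.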
diff --git a/data_sources/okta.yml b/data_sources/okta.yml
index 27417c8961..4c4de15b28 100644
--- a/data_sources/okta.yml
+++ b/data_sources/okta.yml
@@ -1,18 +1,19 @@
name: Okta
id: ec26febe-e760-4981-bbee-72e107c7b9d2
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs authentication and administrative activities captured by Okta, including user login attempts, session management, and configuration changes.
+description: Logs authentication and administrative activities captured by Okta, including
+ user login attempts, session management, and configuration changes.
mitre_components:
-- User Account Authentication
-- Logon Session Creation
-- User Account Metadata
-- Configuration Modification
-- Application Log Content
+ - User Account Authentication
+ - Logon Session Creation
+ - User Account Metadata
+ - Configuration Modification
+ - Application Log Content
source: Okta
sourcetype: OktaIM2:log
supported_TA:
-- name: Splunk Add-on for Okta Identity Cloud
- url: https://splunkbase.splunk.com/app/6553
- version: 3.0.0
+ - name: Splunk Add-on for Okta Identity Cloud
+ url: https://splunkbase.splunk.com/app/6553
+ version: 3.0.0
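Review bot: okta.yml is the only data source in this batch with no `fields:` and no `example_log:` section — the hunk header `-1,18 +1,19` covers the entire file, which ends at `supported_TA`. Detections that reference Okta fields therefore have nothing in this file to validate against, and the description's claim of login, session and configuration-change coverage cannot be checked from the file itself. Add a `fields:` list for the `OktaIM2:log` sourcetype and an `example_log:` in the same shape as the sibling sources, or state in the description why they are omitted here.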
diff --git a/data_sources/osquery.yml b/data_sources/osquery.yml
index bd8cb58790..b2b1828e0f 100644
--- a/data_sources/osquery.yml
+++ b/data_sources/osquery.yml
@@ -1,72 +1,73 @@
name: osquery
id: 7ec4d7c8-c1d0-423a-9169-261f6adb74c0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs system queries performed using osquery, including details about processes, file access, network activity, and system configurations.
+description: Logs system queries performed using osquery, including details about
+ processes, file access, network activity, and system configurations.
mitre_components:
-- Process Metadata
-- File Access
-- Network Traffic Content
-- Host Status
-- Application Log Content
+ - Process Metadata
+ - File Access
+ - Network Traffic Content
+ - Host Status
+ - Application Log Content
source: osquery
sourcetype: osquery:results
supported_TA: []
fields:
-- _time
-- calendarTime
-- columns.cdhash
-- columns.child_pid
-- columns.cmdline
-- columns.cmdline_count
-- columns.cwd
-- columns.egid
-- columns.env
-- columns.env_count
-- columns.euid
-- columns.event_type
-- columns.exit_code
-- columns.gid
-- columns.global_seq_num
-- columns.original_parent
-- columns.parent
-- columns.path
-- columns.pid
-- columns.platform_binary
-- columns.seq_num
-- columns.signing_id
-- columns.team_id
-- columns.time
-- columns.uid
-- columns.username
-- columns.version
-- counter
-- dest
-- epoch
-- eventtype
-- host
-- hostIdentifier
-- index
-- linecount
-- name
-- numerics
-- parent_process_id
-- process_current_directory
-- process_id
-- process_path
-- punct
-- source
-- sourcetype
-- splunk_server
-- src
-- subject
-- tag
-- tag::eventtype
-- timestamp
-- unixTime
-- user_id
-- vendor_product
+ - _time
+ - calendarTime
+ - columns.cdhash
+ - columns.child_pid
+ - columns.cmdline
+ - columns.cmdline_count
+ - columns.cwd
+ - columns.egid
+ - columns.env
+ - columns.env_count
+ - columns.euid
+ - columns.event_type
+ - columns.exit_code
+ - columns.gid
+ - columns.global_seq_num
+ - columns.original_parent
+ - columns.parent
+ - columns.path
+ - columns.pid
+ - columns.platform_binary
+ - columns.seq_num
+ - columns.signing_id
+ - columns.team_id
+ - columns.time
+ - columns.uid
+ - columns.username
+ - columns.version
+ - counter
+ - dest
+ - epoch
+ - eventtype
+ - host
+ - hostIdentifier
+ - index
+ - linecount
+ - name
+ - numerics
+ - parent_process_id
+ - process_current_directory
+ - process_id
+ - process_path
+ - punct
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - subject
+ - tag
+ - tag::eventtype
+ - timestamp
+ - unixTime
+ - user_id
+ - vendor_product
example_log: '{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Tue
Mar 29 13:03:51 2022 UTC","unixTime":1648559031,"epoch":0,"counter":82,"numerics":false,"columns":{"cdhash":"f63c5fbfcf1484b20aa4407a26e087fe3fe28146","child_pid":"","cmdline":"plutil
--help ","cmdline_count":"2","cwd":"/Users/patrick","egid":"20","env":"TERM_SESSION_ID=w0t1p0:93AA9D79-7028-49F1-A93D-4EAEFB7BA6E3
diff --git a/data_sources/palo_alto_network_threat.yml b/data_sources/palo_alto_network_threat.yml
index d9c2937be9..48d799c14e 100644
--- a/data_sources/palo_alto_network_threat.yml
+++ b/data_sources/palo_alto_network_threat.yml
@@ -1,43 +1,45 @@
name: Palo Alto Network Threat
id: 375c2b0e-d216-41ad-9406-200464595209
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs detected threats identified by Palo Alto Networks devices, including details about malware, intrusion attempts, and malicious network activity.
+description: Logs detected threats identified by Palo Alto Networks devices, including
+ details about malware, intrusion attempts, and malicious network activity.
mitre_components:
-- Malware Metadata
-- Network Traffic Content
-- Network Traffic Flow
-- Application Log Content
-- Host Status
+ - Malware Metadata
+ - Network Traffic Content
+ - Network Traffic Flow
+ - Application Log Content
+ - Host Status
source: pan:threat
sourcetype: pan:threat
supported_TA:
-- name: Palo Alto Networks Add-on
- url: https://splunkbase.splunk.com/app/2757
- version: 8.1.3
+ - name: Palo Alto Networks Add-on
+ url: https://splunkbase.splunk.com/app/2757
+ version: 8.1.3
fields:
-- _time
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- host
-- index
-- linecount
-- punct
-- source
-- sourcetype
-- splunk_server
-- timeendpos
-- timestartpos
+ - _time
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - host
+ - index
+ - linecount
+ - punct
+ - source
+ - sourcetype
+ - splunk_server
+ - timeendpos
+ - timestartpos
example_log: May 10 11:08:39 sjc.example.com 1,2022/05/10 11:08:38,013201004583,THREAT,url,2305,2022/05/10
11:08:38,2.18.4.7,1.2.3.4,2.18.4.7,1.2.3.4,service-globalprotect,,,web-browsing,vsys1,UNTRUST,UNTRUST,ethernet1/20,loopback.1,Zero,2022/05/10
11:08:38,1535535,1,32880,443,32880,20077,0x1403000,tcp,allow,"sr.example.com/mgmt/tm/util/bash",(9999),allow-URL,informational,client-to-server,7081856864553612091,0xa000000000000000,United
States,United States,0,,0,,,1,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36
- (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36",,,,,,,0,177,204,178,382,,sjc1-fw-01,,,,post,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"
+ (KHTML, like Gecko) Chrome/36.0.1944.0
+ Safari/537.36",,,,,,,0,177,204,178,382,,sjc1-fw-01,,,,post,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"
allow-URL,computer-and-internet-info,low-risk",5283cb95-6902-41db-96c6-ef807361eba5,0,
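Review bot: The `fields:` list in this hunk contains only Splunk index-time metadata (`_time`, `date_*`, `host`, `index`, `linecount`, `punct`, `source`, `sourcetype`, `splunk_server`, `timeendpos`, `timestartpos`) and none of the threat-specific values the example_log plainly carries (source and destination addresses, the requested URL, the action, the severity and the category). The same applies to palo_alto_network_traffic.yml in the next hunk. Since the description promises malware and intrusion details, the list reads as an extraction artifact rather than the documented schema; either populate it with the fields the Palo Alto Networks Add-on extracts for this sourcetype, or add `# fields: index-time metadata only; add-on extracted fields not yet enumerated` above the key so readers do not treat it as complete.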
diff --git a/data_sources/palo_alto_network_traffic.yml b/data_sources/palo_alto_network_traffic.yml
index 02afe2d863..c4673e3fe7 100644
--- a/data_sources/palo_alto_network_traffic.yml
+++ b/data_sources/palo_alto_network_traffic.yml
@@ -1,41 +1,44 @@
name: Palo Alto Network Traffic
id: 182a83bc-c31a-4817-8c7a-263744cec52a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs network traffic events captured by Palo Alto Networks devices, including details about sessions, protocols, and source and destination IPs.
+description: Logs network traffic events captured by Palo Alto Networks devices, including
+ details about sessions, protocols, and source and destination IPs.
mitre_components:
-- Network Traffic Content
-- Network Traffic Flow
-- Network Connection Creation
-- Response Metadata
-- Application Log Content
+ - Network Traffic Content
+ - Network Traffic Flow
+ - Network Connection Creation
+ - Response Metadata
+ - Application Log Content
source: screenconnect_palo_traffic
sourcetype: pan:traffic
supported_TA:
-- name: Palo Alto Networks Add-on
- url: https://splunkbase.splunk.com/app/2757
- version: 8.1.3
+ - name: Palo Alto Networks Add-on
+ url: https://splunkbase.splunk.com/app/2757
+ version: 8.1.3
fields:
-- _time
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- host
-- index
-- linecount
-- punct
-- source
-- sourcetype
-- splunk_server
-- timeendpos
-- timestartpos
+ - _time
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - host
+ - index
+ - linecount
+ - punct
+ - source
+ - sourcetype
+ - splunk_server
+ - timeendpos
+ - timestartpos
example_log: 577 <14>1 2024-02-22T12:33:50-05:00 PALO220.ATTACK_RANGE.LAN - - - -
- 1,2024/02/22 12:33:50,012801036556,TRAFFIC,end,2305,2024/02/22 12:33:50,192.168.1.205,147.28.146.44,201.17.96.104,147.28.146.44,No_Vuln_Filtering_OUT,,,screenconnect,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,splunk_range,2024/02/22
+ 1,2024/02/22 12:33:50,012801036556,TRAFFIC,end,2305,2024/02/22
+ 12:33:50,192.168.1.205,147.28.146.44,201.17.96.104,147.28.146.44,No_Vuln_Filtering_OUT,,,screenconnect,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,splunk_range,2024/02/22
12:33:50,14740,1,50624,443,11024,443,0x40005e,tcp,allow,7419,6609,810,25,2024/02/22
- 12:32:29,65,any,0,376156893,0x0,192.168.0.0-192.168.255.255,United States,0,14,11,tcp-fin,0,0,0,0,,PALO220,from-policy,,,0,,0,,N/A,0,0,0,0,0862e58b-4a54-436b-b3ac-ea3eccf8403b,0,0,,,,,,,
+ 12:32:29,65,any,0,376156893,0x0,192.168.0.0-192.168.255.255,United
+ States,0,14,11,tcp-fin,0,0,0,0,,PALO220,from-policy,,,0,,0,,N/A,0,0,0,0,0862e58b-4a54-436b-b3ac-ea3eccf8403b,0,0,,,,,,,
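Review bot: `source: screenconnect_palo_traffic` on the new side looks like a lab or test dataset name rather than the `source` value production Palo Alto traffic events carry, whereas the sibling threat file in the previous hunk uses `pan:threat` for both `source` and `sourcetype`. If the key is meant to identify the Splunk source generically, `pan:traffic` (matching the `sourcetype` two lines below) would be consistent; if it deliberately points at a specific sample dataset, a comment such as `# source value taken from the sample dataset, not a production input` would stop readers from copying it into their inputs. The value is inherited from version 1 and the commit does not change it.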
diff --git a/data_sources/pingid.yml b/data_sources/pingid.yml
index 2b77686143..5b7648219f 100644
--- a/data_sources/pingid.yml
+++ b/data_sources/pingid.yml
@@ -1,45 +1,46 @@
name: PingID
id: 17890675-61c1-40bd-a88e-6a8e9e246b43
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs authentication and multi-factor authentication (MFA) events managed by PingID, including user logins, device enrollments, and MFA challenges.
+description: Logs authentication and multi-factor authentication (MFA) events managed
+ by PingID, including user logins, device enrollments, and MFA challenges.
mitre_components:
-- User Account Authentication
-- Logon Session Metadata
-- User Account Metadata
-- Application Log Content
-- Host Status
+ - User Account Authentication
+ - Logon Session Metadata
+ - User Account Metadata
+ - Application Log Content
+ - Host Status
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
supported_TA: []
fields:
-- _time
-- actors{}.name
-- actors{}.type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- extracted_source
-- host
-- id
-- index
-- linecount
-- punct
-- recorded
-- resources{}.ipaddress
-- resources{}.websession
-- result.message
-- result.status
-- source
-- sourcetype
-- splunk_server
-- timeendpos
-- timestartpos
+ - _time
+ - actors{}.name
+ - actors{}.type
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - extracted_source
+ - host
+ - id
+ - index
+ - linecount
+ - punct
+ - recorded
+ - resources{}.ipaddress
+ - resources{}.websession
+ - result.message
+ - result.status
+ - source
+ - sourcetype
+ - splunk_server
+ - timeendpos
+ - timestartpos
example_log: '{"source":"PINGID","id":"b2eb1fef-651b-11ee-b38b-0ac7a554ed19","recorded":"2023-10-05T14:10:53.538Z","actors":[{"type":"user","name":"victim_user"}],"resources":[{"ipaddress":"174.235.80.142","websession":"webs_ijkF-T_bAC_G3w2TfvdpAEQeC545KFlqVFOsolCXdjo"}],"result":{"status":"SUCCESS","message":"Device
Paired SMS \"Mobile 1\""}}'
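Review bot: `source: XmlWinEventLog:Security` and `sourcetype: XmlWinEventLog` on the new side do not match this data source: the example_log is a PingID JSON audit record (`"source":"PINGID"`, `actors`, `resources`, `result`) and the `fields:` list (`actors{}.name`, `resources{}.ipaddress`, `result.status`) is likewise JSON-derived, not Windows Security event log fields. A detection that filters on this sourcetype would search Windows events and never see PingID data. The two values appear to have been copied from a Windows data source; replace them with the source and sourcetype the PingID input actually produces, or mark them `# TODO(review): confirm source/sourcetype from the PingID input` until that is known, and revisit `supported_TA: []` at the same time.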
diff --git a/data_sources/powershell_installed_iis_modules.yml b/data_sources/powershell_installed_iis_modules.yml
index cf0b592d7b..3e466057a5 100644
--- a/data_sources/powershell_installed_iis_modules.yml
+++ b/data_sources/powershell_installed_iis_modules.yml
@@ -1,26 +1,27 @@
name: Powershell Installed IIS Modules
id: 4f2ccf42-3503-4417-a684-bfccf7f0d7b4
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the list of installed IIS modules retrieved using PowerShell, including details about their names and statuses.
+description: Logs the list of installed IIS modules retrieved using PowerShell, including
+ details about their names and statuses.
mitre_components:
-- Service Metadata
-- Configuration Modification
-- OS API Execution
-- Application Log Content
+ - Service Metadata
+ - Configuration Modification
+ - OS API Execution
+ - Application Log Content
source: powershell://AppCmdModules
sourcetype: Pwsh:InstalledIISModules
supported_TA: []
fields:
-- _time
-- Schema
-- host
-- index
-- linecount
-- punct
-- source
-- sourcetype
-- splunk_server
-- timestamp
+ - _time
+ - Schema
+ - host
+ - index
+ - linecount
+ - punct
+ - source
+ - sourcetype
+ - splunk_server
+ - timestamp
example_log: Schema="Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema"
diff --git a/data_sources/powershell_script_block_logging_4104.yml b/data_sources/powershell_script_block_logging_4104.yml
index b5aba9d7f7..67794c1e47 100644
--- a/data_sources/powershell_script_block_logging_4104.yml
+++ b/data_sources/powershell_script_block_logging_4104.yml
@@ -1,95 +1,97 @@
name: Powershell Script Block Logging 4104
id: 5cfd0c72-d989-47a0-92f9-6edc6f8d3564
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs detailed content of PowerShell script blocks as they are executed, including the full command text and context for the execution.
+description: Logs detailed content of PowerShell script blocks as they are executed,
+ including the full command text and context for the execution.
mitre_components:
-- Script Execution
-- Command Execution
-- Process Metadata
-- OS API Execution
-- Application Log Content
+ - Script Execution
+ - Command Execution
+ - Process Metadata
+ - OS API Execution
+ - Application Log Content
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 4104
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- ActivityID
-- Channel
-- Computer
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- MessageNumber
-- MessageTotal
-- Name
-- Opcode
-- Path
-- ProcessID
-- RecordNumber
-- ScriptBlockId
-- ScriptBlockText
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserID
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
+ - _time
+ - ActivityID
+ - Channel
+ - Computer
+ - EventCode
+ - EventData_Xml
+ - EventID
+ - EventRecordID
+ - Guid
+ - Keywords
+ - Level
+ - MessageNumber
+ - MessageTotal
+ - Name
+ - Opcode
+ - Path
+ - ProcessID
+ - RecordNumber
+ - ScriptBlockId
+ - ScriptBlockText
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - UserID
+ - Version
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - punct
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user_id
+ - vendor_product
field_mappings:
-- data_model: cim
- data_set: Endpoint.Processes
- mapping:
- Computer: Processes.dest
- Path: Processes.process_path
- ScriptBlockId: Processes.process_id
- ScriptBlockText: Processes.process
- UserID: Processes.user_id
-- data_model: ocsf
- mapping:
- Computer: device.hostname
- Path: process.file.path
- ScriptBlockId: process.uid
- ScriptBlockText: process.cmd_line
- UserID: actor.user.uid
+ - data_model: cim
+ data_set: Endpoint.Processes
+ mapping:
+ Computer: Processes.dest
+ Path: Processes.process_path
+ ScriptBlockId: Processes.process_id
+ ScriptBlockText: Processes.process
+ UserID: Processes.user_id
+ - data_model: ocsf
+ mapping:
+ Computer: device.hostname
+ Path: process.file.path
+ ScriptBlockId: process.uid
+ ScriptBlockText: process.cmd_line
+ UserID: actor.user.uid
example_log: 4104152150x04104152150x0112748Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-270.attackrange.local154100x80000000000000004522Microsoft-Windows-Sysmon/Operationalwin-dc-6764986.attackrange.local-2020-10-08\
- \ 11:03:46.615{96128EA2-F212-5F7E-E400-000000007F01}2296C:\\Windows\\System32\\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows\
- \ Command ProcessorMicrosoft\xAE Windows\xAE Operating\
- \ SystemMicrosoft CorporationCmd.Exe\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\sam\
- \ %%temp%%\\sam & reg save HKLM\\system %%temp%%\\system & reg save HKLM\\\
- security %%temp%%\\security\" C:\\Users\\ADMINI~1\\\
- AppData\\Local\\Temp\\ATTACKRANGE\\Administrator{96128EA2-F210-5F7E-ACD4-080000000000}0x8d4ac0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{96128EA2-F211-5F7E-DF00-000000007F01}4624C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"powershell.exe\" -noninteractive -encodedcommand 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"
+ - data_source: Windows Event Log Security 4688
+ mapping:
+ ProcessId: NewProcessId
+ Image: NewProcessName
+ Image|endswith: NewProcessName|endswith
+ CommandLine: Process_Command_Line
+ User: SubjectUserSid
+ ParentProcessId: ProcessId
+ ParentImage: ParentProcessName
+ ParentImage|endswith: ParentProcessName|endswith
+ Computer: Computer
+ OriginalFileName: NewProcessName|endswith
+ - data_source: Crowdstrike Process
+ mapping:
+ ProcessId: RawProcessId
+ Image: ImageFileName
+ CommandLine: CommandLine
+ User: UserSid
+ ParentProcessId: ParentProcessId
+ ParentImage: ParentBaseFileName
+example_log: 154100x80000000000000004522Microsoft-Windows-Sysmon/Operationalwin-dc-6764986.attackrange.local-2020-10-08
+ 11:03:46.615{96128EA2-F212-5F7E-E400-000000007F01}2296C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows
+ Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "reg save HKLM\sam %%temp%%\sam
+ & reg save HKLM\system %%temp%%\system & reg save HKLM\security %%temp%%\security"
+ C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{96128EA2-F210-5F7E-ACD4-080000000000}0x8d4ac0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{96128EA2-F211-5F7E-DF00-000000007F01}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand
+ WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAyACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA==
diff --git a/data_sources/sysmon_eventid_10.yml b/data_sources/sysmon_eventid_10.yml
index 80713f8dc3..6197a6a241 100644
--- a/data_sources/sysmon_eventid_10.yml
+++ b/data_sources/sysmon_eventid_10.yml
@@ -1,106 +1,109 @@
name: Sysmon EventID 10
id: 659cd5a8-148a-4c59-ade1-05f41ac1b096
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs events where one process accesses another process, typically for memory reads or injections, including details about the source and target processes.
+description: Logs events where one process accesses another process, typically for
+ memory reads or injections, including details about the source and target processes.
mitre_components:
-- Process Access
-- Process Metadata
-- Application Log Content
-- OS API Execution
+ - Process Access
+ - Process Metadata
+ - Application Log Content
+ - OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 10
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
-- name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+ - name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
-- _time
-- CallTrace
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- GrantedAccess
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SourceImage
-- SourceProcessGUID
-- SourceProcessId
-- SourceThreadId
-- SystemTime
-- System_Props_Xml
-- TargetImage
-- TargetProcessGUID
-- TargetProcessId
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- granted_access
-- host
-- id
-- index
-- linecount
-- os
-- parent_process_exec
-- parent_process_guid
-- parent_process_id
-- parent_process_name
-- parent_process_path
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
+ - _time
+ - CallTrace
+ - Channel
+ - Computer
+ - EventChannel
+ - EventCode
+ - EventData_Xml
+ - EventDescription
+ - EventID
+ - EventRecordID
+ - GrantedAccess
+ - Guid
+ - Keywords
+ - Level
+ - Name
+ - Opcode
+ - ProcessID
+ - RecordID
+ - RecordNumber
+ - RuleName
+ - SecurityID
+ - SourceImage
+ - SourceProcessGUID
+ - SourceProcessId
+ - SourceThreadId
+ - SystemTime
+ - System_Props_Xml
+ - TargetImage
+ - TargetProcessGUID
+ - TargetProcessId
+ - Task
+ - ThreadID
+ - TimeCreated
+ - UserID
+ - UtcTime
+ - Version
+ - action
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - granted_access
+ - host
+ - id
+ - index
+ - linecount
+ - os
+ - parent_process_exec
+ - parent_process_guid
+ - parent_process_id
+ - parent_process_name
+ - parent_process_path
+ - process_exec
+ - process_guid
+ - process_id
+ - process_name
+ - process_path
+ - punct
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user_id
+ - vendor_product
example_log: 10341000x800000000000000010341000x8000000000000000150624412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01
21:01:44.670{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe11241100x800000000000000011241100x80000000000000007712490Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-84.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-84.attackrange.localDownloads2023-02-08 13:01:11.053{0F9A6540-A70E-63E2-3091-00000000BD02}9332C:\Users\Administrator\Downloads\mimikatz_trunk\x64\mimikatz.exe9332C:\Users\Administrator\Downloads\mimikatz_trunk\x64\mimikatz.exeC:\Users\Administrator\Downloads\mimikatz_trunk\x64\CURRENT_USER_My_4_atomic@art2.local.pfx2023-02-08 13:01:11.053
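Review bot: The `example_log` context closing this hunk appears to hold two separate Sysmon records pasted together with their XML markup stripped — it carries two different hosts (`win-dc-128` and `win-dc-mhaag-attack-range-84`), two timestamps (`2022-02-01 21:01:44.670` and `2023-02-08 13:01:11.053`) and two different process images, with no element names left to tell which value belongs to which field. As a sample for an `xmlwineventlog` sourcetype it cannot be matched against the `fields:` list above it. I would replace it with a single well-formed `<Event>` record in a `|-` block scalar, or at least add `# example_log: tag-stripped sample, not parseable as-is` above the key so it is not mistaken for a representative event.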
diff --git a/data_sources/sysmon_eventid_12.yml b/data_sources/sysmon_eventid_12.yml
index 665a69a98e..57e13fb712 100644
--- a/data_sources/sysmon_eventid_12.yml
+++ b/data_sources/sysmon_eventid_12.yml
@@ -1,103 +1,107 @@
name: Sysmon EventID 12
id: 3ef28798-8eaa-4fd2-b074-6f36d08a1b33
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the creation of a new registry key, including details about the key name, registry path, and associated process metadata.
+description: Logs the creation of a new registry key, including details about the
+ key name, registry path, and associated process metadata.
mitre_components:
-- Windows Registry Key Creation
-- Process Metadata
-- Application Log Content
-- OS API Execution
+ - Windows Registry Key Creation
+ - Process Metadata
+ - Application Log Content
+ - OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 12
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
-- name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+ - name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- EventType
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- TargetObject
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- object_category
-- object_path
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- registry_hive
-- registry_key_name
-- registry_path
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- tag::object_category
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
+ - _time
+ - Channel
+ - Computer
+ - EventChannel
+ - EventCode
+ - EventData_Xml
+ - EventDescription
+ - EventID
+ - EventRecordID
+ - EventType
+ - Guid
+ - Image
+ - Keywords
+ - Level
+ - Name
+ - Opcode
+ - ProcessGuid
+ - ProcessID
+ - ProcessId
+ - RecordID
+ - RecordNumber
+ - RuleName
+ - SecurityID
+ - SystemTime
+ - System_Props_Xml
+ - TargetObject
+ - Task
+ - ThreadID
+ - TimeCreated
+ - UserID
+ - UtcTime
+ - Version
+ - action
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - object_category
+ - object_path
+ - process_exec
+ - process_guid
+ - process_id
+ - process_name
+ - process_path
+ - punct
+ - registry_hive
+ - registry_key_name
+ - registry_path
+ - severity_id
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - tag
+ - tag::eventtype
+ - tag::object_category
+ - timeendpos
+ - timestartpos
+ - user_id
+ - vendor_product
example_log: 12241200x800000000000000012241200x80000000000000001055579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteKey2021-07-12 08:10:32.592{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112_Classes\exefile\shell\runas\command
diff --git a/data_sources/sysmon_eventid_13.yml b/data_sources/sysmon_eventid_13.yml
index d7ed659f74..d533ac7a5c 100644
--- a/data_sources/sysmon_eventid_13.yml
+++ b/data_sources/sysmon_eventid_13.yml
@@ -1,118 +1,121 @@
name: Sysmon EventID 13
id: 19cd00ee-f65f-48ca-bb08-64aac28638ce
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs changes to a registry key, including details about the modified key, value, and associated process.
+description: Logs changes to a registry key, including details about the modified
+ key, value, and associated process.
mitre_components:
-- Windows Registry Key Modification
-- Process Metadata
-- Application Log Content
-- OS API Execution
+ - Windows Registry Key Modification
+ - Process Metadata
+ - Application Log Content
+ - OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 13
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
-- name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+ - name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
-- _time
-- Channel
-- Computer
-- Details
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- EventType
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RecordNumber
-- RegistryValueData
-- RegistryValueType
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- TargetObject
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- object_category
-- object_path
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- registry_hive
-- registry_key_name
-- registry_path
-- registry_value_data
-- registry_value_name
-- registry_value_type
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- tag::object_category
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
+ - _time
+ - Channel
+ - Computer
+ - Details
+ - EventChannel
+ - EventCode
+ - EventData_Xml
+ - EventDescription
+ - EventID
+ - EventRecordID
+ - EventType
+ - Guid
+ - Image
+ - Keywords
+ - Level
+ - Name
+ - Opcode
+ - ProcessGuid
+ - ProcessID
+ - ProcessId
+ - RecordID
+ - RecordNumber
+ - RegistryValueData
+ - RegistryValueType
+ - RuleName
+ - SecurityID
+ - SystemTime
+ - System_Props_Xml
+ - TargetObject
+ - Task
+ - ThreadID
+ - TimeCreated
+ - UserID
+ - UtcTime
+ - Version
+ - action
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - object_category
+ - object_path
+ - process_exec
+ - process_guid
+ - process_id
+ - process_name
+ - process_path
+ - punct
+ - registry_hive
+ - registry_key_name
+ - registry_path
+ - registry_value_data
+ - registry_value_name
+ - registry_value_type
+ - severity_id
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - tag
+ - tag::eventtype
+ - tag::object_category
+ - timeendpos
+ - timestartpos
+ - user_id
+ - vendor_product
field_mappings:
-- data_model: cim
- data_set: Endpoint.Registry
- mapping:
- Computer: Registry.dest
- ProcessGuid: Registry.process_guid
- ProcessId: Registry.process_id
- TargetObject: Registry.registry_path
- Details: Registry.registry_value_data
+ - data_model: cim
+ data_set: Endpoint.Registry
+ mapping:
+ Computer: Registry.dest
+ ProcessGuid: Registry.process_guid
+ ProcessId: Registry.process_id
+ TargetObject: Registry.registry_path
+ Details: Registry.registry_value_data
example_log: 13241300x800000000000000013241300x8000000000000000810987Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exe15241500x800000000000000015241500x8000000000000000667860Microsoft-Windows-Sysmon/Operationalproject-mumbai-hostMicrosoft-Windows-Sysmon/Operationalproject-mumbai-host-2021-04-28
20:11:34.709{ED2ECF8A-C154-6089-F967-00000000BB01}7000C:\Users\DefaultAccount\AppData\Roaming\Telegram
Desktop\Telegram.exeC:\Users\DefaultAccount\Downloads\Telegram
Desktop\Good(NLA).txt:Zone.Identifier2021-04-28
- 20:11:33.238MD5=C785C55D5FA3443A11B8417209C4B524,SHA256=D07777E0DC36EBECCE3FA9644F0F44DC4A0B7EDE0CBC1F5D33E8D6CB07AF5B5C,IMPHASH=00000000000000000000000000000000MD5=C785C55D5FA3443A11B8417209C4B524,SHA256=D07777E0DC36EBECCE3FA9644F0F44DC4A0B7EDE0CBC1F5D33E8D6CB07AF5B5C,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3
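Review bot: The removed continuation line at the end of this hunk (`20:11:33.238MD5=...[ZoneTransfer] ZoneId=3`) has no visible added counterpart, so unless the raw patch was collapsed in this view the new example_log ends at `2021-04-28` and the second sample event loses its hash and Zone.Identifier payload; please confirm the rewrapped value is complete. More generally, example_log is a multi-line plain scalar here and in the sysmon_eventid_22, sysmon_eventid_6, sysmon_eventid_8 and sysmon_for_linux_eventid_1 hunks, which YAML folds into one space-separated line, so the file cannot distinguish a real line break in the captured event from a formatter wrap, and any future continuation line whose first non-space character is `#` or that contains `: ` silently changes or breaks the parse. A literal block scalar (`example_log: |-` followed by the event indented two spaces) keeps the sample verbatim and makes a rewrap a no-op for loaders. The `description:` rewraps fold the same way but carry only prose, so they are fine as written.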
diff --git a/data_sources/sysmon_eventid_17.yml b/data_sources/sysmon_eventid_17.yml
index 221feadee2..17f9cba91f 100644
--- a/data_sources/sysmon_eventid_17.yml
+++ b/data_sources/sysmon_eventid_17.yml
@@ -1,94 +1,96 @@
name: Sysmon EventID 17
id: 08924246-c8e8-4c95-a9fc-633c43cc82df
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Sysmon EventID 17 logs details about the detection of a named pipe.
mitre_components:
-- Named Pipe Metadata
+ - Named Pipe Metadata
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 17
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
-- name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+ - name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- EventType
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- PipeName
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- os
-- pipe_name
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
+ - _time
+ - Channel
+ - Computer
+ - EventChannel
+ - EventCode
+ - EventData_Xml
+ - EventDescription
+ - EventID
+ - EventRecordID
+ - EventType
+ - Guid
+ - Image
+ - Keywords
+ - Level
+ - Name
+ - Opcode
+ - PipeName
+ - ProcessGuid
+ - ProcessID
+ - ProcessId
+ - RecordID
+ - RecordNumber
+ - RuleName
+ - SecurityID
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - TimeCreated
+ - UserID
+ - UtcTime
+ - Version
+ - action
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - os
+ - pipe_name
+ - process_exec
+ - process_guid
+ - process_id
+ - process_name
+ - process_path
+ - punct
+ - severity_id
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user_id
+ - vendor_product
example_log: 17141700x800000000000000017141700x8000000000000000162168Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-CreatePipe2021-04-19 21:00:18.288{761B69BB-EF62-607D-B211-00000000BA01}6960\MSSE-1516-server18141800x800000000000000018141800x8000000000000000162173Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-ConnectPipe2021-04-19 21:00:19.312{761B69BB-EF62-607D-B211-00000000BA01}6960\MSSE-1516-server20342000x800000000000000020342000x80000000000000006249Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-WmiConsumerEvent2020-12-08 13:54:48.514DeletedATTACKRANGE\Administrator "AtomicRedTeam-WMIPersistence-Example"21342100x800000000000000021342100x8000000000000000151644Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-WmiBindingEvent2021-06-16 21:46:50.222ModifiedWIN-HOST-14\Administrator "CommandLineEventConsumer.Name=\"Evil
diff --git a/data_sources/sysmon_eventid_22.yml b/data_sources/sysmon_eventid_22.yml
index 5ed15373d4..a40a8dc863 100644
--- a/data_sources/sysmon_eventid_22.yml
+++ b/data_sources/sysmon_eventid_22.yml
@@ -1,96 +1,99 @@
name: Sysmon EventID 22
id: 911538b2-eba7-4d3e-85e8-d82d380c37bf
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs DNS query events, including details about the queried domain, source IP, query type, and response data.
+description: Logs DNS query events, including details about the queried domain, source
+ IP, query type, and response data.
mitre_components:
-- Passive DNS
-- Active DNS
-- Network Traffic Content
-- Network Traffic Flow
-- Application Log Content
+ - Passive DNS
+ - Active DNS
+ - Network Traffic Content
+ - Network Traffic Flow
+ - Application Log Content
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 22
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
-- name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+ - name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- QueryName
-- QueryResults
-- QueryStatus
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- process_exec
-- process_guid
-- process_name
-- punct
-- query
-- query_count
-- reply_code_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
+ - _time
+ - Channel
+ - Computer
+ - EventChannel
+ - EventCode
+ - EventData_Xml
+ - EventDescription
+ - EventID
+ - EventRecordID
+ - Guid
+ - Image
+ - Keywords
+ - Level
+ - Name
+ - Opcode
+ - ProcessGuid
+ - ProcessID
+ - ProcessId
+ - QueryName
+ - QueryResults
+ - QueryStatus
+ - RecordID
+ - RecordNumber
+ - RuleName
+ - SecurityID
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - TimeCreated
+ - UserID
+ - UtcTime
+ - Version
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - process_exec
+ - process_guid
+ - process_name
+ - punct
+ - query
+ - query_count
+ - reply_code_id
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user_id
+ - vendor_product
example_log: 22542200x800000000000000022542200x8000000000000000113892Microsoft-Windows-Sysmon/Operationalwin-dc-299.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-299.attackrange.local-2021-03-24
12:25:12.840{3CFDEE80-2F7D-605B-F50A-00000000AE01}717250.220.65.3.spam.dnsbl.sorbs.net23542300x800000000000000023542300x8000000000000000281771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01
10:57:09.814{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\Administrator354300x8000000000000000354300x8000000000000000156837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15
12:56:19.679{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe534500x8000000000000000534500x800000000000000039965Microsoft-Windows-Sysmon/Operationalwin-dc-654.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-654.attackrange.local-2021-03-16
14:01:44.004{26337912-BA32-6050-3506-00000000AE01}8672C:\Users\Public\steam.exe
diff --git a/data_sources/sysmon_eventid_6.yml b/data_sources/sysmon_eventid_6.yml
index 9cf7db46b6..d019cb51cf 100644
--- a/data_sources/sysmon_eventid_6.yml
+++ b/data_sources/sysmon_eventid_6.yml
@@ -1,98 +1,102 @@
name: Sysmon EventID 6
id: eadc297a-c20c-45a1-8fac-74ad54019767
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the loading of a driver into the kernel or user mode, including details about the driver name, file path, and associated process metadata.
+description: Logs the loading of a driver into the kernel or user mode, including
+ details about the driver name, file path, and associated process metadata.
mitre_components:
-- Driver Load
-- Process Metadata
-- Application Log Content
-- OS API Execution
+ - Driver Load
+ - Process Metadata
+ - Application Log Content
+ - OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 6
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
-- name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+ - name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Hashes
-- ImageLoaded
-- Keywords
-- Level
-- MD5
-- Name
-- Opcode
-- ProcessID
-- RecordID
-- RecordNumber
-- RuleName
-- SHA256
-- SecurityID
-- Signature
-- SignatureStatus
-- Signed
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- os
-- process_hash
-- process_path
-- punct
-- service_signature_exists
-- service_signature_verified
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
+ - _time
+ - Channel
+ - Computer
+ - EventChannel
+ - EventCode
+ - EventData_Xml
+ - EventDescription
+ - EventID
+ - EventRecordID
+ - Guid
+ - Hashes
+ - ImageLoaded
+ - Keywords
+ - Level
+ - MD5
+ - Name
+ - Opcode
+ - ProcessID
+ - RecordID
+ - RecordNumber
+ - RuleName
+ - SHA256
+ - SecurityID
+ - Signature
+ - SignatureStatus
+ - Signed
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - TimeCreated
+ - UserID
+ - UtcTime
+ - Version
+ - action
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - os
+ - process_hash
+ - process_path
+ - punct
+ - service_signature_exists
+ - service_signature_verified
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user_id
+ - vendor_product
example_log: 644600x8000000000000000644600x800000000000000015708989Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-04-04
- 17:37:04.640C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysC:\Program
+ Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6trueRiverbed Technology, Inc.Valid
diff --git a/data_sources/sysmon_eventid_7.yml b/data_sources/sysmon_eventid_7.yml
index 24d4800817..23a3dcf3a1 100644
--- a/data_sources/sysmon_eventid_7.yml
+++ b/data_sources/sysmon_eventid_7.yml
@@ -1,121 +1,125 @@
name: Sysmon EventID 7
id: 45512fa5-4d55-4088-9d51-f4dedc16fdff
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the loading of an image (module) into a process, including details about the image name, file path, and hash information.
+description: Logs the loading of an image (module) into a process, including details
+ about the image name, file path, and hash information.
mitre_components:
-- Module Load
-- Process Metadata
-- File Metadata
-- Application Log Content
-- OS API Execution
+ - Module Load
+ - Process Metadata
+ - File Metadata
+ - Application Log Content
+ - OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 7
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
-- name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+ - name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
-- _time
-- Channel
-- Company
-- Computer
-- Description
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- FileVersion
-- Guid
-- Hashes
-- IMPHASH
-- Image
-- ImageLoaded
-- Keywords
-- Level
-- MD5
-- Name
-- Opcode
-- OriginalFileName
-- ProcessGuid
-- ProcessID
-- ProcessId
-- Product
-- RecordID
-- RecordNumber
-- RuleName
-- SHA256
-- SecurityID
-- Signature
-- SignatureStatus
-- Signed
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- User
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- os
-- parent_process_exec
-- parent_process_guid
-- parent_process_id
-- parent_process_name
-- parent_process_path
-- process_exec
-- process_hash
-- process_name
-- process_path
-- punct
-- service_dll_signature_exists
-- service_dll_signature_verified
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- vendor_product
+ - _time
+ - Channel
+ - Company
+ - Computer
+ - Description
+ - EventChannel
+ - EventCode
+ - EventData_Xml
+ - EventDescription
+ - EventID
+ - EventRecordID
+ - FileVersion
+ - Guid
+ - Hashes
+ - IMPHASH
+ - Image
+ - ImageLoaded
+ - Keywords
+ - Level
+ - MD5
+ - Name
+ - Opcode
+ - OriginalFileName
+ - ProcessGuid
+ - ProcessID
+ - ProcessId
+ - Product
+ - RecordID
+ - RecordNumber
+ - RuleName
+ - SHA256
+ - SecurityID
+ - Signature
+ - SignatureStatus
+ - Signed
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - TimeCreated
+ - User
+ - UserID
+ - UtcTime
+ - Version
+ - action
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - os
+ - parent_process_exec
+ - parent_process_guid
+ - parent_process_id
+ - parent_process_name
+ - parent_process_path
+ - process_exec
+ - process_hash
+ - process_name
+ - process_path
+ - punct
+ - service_dll_signature_exists
+ - service_dll_signature_verified
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::action
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - vendor_product
example_log: 734700x8000000000000000734700x800000000000000045273Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localMicrosoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-09-12
08:06:31.433{8814F3F5-1C07-6500-9600-000000000E03}4440C:\Users\Administrator\AppData\Local\Temp\server.exeC:\Users\Administrator\AppData\Local\Temp\server.exe-----MD5=696CBE2CB6F7FAC5ED6262BCA51238BB,SHA256=43005D86607DC94C7D378AA1B8844947BAA03860652F2F2340266061AF12E524,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744--MD5=696CBE2CB6F7FAC5ED6262BCA51238BB,SHA256=43005D86607DC94C7D378AA1B8844947BAA03860652F2F2340266061AF12E524,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-UnavailableATTACKRANGE\Administrator
diff --git a/data_sources/sysmon_eventid_8.yml b/data_sources/sysmon_eventid_8.yml
index ff4dd0f046..086d972abf 100644
--- a/data_sources/sysmon_eventid_8.yml
+++ b/data_sources/sysmon_eventid_8.yml
@@ -1,108 +1,111 @@
name: Sysmon EventID 8
id: df7a786c-ade0-48f0-8596-26f10d169f7d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the creation of a new thread in a process, including details about the thread ID, start address, and source process.
+description: Logs the creation of a new thread in a process, including details about
+ the thread ID, start address, and source process.
mitre_components:
-- Process Modification
-- Process Metadata
-- Application Log Content
-- OS API Execution
+ - Process Modification
+ - Process Metadata
+ - Application Log Content
+ - OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 8
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
-- name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+ - name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- NewThreadId
-- Opcode
-- ProcessID
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SourceImage
-- SourceProcessGuid
-- SourceProcessId
-- StartAddress
-- StartFunction
-- StartModule
-- SystemTime
-- System_Props_Xml
-- TargetImage
-- TargetProcessGuid
-- TargetProcessId
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- os
-- parent_process_exec
-- parent_process_guid
-- parent_process_id
-- parent_process_name
-- parent_process_path
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_address
-- src_function
-- src_module
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
+ - _time
+ - Channel
+ - Computer
+ - EventChannel
+ - EventCode
+ - EventData_Xml
+ - EventDescription
+ - EventID
+ - EventRecordID
+ - Guid
+ - Keywords
+ - Level
+ - Name
+ - NewThreadId
+ - Opcode
+ - ProcessID
+ - RecordID
+ - RecordNumber
+ - RuleName
+ - SecurityID
+ - SourceImage
+ - SourceProcessGuid
+ - SourceProcessId
+ - StartAddress
+ - StartFunction
+ - StartModule
+ - SystemTime
+ - System_Props_Xml
+ - TargetImage
+ - TargetProcessGuid
+ - TargetProcessId
+ - Task
+ - ThreadID
+ - TimeCreated
+ - UserID
+ - UtcTime
+ - Version
+ - action
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - os
+ - parent_process_exec
+ - parent_process_guid
+ - parent_process_id
+ - parent_process_name
+ - parent_process_path
+ - process_exec
+ - process_guid
+ - process_id
+ - process_name
+ - process_path
+ - punct
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - src_address
+ - src_function
+ - src_module
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user_id
+ - vendor_product
example_log: 824800x8000000000000000824800x8000000000000000362233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-487.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-487.attackrange.local-2022-10-27
13:59:12.427{3381F800-8EB0-635A-1306-000000008A02}4864C:\Windows\SysWOW64\wermgr.exe924900x8000000000000000924900x8000000000000000190607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25
12:25:33.359{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe\Device\HarddiskVolume1
diff --git a/data_sources/sysmon_for_linux_eventid_1.yml b/data_sources/sysmon_for_linux_eventid_1.yml
index ac395956a2..5850fd83d6 100644
--- a/data_sources/sysmon_for_linux_eventid_1.yml
+++ b/data_sources/sysmon_for_linux_eventid_1.yml
@@ -1,115 +1,118 @@
name: Sysmon for Linux EventID 1
id: 93643652-30fe-4941-a1f7-6454f2948660
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs process creation events on Linux systems, including details about the process name, process ID, command line arguments, and parent process ID.
+description: Logs process creation events on Linux systems, including details about
+ the process name, process ID, command line arguments, and parent process ID.
mitre_components:
-- Process Creation
-- Command Execution
-- Process Metadata
-- OS API Execution
-- Application Log Content
+ - Process Creation
+ - Command Execution
+ - Process Metadata
+ - OS API Execution
+ - Application Log Content
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
separator: EventID
separator_value: 1
supported_TA:
-- name: Splunk Add-on for Sysmon for Linux
- url: https://splunkbase.splunk.com/app/6652
- version: 1.0.0
+ - name: Splunk Add-on for Sysmon for Linux
+ url: https://splunkbase.splunk.com/app/6652
+ version: 1.0.0
fields:
-- _time
-- Channel
-- CommandLine
-- Company
-- Computer
-- CurrentDirectory
-- Description
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- FileVersion
-- Guid
-- Hashes
-- Image
-- IntegrityLevel
-- Keywords
-- Level
-- LogonGuid
-- LogonId
-- Name
-- Opcode
-- OriginalFileName
-- ParentCommandLine
-- ParentImage
-- ParentProcessGuid
-- ParentProcessId
-- ParentUser
-- ProcessGuid
-- ProcessID
-- ProcessId
-- Product
-- RecordID
-- RuleName
-- SystemTime
-- System_Props_Xml
-- Task
-- TerminalSessionId
-- ThreadID
-- User
-- UserId
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- eventtype
-- host
-- index
-- linecount
-- original_file_name
-- os
-- parent_process
-- parent_process_exec
-- parent_process_guid
-- parent_process_id
-- parent_process_name
-- parent_process_path
-- process
-- process_current_directory
-- process_exec
-- process_guid
-- process_hash
-- process_id
-- process_integrity_level
-- process_name
-- process_path
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- vendor_product
-example_log: 154100x8000000000000000154100x80000000000000001926574Linux-Sysmon/Operationalar-linuxLinux-Sysmon/Operationalar-linux-2022-08-09
10:42:47.757{ec23eae3-3a27-62f2-085e-16549b550000}10268/usr/bin/sudo-11241100x800000000000000011241100x8000000000000000792913Linux-Sysmon/Operationalsysmonlinux-tcontreras-attack-range-4134Linux-Sysmon/Operationalsysmonlinux-tcontreras-attack-range-4134-2021-12-20
16:07:17.929{ec2c97d1-6aa9-61c0-3038-618238560000}5256/opt/splunkforwarder/bin/splunkd4688201331200x80200000000000004688201331200x8020000000000000362027Securityar-win-2.attackrange.localSecurityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa44C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe228202000x80000000000000228202000x800000000000001001307Applicationwin-dc-exch01.attackrange.localc:\temp\msf.dllAMD64C1000000
+ ProcessID='0'
+ ThreadID='0'/>Applicationwin-dc-exch01.attackrange.localc:\temp\msf.dllAMD64C1000000
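Review bot: The two added continuation lines `ProcessID='0'` and `ThreadID='0'/>Application...` look like a fragment of the raw XML `<Execution ProcessID='0' ThreadID='0'/>` element, while the rest of the sample has its tags stripped, so the new example_log mixes two representations and will fold on load into `... C1000000 ProcessID='0' ThreadID='0'/>Application...`. The sample for a Sysmon for Linux EventID 1 source also still carries a Windows Security 4688 event (`Securityar-win-2.attackrange.local`) and an Application-channel event (`Applicationwin-dc-exch01.attackrange.local`, `msf.dll`) on the context line above, so anyone validating the `fields` list or the `sysmon:linux` sourcetype against it will be checking the wrong data; keeping a single Linux-Sysmon/Operational event here would fix both issues. The removed `example_log:` key line has no visible added counterpart in this view, which is probably a collapsed patch line, but it is worth confirming the key survived the rewrap.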
diff --git a/data_sources/windows_event_log_application_3000.yml b/data_sources/windows_event_log_application_3000.yml
index 9ec681c407..f7588b104a 100644
--- a/data_sources/windows_event_log_application_3000.yml
+++ b/data_sources/windows_event_log_application_3000.yml
@@ -1,72 +1,75 @@
name: Windows Event Log Application 3000
id: 3911945d-9222-408d-b851-9b1bce4c2d24
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the termination of a process, including details about the process, its termination code, and timestamp.
+description: Logs the termination of a process, including details about the process,
+ its termination code, and timestamp.
mitre_components:
-- Process Termination
-- Process Metadata
-- Application Log Content
-- OS API Execution
+ - Process Termination
+ - Process Metadata
+ - Application Log Content
+ - OS API Execution
source: XmlWinEventLog:Application
sourcetype: XmlWinEventLog
separator: EventCode
separator_value: 3000
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventRecordID
-- EventSourceName
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- Qualifiers
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserID
-- Version
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- param1
-- param2
-- param3
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timestamp
-- user_id
-- vendor_product
+ - _time
+ - Channel
+ - Computer
+ - Error_Code
+ - EventCode
+ - EventData_Xml
+ - EventRecordID
+ - EventSourceName
+ - Guid
+ - Keywords
+ - Level
+ - Name
+ - Opcode
+ - ProcessID
+ - Qualifiers
+ - RecordNumber
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - UserID
+ - Version
+ - dest
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - param1
+ - param2
+ - param3
+ - punct
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::eventtype
+ - timestamp
+ - user_id
+ - vendor_product
example_log: 300004000x80000000000000300004000x8000000000000021334Applicationwin-host-mhaag-attack-range-117Applicationwin-host-mhaag-attack-range-117C:\Windows\System32\klist.exe001d8c3afcf370d13
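Review bot: The `example_log` on the last line reads as a Windows XML event with every tag stripped (`300004000x8000…`, then the channel, host and `klist.exe` path run together), so it no longer shows which of the listed `fields` map to which part of the record. The same stripped form appears in the CAPI2 70, RemoteConnectionManager 1149 and Security 1100/1102/4624/4672 sections of this patch, and the CAPI2 70 and Security 4624/4672 samples additionally look like several different events concatenated (the 4624 sample runs through what appear to be 4625, 4627, 4648, 4662 and 4663 records and stops mid-path at `C:\Program`; the CAPI2 70 sample ends in Windows Defender records). One complete record per file, written as a `|-` block scalar so it can be read line by line, would make these usable as documentation of the field list. Separately, `sourcetype: XmlWinEventLog` here is spelled `xmlwineventlog` in the CAPI2 and Security files of the same patch; if any consumer compares that value exactly, the casing should be normalized while the files are being rewritten anyway.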
diff --git a/data_sources/windows_event_log_capi2_70.yml b/data_sources/windows_event_log_capi2_70.yml
index 0ac0455e60..1ace202695 100644
--- a/data_sources/windows_event_log_capi2_70.yml
+++ b/data_sources/windows_event_log_capi2_70.yml
@@ -1,75 +1,78 @@
name: Windows Event Log CAPI2 70
id: 821de0a6-c5b4-491b-a27e-187552792817
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: This event log records events related to cryptographic operations, including the deletion and export of certificates.
+description: This event log records events related to cryptographic operations, including
+ the deletion and export of certificates.
mitre_components:
-- Certificate Registration
-- Process Metadata
-- Application Log Content
-- OS API Execution
-- Host Status
+ - Certificate Registration
+ - Process Metadata
+ - Application Log Content
+ - OS API Execution
+ - Host Status
source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 70
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- Channel
-- Computer
-- EventCode
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserData_Xml
-- UserID
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
+ - _time
+ - Channel
+ - Computer
+ - EventCode
+ - EventID
+ - EventRecordID
+ - Guid
+ - Keywords
+ - Level
+ - Name
+ - Opcode
+ - ProcessID
+ - RecordNumber
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - UserData_Xml
+ - UserID
+ - Version
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - punct
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user_id
+ - vendor_product
example_log: 70047000x400000000000008070047000x4000000000000080308332Microsoft-Windows-CAPI2/Operationalwin-dc-mhaag-attack-range-84.attackrange.localMicrosoft-Windows-CAPI2/Operationalwin-dc-mhaag-attack-range-84.attackrange.local81028020x400000000000004081028020x40000000000000402400597Microsoft-Windows-CAPI2/Operationalmswin-server.attackrange.localMicrosoft-Windows-CAPI2/Operationalmswin-server.attackrange.local{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}WTD_UI_NONEWTD_STATEACTION_VERIFY2021-01-07T23:21:42.655Z2021-01-07T23:21:42.655ZThe digital signature of the object did not verify.100704000x8000000000000000100704000x80000000000000002Microsoft-Windows-CertificateServicesClient-Lifecycle-System/OperationalDESKTOP-92OQLA1112103000x8000000000000000112103000x80000000000000002975Microsoft-Windows-Windows Defender/Operationalresearchvmhaa112204000x8000000000000000112204000x80000000000000003701Microsoft-Windows-Windows Defender/Operationalresearchvmhaa500704000x8000000000000000500704000x80000000000000003726Microsoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender
diff --git a/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml b/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
index 22e591d7a7..66a21053dc 100644
--- a/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
+++ b/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
@@ -1,64 +1,55 @@
name: Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
id: 2490537e-5e0c-46f7-9209-f56f852aa217
-version: 1
-date: '2024-11-21'
+version: 2
+date: '2025-01-23'
author: Michael Haag, Splunk
-description: Logs an event when a Remote Desktop Protocol (RDP) client successfully connects to a remote host.
+description: Logs an event when a Remote Desktop Protocol (RDP) client successfully
+ connects to a remote host.
mitre_components:
-- Network Connection Creation
-- Logon Session Creation
+ - Network Connection Creation
+ - Logon Session Creation
source: WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational
sourcetype: WinEventLog
separator: EventCode
supported_TA: []
fields:
-- _time
-- Channel
-- Computer
-- EventCode
-- EventData
-- EventID
-- EventRecordID
-- EventType
-- Keywords
-- Level
-- Message
-- Opcode
-- ProcessID
-- RecordNumber
-- Security_ID
-- Src
-- Src_Host
-- Src_NT_Domain
-- Src_User
-- System_TimeCreated
-- Task
-- ThreadID
-- Type
-- User
-- UserID
-- Version
-- dest
-- dvc
-- event_id
-- host
-- source
-- sourcetype
-- tag
-- user
-example_log:
- 11/21/2024 06:09:16 PM
- LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational
- EventCode=1024
- EventType=4
- ComputerName=ar-win-5.attackrange.local
- User=NOT_TRANSLATED
- Sid=S-1-5-21-1731938146-2314223186-1848411941-500
- SidType=0
- SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore
- Type=Information
- RecordNumber=95
- Keywords=None
- TaskCategory=Connection Sequence
- OpCode=This event is raised during the connection process
- Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57)
\ No newline at end of file
+ - _time
+ - Channel
+ - Computer
+ - EventCode
+ - EventData
+ - EventID
+ - EventRecordID
+ - EventType
+ - Keywords
+ - Level
+ - Message
+ - Opcode
+ - ProcessID
+ - RecordNumber
+ - Security_ID
+ - Src
+ - Src_Host
+ - Src_NT_Domain
+ - Src_User
+ - System_TimeCreated
+ - Task
+ - ThreadID
+ - Type
+ - User
+ - UserID
+ - Version
+ - dest
+ - dvc
+ - event_id
+ - host
+ - source
+ - sourcetype
+ - tag
+ - user
+example_log: 11/21/2024 06:09:16 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational
+ EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED
+ Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore
+ Type=Information RecordNumber=95 Keywords=None TaskCategory=Connection Sequence
+ OpCode=This event is raised during the connection process Message=RDP ClientActiveX
+ is trying to connect to the server (34.221.50.57)
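Review bot: `separator: EventCode` near the top of the hunk has no `separator_value`, although every other section visible in this patch pairs the two (`separator_value: 316`, `1149`, `4624`, …) and both the file name and the sample log (`EventCode=1024`) identify the event; unless the schema treats the value as optional, add `separator_value: 1024` directly after `separator: EventCode`. The reflowed `example_log` is a multi-line plain scalar, so its line breaks fold to single spaces and the value is unchanged, but `example_log: >-` with the text indented beneath it would state that intent explicitly instead of relying on plain-scalar folding. This is also the only empty `supported_TA: []` among the sections visible here; confirm whether the Windows add-on entry used by the sibling files applies to this channel as well.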
diff --git a/data_sources/windows_event_log_printservice_316.yml b/data_sources/windows_event_log_printservice_316.yml
index 507a925e5d..74eecb2f6a 100644
--- a/data_sources/windows_event_log_printservice_316.yml
+++ b/data_sources/windows_event_log_printservice_316.yml
@@ -1,63 +1,63 @@
name: Windows Event Log Printservice 316
id: 12f0be8b-22c0-4fdf-9468-b7ccca824d1d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when printer drivers are installed or updated on the system.
mitre_components:
-- Driver Load
-- Driver Metadata
+ - Driver Load
+ - Driver Metadata
source: WinEventLog:Microsoft-Windows-PrintService/Admin
sourcetype: WinEventLog
separator: EventCode
separator_value: 316
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- ComputerName
-- EventCode
-- EventType
-- Keywords
-- LogName
-- Message
-- OpCode
-- RecordNumber
-- Sid
-- SidType
-- SourceName
-- TaskCategory
-- Type
-- User
-- category
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- punct
-- severity
-- severity_id
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor_product
+ - _time
+ - ComputerName
+ - EventCode
+ - EventType
+ - Keywords
+ - LogName
+ - Message
+ - OpCode
+ - RecordNumber
+ - Sid
+ - SidType
+ - SourceName
+ - TaskCategory
+ - Type
+ - User
+ - category
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - punct
+ - severity
+ - severity_id
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - vendor_product
example_log: 07/01/2021 04:20:47 PM
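Review bot: `example_log: 07/01/2021 04:20:47 PM` on the last line is only a timestamp; the rest of the record (LogName, EventCode, Message, the `Sid`/`User` values that the `fields` list names) is missing, so the sample cannot be used to check the field list or the `separator_value: 316` above it. The Printservice 808 section below carries the identical truncated value. A complete sample event per file, in the same `LogName=… EventCode=… Message=…` key=value shape the RDPClient 1024 section uses, would make these useful.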
diff --git a/data_sources/windows_event_log_printservice_808.yml b/data_sources/windows_event_log_printservice_808.yml
index ef717b2d20..3f73b548be 100644
--- a/data_sources/windows_event_log_printservice_808.yml
+++ b/data_sources/windows_event_log_printservice_808.yml
@@ -1,67 +1,68 @@
name: Windows Event Log Printservice 808
id: e3a26785-4389-4830-8d7b-3dad4252719e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when the print spooler service fails to load a printer plug-in module.
+description: Logs an event when the print spooler service fails to load a printer
+ plug-in module.
mitre_components:
-- Module Load
-- Application Log Content
-- Service Metadata
+ - Module Load
+ - Application Log Content
+ - Service Metadata
source: WinEventLog:Microsoft-Windows-PrintService/Admin
sourcetype: WinEventLog
separator: EventCode
separator_value: 808
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- ComputerName
-- EventCode
-- EventType
-- Keywords
-- LogName
-- Message
-- OpCode
-- RecordNumber
-- Sid
-- SidType
-- SourceName
-- TaskCategory
-- Type
-- User
-- category
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- punct
-- severity
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- subject
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor_product
+ - _time
+ - ComputerName
+ - EventCode
+ - EventType
+ - Keywords
+ - LogName
+ - Message
+ - OpCode
+ - RecordNumber
+ - Sid
+ - SidType
+ - SourceName
+ - TaskCategory
+ - Type
+ - User
+ - category
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - name
+ - punct
+ - severity
+ - severity_id
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - subject
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - vendor_product
example_log: 07/01/2021 04:20:47 PM
diff --git a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
index 14c3a6bc1a..00eb66eec2 100644
--- a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
+++ b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
@@ -1,64 +1,67 @@
name: Windows Event Log RemoteConnectionManager 1149
id: 08f9edb4-f95f-40be-b1dd-bc3a1cd95aaf
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a Remote Desktop Service session is initialized.
mitre_components:
-- Network Connection Creation
-- Logon Session Creation
-- Logon Session Metadata
-source: WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
+ - Network Connection Creation
+ - Logon Session Creation
+ - Logon Session Metadata
+source:
+ WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
sourcetype: wineventlog
separator: EventCode
separator_value: 1149
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- ActivityID
-- Channel
-- Computer
-- EventCode
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserData_Xml
-- UserID
-- Version
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timestamp
-- user_id
-- vendor_product
+ - _time
+ - ActivityID
+ - Channel
+ - Computer
+ - EventCode
+ - EventID
+ - EventRecordID
+ - Guid
+ - Keywords
+ - Level
+ - Name
+ - Opcode
+ - ProcessID
+ - RecordNumber
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - UserData_Xml
+ - UserID
+ - Version
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - punct
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::eventtype
+ - timestamp
+ - user_id
+ - vendor_product
example_log: 114904000x1000000000000000114904000x10000000000000002064Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operationalar-win-1.attackrange.localAdministratorATTACKRANGE10.0.1.14
+ UserID='S-1-5-20'/>AdministratorATTACKRANGE10.0.1.14
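Review bot: Moving the `source` value onto its own continuation line (`source:` followed by an indented `WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational`) keeps the same string, because the colon inside it is not followed by a space and the line folds into the key's plain scalar, but at a glance it reads like an empty `source` with a stray line under it. `source: >-` with the path indented beneath it, or the path quoted on one line with the line-length rule relaxed for it, expresses the same value without depending on that parsing rule.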
diff --git a/data_sources/windows_event_log_security_1100.yml b/data_sources/windows_event_log_security_1100.yml
index 41e0c3fced..3c118a5dfc 100644
--- a/data_sources/windows_event_log_security_1100.yml
+++ b/data_sources/windows_event_log_security_1100.yml
@@ -1,84 +1,86 @@
name: Windows Event Log Security 1100
id: 2a25dafa-691e-4cb2-ae59-07a48867ed9a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when the event logging service has shut down.
mitre_components:
-- Host Status
-- System Configuration Changes
+ - Host Status
+ - System Configuration Changes
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 1100
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserData_Xml
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object_attrs
-- object_category
-- product
-- punct
-- service
-- service_name
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
+ - _time
+ - Channel
+ - Computer
+ - Error_Code
+ - EventCode
+ - EventID
+ - EventRecordID
+ - Guid
+ - Keywords
+ - Level
+ - Name
+ - Opcode
+ - ProcessID
+ - RecordNumber
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - UserData_Xml
+ - Version
+ - action
+ - app
+ - change_type
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - name
+ - object_attrs
+ - object_category
+ - product
+ - punct
+ - service
+ - service_name
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - subject
+ - ta_windows_action
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - vendor
+ - vendor_product
example_log: 11000410300x402000000000000011000410300x4020000000000000140874Securityar-win-2Securityar-win-2
diff --git a/data_sources/windows_event_log_security_1102.yml b/data_sources/windows_event_log_security_1102.yml
index 50bcf53f6b..3e46c4323f 100644
--- a/data_sources/windows_event_log_security_1102.yml
+++ b/data_sources/windows_event_log_security_1102.yml
@@ -1,90 +1,92 @@
name: Windows Event Log Security 1102
id: 8db7b91a-6d7a-40e7-bfac-06f8e901a9cb
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when the audit log is cleared.
mitre_components:
-- User Account Modification
-- Logon Session Metadata
-- File Deletion
+ - User Account Modification
+ - Logon Session Metadata
+ - File Deletion
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 1102
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- Caller_User_Name
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- LogFileCleared_Xml
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserData_Xml
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object_attrs
-- object_category
-- product
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
+ - _time
+ - Caller_User_Name
+ - Channel
+ - Computer
+ - Error_Code
+ - EventCode
+ - EventID
+ - EventRecordID
+ - Guid
+ - Keywords
+ - Level
+ - LogFileCleared_Xml
+ - Name
+ - Opcode
+ - ProcessID
+ - RecordNumber
+ - SubjectDomainName
+ - SubjectLogonId
+ - SubjectUserName
+ - SubjectUserSid
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - UserData_Xml
+ - Version
+ - action
+ - app
+ - change_type
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - name
+ - object_attrs
+ - object_category
+ - product
+ - punct
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - src_user
+ - status
+ - subject
+ - ta_windows_action
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - vendor
+ - vendor_product
example_log: 11020410400x402000000000000011020410400x40200000000000001826166Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a27
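Review bot: `User Account Modification` under `mitre_components` does not follow from the description `Logs an event when the audit log is cleared.`; the fields the file lists (`SubjectUserName`, `SubjectLogonId`, `LogFileCleared_Xml`) describe who cleared the log, not a change to an account, so `Logon Session Metadata` and `File Deletion` are defensible while the first entry looks like a copy-over. The Security 1100 section in this same patch maps the logging service shutting down to `Host Status`, and `Application Log Content` is used for several other sources here; one of those seems the closer fit for a cleared audit log, but whoever owns the MITRE mapping should confirm before it is changed.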
diff --git a/data_sources/windows_event_log_security_4624.yml b/data_sources/windows_event_log_security_4624.yml
index 0faba24352..62d69f0c10 100644
--- a/data_sources/windows_event_log_security_4624.yml
+++ b/data_sources/windows_event_log_security_4624.yml
@@ -1,128 +1,129 @@
name: Windows Event Log Security 4624
id: 08682968-0366-4882-9559-fe4fe018a846
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an account successfully logs on to a system.
mitre_components:
-- Logon Session Creation
-- User Account Authentication
-- Logon Session Metadata
+ - Logon Session Creation
+ - User Account Authentication
+ - Logon Session Metadata
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 4624
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- ActivityID
-- AuthenticationPackageName
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- ElevatedToken
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- ImpersonationLevel
-- IpAddress
-- IpPort
-- KeyLength
-- Keywords
-- Level
-- LmPackageName
-- LogonGuid
-- LogonProcessName
-- LogonType
-- Logon_ID
-- Logon_Type
-- Name
-- Opcode
-- ProcessID
-- ProcessId
-- ProcessName
-- RecordNumber
-- RestrictedAdminMode
-- Source_Port
-- Source_Workstation
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetLinkedLogonId
-- TargetLogonId
-- TargetOutboundDomainName
-- TargetOutboundUserName
-- TargetUserName
-- TargetUserSid
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- TransmittedServices
-- Version
-- VirtualAccount
-- WorkstationName
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- process
-- process_id
-- process_name
-- process_path
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_ip
-- src_port
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::app
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- vendor
-- vendor_product
+ - _time
+ - ActivityID
+ - AuthenticationPackageName
+ - Caller_Domain
+ - Caller_User_Name
+ - Channel
+ - Computer
+ - ElevatedToken
+ - Error_Code
+ - EventCode
+ - EventData_Xml
+ - EventID
+ - EventRecordID
+ - Guid
+ - ImpersonationLevel
+ - IpAddress
+ - IpPort
+ - KeyLength
+ - Keywords
+ - Level
+ - LmPackageName
+ - LogonGuid
+ - LogonProcessName
+ - LogonType
+ - Logon_ID
+ - Logon_Type
+ - Name
+ - Opcode
+ - ProcessID
+ - ProcessId
+ - ProcessName
+ - RecordNumber
+ - RestrictedAdminMode
+ - Source_Port
+ - Source_Workstation
+ - SubjectDomainName
+ - SubjectLogonId
+ - SubjectUserName
+ - SubjectUserSid
+ - SystemTime
+ - System_Props_Xml
+ - TargetDomainName
+ - TargetLinkedLogonId
+ - TargetLogonId
+ - TargetOutboundDomainName
+ - TargetOutboundUserName
+ - TargetUserName
+ - TargetUserSid
+ - Target_Domain
+ - Target_User_Name
+ - Task
+ - ThreadID
+ - TransmittedServices
+ - Version
+ - VirtualAccount
+ - WorkstationName
+ - action
+ - app
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_nt_domain
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - name
+ - process
+ - process_id
+ - process_name
+ - process_path
+ - product
+ - punct
+ - session_id
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - src_ip
+ - src_port
+ - status
+ - subject
+ - ta_windows_action
+ - tag
+ - tag::action
+ - tag::app
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_group
+ - vendor
+ - vendor_product
example_log: 4624201254400x80200000000000004624201254400x8020000000000000371886Securityar-win-7.attackrange.local4625001254400x80100000000000004625001254400x8010000000000000367348Securityar-win-8.attackrange.local4627001255400x80200000000000004627001255400x8020000000000000186260Securityar-win-dc.attackrange.local4648001254400x80200000000000004648001254400x8020000000000000336567Securitywin-host-mvelazco-02713-447.attackrange.local4662001408000x80100000000000004662001408000x801000000000000021623198276Securityattack_range_dc4663101280000x80200000000000004663101280000x802000000000000010525869Securityar-win-2.attackrange.localSecurityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x6cfe7SecurityFileC:\Program
diff --git a/data_sources/windows_event_log_security_4672.yml b/data_sources/windows_event_log_security_4672.yml
index 71facef2ee..9c507ba8bc 100644
--- a/data_sources/windows_event_log_security_4672.yml
+++ b/data_sources/windows_event_log_security_4672.yml
@@ -1,92 +1,94 @@
name: Windows Event Log Security 4672
id: 43f189b6-369d-4a32-a34c-57e0d38d92f1
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs an event when a user with administrative privileges logs on to a system.
+description: Logs an event when a user with administrative privileges logs on to a
+ system.
mitre_components:
-- Logon Session Creation
-- User Account Authentication
+ - Logon Session Creation
+ - User Account Authentication
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 4672
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- ActivityID
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- Opcode
-- PrivilegeList
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
+ - _time
+ - ActivityID
+ - Caller_Domain
+ - Caller_User_Name
+ - Channel
+ - Computer
+ - Error_Code
+ - EventCode
+ - EventData_Xml
+ - EventID
+ - EventRecordID
+ - Guid
+ - Keywords
+ - Level
+ - Logon_ID
+ - Name
+ - Opcode
+ - PrivilegeList
+ - ProcessID
+ - RecordNumber
+ - SubjectDomainName
+ - SubjectLogonId
+ - SubjectUserName
+ - SubjectUserSid
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - Version
+ - action
+ - app
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - name
+ - product
+ - punct
+ - session_id
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - src_nt_domain
+ - src_user
+ - status
+ - subject
+ - ta_windows_action
+ - tag
+ - tag::action
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - vendor
+ - vendor_product
example_log: 4672001254800x80200000000000004672001254800x8020000000000000148946Securityar-win-6.attackrange.local4688201331200x80200000000000004688201331200x8020000000000000432820Securityar-win-1Securityar-win-1NT AUTHORITY\SYSTEMAR-WIN-1$WORKGROUP0x3e70xf84C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe4703001331700x80200000000000004703001331700x8020000000000000328761Securitywin-host-ctus-attack-range-115Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91WIN-HOST-CTUS-A\AdministratorAdministrator4719001356800x80200000000000004719001356800x8020000000000000353597Securityar-win-dc.attackrange.local4724001382400x80200000000000004724001382400x8020000000000000276779Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localTRUMAN_CLEMENTSATTACKRANGEATTACKRANGE\TRUMAN_CLEMENTSATTACKRANGE\AdministratorAdministratorATTACKRANGE4725001382400x80200000000000004725001382400x8020000000000000278771Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localWILFORD_SUTTONATTACKRANGEATTACKRANGE\WILFORD_SUTTONATTACKRANGE\AdministratorAdministratorATTACKRANGE4726001382400x80200000000000004726001382400x8020000000000000279283Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localLYNN_WOLFATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2445ATTACKRANGE\AdministratorAdministratorATTACKRANGE4738001382400x80200000000000004738001382400x80200000000000006389713Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.local-unprivATTACKRANGES-1-5-21-945660386-2529346225-2932127451-1112S-1-5-21-945660386-2529346225-2932127451-500AdministratorATTACKRANGE4739001356900x80200000000000004739001356900x8020000000000000394176Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localLockout PolicyATTACKRANGEATTACKRANGE\NT 
AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE4741001382500x80200000000000004741001382500x8020000000000000143475Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localAR-WIN-2$ATTACKRANGEATTACKRANGE\AR-WIN-2$ATTACKRANGE\AdministratorAdministratorATTACKRANGE4742001382500x80200000000000004742001382500x8020000000000000901860Securitywin-dc-root-04195-428.attackrange.localSecuritywin-dc-root-04195-428.attackrange.local-WIN-HOST-ROOT-0$ATTACKRANGES-1-5-21-199921393-3534762603-6736986-1111S-1-5-21-199921393-3534762603-6736986-500Administrator4768001433900x80100000000000004768001433900x8010000000000000391562Securitywin-dc-mvelazco-02713-392.attackrange.localSecuritywin-dc-mvelazco-02713-392.attackrange.localRXETPKZHattackrange.localNULL SIDkrbtgt/attackrange.localNULL SID0x408100104769001433700x80200000000000004769001433700x8020000000000000148521Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localAR-WIN-2$@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-2$ATTACKRANGE\AR-WIN-2$0x408100000x174771001433900x80100000000000004771001433900x8010000000000000391511Securitywin-dc-mvelazco-02713-392.attackrange.localSecuritywin-dc-mvelazco-02713-392.attackrange.localALLISON_WATERSATTACKRANGE\ALLISON_WATERSkrbtgt/attackrange.local0x408100100x182::ffff:10.0.1.154776001433600x80100000000000004776001433600x8010000000000000391615Securitywin-dc-mvelazco-02713-392.attackrange.localSecuritywin-dc-mvelazco-02713-392.attackrange.localMICROSOFT_AUTHENTICATION_PACKAGE_V1_0KSYLEFUAWIN-HOST-MVELAZ0xc0000064
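Review bot: The reflowed description `Logs an event when a user with administrative privileges logs on to a system.` is narrower than what Security 4672 ("Special privileges assigned to new logon") records: it is written whenever a new logon session is granted sensitive privileges, which the `PrivilegeList` field in this file's list carries, and that includes SYSTEM and service-account logons, so a detection built on the description alone will treat routine machine logons as administrator activity. Suggested wording: `description: Logs an event when a new logon session is assigned sensitive privileges (for example SeDebugPrivilege or SeTcbPrivilege), listed in PrivilegeList; this fires for SYSTEM and service logons as well as interactive administrator logons.`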
diff --git a/data_sources/windows_event_log_security_4781.yml b/data_sources/windows_event_log_security_4781.yml
index 453217cdd0..eee4c4c3f3 100644
--- a/data_sources/windows_event_log_security_4781.yml
+++ b/data_sources/windows_event_log_security_4781.yml
@@ -1,110 +1,112 @@
name: Windows Event Log Security 4781
id: 9732ffe7-ebce-4557-865c-1725a0f633cb
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs changes made to the name of a computer account, including the old and new names and the user performing the action.
+description: Logs changes made to the name of a computer account, including the old
+ and new names and the user performing the action.
mitre_components:
-- User Account Modification
-- User Account Metadata
-- Active Directory Object Modification
-- Application Log Content
+ - User Account Modification
+ - User Account Metadata
+ - Active Directory Object Modification
+ - Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 4781
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- ActivityID
-- Caller_Domain
-- Caller_User_Name
-- CategoryString
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- NewTargetUserName
-- OldTargetUserName
-- Opcode
-- PrivilegeList
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetSid
-- Target_Domain
-- Task
-- ThreadID
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object
-- object_attrs
-- object_category
-- object_id
-- product
-- punct
-- result
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- src_user_name
-- status
-- subject
-- ta_windows_action
-- ta_windows_security_CategoryString
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_name
-- vendor
-- vendor_product
+ - _time
+ - ActivityID
+ - Caller_Domain
+ - Caller_User_Name
+ - CategoryString
+ - Channel
+ - Computer
+ - Error_Code
+ - EventCode
+ - EventData_Xml
+ - EventID
+ - EventRecordID
+ - Guid
+ - Keywords
+ - Level
+ - Logon_ID
+ - Name
+ - NewTargetUserName
+ - OldTargetUserName
+ - Opcode
+ - PrivilegeList
+ - ProcessID
+ - RecordNumber
+ - SubjectDomainName
+ - SubjectLogonId
+ - SubjectUserName
+ - SubjectUserSid
+ - SystemTime
+ - System_Props_Xml
+ - TargetDomainName
+ - TargetSid
+ - Target_Domain
+ - Task
+ - ThreadID
+ - Version
+ - action
+ - app
+ - change_type
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_nt_domain
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - name
+ - object
+ - object_attrs
+ - object_category
+ - object_id
+ - product
+ - punct
+ - result
+ - session_id
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - src_nt_domain
+ - src_user
+ - src_user_name
+ - status
+ - subject
+ - ta_windows_action
+ - ta_windows_security_CategoryString
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_name
+ - vendor
+ - vendor_product
example_log: 4781001382400x80200000000000004781001382400x8020000000000000148763Securityar-win-dc.attackrange.local4794001382400x80200000000000004794001382400x8020000000000000821077Securitywin-dc-root-17044-552.attackrange.local4798001382400x80200000000000004798001382400x8020000000000000386860Securityar-win-2.attackrange.local4876001280500x80200000000000004876001280500x802000000000000015379961Securitywin-dc-mhaag-attack-range-84.attackrange.local4886001280500x80200000000000004886001280500x802000000000000015379925Securitywin-dc-mhaag-attack-range-84.attackrange.local4887001280500x80200000000000004887001280500x80200000000000001830974609Securitycert_authority.attack_range.local5136001408100x80200000000000005136001408100x80200000000000001997365Securitywin-dc-mvelazco-02713-392.attackrange.local{73C96723-504B-4F15-830A-F4DDB1C48F2E}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x95675attackrange.local%%14676CN=DANNIE_CERVANTES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=localattackrange.local%%14676CN=DANNIE_CERVANTES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local{15AFB68A-679C-4F5B-AC18-4D988B3B3E44}userservicePrincipalName2.5.5.12adm/srv1.attackrange.local%%14674
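Review bot: The reflowed `description` on the two `+` lines near the top of the hunk is now a multi-line plain scalar, which folds the continuation into the value with a single space and will misparse if a later edit starts a continuation line with `#` or `- ` or puts `: ` inside it; a folded block scalar states the intent explicitly, `description: >-` with both text lines indented beneath it. The same reflow appears in the 5137, 5140, 7040, 7045 and TaskScheduler 200 hunks below. Nothing in the value text changes here, so the `version: 1` to `version: 2` bump appears to record formatting only; if consumers use `version` to detect content changes, confirm that a whitespace-only edit is meant to increment it.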
diff --git a/data_sources/windows_event_log_security_5137.yml b/data_sources/windows_event_log_security_5137.yml
index 8787969fa8..9dc78ab362 100644
--- a/data_sources/windows_event_log_security_5137.yml
+++ b/data_sources/windows_event_log_security_5137.yml
@@ -1,103 +1,107 @@
name: Windows Event Log Security 5137
id: 64ed7bb1-9c3c-4355-ac08-b506ec3b053e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the creation of a new Active Directory object, including details about the object name, type, and the user performing the action.
+description: Logs the creation of a new Active Directory object, including details
+ about the object name, type, and the user performing the action.
mitre_components:
-- Active Directory Object Creation
-- Active Directory Object Modification
-- User Account Metadata
-- Application Log Content
+ - Active Directory Object Creation
+ - Active Directory Object Modification
+ - User Account Metadata
+ - Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 5137
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- AppCorrelationID
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- DSName
-- DSType
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- ObjectClass
-- ObjectDN
-- ObjectGUID
-- OpCorrelationID
-- Opcode
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
+ - _time
+ - AppCorrelationID
+ - Caller_Domain
+ - Caller_User_Name
+ - Channel
+ - Computer
+ - DSName
+ - DSType
+ - Error_Code
+ - EventCode
+ - EventData_Xml
+ - EventID
+ - EventRecordID
+ - Guid
+ - Keywords
+ - Level
+ - Logon_ID
+ - Name
+ - ObjectClass
+ - ObjectDN
+ - ObjectGUID
+ - OpCorrelationID
+ - Opcode
+ - ProcessID
+ - RecordNumber
+ - SubjectDomainName
+ - SubjectLogonId
+ - SubjectUserName
+ - SubjectUserSid
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - Version
+ - action
+ - app
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - name
+ - product
+ - punct
+ - session_id
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - src_nt_domain
+ - src_user
+ - status
+ - subject
+ - ta_windows_action
+ - tag
+ - tag::action
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - vendor
+ - vendor_product
example_log: 5137001408100x80200000000000005137001408100x8020000000000000170140Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.local{681cac8c-b5a4-48fd-be93-4339996bd94d}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=localattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainer
diff --git a/data_sources/windows_event_log_security_5140.yml b/data_sources/windows_event_log_security_5140.yml
index 8d1883d26c..4fb8bf8cc6 100644
--- a/data_sources/windows_event_log_security_5140.yml
+++ b/data_sources/windows_event_log_security_5140.yml
@@ -1,121 +1,124 @@
name: Windows Event Log Security 5140
id: 93e0ca09-e4b8-4da6-872a-d0127c4d2b22
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs access to a network share, including details about the user, share path, and the access type.
+description: Logs access to a network share, including details about the user, share
+ path, and the access type.
mitre_components:
-- Network Share Access
-- File Access
-- User Account Metadata
-- Application Log Content
+ - Network Share Access
+ - File Access
+ - User Account Metadata
+ - Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 5140
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- AccessList
-- AccessMask
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- IpAddress
-- IpPort
-- Keywords
-- Level
-- Logon_ID
-- Name
-- ObjectType
-- Opcode
-- ProcessID
-- RecordNumber
-- ShareName
-- Source_Port
-- Source_Workstation
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- file_name
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_nt_domain
-- src_nt_host
-- src_port
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
+ - _time
+ - AccessList
+ - AccessMask
+ - Caller_Domain
+ - Caller_User_Name
+ - Channel
+ - Computer
+ - Error_Code
+ - EventCode
+ - EventData_Xml
+ - EventID
+ - EventRecordID
+ - Guid
+ - IpAddress
+ - IpPort
+ - Keywords
+ - Level
+ - Logon_ID
+ - Name
+ - ObjectType
+ - Opcode
+ - ProcessID
+ - RecordNumber
+ - ShareName
+ - Source_Port
+ - Source_Workstation
+ - SubjectDomainName
+ - SubjectLogonId
+ - SubjectUserName
+ - SubjectUserSid
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - Version
+ - action
+ - app
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - file_name
+ - host
+ - id
+ - index
+ - linecount
+ - name
+ - product
+ - punct
+ - session_id
+ - signature
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - src_nt_domain
+ - src_nt_host
+ - src_port
+ - src_user
+ - status
+ - subject
+ - ta_windows_action
+ - tag
+ - tag::action
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - vendor
+ - vendor_product
field_mappings:
-- data_model: ocsf
- mapping:
- AccessList: access_list
- AccessMask: access_mask
- AccessReason: access_result
- ShareLocalPath: file
- ObjectType: file.type
- IpAddress: src_endpoint.ip
- IpPort: src_endpoint.port
- SubjectDomainName: actor.user.domain
- SubjectUserName: actor.user.name
- SubjectLogonId: actor.session.uid
- SubjectUserSid: actor.user.uid
+ - data_model: ocsf
+ mapping:
+ AccessList: access_list
+ AccessMask: access_mask
+ AccessReason: access_result
+ ShareLocalPath: file
+ ObjectType: file.type
+ IpAddress: src_endpoint.ip
+ IpPort: src_endpoint.port
+ SubjectDomainName: actor.user.domain
+ SubjectUserName: actor.user.name
+ SubjectLogonId: actor.session.uid
+ SubjectUserSid: actor.user.uid
example_log: 5140101280800x80200000000000005140101280800x8020000000000000138541Securityar-win-66.attackrange.localSecurityar-win-66.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x2f259bFile10.0.1.16498645141001408100x80200000000000005141001408100x8020000000000000670908Securitywin-dc-range-02713-392.attackrange.local5145001281100x80200000000000005145001281100x80200000000000002018939Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localANONYMOUS LOGONANONYMOUS
LOGONATTACKRANGE0x13ef1bFile10.0.1.1550160703604000x8080000000000000703604000x8080000000000000168530Systemar-win-dc.attackrange.localsppsvcstopped7300700070007300760063002F0031000000
+ ProcessID='588'
+ ThreadID='2272'/>Systemar-win-dc.attackrange.localsppsvcstopped7300700070007300760063002F0031000000
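Review bot: The two added lines at the end of the hunk (`ProcessID='588'` and `ThreadID='2272'/>System…sppsvcstopped…`) extend `example_log` with what looks like a fragment of a System 7036 service-stop record rather than the 5140 share-access event this data source documents, and because `example_log` is a plain multi-line scalar they fold into the value, so the sample no longer represents a single 5140 event. The context lines just above already concatenate 5141, 5145 and 7036 fragments, so this may be an artifact of the reformatting tool re-wrapping one long line rather than an intentional edit. Please compare the rendered value against the version-1 file and restore one 5140 sample, ideally as `example_log: |-` so line breaks inside the sample are preserved verbatim.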
diff --git a/data_sources/windows_event_log_system_7040.yml b/data_sources/windows_event_log_system_7040.yml
index e1d08e67e4..3a5f943ee0 100644
--- a/data_sources/windows_event_log_system_7040.yml
+++ b/data_sources/windows_event_log_system_7040.yml
@@ -1,88 +1,91 @@
name: Windows Event Log System 7040
id: 91738e9e-d112-41c9-b91b-e5868d8993d9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs changes to the start type of a Windows service, including details about the service name, old start type, and new start type.
+description: Logs changes to the start type of a Windows service, including details
+ about the service name, old start type, and new start type.
mitre_components:
-- Service Modification
-- Service Metadata
-- OS API Execution
-- Application Log Content
+ - Service Modification
+ - Service Metadata
+ - OS API Execution
+ - Application Log Content
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 7040
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventRecordID
-- EventSourceName
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- Qualifiers
-- RecordNumber
-- ServiceName
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserID
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- param1
-- param2
-- param3
-- param4
-- product
-- punct
-- service
-- service_name
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- start_mode
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor
-- vendor_product
+ - _time
+ - Channel
+ - Computer
+ - Error_Code
+ - EventCode
+ - EventData_Xml
+ - EventRecordID
+ - EventSourceName
+ - Guid
+ - Keywords
+ - Level
+ - Name
+ - Opcode
+ - ProcessID
+ - Qualifiers
+ - RecordNumber
+ - ServiceName
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - UserID
+ - Version
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - param1
+ - param2
+ - param3
+ - param4
+ - product
+ - punct
+ - service
+ - service_name
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - start_mode
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user_id
+ - vendor
+ - vendor_product
example_log: 704004000x8080000000000000704004000x8080000000000000168231Systemar-win-dc.attackrange.localSystemar-win-dc.attackrange.localPrint Spoolerdemand startdisabledSpooler
diff --git a/data_sources/windows_event_log_system_7045.yml b/data_sources/windows_event_log_system_7045.yml
index b7e8511470..a3f5ce006a 100644
--- a/data_sources/windows_event_log_system_7045.yml
+++ b/data_sources/windows_event_log_system_7045.yml
@@ -1,88 +1,91 @@
name: Windows Event Log System 7045
id: 614dedc8-8a14-4393-ba9b-6f093cbcd293
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the successful installation of a new Windows service, including details about the service name, executable path, and service type.
+description: Logs the successful installation of a new Windows service, including
+ details about the service name, executable path, and service type.
mitre_components:
-- Service Creation
-- Service Metadata
-- OS API Execution
-- Process Metadata
+ - Service Creation
+ - Service Metadata
+ - OS API Execution
+ - Process Metadata
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 7045
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- AccountName
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventRecordID
-- EventSourceName
-- Guid
-- ImagePath
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- Qualifiers
-- RecordNumber
-- ServiceName
-- ServiceType
-- StartType
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserID
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- product
-- punct
-- service
-- service_name
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- start_mode
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor
-- vendor_product
+ - _time
+ - AccountName
+ - Channel
+ - Computer
+ - Error_Code
+ - EventCode
+ - EventData_Xml
+ - EventRecordID
+ - EventSourceName
+ - Guid
+ - ImagePath
+ - Keywords
+ - Level
+ - Name
+ - Opcode
+ - ProcessID
+ - Qualifiers
+ - RecordNumber
+ - ServiceName
+ - ServiceType
+ - StartType
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - ThreadID
+ - UserID
+ - Version
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - product
+ - punct
+ - service
+ - service_name
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - start_mode
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user_id
+ - vendor
+ - vendor_product
example_log: 704504000x8080000000000000704504000x8080000000000000168145Systemar-win-dc.attackrange.localSystemar-win-dc.attackrange.localKrbSCMpowershell.exe -WindowStyle
Hiddenestno'
diff --git a/data_sources/windows_event_log_taskscheduler_200.yml b/data_sources/windows_event_log_taskscheduler_200.yml
index c7af8fd33b..4a29c55df5 100644
--- a/data_sources/windows_event_log_taskscheduler_200.yml
+++ b/data_sources/windows_event_log_taskscheduler_200.yml
@@ -1,83 +1,85 @@
name: Windows Event Log TaskScheduler 200
id: f8c777f8-e88a-4bba-ae8a-79b250212f23
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Logs the successful registration of a new scheduled task in Windows Task Scheduler, including task details and configurations.
+description: Logs the successful registration of a new scheduled task in Windows Task
+ Scheduler, including task details and configurations.
mitre_components:
-- Scheduled Job Creation
-- Scheduled Job Metadata
-- Service Creation
-- OS API Execution
+ - Scheduled Job Creation
+ - Scheduled Job Metadata
+ - Service Creation
+ - OS API Execution
source: WinEventLog:Microsoft-Windows-TaskScheduler/Operational
sourcetype: wineventlog
separator: EventCode
separator_value: 200
supported_TA:
-- name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ - name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
-- _time
-- ActionName
-- ActivityID
-- Channel
-- Computer
-- EnginePID
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- TaskInstanceId
-- TaskName
-- ThreadID
-- UserID
-- Version
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- product
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- ta_windows_action
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor
-- vendor_product
+ - _time
+ - ActionName
+ - ActivityID
+ - Channel
+ - Computer
+ - EnginePID
+ - Error_Code
+ - EventCode
+ - EventData_Xml
+ - EventID
+ - EventRecordID
+ - Guid
+ - Keywords
+ - Level
+ - Name
+ - Opcode
+ - ProcessID
+ - RecordNumber
+ - SystemTime
+ - System_Props_Xml
+ - Task
+ - TaskInstanceId
+ - TaskName
+ - ThreadID
+ - UserID
+ - Version
+ - app
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dvc
+ - dvc_nt_host
+ - event_id
+ - eventtype
+ - host
+ - id
+ - index
+ - linecount
+ - product
+ - punct
+ - signature_id
+ - source
+ - sourcetype
+ - splunk_server
+ - ta_windows_action
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user_id
+ - vendor
+ - vendor_product
example_log: 2001420010x80000000000000002001420010x80000000000000004323Microsoft-Windows-TaskScheduler/Operationalar-win-dc.attackrange.local
Date: Thu, 23 Jan 2025 10:09:09 -0700
Subject: [PATCH 3/6] Fix unintended spacing updates
---
data_sources/asl_aws_cloudtrail.yml | 30 +-
data_sources/aws_cloudfront.yml | 176 +-
.../aws_cloudtrail_assumerolewithsaml.yml | 194 +-
data_sources/aws_cloudtrail_consolelogin.yml | 170 +-
data_sources/aws_cloudtrail_copyobject.yml | 180 +-
.../aws_cloudtrail_createaccesskey.yml | 168 +-
data_sources/aws_cloudtrail_createkey.yml | 204 +-
.../aws_cloudtrail_createloginprofile.yml | 166 +-
.../aws_cloudtrail_createnetworkaclentry.yml | 198 +-
.../aws_cloudtrail_createpolicyversion.yml | 168 +-
.../aws_cloudtrail_createsnapshot.yml | 186 +-
data_sources/aws_cloudtrail_createtask.yml | 184 +-
.../aws_cloudtrail_createvirtualmfadevice.yml | 164 +-
.../aws_cloudtrail_deactivatemfadevice.yml | 164 +-
...cloudtrail_deleteaccountpasswordpolicy.yml | 162 +-
data_sources/aws_cloudtrail_deletealarms.yml | 232 +--
.../aws_cloudtrail_deletedetector.yml | 158 +-
data_sources/aws_cloudtrail_deletegroup.yml | 168 +-
data_sources/aws_cloudtrail_deleteipset.yml | 158 +-
.../aws_cloudtrail_deleteloggroup.yml | 162 +-
.../aws_cloudtrail_deletelogstream.yml | 164 +-
.../aws_cloudtrail_deletenetworkaclentry.yml | 176 +-
data_sources/aws_cloudtrail_deletepolicy.yml | 164 +-
data_sources/aws_cloudtrail_deleterule.yml | 164 +-
.../aws_cloudtrail_deletesnapshot.yml | 246 +--
data_sources/aws_cloudtrail_deletetrail.yml | 160 +-
.../aws_cloudtrail_deletevirtualmfadevice.yml | 160 +-
data_sources/aws_cloudtrail_deletewebacl.yml | 160 +-
...aws_cloudtrail_describeeventaggregates.yml | 152 +-
...s_cloudtrail_describeimagescanfindings.yml | 1826 ++++++++---------
...ws_cloudtrail_getaccountpasswordpolicy.yml | 158 +-
data_sources/aws_cloudtrail_getobject.yml | 176 +-
.../aws_cloudtrail_getpassworddata.yml | 178 +-
data_sources/aws_cloudtrail_jobcreated.yml | 130 +-
.../aws_cloudtrail_modifydbinstance.yml | 276 +--
.../aws_cloudtrail_modifyimageattribute.yml | 166 +-
...aws_cloudtrail_modifysnapshotattribute.yml | 156 +-
data_sources/aws_cloudtrail_putbucketacl.yml | 184 +-
.../aws_cloudtrail_putbucketlifecycle.yml | 186 +-
.../aws_cloudtrail_putbucketreplication.yml | 210 +-
.../aws_cloudtrail_putbucketversioning.yml | 192 +-
data_sources/aws_cloudtrail_putimage.yml | 172 +-
data_sources/aws_cloudtrail_putkeypolicy.yml | 172 +-
.../aws_cloudtrail_replacenetworkaclentry.yml | 188 +-
...aws_cloudtrail_setdefaultpolicyversion.yml | 158 +-
data_sources/aws_cloudtrail_stoplogging.yml | 148 +-
...cloudtrail_updateaccountpasswordpolicy.yml | 172 +-
.../aws_cloudtrail_updateloginprofile.yml | 156 +-
.../aws_cloudtrail_updatesamlprovider.yml | 339 ++-
data_sources/aws_cloudtrail_updatetrail.yml | 166 +-
data_sources/aws_cloudwatchlogs_vpcflow.yml | 116 +-
data_sources/aws_security_hub.yml | 220 +-
...p_role_assignment_to_service_principal.yml | 162 +-
...re_active_directory_add_member_to_role.yml | 114 +-
...ive_directory_add_owner_to_application.yml | 124 +-
...active_directory_add_service_principal.yml | 114 +-
...active_directory_add_unverified_domain.yml | 114 +-
...ctive_directory_consent_to_application.yml | 124 +-
...irectory_disable_strong_authentication.yml | 110 +-
.../azure_active_directory_enable_account.yml | 112 +-
..._active_directory_invite_external_user.yml | 110 +-
...ve_directory_reset_password_(by_admin).yml | 112 +-
...ve_directory_set_domain_authentication.yml | 112 +-
...zure_active_directory_sign_in_activity.yml | 212 +-
...re_active_directory_update_application.yml | 112 +-
..._directory_update_authorization_policy.yml | 114 +-
.../azure_active_directory_update_user.yml | 114 +-
...irectory_user_registered_security_info.yml | 106 +-
..._or_update_an_azure_automation_account.yml | 188 +-
..._or_update_an_azure_automation_runbook.yml | 186 +-
..._or_update_an_azure_automation_webhook.yml | 206 +-
data_sources/bro_conn.yml | 9 +-
data_sources/bro_dns.yml | 10 +-
data_sources/bro_files.yml | 10 +-
data_sources/bro_http.yml | 10 +-
data_sources/bro_loaded_scripts.yml | 8 +-
data_sources/bro_ntp.yml | 8 +-
data_sources/bro_ocsp.yml | 10 +-
data_sources/bro_ssl.yml | 10 +-
data_sources/bro_weird.yml | 10 +-
data_sources/bro_x509.yml | 10 +-
data_sources/circleci.yml | 120 +-
data_sources/crowdstrike_processrollup2.yml | 192 +-
data_sources/crushftp.yml | 14 +-
data_sources/g_suite_drive.yml | 78 +-
data_sources/g_suite_gmail.yml | 154 +-
data_sources/github.yml | 394 ++--
.../google_workspace_login_failure.yml | 84 +-
.../google_workspace_login_success.yml | 80 +-
data_sources/ivanti_vtm_audit.yml | 26 +-
data_sources/kubernetes_audit.yml | 104 +-
data_sources/kubernetes_falco.yml | 80 +-
data_sources/linux_auditd_add_user.yml | 56 +-
data_sources/linux_auditd_execve.yml | 24 +-
data_sources/linux_auditd_path.yml | 52 +-
data_sources/linux_auditd_proctitle.yml | 20 +-
data_sources/linux_auditd_service_stop.yml | 52 +-
data_sources/linux_auditd_syscall.yml | 92 +-
data_sources/linux_secure.yml | 80 +-
.../ms365_defender_incident_alerts.yml | 407 ++--
data_sources/ms_defender_atp_alerts.yml | 684 +++---
data_sources/nginx_access.yml | 128 +-
data_sources/o365.yml | 16 +-
...add_app_role_assignment_grant_to_user_.yml | 152 +-
..._role_assignment_to_service_principal_.yml | 150 +-
data_sources/o365_add_mailboxpermission.yml | 134 +-
data_sources/o365_add_member_to_role_.yml | 156 +-
.../o365_add_owner_to_application_.yml | 160 +-
data_sources/o365_add_service_principal_.yml | 160 +-
data_sources/o365_change_user_license_.yml | 152 +-
data_sources/o365_consent_to_application_.yml | 144 +-
.../o365_disable_strong_authentication_.yml | 146 +-
data_sources/o365_mailitemsaccessed.yml | 138 +-
data_sources/o365_modifyfolderpermissions.yml | 174 +-
.../o365_set_company_information_.yml | 162 +-
data_sources/o365_set_mailbox.yml | 154 +-
data_sources/o365_update_application_.yml | 160 +-
.../o365_update_authorization_policy_.yml | 144 +-
data_sources/o365_update_user_.yml | 158 +-
data_sources/o365_userloggedin.yml | 158 +-
data_sources/o365_userloginfailed.yml | 176 +-
data_sources/okta.yml | 16 +-
data_sources/osquery.yml | 116 +-
data_sources/palo_alto_network_threat.yml | 55 +-
data_sources/palo_alto_network_traffic.yml | 58 +-
data_sources/pingid.yml | 64 +-
.../powershell_installed_iis_modules.yml | 28 +-
.../powershell_script_block_logging_4104.yml | 155 +-
data_sources/powershell_sip_inventory.yml | 8 +-
data_sources/splunk.yml | 56 +-
data_sources/splunk_stream_http.yml | 106 +-
data_sources/splunk_stream_ip.yml | 139 +-
data_sources/splunk_stream_tcp.yml | 16 +-
data_sources/suricata.yml | 102 +-
data_sources/sysmon_eventid_1.yml | 293 ++-
data_sources/sysmon_eventid_10.yml | 176 +-
data_sources/sysmon_eventid_11.yml | 181 +-
data_sources/sysmon_eventid_12.yml | 171 +-
data_sources/sysmon_eventid_13.yml | 198 +-
data_sources/sysmon_eventid_15.yml | 177 +-
data_sources/sysmon_eventid_17.yml | 152 +-
data_sources/sysmon_eventid_18.yml | 158 +-
data_sources/sysmon_eventid_20.yml | 164 +-
data_sources/sysmon_eventid_21.yml | 168 +-
data_sources/sysmon_eventid_22.yml | 156 +-
data_sources/sysmon_eventid_23.yml | 180 +-
data_sources/sysmon_eventid_3.yml | 208 +-
data_sources/sysmon_eventid_5.yml | 152 +-
data_sources/sysmon_eventid_6.yml | 159 +-
data_sources/sysmon_eventid_7.yml | 199 +-
data_sources/sysmon_eventid_8.yml | 180 +-
data_sources/sysmon_eventid_9.yml | 154 +-
data_sources/sysmon_for_linux_eventid_1.yml | 198 +-
data_sources/sysmon_for_linux_eventid_11.yml | 154 +-
.../windows_active_directory_admon.yml | 96 +-
data_sources/windows_defender_alerts.yml | 100 +-
.../windows_event_log_application_2282.yml | 123 +-
.../windows_event_log_application_3000.yml | 108 +-
data_sources/windows_event_log_capi2_70.yml | 116 +-
data_sources/windows_event_log_capi2_81.yml | 122 +-
...ent_log_certificateservicesclient_1007.yml | 118 +-
.../windows_event_log_defender_1121.yml | 125 +-
.../windows_event_log_defender_1122.yml | 119 +-
.../windows_event_log_defender_1129.yml | 104 +-
.../windows_event_log_defender_5007.yml | 97 +-
...indows_terminalservices_rdpclient_1024.yml | 72 +-
.../windows_event_log_printservice_316.yml | 98 +-
.../windows_event_log_printservice_808.yml | 106 +-
...event_log_remoteconnectionmanager_1149.yml | 99 +-
.../windows_event_log_security_1100.yml | 138 +-
.../windows_event_log_security_1102.yml | 150 +-
.../windows_event_log_security_4624.yml | 223 +-
.../windows_event_log_security_4625.yml | 213 +-
.../windows_event_log_security_4627.yml | 171 +-
.../windows_event_log_security_4648.yml | 197 +-
.../windows_event_log_security_4662.yml | 171 +-
.../windows_event_log_security_4663.yml | 184 +-
.../windows_event_log_security_4672.yml | 151 +-
.../windows_event_log_security_4688.yml | 235 ++-
.../windows_event_log_security_4698.yml | 154 +-
.../windows_event_log_security_4699.yml | 152 +-
.../windows_event_log_security_4703.yml | 192 +-
.../windows_event_log_security_4719.yml | 163 +-
.../windows_event_log_security_4720.yml | 198 +-
.../windows_event_log_security_4724.yml | 182 +-
.../windows_event_log_security_4725.yml | 182 +-
.../windows_event_log_security_4726.yml | 184 +-
.../windows_event_log_security_4732.yml | 174 +-
.../windows_event_log_security_4738.yml | 222 +-
.../windows_event_log_security_4739.yml | 198 +-
.../windows_event_log_security_4741.yml | 224 +-
.../windows_event_log_security_4742.yml | 226 +-
.../windows_event_log_security_4768.yml | 186 +-
.../windows_event_log_security_4769.yml | 186 +-
.../windows_event_log_security_4771.yml | 174 +-
.../windows_event_log_security_4776.yml | 156 +-
.../windows_event_log_security_4781.yml | 187 +-
.../windows_event_log_security_4794.yml | 171 +-
.../windows_event_log_security_4798.yml | 167 +-
.../windows_event_log_security_4876.yml | 155 +-
.../windows_event_log_security_4886.yml | 139 +-
.../windows_event_log_security_4887.yml | 145 +-
.../windows_event_log_security_5136.yml | 178 +-
.../windows_event_log_security_5137.yml | 171 +-
.../windows_event_log_security_5140.yml | 206 +-
.../windows_event_log_security_5141.yml | 167 +-
.../windows_event_log_security_5145.yml | 246 ++-
.../windows_event_log_system_4720.yml | 204 +-
.../windows_event_log_system_4726.yml | 184 +-
.../windows_event_log_system_4728.yml | 184 +-
.../windows_event_log_system_7036.yml | 135 +-
.../windows_event_log_system_7040.yml | 140 +-
.../windows_event_log_system_7045.yml | 140 +-
.../windows_event_log_taskscheduler_200.yml | 133 +-
data_sources/windows_iis.yml | 14 +-
data_sources/windows_iis_29.yml | 46 +-
216 files changed, 16448 insertions(+), 16889 deletions(-)
diff --git a/data_sources/asl_aws_cloudtrail.yml b/data_sources/asl_aws_cloudtrail.yml
index 05767f098b..440735d18e 100644
--- a/data_sources/asl_aws_cloudtrail.yml
+++ b/data_sources/asl_aws_cloudtrail.yml
@@ -5,22 +5,22 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Represents AWS API dataset data collection from Amazon Security Lake.
mitre_components:
- - Cloud Service Metadata
- - Cloud Service Modification
- - Cloud Storage Access
- - Instance Creation
- - Instance Deletion
- - Instance Start
- - Instance Stop
- - Instance Modification
- - Cloud Storage Creation
- - Cloud Storage Deletion
- - Cloud Service Enumeration
- - Cloud Storage Enumeration
+- Cloud Service Metadata
+- Cloud Service Modification
+- Cloud Storage Access
+- Instance Creation
+- Instance Deletion
+- Instance Start
+- Instance Stop
+- Instance Modification
+- Cloud Storage Creation
+- Cloud Storage Deletion
+- Cloud Service Enumeration
+- Cloud Storage Enumeration
source: aws_asl
sourcetype: aws:asl
separator: api.operation
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
diff --git a/data_sources/aws_cloudfront.yml b/data_sources/aws_cloudfront.yml
index b8eb8a416b..f6df73faea 100644
--- a/data_sources/aws_cloudfront.yml
+++ b/data_sources/aws_cloudfront.yml
@@ -6,98 +6,98 @@ author: Patrick Bareiss, Splunk
description: Logs requests made to AWS CloudFront distributions, including details
on client access, response data, and performance metrics.
mitre_components:
- - Network Traffic Content
- - Network Traffic Flow
- - Response Metadata
- - Response Content
- - Logon Session Metadata
- - Cloud Service Metadata
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+- Response Content
+- Logon Session Metadata
+- Cloud Service Metadata
source: aws
sourcetype: aws:cloudfront:accesslogs
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - bytes
- - bytes_in
- - bytes_out
- - c_ip
- - c_port
- - cached
- - category
- - client_ip
- - cs_bytes
- - cs_cookie
- - cs_host
- - cs_method
- - cs_protocol
- - cs_protocol_version
- - cs_referer
- - cs_uri_query
- - cs_uri_stem
- - cs_user_agent
- - date
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - duration
- - edge_location_name
- - eventtype
- - fle_encrypted_fields
- - fle_status
- - host
- - http_content_type
- - http_method
- - http_user_agent
- - http_user_agent_length
- - index
- - linecount
- - punct
- - response_time
- - sc_bytes
- - sc_content_len
- - sc_content_type
- - sc_range_end
- - sc_range_start
- - sc_status
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - src_port
- - ssl_cipher
- - ssl_protocol
- - status
- - tag
- - tag::eventtype
- - time
- - time_taken
- - time_to_first_byte
- - timeendpos
- - timestartpos
- - uri_path
- - url
- - url_domain
- - url_length
- - vendor_product
- - x_edge_detail_result_type
- - x_edge_location
- - x_edge_request_id
- - x_edge_response_result_type
- - x_edge_result_type
- - x_forwarded_for
- - x_host_header
+- _time
+- action
+- app
+- bytes
+- bytes_in
+- bytes_out
+- c_ip
+- c_port
+- cached
+- category
+- client_ip
+- cs_bytes
+- cs_cookie
+- cs_host
+- cs_method
+- cs_protocol
+- cs_protocol_version
+- cs_referer
+- cs_uri_query
+- cs_uri_stem
+- cs_user_agent
+- date
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- duration
+- edge_location_name
+- eventtype
+- fle_encrypted_fields
+- fle_status
+- host
+- http_content_type
+- http_method
+- http_user_agent
+- http_user_agent_length
+- index
+- linecount
+- punct
+- response_time
+- sc_bytes
+- sc_content_len
+- sc_content_type
+- sc_range_end
+- sc_range_start
+- sc_status
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_port
+- ssl_cipher
+- ssl_protocol
+- status
+- tag
+- tag::eventtype
+- time
+- time_taken
+- time_to_first_byte
+- timeendpos
+- timestartpos
+- uri_path
+- url
+- url_domain
+- url_length
+- vendor_product
+- x_edge_detail_result_type
+- x_edge_location
+- x_edge_request_id
+- x_edge_response_result_type
+- x_edge_result_type
+- x_forwarded_for
+- x_host_header
example_log: "2023-11-07\t16:58:21\tIAD55-P5\t921\t44.192.78.55\tGET\td3u5aue66f5ui4.cloudfront.net\t\
/plugins/servlet/com.jsos.shell/ShellServlet\t200\t-\tSlackbot-LinkExpanding%201.0%20(+https://api.slack.com/robots)\t\
-\t-\tLambdaGeneratedResponse\tsGwvFCkFU4qlMxatCoJRgW87P7Ee8bKQor3U6lRt6I6jaFvLC7vcPA==\t\
diff --git a/data_sources/aws_cloudtrail_assumerolewithsaml.yml b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
index c9823cd2d7..c8b978c277 100644
--- a/data_sources/aws_cloudtrail_assumerolewithsaml.yml
+++ b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -6,109 +6,109 @@ author: Patrick Bareiss, Splunk
description: Logs attempts to assume roles via SAML authentication in AWS, including
details of identity provider and role mapping.
mitre_components:
- - User Account Authentication
- - Logon Session Creation
- - User Account Metadata
- - Cloud Service Metadata
- - Instance Modification
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Cloud Service Metadata
+- Instance Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: AssumeRoleWithSAML
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.durationSeconds
- - requestParameters.principalArn
- - requestParameters.roleArn
- - requestParameters.roleSessionName
- - requestParameters.sAMLAssertionID
- - resources{}.ARN
- - resources{}.accountId
- - resources{}.type
- - responseElements.assumedRoleUser.arn
- - responseElements.assumedRoleUser.assumedRoleId
- - responseElements.audience
- - responseElements.credentials.accessKeyId
- - responseElements.credentials.expiration
- - responseElements.credentials.sessionToken
- - responseElements.issuer
- - responseElements.nameQualifier
- - responseElements.subject
- - responseElements.subjectType
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - src_user
- - src_user_id
- - src_user_type
- - start_time
- - status
- - tag
- - tag::action
- - tag::eventtype
- - temp_access_key
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.identityProvider
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - user_agent
- - user_arn
- - user_id
- - user_name
- - user_role
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.durationSeconds
+- requestParameters.principalArn
+- requestParameters.roleArn
+- requestParameters.roleSessionName
+- requestParameters.sAMLAssertionID
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements.assumedRoleUser.arn
+- responseElements.assumedRoleUser.assumedRoleId
+- responseElements.audience
+- responseElements.credentials.accessKeyId
+- responseElements.credentials.expiration
+- responseElements.credentials.sessionToken
+- responseElements.issuer
+- responseElements.nameQualifier
+- responseElements.subject
+- responseElements.subjectType
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_user
+- src_user_id
+- src_user_type
+- start_time
+- status
+- tag
+- tag::action
+- tag::eventtype
+- temp_access_key
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.identityProvider
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- user_agent
+- user_arn
+- user_id
+- user_name
+- user_role
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "principalId":
"ZRu9MRAjiG9tvi1QBNfdI664G5A=:rodsoto@rodsoto.onmicrosoft.com", "userName": "rodsoto@rodsoto.onmicrosoft.com",
"identityProvider": "ZRu9MRAjiG9tvi1QBNfdI664G5A="}, "eventTime": "2021-01-22T03:44:16Z",
diff --git a/data_sources/aws_cloudtrail_consolelogin.yml b/data_sources/aws_cloudtrail_consolelogin.yml
index 0d05cff28d..441afb6cea 100644
--- a/data_sources/aws_cloudtrail_consolelogin.yml
+++ b/data_sources/aws_cloudtrail_consolelogin.yml
@@ -6,97 +6,97 @@ author: Patrick Bareiss, Splunk
description: Logs attempts to sign in to the AWS Management Console, including successful
and failed login events.
mitre_components:
- - User Account Authentication
- - Logon Session Creation
- - User Account Metadata
- - Logon Session Metadata
- - Cloud Service Metadata
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Logon Session Metadata
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: ConsoleLogin
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - additionalEventData.LoginTo
- - additionalEventData.MFAUsed
- - additionalEventData.MobileVersion
- - app
- - authentication_method
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - desc
- - dest
- - dvc
- - errorCode
- - errorMessage
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - reason
- - recipientAccountId
- - region
- - requestParameters
- - responseElements.ConsoleLogin
- - result
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::action
- - tag::eventtype
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.type
- - userIdentity.userName
- - user_access_key
- - user_agent
- - user_group_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- additionalEventData.LoginTo
+- additionalEventData.MFAUsed
+- additionalEventData.MobileVersion
+- app
+- authentication_method
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestParameters
+- responseElements.ConsoleLogin
+- result
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.type
+- userIdentity.userName
+- user_access_key
+- user_agent
+- user_group_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "accountId":
"140429656527", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
"eventTime": "2022-10-19T20:33:38Z", "eventSource": "signin.amazonaws.com", "eventName":
diff --git a/data_sources/aws_cloudtrail_copyobject.yml b/data_sources/aws_cloudtrail_copyobject.yml
index 9edd40bb4d..93ea12c92f 100644
--- a/data_sources/aws_cloudtrail_copyobject.yml
+++ b/data_sources/aws_cloudtrail_copyobject.yml
@@ -6,102 +6,102 @@ author: Patrick Bareiss, Splunk
description: Logs operations that copy objects within or between AWS S3 buckets, including
details of source and destination.
mitre_components:
- - Cloud Storage Access
- - Cloud Storage Modification
- - Cloud Storage Metadata
- - Instance Modification
+- Cloud Storage Access
+- Cloud Storage Modification
+- Cloud Storage Metadata
+- Instance Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_values: CopyObject
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - additionalEventData.AuthenticationMethod
- - additionalEventData.CipherSuite
- - additionalEventData.SSEApplied
- - additionalEventData.SignatureVersion
- - additionalEventData.bytesTransferredIn
- - additionalEventData.bytesTransferredOut
- - additionalEventData.x-amz-id-2
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.Host
- - requestParameters.bucketName
- - requestParameters.key
- - requestParameters.x-amz-copy-source
- - requestParameters.x-amz-server-side-encryption
- - requestParameters.x-amz-server-side-encryption-aws-kms-key-id
- - resources{}.ARN
- - resources{}.accountId
- - resources{}.type
- - responseElements.x-amz-server-side-encryption
- - responseElements.x-amz-server-side-encryption-aws-kms-key-id
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- additionalEventData.AuthenticationMethod
+- additionalEventData.CipherSuite
+- additionalEventData.SSEApplied
+- additionalEventData.SignatureVersion
+- additionalEventData.bytesTransferredIn
+- additionalEventData.bytesTransferredOut
+- additionalEventData.x-amz-id-2
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.Host
+- requestParameters.bucketName
+- requestParameters.key
+- requestParameters.x-amz-copy-source
+- requestParameters.x-amz-server-side-encryption
+- requestParameters.x-amz-server-side-encryption-aws-kms-key-id
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements.x-amz-server-side-encryption
+- responseElements.x-amz-server-side-encryption-aws-kms-key-id
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLNALZHZ6KX", "arn": "arn:aws:iam::111111111111:user/patrick_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLJ2OYSF6E", "userName": "patrick_cli"},
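Review bot: The context line `separator_values: CopyObject` in this hunk uses a key that every sibling data source in the same patch spells `separator_value` (AssumeRoleWithSAML, ConsoleLogin, CreateAccessKey, CreateKey, CreateLoginProfile, CreateNetworkAclEntry all use the singular form), and the whole-file reindent was the moment to make it consistent. If the consuming tooling selects events by `separator` plus `separator_value`, this data source presumably carries no effective `eventName` filter and would match far more than CopyObject, so anything keyed on it could be silently mis-scoped; I cannot tell from the hunk whether a schema validator would instead reject the unknown key. Proposed change: `separator_value: CopyObject`, and confirm against the data_source schema that `separator_values` is not an accepted alias.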
diff --git a/data_sources/aws_cloudtrail_createaccesskey.yml b/data_sources/aws_cloudtrail_createaccesskey.yml
index d72354f779..e32d68ce5f 100644
--- a/data_sources/aws_cloudtrail_createaccesskey.yml
+++ b/data_sources/aws_cloudtrail_createaccesskey.yml
@@ -6,96 +6,96 @@ author: Patrick Bareiss, Splunk
description: Logs the creation of new AWS access keys, including details of the associated
user and permissions.
mitre_components:
- - User Account Creation
- - User Account Metadata
- - Cloud Service Modification
- - Cloud Service Metadata
+- User Account Creation
+- User Account Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreateAccessKey
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.userName
- - responseElements.accessKey.accessKeyId
- - responseElements.accessKey.createDate
- - responseElements.accessKey.status
- - responseElements.accessKey.userName
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - src_user_name
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.userName
+- responseElements.accessKey.accessKeyId
+- responseElements.accessKey.createDate
+- responseElements.accessKey.status
+- responseElements.accessKey.userName
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_user_name
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::121521347698:user/bhavin_cli", "accountId":
"121521347698", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_createkey.yml b/data_sources/aws_cloudtrail_createkey.yml
index 293ecba3cd..c6c31a41a3 100644
--- a/data_sources/aws_cloudtrail_createkey.yml
+++ b/data_sources/aws_cloudtrail_createkey.yml
@@ -6,114 +6,114 @@ author: Patrick Bareiss, Splunk
description: Logs the creation of new AWS KMS keys, including details of key properties
and associated metadata.
mitre_components:
- - Cloud Service Creation
- - Cloud Service Metadata
- - Instance Creation
- - Volume Metadata
+- Cloud Service Creation
+- Cloud Service Metadata
+- Instance Creation
+- Volume Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreateKey
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.bypassPolicyLockoutSafetyCheck
- - requestParameters.customerMasterKeySpec
- - requestParameters.description
- - requestParameters.keyUsage
- - requestParameters.origin
- - requestParameters.policy
- - resources{}.ARN
- - resources{}.accountId
- - resources{}.type
- - responseElements.keyMetadata.aWSAccountId
- - responseElements.keyMetadata.arn
- - responseElements.keyMetadata.creationDate
- - responseElements.keyMetadata.customerMasterKeySpec
- - responseElements.keyMetadata.description
- - responseElements.keyMetadata.enabled
- - responseElements.keyMetadata.encryptionAlgorithms{}
- - responseElements.keyMetadata.keyId
- - responseElements.keyMetadata.keyManager
- - responseElements.keyMetadata.keyState
- - responseElements.keyMetadata.keyUsage
- - responseElements.keyMetadata.origin
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.bypassPolicyLockoutSafetyCheck
+- requestParameters.customerMasterKeySpec
+- requestParameters.description
+- requestParameters.keyUsage
+- requestParameters.origin
+- requestParameters.policy
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements.keyMetadata.aWSAccountId
+- responseElements.keyMetadata.arn
+- responseElements.keyMetadata.creationDate
+- responseElements.keyMetadata.customerMasterKeySpec
+- responseElements.keyMetadata.description
+- responseElements.keyMetadata.enabled
+- responseElements.keyMetadata.encryptionAlgorithms{}
+- responseElements.keyMetadata.keyId
+- responseElements.keyMetadata.keyManager
+- responseElements.keyMetadata.keyState
+- responseElements.keyMetadata.keyUsage
+- responseElements.keyMetadata.origin
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLK74OPBDR", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_createloginprofile.yml b/data_sources/aws_cloudtrail_createloginprofile.yml
index df6b04e40d..243ad0b5c5 100644
--- a/data_sources/aws_cloudtrail_createloginprofile.yml
+++ b/data_sources/aws_cloudtrail_createloginprofile.yml
@@ -6,95 +6,95 @@ author: Patrick Bareiss, Splunk
description: Logs the creation of login profiles for IAM users, including associated
metadata and authentication settings.
mitre_components:
- - User Account Creation
- - User Account Metadata
- - Logon Session Metadata
- - Cloud Service Metadata
+- User Account Creation
+- User Account Metadata
+- Logon Session Metadata
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreateLoginProfile
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.passwordResetRequired
- - requestParameters.userName
- - responseElements.loginProfile.createDate
- - responseElements.loginProfile.passwordResetRequired
- - responseElements.loginProfile.userName
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.passwordResetRequired
+- requestParameters.userName
+- responseElements.loginProfile.createDate
+- responseElements.loginProfile.passwordResetRequired
+- responseElements.loginProfile.userName
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_createnetworkaclentry.yml b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
index 993b03197a..3f98c6329c 100644
--- a/data_sources/aws_cloudtrail_createnetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
@@ -6,111 +6,111 @@ author: Patrick Bareiss, Splunk
description: Logs the creation of new entries in a network ACL, including rules to
allow or deny specific network traffic.
mitre_components:
- - Firewall Rule Modification
- - Network Connection Creation
- - Cloud Service Modification
- - Cloud Service Metadata
+- Firewall Rule Modification
+- Network Connection Creation
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreateNetworkAclEntry
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - direction
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object
- - object_category
- - object_id
- - product
- - protocol
- - protocol_code
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.aclProtocol
- - requestParameters.cidrBlock
- - requestParameters.egress
- - requestParameters.networkAclId
- - requestParameters.ruleAction
- - requestParameters.ruleNumber
- - responseElements._return
- - responseElements.requestId
- - rule_action
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - src_ip_range
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- direction
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object
+- object_category
+- object_id
+- product
+- protocol
+- protocol_code
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.aclProtocol
+- requestParameters.cidrBlock
+- requestParameters.egress
+- requestParameters.networkAclId
+- requestParameters.ruleAction
+- requestParameters.ruleNumber
+- responseElements._return
+- responseElements.requestId
+- rule_action
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_ip_range
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLF3F7BXZK", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_createpolicyversion.yml b/data_sources/aws_cloudtrail_createpolicyversion.yml
index 2973c651b0..88b3b2aeb7 100644
--- a/data_sources/aws_cloudtrail_createpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_createpolicyversion.yml
@@ -6,96 +6,96 @@ author: Patrick Bareiss, Splunk
description: Logs the creation of new versions of IAM policies, including changes
to permissions and attached roles or resources.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
- - User Account Metadata
- - Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
+- User Account Metadata
+- Group Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreatePolicyVersion
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.policyArn
- - requestParameters.policyDocument
- - requestParameters.setAsDefault
- - responseElements.policyVersion.createDate
- - responseElements.policyVersion.isDefaultVersion
- - responseElements.policyVersion.versionId
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.policyArn
+- requestParameters.policyDocument
+- requestParameters.setAsDefault
+- responseElements.policyVersion.createDate
+- responseElements.policyVersion.isDefaultVersion
+- responseElements.policyVersion.versionId
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLNMCDVJZAY", "arn": "arn:aws:iam::111111111111:user/rhino_escalate",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLHSQZPZFZ", "userName":
diff --git a/data_sources/aws_cloudtrail_createsnapshot.yml b/data_sources/aws_cloudtrail_createsnapshot.yml
index ae5c392552..0d724bfada 100644
--- a/data_sources/aws_cloudtrail_createsnapshot.yml
+++ b/data_sources/aws_cloudtrail_createsnapshot.yml
@@ -6,105 +6,105 @@ author: Patrick Bareiss, Splunk
description: Logs the creation of a new snapshot of a cloud resource, such as an Amazon
EBS volume, including details about the snapshot ID and resource type.
mitre_components:
- - Snapshot Creation
- - Snapshot Metadata
- - Volume Metadata
- - Cloud Service Metadata
+- Snapshot Creation
+- Snapshot Metadata
+- Volume Metadata
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreateSnapshot
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.tagSpecificationSet.items{}.resourceType
- - requestParameters.tagSpecificationSet.items{}.tags{}.key
- - requestParameters.tagSpecificationSet.items{}.tags{}.value
- - requestParameters.volumeId
- - responseElements.encrypted
- - responseElements.ownerId
- - responseElements.requestId
- - responseElements.snapshotId
- - responseElements.startTime
- - responseElements.status
- - responseElements.tagSet.items{}.key
- - responseElements.tagSet.items{}.value
- - responseElements.volumeId
- - responseElements.volumeSize
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.tagSpecificationSet.items{}.resourceType
+- requestParameters.tagSpecificationSet.items{}.tags{}.key
+- requestParameters.tagSpecificationSet.items{}.tags{}.value
+- requestParameters.volumeId
+- responseElements.encrypted
+- responseElements.ownerId
+- responseElements.requestId
+- responseElements.snapshotId
+- responseElements.startTime
+- responseElements.status
+- responseElements.tagSet.items{}.key
+- responseElements.tagSet.items{}.value
+- responseElements.volumeId
+- responseElements.volumeSize
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/bhavin_console",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName":
diff --git a/data_sources/aws_cloudtrail_createtask.yml b/data_sources/aws_cloudtrail_createtask.yml
index 7808c2b9cc..3db15c7370 100644
--- a/data_sources/aws_cloudtrail_createtask.yml
+++ b/data_sources/aws_cloudtrail_createtask.yml
@@ -6,104 +6,104 @@ author: Patrick Bareiss, Splunk
description: Logs the creation of a new task in AWS services, such as ECS, including
details about the task definition and resource allocation.
mitre_components:
- - Scheduled Job Creation
- - Scheduled Job Metadata
- - Cloud Service Metadata
- - Instance Creation
+- Scheduled Job Creation
+- Scheduled Job Metadata
+- Cloud Service Metadata
+- Instance Creation
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_name: CreateTask
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.cloudWatchLogGroupArn
- - requestParameters.destinationLocationArn
- - requestParameters.options.logLevel
- - requestParameters.options.verifyMode
- - requestParameters.schedule.scheduleExpression
- - requestParameters.sourceLocationArn
- - responseElements.taskArn
- - sessionCredentialFromConsole
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.cloudWatchLogGroupArn
+- requestParameters.destinationLocationArn
+- requestParameters.options.logLevel
+- requestParameters.options.verifyMode
+- requestParameters.schedule.scheduleExpression
+- requestParameters.sourceLocationArn
+- responseElements.taskArn
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLDF6WQQQQQ:abc@acme.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/abc@acme.com",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLOB2GM111", "sessionContext":
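Review bot: `separator_name: CreateTask` does not match the `separator_value` key every other data source in this patch uses (e.g. `separator_value: CreateSnapshot`, `separator_value: CreateVirtualMFADevice`), so anything that reads `separator_value` will find no eventName filter for this source; change it to `separator_value: CreateTask`. The description says the event comes from services "such as ECS", but the listed fields (`requestParameters.sourceLocationArn`, `requestParameters.destinationLocationArn`, `requestParameters.options.verifyMode`, `requestParameters.schedule.scheduleExpression`) look like AWS DataSync's CreateTask API rather than ECS, which launches containers with RunTask — confirm against `eventSource` in the sample event and reword the description to name the actual service. Both lines are unchanged context here, so the reindent in this hunk does not touch them.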
diff --git a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
index 7b6b181672..f76f14d9c1 100644
--- a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
@@ -6,94 +6,94 @@ author: Patrick Bareiss, Splunk
description: Logs the creation of a new virtual multi-factor authentication (MFA)
device, including details about the associated user and configuration.
mitre_components:
- - User Account Creation
- - User Account Metadata
- - Cloud Service Creation
- - Cloud Service Metadata
+- User Account Creation
+- User Account Metadata
+- Cloud Service Creation
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreateVirtualMFADevice
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.path
- - requestParameters.virtualMFADeviceName
- - responseElements.virtualMFADevice.serialNumber
- - sessionCredentialFromConsole
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.path
+- requestParameters.virtualMFADeviceName
+- responseElements.virtualMFADevice.serialNumber
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
"140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
"accessKeyId": "ASIASBMSCQHH2YXNXJBU", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
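Review bot: The `example_log` for this source carries account ID `140429656527` in `principalId`, `arn` and `accountId`, while every other example in this patch uses the `111111111111` placeholder; this appears to be an unredacted account number and should be normalised to the placeholder (`"arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111"`) before it ships in a public repository. Separately, `User Account Creation` under `mitre_components` is a stretch for CreateVirtualMFADevice — no account is created, an MFA device is registered against an existing one — so `User Account Modification`, which the DeactivateMFADevice source in this same patch already uses, is the closer fit. The example_log scalar continues past the end of this hunk.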
diff --git a/data_sources/aws_cloudtrail_deactivatemfadevice.yml b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
index e53018b544..06d7103bfe 100644
--- a/data_sources/aws_cloudtrail_deactivatemfadevice.yml
+++ b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
@@ -6,94 +6,94 @@ author: Patrick Bareiss, Splunk
description: Logs the deactivation of a multi-factor authentication (MFA) device,
including details about the associated user and the device.
mitre_components:
- - User Account Modification
- - User Account Metadata
- - Cloud Service Modification
- - Cloud Service Metadata
+- User Account Modification
+- User Account Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeactivateMFADevice
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.serialNumber
- - requestParameters.userName
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.serialNumber
+- requestParameters.userName
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
"111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111",
"accessKeyId": "ASIASBMSCQHHWAIHMHUX", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
diff --git a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
index 9d10c7443a..feeaa4fd66 100644
--- a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
@@ -6,93 +6,93 @@ author: Patrick Bareiss, Splunk
description: Logs the deletion of an account-level password policy in AWS, including
details about the account and policy being removed.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteAccountPasswordPolicy
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - desc
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters
- - responseElements
- - sessionCredentialFromConsole
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters
+- responseElements
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
"111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111",
"accessKeyId": "ASIASBMSCQHHWMDJXSE6", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
diff --git a/data_sources/aws_cloudtrail_deletealarms.yml b/data_sources/aws_cloudtrail_deletealarms.yml
index 7babfa595c..8b11625dfe 100644
--- a/data_sources/aws_cloudtrail_deletealarms.yml
+++ b/data_sources/aws_cloudtrail_deletealarms.yml
@@ -6,128 +6,128 @@ author: Bhavin Patel, Splunk
description: Logs the deletion of CloudWatch alarms, including details about the alarm
names and associated monitoring configurations.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
- - Application Log Content
- - Host Status
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteAlarms
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - authentication_method
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - desc
- - dest
- - dest_ip_range
- - dest_port_range
- - direction
- - dvc
- - errorCode
- - errorMessage
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - image_id
- - index
- - instance_type
- - linecount
- - managementEvent
- - msg
- - object
- - object_attrs
- - object_category
- - object_id
- - product
- - protocol
- - protocol_code
- - punct
- - readOnly
- - reason
- - recipientAccountId
- - region
- - requestID
- - requestParameters.alarmNames{}
- - responseElements
- - result
- - result_id
- - rule_action
- - sessionCredentialFromConsole
- - signature
- - source
- - sourceIPAddress
- - splunk_server
- - splunk_server_group
- - src
- - src_ip
- - src_ip_range
- - src_port_range
- - src_user
- - src_user_id
- - src_user_name
- - src_user_role
- - src_user_type
- - start_time
- - status
- - tag
- - tag::action
- - tag::eventtype
- - tag::object_category
- - temp_access_key
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.invokedBy
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_role
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- authentication_method
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dest_ip_range
+- dest_port_range
+- direction
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- image_id
+- index
+- instance_type
+- linecount
+- managementEvent
+- msg
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- protocol
+- protocol_code
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestID
+- requestParameters.alarmNames{}
+- responseElements
+- result
+- result_id
+- rule_action
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_ip_range
+- src_port_range
+- src_user
+- src_user_id
+- src_user_name
+- src_user_role
+- src_user_type
+- start_time
+- status
+- tag
+- tag::action
+- tag::eventtype
+- tag::object_category
+- temp_access_key
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.invokedBy
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_role
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLKZK7JIDWN:AutoScaling-ManageAlarms", "arn": "arn:aws:sts::111111111111:assumed-role/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable/AutoScaling-ManageAlarms",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLJ7ZZZZZZZ", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_deletedetector.yml b/data_sources/aws_cloudtrail_deletedetector.yml
index f20cba230e..1046a8b7db 100644
--- a/data_sources/aws_cloudtrail_deletedetector.yml
+++ b/data_sources/aws_cloudtrail_deletedetector.yml
@@ -6,91 +6,91 @@ author: Patrick Bareiss, Splunk
description: Logs the deletion of an Amazon GuardDuty detector, including details
about the detector ID and associated configurations.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
- - Host Status
- - Application Log Content
+- Cloud Service Modification
+- Cloud Service Metadata
+- Host Status
+- Application Log Content
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteDetector
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.detectorId
- - responseElements.__type
- - responseElements.message
- - result_id
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.detectorId
+- responseElements.__type
+- responseElements.message
+- result_id
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
diff --git a/data_sources/aws_cloudtrail_deletegroup.yml b/data_sources/aws_cloudtrail_deletegroup.yml
index e2bd256da6..e8e98628b6 100644
--- a/data_sources/aws_cloudtrail_deletegroup.yml
+++ b/data_sources/aws_cloudtrail_deletegroup.yml
@@ -6,96 +6,96 @@ author: Patrick Bareiss, Splunk
description: Logs the deletion of an IAM group in AWS, including details about the
group name and its associated policies or members.
mitre_components:
- - Group Modification
- - Group Metadata
- - User Account Metadata
- - Cloud Service Modification
+- Group Modification
+- Group Metadata
+- User Account Metadata
+- Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteGroup
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - errorMessage
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - reason
- - recipientAccountId
- - region
- - requestID
- - requestParameters.groupName
- - responseElements
- - result
- - result_id
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestID
+- requestParameters.groupName
+- responseElements
+- result
+- result_id
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::121522247101:user/bhavin_cli", "accountId":
"121522247101", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_deleteipset.yml b/data_sources/aws_cloudtrail_deleteipset.yml
index ce670c3006..3f00e45f4d 100644
--- a/data_sources/aws_cloudtrail_deleteipset.yml
+++ b/data_sources/aws_cloudtrail_deleteipset.yml
@@ -6,91 +6,91 @@ author: Patrick Bareiss, Splunk
description: Logs the deletion of an IP set in AWS WAF or GuardDuty, including details
about the IP set ID and its associated configurations.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
- - Firewall Rule Modification
+- Cloud Service Modification
+- Cloud Service Metadata
+- Firewall Rule Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteIPSet
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.detectorId
- - requestParameters.ipSetId
- - responseElements.__type
- - responseElements.message
- - result_id
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.detectorId
+- requestParameters.ipSetId
+- responseElements.__type
+- responseElements.message
+- result_id
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_deleteloggroup.yml b/data_sources/aws_cloudtrail_deleteloggroup.yml
index 3aafeff30a..8e4206a1fb 100644
--- a/data_sources/aws_cloudtrail_deleteloggroup.yml
+++ b/data_sources/aws_cloudtrail_deleteloggroup.yml
@@ -6,93 +6,93 @@ author: Patrick Bareiss, Splunk
description: Logs the deletion of a CloudWatch log group, including details about
the log group name and associated resources.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
- - Application Log Content
- - Host Status
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteLogGroup
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - apiVersion
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.logGroupName
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- apiVersion
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.logGroupName
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
diff --git a/data_sources/aws_cloudtrail_deletelogstream.yml b/data_sources/aws_cloudtrail_deletelogstream.yml
index 7f4805833e..66ce8c87ec 100644
--- a/data_sources/aws_cloudtrail_deletelogstream.yml
+++ b/data_sources/aws_cloudtrail_deletelogstream.yml
@@ -6,94 +6,94 @@ author: Patrick Bareiss, Splunk
description: Logs the deletion of a log stream within a CloudWatch log group, including
details about the stream name and associated log group.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
- - Application Log Content
- - Host Status
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteLogStream
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - apiVersion
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.logGroupName
- - requestParameters.logStreamName
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- apiVersion
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.logGroupName
+- requestParameters.logStreamName
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
diff --git a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
index deca786012..860acf5cb3 100644
--- a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
@@ -6,100 +6,100 @@ author: Patrick Bareiss, Splunk
description: Logs the deletion of a network ACL entry in AWS, including details about
the rule number and associated network ACL.
mitre_components:
- - Firewall Rule Modification
- - Cloud Service Modification
- - Cloud Service Metadata
+- Firewall Rule Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteNetworkAclEntry
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - direction
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.egress
- - requestParameters.networkAclId
- - requestParameters.ruleNumber
- - responseElements._return
- - responseElements.requestId
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- direction
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.egress
+- requestParameters.networkAclId
+- requestParameters.ruleNumber
+- responseElements._return
+- responseElements.requestId
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLF3F7BXZK", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_deletepolicy.yml b/data_sources/aws_cloudtrail_deletepolicy.yml
index 62fa46bbd0..1eb13dccc6 100644
--- a/data_sources/aws_cloudtrail_deletepolicy.yml
+++ b/data_sources/aws_cloudtrail_deletepolicy.yml
@@ -6,94 +6,94 @@ author: Patrick Bareiss, Splunk
description: Logs the deletion of an IAM policy in AWS, including details about the
policy name and its associated roles or users.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeletePolicy
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - errorMessage
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - reason
- - recipientAccountId
- - region
- - requestID
- - requestParameters.policyArn
- - responseElements
- - result
- - result_id
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestID
+- requestParameters.policyArn
+- responseElements
+- result
+- result_id
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::151521547504:user/bhavin_cli", "accountId":
"151521547504", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_deleterule.yml b/data_sources/aws_cloudtrail_deleterule.yml
index b5f3c819fa..8cc54b2ae9 100644
--- a/data_sources/aws_cloudtrail_deleterule.yml
+++ b/data_sources/aws_cloudtrail_deleterule.yml
@@ -6,94 +6,94 @@ author: Patrick Bareiss, Splunk
description: Logs the deletion of an event rule in AWS EventBridge, including details
about the rule name and its associated targets or schedules.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
- - Scheduled Job Modification
- - Application Log Content
+- Cloud Service Modification
+- Cloud Service Metadata
+- Scheduled Job Modification
+- Application Log Content
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteRule
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - apiVersion
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.changeToken
- - requestParameters.ruleId
- - responseElements.changeToken
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- apiVersion
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.changeToken
+- requestParameters.ruleId
+- responseElements.changeToken
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
diff --git a/data_sources/aws_cloudtrail_deletesnapshot.yml b/data_sources/aws_cloudtrail_deletesnapshot.yml
index 62a075237d..6d802d417f 100644
--- a/data_sources/aws_cloudtrail_deletesnapshot.yml
+++ b/data_sources/aws_cloudtrail_deletesnapshot.yml
@@ -6,135 +6,135 @@ author: Bhavin Patel, Splunk
description: Logs the deletion of a cloud resource snapshot, such as an Amazon EBS
snapshot, including details about the snapshot ID and associated resource.
mitre_components:
- - Snapshot Deletion
- - Snapshot Metadata
- - Cloud Service Modification
- - Cloud Service Metadata
+- Snapshot Deletion
+- Snapshot Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteSnapshot
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - authentication_method
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - desc
- - dest
- - dest_ip_range
- - dest_port_range
- - direction
- - dvc
- - errorCode
- - errorMessage
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - image_id
- - index
- - instance_type
- - linecount
- - managementEvent
- - msg
- - object
- - object_attrs
- - object_category
- - object_id
- - product
- - protocol
- - protocol_code
- - punct
- - readOnly
- - reason
- - recipientAccountId
- - region
- - requestID
- - requestParameters.force
- - requestParameters.snapshotId
- - responseElements
- - responseElements._return
- - responseElements.requestId
- - result
- - result_id
- - rule_action
- - sessionCredentialFromConsole
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - splunk_server_group
- - src
- - src_ip
- - src_ip_range
- - src_port_range
- - src_user
- - src_user_id
- - src_user_name
- - src_user_role
- - src_user_type
- - start_time
- - status
- - tag
- - tag::action
- - tag::eventtype
- - tag::object_category
- - temp_access_key
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_role
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- authentication_method
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dest_ip_range
+- dest_port_range
+- direction
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- image_id
+- index
+- instance_type
+- linecount
+- managementEvent
+- msg
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- protocol
+- protocol_code
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestID
+- requestParameters.force
+- requestParameters.snapshotId
+- responseElements
+- responseElements._return
+- responseElements.requestId
+- result
+- result_id
+- rule_action
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_ip_range
+- src_port_range
+- src_user
+- src_user_id
+- src_user_name
+- src_user_role
+- src_user_type
+- start_time
+- status
+- tag
+- tag::action
+- tag::eventtype
+- tag::object_category
+- temp_access_key
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_role
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.09", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLDF6WPXXXX:daftpunk@splunk.com", "arn": "arn:aws:sts::11111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/daftpunk@splunk.com",
"accountId": "11111111111111", "accessKeyId": "AAAAAAAAAAAAAAAAAA", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_deletetrail.yml b/data_sources/aws_cloudtrail_deletetrail.yml
index 2d077d3400..1ab9032017 100644
--- a/data_sources/aws_cloudtrail_deletetrail.yml
+++ b/data_sources/aws_cloudtrail_deletetrail.yml
@@ -6,92 +6,92 @@ author: Patrick Bareiss, Splunk
description: Logs the deletion of an AWS CloudTrail trail, including details about
the trail name and its associated logging configurations.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
- - Application Log Content
- - Host Status
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteTrail
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.name
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.name
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
index ba7bd9f0b0..4a7caa655b 100644
--- a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
@@ -6,92 +6,92 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a virtual Multi-Factor Authentication (MFA) device
is deleted in AWS CloudTrail.
mitre_components:
- - User Account Authentication
- - User Account Deletion
+- User Account Authentication
+- User Account Deletion
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteVirtualMFADevice
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.serialNumber
- - responseElements
- - sessionCredentialFromConsole
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.serialNumber
+- responseElements
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
"111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111",
"accessKeyId": "ASIASBMSCQHHWAIHMHUX", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
diff --git a/data_sources/aws_cloudtrail_deletewebacl.yml b/data_sources/aws_cloudtrail_deletewebacl.yml
index dad7353b3b..8386aa1d15 100644
--- a/data_sources/aws_cloudtrail_deletewebacl.yml
+++ b/data_sources/aws_cloudtrail_deletewebacl.yml
@@ -6,92 +6,92 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a Web Access Control List (WebACL) is deleted in AWS
CloudTrail.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DeleteWebACL
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - apiVersion
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.changeToken
- - requestParameters.webACLId
- - responseElements.changeToken
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- apiVersion
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.changeToken
+- requestParameters.webACLId
+- responseElements.changeToken
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
diff --git a/data_sources/aws_cloudtrail_describeeventaggregates.yml b/data_sources/aws_cloudtrail_describeeventaggregates.yml
index 51c3b5464a..4ad39a0e97 100644
--- a/data_sources/aws_cloudtrail_describeeventaggregates.yml
+++ b/data_sources/aws_cloudtrail_describeeventaggregates.yml
@@ -6,88 +6,88 @@ author: Patrick Bareiss, Splunk
description: Logs an event when aggregate details about AWS events are queried, often
for analysis.
mitre_components:
- - Cloud Service Enumeration
- - Cloud Service Metadata
+- Cloud Service Enumeration
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DescribeEventAggregates
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.aggregateField
- - requestParameters.filter.eventStatusCodes{}
- - requestParameters.filter.startTimes{}.from
- - responseElements
- - sessionCredentialFromConsole
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.aggregateField
+- requestParameters.filter.eventStatusCodes{}
+- requestParameters.filter.startTimes{}.from
+- responseElements
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
"140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
"accessKeyId": "ASIASBMSCQHHQQ6LB24V", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
diff --git a/data_sources/aws_cloudtrail_describeimagescanfindings.yml b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
index fab3a5b39f..e91321536e 100644
--- a/data_sources/aws_cloudtrail_describeimagescanfindings.yml
+++ b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
@@ -6,980 +6,896 @@ author: Patrick Bareiss, Splunk
description: Logs an event when findings from an image vulnerability scan are described
using the DescribeImageScanFindings operation in AWS CloudTrail.
mitre_components:
- - Image Metadata
- - Image Modification
- - Malware Metadata
+- Image Metadata
+- Image Modification
+- Malware Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: DescribeImageScanFindings
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.imageId.imageDigest
- - requestParameters.maxResults
- - requestParameters.repositoryName
- - responseElements.imageId.imageDigest
- - responseElements.imageScanFindings.findingSeverityCounts.HIGH
- - responseElements.imageScanFindings.findingSeverityCounts.INFORMATIONAL
- - responseElements.imageScanFindings.findingSeverityCounts.LOW
- - responseElements.imageScanFindings.findingSeverityCounts.MEDIUM
- - responseElements.imageScanFindings.findingSeverityCounts.UNDEFINED
- - responseElements.imageScanFindings.findings{}.attributes{}.key
- - responseElements.imageScanFindings.findings{}.attributes{}.value
- - responseElements.imageScanFindings.findings{}.description
- - responseElements.imageScanFindings.findings{}.name
- - responseElements.imageScanFindings.findings{}.severity
- - responseElements.imageScanFindings.findings{}.uri
- - responseElements.imageScanFindings.imageScanCompletedAt
- - responseElements.imageScanFindings.vulnerabilitySourceUpdatedAt
- - responseElements.imageScanStatus.description
- - responseElements.imageScanStatus.status
- - responseElements.registryId
- - responseElements.repositoryName
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
-example_log: "{\"eventVersion\": \"1.08\", \"userIdentity\": {\"type\": \"AssumedRole\"\
- , \"principalId\": \"AAAAAAAAAAAAAAAAAAAAA:test@test.com\", \"arn\": \"arn:aws:sts::111111111111:assumed-role/role_name/test@test.com\"\
- , \"accountId\": \"111111111111\", \"accessKeyId\": \"AKIAIOSFODNN7EXAMPLE\", \"\
- sessionContext\": {\"sessionIssuer\": {\"type\": \"Role\", \"principalId\": \"AKIAIOSFODNN7EXAMPLE\"\
- , \"arn\": \"arn:aws:iam::111111111111:role/aws-reserved/test/region/group\", \"\
- accountId\": \"111111111111\", \"userName\": \"test\"}, \"webIdFederationData\"
- : {}, \"attributes\": {\"creationDate\": \"2021-08-11T09:42:53Z\", \"mfaAuthenticated\"\
- : \"false\"}}}, \"eventTime\": \"2021-08-11T11:52:27Z\", \"eventSource\": \"ecr.amazonaws.com\"\
- , \"eventName\": \"DescribeImageScanFindings\", \"awsRegion\": \"eu-central-1\"
- , \"sourceIPAddress\": \"154.16.165.133\", \"userAgent\": \"aws-internal/3 aws-sdk-java/1.11.1030
- Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08
- java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/legacy\", \"requestParameters\"\
- : {\"repositoryName\": \"devsecops/cat_dog_client\", \"imageId\": {\"imageDigest\"\
- : \"sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6\"},
- \"maxResults\": 1000}, \"responseElements\": {\"registryId\": \"111111111111\",
- \"repositoryName\": \"devsecops/cat_dog_client\", \"imageId\": {\"imageDigest\"
- : \"sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6\"},
- \"imageScanStatus\": {\"status\": \"COMPLETE\", \"description\": \"The scan was
- completed successfully.\"}, \"imageScanFindings\": {\"imageScanCompletedAt\": \"\
- Aug 11, 2021, 11:30:16 AM\", \"vulnerabilitySourceUpdatedAt\": \"Aug 11, 2021, 1:17:52
- AM\", \"findings\": [{\"name\": \"CVE-2019-25013\", \"description\": \"The iconv
- feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing
- invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-25013\", \"severity\"\
- : \"HIGH\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"2.28-10\"\
- }, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"CVSS2_VECTOR\"\
- , \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:C\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
- : \"7.1\"}]}, {\"name\": \"CVE-2021-33574\", \"description\": \"The mq_notify function
- in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It
- may use the notification thread attributes object (passed through its struct sigevent
- parameter) after it has been freed by the caller, leading to a denial of service
- (application crash) or possibly unspecified other impact.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-33574\"\
- , \"severity\": \"HIGH\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"7.5\"}]}, {\"name\": \"CVE-2018-12886\", \"description\": \"stack_protect_prologue
- in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection
- (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences
- when targeting ARM targets that spill the address of the stack protector guard,
- which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all,
- -fstack-protector-strong, and -fstack-protector-explicit against stack overflow
- by controlling what the stack canary is compared against.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-12886\"\
- , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"8.3.0-6\"}, {\"key\": \"package_name\", \"value\": \"gcc-8\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"6.8\"}]}, {\"name\": \"CVE-2020-1751\", \"description\": \"An out-of-bounds
- write vulnerability was found in glibc before 2.31 when handling signal trampolines
- on PowerPC. Specifically, the backtrace function did not properly check the array
- bounds when storing the frame address, resulting in a denial of service or potential
- code execution. The highest threat from this vulnerability is to system availability.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-1751\", \"severity\"\
- : \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"2.28-10\"\
- }, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"CVSS2_VECTOR\"\
- , \"value\": \"AV:L/AC:M/Au:N/C:P/I:P/A:C\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
- : \"5.9\"}]}, {\"name\": \"CVE-2021-3326\", \"description\": \"The iconv function
- in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid
- input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path
- and aborts the program, potentially resulting in a denial of service.\", \"uri\"\
- : \"https://security-tracker.debian.org/tracker/CVE-2021-3326\", \"severity\": \"\
- MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"2.28-10\"\
- }, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"CVSS2_VECTOR\"\
- , \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
- : \"5\"}]}, {\"name\": \"CVE-2021-35942\", \"description\": \"The wordexp function
- in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory
- in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern,
- potentially resulting in a denial of service or disclosure of information. This
- occurs because atoi was used but strtoul should have been used to ensure correct
- calculations.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-35942\"\
- , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"6.4\"}]}, {\"name\": \"CVE-2019-12904\", \"description\": \"In Libgcrypt
- 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel
- attack because physical addresses are available to other processes. (The C implementation
- is used on platforms where an assembly-language implementation is unavailable.)\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-12904\", \"severity\"\
- : \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"1.8.4-5+deb10u1\"\
- }, {\"key\": \"package_name\", \"value\": \"libgcrypt20\"}, {\"key\": \"CVSS2_VECTOR\"\
- , \"value\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
- : \"4.3\"}]}, {\"name\": \"CVE-2017-6363\", \"description\": \"** DISPUTED ** In
- the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer
- over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says \\\"In my opinion this
- issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete,
- and should only be used for development and testing purposes.'\\\"\", \"uri\": \"\
- https://security-tracker.debian.org/tracker/CVE-2017-6363\", \"severity\": \"MEDIUM\"\
- , \"attributes\": [{\"key\": \"package_version\", \"value\": \"2.2.5-5.2\"}, {\"\
- key\": \"package_name\", \"value\": \"libgd2\"}, {\"key\": \"CVSS2_VECTOR\", \"\
- value\": \"AV:N/AC:M/Au:N/C:P/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\":
- \"5.8\"}]}, {\"name\": \"CVE-2019-12290\", \"description\": \"GNU libidn2 before
- 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when
- converting A-labels to U-labels. This makes it possible in some circumstances for
- one domain to impersonate another. By creating a malicious domain that matches a
- target domain except for the inclusion of certain punycoded Unicode characters (that
- would be discarded when converted first to a Unicode label and then back to an ASCII
- label), arbitrary domains can be impersonated.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-12290\"\
- , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.0.5-1+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libidn2\"}, {\"\
- key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\"}, {\"key\": \"\
- CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2019-13115\", \"description\"\
- : \"In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.imageId.imageDigest
+- requestParameters.maxResults
+- requestParameters.repositoryName
+- responseElements.imageId.imageDigest
+- responseElements.imageScanFindings.findingSeverityCounts.HIGH
+- responseElements.imageScanFindings.findingSeverityCounts.INFORMATIONAL
+- responseElements.imageScanFindings.findingSeverityCounts.LOW
+- responseElements.imageScanFindings.findingSeverityCounts.MEDIUM
+- responseElements.imageScanFindings.findingSeverityCounts.UNDEFINED
+- responseElements.imageScanFindings.findings{}.attributes{}.key
+- responseElements.imageScanFindings.findings{}.attributes{}.value
+- responseElements.imageScanFindings.findings{}.description
+- responseElements.imageScanFindings.findings{}.name
+- responseElements.imageScanFindings.findings{}.severity
+- responseElements.imageScanFindings.findings{}.uri
+- responseElements.imageScanFindings.imageScanCompletedAt
+- responseElements.imageScanFindings.vulnerabilitySourceUpdatedAt
+- responseElements.imageScanStatus.description
+- responseElements.imageScanStatus.status
+- responseElements.registryId
+- responseElements.repositoryName
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AAAAAAAAAAAAAAAAAAAAA:test@test.com", "arn": "arn:aws:sts::111111111111:assumed-role/role_name/test@test.com",
+ "accountId": "111111111111", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AKIAIOSFODNN7EXAMPLE", "arn":
+ "arn:aws:iam::111111111111:role/aws-reserved/test/region/group", "accountId": "111111111111",
+ "userName": "test"}, "webIdFederationData" : {}, "attributes": {"creationDate":
+ "2021-08-11T09:42:53Z", "mfaAuthenticated": "false"}}}, "eventTime": "2021-08-11T11:52:27Z",
+ "eventSource": "ecr.amazonaws.com", "eventName": "DescribeImageScanFindings", "awsRegion":
+ "eu-central-1" , "sourceIPAddress": "154.16.165.133", "userAgent": "aws-internal/3
+ aws-sdk-java/1.11.1030 Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08
+ java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/legacy", "requestParameters":
+ {"repositoryName": "devsecops/cat_dog_client", "imageId": {"imageDigest": "sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6"},
+ "maxResults": 1000}, "responseElements": {"registryId": "111111111111", "repositoryName":
+ "devsecops/cat_dog_client", "imageId": {"imageDigest" : "sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6"},
+ "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed
+ successfully."}, "imageScanFindings": {"imageScanCompletedAt": "Aug 11, 2021, 11:30:16
+ AM", "vulnerabilitySourceUpdatedAt": "Aug 11, 2021, 1:17:52 AM", "findings": [{"name":
+ "CVE-2019-25013", "description": "The iconv feature in the GNU C Library (aka glibc
+ or libc6) through 2.32, when processing invalid multi-byte input sequences in the
+ EUC-KR encoding, may have a buffer over-read.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-25013",
+ "severity": "HIGH", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:C"},
+ {"key": "CVSS2_SCORE", "value": "7.1"}]}, {"name": "CVE-2021-33574", "description":
+ "The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33
+ has a use-after-free. It may use the notification thread attributes object (passed
+ through its struct sigevent parameter) after it has been freed by the caller, leading
+ to a denial of service (application crash) or possibly unspecified other impact.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2021-33574", "severity":
+ "HIGH", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
+ "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2018-12886", "description":
+ "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c
+ in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate
+ instruction sequences when targeting ARM targets that spill the address of the stack
+ protector guard, which allows an attacker to bypass the protection of -fstack-protector,
+ -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit
+ against stack overflow by controlling what the stack canary is compared against.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2018-12886", "severity":
+ "MEDIUM", "attributes": [{"key": "package_version", "value": "8.3.0-6"}, {"key":
+ "package_name", "value": "gcc-8"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-1751", "description":
+ "An out-of-bounds write vulnerability was found in glibc before 2.31 when handling
+ signal trampolines on PowerPC. Specifically, the backtrace function did not properly
+ check the array bounds when storing the frame address, resulting in a denial of
+ service or potential code execution. The highest threat from this vulnerability
+ is to system availability.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-1751",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:P/I:P/A:C"},
+ {"key": "CVSS2_SCORE", "value": "5.9"}]}, {"name": "CVE-2021-3326", "description":
+ "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier,
+ when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an
+ assertion in the code path and aborts the program, potentially resulting in a denial
+ of service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-3326",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-35942", "description":
+ "The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or
+ read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted,
+ crafted pattern, potentially resulting in a denial of service or disclosure of information.
+ This occurs because atoi was used but strtoul should have been used to ensure correct
+ calculations.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-35942",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.4"}]}, {"name": "CVE-2019-12904", "description":
+ "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload
+ side-channel attack because physical addresses are available to other processes.
+ (The C implementation is used on platforms where an assembly-language implementation
+ is unavailable.)", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-12904",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "1.8.4-5+deb10u1"},
+ {"key": "package_name", "value": "libgcrypt20"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name":
+ "CVE-2017-6363", "description": "** DISPUTED ** In the GD Graphics Library (aka
+ LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c.
+ NOTE: the vendor says \"In my opinion this issue should not have a CVE, since the
+ GD and GD2 formats are documented to be ''obsolete, and should only be used for
+ development and testing purposes.''\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-6363",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.2.5-5.2"},
+ {"key": "package_name", "value": "libgd2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2019-12290", "description":
+ "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490
+ Section 4.2 when converting A-labels to U-labels. This makes it possible in some
+ circumstances for one domain to impersonate another. By creating a malicious domain
+ that matches a target domain except for the inclusion of certain punycoded Unicode
+ characters (that would be discarded when converted first to a Unicode label and
+ then back to an ASCII label), arbitrary domains can be impersonated.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-12290",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.0.5-1+deb10u1"},
+ {"key": "package_name", "value": "libidn2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-13115", "description":
+ "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange
in kex.c has an integer overflow that could lead to an out-of-bounds read in the
way packets are read from the server. A remote attacker who compromises a SSH server
may be able to disclose sensitive information or cause a denial of service condition
on the client system when a user connects to the server. This is related to an _libssh2_check_length
- mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-13115\", \"severity\"\
- : \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"1.8.0-2.1\"\
- }, {\"key\": \"package_name\", \"value\": \"libssh2\"}, {\"key\": \"CVSS2_VECTOR\"\
- , \"value\": \"AV:N/AC:M/Au:N/C:P/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
- : \"5.8\"}]}, {\"name\": \"CVE-2016-9318\", \"description\": \"libxml2 2.9.4 and
- earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer
- a flag directly indicating that the current document may be read but other files
- may not be opened, which makes it easier for remote attackers to conduct XML External
- Entity (XXE) attacks via a crafted document.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2016-9318\"\
- , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.9.4+dfsg1-7+deb10u2\"}, {\"key\": \"package_name\", \"value\": \"libxml2\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2017-16932\", \"description\"\
- : \"parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter
- entities.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-16932\"\
- , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.9.4+dfsg1-7+deb10u2\"}, {\"key\": \"package_name\", \"value\": \"libxml2\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2020-36309\", \"description\"\
- : \"ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows
- unsafe characters in an argument when using the API to mutate a URI, or a request
- or response header.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-36309\"\
- , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"1.21.1-1~buster\"}, {\"key\": \"package_name\", \"value\": \"nginx\"}, {\"key\"\
- : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"5\"}]}, {\"name\": \"CVE-2020-14155\", \"description\": \"libpcre
- in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-14155\", \"severity\"\
- : \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"2:8.39-12\"\
- }, {\"key\": \"package_name\", \"value\": \"pcre3\"}, {\"key\": \"CVSS2_VECTOR\"\
- , \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
- : \"5\"}]}, {\"name\": \"CVE-2019-3843\", \"description\": \"It was discovered that
- a systemd service that uses DynamicUser property can create a SUID/SGID binary that
- would be allowed to run as the transient service UID/GID even after the service
- is terminated. A local attacker may use this flaw to access resources that will
- be owned by a potentially different service in the future, when the UID/GID will
- be recycled.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-3843\"\
- , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"241-7~deb10u8\"}, {\"key\": \"package_name\", \"value\": \"systemd\"}, {\"key\"\
- : \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"4.6\"}]}, {\"name\": \"CVE-2019-3844\", \"description\": \"It was
- discovered that a systemd service that uses DynamicUser property can get new privileges
- through the execution of SUID binaries, which would allow to create binaries owned
- by the service transient group with the setgid bit set. A local attacker may use
- this flaw to access resources that will be owned by a potentially different service
- in the future, when the GID will be recycled.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-3844\"\
- , \"severity\": \"MEDIUM\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"241-7~deb10u8\"}, {\"key\": \"package_name\", \"value\": \"systemd\"}, {\"key\"\
- : \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"4.6\"}]}, {\"name\": \"CVE-2016-2781\", \"description\": \"chroot
- in GNU coreutils, when used with --userspec, allows local users to escape to the
- parent session via a crafted TIOCSTI ioctl call, which pushes characters to the
- terminal's input buffer.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2016-2781\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"8.30-3\"}, {\"key\": \"package_name\", \"value\": \"coreutils\"}, {\"key\":
- \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:P/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2021-22898\", \"description\": \"curl
- 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command
- line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content
- pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV
- variables, libcurl could be made to pass on uninitialized data from a stack based
- buffer to the server, resulting in potentially revealing sensitive internal information
- to the server using a clear-text network protocol.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-22898\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"7.64.0-4+deb10u2\"}, {\"key\": \"package_name\", \"value\": \"curl\"}, {\"key\"\
- : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:H/Au:N/C:P/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"2.6\"}]}, {\"name\": \"CVE-2019-15847\", \"description\": \"The POWER9
- backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple
- calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy
- of the random number generator. This occurred because a volatile operation was not
- specified. For example, within a single execution of a program, the output of every
- __builtin_darn() call may be the same.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-15847\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"8.3.0-6\"}, {\"key\": \"package_name\", \"value\": \"gcc-8\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"5\"}]}, {\"name\": \"CVE-2020-1752\", \"description\": \"A use-after-free
- vulnerability introduced in glibc upstream version 2.14 was found in the way the
- tilde expansion was carried out. Directory paths containing an initial tilde followed
- by a valid username were affected by this issue. A local attacker could exploit
- this flaw by creating a specially crafted path that, when processed by the glob
- function, would potentially lead to arbitrary code execution. This was fixed in
- version 2.32.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-1752\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:L/AC:H/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"3.7\"}]}, {\"name\": \"CVE-2020-6096\", \"description\": \"An exploitable
- signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU
- glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation)
- with a negative value for the 'num' parameter results in a signed comparison vulnerability.
- If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could
- lead to undefined behavior such as writing to out-of-bounds memory and potentially
- remote code execution. Furthermore, this memcpy() implementation allows for program
- execution to continue in scenarios where a segmentation fault or crash should have
- occurred. The dangers occur in that subsequent execution and iterations of this
- code will be executed with this corrupted data.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-6096\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"6.8\"}]}, {\"name\": \"CVE-2020-10029\", \"description\": \"The GNU
- C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during
- range reduction if an input to an 80-bit long double function contains a non-canonical
- bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets.
- This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-10029\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2020-27618\", \"description\": \"The iconv
- function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing
- invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399
- encodings, fails to advance the input state, which could lead to an infinite loop
- in applications, resulting in a denial of service, a different vulnerability from
- CVE-2016-10228.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-27618\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2016-10228\", \"description\": \"The iconv
- program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked
- with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with
- the -c option, enters an infinite loop when processing invalid multi-byte input
- sequences, leading to a denial of service.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2016-10228\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"4.3\"}]}, {\"name\": \"CVE-2019-19126\", \"description\": \"On the
- x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the
- LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security
- transition, allowing local attackers to restrict the possible mapping addresses
- for loaded libraries and thus bypass ASLR for a setuid program.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-19126\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2021-27645\", \"description\": \"The nameserver
- caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33,
- when processing a request for netgroup lookup, may crash due to a double-free, potentially
- resulting in degraded service or Denial of Service on the local system. This is
- related to netgroupcache.c.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-27645\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:L/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"1.9\"}]}, {\"name\": \"CVE-2019-14855\", \"description\": \"A flaw
- was found in the way certificate signatures could be forged using collisions found
- in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate
- signatures. This issue affects GnuPG versions before 2.2.18.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-14855\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.2.12-1+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"gnupg2\"}, {\"\
- key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\": \"\
- CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2019-13627\", \"description\"\
- : \"It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic
+ mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2019-13115", "severity":
+ "MEDIUM", "attributes": [{"key": "package_version", "value": "1.8.0-2.1"}, {"key":
+ "package_name", "value": "libssh2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2016-9318", "description":
+ "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products,
+ does not offer a flag directly indicating that the current document may be read
+ but other files may not be opened, which makes it easier for remote attackers to
+ conduct XML External Entity (XXE) attacks via a crafted document.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-9318",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.9.4+dfsg1-7+deb10u2"},
+ {"key": "package_name", "value": "libxml2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:N"},
+ {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2017-16932", "description":
+ "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter
+ entities.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-16932",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.9.4+dfsg1-7+deb10u2"},
+ {"key": "package_name", "value": "libxml2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-36309", "description":
+ "ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe
+ characters in an argument when using the API to mutate a URI, or a request or response
+ header.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-36309", "severity":
+ "MEDIUM", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"},
+ {"key": "package_name", "value": "nginx"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-14155", "description":
+ "libpcre in PCRE before 8.44 allows an integer overflow via a large number after
+ a (?C substring.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-14155",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2:8.39-12"},
+ {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-3843", "description":
+ "It was discovered that a systemd service that uses DynamicUser property can create
+ a SUID/SGID binary that would be allowed to run as the transient service UID/GID
+ even after the service is terminated. A local attacker may use this flaw to access
+ resources that will be owned by a potentially different service in the future, when
+ the UID/GID will be recycled.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-3843",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"},
+ {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "4.6"}]}, {"name": "CVE-2019-3844", "description":
+ "It was discovered that a systemd service that uses DynamicUser property can get
+ new privileges through the execution of SUID binaries, which would allow to create
+ binaries owned by the service transient group with the setgid bit set. A local attacker
+ may use this flaw to access resources that will be owned by a potentially different
+ service in the future, when the GID will be recycled.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-3844",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"},
+ {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "4.6"}]}, {"name": "CVE-2016-2781", "description":
+ "chroot in GNU coreutils, when used with --userspec, allows local users to escape
+ to the parent session via a crafted TIOCSTI ioctl call, which pushes characters
+ to the terminal''s input buffer.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-2781",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "8.30-3"},
+ {"key": "package_name", "value": "coreutils"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:L/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name":
+ "CVE-2021-22898", "description": "curl 7.7 through 7.76.1 suffers from an information
+ disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in
+ libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw
+ in the option parser for sending NEW_ENV variables, libcurl could be made to pass
+ on uninitialized data from a stack based buffer to the server, resulting in potentially
+ revealing sensitive internal information to the server using a clear-text network
+ protocol.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22898",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "7.64.0-4+deb10u2"},
+ {"key": "package_name", "value": "curl"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:H/Au:N/C:P/I:N/A:N"},
+ {"key": "CVSS2_SCORE", "value": "2.6"}]}, {"name": "CVE-2019-15847", "description":
+ "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize
+ multiple calls of the __builtin_darn intrinsic into a single call, thus reducing
+ the entropy of the random number generator. This occurred because a volatile operation
+ was not specified. For example, within a single execution of a program, the output
+ of every __builtin_darn() call may be the same.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-15847",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "8.3.0-6"},
+ {"key": "package_name", "value": "gcc-8"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-1752", "description":
+ "A use-after-free vulnerability introduced in glibc upstream version 2.14 was found
+ in the way the tilde expansion was carried out. Directory paths containing an initial
+ tilde followed by a valid username were affected by this issue. A local attacker
+ could exploit this flaw by creating a specially crafted path that, when processed
+ by the glob function, would potentially lead to arbitrary code execution. This was
+ fixed in version 2.32.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-1752",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:H/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "3.7"}]}, {"name": "CVE-2020-6096", "description":
+ "An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation
+ of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU
+ glibc implementation) with a negative value for the ''num'' parameter results in
+ a signed comparison vulnerability. If an attacker underflows the ''num'' parameter
+ to memcpy(), this vulnerability could lead to undefined behavior such as writing
+ to out-of-bounds memory and potentially remote code execution. Furthermore, this
+ memcpy() implementation allows for program execution to continue in scenarios where
+ a segmentation fault or crash should have occurred. The dangers occur in that subsequent
+ execution and iterations of this code will be executed with this corrupted data.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2020-6096", "severity":
+ "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
+ "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-10029", "description":
+ "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer
+ during range reduction if an input to an 80-bit long double function contains a
+ non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to
+ sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2020-10029", "severity":
+ "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
+ "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2020-27618", "description":
+ "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier,
+ when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388,
+ IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead
+ to an infinite loop in applications, resulting in a denial of service, a different
+ vulnerability from CVE-2016-10228.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-27618",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2016-10228", "description":
+ "The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when
+ invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE)
+ along with the -c option, enters an infinite loop when processing invalid multi-byte
+ input sequences, leading to a denial of service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-10228",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2019-19126", "description":
+ "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to
+ ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution
+ after a security transition, allowing local attackers to restrict the possible mapping
+ addresses for loaded libraries and thus bypass ASLR for a setuid program.", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2019-19126", "severity": "LOW",
+ "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
+ "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:N/A:N"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-27645", "description":
+ "The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6)
+ 2.29 through 2.33, when processing a request for netgroup lookup, may crash due
+ to a double-free, potentially resulting in degraded service or Denial of Service
+ on the local system. This is related to netgroupcache.c.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-27645",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "1.9"}]}, {"name": "CVE-2019-14855", "description":
+ "A flaw was found in the way certificate signatures could be forged using collisions
+ found in the SHA-1 algorithm. An attacker could use this weakness to create forged
+ certificate signatures. This issue affects GnuPG versions before 2.2.18.", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2019-14855", "severity": "LOW",
+ "attributes": [{"key": "package_version", "value": "2.2.12-1+deb10u1"}, {"key":
+ "package_name", "value": "gnupg2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-13627", "description":
+ "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic
library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions
- fixed: 1.8.5-2 and 1.6.3-2+deb8u7.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-13627\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"1.8.4-5+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libgcrypt20\"},
- {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:H/Au:N/C:P/I:P/A:N\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"2.6\"}]}, {\"name\": \"CVE-2018-14553\", \"description\"\
- : \"gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference
- allowing attackers to crash an application via a specific function call sequence.
- Only affects PHP when linked with an external libgd (not bundled).\", \"uri\": \"\
- https://security-tracker.debian.org/tracker/CVE-2018-14553\", \"severity\": \"LOW\"\
- , \"attributes\": [{\"key\": \"package_version\", \"value\": \"2.2.5-5.2\"}, {\"\
- key\": \"package_name\", \"value\": \"libgd2\"}, {\"key\": \"CVSS2_VECTOR\", \"\
- value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\":
- \"5\"}]}, {\"name\": \"CVE-2021-36086\", \"description\": \"The CIL compiler in
- SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set
- and cil_reset_classperms_list).\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-36086\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.8-1\"}, {\"key\": \"package_name\", \"value\": \"libsepol\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2021-36085\", \"description\": \"The CIL
- compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called
- from __verify_map_perm_classperms and hashtab_map).\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-36085\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.8-1\"}, {\"key\": \"package_name\", \"value\": \"libsepol\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2021-36087\", \"description\": \"The CIL
- compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called
- indirectly from cil_check_neverallow). This occurs because there is sometimes a
- lack of checks for invalid statements in an optional block.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-36087\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.8-1\"}, {\"key\": \"package_name\", \"value\": \"libsepol\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2021-36084\", \"description\": \"The CIL
- compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called
- from __cil_verify_classpermission and __cil_pre_verify_helper).\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-36084\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.8-1\"}, {\"key\": \"package_name\", \"value\": \"libsepol\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2019-17498\", \"description\": \"In libssh2
- v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer
- overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds)
- offset for a subsequent memory read. A crafted SSH server may be able to disclose
- sensitive information or cause a denial of service condition on the client system
- when a user connects to the server.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-17498\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"1.8.0-2.1\"}, {\"key\": \"package_name\", \"value\": \"libssh2\"}, {\"key\"
- : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"5.8\"}]}, {\"name\": \"CVE-2019-17543\", \"description\": \"LZ4 before
- 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize),
+ fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-13627",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.4-5+deb10u1"},
+ {"key": "package_name", "value": "libgcrypt20"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:L/AC:H/Au:N/C:P/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "2.6"}]}, {"name":
+ "CVE-2018-14553", "description": "gdImageClone in gd.c in libgd 2.1.0-rc2 through
+ 2.2.5 has a NULL pointer dereference allowing attackers to crash an application
+ via a specific function call sequence. Only affects PHP when linked with an external
+ libgd (not bundled).", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-14553",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.2.5-5.2"},
+ {"key": "package_name", "value": "libgd2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-36086", "description":
+ "The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission
+ (called from cil_reset_classperms_set and cil_reset_classperms_list).", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36086",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"},
+ {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-36085", "description":
+ "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms
+ (called from __verify_map_perm_classperms and hashtab_map).", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36085",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"},
+ {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-36087", "description":
+ "The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any
+ (called indirectly from cil_check_neverallow). This occurs because there is sometimes
+ a lack of checks for invalid statements in an optional block.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36087",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"},
+ {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-36084", "description":
+ "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms
+ (called from __cil_verify_classpermission and __cil_pre_verify_helper).", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2021-36084", "severity": "LOW",
+ "attributes": [{"key": "package_version", "value": "2.8-1"}, {"key": "package_name",
+ "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2019-17498", "description":
+ "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c
+ has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary
+ (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be
+ able to disclose sensitive information or cause a denial of service condition on
+ the client system when a user connects to the server.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-17498",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.0-2.1"},
+ {"key": "package_name", "value": "libssh2"}, {"key" : "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2019-17543", "description":
+ "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize),
affecting applications that call LZ4_compress_fast with a large input. (This issue
- can also lead to data corruption.) NOTE: the vendor states \\\"only a few specific
- / uncommon usages of the API are at risk.\\\"\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-17543\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"1.8.3-1+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"lz4\"}, {\"key\"\
- : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"6.8\"}]}, {\"name\": \"CVE-2013-0337\", \"description\": \"The default
- configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions
- for the (1) access.log and (2) error.log files, which allows local users to obtain
- sensitive information by reading the files.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2013-0337\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"1.21.1-1~buster\"}, {\"key\": \"package_name\", \"value\": \"nginx\"}, {\"key\"\
- : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"7.5\"}]}, {\"name\": \"CVE-2018-7169\", \"description\": \"An issue
- was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an
- unprivileged user to be placed in a user namespace where setgroups(2) is permitted.
- This allows an attacker to remove themselves from a supplementary group, which may
- allow access to certain filesystem paths if the administrator has used \\\"group
- blacklisting\\\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively
- reverts a security feature in the kernel (in particular, the /proc/self/setgroups
- knob) to prevent this sort of privilege escalation.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-7169\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"1:4.5-1.1\"}, {\"key\": \"package_name\", \"value\": \"shadow\"}, {\"key\":
- \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"5\"}]}, {\"name\": \"CVE-2021-37600\", \"description\": \"An integer
- overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if
- an attacker were able to use system resources in a way that leads to a large number
- in the /proc/sysvipc/sem file.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-37600\"\
- , \"severity\": \"LOW\", \"attributes\": [{\"key\": \"package_version\", \"value\"\
- : \"2.33.1-0.1\"}, {\"key\": \"package_name\", \"value\": \"util-linux\"}, {\"key\"\
- : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"7.5\"}]}, {\"name\": \"CVE-2011-3374\", \"description\": \"It was
- found that apt-key in apt, all versions, do not correctly validate gpg keys with
- the master keyring, leading to a potential man-in-the-middle attack.\", \"uri\"
- : \"https://security-tracker.debian.org/tracker/CVE-2011-3374\", \"severity\": \"\
- INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"1.8.2.3\"\
- }, {\"key\": \"package_name\", \"value\": \"apt\"}, {\"key\": \"CVSS2_VECTOR\",
- \"value\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
- : \"4.3\"}]}, {\"name\": \"CVE-2019-18276\", \"description\": \"An issue was discovered
- in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if
- Bash is run with its effective UID not equal to its real UID, it will drop privileges
- by setting its effective UID to its real UID. However, it does so incorrectly. On
- Linux and other systems that support \\\"saved UID\\\" functionality, the saved
- UID is not dropped. An attacker with command execution in the shell can use \\\"\
- enable -f\\\" for runtime loading of a new builtin, which can be a shared object
- that calls setuid() and therefore regains privileges. However, binaries running
- with an effective UID of 0 are unaffected.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-18276\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"5.0-4\"}, {\"key\": \"package_name\", \"value\": \"bash\"}, {\"key\"\
- : \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"7.2\"}]}, {\"name\": \"CVE-2017-18018\", \"description\": \"In GNU
- Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement
- of a plain file with a symlink during use of the POSIX \\\"-R -L\\\" options, which
- allows local users to modify the ownership of arbitrary files by leveraging a race
- condition.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-18018\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"8.30-3\"}, {\"key\": \"package_name\", \"value\": \"coreutils\"},
- {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:M/Au:N/C:N/I:P/A:N\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"1.9\"}]}, {\"name\": \"CVE-2021-22923\", \"description\"\
- : \"When curl is instructed to get content using the metalink feature, and a user
- name and password are used to download the metalink XML file, those same credentials
- are then subsequently passed on to each of the servers from which curl will download
- or try to download the contents from. Often contrary to the user's expectations
- and intentions and without telling the user it happened.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-22923\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"7.64.0-4+deb10u2\"}, {\"key\": \"package_name\", \"value\": \"curl\"\
- }]}, {\"name\": \"CVE-2021-22922\", \"description\": \"When curl is instructed to
- download content using the metalink feature, thecontents is verified against a hash
- provided in the metalink XML file.The metalink XML file points out to the client
- how to get the same contentfrom a set of different URLs, potentially hosted by different
- servers and theclient can then download the file from one or several of them. In
- a serial orparallel manner.If one of the servers hosting the contents has been breached
- and the contentsof the specific file on that server is replaced with a modified
- payload, curlshould detect this when the hash of the file mismatches after a completeddownload.
- It should remove the contents and instead try getting the contentsfrom another URL.
- This is not done, and instead such a hash mismatch is onlymentioned in text and
- the potentially malicious content is kept in the file ondisk.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-22922\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"7.64.0-4+deb10u2\"}, {\"key\": \"package_name\", \"value\": \"curl\"\
- }]}, {\"name\": \"CVE-2013-0340\", \"description\": \"expat 2.1.0 and earlier does
- not properly handle entities expansion unless an application developer uses the
- XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial
- of service (resource consumption), send HTTP requests to intranet servers, or read
- arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.\
- \ NOTE: it could be argued that because expat already provides the ability to disable
- external entity expansion, the responsibility for resolving this issue lies with
- application developers; according to this argument, this entry should be REJECTed,
- and each affected application would need its own CVE.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2013-0340\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"2.2.6-2+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"expat\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"6.8\"}]}, {\"name\": \"CVE-2019-1010023\", \"description\"\
- : \"** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library
+ can also lead to data corruption.) NOTE: the vendor states \"only a few specific
+ / uncommon usages of the API are at risk.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-17543",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.3-1+deb10u1"},
+ {"key": "package_name", "value": "lz4"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2013-0337", "description":
+ "The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable
+ permissions for the (1) access.log and (2) error.log files, which allows local users
+ to obtain sensitive information by reading the files.", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-0337",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"},
+ {"key": "package_name", "value": "nginx"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2018-7169", "description":
+ "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and
+ allows an unprivileged user to be placed in a user namespace where setgroups(2)
+ is permitted. This allows an attacker to remove themselves from a supplementary
+ group, which may allow access to certain filesystem paths if the administrator has
+ used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This
+ flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups
+ knob) to prevent this sort of privilege escalation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-7169",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "1:4.5-1.1"},
+ {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-37600", "description":
+ "An integer overflow in util-linux through 2.37.1 can potentially cause a buffer
+ overflow if an attacker were able to use system resources in a way that leads to
+ a large number in the /proc/sysvipc/sem file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-37600",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.33.1-0.1"},
+ {"key": "package_name", "value": "util-linux"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name":
+ "CVE-2011-3374", "description": "It was found that apt-key in apt, all versions,
+ do not correctly validate gpg keys with the master keyring, leading to a potential
+ man-in-the-middle attack.", "uri" : "https://security-tracker.debian.org/tracker/CVE-2011-3374",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.8.2.3"}, {"key": "package_name", "value": "apt"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name":
+ "CVE-2019-18276", "description": "An issue was discovered in disable_priv_mode in
+ shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective
+ UID not equal to its real UID, it will drop privileges by setting its effective
+ UID to its real UID. However, it does so incorrectly. On Linux and other systems
+ that support \"saved UID\" functionality, the saved UID is not dropped. An attacker
+ with command execution in the shell can use \"enable -f\" for runtime loading of
+ a new builtin, which can be a shared object that calls setuid() and therefore regains
+ privileges. However, binaries running with an effective UID of 0 are unaffected.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2019-18276", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "5.0-4"}, {"key":
+ "package_name", "value": "bash"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:C/I:C/A:C"},
+ {"key": "CVSS2_SCORE", "value": "7.2"}]}, {"name": "CVE-2017-18018", "description":
+ "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent
+ replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options,
+ which allows local users to modify the ownership of arbitrary files by leveraging
+ a race condition.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-18018",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "8.30-3"}, {"key": "package_name", "value": "coreutils"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "1.9"}]},
+ {"name": "CVE-2021-22923", "description": "When curl is instructed to get content
+ using the metalink feature, and a user name and password are used to download the
+ metalink XML file, those same credentials are then subsequently passed on to each
+ of the servers from which curl will download or try to download the contents from.
+ Often contrary to the user''s expectations and intentions and without telling the
+ user it happened.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22923",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "7.64.0-4+deb10u2"}, {"key": "package_name", "value": "curl"}]}, {"name": "CVE-2021-22922",
+ "description": "When curl is instructed to download content using the metalink feature,
+ thecontents is verified against a hash provided in the metalink XML file.The metalink
+ XML file points out to the client how to get the same contentfrom a set of different
+ URLs, potentially hosted by different servers and theclient can then download the
+ file from one or several of them. In a serial orparallel manner.If one of the servers
+ hosting the contents has been breached and the contentsof the specific file on that
+ server is replaced with a modified payload, curlshould detect this when the hash
+ of the file mismatches after a completeddownload. It should remove the contents
+ and instead try getting the contentsfrom another URL. This is not done, and instead
+ such a hash mismatch is onlymentioned in text and the potentially malicious content
+ is kept in the file ondisk.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22922",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "7.64.0-4+deb10u2"}, {"key": "package_name", "value": "curl"}]}, {"name": "CVE-2013-0340",
+ "description": "expat 2.1.0 and earlier does not properly handle entities expansion
+ unless an application developer uses the XML_SetEntityDeclHandler function, which
+ allows remote attackers to cause a denial of service (resource consumption), send
+ HTTP requests to intranet servers, or read arbitrary files via a crafted XML document,
+ aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat
+ already provides the ability to disable external entity expansion, the responsibility
+ for resolving this issue lies with application developers; according to this argument,
+ this entry should be REJECTed, and each affected application would need its own
+ CVE.", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-0340", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.2.6-2+deb10u1"},
+ {"key": "package_name", "value": "expat"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2019-1010023", "description":
+ "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library
with malicious ELF file. The impact is: In worst case attacker may evaluate privileges.
The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim
- and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \\\
- \"this is being treated as a non-security bug and no real threat.\\\"\", \"uri\"\
- : \"https://security-tracker.debian.org/tracker/CVE-2019-1010023\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"CVSS2_VECTOR\"\
- , \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
- : \"6.8\"}]}, {\"name\": \"CVE-2010-4051\", \"description\": \"The regcomp implementation
- in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2,
- allows context-dependent attackers to cause a denial of service (application crash)
- via a regular expression containing adjacent bounded repetitions that bypass the
- intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence
- in the proftpd.gnu.c exploit for ProFTPD, related to a \\\"RE_DUP_MAX overflow.\\\
- \"\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2010-4051\", \"\
- severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"\
- value\": \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\"\
- : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"5\"}]}, {\"name\": \"CVE-2019-1010022\", \"description\": \"** DISPUTED
- ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may
- bypass stack guard protection. The component is: nptl. The attack vector is: Exploit
- stack buffer overflow vulnerability and use this bypass vulnerability to bypass
- stack guard. NOTE: Upstream comments indicate \\\"this is being treated as a non-security
- bug and no real threat.\\\"\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-1010022\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"\
- key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\": \"\
- CVSS2_SCORE\", \"value\": \"7.5\"}]}, {\"name\": \"CVE-2010-4052\", \"description\"\
- : \"Stack consumption vulnerability in the regcomp implementation in the GNU C Library
+ and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this
+ is being treated as a non-security bug and no real threat.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010023",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name":
+ "CVE-2010-4051", "description": "The regcomp implementation in the GNU C Library
+ (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent
+ attackers to cause a denial of service (application crash) via a regular expression
+ containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation,
+ as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit
+ for ProFTPD, related to a \"RE_DUP_MAX overflow.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-4051",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
+ "CVE-2019-1010022", "description": "** DISPUTED ** GNU Libc current is affected
+ by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection.
+ The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability
+ and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments
+ indicate \"this is being treated as a non-security bug and no real threat.\"", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "severity": "INFORMATIONAL",
+ "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
+ "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2010-4052", "description":
+ "Stack consumption vulnerability in the regcomp implementation in the GNU C Library
(aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent
attackers to cause a denial of service (resource exhaustion) via a regular expression
containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,}
- sequence in the proftpd.gnu.c exploit for ProFTPD.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2010-4052\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"\
- key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"\
- CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2019-1010024\", \"description\"\
- : \"** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact
- is: Attacker may bypass ASLR using cache of thread stack and heap. The component
- is: glibc. NOTE: Upstream comments indicate \\\"this is being treated as a non-security
- bug and no real threat.\\\"\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-1010024\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"\
- key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\": \"\
- CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2010-4756\", \"description\"\
- : \"The glob implementation in the GNU C Library (aka glibc or libc6) allows remote
- authenticated users to cause a denial of service (CPU and memory consumption) via
- crafted glob expressions that do not match any pathnames, as demonstrated by glob
- expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2010-4756\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"CVSS2_VECTOR\"\
- , \"value\": \"AV:N/AC:L/Au:S/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
- : \"4\"}]}, {\"name\": \"CVE-2019-1010025\", \"description\": \"** DISPUTED ** GNU
- Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess
- the heap addresses of pthread_created thread. The component is: glibc. NOTE: the
- vendor's position is \\\"ASLR bypass itself is not a vulnerability.\\\"\", \"uri\"\
- : \"https://security-tracker.debian.org/tracker/CVE-2019-1010025\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"key\": \"CVSS2_VECTOR\"\
- , \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
- : \"5\"}]}, {\"name\": \"CVE-2018-20796\", \"description\": \"In the GNU C Library
- (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c
- has Uncontrolled Recursion, as demonstrated by '(\\\\227|)(\\\\\\\\1\\\\\\\\1|t1|\\\
- \\\\\\\\\\2537)+' in grep.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-20796\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"\
- key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"\
- CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2019-9192\", \"description\"\
- : \"** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1
- in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\\\\\\
- 1\\\\\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software
- maintainer disputes that this is a vulnerability because the behavior occurs only
- with a crafted pattern.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-9192\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"2.28-10\"}, {\"key\": \"package_name\", \"value\": \"glibc\"}, {\"\
- key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"\
- CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2011-3389\", \"description\"\
- : \"The SSL protocol, as used in certain configurations in Microsoft Windows and
- Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products,
- encrypts data by using CBC mode with chained initialization vectors, which allows
- man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary
- attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses
- (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight
- WebClient API, aka a \\\"BEAST\\\" attack.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2011-3389\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"3.6.7-4+deb10u7\"}, {\"key\": \"package_name\", \"value\": \"gnutls28\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2021-30535\", \"description\"\
- : \"Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a remote attacker
- to potentially exploit heap corruption via a crafted HTML page.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-30535\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"63.1-6+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"icu\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"6.8\"}]}, {\"name\": \"CVE-2017-9937\", \"description\"\
- : \"In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted
- TIFF document can lead to an abort resulting in a remote denial of service attack.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-9937\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"2.1-3.1\"}, {\"key\": \"package_name\", \"value\": \"jbigkit\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"4.3\"}]}, {\"name\": \"CVE-2018-5709\", \"description\": \"An issue
- was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \\\
- \"dbentry->n_key_data\\\" in kadmin/dbutil/dump.c that can store 16-bit data but
- unknowingly the developer has assigned a \\\"u4\\\" variable to it, which is for
- 32-bit data. An attacker can use this vulnerability to affect other artifacts of
- the database as we know that a Kerberos database dump file contains trusted data.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-5709\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"1.17-3+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"krb5\"}, {\"key\"
- : \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"5\"}]}, {\"name\": \"CVE-2021-36222\", \"description\": \"ec_verify
- in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka
- krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a
- NULL pointer dereference and daemon crash. This occurs because a return value is
- not properly managed in a certain situation.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-36222\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"1.17-3+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"krb5\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2004-0971\", \"description\"\
- : \"The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux
- 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite
- files via a symlink attack on temporary files.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2004-0971\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"1.17-3+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"krb5\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:P/A:N\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"2.1\"}]}, {\"name\": \"CVE-2018-6829\", \"description\"\
- : \"cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly,
+ sequence in the proftpd.gnu.c exploit for ProFTPD.", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-4052",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
+ "CVE-2019-1010024", "description": "** DISPUTED ** GNU Libc current is affected
+ by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread
+ stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this
+ is being treated as a non-security bug and no real threat.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010024",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
+ "CVE-2010-4756", "description": "The glob implementation in the GNU C Library (aka
+ glibc or libc6) allows remote authenticated users to cause a denial of service (CPU
+ and memory consumption) via crafted glob expressions that do not match any pathnames,
+ as demonstrated by glob expressions in STAT commands to an FTP daemon, a different
+ vulnerability than CVE-2010-2632.", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-4756",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:S/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4"}]}, {"name":
+ "CVE-2019-1010025", "description": "** DISPUTED ** GNU Libc current is affected
+ by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created
+ thread. The component is: glibc. NOTE: the vendor''s position is \"ASLR bypass itself
+ is not a vulnerability.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010025",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
+ "CVE-2018-20796", "description": "In the GNU C Library (aka glibc or libc6) through
+ 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion,
+ as demonstrated by ''(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+'' in grep.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-20796",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
+ "CVE-2019-9192", "description": "** DISPUTED ** In the GNU C Library (aka glibc
+ or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled
+ Recursion, as demonstrated by ''(|)(\\\\1\\\\1)*'' in grep, a different issue than
+ CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability
+ because the behavior occurs only with a crafted pattern.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-9192",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
+ "CVE-2011-3389", "description": "The SSL protocol, as used in certain configurations
+ in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome,
+ Opera, and other products, encrypts data by using CBC mode with chained initialization
+ vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers
+ via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction
+ with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection
+ API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2011-3389",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "3.6.7-4+deb10u7"}, {"key": "package_name", "value": "gnutls28"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
+ {"name": "CVE-2021-30535", "description": "Double free in ICU in Google Chrome prior
+ to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption
+ via a crafted HTML page.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-30535",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "63.1-6+deb10u1"}, {"key": "package_name", "value": "icu"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]},
+ {"name": "CVE-2017-9937", "description": "In LibTIFF 4.0.8, there is a memory malloc
+ failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in
+ a remote denial of service attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-9937",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.1-3.1"}, {"key": "package_name", "value": "jbigkit"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
+ {"name": "CVE-2018-5709", "description": "An issue was discovered in MIT Kerberos
+ 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c
+ that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable
+ to it, which is for 32-bit data. An attacker can use this vulnerability to affect
+ other artifacts of the database as we know that a Kerberos database dump file contains
+ trusted data.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-5709",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.17-3+deb10u1"}, {"key": "package_name", "value": "krb5"}, {"key" : "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ {"name": "CVE-2021-36222", "description": "ec_verify in kdc/kdc_preauth_ec.c in
+ the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and
+ 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference
+ and daemon crash. This occurs because a return value is not properly managed in
+ a certain situation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36222",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.17-3+deb10u1"}, {"key": "package_name", "value": "krb5"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ {"name": "CVE-2004-0971", "description": "The krb5-send-pr script in the kerberos5
+ (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating
+ systems, allows local users to overwrite files via a symlink attack on temporary
+ files.", "uri": "https://security-tracker.debian.org/tracker/CVE-2004-0971", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.17-3+deb10u1"},
+ {"key": "package_name", "value": "krb5"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:P/A:N"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2018-6829", "description":
+ "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly,
improperly encodes plaintexts, which allows attackers to obtain sensitive information
by reading ciphertext data (i.e., it does not have semantic security in face of
a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not
- hold for Libgcrypt's ElGamal implementation.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-6829\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"1.8.4-5+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libgcrypt20\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2018-11813\", \"description\"\
- : \"libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-11813\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"1:1.5.2-2+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libjpeg-turbo\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2020-17541\", \"description\"\
- : \"Libjpeg-turbo all version have a stack-based buffer overflow in the \\\"transform\\\
- \" component. A remote attacker can send a malformed jpeg file to the service and
- cause arbitrary code execution or denial of service of the target service.\", \"\
- uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-17541\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"1:1.5.2-2+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libjpeg-turbo\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"6.8\"}]}, {\"name\": \"CVE-2017-15232\", \"description\"\
- : \"libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c
- via a crafted JPEG file.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-15232\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"1:1.5.2-2+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libjpeg-turbo\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2018-14048\", \"description\"\
- : \"An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data
- in png.c, related to the recommended error handling for png_read_image.\", \"uri\"\
- : \"https://security-tracker.debian.org/tracker/CVE-2018-14048\", \"severity\":
- \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"\
- 1.6.36-6\"}, {\"key\": \"package_name\", \"value\": \"libpng1.6\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"4.3\"}]}, {\"name\": \"CVE-2019-6129\", \"description\": \"** DISPUTED
- ** png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated
- by pngcp. NOTE: a third party has stated \\\"I don't think it is libpng's job to
- free this buffer.\\\"\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-6129\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"1.6.36-6\"}, {\"key\": \"package_name\", \"value\": \"libpng1.6\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2018-14550\", \"description\"\
- : \"An issue has been found in third-party PNM decoding associated with libpng 1.6.35.
- It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-14550\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"1.6.36-6\"}, {\"key\": \"package_name\", \"value\": \"libpng1.6\"}, {\"key\":
- \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"6.8\"}]}, {\"name\": \"CVE-2019-9893\", \"description\": \"libseccomp
- before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using
- the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing
- seccomp filters and potential privilege escalations.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-9893\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"2.3.3-4\"}, {\"key\": \"package_name\", \"value\": \"libseccomp\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"7.5\"}]}, {\"name\": \"CVE-2018-1000654\", \"description\"\
- : \"GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains
- a DoS, specifically CPU usage will reach 100% when running asn1Paser against the
- POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program
- will be killed. This attack appears to be exploitable via parsing a crafted file.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-1000654\", \"\
- severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"\
- value\": \"4.13-3\"}, {\"key\": \"package_name\", \"value\": \"libtasn1-6\"}, {\"\
- key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:C\"}, {\"key\": \"\
- CVSS2_SCORE\", \"value\": \"7.1\"}]}, {\"name\": \"CVE-2016-9085\", \"description\"\
- : \"Multiple integer overflows in libwebp allows attackers to have unspecified impact
- via unknown vectors.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2016-9085\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"0.6.1-2+deb10u1\"}, {\"key\": \"package_name\", \"value\": \"libwebp\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"2.1\"}]}, {\"name\": \"CVE-2015-9019\", \"description\"\
- : \"In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized
- with a random seed during startup, which could cause usage of this function to produce
- predictable outputs.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2015-9019\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"1.1.32-2.2~deb10u1\"}, {\"key\": \"package_name\", \"value\": \"\
- libxslt\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\"\
- }, {\"key\": \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2009-4487\"
- , \"description\": \"nginx 0.7.64 writes data to a log file without sanitizing non-printable
- characters, which might allow remote attackers to modify a window's title, or possibly
- execute arbitrary commands or overwrite files, via an HTTP request containing an
- escape sequence for a terminal emulator.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2009-4487\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"1.21.1-1~buster\"}, {\"key\": \"package_name\", \"value\": \"nginx\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"6.8\"}]}, {\"name\": \"CVE-2020-15719\", \"description\"\
- : \"libldap in certain third-party OpenLDAP packages has a certificate-validation
- flaw when the third-party package is asserting RFC6125 support. It considers CN
- even when there is a non-matching subjectAltName (SAN). This is fixed in, for example,
- openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-15719\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"2.4.47+dfsg-3+deb10u6\"}, {\"key\": \"package_name\", \"value\":
- \"openldap\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:H/Au:N/C:P/I:P/A:N\"\
- }, {\"key\": \"CVSS2_SCORE\", \"value\": \"4\"}]}, {\"name\": \"CVE-2015-3276\"
- , \"description\": \"The nss_parse_ciphers function in libraries/libldap/tls_m.c
- in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings,
- which might cause a weaker than intended cipher to be used and allow remote attackers
- to have unspecified impact via unknown vectors.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2015-3276\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"2.4.47+dfsg-3+deb10u6\"}, {\"key\": \"package_name\", \"value\":
- \"openldap\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\"\
- }, {\"key\": \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2017-14159\"\
- , \"description\": \"slapd in OpenLDAP 2.4.45 and earlier creates a PID file after
- dropping privileges to a non-root account, which might allow local users to kill
- arbitrary processes by leveraging access to this non-root account for PID file modification
- before a root script executes a \\\"kill `cat /pathname`\\\" command, as demonstrated
- by openldap-initscript.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-14159\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"2.4.47+dfsg-3+deb10u6\"}, {\"key\": \"package_name\", \"value\":
- \"openldap\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:M/Au:N/C:N/I:N/A:P\"\
- }, {\"key\": \"CVSS2_SCORE\", \"value\": \"1.9\"}]}, {\"name\": \"CVE-2017-17740\"\
- , \"description\": \"contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45,
- when both the nops module and the memberof overlay are enabled, attempts to free
- a buffer that was allocated on the stack, which allows remote attackers to cause
- a denial of service (slapd crash) via a member MODDN operation.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-17740\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"2.4.47+dfsg-3+deb10u6\"}, {\"key\": \"package_name\", \"value\":
- \"openldap\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"\
- }, {\"key\": \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2010-0928\"
- , \"description\": \"OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx
- Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain
- signature calculations, and does not verify the signature before providing it to
- a caller, which makes it easier for physically proximate attackers to determine
- the private key via a modified supply voltage for the microprocessor, related to
- a \\\"fault-based attack.\\\"\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2010-0928\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"1.1.1d-0+deb10u6\"}, {\"key\": \"package_name\", \"value\": \"openssl\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:H/Au:N/C:C/I:N/A:N\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"4\"}]}, {\"name\": \"CVE-2007-6755\", \"description\"\
- : \"The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic
- Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a
- possible relationship to certain \\\"skeleton key\\\" values, which might allow
- context-dependent attackers to defeat cryptographic protection mechanisms by leveraging
- knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future
- research may provide additional details about point Q and associated attacks, and
- could potentially lead to a RECAST or REJECT of this CVE.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2007-6755\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"1.1.1d-0+deb10u6\"}, {\"key\": \"package_name\", \"value\": \"openssl\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:N\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"5.8\"}]}, {\"name\": \"CVE-2017-7246\", \"description\"\
- : \"Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c
+ hold for Libgcrypt''s ElGamal implementation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-6829",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.8.4-5+deb10u1"}, {"key": "package_name", "value": "libgcrypt20"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ {"name": "CVE-2018-11813", "description": "libjpeg 9c has a large loop because read_pixel
+ in rdtarga.c mishandles EOF.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-11813",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1:1.5.2-2+deb10u1"}, {"key": "package_name", "value": "libjpeg-turbo"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "5"}]}, {"name": "CVE-2020-17541", "description": "Libjpeg-turbo all version have
+ a stack-based buffer overflow in the \"transform\" component. A remote attacker
+ can send a malformed jpeg file to the service and cause arbitrary code execution
+ or denial of service of the target service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-17541",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1:1.5.2-2+deb10u1"}, {"key": "package_name", "value": "libjpeg-turbo"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "6.8"}]}, {"name": "CVE-2017-15232", "description": "libjpeg-turbo 1.5.2 has a NULL
+ Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2017-15232", "severity": "INFORMATIONAL",
+ "attributes": [{"key": "package_version", "value": "1:1.5.2-2+deb10u1"}, {"key":
+ "package_name", "value": "libjpeg-turbo"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2018-14048", "description":
+ "An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data
+ in png.c, related to the recommended error handling for png_read_image.", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2018-14048", "severity": "INFORMATIONAL",
+ "attributes": [{"key": "package_version", "value": "1.6.36-6"}, {"key": "package_name",
+ "value": "libpng1.6"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2019-6129", "description":
+ "** DISPUTED ** png_create_info_struct in png.c in libpng 1.6.36 has a memory leak,
+ as demonstrated by pngcp. NOTE: a third party has stated \"I don''t think it is
+ libpng''s job to free this buffer.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-6129",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.6.36-6"}, {"key": "package_name", "value": "libpng1.6"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
+ {"name": "CVE-2018-14550", "description": "An issue has been found in third-party
+ PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow
+ in the function get_token in pnm2png.c in pnm2png.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-14550",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.6.36-6"}, {"key": "package_name", "value": "libpng1.6"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]},
+ {"name": "CVE-2019-9893", "description": "libseccomp before 2.4.0 did not correctly
+ generate 64-bit syscall argument comparisons using the arithmetic operators (LT,
+ GT, LE, GE), which might able to lead to bypassing seccomp filters and potential
+ privilege escalations.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-9893",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.3.3-4"}, {"key": "package_name", "value": "libseccomp"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]},
+ {"name": "CVE-2018-1000654", "description": "GNU Libtasn1-4.13 libtasn1-4.13 version
+ libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100%
+ when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree),
+ after a long time, the program will be killed. This attack appears to be exploitable
+ via parsing a crafted file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-1000654",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.13-3"}, {"key": "package_name", "value": "libtasn1-6"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}, {"key": "CVSS2_SCORE", "value": "7.1"}]},
+ {"name": "CVE-2016-9085", "description": "Multiple integer overflows in libwebp
+ allows attackers to have unspecified impact via unknown vectors.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-9085",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "0.6.1-2+deb10u1"}, {"key": "package_name", "value": "libwebp"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]},
+ {"name": "CVE-2015-9019", "description": "In libxslt 1.1.29 and earlier, the EXSLT
+ math.random function was not initialized with a random seed during startup, which
+ could cause usage of this function to produce predictable outputs.", "uri": "https://security-tracker.debian.org/tracker/CVE-2015-9019",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.1.32-2.2~deb10u1"}, {"key": "package_name", "value": "libxslt"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ {"name": "CVE-2009-4487" , "description": "nginx 0.7.64 writes data to a log file
+ without sanitizing non-printable characters, which might allow remote attackers
+ to modify a window''s title, or possibly execute arbitrary commands or overwrite
+ files, via an HTTP request containing an escape sequence for a terminal emulator.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2009-4487", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"},
+ {"key": "package_name", "value": "nginx"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-15719", "description":
+ "libldap in certain third-party OpenLDAP packages has a certificate-validation flaw
+ when the third-party package is asserting RFC6125 support. It considers CN even
+ when there is a non-matching subjectAltName (SAN). This is fixed in, for example,
+ openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-15719",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.4.47+dfsg-3+deb10u6"}, {"key": "package_name", "value": "openldap"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, {"key": "CVSS2_SCORE", "value":
+ "4"}]}, {"name": "CVE-2015-3276" , "description": "The nss_parse_ciphers function
+ in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword
+ mode cipher strings, which might cause a weaker than intended cipher to be used
+ and allow remote attackers to have unspecified impact via unknown vectors.", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2015-3276", "severity": "INFORMATIONAL",
+ "attributes": [{"key": "package_version", "value": "2.4.47+dfsg-3+deb10u6"}, {"key":
+ "package_name", "value": "openldap"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2017-14159", "description":
+ "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges
+ to a non-root account, which might allow local users to kill arbitrary processes
+ by leveraging access to this non-root account for PID file modification before a
+ root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2017-14159", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.4.47+dfsg-3+deb10u6"},
+ {"key": "package_name", "value": "openldap"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "1.9"}]}, {"name": "CVE-2017-17740", "description":
+ "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops
+ module and the memberof overlay are enabled, attempts to free a buffer that was
+ allocated on the stack, which allows remote attackers to cause a denial of service
+ (slapd crash) via a member MODDN operation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-17740",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.4.47+dfsg-3+deb10u6"}, {"key": "package_name", "value": "openldap"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "5"}]}, {"name": "CVE-2010-0928" , "description": "OpenSSL 0.9.8i on the Gaisler
+ Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation
+ (FWE) algorithm for certain signature calculations, and does not verify the signature
+ before providing it to a caller, which makes it easier for physically proximate
+ attackers to determine the private key via a modified supply voltage for the microprocessor,
+ related to a \"fault-based attack.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-0928",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.1.1d-0+deb10u6"}, {"key": "package_name", "value": "openssl"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:H/Au:N/C:C/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4"}]},
+ {"name": "CVE-2007-6755", "description": "The NIST SP 800-90A default statement
+ of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm
+ contains point Q constants with a possible relationship to certain \"skeleton key\"
+ values, which might allow context-dependent attackers to defeat cryptographic protection
+ mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary
+ CVE for Dual_EC_DRBG; future research may provide additional details about point
+ Q and associated attacks, and could potentially lead to a RECAST or REJECT of this
+ CVE.", "uri": "https://security-tracker.debian.org/tracker/CVE-2007-6755", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.1.1d-0+deb10u6"},
+ {"key": "package_name", "value": "openssl"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2017-7246", "description":
+ "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c
in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE
- of size 268) or possibly have unspecified other impact via a crafted file.\", \"\
- uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-7246\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"2:8.39-12\"}, {\"key\": \"package_name\", \"value\": \"pcre3\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"6.8\"}]}, {\"name\": \"CVE-2019-20838\", \"description\": \"libpcre
- in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled,
- and \\\\X or \\\\R has more than one fixed quantifier, a related issue to CVE-2019-20454.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-20838\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"2:8.39-12\"}, {\"key\": \"package_name\", \"value\": \"pcre3\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"4.3\"}]}, {\"name\": \"CVE-2017-7245\", \"description\": \"Stack-based
- buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1
- in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size
- 4) or possibly have unspecified other impact via a crafted file.\", \"uri\": \"\
- https://security-tracker.debian.org/tracker/CVE-2017-7245\", \"severity\": \"INFORMATIONAL\"\
- , \"attributes\": [{\"key\": \"package_version\", \"value\": \"2:8.39-12\"}, {\"\
- key\": \"package_name\", \"value\": \"pcre3\"}, {\"key\": \"CVSS2_VECTOR\", \"value\"\
- : \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\": \"CVSS2_SCORE\", \"value\": \"6.8\"\
- }]}, {\"name\": \"CVE-2017-16231\", \"description\": \"** DISPUTED ** In PCRE 8.41,
- after compiling, a pcretest load test PoC produces a crash overflow in the function
- match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute
- the relevance of this report, noting that there are options that can be used to
- limit the amount of stack that is used.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-16231\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"2:8.39-12\"}, {\"key\": \"package_name\", \"value\": \"pcre3\"},
- {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"2.1\"}]}, {\"name\": \"CVE-2017-11164\", \"description\"\
- : \"In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows
- stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-11164\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"2:8.39-12\"}, {\"key\": \"package_name\", \"value\": \"pcre3\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:C\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"7.8\"}]}, {\"name\": \"CVE-2011-4116\", \"description\": \"_is_safe
- in the File::Temp module for Perl does not properly handle symlinks.\", \"uri\"
- : \"https://security-tracker.debian.org/tracker/CVE-2011-4116\", \"severity\": \"\
- INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"5.28.1-6+deb10u1\"\
- }, {\"key\": \"package_name\", \"value\": \"perl\"}, {\"key\": \"CVSS2_VECTOR\"
- , \"value\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\"}, {\"key\": \"CVSS2_SCORE\", \"value\"\
- : \"5\"}]}, {\"name\": \"CVE-2019-19882\", \"description\": \"shadow 4.8, in certain
- circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local
- users to obtain root access because setuid programs are misconfigured. Specifically,
- this affects shadow 4.8 when compiled using --with-libpam but without explicitly
- passing --disable-account-tools-setuid, and without a PAM configuration suitable
- for use with setuid account management tools. This combination leads to account
- management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that
- can easily be used by unprivileged local users to escalate privileges to root in
- multiple ways. This issue became much more relevant in approximately December 2019
- when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed
- in the upstream Makefile which is now included in the release version 4.8).\", \"\
- uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-19882\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"1:4.5-1.1\"}, {\"key\": \"package_name\", \"value\": \"shadow\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:L/AC:M/Au:N/C:C/I:C/A:C\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"6.9\"}]}, {\"name\": \"CVE-2007-5686\", \"description\": \"initscripts
- in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows
- local users to obtain sensitive information regarding authentication attempts. \
- \ NOTE: because sshd detects the insecure permissions and does not log certain events,
- this also prevents sshd from logging failed authentication attempts by remote attackers.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2007-5686\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"1:4.5-1.1\"}, {\"key\": \"package_name\", \"value\": \"shadow\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:C/I:N/A:N\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"4.9\"}]}, {\"name\": \"CVE-2013-4235\", \"description\": \"shadow:
- TOCTOU (time-of-check time-of-use) race condition when copying and removing directory
- trees\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2013-4235\"
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"1:4.5-1.1\"}, {\"key\": \"package_name\", \"value\": \"shadow\"},
- {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:M/Au:N/C:N/I:P/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"3.3\"}]}, {\"name\": \"CVE-2020-13529\", \"description\"\
- : \"An exploitable denial-of-service vulnerability exists in Systemd 245. A specially
- crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be
- vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW
- and DCHP ACK packets to reconfigure the server.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-13529\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"241-7~deb10u8\"}, {\"key\": \"package_name\", \"value\": \"systemd\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:A/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"2.9\"}]}, {\"name\": \"CVE-2013-4392\", \"description\"\
- : \"systemd, when updating file permissions, allows local users to change the permissions
+ of size 268) or possibly have unspecified other impact via a crafted file.", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2017-7246", "severity": "INFORMATIONAL",
+ "attributes": [{"key": "package_version", "value": "2:8.39-12"}, {"key": "package_name",
+ "value": "pcre3"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2019-20838", "description":
+ "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is
+ disabled, and \\X or \\R has more than one fixed quantifier, a related issue to
+ CVE-2019-20454.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-20838",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
+ {"name": "CVE-2017-7245", "description": "Stack-based buffer overflow in the pcre32_copy_substring
+ function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause
+ a denial of service (WRITE of size 4) or possibly have unspecified other impact
+ via a crafted file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-7245",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]},
+ {"name": "CVE-2017-16231", "description": "** DISPUTED ** In PCRE 8.41, after compiling,
+ a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c
+ because of a self-recursive call. NOTE: third parties dispute the relevance of this
+ report, noting that there are options that can be used to limit the amount of stack
+ that is used.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-16231",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]},
+ {"name": "CVE-2017-11164", "description": "In PCRE 8.41, the OP_KETRMAX feature
+ in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion)
+ when processing a crafted regular expression.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-11164",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, {"key": "CVSS2_SCORE", "value": "7.8"}]},
+ {"name": "CVE-2011-4116", "description": "_is_safe in the File::Temp module for
+ Perl does not properly handle symlinks.", "uri" : "https://security-tracker.debian.org/tracker/CVE-2011-4116",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "5.28.1-6+deb10u1"}, {"key": "package_name", "value": "perl"}, {"key": "CVSS2_VECTOR"
+ , "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ {"name": "CVE-2019-19882", "description": "shadow 4.8, in certain circumstances
+ affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain
+ root access because setuid programs are misconfigured. Specifically, this affects
+ shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid,
+ and without a PAM configuration suitable for use with setuid account management
+ tools. This combination leads to account management tools (groupadd, groupdel, groupmod,
+ useradd, userdel, usermod) that can easily be used by unprivileged local users to
+ escalate privileges to root in multiple ways. This issue became much more relevant
+ in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod
+ calls to suidusbins were fixed in the upstream Makefile which is now included in
+ the release version 4.8).", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-19882",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "6.9"}]},
+ {"name": "CVE-2007-5686", "description": "initscripts in rPath Linux 1 sets insecure
+ permissions for the /var/log/btmp file, which allows local users to obtain sensitive
+ information regarding authentication attempts. NOTE: because sshd detects the insecure
+ permissions and does not log certain events, this also prevents sshd from logging
+ failed authentication attempts by remote attackers.", "uri": "https://security-tracker.debian.org/tracker/CVE-2007-5686",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.9"}]},
+ {"name": "CVE-2013-4235", "description": "shadow: TOCTOU (time-of-check time-of-use)
+ race condition when copying and removing directory trees", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-4235"
+ , "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:M/Au:N/C:N/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "3.3"}]},
+ {"name": "CVE-2020-13529", "description": "An exploitable denial-of-service vulnerability
+ exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server
+ running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker
+ can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2020-13529", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"},
+ {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:A/AC:M/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.9"}]}, {"name": "CVE-2013-4392", "description":
+ "systemd, when updating file permissions, allows local users to change the permissions
and SELinux security contexts for arbitrary files via a symlink attack on unspecified
- files.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2013-4392\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"241-7~deb10u8\"}, {\"key\": \"package_name\", \"value\": \"systemd\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:M/Au:N/C:P/I:P/A:N\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"3.3\"}]}, {\"name\": \"CVE-2020-13776\", \"description\"\
- : \"systemd through v245 mishandles numerical usernames such as ones composed of
- decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges
- when privileges of the 0x0 user account were intended. NOTE: this issue exists because
- of an incomplete fix for CVE-2017-1000082.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-13776\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"241-7~deb10u8\"}, {\"key\": \"package_name\", \"value\": \"systemd\"\
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:H/Au:N/C:C/I:C/A:C\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"6.2\"}]}, {\"name\": \"CVE-2019-20386\", \"description\"\
- : \"An issue was discovered in button_open in login/logind-button.c in systemd before
- 243. When executing the udevadm trigger command, a memory leak may occur.\", \"\
- uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-20386\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"241-7~deb10u8\"}, {\"key\": \"package_name\", \"value\": \"systemd\"}, {\"key\"\
- : \"CVSS2_VECTOR\", \"value\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"2.1\"}]}, {\"name\": \"CVE-2019-9923\", \"description\": \"pax_decode_header
- in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain
- archives that have malformed extended headers.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2019-9923\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"1.30+dfsg-6\"}, {\"key\": \"package_name\", \"value\": \"tar\"},
- {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2005-2541\", \"description\"\
- : \"Tar 1.15.1 does not properly warn the user when extracting setuid or setgid
- files, which may allow local users or remote attackers to gain privileges.\", \"\
- uri\": \"https://security-tracker.debian.org/tracker/CVE-2005-2541\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"1.30+dfsg-6\"}, {\"key\": \"package_name\", \"value\": \"tar\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"10\"}]}, {\"name\": \"CVE-2021-20193\", \"description\": \"A flaw
- was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker
- who can submit a crafted input file to tar to cause uncontrolled consumption of
- memory. The highest threat from this vulnerability is to system availability.\"
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-20193\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"1.30+dfsg-6\"}, {\"key\": \"package_name\", \"value\": \"tar\"}, {\"key\": \"\
- CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\": \"CVSS2_SCORE\"\
- , \"value\": \"4.3\"}]}, {\"name\": \"CVE-2017-17973\", \"description\": \"** DISPUTED
- ** In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function
- in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this
- issue.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-17973\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\"\
- : \"tiff\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"\
- }, {\"key\": \"CVSS2_SCORE\", \"value\": \"6.8\"}]}, {\"name\": \"CVE-2020-35521\"\
- , \"description\": \"A flaw was found in libtiff. Due to a memory allocation failure
- in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of
- service.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-35521\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\"\
- : \"tiff\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"\
- }, {\"key\": \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2014-8130\"\
- , \"description\": \"The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does
- not reject a zero size, which allows remote attackers to cause a denial of service
- (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled
- by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2014-8130\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\": \"tiff\"
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2017-5563\", \"description\"\
- : \"LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c
- resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff.\"
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-5563\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\": \"tiff\"
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"6.8\"}]}, {\"name\": \"CVE-2020-35522\", \"description\"\
- : \"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF
- document can lead to an abort, resulting in a remote denial of service attack.\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2020-35522\", \"severity\"\
- : \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\", \"value\":
- \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\": \"tiff\"
- }, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"}, {\"key\"\
- : \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2017-9117\", \"description\"\
- : \"In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth
- and biHeight in the bitmap-information header match the actual input, leading to
- a heap-based buffer over-read in bmp2tiff.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-9117\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\"\
- : \"tiff\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\"\
- }, {\"key\": \"CVSS2_SCORE\", \"value\": \"7.5\"}]}, {\"name\": \"CVE-2017-16232\"\
- , \"description\": \"** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities,
- which allow attackers to cause a denial of service (memory consumption), as demonstrated
- by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce
- the issue.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2017-16232\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\"\
- : \"tiff\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\"\
- }, {\"key\": \"CVSS2_SCORE\", \"value\": \"5\"}]}, {\"name\": \"CVE-2018-10126\"\
- , \"description\": \"LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16
- function in jfdctint.c.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2018-10126\"\
- , \"severity\": \"INFORMATIONAL\", \"attributes\": [{\"key\": \"package_version\"\
- , \"value\": \"4.1.0+git191117-2~deb10u2\"}, {\"key\": \"package_name\", \"value\"\
- : \"tiff\"}, {\"key\": \"CVSS2_VECTOR\", \"value\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\"\
- }, {\"key\": \"CVSS2_SCORE\", \"value\": \"4.3\"}]}, {\"name\": \"CVE-2021-22924\"\
- , \"description\": \"libcurl keeps previously used connections in a connection pool
- for subsequenttransfers to reuse, if one of them matches the setup.Due to errors
- in the logic, the config matching function did not take 'issuercert' into account
- and it compared the involved paths *case insensitively*,which could lead to libcurl
- reusing wrong connections.File paths are, or can be, case sensitive on many systems
- but not all, and caneven vary depending on used file systems.The comparison also
- didn't include the 'issuer cert' which a transfer can setto qualify how to verify
- the server certificate.\", \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-22924\"\
- , \"severity\": \"UNDEFINED\", \"attributes\": [{\"key\": \"package_version\", \"\
- value\": \"7.64.0-4+deb10u2\"}, {\"key\": \"package_name\", \"value\": \"curl\"
- }]}, {\"name\": \"CVE-2021-38115\", \"description\": \"read_header_tga in gd_tga.c
- in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to
- cause a denial of service (out-of-bounds read) via a crafted TGA file.\", \"uri\"\
- : \"https://security-tracker.debian.org/tracker/CVE-2021-38115\", \"severity\":
- \"UNDEFINED\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"2.2.5-5.2\"\
- }, {\"key\": \"package_name\", \"value\": \"libgd2\"}]}, {\"name\": \"CVE-2021-3618\"\
- , \"uri\": \"https://security-tracker.debian.org/tracker/CVE-2021-3618\", \"severity\"\
- : \"UNDEFINED\", \"attributes\": [{\"key\": \"package_version\", \"value\": \"1.21.1-1~buster\"\
- }, {\"key\": \"package_name\", \"value\": \"nginx\"}]}], \"findingSeverityCounts\"\
- : {\"HIGH\": 2, \"MEDIUM\": 14, \"INFORMATIONAL\": 63, \"LOW\": 22, \"UNDEFINED\"\
- : 3}}}, \"requestID\": \"23c19e2d-c48b-4265-b4eb-853e7b325780\", \"eventID\": \"\
- 6c94a9b2-36dc-43f8-a6dd-4ec839ded8af\", \"readOnly\": true, \"eventType\": \"AwsApiCall\"\
- , \"managementEvent\": true, \"recipientAccountId\": \"111111111111\", \"eventCategory\"\
- : \"Management\"}"
+ files.", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-4392", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"},
+ {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:P/I:P/A:N"},
+ {"key": "CVSS2_SCORE", "value": "3.3"}]}, {"name": "CVE-2020-13776", "description":
+ "systemd through v245 mishandles numerical usernames such as ones composed of decimal
+ digits or 0x followed by hex digits, as demonstrated by use of root privileges when
+ privileges of the 0x0 user account were intended. NOTE: this issue exists because
+ of an incomplete fix for CVE-2017-1000082.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-13776",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "241-7~deb10u8"}, {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "6.2"}]},
+ {"name": "CVE-2019-20386", "description": "An issue was discovered in button_open
+ in login/logind-button.c in systemd before 243. When executing the udevadm trigger
+ command, a memory leak may occur.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-20386",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "241-7~deb10u8"}, {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]},
+ {"name": "CVE-2019-9923", "description": "pax_decode_header in sparse.c in GNU Tar
+ before 1.32 had a NULL pointer dereference when parsing certain archives that have
+ malformed extended headers.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-9923",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ {"name": "CVE-2005-2541", "description": "Tar 1.15.1 does not properly warn the
+ user when extracting setuid or setgid files, which may allow local users or remote
+ attackers to gain privileges.", "uri": "https://security-tracker.debian.org/tracker/CVE-2005-2541",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "10"}]},
+ {"name": "CVE-2021-20193", "description": "A flaw was found in the src/list.c of
+ tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input
+ file to tar to cause uncontrolled consumption of memory. The highest threat from
+ this vulnerability is to system availability." , "uri": "https://security-tracker.debian.org/tracker/CVE-2021-20193",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
+ {"name": "CVE-2017-17973", "description": "** DISPUTED ** In LibTIFF 4.0.8, there
+ is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE:
+ there is a third-party report of inability to reproduce this issue.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-17973",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "6.8"}]}, {"name": "CVE-2020-35521", "description": "A flaw was found in libtiff.
+ Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to
+ an abort, resulting in denial of service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-35521",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "4.3"}]}, {"name": "CVE-2014-8130", "description": "The _TIFFmalloc function in
+ tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers
+ to cause a denial of service (divide-by-zero error and application crash) via a
+ crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c,
+ as demonstrated by tiffdither.", "uri": "https://security-tracker.debian.org/tracker/CVE-2014-8130",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff" }, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "4.3"}]}, {"name": "CVE-2017-5563", "description": "LibTIFF version 4.0.7 is vulnerable
+ to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution
+ via a crafted bmp image to tools/bmp2tiff." , "uri": "https://security-tracker.debian.org/tracker/CVE-2017-5563",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff" }, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "6.8"}]}, {"name": "CVE-2020-35522", "description": "In LibTIFF, there is a memory
+ malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort,
+ resulting in a remote denial of service attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-35522",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff" }, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "4.3"}]}, {"name": "CVE-2017-9117", "description": "In LibTIFF 4.0.7, the program
+ processes BMP images without verifying that biWidth and biHeight in the bitmap-information
+ header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2017-9117", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "4.1.0+git191117-2~deb10u2"},
+ {"key": "package_name", "value": "tiff"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2017-16232", "description":
+ "** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow
+ attackers to cause a denial of service (memory consumption), as demonstrated by
+ tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce
+ the issue.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-16232",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "5"}]}, {"name": "CVE-2018-10126", "description": "LibTIFF 4.0.9 has a NULL pointer
+ dereference in the jpeg_fdct_16x16 function in jfdctint.c.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-10126",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "4.3"}]}, {"name": "CVE-2021-22924", "description": "libcurl keeps previously used
+ connections in a connection pool for subsequenttransfers to reuse, if one of them
+ matches the setup.Due to errors in the logic, the config matching function did not
+ take ''issuercert'' into account and it compared the involved paths *case insensitively*,which
+ could lead to libcurl reusing wrong connections.File paths are, or can be, case
+ sensitive on many systems but not all, and caneven vary depending on used file systems.The
+ comparison also didn''t include the ''issuer cert'' which a transfer can setto qualify
+ how to verify the server certificate.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22924",
+ "severity": "UNDEFINED", "attributes": [{"key": "package_version", "value": "7.64.0-4+deb10u2"},
+ {"key": "package_name", "value": "curl" }]}, {"name": "CVE-2021-38115", "description":
+ "read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2
+ allows remote attackers to cause a denial of service (out-of-bounds read) via a
+ crafted TGA file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-38115",
+ "severity": "UNDEFINED", "attributes": [{"key": "package_version", "value": "2.2.5-5.2"},
+ {"key": "package_name", "value": "libgd2"}]}, {"name": "CVE-2021-3618", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-3618",
+ "severity": "UNDEFINED", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"},
+ {"key": "package_name", "value": "nginx"}]}], "findingSeverityCounts": {"HIGH":
+ 2, "MEDIUM": 14, "INFORMATIONAL": 63, "LOW": 22, "UNDEFINED": 3}}}, "requestID":
+ "23c19e2d-c48b-4265-b4eb-853e7b325780", "eventID": "6c94a9b2-36dc-43f8-a6dd-4ec839ded8af",
+ "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management"}'
diff --git a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
index 56fa1914b9..0a63249da0 100644
--- a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
@@ -6,91 +6,91 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a request is made to get the account password policy
in AWS CloudTrail.
mitre_components:
- - User Account Authentication
- - User Account Metadata
+- User Account Authentication
+- User Account Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: GetAccountPasswordPolicy
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - desc
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDASBMSCQHHTH5NDF4GD", "arn": "arn:aws:iam::111111111111:user/strt_fonder", "accountId":
"111111111111", "accessKeyId": "AKIASBMSCQHH5A5NJDM5", "userName": "strt_fonder"},
diff --git a/data_sources/aws_cloudtrail_getobject.yml b/data_sources/aws_cloudtrail_getobject.yml
index d303eb012c..2e9608547a 100644
--- a/data_sources/aws_cloudtrail_getobject.yml
+++ b/data_sources/aws_cloudtrail_getobject.yml
@@ -6,100 +6,100 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a request is made to access an object stored in an
AWS S3 bucket.
mitre_components:
- - Cloud Storage Access
- - Cloud Storage Metadata
- - Cloud Storage Enumeration
+- Cloud Storage Access
+- Cloud Storage Metadata
+- Cloud Storage Enumeration
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: GetObject
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - additionalEventData.AuthenticationMethod
- - additionalEventData.CipherSuite
- - additionalEventData.SignatureVersion
- - additionalEventData.bytesTransferredIn
- - additionalEventData.bytesTransferredOut
- - additionalEventData.x-amz-id-2
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.Host
- - requestParameters.bucketName
- - requestParameters.key
- - requestParameters.x-amz-request-payer
- - resources{}.ARN
- - resources{}.accountId
- - resources{}.type
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- additionalEventData.AuthenticationMethod
+- additionalEventData.CipherSuite
+- additionalEventData.SignatureVersion
+- additionalEventData.bytesTransferredIn
+- additionalEventData.bytesTransferredOut
+- additionalEventData.x-amz-id-2
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.Host
+- requestParameters.bucketName
+- requestParameters.key
+- requestParameters.x-amz-request-payer
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/console", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName": "console"}, "eventTime":
diff --git a/data_sources/aws_cloudtrail_getpassworddata.yml b/data_sources/aws_cloudtrail_getpassworddata.yml
index 6644109837..ca47e32ca9 100644
--- a/data_sources/aws_cloudtrail_getpassworddata.yml
+++ b/data_sources/aws_cloudtrail_getpassworddata.yml
@@ -6,101 +6,101 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a request is made to retrieve the administrator password
of an EC2 instance.
mitre_components:
- - Instance Metadata
- - User Account Authentication
+- Instance Metadata
+- User Account Authentication
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: GetPasswordData
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - errorMessage
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - reason
- - recipientAccountId
- - region
- - requestID
- - requestParameters.instanceId
- - responseElements
- - result
- - result_id
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestID
+- requestParameters.instanceId
+- responseElements
+- result
+- result_id
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLP5AASA6I5:aws-go-sdk-1660169051746043000", "arn": "arn:aws:sts::111111111111:assumed-role/sample-role-used-by-stratus-for-ec2-password-data/aws-go-sdk-1660169051746043000",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLLY5RQXEF", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_jobcreated.yml b/data_sources/aws_cloudtrail_jobcreated.yml
index 2278f224a5..d0fbf8d5a8 100644
--- a/data_sources/aws_cloudtrail_jobcreated.yml
+++ b/data_sources/aws_cloudtrail_jobcreated.yml
@@ -5,77 +5,77 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a new job is created in AWS CloudTrail.
mitre_components:
- - Scheduled Job Creation
- - Cloud Service Metadata
+- Scheduled Job Creation
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: JobCreated
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - desc
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestParameters
- - responseElements
- - serviceEventDetails.jobArn
- - serviceEventDetails.jobEventId
- - serviceEventDetails.jobId
- - serviceEventDetails.status
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - timeendpos
- - timestartpos
- - userAgent
- - userIdentity.accountId
- - userIdentity.invokedBy
- - user_agent
- - user_group_id
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestParameters
+- responseElements
+- serviceEventDetails.jobArn
+- serviceEventDetails.jobEventId
+- serviceEventDetails.jobId
+- serviceEventDetails.status
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- userAgent
+- userIdentity.accountId
+- userIdentity.invokedBy
+- user_agent
+- user_group_id
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"accountId": "111111111111",
"invokedBy": "s3.amazonaws.com"}, "eventTime": "2023-04-24T23:51:17Z", "eventSource":
"s3.amazonaws.com", "eventName": "JobCreated", "awsRegion": "us-west-2", "sourceIPAddress":
diff --git a/data_sources/aws_cloudtrail_modifydbinstance.yml b/data_sources/aws_cloudtrail_modifydbinstance.yml
index 99cb79f0b2..156008b8c1 100644
--- a/data_sources/aws_cloudtrail_modifydbinstance.yml
+++ b/data_sources/aws_cloudtrail_modifydbinstance.yml
@@ -6,150 +6,150 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a modification is made to an AWS database instance,
such as parameters or configurations.
mitre_components:
- - Instance Modification
- - Cloud Service Modification
- - Instance Metadata
+- Instance Modification
+- Cloud Service Modification
+- Instance Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: ModifyDBInstance
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.allowMajorVersionUpgrade
- - requestParameters.applyImmediately
- - requestParameters.dBInstanceIdentifier
- - requestParameters.deletionProtection
- - requestParameters.masterUserPassword
- - responseElements.allocatedStorage
- - responseElements.autoMinorVersionUpgrade
- - responseElements.availabilityZone
- - responseElements.backupRetentionPeriod
- - responseElements.backupTarget
- - responseElements.cACertificateIdentifier
- - responseElements.copyTagsToSnapshot
- - responseElements.customerOwnedIpEnabled
- - responseElements.dBInstanceArn
- - responseElements.dBInstanceClass
- - responseElements.dBInstanceIdentifier
- - responseElements.dBInstanceStatus
- - responseElements.dBParameterGroups{}.dBParameterGroupName
- - responseElements.dBParameterGroups{}.parameterApplyStatus
- - responseElements.dBSubnetGroup.dBSubnetGroupDescription
- - responseElements.dBSubnetGroup.dBSubnetGroupName
- - responseElements.dBSubnetGroup.subnetGroupStatus
- - responseElements.dBSubnetGroup.subnets{}.subnetAvailabilityZone.name
- - responseElements.dBSubnetGroup.subnets{}.subnetIdentifier
- - responseElements.dBSubnetGroup.subnets{}.subnetStatus
- - responseElements.dBSubnetGroup.vpcId
- - responseElements.dbInstancePort
- - responseElements.dbiResourceId
- - responseElements.deletionProtection
- - responseElements.endpoint.address
- - responseElements.endpoint.hostedZoneId
- - responseElements.endpoint.port
- - responseElements.engine
- - responseElements.engineVersion
- - responseElements.enhancedMonitoringResourceArn
- - responseElements.httpEndpointEnabled
- - responseElements.iAMDatabaseAuthenticationEnabled
- - responseElements.instanceCreateTime
- - responseElements.kmsKeyId
- - responseElements.latestRestorableTime
- - responseElements.licenseModel
- - responseElements.masterUsername
- - responseElements.monitoringInterval
- - responseElements.monitoringRoleArn
- - responseElements.multiAZ
- - responseElements.networkType
- - responseElements.optionGroupMemberships{}.optionGroupName
- - responseElements.optionGroupMemberships{}.status
- - responseElements.pendingModifiedValues.masterUserPassword
- - responseElements.performanceInsightsEnabled
- - responseElements.performanceInsightsKMSKeyId
- - responseElements.performanceInsightsRetentionPeriod
- - responseElements.preferredBackupWindow
- - responseElements.preferredMaintenanceWindow
- - responseElements.publiclyAccessible
- - responseElements.storageEncrypted
- - responseElements.storageThroughput
- - responseElements.storageType
- - responseElements.vpcSecurityGroups{}.status
- - responseElements.vpcSecurityGroups{}.vpcSecurityGroupId
- - sessionCredentialFromConsole
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.allowMajorVersionUpgrade
+- requestParameters.applyImmediately
+- requestParameters.dBInstanceIdentifier
+- requestParameters.deletionProtection
+- requestParameters.masterUserPassword
+- responseElements.allocatedStorage
+- responseElements.autoMinorVersionUpgrade
+- responseElements.availabilityZone
+- responseElements.backupRetentionPeriod
+- responseElements.backupTarget
+- responseElements.cACertificateIdentifier
+- responseElements.copyTagsToSnapshot
+- responseElements.customerOwnedIpEnabled
+- responseElements.dBInstanceArn
+- responseElements.dBInstanceClass
+- responseElements.dBInstanceIdentifier
+- responseElements.dBInstanceStatus
+- responseElements.dBParameterGroups{}.dBParameterGroupName
+- responseElements.dBParameterGroups{}.parameterApplyStatus
+- responseElements.dBSubnetGroup.dBSubnetGroupDescription
+- responseElements.dBSubnetGroup.dBSubnetGroupName
+- responseElements.dBSubnetGroup.subnetGroupStatus
+- responseElements.dBSubnetGroup.subnets{}.subnetAvailabilityZone.name
+- responseElements.dBSubnetGroup.subnets{}.subnetIdentifier
+- responseElements.dBSubnetGroup.subnets{}.subnetStatus
+- responseElements.dBSubnetGroup.vpcId
+- responseElements.dbInstancePort
+- responseElements.dbiResourceId
+- responseElements.deletionProtection
+- responseElements.endpoint.address
+- responseElements.endpoint.hostedZoneId
+- responseElements.endpoint.port
+- responseElements.engine
+- responseElements.engineVersion
+- responseElements.enhancedMonitoringResourceArn
+- responseElements.httpEndpointEnabled
+- responseElements.iAMDatabaseAuthenticationEnabled
+- responseElements.instanceCreateTime
+- responseElements.kmsKeyId
+- responseElements.latestRestorableTime
+- responseElements.licenseModel
+- responseElements.masterUsername
+- responseElements.monitoringInterval
+- responseElements.monitoringRoleArn
+- responseElements.multiAZ
+- responseElements.networkType
+- responseElements.optionGroupMemberships{}.optionGroupName
+- responseElements.optionGroupMemberships{}.status
+- responseElements.pendingModifiedValues.masterUserPassword
+- responseElements.performanceInsightsEnabled
+- responseElements.performanceInsightsKMSKeyId
+- responseElements.performanceInsightsRetentionPeriod
+- responseElements.preferredBackupWindow
+- responseElements.preferredMaintenanceWindow
+- responseElements.publiclyAccessible
+- responseElements.storageEncrypted
+- responseElements.storageThroughput
+- responseElements.storageType
+- responseElements.vpcSecurityGroups{}.status
+- responseElements.vpcSecurityGroups{}.vpcSecurityGroupId
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLDF6WP4HD6:gowthamarajr@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/gowthamarajr@splunk.com",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLAKJDBQGB", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_modifyimageattribute.yml b/data_sources/aws_cloudtrail_modifyimageattribute.yml
index 67fd0edb8a..ab8bb25d87 100644
--- a/data_sources/aws_cloudtrail_modifyimageattribute.yml
+++ b/data_sources/aws_cloudtrail_modifyimageattribute.yml
@@ -6,95 +6,95 @@ author: Patrick Bareiss, Splunk
description: Logs an event when the attributes of an Amazon Machine Image (AMI) are
modified.
mitre_components:
- - Image Modification
- - Image Metadata
+- Image Modification
+- Image Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: ModifyImageAttribute
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.attributeType
- - requestParameters.imageId
- - requestParameters.launchPermission.add.items{}.userId
- - responseElements._return
- - responseElements.requestId
- - sessionCredentialFromConsole
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.attributeType
+- requestParameters.imageId
+- requestParameters.launchPermission.add.items{}.userId
+- responseElements._return
+- responseElements.requestId
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLDF6WP4HD6:bonobo@bo.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/bonobo@bo.com",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLBHIEEEPN", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
index d44c5fa436..0dec70fdf0 100644
--- a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
+++ b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
@@ -6,90 +6,90 @@ author: Patrick Bareiss, Splunk
description: Logs an event when modifications are made to the attributes of a snapshot
in AWS CloudTrail.
mitre_components:
- - Snapshot Modification
+- Snapshot Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: ModifySnapshotAttribute
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.attributeType
- - requestParameters.createVolumePermission.add.items{}.userId
- - requestParameters.snapshotId
- - responseElements._return
- - responseElements.requestId
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.attributeType
+- requestParameters.createVolumePermission.add.items{}.userId
+- requestParameters.snapshotId
+- responseElements._return
+- responseElements.requestId
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/bhavin_console",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName":
diff --git a/data_sources/aws_cloudtrail_putbucketacl.yml b/data_sources/aws_cloudtrail_putbucketacl.yml
index 715cb571cb..c531275617 100644
--- a/data_sources/aws_cloudtrail_putbucketacl.yml
+++ b/data_sources/aws_cloudtrail_putbucketacl.yml
@@ -6,104 +6,104 @@ author: Patrick Bareiss, Splunk
description: Logs an event when an ACL is set or modified for an S3 bucket in AWS
CloudTrail.
mitre_components:
- - Cloud Storage Modification
- - Cloud Storage Metadata
+- Cloud Storage Modification
+- Cloud Storage Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: PutBucketAcl
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - additionalEventData.AuthenticationMethod
- - additionalEventData.CipherSuite
- - additionalEventData.SignatureVersion
- - additionalEventData.bytesTransferredIn
- - additionalEventData.bytesTransferredOut
- - additionalEventData.x-amz-id-2
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object
- - object_category
- - object_id
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.Host
- - requestParameters.accessControlList.x-amz-grant-write-acp
- - requestParameters.acl
- - requestParameters.bucketName
- - resources{}.ARN
- - resources{}.accountId
- - resources{}.type
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - src_user
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- additionalEventData.AuthenticationMethod
+- additionalEventData.CipherSuite
+- additionalEventData.SignatureVersion
+- additionalEventData.bytesTransferredIn
+- additionalEventData.bytesTransferredOut
+- additionalEventData.x-amz-id-2
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object
+- object_category
+- object_id
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.Host
+- requestParameters.accessControlList.x-amz-grant-write-acp
+- requestParameters.acl
+- requestParameters.bucketName
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_user
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLNALZHZ6KX", "arn": "arn:aws:iam::111111111111:user/patrick_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLJ2OYSF6E", "userName": "patrick_cli"},
diff --git a/data_sources/aws_cloudtrail_putbucketlifecycle.yml b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
index e5108f5812..aa74257621 100644
--- a/data_sources/aws_cloudtrail_putbucketlifecycle.yml
+++ b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
@@ -6,105 +6,105 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a lifecycle configuration is added to an S3 bucket
in AWS CloudTrail.
mitre_components:
- - Cloud Storage Modification
- - Cloud Storage Metadata
+- Cloud Storage Modification
+- Cloud Storage Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: PutBucketLifecycle
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - additionalEventData.AuthenticationMethod
- - additionalEventData.CipherSuite
- - additionalEventData.SignatureVersion
- - additionalEventData.bytesTransferredIn
- - additionalEventData.bytesTransferredOut
- - additionalEventData.x-amz-id-2
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object
- - object_category
- - object_id
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.Host
- - requestParameters.LifecycleConfiguration.Rule.Expiration.Days
- - requestParameters.LifecycleConfiguration.Rule.Filter.Prefix
- - requestParameters.LifecycleConfiguration.Rule.ID
- - requestParameters.LifecycleConfiguration.Rule.Status
- - requestParameters.LifecycleConfiguration.xmlns
- - requestParameters.bucketName
- - requestParameters.lifecycle
- - resources{}.ARN
- - resources{}.accountId
- - resources{}.type
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- additionalEventData.AuthenticationMethod
+- additionalEventData.CipherSuite
+- additionalEventData.SignatureVersion
+- additionalEventData.bytesTransferredIn
+- additionalEventData.bytesTransferredOut
+- additionalEventData.x-amz-id-2
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object
+- object_category
+- object_id
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.Host
+- requestParameters.LifecycleConfiguration.Rule.Expiration.Days
+- requestParameters.LifecycleConfiguration.Rule.Filter.Prefix
+- requestParameters.LifecycleConfiguration.Rule.ID
+- requestParameters.LifecycleConfiguration.Rule.Status
+- requestParameters.LifecycleConfiguration.xmlns
+- requestParameters.bucketName
+- requestParameters.lifecycle
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_putbucketreplication.yml b/data_sources/aws_cloudtrail_putbucketreplication.yml
index 779545c3e7..0da2860b07 100644
--- a/data_sources/aws_cloudtrail_putbucketreplication.yml
+++ b/data_sources/aws_cloudtrail_putbucketreplication.yml
@@ -6,117 +6,117 @@ author: Patrick Bareiss, Splunk
description: Logs an event when replication configurations are added or modified for
an S3 bucket.
mitre_components:
- - Cloud Storage Modification
+- Cloud Storage Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: PutBucketReplication
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - additionalEventData.AuthenticationMethod
- - additionalEventData.CipherSuite
- - additionalEventData.SignatureVersion
- - additionalEventData.bytesTransferredIn
- - additionalEventData.bytesTransferredOut
- - additionalEventData.x-amz-id-2
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object
- - object_category
- - object_id
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.Host
- - requestParameters.ReplicationConfiguration.Role
- - requestParameters.ReplicationConfiguration.Rule.DeleteMarkerReplication.Status
- - requestParameters.ReplicationConfiguration.Rule.Destination.Bucket
- - requestParameters.ReplicationConfiguration.Rule.Filter
- - requestParameters.ReplicationConfiguration.Rule.ID
- - requestParameters.ReplicationConfiguration.Rule.Priority
- - requestParameters.ReplicationConfiguration.Rule.Status
- - requestParameters.ReplicationConfiguration.xmlns
- - requestParameters.bucketName
- - requestParameters.replication
- - resources{}.ARN
- - resources{}.accountId
- - resources{}.type
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
- - vpcEndpointId
+- _time
+- additionalEventData.AuthenticationMethod
+- additionalEventData.CipherSuite
+- additionalEventData.SignatureVersion
+- additionalEventData.bytesTransferredIn
+- additionalEventData.bytesTransferredOut
+- additionalEventData.x-amz-id-2
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object
+- object_category
+- object_id
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.Host
+- requestParameters.ReplicationConfiguration.Role
+- requestParameters.ReplicationConfiguration.Rule.DeleteMarkerReplication.Status
+- requestParameters.ReplicationConfiguration.Rule.Destination.Bucket
+- requestParameters.ReplicationConfiguration.Rule.Filter
+- requestParameters.ReplicationConfiguration.Rule.ID
+- requestParameters.ReplicationConfiguration.Rule.Priority
+- requestParameters.ReplicationConfiguration.Rule.Status
+- requestParameters.ReplicationConfiguration.xmlns
+- requestParameters.bucketName
+- requestParameters.replication
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+- vpcEndpointId
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLDF6WP4H11:bpatel@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/bpatel@splunk.com",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLJOVYQHW2", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_putbucketversioning.yml b/data_sources/aws_cloudtrail_putbucketversioning.yml
index 1d727cc4d1..a0b031cda4 100644
--- a/data_sources/aws_cloudtrail_putbucketversioning.yml
+++ b/data_sources/aws_cloudtrail_putbucketversioning.yml
@@ -6,108 +6,108 @@ author: Patrick Bareiss, Splunk
description: Logs an event when the bucket versioning state is modified in an AWS
S3 bucket.
mitre_components:
- - Cloud Storage Modification
+- Cloud Storage Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: PutBucketVersioning
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - additionalEventData.AuthenticationMethod
- - additionalEventData.CipherSuite
- - additionalEventData.SignatureVersion
- - additionalEventData.bytesTransferredIn
- - additionalEventData.bytesTransferredOut
- - additionalEventData.x-amz-id-2
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object
- - object_category
- - object_id
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.Host
- - requestParameters.VersioningConfiguration.Status
- - requestParameters.VersioningConfiguration.xmlns
- - requestParameters.bucketName
- - requestParameters.versioning
- - resources{}.ARN
- - resources{}.accountId
- - resources{}.type
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
- - vpcEndpointId
+- _time
+- additionalEventData.AuthenticationMethod
+- additionalEventData.CipherSuite
+- additionalEventData.SignatureVersion
+- additionalEventData.bytesTransferredIn
+- additionalEventData.bytesTransferredOut
+- additionalEventData.x-amz-id-2
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object
+- object_category
+- object_id
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.Host
+- requestParameters.VersioningConfiguration.Status
+- requestParameters.VersioningConfiguration.xmlns
+- requestParameters.bucketName
+- requestParameters.versioning
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+- vpcEndpointId
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLDF6WP4HD6:daftpunk@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/daftpunk@splunk.com",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLAQ5VXXXX", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_putimage.yml b/data_sources/aws_cloudtrail_putimage.yml
index 713ed667e1..f5ba052aa0 100644
--- a/data_sources/aws_cloudtrail_putimage.yml
+++ b/data_sources/aws_cloudtrail_putimage.yml
@@ -6,98 +6,98 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a container image is uploaded to a repository in AWS
CloudTrail.
mitre_components:
- - Image Creation
- - Image Metadata
+- Image Creation
+- Image Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: PutImage
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.imageManifest
- - requestParameters.imageManifestMediaType
- - requestParameters.imageTag
- - requestParameters.registryId
- - requestParameters.repositoryName
- - resources{}.ARN
- - resources{}.accountId
- - responseElements.image.imageId.imageDigest
- - responseElements.image.imageId.imageTag
- - responseElements.image.imageManifest
- - responseElements.image.imageManifestMediaType
- - responseElements.image.registryId
- - responseElements.image.repositoryName
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.invokedBy
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.imageManifest
+- requestParameters.imageManifestMediaType
+- requestParameters.imageTag
+- requestParameters.registryId
+- requestParameters.repositoryName
+- resources{}.ARN
+- resources{}.accountId
+- responseElements.image.imageId.imageDigest
+- responseElements.image.imageId.imageTag
+- responseElements.image.imageManifest
+- responseElements.image.imageManifestMediaType
+- responseElements.image.registryId
+- responseElements.image.repositoryName
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.invokedBy
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AAAAAAAAAAAAAAAAAAAAA", "arn": "arn:aws:iam::111111111111:user/test", "accountId":
"111111111111", "accessKeyId": "AAAAAAAAAAAAAAAAAAAAA", "userName": "test", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_putkeypolicy.yml b/data_sources/aws_cloudtrail_putkeypolicy.yml
index d291365312..597af6e6cb 100644
--- a/data_sources/aws_cloudtrail_putkeypolicy.yml
+++ b/data_sources/aws_cloudtrail_putkeypolicy.yml
@@ -9,94 +9,94 @@ source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.bypassPolicyLockoutSafetyCheck
- - requestParameters.keyId
- - requestParameters.policy
- - requestParameters.policyName
- - resources{}.ARN
- - resources{}.accountId
- - resources{}.type
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.bypassPolicyLockoutSafetyCheck
+- requestParameters.keyId
+- requestParameters.policy
+- requestParameters.policyName
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
mitre_components:
- - Cloud Service Modification
+- Cloud Service Modification
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLK74OPBDR", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
index 4e7c3f9359..fb1752d56b 100644
--- a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
@@ -5,106 +5,106 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a network ACL entry is replaced within the AWS CloudTrail.
mitre_components:
- - Firewall Rule Modification
- - Cloud Service Modification
+- Firewall Rule Modification
+- Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: ReplaceNetworkAclEntry
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - direction
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - protocol
- - protocol_code
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.aclProtocol
- - requestParameters.cidrBlock
- - requestParameters.egress
- - requestParameters.networkAclId
- - requestParameters.ruleAction
- - requestParameters.ruleNumber
- - responseElements._return
- - responseElements.requestId
- - rule_action
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - src_ip_range
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- direction
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- protocol
+- protocol_code
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.aclProtocol
+- requestParameters.cidrBlock
+- requestParameters.egress
+- requestParameters.networkAclId
+- requestParameters.ruleAction
+- requestParameters.ruleNumber
+- responseElements._return
+- responseElements.requestId
+- rule_action
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_ip_range
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLF3F7BXZK", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
index d5c2a78694..b8e4d54281 100644
--- a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
@@ -6,91 +6,91 @@ author: Patrick Bareiss, Splunk
description: Logs an event when the default version of a resource policy in AWS is
set or changed.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: SetDefaultPolicyVersion
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.policyArn
- - requestParameters.versionId
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.policyArn
+- requestParameters.versionId
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLESDK2NOSX", "arn": "arn:aws:iam::111111111111:user/AtomicRedTeam",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLKMZDMPVA", "userName":
diff --git a/data_sources/aws_cloudtrail_stoplogging.yml b/data_sources/aws_cloudtrail_stoplogging.yml
index 934920e8fb..00d6b018a9 100644
--- a/data_sources/aws_cloudtrail_stoplogging.yml
+++ b/data_sources/aws_cloudtrail_stoplogging.yml
@@ -6,86 +6,86 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a cloud service in AWS, such as CloudTrail, is deactivated
or stopped.
mitre_components:
- - Cloud Service Disable
+- Cloud Service Disable
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: StopLogging
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.name
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.name
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
index 6fd33c83e7..9c9fee7893 100644
--- a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
@@ -5,98 +5,98 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an AWS account's password policy is updated.
mitre_components:
- - User Account Modification
- - Cloud Service Modification
+- User Account Modification
+- Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: UpdateAccountPasswordPolicy
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.allowUsersToChangePassword
- - requestParameters.hardExpiry
- - requestParameters.minimumPasswordLength
- - requestParameters.requireLowercaseCharacters
- - requestParameters.requireNumbers
- - requestParameters.requireSymbols
- - requestParameters.requireUppercaseCharacters
- - responseElements
- - sessionCredentialFromConsole
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.allowUsersToChangePassword
+- requestParameters.hardExpiry
+- requestParameters.minimumPasswordLength
+- requestParameters.requireLowercaseCharacters
+- requestParameters.requireNumbers
+- requestParameters.requireSymbols
+- requestParameters.requireUppercaseCharacters
+- responseElements
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
"111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111",
"accessKeyId": "ASIASBMSCQHHZZ4THONS", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
diff --git a/data_sources/aws_cloudtrail_updateloginprofile.yml b/data_sources/aws_cloudtrail_updateloginprofile.yml
index 911021b6d6..ee8d48a0d4 100644
--- a/data_sources/aws_cloudtrail_updateloginprofile.yml
+++ b/data_sources/aws_cloudtrail_updateloginprofile.yml
@@ -5,90 +5,90 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an IAM user's login profile is updated.
mitre_components:
- - User Account Modification
- - User Account Authentication
+- User Account Modification
+- User Account Authentication
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: UpdateLoginProfile
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.userName
- - responseElements
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.userName
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
"111111111111", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
diff --git a/data_sources/aws_cloudtrail_updatesamlprovider.yml b/data_sources/aws_cloudtrail_updatesamlprovider.yml
index 3c7f55c5ea..55fb18209d 100644
--- a/data_sources/aws_cloudtrail_updatesamlprovider.yml
+++ b/data_sources/aws_cloudtrail_updatesamlprovider.yml
@@ -5,207 +5,188 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a SAML provider is updated in AWS.
mitre_components:
- - Cloud Service Modification
- - User Account Modification
- - Cloud Service Metadata
+- Cloud Service Modification
+- User Account Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: UpdateSAMLProvider
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - action
- - app
- - awsRegion
- - aws_account_id
- - change_type
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - eventtype
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.sAMLMetadataDocument
- - requestParameters.sAMLProviderArn
- - responseElements.sAMLProviderArn
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.sessionContext.attributes.creationDate
- - userIdentity.sessionContext.attributes.mfaAuthenticated
- - userIdentity.sessionContext.sessionIssuer.accountId
- - userIdentity.sessionContext.sessionIssuer.arn
- - userIdentity.sessionContext.sessionIssuer.principalId
- - userIdentity.sessionContext.sessionIssuer.type
- - userIdentity.sessionContext.sessionIssuer.userName
- - userIdentity.type
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
-example_log: "{\"eventVersion\": \"1.08\", \"userIdentity\": {\"type\": \"AssumedRole\"\
- , \"principalId\": \"AROAYTOGP2RLKFUVAQAIJ:rodsoto@rodsoto.onmicrosoft.com\", \"\
- arn\": \"arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/rodsoto@rodsoto.onmicrosoft.com\"\
- , \"accountId\": \"111111111111\", \"accessKeyId\": \"ASIAYTOGP2RLMZGPIW6C\", \"\
- sessionContext\": {\"sessionIssuer\": {\"type\": \"Role\", \"principalId\": \"AROAYTOGP2RLKFUVAQAIJ\"\
- , \"arn\": \"arn:aws:iam::111111111111:role/rodonmicrotestrole\", \"accountId\"
- : \"111111111111\", \"userName\": \"rodonmicrotestrole\"}, \"webIdFederationData\"\
- : {}, \"attributes\": {\"mfaAuthenticated\": \"false\", \"creationDate\": \"2021-01-20T03:10:32Z\"\
- }}}, \"eventTime\": \"2021-01-20T03:12:39Z\", \"eventSource\": \"iam.amazonaws.com\"\
- , \"eventName\": \"UpdateSAMLProvider\", \"awsRegion\": \"us-east-1\", \"sourceIPAddress\"\
- : \"66.176.252.11\", \"userAgent\": \"aws-internal/3 aws-sdk-java/1.11.930 Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64
- OpenJDK_64-Bit_Server_VM/25.275-b01 java/1.8.0_275 vendor/Oracle_Corporation\",
- \"requestParameters\": {\"sAMLMetadataDocument\": \"ncp+pf0e75KdoRTy1PQeu74OKXjcVNM+bnT7Ns6cwQI=J9PRCq201gGMzMtt4Ye+gsM7xOgrNvDg/usqIMvsyUy2r/MeTBz5FKCK+Okjwm49vyTWUoUioYGiwm/TD2Knv59g1zy+/OjZcmBJgDrCmksFJdkwG/fDlOZQNGuj2qh1CEKL5n6Ipy2z1dQ9XUmhhndtXNnjdZ0fJ9QWufWoxveSCLHcU7eUB9obwq96pbAp+6as0XreMNC/xPv5gDdHfKaIppsXtEwcZY7m1c25jDWqPUTQrtbVC0uryffg1Yu0JLTr646GMTzxulBSpQGRfNf5UT0bUiLtKngi++UHrngKdv3ovWwpVmY82JhG7rMDhkuWZu3LdEFvY3svNxGtsQ==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
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.sAMLMetadataDocument
+- requestParameters.sAMLProviderArn
+- responseElements.sAMLProviderArn
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAYTOGP2RLKFUVAQAIJ:rodsoto@rodsoto.onmicrosoft.com", "arn": "arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/rodsoto@rodsoto.onmicrosoft.com",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLMZGPIW6C", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLKFUVAQAIJ", "arn":
+ "arn:aws:iam::111111111111:role/rodonmicrotestrole", "accountId" : "111111111111",
+ "userName": "rodonmicrotestrole"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated":
+ "false", "creationDate": "2021-01-20T03:10:32Z"}}}, "eventTime": "2021-01-20T03:12:39Z",
+ "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider", "awsRegion":
+ "us-east-1", "sourceIPAddress": "66.176.252.11", "userAgent": "aws-internal/3 aws-sdk-java/1.11.930
+ Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.275-b01
+ java/1.8.0_275 vendor/Oracle_Corporation", "requestParameters": {"sAMLMetadataDocument":
+ "ncp+pf0e75KdoRTy1PQeu74OKXjcVNM+bnT7Ns6cwQI=J9PRCq201gGMzMtt4Ye+gsM7xOgrNvDg/usqIMvsyUy2r/MeTBz5FKCK+Okjwm49vyTWUoUioYGiwm/TD2Knv59g1zy+/OjZcmBJgDrCmksFJdkwG/fDlOZQNGuj2qh1CEKL5n6Ipy2z1dQ9XUmhhndtXNnjdZ0fJ9QWufWoxveSCLHcU7eUB9obwq96pbAp+6as0XreMNC/xPv5gDdHfKaIppsXtEwcZY7m1c25jDWqPUTQrtbVC0uryffg1Yu0JLTr646GMTzxulBSpQGRfNf5UT0bUiLtKngi++UHrngKdv3ovWwpVmY82JhG7rMDhkuWZu3LdEFvY3svNxGtsQ==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
mutable display name of the user.SubjectAn
+ Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\">SubjectAn
immutable, globally unique, non-reusable identifier of the user that is unique to
the application for which a token is issued.Given
+ Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\">Given
NameFirst name of the user.SurnameLast
- name of the user.Display
+ Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\">SurnameLast
+ name of the user.Display
NameDisplay name of the user.Nick
+ Uri=\"http://schemas.microsoft.com/identity/claims/nickname\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\">Nick
NameNick name of the user.Authentication
+ Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant\"
+ xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\">Authentication
InstantThe time (UTC) when the user is authenticated
to Windows Azure Active Directory.Authentication
+ Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod\"
+ xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\">Authentication
MethodThe method that Windows Azure Active
Directory uses to authenticate users.ObjectIdentifierPrimary
+ Uri=\"http://schemas.microsoft.com/identity/claims/objectidentifier\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\">ObjectIdentifierPrimary
identifier for the user in the directory. Immutable, globally unique, non-reusable.TenantIdIdentifier
- for the user's tenant.IdentityProviderIdentity
- provider for the user.EmailEmail
- address of the user.GroupsGroups
- of the user.External
+ Uri=\"http://schemas.microsoft.com/identity/claims/tenantid\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\">TenantIdIdentifier
+ for the user''s tenant.IdentityProviderIdentity
+ provider for the user.EmailEmail
+ address of the user.GroupsGroups
+ of the user.External
Access TokenAccess token issued by external
- identity provider.External
+ identity provider.External
Access Token ExpirationUTC expiration time
of access token issued by external identity provider.External
+ Uri=\"http://schemas.microsoft.com/identity/claims/openid2_id\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\">External
OpenID 2.0 IdentifierOpenID 2.0 identifier
issued by external identity provider.GroupsOverageClaimIssued
- when number of user's group claims exceeds return limit.Role
+ Uri=\"http://schemas.microsoft.com/claims/groups.link\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\">GroupsOverageClaimIssued
+ when number of user''s group claims exceeds return limit.Role
ClaimRoles that the user or Service Principal
- is attached toRoleTemplate
+ is attached toRoleTemplate
Id ClaimRole template id of the Built-in Directory
Roles that the user is a member ofhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-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://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-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\", \"sAMLProviderArn\": \"arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft\"\
- }, \"responseElements\": {\"sAMLProviderArn\": \"arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft\"\
- }, \"requestID\": \"83d621ad-5b33-4ff0-acf4-0043cb432844\", \"eventID\": \"51b6d859-0cc4-4591-ba76-3494f3f43832\"\
- , \"readOnly\": false, \"eventType\": \"AwsApiCall\", \"managementEvent\": true,
- \"eventCategory\": \"Management\", \"recipientAccountId\": \"111111111111\"}"
+ xmlns:wsa=\"http://www.w3.org/2005/08/addressing\">https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-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://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-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", "sAMLProviderArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"},
+ "responseElements": {"sAMLProviderArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"},
+ "requestID": "83d621ad-5b33-4ff0-acf4-0043cb432844", "eventID": "51b6d859-0cc4-4591-ba76-3494f3f43832",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory":
+ "Management", "recipientAccountId": "111111111111"}'
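Review bot: The example_log is rewritten from a double-quoted YAML scalar to a single-quoted one, and nothing in the commit shows that the decoded value is unchanged: in double-quoted YAML `\"` is an escape that yields `"`, whereas in the new single-quoted scalar the `\"` sequences kept inside the embedded SAML metadata (the `Uri=\"http://schemas...\"` lines) are two literal characters that JSON then unescapes, so the two revisions only agree if the old scalar carried a doubled escape there, which the removed lines visible in this hunk do not let me confirm. Loading both revisions with `yaml.safe_load` and running `json.loads` on `example_log` would settle it and also guard against a silently unparseable fixture. Minor: `"accountId" : "111111111111"` in the sessionIssuer object has a space before the colon unlike every other key in the sample; `"accountId": "111111111111"` keeps it consistent. Separately, the account IDs in this sample are masked to 111111111111 but `sourceIPAddress` (`66.176.252.11`) and the tenant identifier in the metadata are not; masking them the same way keeps the fixture free of real-looking identifiers.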
diff --git a/data_sources/aws_cloudtrail_updatetrail.yml b/data_sources/aws_cloudtrail_updatetrail.yml
index 6020310ebe..33813ccfec 100644
--- a/data_sources/aws_cloudtrail_updatetrail.yml
+++ b/data_sources/aws_cloudtrail_updatetrail.yml
@@ -6,95 +6,95 @@ author: Patrick Bareiss, Splunk
description: Logs an event when an AWS CloudTrail trail is updated, typically involving
changes to settings or configuration.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: UpdateTrail
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - app
- - awsRegion
- - aws_account_id
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - errorCode
- - eventCategory
- - eventID
- - eventName
- - eventSource
- - eventTime
- - eventType
- - eventVersion
- - host
- - index
- - linecount
- - managementEvent
- - msg
- - object_category
- - product
- - punct
- - readOnly
- - recipientAccountId
- - region
- - requestID
- - requestParameters.includeGlobalServiceEvents
- - requestParameters.isMultiRegionTrail
- - requestParameters.name
- - responseElements.includeGlobalServiceEvents
- - responseElements.isMultiRegionTrail
- - responseElements.isOrganizationTrail
- - responseElements.logFileValidationEnabled
- - responseElements.name
- - responseElements.s3BucketName
- - responseElements.trailARN
- - signature
- - source
- - sourceIPAddress
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - start_time
- - timeendpos
- - timestartpos
- - tlsDetails.cipherSuite
- - tlsDetails.clientProvidedHostHeader
- - tlsDetails.tlsVersion
- - user
- - userAgent
- - userIdentity.accessKeyId
- - userIdentity.accountId
- - userIdentity.arn
- - userIdentity.principalId
- - userIdentity.type
- - userIdentity.userName
- - userName
- - user_access_key
- - user_agent
- - user_arn
- - user_group_id
- - user_id
- - user_name
- - user_type
- - vendor
- - vendor_account
- - vendor_product
- - vendor_region
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.includeGlobalServiceEvents
+- requestParameters.isMultiRegionTrail
+- requestParameters.name
+- responseElements.includeGlobalServiceEvents
+- responseElements.isMultiRegionTrail
+- responseElements.isOrganizationTrail
+- responseElements.logFileValidationEnabled
+- responseElements.name
+- responseElements.s3BucketName
+- responseElements.trailARN
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
"accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
diff --git a/data_sources/aws_cloudwatchlogs_vpcflow.yml b/data_sources/aws_cloudwatchlogs_vpcflow.yml
index 6cd8b1cec1..535431134a 100644
--- a/data_sources/aws_cloudwatchlogs_vpcflow.yml
+++ b/data_sources/aws_cloudwatchlogs_vpcflow.yml
@@ -7,67 +7,67 @@ description: Logs an event when network traffic flow information such as source
destination IPs, ports, protocol, and action (allow/deny) is captured for VPC in
AWS.
mitre_components:
- - Network Traffic Flow
- - Network Connection Creation
+- Network Traffic Flow
+- Network Connection Creation
source: aws_cloudwatchlogs_vpcflow
sourcetype: aws:cloudwatchlogs:vpcflow
supported_TA:
- - name: Splunk Add-on for AWS
- version: 7.9.0
- url: https://splunkbase.splunk.com/app/1876
+- name: Splunk Add-on for AWS
+ version: 7.9.0
+ url: https://splunkbase.splunk.com/app/1876
fields:
- - _raw
- - _time
- - account_id
- - action
- - app
- - aws_account_id
- - bytes
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_ip
- - dest_port
- - duration
- - dvc
- - end_time
- - eventtype
- - host
- - index
- - interface_id
- - linecount
- - log_status
- - packets
- - protocol
- - protocol_code
- - protocol_full_name
- - protocol_version
- - punct
- - region
- - source
- - sourcetype
- - splunk_server
- - splunk_server_group
- - src
- - src_ip
- - src_port
- - start_time
- - tag
- - tag::action
- - tag::eventtype
- - timeendpos
- - timestartpos
- - transport
- - user_id
- - vendor_account
- - vendor_product
- - version
- - vpcflow_action
+- _raw
+- _time
+- account_id
+- action
+- app
+- aws_account_id
+- bytes
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_ip
+- dest_port
+- duration
+- dvc
+- end_time
+- eventtype
+- host
+- index
+- interface_id
+- linecount
+- log_status
+- packets
+- protocol
+- protocol_code
+- protocol_full_name
+- protocol_version
+- punct
+- region
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_port
+- start_time
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- transport
+- user_id
+- vendor_account
+- vendor_product
+- version
+- vpcflow_action
example_log: 2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2
98 1697608042 1697608070 ACCEPT OK
diff --git a/data_sources/aws_security_hub.yml b/data_sources/aws_security_hub.yml
index 0173357cdf..c5ff1ade29 100644
--- a/data_sources/aws_security_hub.yml
+++ b/data_sources/aws_security_hub.yml
@@ -6,120 +6,120 @@ author: Patrick Bareiss, Splunk
description: Logs an event when AWS Security Hub identifies potential security risks
or deviations from configured best practices across AWS accounts.
mitre_components:
- - Cloud Service Metadata
- - Cloud Service Enumeration
- - Cloud Service Modification
- - Cloud Service Disable
+- Cloud Service Metadata
+- Cloud Service Enumeration
+- Cloud Service Modification
+- Cloud Service Disable
source: aws_securityhub_finding
sourcetype: aws:securityhub:finding
supported_TA:
- - name: Splunk Add-on for AWS
- url: https://splunkbase.splunk.com/app/1876
- version: 7.9.0
+- name: Splunk Add-on for AWS
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.9.0
fields:
- - _time
- - AwsAccountId
- - CreatedAt
- - Description
- - FirstObservedAt
- - GeneratorId
- - Id
- - LastObservedAt
- - ProductArn
- - ProductFields.aws/guardduty/service/action/actionType
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/api
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/serviceName
- - ProductFields.aws/guardduty/service/additionalInfo/sample
- - ProductFields.aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_
- - ProductFields.aws/guardduty/service/additionalInfo/unusual/userNames.0_
- - ProductFields.aws/guardduty/service/archived
- - ProductFields.aws/guardduty/service/count
- - ProductFields.aws/guardduty/service/detectorId
- - ProductFields.aws/guardduty/service/eventFirstSeen
- - ProductFields.aws/guardduty/service/eventLastSeen
- - ProductFields.aws/guardduty/service/resourceRole
- - ProductFields.aws/guardduty/service/serviceName
- - ProductFields.aws/securityhub/CompanyName
- - ProductFields.aws/securityhub/FindingId
- - ProductFields.aws/securityhub/ProductName
- - RecordState
- - Resources{}.Details.AwsEc2Instance.IamInstanceProfileArn
- - Resources{}.Details.AwsEc2Instance.ImageId
- - Resources{}.Details.AwsEc2Instance.IpV4Addresses{}
- - Resources{}.Details.AwsEc2Instance.LaunchedAt
- - Resources{}.Details.AwsEc2Instance.SubnetId
- - Resources{}.Details.AwsEc2Instance.Type
- - Resources{}.Details.AwsEc2Instance.VpcId
- - Resources{}.Details.AwsIamAccessKey.PrincipalId
- - Resources{}.Details.AwsIamAccessKey.PrincipalName
- - Resources{}.Details.AwsIamAccessKey.PrincipalType
- - Resources{}.Details.AwsS3Bucket.CreatedAt
- - Resources{}.Details.AwsS3Bucket.OwnerId
- - Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
- - Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.SSEAlgorithm
- - Resources{}.Id
- - Resources{}.Partition
- - Resources{}.Region
- - Resources{}.Tags.GeneratedFindingInstaceTag1
- - Resources{}.Tags.GeneratedFindingInstaceTag2
- - Resources{}.Tags.GeneratedFindingInstaceTag3
- - Resources{}.Tags.GeneratedFindingInstaceTag4
- - Resources{}.Tags.GeneratedFindingInstaceTag5
- - Resources{}.Tags.GeneratedFindingInstaceTag6
- - Resources{}.Tags.GeneratedFindingInstaceTag7
- - Resources{}.Tags.GeneratedFindingInstaceTag8
- - Resources{}.Tags.GeneratedFindingInstaceTag9
- - Resources{}.Tags.foo
- - Resources{}.Type
- - SchemaVersion
- - Severity.Label
- - Severity.Normalized
- - Severity.Product
- - SourceUrl
- - Title
- - Types{}
- - UpdatedAt
- - Workflow.Status
- - WorkflowState
- - accesskey_extract
- - app
- - body
- - description
- - dest
- - dest_type
- - eventtype
- - host
- - id
- - index
- - instance_extract
- - linecount
- - punct
- - s3bucket_extract
- - severity
- - severity_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - subject
- - tag
- - tag::eventtype
- - timestamp
- - type
- - vendor_account
- - vendor_region
+- _time
+- AwsAccountId
+- CreatedAt
+- Description
+- FirstObservedAt
+- GeneratorId
+- Id
+- LastObservedAt
+- ProductArn
+- ProductFields.aws/guardduty/service/action/actionType
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/api
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/serviceName
+- ProductFields.aws/guardduty/service/additionalInfo/sample
+- ProductFields.aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_
+- ProductFields.aws/guardduty/service/additionalInfo/unusual/userNames.0_
+- ProductFields.aws/guardduty/service/archived
+- ProductFields.aws/guardduty/service/count
+- ProductFields.aws/guardduty/service/detectorId
+- ProductFields.aws/guardduty/service/eventFirstSeen
+- ProductFields.aws/guardduty/service/eventLastSeen
+- ProductFields.aws/guardduty/service/resourceRole
+- ProductFields.aws/guardduty/service/serviceName
+- ProductFields.aws/securityhub/CompanyName
+- ProductFields.aws/securityhub/FindingId
+- ProductFields.aws/securityhub/ProductName
+- RecordState
+- Resources{}.Details.AwsEc2Instance.IamInstanceProfileArn
+- Resources{}.Details.AwsEc2Instance.ImageId
+- Resources{}.Details.AwsEc2Instance.IpV4Addresses{}
+- Resources{}.Details.AwsEc2Instance.LaunchedAt
+- Resources{}.Details.AwsEc2Instance.SubnetId
+- Resources{}.Details.AwsEc2Instance.Type
+- Resources{}.Details.AwsEc2Instance.VpcId
+- Resources{}.Details.AwsIamAccessKey.PrincipalId
+- Resources{}.Details.AwsIamAccessKey.PrincipalName
+- Resources{}.Details.AwsIamAccessKey.PrincipalType
+- Resources{}.Details.AwsS3Bucket.CreatedAt
+- Resources{}.Details.AwsS3Bucket.OwnerId
+- Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
+- Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.SSEAlgorithm
+- Resources{}.Id
+- Resources{}.Partition
+- Resources{}.Region
+- Resources{}.Tags.GeneratedFindingInstaceTag1
+- Resources{}.Tags.GeneratedFindingInstaceTag2
+- Resources{}.Tags.GeneratedFindingInstaceTag3
+- Resources{}.Tags.GeneratedFindingInstaceTag4
+- Resources{}.Tags.GeneratedFindingInstaceTag5
+- Resources{}.Tags.GeneratedFindingInstaceTag6
+- Resources{}.Tags.GeneratedFindingInstaceTag7
+- Resources{}.Tags.GeneratedFindingInstaceTag8
+- Resources{}.Tags.GeneratedFindingInstaceTag9
+- Resources{}.Tags.foo
+- Resources{}.Type
+- SchemaVersion
+- Severity.Label
+- Severity.Normalized
+- Severity.Product
+- SourceUrl
+- Title
+- Types{}
+- UpdatedAt
+- Workflow.Status
+- WorkflowState
+- accesskey_extract
+- app
+- body
+- description
+- dest
+- dest_type
+- eventtype
+- host
+- id
+- index
+- instance_extract
+- linecount
+- punct
+- s3bucket_extract
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- subject
+- tag
+- tag::eventtype
+- timestamp
+- type
+- vendor_account
+- vendor_region
example_log: '{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/guardduty","Types":["Software
and Configuration Checks/Exfiltration:S3.ObjectRead.Unusual"],"SourceUrl":"https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=6aba6b696aea10606e8b336f68d98819","Description":"Principal
GeneratedFindingUserName read objects from S3 bucket GeneratedFindingS3Bucket in
diff --git a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
index b0f85d0cb5..034f25fb98 100644
--- a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
+++ b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
@@ -7,93 +7,93 @@ description: Logs the addition of an application role assignment to a service pr
in Azure Active Directory, including details about the role, service principal,
and the user or process performing the action.
mitre_components:
- - User Account Modification
- - Group Modification
- - Cloud Service Modification
- - Cloud Service Metadata
+- User Account Modification
+- Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Add app role assignment to service principal
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - additional_details
- - additional_details_name
- - additional_details_value
- - category
- - command
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_type
- - durationMs
- - dvc
- - eventtype
- - host
- - id
- - identity
- - index
- - linecount
- - object_attrs
- - object_id
- - operationName
- - operationVersion
- - path_from_resourceId
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.additionalDetails{}.key
- - properties.additionalDetails{}.value
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.app.appId
- - properties.initiatedBy.app.displayName
- - properties.initiatedBy.app.servicePrincipalId
- - properties.initiatedBy.app.servicePrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.modifiedProperties{}.displayName
- - properties.targetResources{}.modifiedProperties{}.newValue
- - properties.targetResources{}.modifiedProperties{}.oldValue
- - properties.targetResources{}.type
- - properties.userAgent
- - punct
- - resourceId
- - result
- - resultSignature
- - result_id
- - signature
- - source
- - sourcetype
- - splunk_server
- - src_user_type
- - status
- - tag
- - tag::eventtype
- - tenantId
- - time
- - timeendpos
- - timestartpos
- - user_agent
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- Level
+- additional_details
+- additional_details_name
+- additional_details_value
+- category
+- command
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_type
+- durationMs
+- dvc
+- eventtype
+- host
+- id
+- identity
+- index
+- linecount
+- object_attrs
+- object_id
+- operationName
+- operationVersion
+- path_from_resourceId
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.app.appId
+- properties.initiatedBy.app.displayName
+- properties.initiatedBy.app.servicePrincipalId
+- properties.initiatedBy.app.servicePrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.userAgent
+- punct
+- resourceId
+- result
+- resultSignature
+- result_id
+- signature
+- source
+- sourcetype
+- splunk_server
+- src_user_type
+- status
+- tag
+- tag::eventtype
+- tenantId
+- time
+- timeendpos
+- timestartpos
+- user_agent
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"time": "2024-02-08T21:49:53.7643129Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam",
"operationName": "Add app role assignment to service principal", "operationVersion":
"1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
diff --git a/data_sources/azure_active_directory_add_member_to_role.yml b/data_sources/azure_active_directory_add_member_to_role.yml
index 8a977d8625..579bd563b7 100644
--- a/data_sources/azure_active_directory_add_member_to_role.yml
+++ b/data_sources/azure_active_directory_add_member_to_role.yml
@@ -7,69 +7,69 @@ description: Logs the addition of a member to a directory role in Azure Active D
including details about the role, the member added, and the user or process performing
the action.
mitre_components:
- - Group Modification
- - Group Metadata
- - User Account Metadata
- - Cloud Service Modification
+- Group Modification
+- Group Metadata
+- User Account Metadata
+- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Add member to role
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - callerIpAddress
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.modifiedProperties{}.displayName
- - properties.targetResources{}.modifiedProperties{}.newValue
- - properties.targetResources{}.modifiedProperties{}.oldValue
- - properties.targetResources{}.type
- - properties.targetResources{}.userPrincipalName
- - properties.userAgent
- - punct
- - resourceId
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-04-28T16:39:51.9312625Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Add member to role", "operationVersion": "1.0", "category": "AuditLogs",
"tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs":
diff --git a/data_sources/azure_active_directory_add_owner_to_application.yml b/data_sources/azure_active_directory_add_owner_to_application.yml
index 70948b2b1f..fb97560390 100644
--- a/data_sources/azure_active_directory_add_owner_to_application.yml
+++ b/data_sources/azure_active_directory_add_owner_to_application.yml
@@ -7,74 +7,74 @@ description: Logs the addition of an owner to an application in Azure Active Dir
including details about the application, the owner added, and the user or process
performing the action.
mitre_components:
- - User Account Modification
- - Group Modification
- - Cloud Service Modification
- - Cloud Service Metadata
+- User Account Modification
+- Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Add owner to application
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - callerIpAddress
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - eventtype
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.additionalDetails{}.key
- - properties.additionalDetails{}.value
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.modifiedProperties{}.displayName
- - properties.targetResources{}.modifiedProperties{}.newValue
- - properties.targetResources{}.modifiedProperties{}.oldValue
- - properties.targetResources{}.type
- - properties.targetResources{}.userPrincipalName
- - properties.userAgent
- - punct
- - resourceId
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- eventtype
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-06-20T15:54:13.2420879Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Add owner to application", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
diff --git a/data_sources/azure_active_directory_add_service_principal.yml b/data_sources/azure_active_directory_add_service_principal.yml
index 46f3c3d7d9..c3d937cb44 100644
--- a/data_sources/azure_active_directory_add_service_principal.yml
+++ b/data_sources/azure_active_directory_add_service_principal.yml
@@ -7,69 +7,69 @@ description: Logs the creation of a new service principal in Azure Active Direct
including details about the service principal, associated application, and the user
or process performing the action.
mitre_components:
- - Cloud Service Creation
- - Cloud Service Metadata
- - User Account Metadata
- - Active Directory Object Creation
+- Cloud Service Creation
+- Cloud Service Metadata
+- User Account Metadata
+- Active Directory Object Creation
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Add service principal
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.additionalDetails{}.key
- - properties.additionalDetails{}.value
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.modifiedProperties{}.displayName
- - properties.targetResources{}.modifiedProperties{}.newValue
- - properties.targetResources{}.modifiedProperties{}.oldValue
- - properties.targetResources{}.type
- - properties.userAgent
- - punct
- - resourceId
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2024-02-07T22:31:14.4970418Z", "resourceId": "/tenants/a417c578-c7ee-480d-a225-d48057e74df5/providers/Microsoft.aadiam",
"operationName": "Add service principal", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "a417c578-c7ee-480d-a225-d48057e74df5", "resultSignature":
diff --git a/data_sources/azure_active_directory_add_unverified_domain.yml b/data_sources/azure_active_directory_add_unverified_domain.yml
index 444d3e1a6f..01badc54df 100644
--- a/data_sources/azure_active_directory_add_unverified_domain.yml
+++ b/data_sources/azure_active_directory_add_unverified_domain.yml
@@ -6,69 +6,69 @@ author: Patrick Bareiss, Splunk
description: Logs the addition of an unverified domain to Azure Active Directory,
including details about the domain name and the user or process performing the action.
mitre_components:
- - Domain Registration
- - Cloud Service Modification
- - Cloud Service Metadata
- - Configuration Modification
+- Domain Registration
+- Cloud Service Modification
+- Cloud Service Metadata
+- Configuration Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Add unverified domain
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - callerIpAddress
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.additionalDetails{}.key
- - properties.additionalDetails{}.value
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.modifiedProperties{}.displayName
- - properties.targetResources{}.modifiedProperties{}.newValue
- - properties.targetResources{}.modifiedProperties{}.oldValue
- - properties.userAgent
- - punct
- - resourceId
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-07-26T13:45:54.1582053Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Add unverified domain", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
diff --git a/data_sources/azure_active_directory_consent_to_application.yml b/data_sources/azure_active_directory_consent_to_application.yml
index 4222ab6a7c..4bc104a119 100644
--- a/data_sources/azure_active_directory_consent_to_application.yml
+++ b/data_sources/azure_active_directory_consent_to_application.yml
@@ -7,74 +7,74 @@ description: Logs user or admin consent to an application's permissions in Azure
Directory, including details about the application, granted permissions, and the
consenting user or process.
mitre_components:
- - User Account Modification
- - Cloud Service Modification
- - Cloud Service Metadata
- - Configuration Modification
+- User Account Modification
+- Cloud Service Modification
+- Cloud Service Metadata
+- Configuration Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Consent to application
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - callerIpAddress
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - eventtype
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.additionalDetails{}.key
- - properties.additionalDetails{}.value
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.modifiedProperties{}.displayName
- - properties.targetResources{}.modifiedProperties{}.newValue
- - properties.targetResources{}.modifiedProperties{}.oldValue
- - properties.targetResources{}.type
- - properties.userAgent
- - punct
- - resourceId
- - resultDescription
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- eventtype
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.userAgent
+- punct
+- resourceId
+- resultDescription
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-10-27T16:14:14.9747033Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam",
"operationName": "Consent to application", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature":
diff --git a/data_sources/azure_active_directory_disable_strong_authentication.yml b/data_sources/azure_active_directory_disable_strong_authentication.yml
index 6c329d8872..72d6e69e4c 100644
--- a/data_sources/azure_active_directory_disable_strong_authentication.yml
+++ b/data_sources/azure_active_directory_disable_strong_authentication.yml
@@ -6,67 +6,67 @@ author: Patrick Bareiss, Splunk
description: Logs an event when strong authentication methods are disabled in Azure
Active Directory.
mitre_components:
- - User Account Authentication
- - User Account Modification
- - Cloud Service Modification
+- User Account Authentication
+- User Account Modification
+- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Disable Strong Authentication
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.modifiedProperties{}.displayName
- - properties.targetResources{}.modifiedProperties{}.newValue
- - properties.targetResources{}.modifiedProperties{}.oldValue
- - properties.targetResources{}.type
- - properties.targetResources{}.userPrincipalName
- - properties.userAgent
- - punct
- - resourceId
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-07-11T00:01:35.0251899Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Disable Strong Authentication", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
diff --git a/data_sources/azure_active_directory_enable_account.yml b/data_sources/azure_active_directory_enable_account.yml
index 2e3380277d..5d5105fbcb 100644
--- a/data_sources/azure_active_directory_enable_account.yml
+++ b/data_sources/azure_active_directory_enable_account.yml
@@ -5,68 +5,68 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an Azure Active Directory account is enabled.
mitre_components:
- - User Account Modification
- - User Account Authentication
- - User Account Metadata
+- User Account Modification
+- User Account Authentication
+- User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Enable account
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - callerIpAddress
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.modifiedProperties{}.displayName
- - properties.targetResources{}.modifiedProperties{}.newValue
- - properties.targetResources{}.modifiedProperties{}.oldValue
- - properties.targetResources{}.type
- - properties.targetResources{}.userPrincipalName
- - properties.userAgent
- - punct
- - resourceId
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-07-24T14:28:15.2223487Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Enable account", "operationVersion": "1.0", "category": "AuditLogs",
"tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs":
diff --git a/data_sources/azure_active_directory_invite_external_user.yml b/data_sources/azure_active_directory_invite_external_user.yml
index 08726897f3..a7f115be50 100644
--- a/data_sources/azure_active_directory_invite_external_user.yml
+++ b/data_sources/azure_active_directory_invite_external_user.yml
@@ -6,67 +6,67 @@ author: Patrick Bareiss, Splunk
description: Logs an event when an external user is invited to join an Azure Active
Directory tenant.
mitre_components:
- - Active Directory Object Creation
- - User Account Creation
- - User Account Authentication
+- Active Directory Object Creation
+- User Account Creation
+- User Account Authentication
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Invite external user
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - callerIpAddress
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.additionalDetails{}.key
- - properties.additionalDetails{}.value
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.type
- - properties.targetResources{}.userPrincipalName
- - properties.userAgent
- - punct
- - resourceId
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-07-13T00:29:59.5100003Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Invite external user", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
diff --git a/data_sources/azure_active_directory_reset_password_(by_admin).yml b/data_sources/azure_active_directory_reset_password_(by_admin).yml
index 54208cb250..9e2eacf0f5 100644
--- a/data_sources/azure_active_directory_reset_password_(by_admin).yml
+++ b/data_sources/azure_active_directory_reset_password_(by_admin).yml
@@ -6,68 +6,68 @@ author: Patrick Bareiss, Splunk
description: Logs an event when an admin resets a user's password in Azure Active
Directory.
mitre_components:
- - User Account Authentication
- - User Account Modification
- - Active Directory Object Modification
+- User Account Authentication
+- User Account Modification
+- Active Directory Object Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Reset password (by admin)
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - callerIpAddress
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.additionalDetails{}.key
- - properties.additionalDetails{}.value
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.type
- - properties.targetResources{}.userPrincipalName
- - properties.userAgent
- - punct
- - resourceId
- - resultDescription
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultDescription
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-07-24T14:28:55.0648789Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Reset password (by admin)", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
diff --git a/data_sources/azure_active_directory_set_domain_authentication.yml b/data_sources/azure_active_directory_set_domain_authentication.yml
index c29183d14e..939da08d9f 100644
--- a/data_sources/azure_active_directory_set_domain_authentication.yml
+++ b/data_sources/azure_active_directory_set_domain_authentication.yml
@@ -6,68 +6,68 @@ author: Patrick Bareiss, Splunk
description: Logs an event when the authentication method for a domain in Azure Active
Directory is set or modified.
mitre_components:
- - Active Directory Object Modification
- - User Account Authentication
- - Cloud Service Modification
+- Active Directory Object Modification
+- User Account Authentication
+- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Set domain authentication
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - callerIpAddress
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.additionalDetails{}.key
- - properties.additionalDetails{}.value
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.modifiedProperties{}.displayName
- - properties.targetResources{}.modifiedProperties{}.newValue
- - properties.targetResources{}.modifiedProperties{}.oldValue
- - properties.userAgent
- - punct
- - resourceId
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-07-26T13:44:59.0372448Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Set domain authentication", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
diff --git a/data_sources/azure_active_directory_sign_in_activity.yml b/data_sources/azure_active_directory_sign_in_activity.yml
index d5ed7fa94d..4b8e5c152f 100644
--- a/data_sources/azure_active_directory_sign_in_activity.yml
+++ b/data_sources/azure_active_directory_sign_in_activity.yml
@@ -6,118 +6,118 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a user attempts to sign into Azure Active Directory,
capturing authentication details and outcomes.
mitre_components:
- - User Account Authentication
- - Logon Session Creation
- - User Account Metadata
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Sign-in activity
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - callerIpAddress
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - identity
- - index
- - linecount
- - location
- - operationName
- - operationVersion
- - properties.alternateSignInName
- - properties.appDisplayName
- - properties.appId
- - properties.appServicePrincipalId
- - properties.authenticationDetails{}.RequestSequence
- - properties.authenticationDetails{}.StatusSequence
- - properties.authenticationDetails{}.authenticationMethod
- - properties.authenticationDetails{}.authenticationMethodDetail
- - properties.authenticationDetails{}.authenticationStepDateTime
- - properties.authenticationDetails{}.authenticationStepRequirement
- - properties.authenticationDetails{}.authenticationStepResultDetail
- - properties.authenticationDetails{}.succeeded
- - properties.authenticationProcessingDetails{}.key
- - properties.authenticationProcessingDetails{}.value
- - properties.authenticationProtocol
- - properties.authenticationRequirement
- - properties.authenticationRequirementPolicies{}.detail
- - properties.authenticationRequirementPolicies{}.requirementProvider
- - properties.autonomousSystemNumber
- - properties.clientAppUsed
- - properties.clientCredentialType
- - properties.conditionalAccessStatus
- - properties.correlationId
- - properties.createdDateTime
- - properties.crossTenantAccessType
- - properties.deviceDetail.deviceId
- - properties.deviceDetail.operatingSystem
- - properties.flaggedForReview
- - properties.homeTenantId
- - properties.id
- - properties.incomingTokenType
- - properties.ipAddress
- - properties.isInteractive
- - properties.isTenantRestricted
- - properties.location.city
- - properties.location.countryOrRegion
- - properties.location.geoCoordinates.latitude
- - properties.location.geoCoordinates.longitude
- - properties.location.state
- - properties.originalRequestId
- - properties.originalTransferMethod
- - properties.processingTimeInMilliseconds
- - properties.resourceDisplayName
- - properties.resourceId
- - properties.resourceServicePrincipalId
- - properties.resourceTenantId
- - properties.riskDetail
- - properties.riskLevelAggregated
- - properties.riskLevelDuringSignIn
- - properties.riskState
- - properties.rngcStatus
- - properties.servicePrincipalId
- - properties.signInIdentifier
- - properties.signInTokenProtectionStatus
- - properties.ssoExtensionVersion
- - properties.status.additionalDetails
- - properties.status.errorCode
- - properties.status.failureReason
- - properties.tenantId
- - properties.tokenIssuerName
- - properties.tokenIssuerType
- - properties.uniqueTokenIdentifier
- - properties.userAgent
- - properties.userDisplayName
- - properties.userId
- - properties.userPrincipalName
- - properties.userType
- - punct
- - resourceId
- - resultDescription
- - resultSignature
- - resultType
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- identity
+- index
+- linecount
+- location
+- operationName
+- operationVersion
+- properties.alternateSignInName
+- properties.appDisplayName
+- properties.appId
+- properties.appServicePrincipalId
+- properties.authenticationDetails{}.RequestSequence
+- properties.authenticationDetails{}.StatusSequence
+- properties.authenticationDetails{}.authenticationMethod
+- properties.authenticationDetails{}.authenticationMethodDetail
+- properties.authenticationDetails{}.authenticationStepDateTime
+- properties.authenticationDetails{}.authenticationStepRequirement
+- properties.authenticationDetails{}.authenticationStepResultDetail
+- properties.authenticationDetails{}.succeeded
+- properties.authenticationProcessingDetails{}.key
+- properties.authenticationProcessingDetails{}.value
+- properties.authenticationProtocol
+- properties.authenticationRequirement
+- properties.authenticationRequirementPolicies{}.detail
+- properties.authenticationRequirementPolicies{}.requirementProvider
+- properties.autonomousSystemNumber
+- properties.clientAppUsed
+- properties.clientCredentialType
+- properties.conditionalAccessStatus
+- properties.correlationId
+- properties.createdDateTime
+- properties.crossTenantAccessType
+- properties.deviceDetail.deviceId
+- properties.deviceDetail.operatingSystem
+- properties.flaggedForReview
+- properties.homeTenantId
+- properties.id
+- properties.incomingTokenType
+- properties.ipAddress
+- properties.isInteractive
+- properties.isTenantRestricted
+- properties.location.city
+- properties.location.countryOrRegion
+- properties.location.geoCoordinates.latitude
+- properties.location.geoCoordinates.longitude
+- properties.location.state
+- properties.originalRequestId
+- properties.originalTransferMethod
+- properties.processingTimeInMilliseconds
+- properties.resourceDisplayName
+- properties.resourceId
+- properties.resourceServicePrincipalId
+- properties.resourceTenantId
+- properties.riskDetail
+- properties.riskLevelAggregated
+- properties.riskLevelDuringSignIn
+- properties.riskState
+- properties.rngcStatus
+- properties.servicePrincipalId
+- properties.signInIdentifier
+- properties.signInTokenProtectionStatus
+- properties.ssoExtensionVersion
+- properties.status.additionalDetails
+- properties.status.errorCode
+- properties.status.failureReason
+- properties.tenantId
+- properties.tokenIssuerName
+- properties.tokenIssuerType
+- properties.uniqueTokenIdentifier
+- properties.userAgent
+- properties.userDisplayName
+- properties.userId
+- properties.userPrincipalName
+- properties.userType
+- punct
+- resourceId
+- resultDescription
+- resultSignature
+- resultType
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-10-24T20:13:31.4449614Z", "resourceId": "/tenants/887c9144-28b8-431b-885b-764fdeefcf62/providers/Microsoft.aadiam",
"operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs",
"tenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "resultType": "50076", "resultSignature":
diff --git a/data_sources/azure_active_directory_update_application.yml b/data_sources/azure_active_directory_update_application.yml
index fe57e659f8..e82edafcca 100644
--- a/data_sources/azure_active_directory_update_application.yml
+++ b/data_sources/azure_active_directory_update_application.yml
@@ -6,68 +6,68 @@ author: Patrick Bareiss, Splunk
description: Logs an event when an application in Azure Active Directory is updated,
such as changes to its settings or permissions.
mitre_components:
- - Service Modification
- - User Account Modification
- - Cloud Service Modification
+- Service Modification
+- User Account Modification
+- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Update application
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.additionalDetails{}.key
- - properties.additionalDetails{}.value
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.modifiedProperties{}.displayName
- - properties.targetResources{}.modifiedProperties{}.newValue
- - properties.targetResources{}.modifiedProperties{}.oldValue
- - properties.targetResources{}.type
- - properties.userAgent
- - punct
- - resourceId
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2024-01-29T21:31:03.0102031Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam",
"operationName": "Update application", "operationVersion": "1.0", "category": "AuditLogs",
"tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs":
diff --git a/data_sources/azure_active_directory_update_authorization_policy.yml b/data_sources/azure_active_directory_update_authorization_policy.yml
index 34e141f92e..54dd3ca2a9 100644
--- a/data_sources/azure_active_directory_update_authorization_policy.yml
+++ b/data_sources/azure_active_directory_update_authorization_policy.yml
@@ -6,69 +6,69 @@ author: Patrick Bareiss, Splunk
description: Logs an event when an authorization policy is updated in Azure Active
Directory.
mitre_components:
- - User Account Modification
- - Group Modification
- - Active Directory Object Modification
+- User Account Modification
+- Group Modification
+- Active Directory Object Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Update authorization policy
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - callerIpAddress
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.additionalDetails{}.key
- - properties.additionalDetails{}.value
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.modifiedProperties{}.displayName
- - properties.targetResources{}.modifiedProperties{}.newValue
- - properties.targetResources{}.modifiedProperties{}.oldValue
- - properties.targetResources{}.type
- - properties.userAgent
- - punct
- - resourceId
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-10-26T19:22:20.2814027Z", "resourceId": "/tenants/5f210575-a69b-41a7-b623-3f6d79ccd432/providers/Microsoft.aadiam",
"operationName": "Update authorization policy", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "5f210575-a69b-41a7-b623-3f6d79ccd432", "resultSignature":
diff --git a/data_sources/azure_active_directory_update_user.yml b/data_sources/azure_active_directory_update_user.yml
index 3bc111e209..26951a9695 100644
--- a/data_sources/azure_active_directory_update_user.yml
+++ b/data_sources/azure_active_directory_update_user.yml
@@ -5,69 +5,69 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a user account is updated in Azure Active Directory.
mitre_components:
- - User Account Modification
- - User Account Metadata
+- User Account Modification
+- User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: Update user
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - callerIpAddress
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.additionalDetails{}.key
- - properties.additionalDetails{}.value
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.modifiedProperties{}.displayName
- - properties.targetResources{}.modifiedProperties{}.newValue
- - properties.targetResources{}.modifiedProperties{}.oldValue
- - properties.targetResources{}.type
- - properties.targetResources{}.userPrincipalName
- - properties.userAgent
- - punct
- - resourceId
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-07-24T14:28:15.2233481Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
"operationName": "Update user", "operationVersion": "1.0", "category": "AuditLogs",
"tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs":
diff --git a/data_sources/azure_active_directory_user_registered_security_info.yml b/data_sources/azure_active_directory_user_registered_security_info.yml
index db1c5af928..3a2ba69d86 100644
--- a/data_sources/azure_active_directory_user_registered_security_info.yml
+++ b/data_sources/azure_active_directory_user_registered_security_info.yml
@@ -6,65 +6,65 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a user registers or updates their security information
in Azure Active Directory.
mitre_components:
- - User Account Modification
- - User Account Metadata
+- User Account Modification
+- User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
separator_value: User registered security info
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - Level
- - callerIpAddress
- - category
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - durationMs
- - host
- - index
- - linecount
- - operationName
- - operationVersion
- - properties.activityDateTime
- - properties.activityDisplayName
- - properties.category
- - properties.correlationId
- - properties.id
- - properties.initiatedBy.user.displayName
- - properties.initiatedBy.user.id
- - properties.initiatedBy.user.ipAddress
- - properties.initiatedBy.user.userPrincipalName
- - properties.loggedByService
- - properties.operationType
- - properties.result
- - properties.resultReason
- - properties.targetResources{}.displayName
- - properties.targetResources{}.id
- - properties.targetResources{}.type
- - properties.targetResources{}.userPrincipalName
- - properties.userAgent
- - punct
- - resourceId
- - resultDescription
- - resultSignature
- - source
- - sourcetype
- - splunk_server
- - tenantId
- - time
- - timeendpos
- - timestartpos
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultDescription
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
example_log: '{"time": "2023-01-30T21:11:30.8690619Z", "resourceId": "/tenants/91da745f-8abb-4a7d-ba94-5667c6f9e01a/providers/Microsoft.aadiam",
"operationName": "User registered security info", "operationVersion": "1.0", "category":
"AuditLogs", "tenantId": "91da745f-8abb-4a7d-ba94-5667c6f9e01a", "resultSignature":
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
index d16b39fe67..65f6f7e767 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
@@ -5,106 +5,106 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an Azure Automation account is created or updated.
mitre_components:
- - Cloud Service Creation
- - Cloud Service Modification
- - Cloud Service Metadata
+- Cloud Service Creation
+- Cloud Service Modification
+- Cloud Service Metadata
source: mscs:azure:audit
sourcetype: mscs:azure:audit
separator: operationName.localizedValue
separator_value: Create or Update an Azure Automation account
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - authorization.action
- - authorization.scope
- - caller
- - channels
- - claims.aio
- - claims.altsecid
- - claims.appid
- - claims.appidacr
- - claims.aud
- - claims.exp
- - claims.groups
- - claims.http://schemas.microsoft.com/claims/authnclassreference
- - claims.http://schemas.microsoft.com/claims/authnmethodsreferences
- - claims.http://schemas.microsoft.com/identity/claims/identityprovider
- - claims.http://schemas.microsoft.com/identity/claims/objectidentifier
- - claims.http://schemas.microsoft.com/identity/claims/scope
- - claims.http://schemas.microsoft.com/identity/claims/tenantid
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- - claims.iat
- - claims.ipaddr
- - claims.iss
- - claims.name
- - claims.nbf
- - claims.puid
- - claims.rh
- - claims.uti
- - claims.ver
- - claims.wids
- - claims.xms_tcdt
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - eventDataId
- - eventName.localizedValue
- - eventName.value
- - eventSource.localizedValue
- - eventSource.value
- - eventTimestamp
- - host
- - id
- - index
- - level
- - linecount
- - object
- - object_id
- - object_path
- - operationId
- - operationName.localizedValue
- - operationName.value
- - product
- - properties.entity
- - properties.eventCategory
- - properties.hierarchy
- - properties.message
- - punct
- - resourceGroupName
- - resourceProviderName.localizedValue
- - resourceProviderName.value
- - resourceUri
- - source
- - sourcetype
- - splunk_server
- - status
- - status.localizedValue
- - status.value
- - subStatus.value
- - submissionTimestamp
- - subscriptionId
- - timeendpos
- - timestartpos
- - user
- - user_name
- - vendor
- - vendor_product
- - vendor_res_code
+- _time
+- authorization.action
+- authorization.scope
+- caller
+- channels
+- claims.aio
+- claims.altsecid
+- claims.appid
+- claims.appidacr
+- claims.aud
+- claims.exp
+- claims.groups
+- claims.http://schemas.microsoft.com/claims/authnclassreference
+- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
+- claims.http://schemas.microsoft.com/identity/claims/identityprovider
+- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
+- claims.http://schemas.microsoft.com/identity/claims/scope
+- claims.http://schemas.microsoft.com/identity/claims/tenantid
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
+- claims.iat
+- claims.ipaddr
+- claims.iss
+- claims.name
+- claims.nbf
+- claims.puid
+- claims.rh
+- claims.uti
+- claims.ver
+- claims.wids
+- claims.xms_tcdt
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- eventDataId
+- eventName.localizedValue
+- eventName.value
+- eventSource.localizedValue
+- eventSource.value
+- eventTimestamp
+- host
+- id
+- index
+- level
+- linecount
+- object
+- object_id
+- object_path
+- operationId
+- operationName.localizedValue
+- operationName.value
+- product
+- properties.entity
+- properties.eventCategory
+- properties.hierarchy
+- properties.message
+- punct
+- resourceGroupName
+- resourceProviderName.localizedValue
+- resourceProviderName.value
+- resourceUri
+- source
+- sourcetype
+- splunk_server
+- status
+- status.localizedValue
+- status.value
+- subStatus.value
+- submissionTimestamp
+- subscriptionId
+- timeendpos
+- timestartpos
+- user
+- user_name
+- vendor
+- vendor_product
+- vendor_res_code
example_log: '{"authorization": {"action": "Microsoft.Automation/automationAccounts/write",
"scope": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount"},
"caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/",
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
index 8522e7ab79..f9de2d68b5 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
@@ -6,105 +6,105 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a new Azure Automation Runbook is created or an existing
one is updated.
mitre_components:
- - Scheduled Job Modification
- - Scheduled Job Creation
+- Scheduled Job Modification
+- Scheduled Job Creation
source: mscs:azure:audit
sourcetype: mscs:azure:audit
separator: operationName.localizedValue
separator_value: Create or Update an Azure Automation Runbook
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - authorization.action
- - authorization.scope
- - caller
- - channels
- - claims.aio
- - claims.altsecid
- - claims.appid
- - claims.appidacr
- - claims.aud
- - claims.exp
- - claims.groups
- - claims.http://schemas.microsoft.com/claims/authnclassreference
- - claims.http://schemas.microsoft.com/claims/authnmethodsreferences
- - claims.http://schemas.microsoft.com/identity/claims/identityprovider
- - claims.http://schemas.microsoft.com/identity/claims/objectidentifier
- - claims.http://schemas.microsoft.com/identity/claims/scope
- - claims.http://schemas.microsoft.com/identity/claims/tenantid
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- - claims.iat
- - claims.ipaddr
- - claims.iss
- - claims.name
- - claims.nbf
- - claims.puid
- - claims.rh
- - claims.uti
- - claims.ver
- - claims.wids
- - claims.xms_tcdt
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - eventDataId
- - eventName.localizedValue
- - eventName.value
- - eventSource.localizedValue
- - eventSource.value
- - eventTimestamp
- - host
- - id
- - index
- - level
- - linecount
- - object
- - object_id
- - object_path
- - operationId
- - operationName.localizedValue
- - operationName.value
- - product
- - properties.entity
- - properties.eventCategory
- - properties.hierarchy
- - properties.message
- - punct
- - resourceGroupName
- - resourceProviderName.localizedValue
- - resourceProviderName.value
- - resourceUri
- - source
- - sourcetype
- - splunk_server
- - status
- - status.localizedValue
- - status.value
- - subStatus.value
- - submissionTimestamp
- - subscriptionId
- - timeendpos
- - timestartpos
- - user
- - user_name
- - vendor
- - vendor_product
- - vendor_res_code
+- _time
+- authorization.action
+- authorization.scope
+- caller
+- channels
+- claims.aio
+- claims.altsecid
+- claims.appid
+- claims.appidacr
+- claims.aud
+- claims.exp
+- claims.groups
+- claims.http://schemas.microsoft.com/claims/authnclassreference
+- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
+- claims.http://schemas.microsoft.com/identity/claims/identityprovider
+- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
+- claims.http://schemas.microsoft.com/identity/claims/scope
+- claims.http://schemas.microsoft.com/identity/claims/tenantid
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
+- claims.iat
+- claims.ipaddr
+- claims.iss
+- claims.name
+- claims.nbf
+- claims.puid
+- claims.rh
+- claims.uti
+- claims.ver
+- claims.wids
+- claims.xms_tcdt
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- eventDataId
+- eventName.localizedValue
+- eventName.value
+- eventSource.localizedValue
+- eventSource.value
+- eventTimestamp
+- host
+- id
+- index
+- level
+- linecount
+- object
+- object_id
+- object_path
+- operationId
+- operationName.localizedValue
+- operationName.value
+- product
+- properties.entity
+- properties.eventCategory
+- properties.hierarchy
+- properties.message
+- punct
+- resourceGroupName
+- resourceProviderName.localizedValue
+- resourceProviderName.value
+- resourceUri
+- source
+- sourcetype
+- splunk_server
+- status
+- status.localizedValue
+- status.value
+- subStatus.value
+- submissionTimestamp
+- subscriptionId
+- timeendpos
+- timestartpos
+- user
+- user_name
+- vendor
+- vendor_product
+- vendor_res_code
example_log: '{"authorization": {"action": "Microsoft.Automation/automationAccounts/runbooks/write",
"scope": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook"},
"caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/",
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
index eb21ed90a8..6668b0a88d 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
@@ -5,115 +5,115 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a webhook is created or updated in Azure Automation.
mitre_components:
- - Scheduled Job Modification
- - Cloud Service Modification
- - Scheduled Job Metadata
+- Scheduled Job Modification
+- Cloud Service Modification
+- Scheduled Job Metadata
source: mscs:azure:audit
sourcetype: mscs:azure:audit
separator: operationName.localizedValue
separator_value: Create or Update an Azure Automation webhook
supported_TA:
- - name: Splunk Add-on for Microsoft Cloud Services
- url: https://splunkbase.splunk.com/app/3110
- version: 5.4.1
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
fields:
- - _time
- - authorization.action
- - authorization.scope
- - caller
- - channels
- - claims.aio
- - claims.altsecid
- - claims.appid
- - claims.appidacr
- - claims.aud
- - claims.exp
- - claims.groups
- - claims.http://schemas.microsoft.com/claims/authnclassreference
- - claims.http://schemas.microsoft.com/claims/authnmethodsreferences
- - claims.http://schemas.microsoft.com/identity/claims/identityprovider
- - claims.http://schemas.microsoft.com/identity/claims/objectidentifier
- - claims.http://schemas.microsoft.com/identity/claims/scope
- - claims.http://schemas.microsoft.com/identity/claims/tenantid
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- - claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- - claims.iat
- - claims.ipaddr
- - claims.iss
- - claims.name
- - claims.nbf
- - claims.puid
- - claims.rh
- - claims.uti
- - claims.ver
- - claims.wids
- - claims.xms_tcdt
- - correlationId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - eventDataId
- - eventName.localizedValue
- - eventName.value
- - eventSource.localizedValue
- - eventSource.value
- - eventTimestamp
- - host
- - httpRequest.clientIpAddress
- - httpRequest.clientRequestId
- - httpRequest.method
- - id
- - index
- - level
- - linecount
- - object
- - object_id
- - object_path
- - operationId
- - operationName.localizedValue
- - operationName.value
- - product
- - properties.entity
- - properties.eventCategory
- - properties.hierarchy
- - properties.message
- - properties.serviceRequestId
- - properties.statusCode
- - punct
- - resourceGroupName
- - resourceProviderName.localizedValue
- - resourceProviderName.value
- - resourceUri
- - result
- - result_id
- - source
- - sourcetype
- - splunk_server
- - src
- - status
- - status.localizedValue
- - status.value
- - subStatus.localizedValue
- - subStatus.value
- - submissionTimestamp
- - subscriptionId
- - timeendpos
- - timestartpos
- - user
- - user_name
- - vendor
- - vendor_product
- - vendor_res_code
+- _time
+- authorization.action
+- authorization.scope
+- caller
+- channels
+- claims.aio
+- claims.altsecid
+- claims.appid
+- claims.appidacr
+- claims.aud
+- claims.exp
+- claims.groups
+- claims.http://schemas.microsoft.com/claims/authnclassreference
+- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
+- claims.http://schemas.microsoft.com/identity/claims/identityprovider
+- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
+- claims.http://schemas.microsoft.com/identity/claims/scope
+- claims.http://schemas.microsoft.com/identity/claims/tenantid
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
+- claims.iat
+- claims.ipaddr
+- claims.iss
+- claims.name
+- claims.nbf
+- claims.puid
+- claims.rh
+- claims.uti
+- claims.ver
+- claims.wids
+- claims.xms_tcdt
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- eventDataId
+- eventName.localizedValue
+- eventName.value
+- eventSource.localizedValue
+- eventSource.value
+- eventTimestamp
+- host
+- httpRequest.clientIpAddress
+- httpRequest.clientRequestId
+- httpRequest.method
+- id
+- index
+- level
+- linecount
+- object
+- object_id
+- object_path
+- operationId
+- operationName.localizedValue
+- operationName.value
+- product
+- properties.entity
+- properties.eventCategory
+- properties.hierarchy
+- properties.message
+- properties.serviceRequestId
+- properties.statusCode
+- punct
+- resourceGroupName
+- resourceProviderName.localizedValue
+- resourceProviderName.value
+- resourceUri
+- result
+- result_id
+- source
+- sourcetype
+- splunk_server
+- src
+- status
+- status.localizedValue
+- status.value
+- subStatus.localizedValue
+- subStatus.value
+- submissionTimestamp
+- subscriptionId
+- timeendpos
+- timestartpos
+- user
+- user_name
+- vendor
+- vendor_product
+- vendor_res_code
example_log: '{"authorization": {"action": "Microsoft.Automation/automationAccounts/webhooks/write",
"scope": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook"},
"caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/",
diff --git a/data_sources/bro_conn.yml b/data_sources/bro_conn.yml
index 992da75275..1d8e4110c3 100644
--- a/data_sources/bro_conn.yml
+++ b/data_sources/bro_conn.yml
@@ -6,11 +6,10 @@ author: Jacob Delgado, SnapAttack
description: Logs network connection metadata captured by Zeek (formerly Bro), including
details such as source and destination IPs, ports, connection state, and protocol.
mitre_components:
- - Network Connection Creation
- - Network Traffic Flow
- - Response Metadata
- - Application Log Content
+- Network Connection Creation
+- Network Traffic Flow
+- Response Metadata
+- Application Log Content
source: bro:conn:json
sourcetype: bro:conn:json
supported_TA: []
-
diff --git a/data_sources/bro_dns.yml b/data_sources/bro_dns.yml
index 7d878c681b..b4deae7a6c 100644
--- a/data_sources/bro_dns.yml
+++ b/data_sources/bro_dns.yml
@@ -6,11 +6,11 @@ author: Jacob Delgado, SnapAttack
description: Logs DNS queries and responses captured by Zeek (formerly Bro), including
details such as queried domains, resolved IPs, query types, and response codes.
mitre_components:
- - Active DNS
- - Passive DNS
- - Network Traffic Content
- - Network Traffic Flow
- - Response Metadata
+- Active DNS
+- Passive DNS
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
source: bro:dns:json
sourcetype: bro:dns:json
supported_TA: []
diff --git a/data_sources/bro_files.yml b/data_sources/bro_files.yml
index 4cb84af9fa..20121d2067 100644
--- a/data_sources/bro_files.yml
+++ b/data_sources/bro_files.yml
@@ -7,11 +7,11 @@ description: Logs metadata about files transferred over the network captured by
(formerly Bro), including details such as file names, hashes, MIME types, and transfer
protocols.
mitre_components:
- - File Metadata
- - Network Traffic Content
- - Network Traffic Flow
- - Response Metadata
- - Application Log Content
+- File Metadata
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+- Application Log Content
source: bro:files:json
sourcetype: bro:files:json
supported_TA: []
diff --git a/data_sources/bro_http.yml b/data_sources/bro_http.yml
index 59232b529e..e8e25150dc 100644
--- a/data_sources/bro_http.yml
+++ b/data_sources/bro_http.yml
@@ -6,11 +6,11 @@ author: Patrick Bareiss, Splunk
description: Logs HTTP traffic analyzed by Zeek (formerly Bro), including details
such as request methods, URLs, user agents, response codes, and headers.
mitre_components:
- - Network Traffic Content
- - Network Traffic Flow
- - Response Content
- - Response Metadata
- - Application Log Content
+- Network Traffic Content
+- Network Traffic Flow
+- Response Content
+- Response Metadata
+- Application Log Content
source: bro:http:json
sourcetype: bro:http:json
supported_TA: []
diff --git a/data_sources/bro_loaded_scripts.yml b/data_sources/bro_loaded_scripts.yml
index be17c3a7e1..2b9669bac3 100644
--- a/data_sources/bro_loaded_scripts.yml
+++ b/data_sources/bro_loaded_scripts.yml
@@ -6,10 +6,10 @@ author: Jacob Delgado, SnapAttack
description: Logs details about the scripts loaded by Zeek (formerly Bro) during initialization,
including script names and paths.
mitre_components:
- - Application Log Content
- - Configuration Modification
- - Script Execution
- - OS API Execution
+- Application Log Content
+- Configuration Modification
+- Script Execution
+- OS API Execution
source: bro:loaded_scripts:json
sourcetype: bro:loaded_scripts:json
supported_TA: []
diff --git a/data_sources/bro_ntp.yml b/data_sources/bro_ntp.yml
index b849d5d5db..727dfc5bfa 100644
--- a/data_sources/bro_ntp.yml
+++ b/data_sources/bro_ntp.yml
@@ -6,10 +6,10 @@ author: Jacob Delgado, SnapAttack
description: Logs Network Time Protocol (NTP) activity captured by Zeek (formerly
Bro), including details such as NTP requests, responses, and server metadata.
mitre_components:
- - Network Traffic Flow
- - Network Traffic Content
- - Response Metadata
- - Application Log Content
+- Network Traffic Flow
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
source: bro:ntp:json
sourcetype: bro:ntp:json
supported_TA: []
diff --git a/data_sources/bro_ocsp.yml b/data_sources/bro_ocsp.yml
index 00e8942e83..316e75d352 100644
--- a/data_sources/bro_ocsp.yml
+++ b/data_sources/bro_ocsp.yml
@@ -6,11 +6,11 @@ author: Jacob Delgado, SnapAttack
description: Logs Online Certificate Status Protocol (OCSP) activity captured by Zeek
(formerly Bro), including details such as certificate validation requests and responses.
mitre_components:
- - Certificate Registration
- - Network Traffic Flow
- - Network Traffic Content
- - Response Metadata
- - Application Log Content
+- Certificate Registration
+- Network Traffic Flow
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
source: bro:ocsp:json
sourcetype: bro:ocsp:json
supported_TA: []
diff --git a/data_sources/bro_ssl.yml b/data_sources/bro_ssl.yml
index a2c17d7261..b138786a0f 100644
--- a/data_sources/bro_ssl.yml
+++ b/data_sources/bro_ssl.yml
@@ -6,11 +6,11 @@ author: Jacob Delgado, SnapAttack
description: Logs SSL/TLS handshake and session details captured by Zeek (formerly
Bro), including certificates, cipher suites, and session information.
mitre_components:
- - Certificate Registration
- - Network Traffic Flow
- - Network Traffic Content
- - Response Metadata
- - Application Log Content
+- Certificate Registration
+- Network Traffic Flow
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
source: bro:ssl:json
sourcetype: bro:ssl:json
supported_TA: []
diff --git a/data_sources/bro_weird.yml b/data_sources/bro_weird.yml
index 1fc72ac2de..4d46c68d74 100644
--- a/data_sources/bro_weird.yml
+++ b/data_sources/bro_weird.yml
@@ -6,11 +6,11 @@ author: Jacob Delgado, SnapAttack
description: Logs anomalous or unexpected network behaviors identified by Zeek (formerly
Bro), including protocol violations and unusual traffic patterns.
mitre_components:
- - Network Traffic Flow
- - Network Traffic Content
- - Response Metadata
- - Application Log Content
- - Host Status
+- Network Traffic Flow
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
+- Host Status
source: bro:weird:json
sourcetype: bro:weird:json
supported_TA: []
diff --git a/data_sources/bro_x509.yml b/data_sources/bro_x509.yml
index 3d9d08adf7..3f23109ebd 100644
--- a/data_sources/bro_x509.yml
+++ b/data_sources/bro_x509.yml
@@ -6,11 +6,11 @@ author: Jacob Delgado, SnapAttack
description: Logs details about X.509 certificates observed in network traffic captured
by Zeek (formerly Bro), including certificate fields, validity periods, and issuers.
mitre_components:
- - Certificate Registration
- - Network Traffic Content
- - Response Metadata
- - Application Log Content
- - Host Status
+- Certificate Registration
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
+- Host Status
source: bro:x509:json
sourcetype: bro:x509:json
supported_TA: []
diff --git a/data_sources/circleci.yml b/data_sources/circleci.yml
index b07ad95c84..dc231daca7 100644
--- a/data_sources/circleci.yml
+++ b/data_sources/circleci.yml
@@ -6,70 +6,70 @@ author: Patrick Bareiss, Splunk
description: Logs activities related to CI/CD pipelines executed in CircleCI, including
job execution, workflow progress, and configuration changes.
mitre_components:
- - Scheduled Job Execution
- - Scheduled Job Metadata
- - Application Log Content
- - Configuration Modification
- - Host Status
+- Scheduled Job Execution
+- Scheduled Job Metadata
+- Application Log Content
+- Configuration Modification
+- Host Status
source: circleci
sourcetype: circleci
supported_TA:
- - name: App for CircleCI
- url: https://splunkbase.splunk.com/app/5162
- version: 0.1.1
+- name: App for CircleCI
+ url: https://splunkbase.splunk.com/app/5162
+ version: 0.1.1
fields:
- - _time
- - author_name
- - avatar_url
- - branch
- - build_num
- - build_time_millis
- - build_url
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - eventtype
- - fail_reason
- - host
- - index
- - job_name
- - job_time
- - linecount
- - owners{}
- - project_slug
- - punct
- - queued_time
- - reponame
- - source
- - sourcetype
- - splunk_server
- - start_time
- - status
- - stop_time
- - tag
- - tag::eventtype
- - timedout
- - timeendpos
- - timestartpos
- - username
- - vcs.commit_time
- - vcs.committer_name
- - vcs.revision
- - vcs.subject
- - vcs.tag
- - vcs.type
- - vcs.url
- - workflows.job_id
- - workflows.job_name
- - workflows.upstream_job_ids{}
- - workflows.workflow_id
- - workflows.workflow_name
- - workflows.workspace_id
+- _time
+- author_name
+- avatar_url
+- branch
+- build_num
+- build_time_millis
+- build_url
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- eventtype
+- fail_reason
+- host
+- index
+- job_name
+- job_time
+- linecount
+- owners{}
+- project_slug
+- punct
+- queued_time
+- reponame
+- source
+- sourcetype
+- splunk_server
+- start_time
+- status
+- stop_time
+- tag
+- tag::eventtype
+- timedout
+- timeendpos
+- timestartpos
+- username
+- vcs.commit_time
+- vcs.committer_name
+- vcs.revision
+- vcs.subject
+- vcs.tag
+- vcs.type
+- vcs.url
+- workflows.job_id
+- workflows.job_name
+- workflows.upstream_job_ids{}
+- workflows.workflow_id
+- workflows.workflow_name
+- workflows.workspace_id
example_log: '{"job_time": "2021-09-02T08:13:34.273Z", "stop_time": "2021-09-02T08:13:34.273Z",
"start_time": "2021-09-02T08:10:15.829Z", "queued_time": "2021-09-02T08:10:12.764Z",
"job_name": "Unknown", "reponame": "devsecops_poc", "build_num": 94, "build_url":
diff --git a/data_sources/crowdstrike_processrollup2.yml b/data_sources/crowdstrike_processrollup2.yml
index d160cf8620..a038a6273f 100644
--- a/data_sources/crowdstrike_processrollup2.yml
+++ b/data_sources/crowdstrike_processrollup2.yml
@@ -7,109 +7,109 @@ description: Logs process-related activities captured by CrowdStrike, including
creation, termination, and metadata such as hashes, parent processes, and command-line
arguments.
mitre_components:
- - Process Creation
- - Process Termination
- - Process Metadata
- - Command Execution
- - OS API Execution
+- Process Creation
+- Process Termination
+- Process Metadata
+- Command Execution
+- OS API Execution
source: crowdstrike
sourcetype: crowdstrike:events:sensor
separator: event_simpleName
separator_value: ProcessRollup2
supported_TA:
- - name: Splunk Add-on for CrowdStrike FDR
- url: https://splunkbase.splunk.com/app/5579
- version: 2.0.3
+- name: Splunk Add-on for CrowdStrike FDR
+ url: https://splunkbase.splunk.com/app/5579
+ version: 2.0.3
fields:
- - AuthenticationId
- - AuthenticationId_meaning
- - AuthenticodeHashData
- - CommandLine
- - ConfigBuild
- - ConfigStateHash
- - EffectiveTransmissionClass
- - Entitlements
- - EventOrigin
- - ImageFileName
- - ImageSubsystem
- - ImageSubsystem_meaning
- - IntegrityLevel
- - IntegrityLevel_meaning
- - MD5HashData
- - ParentAuthenticationId
- - ParentBaseFileName
- - ParentProcessId
- - ProcessCreateFlags
- - ProcessEndTime
- - ProcessParameterFlags
- - ProcessParameterFlags_meaning
- - ProcessStartTime
- - ProcessSxsFlags
- - ProcessSxsFlags_meaning
- - RawProcessId
- - SHA1HashData
- - SHA256HashData
- - SessionId
- - SignInfoFlags
- - SignInfoFlags_meaning
- - SourceProcessId
- - SourceThreadId
- - Tags
- - TargetProcessId
- - TokenType
- - TokenType_meaning
- - UserSid
- - WindowFlags
- - WindowFlags_meaning
- - action
- - aid
- - aid_city
- - aid_computer_name
- - aid_continent
- - aid_country
- - aid_machine_domain
- - aid_os_version
- - aid_ou
- - aid_site_name
- - aid_system_product_name
- - aip
- - cid
- - dest
- - event_ingest_time
- - event_platform
- - event_simpleName
- - eventtype
- - host_res_aid
- - id
- - os
- - parent_process_exec
- - parent_process_id
- - parent_process_name
- - process
- - process_exec
- - process_hash
- - process_id
- - process_integrity_level
- - process_name
- - process_path
- - resolve_dest
- - resolve_process_integrity_level
- - tag
- - timestamp
- - user
- - user_id
- - vendor_product
+- AuthenticationId
+- AuthenticationId_meaning
+- AuthenticodeHashData
+- CommandLine
+- ConfigBuild
+- ConfigStateHash
+- EffectiveTransmissionClass
+- Entitlements
+- EventOrigin
+- ImageFileName
+- ImageSubsystem
+- ImageSubsystem_meaning
+- IntegrityLevel
+- IntegrityLevel_meaning
+- MD5HashData
+- ParentAuthenticationId
+- ParentBaseFileName
+- ParentProcessId
+- ProcessCreateFlags
+- ProcessEndTime
+- ProcessParameterFlags
+- ProcessParameterFlags_meaning
+- ProcessStartTime
+- ProcessSxsFlags
+- ProcessSxsFlags_meaning
+- RawProcessId
+- SHA1HashData
+- SHA256HashData
+- SessionId
+- SignInfoFlags
+- SignInfoFlags_meaning
+- SourceProcessId
+- SourceThreadId
+- Tags
+- TargetProcessId
+- TokenType
+- TokenType_meaning
+- UserSid
+- WindowFlags
+- WindowFlags_meaning
+- action
+- aid
+- aid_city
+- aid_computer_name
+- aid_continent
+- aid_country
+- aid_machine_domain
+- aid_os_version
+- aid_ou
+- aid_site_name
+- aid_system_product_name
+- aip
+- cid
+- dest
+- event_ingest_time
+- event_platform
+- event_simpleName
+- eventtype
+- host_res_aid
+- id
+- os
+- parent_process_exec
+- parent_process_id
+- parent_process_name
+- process
+- process_exec
+- process_hash
+- process_id
+- process_integrity_level
+- process_name
+- process_path
+- resolve_dest
+- resolve_process_integrity_level
+- tag
+- timestamp
+- user
+- user_id
+- vendor_product
field_mappings:
- - data_model: cim
- data_set: Endpoint.Processes
- mapping:
- CommandLine: Processes.process
- ImageFileName: Processes.process_path
- ParentBaseFileName: Processes.parent_process_name
- ParentProcessId: Processes.parent_process_id
- RawProcessId: Processes.process_id
- SHA256HashData: Processes.process_hash
- UserSid: Processes.user
+- data_model: cim
+ data_set: Endpoint.Processes
+ mapping:
+ CommandLine: Processes.process
+ ImageFileName: Processes.process_path
+ ParentBaseFileName: Processes.parent_process_name
+ ParentProcessId: Processes.parent_process_id
+ RawProcessId: Processes.process_id
+ SHA256HashData: Processes.process_hash
+ UserSid: Processes.user
example_log: '{"LinkName":"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start
Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk","ProcessCreateFlags":"67634196","IntegrityLevel":"12288","ParentProcessId":"5459598860","SourceProcessId":"5459598860","aip":"3.126.231.40","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-586445407-708991241-1829972403-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"explorer.exe","EventOrigin":"1","ImageSubsystem":"3","id":"e2210781-0e8f-47d2-bf6a-56d2c59f38ee","EffectiveTransmissionClass":"3","SessionId":"2","ShowWindowFlags":"1","Tags":"27,
40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 212205744161605,
diff --git a/data_sources/crushftp.yml b/data_sources/crushftp.yml
index 67968d73ef..597fda30f8 100644
--- a/data_sources/crushftp.yml
+++ b/data_sources/crushftp.yml
@@ -6,17 +6,17 @@ author: Patrick Bareiss, Splunk
description: Logs activities related to file transfers and user interactions in CrushFTP,
including file uploads, downloads, user authentication, and session details.
mitre_components:
- - File Access
- - File Metadata
- - User Account Authentication
- - Logon Session Metadata
- - Network Traffic Content
+- File Access
+- File Metadata
+- User Account Authentication
+- Logon Session Metadata
+- Network Traffic Content
source: crushftp
sourcetype: crushftp:sessionlogs
supported_TA: []
fields:
- - _time
- - _raw
+- _time
+- _raw
example_log: 'SESSION|05/14/2024 17:36:21.859|[HTTPS:169_52326_sMa:anonymous:10.0.1.30]
READ: *POST /WebInterface/function/?c2f=CmF1&command=zip&path=%3CINCLUDE%3Eusers/MainUsers/groups.XML%3C/INCLUDE%3E&names=/a
HTTP/1.1*'
diff --git a/data_sources/g_suite_drive.yml b/data_sources/g_suite_drive.yml
index 0d56a7944d..dac656446b 100644
--- a/data_sources/g_suite_drive.yml
+++ b/data_sources/g_suite_drive.yml
@@ -6,49 +6,49 @@ author: Patrick Bareiss, Splunk
description: Logs activities related to Google Drive in G Suite, including file creation,
modification, sharing, and access details.
mitre_components:
- - File Access
- - File Creation
- - File Modification
- - Cloud Storage Access
- - Cloud Storage Metadata
+- File Access
+- File Creation
+- File Modification
+- Cloud Storage Access
+- Cloud Storage Metadata
source: http:gsuite
sourcetype: gsuite:drive:json
supported_TA:
- - name: Splunk Add-on for Google Workspace
- url: https://splunkbase.splunk.com/app/5556
- version: 3.0.2
+- name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 3.0.2
fields:
- - _time
- - email
- - host
- - index
- - ip_address
- - linecount
- - name
- - parameters.actor_is_collaborator_account
- - parameters.billable
- - parameters.doc_id
- - parameters.doc_title
- - parameters.doc_type
- - parameters.is_encrypted
- - parameters.new_value{}
- - parameters.old_value{}
- - parameters.old_visibility
- - parameters.originating_app_id
- - parameters.owner
- - parameters.owner_is_shared_drive
- - parameters.owner_is_team_drive
- - parameters.primary_event
- - parameters.target_user
- - parameters.visibility
- - parameters.visibility_change
- - punct
- - source
- - sourcetype
- - splunk_server
- - timestamp
- - type
- - unique_id
+- _time
+- email
+- host
+- index
+- ip_address
+- linecount
+- name
+- parameters.actor_is_collaborator_account
+- parameters.billable
+- parameters.doc_id
+- parameters.doc_title
+- parameters.doc_type
+- parameters.is_encrypted
+- parameters.new_value{}
+- parameters.old_value{}
+- parameters.old_visibility
+- parameters.originating_app_id
+- parameters.owner
+- parameters.owner_is_shared_drive
+- parameters.owner_is_team_drive
+- parameters.primary_event
+- parameters.target_user
+- parameters.visibility
+- parameters.visibility_change
+- punct
+- source
+- sourcetype
+- splunk_server
+- timestamp
+- type
+- unique_id
example_log: '{"type": "acl_change", "name": "change_user_access", "parameters": {"primary_event":
true, "billable": true, "visibility_change": "none", "target_user": "alberto@internal_test_email.com",
"old_value": ["none"], "new_value": ["can_edit"], "old_visibility": "private", "doc_id":
diff --git a/data_sources/g_suite_gmail.yml b/data_sources/g_suite_gmail.yml
index c89e7087fb..1d698151df 100644
--- a/data_sources/g_suite_gmail.yml
+++ b/data_sources/g_suite_gmail.yml
@@ -6,87 +6,87 @@ author: Patrick Bareiss, Splunk
description: Logs Gmail activities in G Suite, including email sending, receiving,
and access details, as well as potential security-related events.
mitre_components:
- - Application Log Content
- - User Account Metadata
- - Email Metadata
- - Cloud Service Metadata
+- Application Log Content
+- User Account Metadata
+- Email Metadata
+- Cloud Service Metadata
source: http:gsuite
sourcetype: gsuite:gmail:bigquery
supported_TA:
- - name: Splunk Add-on for Google Workspace
- url: https://splunkbase.splunk.com/app/5556
- version: 3.0.2
+- name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 3.0.2
fields:
- - _time
- - action_type
- - attachment{}.file_extension_type
- - attachment{}.malware_family
- - attachment{}.sha256
- - connection_info.authenticated_domain{}.name
- - connection_info.authenticated_domain{}.type
- - connection_info.client_host_zone
- - connection_info.client_ip
- - connection_info.dkim_pass
- - connection_info.dmarc_pass
- - connection_info.dmarc_published_domain
- - connection_info.ip_geo_city
- - connection_info.ip_geo_country
- - connection_info.is_internal
- - connection_info.is_intra_domain
- - connection_info.smtp_in_connect_ip
- - connection_info.smtp_out_connect_ip
- - connection_info.smtp_out_remote_host
- - connection_info.smtp_reply_code
- - connection_info.smtp_response_reason
- - connection_info.smtp_tls_cipher
- - connection_info.smtp_tls_state
- - connection_info.smtp_tls_version
- - connection_info.smtp_user_agent_ip
- - connection_info.spf_pass
- - connection_info.tls_required_but_unavailable
- - description
- - destination{}.address
- - destination{}.rcpt_response
- - destination{}.selector
- - destination{}.service
- - destination{}.smime_decryption_success
- - destination{}.smime_extraction_success
- - destination{}.smime_parsing_success
- - destination{}.smime_signature_verification_success
- - eventtype
- - flattened_destinations
- - flattened_triggered_rule_info
- - host
- - index
- - is_policy_check_for_sender
- - is_spam
- - linecount
- - message_set{}.type
- - num_message_attachments
- - payload_size
- - punct
- - rfc2822_message_id
- - smime_content_type
- - smime_encrypt_message
- - smime_extraction_success
- - smime_packaging_success
- - smime_sign_message
- - smtp_relay_error
- - source
- - source.address
- - source.from_header_address
- - source.from_header_displayname
- - source.selector
- - source.service
- - sourcetype
- - spam_info
- - splunk_server
- - structured_policy_log_info
- - subject
- - tag
- - tag::eventtype
- - timestamp
- - upload_error_category
+- _time
+- action_type
+- attachment{}.file_extension_type
+- attachment{}.malware_family
+- attachment{}.sha256
+- connection_info.authenticated_domain{}.name
+- connection_info.authenticated_domain{}.type
+- connection_info.client_host_zone
+- connection_info.client_ip
+- connection_info.dkim_pass
+- connection_info.dmarc_pass
+- connection_info.dmarc_published_domain
+- connection_info.ip_geo_city
+- connection_info.ip_geo_country
+- connection_info.is_internal
+- connection_info.is_intra_domain
+- connection_info.smtp_in_connect_ip
+- connection_info.smtp_out_connect_ip
+- connection_info.smtp_out_remote_host
+- connection_info.smtp_reply_code
+- connection_info.smtp_response_reason
+- connection_info.smtp_tls_cipher
+- connection_info.smtp_tls_state
+- connection_info.smtp_tls_version
+- connection_info.smtp_user_agent_ip
+- connection_info.spf_pass
+- connection_info.tls_required_but_unavailable
+- description
+- destination{}.address
+- destination{}.rcpt_response
+- destination{}.selector
+- destination{}.service
+- destination{}.smime_decryption_success
+- destination{}.smime_extraction_success
+- destination{}.smime_parsing_success
+- destination{}.smime_signature_verification_success
+- eventtype
+- flattened_destinations
+- flattened_triggered_rule_info
+- host
+- index
+- is_policy_check_for_sender
+- is_spam
+- linecount
+- message_set{}.type
+- num_message_attachments
+- payload_size
+- punct
+- rfc2822_message_id
+- smime_content_type
+- smime_encrypt_message
+- smime_extraction_success
+- smime_packaging_success
+- smime_sign_message
+- smtp_relay_error
+- source
+- source.address
+- source.from_header_address
+- source.from_header_displayname
+- source.selector
+- source.service
+- sourcetype
+- spam_info
+- splunk_server
+- structured_policy_log_info
+- subject
+- tag
+- tag::eventtype
+- timestamp
+- upload_error_category
example_log: '{"action_type": 10, "rfc2822_message_id": "",
"subject": "New Order DHL0000001 - Dummy email for Detection Development", "payload_size":
6733, "source": {"address": "john@external_test_email.com", "service": "gmail-for-work",
diff --git a/data_sources/github.yml b/data_sources/github.yml
index 32ebea53e7..eaeabb40ed 100644
--- a/data_sources/github.yml
+++ b/data_sources/github.yml
@@ -6,207 +6,207 @@ author: Patrick Bareiss, Splunk
description: Logs activities on GitHub repositories, including push events, pull requests,
issue creation, and user authentication events.
mitre_components:
- - User Account Authentication
- - Configuration Modification
- - Application Log Content
- - User Account Metadata
- - Scheduled Job Metadata
+- User Account Authentication
+- Configuration Modification
+- Application Log Content
+- User Account Metadata
+- Scheduled Job Metadata
source: github
sourcetype: aws:firehose:json
supported_TA:
- - name: Splunk Add-on for Github
- url: https://splunkbase.splunk.com/app/6254
- version: 3.1.0
+- name: Splunk Add-on for Github
+ url: https://splunkbase.splunk.com/app/6254
+ version: 3.1.0
fields:
- - _time
- - action
- - host
- - index
- - linecount
- - meta
- - punct
- - source
- - sourcetype
- - splunk_server
- - timestamp
- - workflow_run.actor.avatar_url
- - workflow_run.actor.events_url
- - workflow_run.actor.followers_url
- - workflow_run.actor.following_url
- - workflow_run.actor.gists_url
- - workflow_run.actor.gravatar_id
- - workflow_run.actor.html_url
- - workflow_run.actor.id
- - workflow_run.actor.login
- - workflow_run.actor.node_id
- - workflow_run.actor.organizations_url
- - workflow_run.actor.received_events_url
- - workflow_run.actor.repos_url
- - workflow_run.actor.site_admin
- - workflow_run.actor.starred_url
- - workflow_run.actor.subscriptions_url
- - workflow_run.actor.type
- - workflow_run.actor.url
- - workflow_run.artifacts_url
- - workflow_run.cancel_url
- - workflow_run.check_suite_id
- - workflow_run.check_suite_node_id
- - workflow_run.check_suite_url
- - workflow_run.conclusion
- - workflow_run.created_at
- - workflow_run.event
- - workflow_run.head_branch
- - workflow_run.head_commit.author.email
- - workflow_run.head_commit.author.name
- - workflow_run.head_commit.committer.email
- - workflow_run.head_commit.committer.name
- - workflow_run.head_commit.id
- - workflow_run.head_commit.message
- - workflow_run.head_commit.timestamp
- - workflow_run.head_commit.tree_id
- - workflow_run.head_repository.collaborators_url
- - workflow_run.head_repository.description
- - workflow_run.head_repository.fork
- - workflow_run.head_repository.forks_url
- - workflow_run.head_repository.full_name
- - workflow_run.head_repository.hooks_url
- - workflow_run.head_repository.html_url
- - workflow_run.head_repository.id
- - workflow_run.head_repository.keys_url
- - workflow_run.head_repository.name
- - workflow_run.head_repository.node_id
- - workflow_run.head_repository.owner.avatar_url
- - workflow_run.head_repository.owner.events_url
- - workflow_run.head_repository.owner.followers_url
- - workflow_run.head_repository.owner.following_url
- - workflow_run.head_repository.owner.gists_url
- - workflow_run.head_repository.owner.gravatar_id
- - workflow_run.head_repository.owner.html_url
- - workflow_run.head_repository.owner.id
- - workflow_run.head_repository.owner.login
- - workflow_run.head_repository.owner.node_id
- - workflow_run.head_repository.owner.organizations_url
- - workflow_run.head_repository.owner.received_events_url
- - workflow_run.head_repository.owner.repos_url
- - workflow_run.head_repository.owner.site_admin
- - workflow_run.head_repository.owner.starred_url
- - workflow_run.head_repository.owner.subscriptions_url
- - workflow_run.head_repository.owner.type
- - workflow_run.head_repository.owner.url
- - workflow_run.head_repository.private
- - workflow_run.head_repository.teams_url
- - workflow_run.head_repository.url
- - workflow_run.head_sha
- - workflow_run.html_url
- - workflow_run.id
- - workflow_run.jobs_url
- - workflow_run.logs_url
- - workflow_run.name
- - workflow_run.node_id
- - workflow_run.previous_attempt_url
- - workflow_run.pull_requests{}.base.ref
- - workflow_run.pull_requests{}.base.repo.id
- - workflow_run.pull_requests{}.base.repo.name
- - workflow_run.pull_requests{}.base.repo.url
- - workflow_run.pull_requests{}.base.sha
- - workflow_run.pull_requests{}.head.ref
- - workflow_run.pull_requests{}.head.repo.id
- - workflow_run.pull_requests{}.head.repo.name
- - workflow_run.pull_requests{}.head.repo.url
- - workflow_run.pull_requests{}.head.sha
- - workflow_run.pull_requests{}.id
- - workflow_run.pull_requests{}.number
- - workflow_run.pull_requests{}.url
- - workflow_run.repository.archive_url
- - workflow_run.repository.assignees_url
- - workflow_run.repository.blobs_url
- - workflow_run.repository.branches_url
- - workflow_run.repository.collaborators_url
- - workflow_run.repository.comments_url
- - workflow_run.repository.commits_url
- - workflow_run.repository.compare_url
- - workflow_run.repository.contents_url
- - workflow_run.repository.contributors_url
- - workflow_run.repository.deployments_url
- - workflow_run.repository.description
- - workflow_run.repository.downloads_url
- - workflow_run.repository.events_url
- - workflow_run.repository.fork
- - workflow_run.repository.forks_url
- - workflow_run.repository.full_name
- - workflow_run.repository.git_commits_url
- - workflow_run.repository.git_refs_url
- - workflow_run.repository.git_tags_url
- - workflow_run.repository.hooks_url
- - workflow_run.repository.html_url
- - workflow_run.repository.id
- - workflow_run.repository.issue_comment_url
- - workflow_run.repository.issue_events_url
- - workflow_run.repository.issues_url
- - workflow_run.repository.keys_url
- - workflow_run.repository.labels_url
- - workflow_run.repository.languages_url
- - workflow_run.repository.merges_url
- - workflow_run.repository.milestones_url
- - workflow_run.repository.name
- - workflow_run.repository.node_id
- - workflow_run.repository.notifications_url
- - workflow_run.repository.owner.avatar_url
- - workflow_run.repository.owner.events_url
- - workflow_run.repository.owner.followers_url
- - workflow_run.repository.owner.following_url
- - workflow_run.repository.owner.gists_url
- - workflow_run.repository.owner.gravatar_id
- - workflow_run.repository.owner.html_url
- - workflow_run.repository.owner.id
- - workflow_run.repository.owner.login
- - workflow_run.repository.owner.node_id
- - workflow_run.repository.owner.organizations_url
- - workflow_run.repository.owner.received_events_url
- - workflow_run.repository.owner.repos_url
- - workflow_run.repository.owner.site_admin
- - workflow_run.repository.owner.starred_url
- - workflow_run.repository.owner.subscriptions_url
- - workflow_run.repository.owner.type
- - workflow_run.repository.owner.url
- - workflow_run.repository.private
- - workflow_run.repository.pulls_url
- - workflow_run.repository.releases_url
- - workflow_run.repository.stargazers_url
- - workflow_run.repository.statuses_url
- - workflow_run.repository.subscribers_url
- - workflow_run.repository.subscription_url
- - workflow_run.repository.tags_url
- - workflow_run.repository.teams_url
- - workflow_run.repository.trees_url
- - workflow_run.repository.url
- - workflow_run.rerun_url
- - workflow_run.run_attempt
- - workflow_run.run_number
- - workflow_run.run_started_at
- - workflow_run.status
- - workflow_run.triggering_actor.avatar_url
- - workflow_run.triggering_actor.events_url
- - workflow_run.triggering_actor.followers_url
- - workflow_run.triggering_actor.following_url
- - workflow_run.triggering_actor.gists_url
- - workflow_run.triggering_actor.gravatar_id
- - workflow_run.triggering_actor.html_url
- - workflow_run.triggering_actor.id
- - workflow_run.triggering_actor.login
- - workflow_run.triggering_actor.node_id
- - workflow_run.triggering_actor.organizations_url
- - workflow_run.triggering_actor.received_events_url
- - workflow_run.triggering_actor.repos_url
- - workflow_run.triggering_actor.site_admin
- - workflow_run.triggering_actor.starred_url
- - workflow_run.triggering_actor.subscriptions_url
- - workflow_run.triggering_actor.type
- - workflow_run.triggering_actor.url
- - workflow_run.updated_at
- - workflow_run.url
- - workflow_run.workflow_id
- - workflow_run.workflow_url
+- _time
+- action
+- host
+- index
+- linecount
+- meta
+- punct
+- source
+- sourcetype
+- splunk_server
+- timestamp
+- workflow_run.actor.avatar_url
+- workflow_run.actor.events_url
+- workflow_run.actor.followers_url
+- workflow_run.actor.following_url
+- workflow_run.actor.gists_url
+- workflow_run.actor.gravatar_id
+- workflow_run.actor.html_url
+- workflow_run.actor.id
+- workflow_run.actor.login
+- workflow_run.actor.node_id
+- workflow_run.actor.organizations_url
+- workflow_run.actor.received_events_url
+- workflow_run.actor.repos_url
+- workflow_run.actor.site_admin
+- workflow_run.actor.starred_url
+- workflow_run.actor.subscriptions_url
+- workflow_run.actor.type
+- workflow_run.actor.url
+- workflow_run.artifacts_url
+- workflow_run.cancel_url
+- workflow_run.check_suite_id
+- workflow_run.check_suite_node_id
+- workflow_run.check_suite_url
+- workflow_run.conclusion
+- workflow_run.created_at
+- workflow_run.event
+- workflow_run.head_branch
+- workflow_run.head_commit.author.email
+- workflow_run.head_commit.author.name
+- workflow_run.head_commit.committer.email
+- workflow_run.head_commit.committer.name
+- workflow_run.head_commit.id
+- workflow_run.head_commit.message
+- workflow_run.head_commit.timestamp
+- workflow_run.head_commit.tree_id
+- workflow_run.head_repository.collaborators_url
+- workflow_run.head_repository.description
+- workflow_run.head_repository.fork
+- workflow_run.head_repository.forks_url
+- workflow_run.head_repository.full_name
+- workflow_run.head_repository.hooks_url
+- workflow_run.head_repository.html_url
+- workflow_run.head_repository.id
+- workflow_run.head_repository.keys_url
+- workflow_run.head_repository.name
+- workflow_run.head_repository.node_id
+- workflow_run.head_repository.owner.avatar_url
+- workflow_run.head_repository.owner.events_url
+- workflow_run.head_repository.owner.followers_url
+- workflow_run.head_repository.owner.following_url
+- workflow_run.head_repository.owner.gists_url
+- workflow_run.head_repository.owner.gravatar_id
+- workflow_run.head_repository.owner.html_url
+- workflow_run.head_repository.owner.id
+- workflow_run.head_repository.owner.login
+- workflow_run.head_repository.owner.node_id
+- workflow_run.head_repository.owner.organizations_url
+- workflow_run.head_repository.owner.received_events_url
+- workflow_run.head_repository.owner.repos_url
+- workflow_run.head_repository.owner.site_admin
+- workflow_run.head_repository.owner.starred_url
+- workflow_run.head_repository.owner.subscriptions_url
+- workflow_run.head_repository.owner.type
+- workflow_run.head_repository.owner.url
+- workflow_run.head_repository.private
+- workflow_run.head_repository.teams_url
+- workflow_run.head_repository.url
+- workflow_run.head_sha
+- workflow_run.html_url
+- workflow_run.id
+- workflow_run.jobs_url
+- workflow_run.logs_url
+- workflow_run.name
+- workflow_run.node_id
+- workflow_run.previous_attempt_url
+- workflow_run.pull_requests{}.base.ref
+- workflow_run.pull_requests{}.base.repo.id
+- workflow_run.pull_requests{}.base.repo.name
+- workflow_run.pull_requests{}.base.repo.url
+- workflow_run.pull_requests{}.base.sha
+- workflow_run.pull_requests{}.head.ref
+- workflow_run.pull_requests{}.head.repo.id
+- workflow_run.pull_requests{}.head.repo.name
+- workflow_run.pull_requests{}.head.repo.url
+- workflow_run.pull_requests{}.head.sha
+- workflow_run.pull_requests{}.id
+- workflow_run.pull_requests{}.number
+- workflow_run.pull_requests{}.url
+- workflow_run.repository.archive_url
+- workflow_run.repository.assignees_url
+- workflow_run.repository.blobs_url
+- workflow_run.repository.branches_url
+- workflow_run.repository.collaborators_url
+- workflow_run.repository.comments_url
+- workflow_run.repository.commits_url
+- workflow_run.repository.compare_url
+- workflow_run.repository.contents_url
+- workflow_run.repository.contributors_url
+- workflow_run.repository.deployments_url
+- workflow_run.repository.description
+- workflow_run.repository.downloads_url
+- workflow_run.repository.events_url
+- workflow_run.repository.fork
+- workflow_run.repository.forks_url
+- workflow_run.repository.full_name
+- workflow_run.repository.git_commits_url
+- workflow_run.repository.git_refs_url
+- workflow_run.repository.git_tags_url
+- workflow_run.repository.hooks_url
+- workflow_run.repository.html_url
+- workflow_run.repository.id
+- workflow_run.repository.issue_comment_url
+- workflow_run.repository.issue_events_url
+- workflow_run.repository.issues_url
+- workflow_run.repository.keys_url
+- workflow_run.repository.labels_url
+- workflow_run.repository.languages_url
+- workflow_run.repository.merges_url
+- workflow_run.repository.milestones_url
+- workflow_run.repository.name
+- workflow_run.repository.node_id
+- workflow_run.repository.notifications_url
+- workflow_run.repository.owner.avatar_url
+- workflow_run.repository.owner.events_url
+- workflow_run.repository.owner.followers_url
+- workflow_run.repository.owner.following_url
+- workflow_run.repository.owner.gists_url
+- workflow_run.repository.owner.gravatar_id
+- workflow_run.repository.owner.html_url
+- workflow_run.repository.owner.id
+- workflow_run.repository.owner.login
+- workflow_run.repository.owner.node_id
+- workflow_run.repository.owner.organizations_url
+- workflow_run.repository.owner.received_events_url
+- workflow_run.repository.owner.repos_url
+- workflow_run.repository.owner.site_admin
+- workflow_run.repository.owner.starred_url
+- workflow_run.repository.owner.subscriptions_url
+- workflow_run.repository.owner.type
+- workflow_run.repository.owner.url
+- workflow_run.repository.private
+- workflow_run.repository.pulls_url
+- workflow_run.repository.releases_url
+- workflow_run.repository.stargazers_url
+- workflow_run.repository.statuses_url
+- workflow_run.repository.subscribers_url
+- workflow_run.repository.subscription_url
+- workflow_run.repository.tags_url
+- workflow_run.repository.teams_url
+- workflow_run.repository.trees_url
+- workflow_run.repository.url
+- workflow_run.rerun_url
+- workflow_run.run_attempt
+- workflow_run.run_number
+- workflow_run.run_started_at
+- workflow_run.status
+- workflow_run.triggering_actor.avatar_url
+- workflow_run.triggering_actor.events_url
+- workflow_run.triggering_actor.followers_url
+- workflow_run.triggering_actor.following_url
+- workflow_run.triggering_actor.gists_url
+- workflow_run.triggering_actor.gravatar_id
+- workflow_run.triggering_actor.html_url
+- workflow_run.triggering_actor.id
+- workflow_run.triggering_actor.login
+- workflow_run.triggering_actor.node_id
+- workflow_run.triggering_actor.organizations_url
+- workflow_run.triggering_actor.received_events_url
+- workflow_run.triggering_actor.repos_url
+- workflow_run.triggering_actor.site_admin
+- workflow_run.triggering_actor.starred_url
+- workflow_run.triggering_actor.subscriptions_url
+- workflow_run.triggering_actor.type
+- workflow_run.triggering_actor.url
+- workflow_run.updated_at
+- workflow_run.url
+- workflow_run.workflow_id
+- workflow_run.workflow_url
example_log: '{"action":"requested","workflow_run":{"id":2088708615,"name":"auto-update","node_id":"WFR_kwLOCa00Ec58fyoH","head_branch":"mac_os_detections","head_sha":"4049334910ea3d52a917ca35aed66d11c80ed966","run_number":9504,"event":"push","status":"queued","conclusion":null,"workflow_id":4692335,"check_suite_id":5918781611,"check_suite_node_id":"CS_kwDOCa00Ec8AAAABYMlwqw","url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615","html_url":"https://github.com/splunk/security_content/actions/runs/2088708615","pull_requests":[{"url":"https://api.github.com/repos/splunk/security_content/pulls/2131","id":893091277,"number":2131,"head":{"ref":"mac_os_detections","sha":"4049334910ea3d52a917ca35aed66d11c80ed966","repo":{"id":162346001,"url":"https://api.github.com/repos/splunk/security_content","name":"security_content"}},"base":{"ref":"develop","sha":"a7d3d1dc57f9bf36fe22e470bcf518fcc2c89283","repo":{"id":162346001,"url":"https://api.github.com/repos/splunk/security_content","name":"security_content"}}}],"created_at":"2022-04-04T08:43:15Z","updated_at":"2022-04-04T08:43:15Z","actor":{"login":"jsmith","id":8362376,"node_id":"MDQ6VXNlcjgzNjIzNzY=","avatar_url":"https://avatars.githubusercontent.com/u/8362376?v=4","gravatar_id":"","url":"https://api.github.com/users/jsmith","html_url":"https://github.com/jsmith","followers_url":"https://api.github.com/users/jsmith/followers","following_url":"https://api.github.com/users/jsmith/following{/other_user}","gists_url":"https://api.github.com/users/jsmith/gists{/gist_id}","starred_url":"https://api.github.com/users/jsmith/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jsmith/subscriptions","organizations_url":"https://api.github.com/users/jsmith/orgs","repos_url":"https://api.github.com/users/jsmith/repos","events_url":"https://api.github.com/users/jsmith/events{/privacy}","received_events_url":"https://api.github.com/users/jsmith/received_events","type":"User","site_admin":
false},"run_attempt":1,"run_started_at":"2022-04-04T08:43:15Z","triggering_actor":{"login":"jsmith","id":8362376,"node_id":"MDQ6VXNlcjgzNjIzNzY=","avatar_url":"https://avatars.githubusercontent.com/u/8362376?v=4","gravatar_id":"","url":"https://api.github.com/users/jsmith","html_url":"https://github.com/jsmith","followers_url":"https://api.github.com/users/jsmith/followers","following_url":"https://api.github.com/users/jsmith/following{/other_user}","gists_url":"https://api.github.com/users/jsmith/gists{/gist_id}","starred_url":"https://api.github.com/users/jsmith/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jsmith/subscriptions","organizations_url":"https://api.github.com/users/jsmith/orgs","repos_url":"https://api.github.com/users/jsmith/repos","events_url":"https://api.github.com/users/jsmith/events{/privacy}","received_events_url":"https://api.github.com/users/jsmith/received_events","type":"User","site_admin":false},"jobs_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/jobs","logs_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/logs","check_suite_url":"https://api.github.com/repos/splunk/security_content/check-suites/5918781611","artifacts_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/artifacts","cancel_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/cancel","rerun_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/rerun","previous_attempt_url":null,"workflow_url":"https://api.github.com/repos/splunk/security_content/actions/workflows/4692335","head_commit":{"id":"4049334910ea3d52a917ca35aed66d11c80ed966","tree_id":"df4ddc1359be3b19f093b7a27dbf5708187743a0","message":"small
change","timestamp":"2022-04-04T08:43:01Z","author":{"name":"jsmith","email":"jsmith@evilcorp.com"},"committer":{"name":"jsmith","email":"jsmith@evilcorp.com"}},"repository":{"id":162346001,"node_id":"MDEwOlJlcG9zaXRvcnkxNjIzNDYwMDE=","name":"security_content","full_name":"splunk/security_content","private":false,"owner":{"login":"splunk","id":651467,"node_id":"MDEyOk9yZ2FuaXphdGlvbjY1MTQ2Nw==","avatar_url":"https://avatars.githubusercontent.com/u/651467?v=4","gravatar_id":"","url":"https://api.github.com/users/splunk","html_url":"https://github.com/splunk","followers_url":"https://api.github.com/users/splunk/followers","following_url":"https://api.github.com/users/splunk/following{/other_user}","gists_url":"https://api.github.com/users/splunk/gists{/gist_id}","starred_url":"https://api.github.com/users/splunk/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/splunk/subscriptions","organizations_url":"https://api.github.com/users/splunk/orgs","repos_url":"https://api.github.com/users/splunk/repos","events_url":"https://api.github.com/users/splunk/events{/privacy}","received_events_url":"https://api.github.com/users/splunk/received_events","type":"Organization","site_admin":false},"html_url":"https://github.com/splunk/security_content","description":"Splunk
Security Content","fork":false,"url":"https://api.github.com/repos/splunk/security_content","forks_url":"https://api.github.com/repos/splunk/security_content/forks","keys_url":"https://api.github.com/repos/splunk/security_content/keys{/key_id}","collaborators_url":"https://api.github.com/repos/splunk/security_content/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/splunk/security_content/teams","hooks_url":"https://api.github.com/repos/splunk/security_content/hooks","issue_events_url":"https://api.github.com/repos/splunk/security_content/issues/events{/number}","events_url":"https://api.github.com/repos/splunk/security_content/events","assignees_url":"https://api.github.com/repos/splunk/security_content/assignees{/user}","branches_url":"https://api.github.com/repos/splunk/security_content/branches{/branch}","tags_url":"https://api.github.com/repos/splunk/security_content/tags","blobs_url":"https://api.github.com/repos/splunk/security_content/git/blobs{/sha}","git_tags_url":"https://api.github.com/repos/splunk/security_content/git/tags{/sha}","git_refs_url":"https://api.github.com/repos/splunk/security_content/git/refs{/sha}","trees_url":"https://api.github.com/repos/splunk/security_content/git/trees{/sha}","statuses_url":"https://api.github.com/repos/splunk/security_content/statuses/{sha}","languages_url":"https://api.github.com/repos/splunk/security_content/languages","stargazers_url":"https://api.github.com/repos/splunk/security_content/stargazers","contributors_url":"https://api.github.com/repos/splunk/security_content/contributors","subscribers_url":"https://api.github.com/repos/splunk/security_content/subscribers","subscription_url":"https://api.github.com/repos/splunk/security_content/subscription","commits_url":"https://api.github.com/repos/splunk/security_content/commits{/sha}","git_commits_url":"https://api.github.com/repos/splunk/security_content/git/commits{/sha}","comments_url":"https://api.github.com/repos/splunk/security_content
/comments{/number}","issue_comment_url":"https://api.github.com/repos/splunk/security_content/issues/comments{/number}","contents_url":"https://api.github.com/repos/splunk/security_content/contents/{+path}","compare_url":"https://api.github.com/repos/splunk/security_content/compare/{base}...{head}","merges_url":"https://api.github.com/repos/splunk/security_content/merges","archive_url":"https://api.github.com/repos/splunk/security_content/{archive_format}{/ref}","downloads_url":"https://api.github.com/repos/splunk/security_content/downloads","issues_url":"https://api.github.com/repos/splunk/security_content/issues{/number}","pulls_url":"https://api.github.com/repos/splunk/security_content/pulls{/number}","milestones_url":"https://api.github.com/repos/splunk/security_content/milestones{/number}","notifications_url":"https://api.github.com/repos/splunk/security_content/notifications{?since,all,participating}","labels_url":"https://api.github.com/repos/splunk/security_content/labels{/name}","releases_url":"https://api.github.com/repos/splunk/security_content/releases{/id}","deployments_url":"https://api.github.com/repos/splunk/security_content/deployments"},"head_repository":{"id":162346001,"node_id":"MDEwOlJlcG9zaXRvcnkxNjIzNDYwMDE=","name":"security_content","full_name":"splunk/security_content","private":false,"owner":{"login":"splunk","id":651467,"node_id":"MDEyOk9yZ2FuaXphdGlvbjY1MTQ2Nw==","avatar_url":"https://avatars.githubusercontent.com/u/651467?v=4","gravatar_id":"","url":"https://api.github.com/users/splunk","html_url":"https://github.com/splunk","followers_url":"https://api.github.com/users/splunk/followers","following_url":"https://api.github.com/users/splunk/following{/other_user}","gists_url":"https://api.github.com/users/splunk/gists{/gist_id}","starred_url":"https://api.github.com/users/splunk/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/splunk/subscriptions","organizations_url":"https://api.github.com/users/splunk/orgs","r
epos_url":"https://api.github.com/users/splunk/repos","events_url":"https://api.github.com/users/splunk/events{/privacy}","received_events_url":"https://api.github.com/users/splunk/received_events","type":"Organization","site_admin":false},"html_url":"https://github.com/splunk/security_content","description":"Splunk
diff --git a/data_sources/google_workspace_login_failure.yml b/data_sources/google_workspace_login_failure.yml
index f853aa35f3..702959eef7 100644
--- a/data_sources/google_workspace_login_failure.yml
+++ b/data_sources/google_workspace_login_failure.yml
@@ -6,54 +6,54 @@ author: Patrick Bareiss, Splunk
description: Logs failed login attempts to Google Workspace accounts, including details
about the user, IP address, and reason for failure.
mitre_components:
- - User Account Authentication
- - Logon Session Metadata
- - User Account Metadata
- - Application Log Content
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: gws:reports:admin
sourcetype: gws:reports:admin
separator: event.name
separator_value: login_failure
supported_TA:
- - name: Splunk Add-on for Google Workspace
- url: https://splunkbase.splunk.com/app/5556
- version: 3.0.2
+- name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 3.0.2
fields:
- - _time
- - actor.email
- - actor.profileId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - etag
- - event.name
- - event.parameters{}.multiValue{}
- - event.parameters{}.name
- - event.parameters{}.value
- - event.type
- - eventtype
- - host
- - id.applicationName
- - id.customerId
- - id.time
- - id.uniqueQualifier
- - index
- - ipAddress
- - kind
- - linecount
- - punct
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
+- _time
+- actor.email
+- actor.profileId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- etag
+- event.name
+- event.parameters{}.multiValue{}
+- event.parameters{}.name
+- event.parameters{}.value
+- event.type
+- eventtype
+- host
+- id.applicationName
+- id.customerId
+- id.time
+- id.uniqueQualifier
+- index
+- ipAddress
+- kind
+- linecount
+- punct
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
example_log: '{"kind": "admin#reports#activity", "id": {"time": "2022-10-12T01:05:35.119Z",
"uniqueQualifier": "720229394436", "applicationName": "login", "customerId": "C046r85ir"},
"etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/_lixtTooT11WXorGf6w6ElN0m0g\"",
diff --git a/data_sources/google_workspace_login_success.yml b/data_sources/google_workspace_login_success.yml
index 4f0d7d8265..3ad47e3299 100644
--- a/data_sources/google_workspace_login_success.yml
+++ b/data_sources/google_workspace_login_success.yml
@@ -6,52 +6,52 @@ author: Patrick Bareiss, Splunk
description: Logs successful login attempts to Google Workspace accounts, including
details about the user, IP address, and session metadata.
mitre_components:
- - User Account Authentication
- - Logon Session Creation
- - User Account Metadata
- - Logon Session Metadata
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Logon Session Metadata
source: gws:reports:admin
sourcetype: gws:reports:admin
separator: event.name
separator_value: login_success
supported_TA:
- - name: Splunk Add-on for Google Workspace
- url: https://splunkbase.splunk.com/app/5556
- version: 3.0.2
+- name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 3.0.2
fields:
- - _time
- - actor.email
- - actor.profileId
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - etag
- - event.name
- - event.parameters{}.boolValue
- - event.parameters{}.multiValue{}
- - event.parameters{}.name
- - event.parameters{}.value
- - event.type
- - host
- - id.applicationName
- - id.customerId
- - id.time
- - id.uniqueQualifier
- - index
- - ipAddress
- - kind
- - linecount
- - punct
- - source
- - sourcetype
- - splunk_server
- - timeendpos
- - timestartpos
+- _time
+- actor.email
+- actor.profileId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- etag
+- event.name
+- event.parameters{}.boolValue
+- event.parameters{}.multiValue{}
+- event.parameters{}.name
+- event.parameters{}.value
+- event.type
+- host
+- id.applicationName
+- id.customerId
+- id.time
+- id.uniqueQualifier
+- index
+- ipAddress
+- kind
+- linecount
+- punct
+- source
+- sourcetype
+- splunk_server
+- timeendpos
+- timestartpos
example_log: '{"kind": "admin#reports#activity", "id": {"time": "2022-10-13T20:57:35.833Z",
"uniqueQualifier": "437744618349", "applicationName": "login", "customerId": "C046r85ir"},
"etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/OgAbD-Tz8hSD1vUJWw7NLiJ5SF4\"",
diff --git a/data_sources/ivanti_vtm_audit.yml b/data_sources/ivanti_vtm_audit.yml
index 389bf9b8d9..31e1bdc95e 100644
--- a/data_sources/ivanti_vtm_audit.yml
+++ b/data_sources/ivanti_vtm_audit.yml
@@ -6,22 +6,22 @@ author: Michael Haag, Splunk
description: Logs administrative and operational activities in Ivanti Virtual Traffic
Manager (VTM), including configuration changes, user actions, and system events.
mitre_components:
- - Configuration Modification
- - Application Log Content
- - User Account Metadata
- - Host Status
- - Service Modification
+- Configuration Modification
+- Application Log Content
+- User Account Metadata
+- Host Status
+- Service Modification
source: ivanti_vtm
sourcetype: ivanti_vtm_audit
supported_TA: []
fields:
- - _time
- - IP
- - MODUSER
- - OPERATION
- - MODGROUP
- - AUTH
- - USER
- - GROUP
+- _time
+- IP
+- MODUSER
+- OPERATION
+- MODGROUP
+- AUTH
+- USER
+- GROUP
example_log: '[19/Aug/2024:19:41:22 +0000] USER=!!ABSENT!! GROUP=!!ABSENT!! AUTH=!!ABSENT!!
IP=!!ABSENT!! OPERATION=adduser MODUSER=newadmin MODGROUP=admin'
diff --git a/data_sources/kubernetes_audit.yml b/data_sources/kubernetes_audit.yml
index 89588cee18..7553357ea4 100644
--- a/data_sources/kubernetes_audit.yml
+++ b/data_sources/kubernetes_audit.yml
@@ -6,62 +6,62 @@ author: Patrick Bareiss, Splunk
description: Logs activities within a Kubernetes cluster, including API server requests,
resource access, configuration changes, and user authentication events.
mitre_components:
- - Pod Metadata
- - Pod Modification
- - Cluster Metadata
- - User Account Authentication
- - Configuration Modification
- - Application Log Content
+- Pod Metadata
+- Pod Modification
+- Cluster Metadata
+- User Account Authentication
+- Configuration Modification
+- Application Log Content
source: kubernetes
sourcetype: _json
supported_TA: []
fields:
- - _time
- - annotations.authorization.k8s.io/decision
- - annotations.authorization.k8s.io/reason
- - apiVersion
- - auditID
- - eventtype
- - host
- - index
- - kind
- - level
- - linecount
- - objectRef.apiGroup
- - objectRef.apiVersion
- - objectRef.namespace
- - objectRef.resource
- - punct
- - requestReceivedTimestamp
- - requestURI
- - responseObject.apiVersion
- - responseObject.code
- - responseObject.details.group
- - responseObject.details.kind
- - responseObject.kind
- - responseObject.message
- - responseObject.reason
- - responseObject.status
- - responseStatus.code
- - responseStatus.details.group
- - responseStatus.details.kind
- - responseStatus.message
- - responseStatus.reason
- - responseStatus.status
- - source
- - sourceIPs{}
- - sourcetype
- - splunk_server
- - stage
- - stageTimestamp
- - tag
- - tag::eventtype
- - timestamp
- - user.groups{}
- - user.uid
- - user.username
- - userAgent
- - verb
+- _time
+- annotations.authorization.k8s.io/decision
+- annotations.authorization.k8s.io/reason
+- apiVersion
+- auditID
+- eventtype
+- host
+- index
+- kind
+- level
+- linecount
+- objectRef.apiGroup
+- objectRef.apiVersion
+- objectRef.namespace
+- objectRef.resource
+- punct
+- requestReceivedTimestamp
+- requestURI
+- responseObject.apiVersion
+- responseObject.code
+- responseObject.details.group
+- responseObject.details.kind
+- responseObject.kind
+- responseObject.message
+- responseObject.reason
+- responseObject.status
+- responseStatus.code
+- responseStatus.details.group
+- responseStatus.details.kind
+- responseStatus.message
+- responseStatus.reason
+- responseStatus.status
+- source
+- sourceIPs{}
+- sourcetype
+- splunk_server
+- stage
+- stageTimestamp
+- tag
+- tag::eventtype
+- timestamp
+- user.groups{}
+- user.uid
+- user.username
+- userAgent
+- verb
example_log: '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs?fieldManager=kubectl-create\u0026fieldValidation=Strict","verb":"create","user":{"username":"k8s-test-user","uid":"aws-iam-authenticator:591511147606:AROAYTOGP2RLFHNBOTP5J","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2
(darwin/arm64) kubernetes/7f6f68f","objectRef":{"resource":"jobs","namespace":"test2","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"jobs.batch
is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group
diff --git a/data_sources/kubernetes_falco.yml b/data_sources/kubernetes_falco.yml
index cff1b27f1c..f5f7cf1762 100644
--- a/data_sources/kubernetes_falco.yml
+++ b/data_sources/kubernetes_falco.yml
@@ -6,50 +6,50 @@ author: Patrick Bareiss, Splunk
description: Logs suspicious or anomalous activities within a Kubernetes environment
detected by Falco, including system calls, file access, and network activity.
mitre_components:
- - File Access
- - Network Traffic Content
- - Process Creation
- - Process Modification
- - Application Log Content
- - Host Status
+- File Access
+- Network Traffic Content
+- Process Creation
+- Process Modification
+- Application Log Content
+- Host Status
source: kubernetes
sourcetype: kube:container:falco
supported_TA: []
fields:
- - _time
- - command
- - container_id
- - container_image
- - container_image_tag
- - container_name
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - evt_type
- - exe_flags
- - host
- - index
- - k8s_ns
- - k8s_pod_name
- - linecount
- - parent
- - proc_exepath
- - process
- - punct
- - source
- - sourcetype
- - splunk_server
- - terminal
- - timeendpos
- - timestartpos
- - user
- - user_loginuid
- - user_uid
+- _time
+- command
+- container_id
+- container_image
+- container_image_tag
+- container_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- evt_type
+- exe_flags
+- host
+- index
+- k8s_ns
+- k8s_pod_name
+- linecount
+- parent
+- proc_exepath
+- process
+- punct
+- source
+- sourcetype
+- splunk_server
+- terminal
+- timeendpos
+- timestartpos
+- user
+- user_loginuid
+- user_uid
example_log: '12:18:18.691725165: Notice A shell was spawned in a container with an
attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash
proc_exepath=/usr/lib/splunk-otel-collector/agent-bundle/bin/bash parent=runc command=bash
diff --git a/data_sources/linux_auditd_add_user.yml b/data_sources/linux_auditd_add_user.yml
index da361ede71..4fce4de435 100644
--- a/data_sources/linux_auditd_add_user.yml
+++ b/data_sources/linux_auditd_add_user.yml
@@ -7,38 +7,38 @@ description: Logs activities related to the addition of a new user account on a
system, including details about the username, UID, and the process initiating the
action.
mitre_components:
- - User Account Creation
- - User Account Metadata
- - OS API Execution
- - Application Log Content
+- User Account Creation
+- User Account Metadata
+- OS API Execution
+- Application Log Content
source: /var/log/audit/audit.log
sourcetype: linux:audit
separator: type
separator_value: ADD_USER
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- - name: Splunk Add-on for Unix and Linux
- url: https://splunkbase.splunk.com/app/833
- version: 9.2.0
+- name: Splunk Add-on for Unix and Linux
+ url: https://splunkbase.splunk.com/app/833
+ version: 9.2.0
fields:
- - msg
- - type
- - pid
- - uid
- - auid
- - ses
- - subj
- - msg
- - op
- - id
- - exe
- - hostname
- - addr
- - terminal
- - res
- - UID
- - AUID
- - ID
-example_log: "type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000
- ses=1 subj=unconfined msg='op=adding user id=1002 exe=\"/usr/sbin/useradd\" hostname=ar-linux1
- addr=? terminal=pts/1 res=success'UID=\"root\" AUID=\"ubuntu\" ID=\"unknown(1002)\""
+- msg
+- type
+- pid
+- uid
+- auid
+- ses
+- subj
+- msg
+- op
+- id
+- exe
+- hostname
+- addr
+- terminal
+- res
+- UID
+- AUID
+- ID
+example_log: 'type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000
+ ses=1 subj=unconfined msg=''op=adding user id=1002 exe="/usr/sbin/useradd" hostname=ar-linux1
+ addr=? terminal=pts/1 res=success''UID="root" AUID="ubuntu" ID="unknown(1002)"'
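Review bot: The re-indented `fields` list still carries `msg` twice (L48328 and L48335), and the same duplicate survives in linux_auditd_execve (L48384 and L48386); the example_log on the new side does contain two distinct `msg=` keys (`msg=audit(...)` and the quoted `msg='op=...'` payload), so the repetition may be deliberate, but a consumer that deduplicates or validates the list will silently drop one entry. Either collapse it to a single `msg` entry or mark the intent with a comment above the second occurrence, e.g. `# raw auditd records carry a second msg= key holding the op= payload`. The quote-style switch on example_log is value-preserving: the `''` escapes and unescaped inner double quotes reproduce the original string byte for byte.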
diff --git a/data_sources/linux_auditd_execve.yml b/data_sources/linux_auditd_execve.yml
index 72433806de..c9f6bac6aa 100644
--- a/data_sources/linux_auditd_execve.yml
+++ b/data_sources/linux_auditd_execve.yml
@@ -6,24 +6,24 @@ author: Teoderick Contreras, Splunk
description: Logs the execution of processes on a Linux system, including details
about the executed command, arguments, and the initiating process.
mitre_components:
- - Command Execution
- - Process Creation
- - Process Metadata
- - OS API Execution
- - Application Log Content
+- Command Execution
+- Process Creation
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: /var/log/audit/audit.log
sourcetype: linux:audit
separator: type
separator_value: EXECVE
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- - name: Splunk Add-on for Unix and Linux
- url: https://splunkbase.splunk.com/app/833
- version: 9.2.0
+- name: Splunk Add-on for Unix and Linux
+ url: https://splunkbase.splunk.com/app/833
+ version: 9.2.0
fields:
- - msg
- - type
- - msg
- - argc
+- msg
+- type
+- msg
+- argc
example_log: 'type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so"
a2="./prog"'
diff --git a/data_sources/linux_auditd_path.yml b/data_sources/linux_auditd_path.yml
index d612530b4e..27ecc36cab 100644
--- a/data_sources/linux_auditd_path.yml
+++ b/data_sources/linux_auditd_path.yml
@@ -6,39 +6,39 @@ author: Teoderick Contreras, Splunk
description: Logs file system access events on a Linux system, including details about
file paths, permissions, and associated processes.
mitre_components:
- - File Access
- - File Metadata
- - Process Metadata
- - OS API Execution
- - Application Log Content
+- File Access
+- File Metadata
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: /var/log/audit/audit.log
sourcetype: linux:audit
separator: type
separator_value: PATH
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- - name: Splunk Add-on for Unix and Linux
- url: https://splunkbase.splunk.com/app/833
- version: 9.2.0
+- name: Splunk Add-on for Unix and Linux
+ url: https://splunkbase.splunk.com/app/833
+ version: 9.2.0
fields:
- - msg
- - type
- - item
- - name
- - inode
- - dev
- - mode
- - ouid
- - ogid
- - rdev
- - nametype
- - cap_fp
- - cap_fi
- - cap_fe
- - cap_fver
- - cap_frootid
- - OUID
- - OGID
+- msg
+- type
+- item
+- name
+- inode
+- dev
+- mode
+- ouid
+- ogid
+- rdev
+- nametype
+- cap_fp
+- cap_fi
+- cap_fe
+- cap_fver
+- cap_frootid
+- OUID
+- OGID
example_log: 'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~"
inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0
cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"'
diff --git a/data_sources/linux_auditd_proctitle.yml b/data_sources/linux_auditd_proctitle.yml
index fbd067aed5..bd4b0ce319 100644
--- a/data_sources/linux_auditd_proctitle.yml
+++ b/data_sources/linux_auditd_proctitle.yml
@@ -6,21 +6,21 @@ author: Teoderick Contreras, Splunk
description: Logs the full command-line arguments of a process execution on a Linux
system, providing visibility into the executed command and its parameters.
mitre_components:
- - Command Execution
- - Process Metadata
- - OS API Execution
- - Application Log Content
+- Command Execution
+- Process Metadata
+- OS API Execution
+- Application Log Content
separator: type
separator_value: PROCTITLE
source: /var/log/audit/audit.log
sourcetype: linux:audit
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- - name: Splunk Add-on for Unix and Linux
- url: https://splunkbase.splunk.com/app/833
- version: 9.2.0
+- name: Splunk Add-on for Unix and Linux
+ url: https://splunkbase.splunk.com/app/833
+ version: 9.2.0
fields:
- - proctitle
- - msg
- - type
+- proctitle
+- msg
+- type
example_log: 'type=PROCTITLE msg=audit(1722944427.844:4146): proctitle=63686D6F640037373700312E7368'
diff --git a/data_sources/linux_auditd_service_stop.yml b/data_sources/linux_auditd_service_stop.yml
index 8b1c94b0f2..e44ecf9e3e 100644
--- a/data_sources/linux_auditd_service_stop.yml
+++ b/data_sources/linux_auditd_service_stop.yml
@@ -7,36 +7,36 @@ description: Logs events related to the stoppage of a service on a Linux system,
details about the service name, the process initiating the stop, and associated
timestamps.
mitre_components:
- - Service Modification
- - Service Metadata
- - OS API Execution
- - Application Log Content
+- Service Modification
+- Service Metadata
+- OS API Execution
+- Application Log Content
separator: type
separator_value: SERVICE_STOP
source: /var/log/audit/audit.log
sourcetype: linux:audit
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- - name: Splunk Add-on for Unix and Linux
- url: https://splunkbase.splunk.com/app/833
- version: 9.2.0
+- name: Splunk Add-on for Unix and Linux
+ url: https://splunkbase.splunk.com/app/833
+ version: 9.2.0
fields:
- - msg
- - type
- - pid
- - uid
- - auid
- - ses
- - subj
- - msg
- - comm
- - exe
- - hostname
- - addr
- - terminal
- - res
- - UID
- - AUID
-example_log: "type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295
- ses=4294967295 subj=unconfined msg='unit=atd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\"\
- \ hostname=? addr=? terminal=? res=success'UID=\"root\" AUID=\"unset\""
+- msg
+- type
+- pid
+- uid
+- auid
+- ses
+- subj
+- msg
+- comm
+- exe
+- hostname
+- addr
+- terminal
+- res
+- UID
+- AUID
+example_log: 'type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295
+ ses=4294967295 subj=unconfined msg=''unit=atd comm="systemd" exe="/usr/lib/systemd/systemd"
+ hostname=? addr=? terminal=? res=success''UID="root" AUID="unset"'
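Review bot: The `fields` list still carries `msg` twice (the `- msg` entry right after `fields:` and again after `- subj`), which the re-indentation keeps; as a field name it is one entry, so either drop the repeat or, if the second is meant for the inner `msg='unit=...'` token of the example, give it a distinct name that the extraction actually produces. The same doubled `msg` entry appears in linux_auditd_syscall.yml later in this patch, whose example log carries only one `msg=` token, and in the linux_auditd_execve.yml hunk cut off at the top of this chunk. In linux_auditd_syscall.yml the list also omits `a0` although its example log contains `a0=`, so the first syscall argument is not documented as an available field while `a1`–`a3` are. The requoting of `example_log` to a single-quoted scalar with `''` for the embedded quote decodes to the same text as the previous double-quoted form.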
diff --git a/data_sources/linux_auditd_syscall.yml b/data_sources/linux_auditd_syscall.yml
index c753a66b54..dcc8e48779 100644
--- a/data_sources/linux_auditd_syscall.yml
+++ b/data_sources/linux_auditd_syscall.yml
@@ -6,59 +6,59 @@ author: Teoderick Contreras, Splunk
description: Logs system calls made by processes on a Linux system, including details
about the syscall number, arguments, return values, and associated process metadata.
mitre_components:
- - OS API Execution
- - Process Metadata
- - Application Log Content
- - Host Status
+- OS API Execution
+- Process Metadata
+- Application Log Content
+- Host Status
source: /var/log/audit/audit.log
sourcetype: linux:audit
separator: type
separator_value: syscall
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- - name: Splunk Add-on for Unix and Linux
- url: https://splunkbase.splunk.com/app/833
- version: 9.2.0
+- name: Splunk Add-on for Unix and Linux
+ url: https://splunkbase.splunk.com/app/833
+ version: 9.2.0
fields:
- - msg
- - type
- - msg
- - arch
- - syscall
- - success
- - exit
- - a1
- - a2
- - a3
- - items
- - ppid
- - pid
- - auid
- - uid
- - gid
- - euid
- - suid
- - fsuid
- - egid
- - sgid
- - fsgid
- - tty
- - ses
- - comm
- - exe
- - subj
- - key
- - ARCH
- - SYSCALL
- - AUID
- - UID
- - GID
- - EUID
- - SUID
- - FSUID
- - EGID
- - SGID
- - FSGID
+- msg
+- type
+- msg
+- arch
+- syscall
+- success
+- exit
+- a1
+- a2
+- a3
+- items
+- ppid
+- pid
+- auid
+- uid
+- gid
+- euid
+- suid
+- fsuid
+- egid
+- sgid
+- fsgid
+- tty
+- ses
+- comm
+- exe
+- subj
+- key
+- ARCH
+- SYSCALL
+- AUID
+- UID
+- GID
+- EUID
+- SUID
+- FSUID
+- EGID
+- SGID
+- FSGID
example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59
success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2
ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
diff --git a/data_sources/linux_secure.yml b/data_sources/linux_secure.yml
index e6f8b78160..77d0e1f105 100644
--- a/data_sources/linux_secure.yml
+++ b/data_sources/linux_secure.yml
@@ -6,49 +6,49 @@ author: Patrick Bareiss, Splunk
description: Logs authentication and authorization events on a Linux system, including
login attempts, SSH connections, and privilege escalation activities.
mitre_components:
- - User Account Authentication
- - Logon Session Creation
- - Logon Session Metadata
- - User Account Metadata
- - Application Log Content
+- User Account Authentication
+- Logon Session Creation
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: /var/log/secure
sourcetype: linux_secure
supported_TA: []
fields:
- - _time
- - action
- - app
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - eventtype
- - host
- - index
- - linecount
- - pid
- - process
- - punct
- - source
- - sourcetype
- - splunk_server
- - src
- - src_port
- - sshd_protocol
- - tag
- - tag::action
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_name
- - vendor_action
- - vendor_product
+- _time
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- eventtype
+- host
+- index
+- linecount
+- pid
+- process
+- punct
+- source
+- sourcetype
+- splunk_server
+- src
+- src_port
+- sshd_protocol
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_name
+- vendor_action
+- vendor_product
example_log: 'May 27 09:28:36 ip-172-31-24-46 sshd[5617]: Accepted password for mikael
from 84.202.159.161 port 63487 ssh2'
diff --git a/data_sources/ms365_defender_incident_alerts.yml b/data_sources/ms365_defender_incident_alerts.yml
index 80e582df46..4f6665ecbc 100644
--- a/data_sources/ms365_defender_incident_alerts.yml
+++ b/data_sources/ms365_defender_incident_alerts.yml
@@ -6,236 +6,185 @@ author: Bhavin Patel, Splunk
description: Logs security incidents and correlated alerts in Microsoft 365 Defender,
including details about affected assets, threat types, and remediation steps.
mitre_components:
- - Host Status
- - User Account Metadata
- - Application Log Content
- - Malware Metadata
- - Active Directory Object Access
+- Host Status
+- User Account Metadata
+- Application Log Content
+- Malware Metadata
+- Active Directory Object Access
source: ms365_defender_incident_alerts
sourcetype: ms365:defender:incident:alerts
supported_TA:
- - name: Splunk Add-on for Microsoft Security
- url: https://splunkbase.splunk.com/app/6207
- version: 2.4.1
+- name: Splunk Add-on for Microsoft Security
+ url: https://splunkbase.splunk.com/app/6207
+ version: 2.4.1
fields:
- - actorName
- - alertId
- - app
- - assignedTo
- - body
- - category
- - classification
- - creationTime
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - description
- - dest
- - detectionSource
- - detectorId
- - determination
- - devices{}.aadDeviceId
- - devices{}.defenderAvStatus
- - devices{}.deviceDnsName
- - devices{}.firstSeen
- - devices{}.healthStatus
- - devices{}.loggedOnUsers{}.accountName
- - devices{}.loggedOnUsers{}.domainName
- - devices{}.mdatpDeviceId
- - devices{}.onboardingStatus
- - devices{}.osBuild
- - devices{}.osPlatform
- - devices{}.osProcessor
- - devices{}.rbacGroupName
- - devices{}.riskScore
- - devices{}.version
- - devices{}.vmMetadata
- - devices{}.vmMetadata.cloudProvider
- - devices{}.vmMetadata.resourceId
- - devices{}.vmMetadata.subscriptionId
- - devices{}.vmMetadata.vmId
- - entities{}.aadUserId
- - entities{}.accountName
- - entities{}.applicationId
- - entities{}.applicationName
- - entities{}.detectionStatus
- - entities{}.deviceId
- - entities{}.domainName
- - entities{}.entityType
- - entities{}.evidenceCreationTime
- - entities{}.fileName
- - entities{}.filePath
- - entities{}.ipAddress
- - entities{}.parentProcessCreationTime
- - entities{}.parentProcessFileName
- - entities{}.parentProcessFilePath
- - entities{}.parentProcessId
- - entities{}.processCommandLine
- - entities{}.processCreationTime
- - entities{}.processId
- - entities{}.remediationStatus
- - entities{}.remediationStatusDetails
- - entities{}.sha1
- - entities{}.sha256
- - entities{}.userPrincipalName
- - entities{}.userSid
- - entities{}.verdict
- - eventtype
- - firstActivity
- - host
- - id
- - incidentId
- - index
- - investigationId
- - investigationState
- - lastActivity
- - lastUpdatedTime
- - linecount
- - mitreTechniques{}
- - mitre_technique_id
- - providerAlertId
- - resolvedTime
- - serviceSource
- - severity
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - splunk_server_group
- - src
- - status
- - subject
- - tag
- - tag::app
- - tag::eventtype
- - threatFamilyName
- - timeendpos
- - timestartpos
- - title
- - type
- - user
- - user_name
- - _bkt
- - _cd
- - _eventtype_color
- - _indextime
- - _raw
- - _serial
- - _si
- - _sourcetype
- - _subsecond
- - _time
-example_log: |-
- {
- "alertId": "da638001130101730338_582949328",
- "providerAlertId": "da638001130101730338_582949328",
- "incidentId": 486,
- "serviceSource": "MicrosoftDefenderForEndpoint",
- "creationTime": "2022-09-30T05:36:50.1732198Z",
- "lastUpdatedTime": "2022-11-19T01:35:42.7033333Z",
- "resolvedTime": "2022-10-01T01:36:00.5066667Z",
- "firstActivity": "2022-09-30T05:06:43.8196597Z",
- "lastActivity": "2022-09-30T05:06:43.8196597Z",
- "title": "Suspicious URL clicked",
- "description": "A user opened a potentially malicious URL. This alert was triggered based on a Microsoft Defender for Office 365 alert.",
- "category": "InitialAccess",
- "status": "Resolved",
- "severity": "High",
- "investigationId": null,
- "investigationState": "UnsupportedAlertType",
- "classification": "TruePositive",
- "determination": "SecurityTesting",
- "detectionSource": "MTP",
- "detectorId": "359b36eb-337c-4f1c-b280-8c5e08f9c4a0",
- "assignedTo": "msftadmin@metal.m365dpoc.com",
- "actorName": null,
- "threatFamilyName": null,
- "mitreTechniques": [
- "T1566.002"
- ],
- "devices": [
- {
- "mdatpDeviceId": "c7e147cb0eb3534a4dcea5acb8e61c933713b145",
- "aadDeviceId": null,
- "deviceDnsName": "metal-win10v.metal.m365dpoc.com",
- "osPlatform": "Windows10",
- "version": "1809",
- "osProcessor": "x64",
- "osBuild": 17763,
- "healthStatus": "Active",
- "riskScore": "High",
- "rbacGroupName": "Full Auto Clients",
- "firstSeen": "2022-08-08T08:51:02.455Z",
- "tags": [
- "Full auto"
- ],
- "defenderAvStatus": "Updated",
- "onboardingStatus": "Onboarded",
- "vmMetadata": {
- "vmId": "17881b39-b03f-4a2c-9b56-078be1330bd0",
- "cloudProvider": "Unknown",
- "resourceId": "/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10V",
- "subscriptionId": "29e73d07-8740-4164-a257-592a19a7b77c"
- },
- "loggedOnUsers": [
- {
- "accountName": "hetfield",
- "domainName": "MSDXV2"
- }
- ]
- }
- ],
- "entities": [
- {
- "entityType": "Process",
- "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
- "verdict": "Suspicious",
- "remediationStatus": "None",
- "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c",
- "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
- "fileName": "powershell.exe",
- "filePath": "",
- "processId": 7068,
- "processCommandLine": "powershell.exe -command \" $Process = New-Object System.Diagnostics.Process; $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Chetfield%40metal.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0'; $Process.StartInfo.UseShellExecute = $true; $Process.Start() | Out-Null; \" ",
- "processCreationTime": "2022-09-30T05:06:43.3390523Z",
- "parentProcessId": 7116,
- "parentProcessCreationTime": "2022-09-30T05:06:43.3100364Z",
- "accountName": "hetfield",
- "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104"
- },
- {
- "entityType": "File",
- "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
- "verdict": "Suspicious",
- "remediationStatus": "None",
- "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c",
- "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
- "fileName": "powershell.exe",
- "filePath": ""
- },
- {
- "entityType": "User",
- "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
- "verdict": "Suspicious",
- "remediationStatus": "None",
- "accountName": "hetfield",
- "domainName": "metal.m365dpoc",
- "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104",
- "aadUserId": "e848b07a-87af-4448-9979-09f0b809c8d4",
- "userPrincipalName": "daftpunk"
- },
- {
- "entityType": "Url",
- "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
- "verdict": "Suspicious",
- "remediationStatus": "None",
- "url": "http://gcajebahdi.corporatelogon.xyz/ab/jnkmbkkdnlgedc"
- }
- ]
- }
+- actorName
+- alertId
+- app
+- assignedTo
+- body
+- category
+- classification
+- creationTime
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- description
+- dest
+- detectionSource
+- detectorId
+- determination
+- devices{}.aadDeviceId
+- devices{}.defenderAvStatus
+- devices{}.deviceDnsName
+- devices{}.firstSeen
+- devices{}.healthStatus
+- devices{}.loggedOnUsers{}.accountName
+- devices{}.loggedOnUsers{}.domainName
+- devices{}.mdatpDeviceId
+- devices{}.onboardingStatus
+- devices{}.osBuild
+- devices{}.osPlatform
+- devices{}.osProcessor
+- devices{}.rbacGroupName
+- devices{}.riskScore
+- devices{}.version
+- devices{}.vmMetadata
+- devices{}.vmMetadata.cloudProvider
+- devices{}.vmMetadata.resourceId
+- devices{}.vmMetadata.subscriptionId
+- devices{}.vmMetadata.vmId
+- entities{}.aadUserId
+- entities{}.accountName
+- entities{}.applicationId
+- entities{}.applicationName
+- entities{}.detectionStatus
+- entities{}.deviceId
+- entities{}.domainName
+- entities{}.entityType
+- entities{}.evidenceCreationTime
+- entities{}.fileName
+- entities{}.filePath
+- entities{}.ipAddress
+- entities{}.parentProcessCreationTime
+- entities{}.parentProcessFileName
+- entities{}.parentProcessFilePath
+- entities{}.parentProcessId
+- entities{}.processCommandLine
+- entities{}.processCreationTime
+- entities{}.processId
+- entities{}.remediationStatus
+- entities{}.remediationStatusDetails
+- entities{}.sha1
+- entities{}.sha256
+- entities{}.userPrincipalName
+- entities{}.userSid
+- entities{}.verdict
+- eventtype
+- firstActivity
+- host
+- id
+- incidentId
+- index
+- investigationId
+- investigationState
+- lastActivity
+- lastUpdatedTime
+- linecount
+- mitreTechniques{}
+- mitre_technique_id
+- providerAlertId
+- resolvedTime
+- serviceSource
+- severity
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- status
+- subject
+- tag
+- tag::app
+- tag::eventtype
+- threatFamilyName
+- timeendpos
+- timestartpos
+- title
+- type
+- user
+- user_name
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _subsecond
+- _time
+example_log: "{\n \"alertId\": \"da638001130101730338_582949328\",\n \"providerAlertId\"\
+ : \"da638001130101730338_582949328\",\n \"incidentId\": 486,\n \"serviceSource\"\
+ : \"MicrosoftDefenderForEndpoint\",\n \"creationTime\": \"2022-09-30T05:36:50.1732198Z\"\
+ ,\n \"lastUpdatedTime\": \"2022-11-19T01:35:42.7033333Z\",\n \"resolvedTime\"\
+ : \"2022-10-01T01:36:00.5066667Z\",\n \"firstActivity\": \"2022-09-30T05:06:43.8196597Z\"\
+ ,\n \"lastActivity\": \"2022-09-30T05:06:43.8196597Z\",\n \"title\": \"Suspicious\
+ \ URL clicked\",\n \"description\": \"A user opened a potentially malicious URL.\
+ \ This alert was triggered based on a Microsoft Defender for Office 365 alert.\"\
+ ,\n \"category\": \"InitialAccess\",\n \"status\": \"Resolved\",\n \"severity\"\
+ : \"High\",\n \"investigationId\": null,\n \"investigationState\": \"UnsupportedAlertType\"\
+ ,\n \"classification\": \"TruePositive\",\n \"determination\": \"SecurityTesting\"\
+ ,\n \"detectionSource\": \"MTP\",\n \"detectorId\": \"359b36eb-337c-4f1c-b280-8c5e08f9c4a0\"\
+ ,\n \"assignedTo\": \"msftadmin@metal.m365dpoc.com\",\n \"actorName\": null,\n\
+ \ \"threatFamilyName\": null,\n \"mitreTechniques\": [\n \"T1566.002\"\n ],\n\
+ \ \"devices\": [\n {\n \"mdatpDeviceId\": \"c7e147cb0eb3534a4dcea5acb8e61c933713b145\"\
+ ,\n \"aadDeviceId\": null,\n \"deviceDnsName\": \"metal-win10v.metal.m365dpoc.com\"\
+ ,\n \"osPlatform\": \"Windows10\",\n \"version\": \"1809\",\n \"\
+ osProcessor\": \"x64\",\n \"osBuild\": 17763,\n \"healthStatus\": \"Active\"\
+ ,\n \"riskScore\": \"High\",\n \"rbacGroupName\": \"Full Auto Clients\"\
+ ,\n \"firstSeen\": \"2022-08-08T08:51:02.455Z\",\n \"tags\": [\n \
+ \ \"Full auto\"\n ],\n \"defenderAvStatus\": \"Updated\",\n \"\
+ onboardingStatus\": \"Onboarded\",\n \"vmMetadata\": {\n \"vmId\": \"\
+ 17881b39-b03f-4a2c-9b56-078be1330bd0\",\n \"cloudProvider\": \"Unknown\"\
+ ,\n \"resourceId\": \"/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10V\"\
+ ,\n \"subscriptionId\": \"29e73d07-8740-4164-a257-592a19a7b77c\"\n },\n\
+ \ \"loggedOnUsers\": [\n {\n \"accountName\": \"hetfield\"\
+ ,\n \"domainName\": \"MSDXV2\"\n }\n ]\n }\n ],\n \"entities\"\
+ : [\n {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\":\
+ \ \"2022-09-30T05:36:50.2133333Z\",\n \"verdict\": \"Suspicious\",\n \"\
+ remediationStatus\": \"None\",\n \"sha1\": \"6cbce4a295c163791b60fc23d285e6d84f28ee4c\"\
+ ,\n \"sha256\": \"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"\
+ ,\n \"fileName\": \"powershell.exe\",\n \"filePath\": \"\",\n \"\
+ processId\": 7068,\n \"processCommandLine\": \"powershell.exe -command \\\"\
+ \ $Process = New-Object\
+ \ System.Diagnostics.Process; \
+ \ $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Chetfield%40metal.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0';\
+ \ $Process.StartInfo.UseShellExecute\
+ \ = $true; $Process.Start()\
+ \ | Out-Null; \\\" \
+ \ \",\n \"processCreationTime\"\
+ : \"2022-09-30T05:06:43.3390523Z\",\n \"parentProcessId\": 7116,\n \"\
+ parentProcessCreationTime\": \"2022-09-30T05:06:43.3100364Z\",\n \"accountName\"\
+ : \"hetfield\",\n \"userSid\": \"S-1-5-21-2300221942-1987151257-321556088-1104\"\
+ \n },\n {\n \"entityType\": \"File\",\n \"evidenceCreationTime\"\
+ : \"2022-09-30T05:36:50.2133333Z\",\n \"verdict\": \"Suspicious\",\n \"\
+ remediationStatus\": \"None\",\n \"sha1\": \"6cbce4a295c163791b60fc23d285e6d84f28ee4c\"\
+ ,\n \"sha256\": \"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"\
+ ,\n \"fileName\": \"powershell.exe\",\n \"filePath\": \"\"\n },\n \
+ \ {\n \"entityType\": \"User\",\n \"evidenceCreationTime\": \"2022-09-30T05:36:50.2133333Z\"\
+ ,\n \"verdict\": \"Suspicious\",\n \"remediationStatus\": \"None\",\n\
+ \ \"accountName\": \"hetfield\",\n \"domainName\": \"metal.m365dpoc\"\
+ ,\n \"userSid\": \"S-1-5-21-2300221942-1987151257-321556088-1104\",\n \
+ \ \"aadUserId\": \"e848b07a-87af-4448-9979-09f0b809c8d4\",\n \"userPrincipalName\"\
+ : \"daftpunk\"\n },\n {\n \"entityType\": \"Url\",\n \"evidenceCreationTime\"\
+ : \"2022-09-30T05:36:50.2133333Z\",\n \"verdict\": \"Suspicious\",\n \"\
+ remediationStatus\": \"None\",\n \"url\": \"http://gcajebahdi.corporatelogon.xyz/ab/jnkmbkkdnlgedc\"\
+ \n }\n ]\n}"
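Review bot: The `example_log` value is converted from the `|-` literal block it had into a double-quoted scalar with `\n` escapes and backslash line continuations (the new lines from `example_log: "{\n` to the closing `}"`), which is markedly harder to read and to diff than the block form and looks like the output of a generic YAML dumper rather than an intentional edit. Keep `example_log: |-` with the JSON laid out line by line as before, so the sample can be compared against a real alert and edited without escaping; the other data-source files in this chunk keep their examples as quoted multi-line scalars that read as the raw log. A round trip like this can also silently alter the sample's internal whitespace: the `System.Diagnostics.Process; \` continuation followed by `\ $Process.StartInfo.FileName` appears to decode to two spaces where the block form showed one, so if the escaped form is kept the decoded string should be verified against the original. The same conversion occurs in ms_defender_atp_alerts.yml, whose hunk continues past the end of this chunk.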
diff --git a/data_sources/ms_defender_atp_alerts.yml b/data_sources/ms_defender_atp_alerts.yml
index f1f68b0b7e..f7429f3de6 100644
--- a/data_sources/ms_defender_atp_alerts.yml
+++ b/data_sources/ms_defender_atp_alerts.yml
@@ -6,424 +6,274 @@ author: Bryan Pluta, Bhavin Patel, Splunk
description: Logs security alerts generated by Microsoft Defender for Endpoint, including
information about detected threats, impacted devices, and recommended actions.
mitre_components:
- - Host Status
- - Malware Metadata
- - Process Metadata
- - User Account Metadata
- - Application Log Content
+- Host Status
+- Malware Metadata
+- Process Metadata
+- User Account Metadata
+- Application Log Content
source: ms_defender_atp_alerts
sourcetype: ms:defender:atp:alerts
supported_TA:
- - name: Splunk Add-on for Microsoft Security
- url: https://splunkbase.splunk.com/app/6207
- version: 2.4.1
+- name: Splunk Add-on for Microsoft Security
+ url: https://splunkbase.splunk.com/app/6207
+ version: 2.4.1
fields:
- - column
- - accountName
- - action
- - activity
- - activityType
- - actor
- - actorName
- - alertId
- - app
- - assignedTo
- - body
- - category
- - classification
- - creationTime
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - description
- - dest
- - detectionSource
- - detectorId
- - determination
- - devices{}.aadDeviceId
- - devices{}.defenderAvStatus
- - devices{}.deviceDnsName
- - devices{}.firstSeen
- - devices{}.healthStatus
- - devices{}.loggedOnUsers{}.accountName
- - devices{}.loggedOnUsers{}.domainName
- - devices{}.mdatpDeviceId
- - devices{}.onboardingStatus
- - devices{}.osBuild
- - devices{}.osPlatform
- - devices{}.osProcessor
- - devices{}.rbacGroupName
- - devices{}.riskScore
- - devices{}.version
- - devices{}.vmMetadata
- - devices{}.vmMetadata.cloudProvider
- - devices{}.vmMetadata.resourceId
- - devices{}.vmMetadata.subscriptionId
- - devices{}.vmMetadata.vmId
- - entities{}.aadUserId
- - entities{}.accountName
- - entities{}.applicationId
- - entities{}.applicationName
- - entities{}.detectionStatus
- - entities{}.deviceId
- - entities{}.domainName
- - entities{}.entityType
- - entities{}.evidenceCreationTime
- - entities{}.fileName
- - entities{}.filePath
- - entities{}.ipAddress
- - entities{}.parentProcessCreationTime
- - entities{}.parentProcessFileName
- - entities{}.parentProcessFilePath
- - entities{}.parentProcessId
- - entities{}.processCommandLine
- - entities{}.processCreationTime
- - entities{}.processId
- - entities{}.remediationStatus
- - entities{}.remediationStatusDetails
- - entities{}.sha1
- - entities{}.sha256
- - entities{}.userPrincipalName
- - entities{}.userSid
- - entities{}.verdict
- - eventtype
- - firstActivity
- - host
- - id
- - incidentId
- - index
- - investigationId
- - investigationState
- - lastActivity
- - lastUpdatedTime
- - linecount
- - mitreTechniques{}
- - mitre_technique_id
- - providerAlertId
- - resolvedTime
- - serviceSource
- - severity
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - splunk_server_group
- - src
- - status
- - subject
- - tag
- - tag::app
- - tag::eventtype
- - threatFamilyName
- - timeendpos
- - timestartpos
- - title
- - type
- - user
- - user_name
- - _time
-example_log: |-
- {
- "id": "da47dc5671-e560-4229-984b-457564996b31_1",
- "incidentId": 989,
- "investigationId": null,
- "assignedTo": null,
- "severity": "High",
- "status": "New",
- "classification": null,
- "determination": null,
- "investigationState": "UnsupportedAlertType",
- "detectionSource": "WindowsDefenderAtp",
- "detectorId": "9c3a70ec-e18a-4f92-865a-530f73130b7c",
- "category": "LateralMovement",
- "threatFamilyName": null,
- "title": "Ongoing hands-on-keyboard attack via Impacket toolkit",
- "description": "Suspicious execution of a command via Impacket was observed on this device. This tool connects to other hosts to explore network shares and execute commands. Attackers might be attempting to move laterally across the network using this tool. This usage of Impacket has often been observed in hands-on-keyboard attacks, where ransomware and other payloads are installed on target devices.",
- "alertCreationTime": "2023-01-24T05:33:37.3245808Z",
- "firstEventTime": "2023-01-24T05:31:07.5276179Z",
- "lastEventTime": "2023-01-24T13:02:50.7831636Z",
- "lastUpdateTime": "2023-01-24T13:07:13.3233333Z",
- "resolvedTime": null,
- "machineId": "302293d9f276eae65553e5042156bce93cbc7148",
- "computerDnsName": "diytestmachine",
- "rbacGroupName": "UnassignedGroup",
- "aadTenantId": "1a492129-58c8-4011-91cd-245285f5345c",
- "threatName": null,
- "mitreTechniques": [
- "T1021.002",
- "T1047",
- "T1059.003"
- ],
- "relatedUser": {
- "userName": "User1",
- "domainName": "DIYTESTMACHINE"
- },
- "loggedOnUsers": [
- {
- "accountName": "administrator1",
- "domainName": "DIYTESTMACHINE"
- }
- ],
- "comments": [],
- "evidence": [
- {
- "entityType": "Process",
- "evidenceCreationTime": "2023-01-24T05:45:51.6833333Z",
- "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
- "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
- "fileName": "WmiPrvSE.exe",
- "filePath": "C:\\Windows\\System32\\wbem",
- "processId": 4476,
- "processCommandLine": "wmiprvse.exe -secured -Embedding",
- "processCreationTime": "2023-01-24T05:43:32.4631151Z",
- "parentProcessId": 896,
- "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z",
- "parentProcessFileName": "svchost.exe",
- "parentProcessFilePath": "C:\\Windows\\System32",
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "registryValueName": null,
- "accountName": "NETWORK SERVICE",
- "domainName": "NT AUTHORITY",
- "userSid": "S-1-5-20",
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": "Detected"
- },
- {
- "entityType": "User",
- "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z",
- "sha1": null,
- "sha256": null,
- "fileName": null,
- "filePath": null,
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "parentProcessFileName": null,
- "parentProcessFilePath": null,
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "registryValueName": null,
- "accountName": "User1",
- "domainName": "DIYTESTMACHINE",
- "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": null
- },
- {
- "entityType": "Process",
- "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z",
- "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
- "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
- "fileName": "WmiPrvSE.exe",
- "filePath": "C:\\Windows\\System32\\wbem",
- "processId": 7824,
- "processCommandLine": "wmiprvse.exe -secured -Embedding",
- "processCreationTime": "2023-01-24T05:30:50.8649791Z",
- "parentProcessId": 896,
- "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z",
- "parentProcessFileName": "svchost.exe",
- "parentProcessFilePath": "C:\\Windows\\System32",
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "registryValueName": null,
- "accountName": "NETWORK SERVICE",
- "domainName": "NT AUTHORITY",
- "userSid": "S-1-5-20",
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": "Detected"
- },
- {
- "entityType": "Process",
- "evidenceCreationTime": "2023-01-24T13:07:13.2233333Z",
- "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
- "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
- "fileName": "cmd.exe",
- "filePath": "C:\\Windows\\System32",
- "processId": 5500,
- "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674565222.7012053 2>&1",
- "processCreationTime": "2023-01-24T13:02:50.4661885Z",
- "parentProcessId": 756,
- "parentProcessCreationTime": "2023-01-24T13:00:35.0107475Z",
- "parentProcessFileName": "WmiPrvSE.exe",
- "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "registryValueName": null,
- "accountName": "User1",
- "domainName": "DIYTESTMACHINE",
- "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": "Detected"
- },
- {
- "entityType": "Process",
- "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z",
- "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
- "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
- "fileName": "cmd.exe",
- "filePath": "C:\\Windows\\System32",
- "processId": 8964,
- "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538248.357367 2>&1",
- "processCreationTime": "2023-01-24T05:31:04.0743902Z",
- "parentProcessId": 7824,
- "parentProcessCreationTime": "2023-01-24T05:30:50.8649791Z",
- "parentProcessFileName": "WmiPrvSE.exe",
- "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "registryValueName": null,
- "accountName": "User1",
- "domainName": "DIYTESTMACHINE",
- "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": "Detected"
- },
- {
- "entityType": "Process",
- "evidenceCreationTime": "2023-01-24T05:39:47.1733333Z",
- "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
- "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
- "fileName": "cmd.exe",
- "filePath": "C:\\Windows\\System32",
- "processId": 884,
- "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538583.8648584 2>&1",
- "processCreationTime": "2023-01-24T05:36:38.826505Z",
- "parentProcessId": 7736,
- "parentProcessCreationTime": "2023-01-24T05:36:26.0524655Z",
- "parentProcessFileName": "WmiPrvSE.exe",
- "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "registryValueName": null,
- "accountName": "User1",
- "domainName": "DIYTESTMACHINE",
- "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": "Detected"
- },
- {
- "entityType": "Process",
- "evidenceCreationTime": "2023-01-24T13:07:13.2233333Z",
- "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
- "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
- "fileName": "WmiPrvSE.exe",
- "filePath": "C:\\Windows\\System32\\wbem",
- "processId": 756,
- "processCommandLine": "wmiprvse.exe -secured -Embedding",
- "processCreationTime": "2023-01-24T13:00:35.0107475Z",
- "parentProcessId": 908,
- "parentProcessCreationTime": "2023-01-24T08:20:44.6877667Z",
- "parentProcessFileName": "svchost.exe",
- "parentProcessFilePath": "C:\\Windows\\System32",
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "registryValueName": null,
- "accountName": "NETWORK SERVICE",
- "domainName": "NT AUTHORITY",
- "userSid": "S-1-5-20",
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": "Detected"
- },
- {
- "entityType": "Process",
- "evidenceCreationTime": "2023-01-24T05:45:51.6833333Z",
- "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
- "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
- "fileName": "cmd.exe",
- "filePath": "C:\\Windows\\System32",
- "processId": 1140,
- "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538878.1586335 2>&1",
- "processCreationTime": "2023-01-24T05:43:49.9375398Z",
- "parentProcessId": 4476,
- "parentProcessCreationTime": "2023-01-24T05:43:32.4631151Z",
- "parentProcessFileName": "WmiPrvSE.exe",
- "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "registryValueName": null,
- "accountName": "User1",
- "domainName": "DIYTESTMACHINE",
- "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": "Detected"
- },
- {
- "entityType": "Process",
- "evidenceCreationTime": "2023-01-24T05:39:47.1733333Z",
- "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
- "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
- "fileName": "WmiPrvSE.exe",
- "filePath": "C:\\Windows\\System32\\wbem",
- "processId": 7736,
- "processCommandLine": "wmiprvse.exe -secured -Embedding",
- "processCreationTime": "2023-01-24T05:36:26.0524655Z",
- "parentProcessId": 896,
- "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z",
- "parentProcessFileName": "svchost.exe",
- "parentProcessFilePath": "C:\\Windows\\System32",
- "ipAddress": null,
- "url": null,
- "registryKey": null,
- "registryHive": null,
- "registryValueType": null,
- "registryValue": null,
- "registryValueName": null,
- "accountName": "NETWORK SERVICE",
- "domainName": "NT AUTHORITY",
- "userSid": "S-1-5-20",
- "aadUserId": null,
- "userPrincipalName": null,
- "detectionStatus": "Detected"
- }
- ],
- "domains": []
- }
+- column
+- accountName
+- action
+- activity
+- activityType
+- actor
+- actorName
+- alertId
+- app
+- assignedTo
+- body
+- category
+- classification
+- creationTime
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- description
+- dest
+- detectionSource
+- detectorId
+- determination
+- devices{}.aadDeviceId
+- devices{}.defenderAvStatus
+- devices{}.deviceDnsName
+- devices{}.firstSeen
+- devices{}.healthStatus
+- devices{}.loggedOnUsers{}.accountName
+- devices{}.loggedOnUsers{}.domainName
+- devices{}.mdatpDeviceId
+- devices{}.onboardingStatus
+- devices{}.osBuild
+- devices{}.osPlatform
+- devices{}.osProcessor
+- devices{}.rbacGroupName
+- devices{}.riskScore
+- devices{}.version
+- devices{}.vmMetadata
+- devices{}.vmMetadata.cloudProvider
+- devices{}.vmMetadata.resourceId
+- devices{}.vmMetadata.subscriptionId
+- devices{}.vmMetadata.vmId
+- entities{}.aadUserId
+- entities{}.accountName
+- entities{}.applicationId
+- entities{}.applicationName
+- entities{}.detectionStatus
+- entities{}.deviceId
+- entities{}.domainName
+- entities{}.entityType
+- entities{}.evidenceCreationTime
+- entities{}.fileName
+- entities{}.filePath
+- entities{}.ipAddress
+- entities{}.parentProcessCreationTime
+- entities{}.parentProcessFileName
+- entities{}.parentProcessFilePath
+- entities{}.parentProcessId
+- entities{}.processCommandLine
+- entities{}.processCreationTime
+- entities{}.processId
+- entities{}.remediationStatus
+- entities{}.remediationStatusDetails
+- entities{}.sha1
+- entities{}.sha256
+- entities{}.userPrincipalName
+- entities{}.userSid
+- entities{}.verdict
+- eventtype
+- firstActivity
+- host
+- id
+- incidentId
+- index
+- investigationId
+- investigationState
+- lastActivity
+- lastUpdatedTime
+- linecount
+- mitreTechniques{}
+- mitre_technique_id
+- providerAlertId
+- resolvedTime
+- serviceSource
+- severity
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- status
+- subject
+- tag
+- tag::app
+- tag::eventtype
+- threatFamilyName
+- timeendpos
+- timestartpos
+- title
+- type
+- user
+- user_name
+- _time
+example_log: "{\n\"id\": \"da47dc5671-e560-4229-984b-457564996b31_1\",\n\"incidentId\"\
+ : 989,\n\"investigationId\": null,\n\"assignedTo\": null,\n\"severity\": \"High\"\
+ ,\n\"status\": \"New\",\n\"classification\": null,\n\"determination\": null,\n\"\
+ investigationState\": \"UnsupportedAlertType\",\n\"detectionSource\": \"WindowsDefenderAtp\"\
+ ,\n\"detectorId\": \"9c3a70ec-e18a-4f92-865a-530f73130b7c\",\n\"category\": \"LateralMovement\"\
+ ,\n\"threatFamilyName\": null,\n\"title\": \"Ongoing hands-on-keyboard attack via\
+ \ Impacket toolkit\",\n\"description\": \"Suspicious execution of a command via\
+ \ Impacket was observed on this device. This tool connects to other hosts to explore\
+ \ network shares and execute commands. Attackers might be attempting to move laterally\
+ \ across the network using this tool. This usage of Impacket has often been observed\
+ \ in hands-on-keyboard attacks, where ransomware and other payloads are installed\
+ \ on target devices.\",\n\"alertCreationTime\": \"2023-01-24T05:33:37.3245808Z\"\
+ ,\n\"firstEventTime\": \"2023-01-24T05:31:07.5276179Z\",\n\"lastEventTime\": \"\
+ 2023-01-24T13:02:50.7831636Z\",\n\"lastUpdateTime\": \"2023-01-24T13:07:13.3233333Z\"\
+ ,\n\"resolvedTime\": null,\n\"machineId\": \"302293d9f276eae65553e5042156bce93cbc7148\"\
+ ,\n\"computerDnsName\": \"diytestmachine\",\n\"rbacGroupName\": \"UnassignedGroup\"\
+ ,\n\"aadTenantId\": \"1a492129-58c8-4011-91cd-245285f5345c\",\n\"threatName\": null,\n\
+ \"mitreTechniques\": [\n \"T1021.002\",\n \"T1047\",\n \"T1059.003\"\n],\n\"\
+ relatedUser\": {\n \"userName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\"\
+ \n},\n\"loggedOnUsers\": [\n {\n \"accountName\": \"administrator1\",\n \"\
+ domainName\": \"DIYTESTMACHINE\"\n }\n],\n\"comments\": [],\n\"evidence\": [\n\
+ \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:45:51.6833333Z\"\
+ ,\n \"sha1\": \"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\",\n \"sha256\":\
+ \ \"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\",\n \"\
+ fileName\": \"WmiPrvSE.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\\\\\
+ wbem\",\n \"processId\": 4476,\n \"processCommandLine\": \"wmiprvse.exe -secured\
+ \ -Embedding\",\n \"processCreationTime\": \"2023-01-24T05:43:32.4631151Z\",\n\
+ \ \"parentProcessId\": 896,\n \"parentProcessCreationTime\": \"2023-01-24T04:44:17.1940386Z\"\
+ ,\n \"parentProcessFileName\": \"svchost.exe\",\n \"parentProcessFilePath\"\
+ : \"C:\\\\Windows\\\\System32\",\n \"ipAddress\": null,\n \"url\": null,\n\
+ \ \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
+ : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
+ accountName\": \"NETWORK SERVICE\",\n \"domainName\": \"NT AUTHORITY\",\n \
+ \ \"userSid\": \"S-1-5-20\",\n \"aadUserId\": null,\n \"userPrincipalName\"\
+ : null,\n \"detectionStatus\": \"Detected\"\n },\n {\n \"entityType\": \"\
+ User\",\n \"evidenceCreationTime\": \"2023-01-24T05:33:37.4166667Z\",\n \"\
+ sha1\": null,\n \"sha256\": null,\n \"fileName\": null,\n \"filePath\"\
+ : null,\n \"processId\": null,\n \"processCommandLine\": null,\n \"processCreationTime\"\
+ : null,\n \"parentProcessId\": null,\n \"parentProcessCreationTime\": null,\n\
+ \ \"parentProcessFileName\": null,\n \"parentProcessFilePath\": null,\n \
+ \ \"ipAddress\": null,\n \"url\": null,\n \"registryKey\": null,\n \"\
+ registryHive\": null,\n \"registryValueType\": null,\n \"registryValue\":\
+ \ null,\n \"registryValueName\": null,\n \"accountName\": \"User1\",\n \
+ \ \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\": \"S-1-5-21-4215714199-1288013905-3478400915-1002\"\
+ ,\n \"aadUserId\": null,\n \"userPrincipalName\": null,\n \"detectionStatus\"\
+ : null\n },\n {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\"\
+ : \"2023-01-24T05:33:37.4166667Z\",\n \"sha1\": \"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\"\
+ ,\n \"sha256\": \"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\"\
+ ,\n \"fileName\": \"WmiPrvSE.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\\\
+ \\wbem\",\n \"processId\": 7824,\n \"processCommandLine\": \"wmiprvse.exe\
+ \ -secured -Embedding\",\n \"processCreationTime\": \"2023-01-24T05:30:50.8649791Z\"\
+ ,\n \"parentProcessId\": 896,\n \"parentProcessCreationTime\": \"2023-01-24T04:44:17.1940386Z\"\
+ ,\n \"parentProcessFileName\": \"svchost.exe\",\n \"parentProcessFilePath\"\
+ : \"C:\\\\Windows\\\\System32\",\n \"ipAddress\": null,\n \"url\": null,\n\
+ \ \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
+ : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
+ accountName\": \"NETWORK SERVICE\",\n \"domainName\": \"NT AUTHORITY\",\n \
+ \ \"userSid\": \"S-1-5-20\",\n \"aadUserId\": null,\n \"userPrincipalName\"\
+ : null,\n \"detectionStatus\": \"Detected\"\n },\n {\n \"entityType\": \"\
+ Process\",\n \"evidenceCreationTime\": \"2023-01-24T13:07:13.2233333Z\",\n \
+ \ \"sha1\": \"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\n \"sha256\": \"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\"\
+ ,\n \"fileName\": \"cmd.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\"\
+ ,\n \"processId\": 5500,\n \"processCommandLine\": \"cmd.exe /Q /c powershell\
+ \ -NoProfile -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\administrator1\\\\\
+ Desktop\\\\SharedFolder\\\\payload.ps1\\\" 1> \\\\\\\\127.0.0.1\\\\SharedFolder\\\
+ \\__1674565222.7012053 2>&1\",\n \"processCreationTime\": \"2023-01-24T13:02:50.4661885Z\"\
+ ,\n \"parentProcessId\": 756,\n \"parentProcessCreationTime\": \"2023-01-24T13:00:35.0107475Z\"\
+ ,\n \"parentProcessFileName\": \"WmiPrvSE.exe\",\n \"parentProcessFilePath\"\
+ : \"C:\\\\Windows\\\\System32\\\\wbem\",\n \"ipAddress\": null,\n \"url\"\
+ : null,\n \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
+ : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
+ accountName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\"\
+ : \"S-1-5-21-4215714199-1288013905-3478400915-1002\",\n \"aadUserId\": null,\n\
+ \ \"userPrincipalName\": null,\n \"detectionStatus\": \"Detected\"\n },\n\
+ \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:33:37.4166667Z\"\
+ ,\n \"sha1\": \"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\n \"sha256\":\
+ \ \"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\",\n \"\
+ fileName\": \"cmd.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\",\n \
+ \ \"processId\": 8964,\n \"processCommandLine\": \"cmd.exe /Q /c powershell -NoProfile\
+ \ -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\administrator1\\\\Desktop\\\\\
+ SharedFolder\\\\payload.ps1\\\" 1> \\\\\\\\127.0.0.1\\\\SharedFolder\\\\__1674538248.357367\
+ \ 2>&1\",\n \"processCreationTime\": \"2023-01-24T05:31:04.0743902Z\",\n \"\
+ parentProcessId\": 7824,\n \"parentProcessCreationTime\": \"2023-01-24T05:30:50.8649791Z\"\
+ ,\n \"parentProcessFileName\": \"WmiPrvSE.exe\",\n \"parentProcessFilePath\"\
+ : \"C:\\\\Windows\\\\System32\\\\wbem\",\n \"ipAddress\": null,\n \"url\"\
+ : null,\n \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
+ : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
+ accountName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\"\
+ : \"S-1-5-21-4215714199-1288013905-3478400915-1002\",\n \"aadUserId\": null,\n\
+ \ \"userPrincipalName\": null,\n \"detectionStatus\": \"Detected\"\n },\n\
+ \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:39:47.1733333Z\"\
+ ,\n \"sha1\": \"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\n \"sha256\":\
+ \ \"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\",\n \"\
+ fileName\": \"cmd.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\",\n \
+ \ \"processId\": 884,\n \"processCommandLine\": \"cmd.exe /Q /c powershell -NoProfile\
+ \ -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\administrator1\\\\Desktop\\\\\
+ SharedFolder\\\\payload.ps1\\\" 1> \\\\\\\\127.0.0.1\\\\SharedFolder\\\\__1674538583.8648584\
+ \ 2>&1\",\n \"processCreationTime\": \"2023-01-24T05:36:38.826505Z\",\n \"\
+ parentProcessId\": 7736,\n \"parentProcessCreationTime\": \"2023-01-24T05:36:26.0524655Z\"\
+ ,\n \"parentProcessFileName\": \"WmiPrvSE.exe\",\n \"parentProcessFilePath\"\
+ : \"C:\\\\Windows\\\\System32\\\\wbem\",\n \"ipAddress\": null,\n \"url\"\
+ : null,\n \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
+ : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
+ accountName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\"\
+ : \"S-1-5-21-4215714199-1288013905-3478400915-1002\",\n \"aadUserId\": null,\n\
+ \ \"userPrincipalName\": null,\n \"detectionStatus\": \"Detected\"\n },\n\
+ \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T13:07:13.2233333Z\"\
+ ,\n \"sha1\": \"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\",\n \"sha256\":\
+ \ \"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\",\n \"\
+ fileName\": \"WmiPrvSE.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\\\\\
+ wbem\",\n \"processId\": 756,\n \"processCommandLine\": \"wmiprvse.exe -secured\
+ \ -Embedding\",\n \"processCreationTime\": \"2023-01-24T13:00:35.0107475Z\",\n\
+ \ \"parentProcessId\": 908,\n \"parentProcessCreationTime\": \"2023-01-24T08:20:44.6877667Z\"\
+ ,\n \"parentProcessFileName\": \"svchost.exe\",\n \"parentProcessFilePath\"\
+ : \"C:\\\\Windows\\\\System32\",\n \"ipAddress\": null,\n \"url\": null,\n\
+ \ \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
+ : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
+ accountName\": \"NETWORK SERVICE\",\n \"domainName\": \"NT AUTHORITY\",\n \
+ \ \"userSid\": \"S-1-5-20\",\n \"aadUserId\": null,\n \"userPrincipalName\"\
+ : null,\n \"detectionStatus\": \"Detected\"\n },\n {\n \"entityType\": \"\
+ Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:45:51.6833333Z\",\n \
+ \ \"sha1\": \"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\n \"sha256\": \"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\"\
+ ,\n \"fileName\": \"cmd.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\"\
+ ,\n \"processId\": 1140,\n \"processCommandLine\": \"cmd.exe /Q /c powershell\
+ \ -NoProfile -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\administrator1\\\\\
+ Desktop\\\\SharedFolder\\\\payload.ps1\\\" 1> \\\\\\\\127.0.0.1\\\\SharedFolder\\\
+ \\__1674538878.1586335 2>&1\",\n \"processCreationTime\": \"2023-01-24T05:43:49.9375398Z\"\
+ ,\n \"parentProcessId\": 4476,\n \"parentProcessCreationTime\": \"2023-01-24T05:43:32.4631151Z\"\
+ ,\n \"parentProcessFileName\": \"WmiPrvSE.exe\",\n \"parentProcessFilePath\"\
+ : \"C:\\\\Windows\\\\System32\\\\wbem\",\n \"ipAddress\": null,\n \"url\"\
+ : null,\n \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
+ : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
+ accountName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\"\
+ : \"S-1-5-21-4215714199-1288013905-3478400915-1002\",\n \"aadUserId\": null,\n\
+ \ \"userPrincipalName\": null,\n \"detectionStatus\": \"Detected\"\n },\n\
+ \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:39:47.1733333Z\"\
+ ,\n \"sha1\": \"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\",\n \"sha256\":\
+ \ \"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\",\n \"\
+ fileName\": \"WmiPrvSE.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\\\\\
+ wbem\",\n \"processId\": 7736,\n \"processCommandLine\": \"wmiprvse.exe -secured\
+ \ -Embedding\",\n \"processCreationTime\": \"2023-01-24T05:36:26.0524655Z\",\n\
+ \ \"parentProcessId\": 896,\n \"parentProcessCreationTime\": \"2023-01-24T04:44:17.1940386Z\"\
+ ,\n \"parentProcessFileName\": \"svchost.exe\",\n \"parentProcessFilePath\"\
+ : \"C:\\\\Windows\\\\System32\",\n \"ipAddress\": null,\n \"url\": null,\n\
+ \ \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\
+ : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\
+ accountName\": \"NETWORK SERVICE\",\n \"domainName\": \"NT AUTHORITY\",\n \
+ \ \"userSid\": \"S-1-5-20\",\n \"aadUserId\": null,\n \"userPrincipalName\"\
+ : null,\n \"detectionStatus\": \"Detected\"\n }\n],\n\"domains\": []\n}"
diff --git a/data_sources/nginx_access.yml b/data_sources/nginx_access.yml
index e24bb4163c..c7b491e28c 100644
--- a/data_sources/nginx_access.yml
+++ b/data_sources/nginx_access.yml
@@ -6,74 +6,74 @@ author: Patrick Bareiss, Splunk
description: Logs HTTP/S access events on an Nginx server, including details such
as client IP, request method, URI, response status, and user agent.
mitre_components:
- - Network Traffic Content
- - Network Traffic Flow
- - Response Metadata
- - Application Log Content
- - User Account Metadata
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+- Application Log Content
+- User Account Metadata
source: /var/log/nginx/access.log
sourcetype: nginx:plus:kv
supported_TA: []
fields:
- - _time
- - action
- - app
- - bytes
- - bytes_in
- - bytes_out
- - category
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_ip
- - dest_port
- - eventtype
- - host
- - http_content_type
- - http_method
- - http_referer
- - http_user_agent
- - http_user_agent_length
- - http_x_forwarded_for
- - http_x_header
- - https
- - index
- - linecount
- - nginx_version
- - product
- - protocol
- - punct
- - request_time
- - response_time
- - server
- - site
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - status
- - status_description
- - status_type
- - tag
- - tag::eventtype
- - time_local
- - timeendpos
- - timestartpos
- - uri_path
- - url
- - url_domain
- - url_length
- - vendor
- - vendor_product
- - version
- - web_server
+- _time
+- action
+- app
+- bytes
+- bytes_in
+- bytes_out
+- category
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_ip
+- dest_port
+- eventtype
+- host
+- http_content_type
+- http_method
+- http_referer
+- http_user_agent
+- http_user_agent_length
+- http_x_forwarded_for
+- http_x_header
+- https
+- index
+- linecount
+- nginx_version
+- product
+- protocol
+- punct
+- request_time
+- response_time
+- server
+- site
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- status
+- status_description
+- status_type
+- tag
+- tag::eventtype
+- time_local
+- timeendpos
+- timestartpos
+- uri_path
+- url
+- url_domain
+- url_length
+- vendor
+- vendor_product
+- version
+- web_server
example_log: site="www.example.com" server="www.example.com" dest_port="443" dest_ip="192.0.2.1"
src="198.51.100.1" src_ip="198.51.100.1" user="-" time_local="22/Feb/2024:13:00:00
-0500" protocol="HTTP/1.1" status="200" bytes_out="1073741000" bytes_in="234" http_referer="-"
diff --git a/data_sources/o365.yml b/data_sources/o365.yml
index 3bda514d41..36c3c9bc2a 100644
--- a/data_sources/o365.yml
+++ b/data_sources/o365.yml
@@ -6,15 +6,15 @@ author: Patrick Bareiss, Splunk
description: Logs management activities in Microsoft 365, including administrative
actions, user activities, and configuration changes across various services.
mitre_components:
- - User Account Metadata
- - Cloud Service Modification
- - Application Log Content
- - Configuration Modification
- - Active Directory Object Modification
+- User Account Metadata
+- Cloud Service Modification
+- Application Log Content
+- Configuration Modification
+- Active Directory Object Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
diff --git a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
index a6e90c409a..d97086d833 100644
--- a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
+++ b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
@@ -6,88 +6,88 @@ author: Patrick Bareiss, Splunk
description: Logs the assignment of an application role grant to a user in Microsoft
365, including details about the role, user, and application involved.
mitre_components:
- - User Account Modification
- - Group Modification
- - Cloud Service Modification
- - Cloud Service Metadata
+- User Account Modification
+- Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Add app role assignment grant to user.
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - ActorIpAddress
- - Actor{}.ID
- - Actor{}.Type
- - AzureActiveDirectoryEventType
- - ClientIP
- - CreationTime
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - ModifiedProperties{}.Name
- - ModifiedProperties{}.NewValue
- - ModifiedProperties{}.OldValue
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - ResultStatus
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - additionalDetails
- - app
- - authentication_service
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - extendedAuditEventCategory
- - extended_properties
- - host
- - index
- - linecount
- - object
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - src_user
- - status
- - timeendpos
- - timestartpos
- - user
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- ActorIpAddress
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- ClientIP
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- additionalDetails
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- extendedAuditEventCategory
+- extended_properties
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_user
+- status
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
"10037FFEA938FB92", "Type": 3}, {"ID": "74658136-14ec-4630-ad9b-26e160ff0fc6", "Type":
2}, {"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484",
diff --git a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
index 720652a539..250a21a230 100644
--- a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
+++ b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
@@ -7,87 +7,87 @@ description: Logs the assignment of an application role to a service principal i
Microsoft 365, including details about the role, service principal, and application
involved.
mitre_components:
- - Cloud Service Modification
- - Cloud Service Metadata
- - User Account Metadata
- - Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
+- User Account Metadata
+- Group Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Add app role assignment to service principal.
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - Actor{}.ID
- - Actor{}.Type
- - AzureActiveDirectoryEventType
- - CreationTime
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - ModifiedProperties{}.Name
- - ModifiedProperties{}.NewValue
- - ModifiedProperties{}.OldValue
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - ResultStatus
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - additionalDetails
- - app
- - authentication_service
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - eventtype
- - extendedAuditEventCategory
- - host
- - index
- - linecount
- - object
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_agent
- - user_agent_change
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- additionalDetails
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2024-02-08T21:49:53", "Id": "a6bee61d-8b3f-42e1-b4fa-778fb05c43ac",
"Operation": "Add app role assignment to service principal.", "OrganizationId":
"75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success",
diff --git a/data_sources/o365_add_mailboxpermission.yml b/data_sources/o365_add_mailboxpermission.yml
index 09a36817fe..191c1d0e6b 100644
--- a/data_sources/o365_add_mailboxpermission.yml
+++ b/data_sources/o365_add_mailboxpermission.yml
@@ -7,79 +7,79 @@ description: Logs the addition of mailbox permissions in Microsoft 365, includin
details about the mailbox, granted permissions, and the user or administrator performing
the action.
mitre_components:
- - User Account Modification
- - User Account Metadata
- - Active Directory Object Modification
- - Application Log Content
+- User Account Modification
+- User Account Metadata
+- Active Directory Object Modification
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Add-MailboxPermission
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - AccessRights
- - AppId
- - ClientAppId
- - ClientIP
- - CreationTime
- - ExternalAccess
- - Id
- - Identity
- - InheritanceType
- - ObjectId
- - Operation
- - OrganizationId
- - OrganizationName
- - OriginatingServer
- - Parameters{}.Name
- - Parameters{}.Value
- - RecordType
- - ResultStatus
- - SessionId
- - User
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - app
- - authentication_service
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - host
- - index
- - linecount
- - object
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - status
- - timeendpos
- - timestartpos
- - user
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- AccessRights
+- AppId
+- ClientAppId
+- ClientIP
+- CreationTime
+- ExternalAccess
+- Id
+- Identity
+- InheritanceType
+- ObjectId
+- Operation
+- OrganizationId
+- OrganizationName
+- OriginatingServer
+- Parameters{}.Name
+- Parameters{}.Value
+- RecordType
+- ResultStatus
+- SessionId
+- User
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- status
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"AppId": "", "ClientAppId": "", "ClientIP": "18.159.234.121:30395",
"CreationTime": "2020-12-15T10:18:53", "ExternalAccess": false, "Id": "bb6e31a3-e98f-493d-bbff-08d8a0e2d2b0",
"ObjectId": "jhernan", "Operation": "Add-MailboxPermission", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
diff --git a/data_sources/o365_add_member_to_role_.yml b/data_sources/o365_add_member_to_role_.yml
index 7a6ea65406..29145e6d5b 100644
--- a/data_sources/o365_add_member_to_role_.yml
+++ b/data_sources/o365_add_member_to_role_.yml
@@ -6,90 +6,90 @@ author: Patrick Bareiss, Splunk
description: Logs the addition of a member to a role in Microsoft 365, including details
about the role, the added member, and the user or administrator performing the action.
mitre_components:
- - Group Modification
- - Group Metadata
- - User Account Metadata
- - Cloud Service Modification
+- Group Modification
+- Group Metadata
+- User Account Metadata
+- Cloud Service Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Add member to role.
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - Actor{}.ID
- - Actor{}.Type
- - AzureActiveDirectoryEventType
- - CreationTime
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - ModifiedProperties{}.Name
- - ModifiedProperties{}.NewValue
- - ModifiedProperties{}.OldValue
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - ResultStatus
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - action
- - additionalDetails
- - app
- - authentication_service
- - change_type
- - command
- - dataset_name
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - eventtype
- - extendedAuditEventCategory
- - host
- - index
- - linecount
- - object
- - object_attrs
- - object_category
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2023-10-20T16:50:46", "Id": "30a8b107-b190-406c-9b80-c3f5c3a29129",
"Operation": "Add member to role.", "OrganizationId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com",
diff --git a/data_sources/o365_add_owner_to_application_.yml b/data_sources/o365_add_owner_to_application_.yml
index 5c3b3c7f4b..dd7f2632d4 100644
--- a/data_sources/o365_add_owner_to_application_.yml
+++ b/data_sources/o365_add_owner_to_application_.yml
@@ -7,92 +7,92 @@ description: Logs the addition of an owner to an application in Microsoft 365, i
details about the application, the new owner, and the user or administrator performing
the action.
mitre_components:
- - User Account Modification
- - Group Modification
- - Cloud Service Modification
- - Cloud Service Metadata
+- User Account Modification
+- Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Add owner to application.
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - Actor{}.ID
- - Actor{}.Type
- - AzureActiveDirectoryEventType
- - CreationTime
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - ModifiedProperties{}.Name
- - ModifiedProperties{}.NewValue
- - ModifiedProperties{}.OldValue
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - ResultStatus
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - action
- - additionalDetails
- - app
- - authentication_service
- - change_type
- - command
- - dataset_name
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - eventtype
- - extendedAuditEventCategory
- - host
- - index
- - linecount
- - object
- - object_attrs
- - object_category
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_agent
- - user_agent_change
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2023-09-07T13:42:04", "Id": "6e2c723b-8f6e-47f4-8c60-fa23ef3fccee",
"Operation": "Add owner to application.", "OrganizationId": "48203edf-5d2c-45f2-8123-a368cc8b0e51",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com",
diff --git a/data_sources/o365_add_service_principal_.yml b/data_sources/o365_add_service_principal_.yml
index 806ce7eda5..8f4af7e270 100644
--- a/data_sources/o365_add_service_principal_.yml
+++ b/data_sources/o365_add_service_principal_.yml
@@ -6,92 +6,92 @@ author: Patrick Bareiss, Splunk
description: Logs the addition of a new service principal in Microsoft 365, including
details about the associated application and the action initiator.
mitre_components:
- - Cloud Service Creation
- - Cloud Service Metadata
- - User Account Metadata
- - Active Directory Object Creation
+- Cloud Service Creation
+- Cloud Service Metadata
+- User Account Metadata
+- Active Directory Object Creation
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Add service principal.
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - Actor{}.ID
- - Actor{}.Type
- - AzureActiveDirectoryEventType
- - CreationTime
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - ModifiedProperties{}.Name
- - ModifiedProperties{}.NewValue
- - ModifiedProperties{}.OldValue
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - ResultStatus
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - action
- - additionalDetails
- - app
- - authentication_service
- - change_type
- - command
- - dataset_name
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - eventtype
- - extendedAuditEventCategory
- - host
- - index
- - linecount
- - object_attrs
- - object_category
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - src_user
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_agent
- - user_agent_change
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src_user
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2024-02-07T22:31:14", "Id": "f624ed92-b4a2-4d42-aa8b-20a261d06b7f",
"Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com",
diff --git a/data_sources/o365_change_user_license_.yml b/data_sources/o365_change_user_license_.yml
index cec6ea1cc1..d26262857c 100644
--- a/data_sources/o365_change_user_license_.yml
+++ b/data_sources/o365_change_user_license_.yml
@@ -6,88 +6,88 @@ author: Patrick Bareiss, Splunk
description: Logs changes to user licenses in Microsoft 365, including additions,
removals, or updates to service plans associated with a user account.
mitre_components:
- - User Account Modification
- - User Account Metadata
- - Cloud Service Modification
- - Configuration Modification
+- User Account Modification
+- User Account Metadata
+- Cloud Service Modification
+- Configuration Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Change user license.
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - Actor{}.ID
- - Actor{}.Type
- - AzureActiveDirectoryEventType
- - CreationTime
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - ResultStatus
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - action
- - additionalDetails
- - app
- - authentication_service
- - change_type
- - command
- - dataset_name
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - eventtype
- - extendedAuditEventCategory
- - host
- - index
- - linecount
- - object
- - object_attrs
- - object_category
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - src_user
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src_user
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2023-09-11T15:55:46", "Id": "1e39f32d-081d-4494-994a-533b57f91df7",
"Operation": "Change user license.", "OrganizationId": "bbad9541-eb53-4533-bcef-2b76182c3b75",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com",
diff --git a/data_sources/o365_consent_to_application_.yml b/data_sources/o365_consent_to_application_.yml
index 9a8aacafcd..5698a08a0d 100644
--- a/data_sources/o365_consent_to_application_.yml
+++ b/data_sources/o365_consent_to_application_.yml
@@ -7,84 +7,84 @@ description: Logs user or administrator consent to an application's permissions
Microsoft 365, including details about the application, granted permissions, and
the consenting user or process.
mitre_components:
- - User Account Modification
- - Cloud Service Modification
- - Cloud Service Metadata
- - Configuration Modification
+- User Account Modification
+- Cloud Service Modification
+- Cloud Service Metadata
+- Configuration Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Consent to application.
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - Actor{}.ID
- - Actor{}.Type
- - AzureActiveDirectoryEventType
- - CreationTime
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - ModifiedProperties{}.Name
- - ModifiedProperties{}.NewValue
- - ModifiedProperties{}.OldValue
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - ResultStatus
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - additionalDetails
- - app
- - authentication_service
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - extendedAuditEventCategory
- - host
- - index
- - linecount
- - object
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - status
- - timeendpos
- - timestartpos
- - user
- - user_agent
- - user_agent_change
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- additionalDetails
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2023-09-05T21:05:31", "Id": "5822e126-1fbc-4269-9ad6-4c1879cdbcf3",
"Operation": "Consent to application.", "OrganizationId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com",
diff --git a/data_sources/o365_disable_strong_authentication_.yml b/data_sources/o365_disable_strong_authentication_.yml
index bd40f2eca5..8682551f6c 100644
--- a/data_sources/o365_disable_strong_authentication_.yml
+++ b/data_sources/o365_disable_strong_authentication_.yml
@@ -7,85 +7,85 @@ description: Logs the disabling of strong authentication (e.g., multi-factor aut
for a user or group in Microsoft 365, including details about the affected accounts
and the action initiator.
mitre_components:
- - User Account Modification
- - Group Modification
- - Configuration Modification
- - Application Log Content
+- User Account Modification
+- Group Modification
+- Configuration Modification
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Disable Strong Authentication.
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - ActorIpAddress
- - Actor{}.ID
- - Actor{}.Type
- - AzureActiveDirectoryEventType
- - ClientIP
- - CreationTime
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - ModifiedProperties{}.Name
- - ModifiedProperties{}.NewValue
- - ModifiedProperties{}.OldValue
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - ResultStatus
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - additionalDetails
- - app
- - authentication_service
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - extendedAuditEventCategory
- - extended_properties
- - host
- - index
- - linecount
- - object
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - status
- - timeendpos
- - timestartpos
- - user
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- ActorIpAddress
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- ClientIP
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- additionalDetails
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- extendedAuditEventCategory
+- extended_properties
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
"10037FFEA938FB92", "Type": 3}, {"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484",
"Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "User",
diff --git a/data_sources/o365_mailitemsaccessed.yml b/data_sources/o365_mailitemsaccessed.yml
index 49429c5898..e1c6afc695 100644
--- a/data_sources/o365_mailitemsaccessed.yml
+++ b/data_sources/o365_mailitemsaccessed.yml
@@ -6,81 +6,81 @@ author: Patrick Bareiss, Splunk
description: Logs access to mailbox items in Microsoft 365, including details about
the user accessing the items, the accessed content, and the method of access.
mitre_components:
- - File Access
- - User Account Metadata
- - Application Log Content
- - Active Directory Object Access
+- File Access
+- User Account Metadata
+- Application Log Content
+- Active Directory Object Access
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: MailItemsAccessed
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - AppId
- - ClientAppId
- - ClientIPAddress
- - ClientInfoString
- - CreationTime
- - ExternalAccess
- - Folders{}.FolderItems{}.InternetMessageId
- - Folders{}.FolderItems{}.SizeInBytes
- - Folders{}.Id
- - Folders{}.Path
- - Id
- - InternalLogonType
- - IsThrottled
- - LogonType
- - LogonUserSid
- - MailAccessType
- - MailboxGuid
- - MailboxOwnerSid
- - MailboxOwnerUPN
- - Operation
- - OperationCount
- - OperationProperties{}.Name
- - OperationProperties{}.Value
- - OrganizationId
- - OrganizationName
- - OriginatingServer
- - RecordType
- - ResultStatus
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - app
- - authentication_service
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dvc
- - host
- - index
- - linecount
- - punct
- - signature
- - source
- - sourcetype
- - splunk_server
- - status
- - timeendpos
- - timestartpos
- - user
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- AppId
+- ClientAppId
+- ClientIPAddress
+- ClientInfoString
+- CreationTime
+- ExternalAccess
+- Folders{}.FolderItems{}.InternetMessageId
+- Folders{}.FolderItems{}.SizeInBytes
+- Folders{}.Id
+- Folders{}.Path
+- Id
+- InternalLogonType
+- IsThrottled
+- LogonType
+- LogonUserSid
+- MailAccessType
+- MailboxGuid
+- MailboxOwnerSid
+- MailboxOwnerUPN
+- Operation
+- OperationCount
+- OperationProperties{}.Name
+- OperationProperties{}.Value
+- OrganizationId
+- OrganizationName
+- OriginatingServer
+- RecordType
+- ResultStatus
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc
+- host
+- index
+- linecount
+- punct
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2024-02-01T16:07:34", "Id": "9cef02e9-4bfa-4c73-be7d-9dad68b9cea8",
"Operation": "MailItemsAccessed", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
"RecordType": 50, "ResultStatus": "Succeeded", "UserKey": "100320030DF47B14", "UserType":
diff --git a/data_sources/o365_modifyfolderpermissions.yml b/data_sources/o365_modifyfolderpermissions.yml
index aca4f79957..77b5ee58cf 100644
--- a/data_sources/o365_modifyfolderpermissions.yml
+++ b/data_sources/o365_modifyfolderpermissions.yml
@@ -6,99 +6,99 @@ author: Patrick Bareiss, Splunk
description: Logs modifications to folder permissions in Microsoft 365, including
updates to access levels, user assignments, and sharing settings.
mitre_components:
- - User Account Modification
- - File Access
- - Active Directory Object Modification
- - Application Log Content
+- User Account Modification
+- File Access
+- Active Directory Object Modification
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: ModifyFolderPermissions
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - AppId
- - ClientIP
- - ClientIPAddress
- - ClientInfoString
- - CreationTime
- - ExternalAccess
- - Id
- - InternalLogonType
- - Item.Id
- - Item.ParentFolder.Id
- - Item.ParentFolder.MemberRights
- - Item.ParentFolder.MemberSid
- - Item.ParentFolder.MemberUpn
- - Item.ParentFolder.Name
- - Item.ParentFolder.Path
- - LogonType
- - LogonUserSid
- - MailboxGuid
- - MailboxOwnerSid
- - MailboxOwnerUPN
- - Operation
- - OrganizationId
- - OrganizationName
- - OriginatingServer
- - RecordType
- - ResultStatus
- - SessionId
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - action
- - app
- - authentication_service
- - change_type
- - client_info_str
- - command
- - dataset_name
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - eventtype
- - host
- - index
- - linecount
- - object
- - object_attrs
- - object_category
- - object_id
- - punct
- - record_type
- - result
- - signature
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - status
- - tag
- - tag::eventtype
- - tenant_id
- - timeendpos
- - timestartpos
- - user
- - user_agent
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- AppId
+- ClientIP
+- ClientIPAddress
+- ClientInfoString
+- CreationTime
+- ExternalAccess
+- Id
+- InternalLogonType
+- Item.Id
+- Item.ParentFolder.Id
+- Item.ParentFolder.MemberRights
+- Item.ParentFolder.MemberSid
+- Item.ParentFolder.MemberUpn
+- Item.ParentFolder.Name
+- Item.ParentFolder.Path
+- LogonType
+- LogonUserSid
+- MailboxGuid
+- MailboxOwnerSid
+- MailboxOwnerUPN
+- Operation
+- OrganizationId
+- OrganizationName
+- OriginatingServer
+- RecordType
+- ResultStatus
+- SessionId
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- app
+- authentication_service
+- change_type
+- client_info_str
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- eventtype
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- object_id
+- punct
+- record_type
+- result
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- status
+- tag
+- tag::eventtype
+- tenant_id
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2023-09-07T18:19:07", "Id": "ff065c17-e638-4013-20ab-08dbafceeca1",
"Operation": "ModifyFolderPermissions", "OrganizationId": "e17879dd-24ec-44a6-be92-9dcbf6969220",
"RecordType": 2, "ResultStatus": "Succeeded", "UserKey": "10032002CC029AE9", "UserType":
diff --git a/data_sources/o365_set_company_information_.yml b/data_sources/o365_set_company_information_.yml
index e3da9d7ddd..7348172690 100644
--- a/data_sources/o365_set_company_information_.yml
+++ b/data_sources/o365_set_company_information_.yml
@@ -6,93 +6,93 @@ author: Patrick Bareiss, Splunk
description: Logs updates to organizational settings and company information in Microsoft
365, including changes to contact details, branding, and configuration policies.
mitre_components:
- - Cloud Service Modification
- - Configuration Modification
- - Cloud Service Metadata
- - Application Log Content
+- Cloud Service Modification
+- Configuration Modification
+- Cloud Service Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Set Company Information.
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - ActorIpAddress
- - Actor{}.ID
- - Actor{}.Type
- - AzureActiveDirectoryEventType
- - ClientIP
- - CreationTime
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - ModifiedProperties{}.Name
- - ModifiedProperties{}.NewValue
- - ModifiedProperties{}.OldValue
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - ResultStatus
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - action
- - additionalDetails
- - app
- - authentication_service
- - change_type
- - command
- - dataset_name
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - eventtype
- - extendedAuditEventCategory
- - extended_properties
- - host
- - index
- - linecount
- - object
- - object_attrs
- - object_category
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- ActorIpAddress
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- ClientIP
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- extended_properties
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"Actor": [{"ID": "bpatel@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
"100320010208B5DC", "Type": 3}, {"ID": "User_425b75db-38be-4c7b-a474-5f0709247370",
"Type": 2}, {"ID": "425b75db-38be-4c7b-a474-5f0709247370", "Type": 2}, {"ID": "User",
diff --git a/data_sources/o365_set_mailbox.yml b/data_sources/o365_set_mailbox.yml
index 9da03f53f4..2cf75ed058 100644
--- a/data_sources/o365_set_mailbox.yml
+++ b/data_sources/o365_set_mailbox.yml
@@ -6,89 +6,89 @@ author: Patrick Bareiss, Splunk
description: Logs changes to mailbox properties in Microsoft 365, including updates
to permissions, storage quotas, and configuration settings.
mitre_components:
- - User Account Modification
- - Active Directory Object Modification
- - User Account Metadata
- - Application Log Content
+- User Account Modification
+- Active Directory Object Modification
+- User Account Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Set-Mailbox
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - AppId
- - ClientAppId
- - ClientIP
- - CreationTime
- - ExternalAccess
- - Id
- - Identity
- - ObjectId
- - Operation
- - OrganizationId
- - OrganizationName
- - OriginatingServer
- - Parameters{}.Name
- - Parameters{}.Value
- - Params
- - RecordType
- - ResultStatus
- - SessionId
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - action
- - app
- - authentication_service
- - change_type
- - command
- - dataset_name
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - eventtype
- - host
- - index
- - linecount
- - object
- - object_attrs
- - object_category
- - object_id
- - punct
- - record_type
- - result
- - signature
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - src_user
- - src_user_type
- - status
- - tag
- - tag::eventtype
- - tenant_id
- - timeendpos
- - timestartpos
- - user
- - user_id
- - vendor_account
- - vendor_product
+- _time
+- AppId
+- ClientAppId
+- ClientIP
+- CreationTime
+- ExternalAccess
+- Id
+- Identity
+- ObjectId
+- Operation
+- OrganizationId
+- OrganizationName
+- OriginatingServer
+- Parameters{}.Name
+- Parameters{}.Value
+- Params
+- RecordType
+- ResultStatus
+- SessionId
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- eventtype
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- object_id
+- punct
+- record_type
+- result
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_user
+- src_user_type
+- status
+- tag
+- tag::eventtype
+- tenant_id
+- timeendpos
+- timestartpos
+- user
+- user_id
+- vendor_account
+- vendor_product
example_log: '{"AppId": "", "ClientAppId": "", "ClientIP": "18.192.200.190:52816",
"CreationTime": "2020-12-16T12:32:28", "ExternalAccess": false, "Id": "a6a52406-0912-448d-36eb-08d8a1bea6be",
"ObjectId": "bpatel", "Operation": "Set-Mailbox", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
diff --git a/data_sources/o365_update_application_.yml b/data_sources/o365_update_application_.yml
index 2b04a3230b..4e9728c9e5 100644
--- a/data_sources/o365_update_application_.yml
+++ b/data_sources/o365_update_application_.yml
@@ -6,92 +6,92 @@ author: Patrick Bareiss, Splunk
description: Logs updates made to applications in Microsoft 365, including changes
to configurations, permissions, and role assignments.
mitre_components:
- - Cloud Service Modification
- - Configuration Modification
- - Cloud Service Metadata
- - Application Log Content
+- Cloud Service Modification
+- Configuration Modification
+- Cloud Service Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Update application.
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - Actor{}.ID
- - Actor{}.Type
- - AzureActiveDirectoryEventType
- - CreationTime
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - ModifiedProperties{}.Name
- - ModifiedProperties{}.NewValue
- - ModifiedProperties{}.OldValue
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - ResultStatus
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - action
- - additionalDetails
- - app
- - authentication_service
- - change_type
- - command
- - dataset_name
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - eventtype
- - extendedAuditEventCategory
- - host
- - index
- - linecount
- - object
- - object_attrs
- - object_category
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_agent
- - user_agent_change
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2023-09-01T17:16:20", "Id": "c428c85c-4fa0-4e97-9033-6a76d9dee45d",
"Operation": "Update application.", "OrganizationId": "58aee3b9-7433-46a0-b54e-2429487992a0",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com",
diff --git a/data_sources/o365_update_authorization_policy_.yml b/data_sources/o365_update_authorization_policy_.yml
index 90825eca41..1c0d97242a 100644
--- a/data_sources/o365_update_authorization_policy_.yml
+++ b/data_sources/o365_update_authorization_policy_.yml
@@ -6,84 +6,84 @@ author: Patrick Bareiss, Splunk
description: Logs changes to authorization policies in Microsoft 365, including updates
to access controls, permissions, and security settings.
mitre_components:
- - Cloud Service Modification
- - Configuration Modification
- - User Account Metadata
- - Application Log Content
+- Cloud Service Modification
+- Configuration Modification
+- User Account Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Update authorization policy.
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - Actor{}.ID
- - Actor{}.Type
- - AzureActiveDirectoryEventType
- - CreationTime
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - ModifiedProperties{}.Name
- - ModifiedProperties{}.NewValue
- - ModifiedProperties{}.OldValue
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - ResultStatus
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - additionalDetails
- - app
- - authentication_service
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - extendedAuditEventCategory
- - host
- - index
- - linecount
- - object
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - status
- - timeendpos
- - timestartpos
- - user
- - user_agent
- - user_agent_change
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- additionalDetails
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2023-10-26T19:22:20", "Id": "83774e72-313f-4d1f-8609-7d0c7bb3b4ff",
"Operation": "Update authorization policy.", "OrganizationId": "a417c578-c7ee-480d-a225-d48057e74df5",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com",
diff --git a/data_sources/o365_update_user_.yml b/data_sources/o365_update_user_.yml
index f733a674a4..c9d47f5456 100644
--- a/data_sources/o365_update_user_.yml
+++ b/data_sources/o365_update_user_.yml
@@ -6,91 +6,91 @@ author: Patrick Bareiss, Splunk
description: Logs updates to user account properties in Microsoft 365, including changes
to roles, permissions, and profile information.
mitre_components:
- - User Account Modification
- - User Account Metadata
- - Active Directory Object Modification
- - Application Log Content
+- User Account Modification
+- User Account Metadata
+- Active Directory Object Modification
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: Update user.
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - Actor{}.ID
- - Actor{}.Type
- - AzureActiveDirectoryEventType
- - CreationTime
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - ModifiedProperties{}.Name
- - ModifiedProperties{}.NewValue
- - ModifiedProperties{}.OldValue
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - ResultStatus
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - action
- - additionalDetails
- - app
- - authentication_service
- - change_type
- - command
- - dataset_name
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - eventtype
- - extendedAuditEventCategory
- - host
- - index
- - linecount
- - object
- - object_attrs
- - object_category
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - src_user
- - status
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_id
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src_user
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2023-10-20T19:32:59", "Id": "d06df1c6-b3f2-4595-90b9-99b8f91811c3",
"Operation": "Update user.", "OrganizationId": "99825d50-9544-4061-8e46-68923805cbf2",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "10032002CC029AE9@splunkresearch1.onmicrosoft.com",
diff --git a/data_sources/o365_userloggedin.yml b/data_sources/o365_userloggedin.yml
index f9169deaee..4e5fbdcea2 100644
--- a/data_sources/o365_userloggedin.yml
+++ b/data_sources/o365_userloggedin.yml
@@ -6,91 +6,91 @@ author: Patrick Bareiss, Splunk
description: Logs successful login events by users in Microsoft 365, including details
about the user account, IP address, and session metadata.
mitre_components:
- - User Account Authentication
- - Logon Session Creation
- - User Account Metadata
- - Logon Session Metadata
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Logon Session Metadata
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: UserLoggedIn
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - ActorIpAddress
- - Actor{}.ID
- - Actor{}.Type
- - ApplicationId
- - AzureActiveDirectoryEventType
- - BrowserType
- - ClientIP
- - CreationTime
- - DeviceProperties{}.Name
- - DeviceProperties{}.Value
- - ErrorNumber
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - OS
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - RequestType
- - ResultStatus
- - ResultStatusDetail
- - SessionId
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserAgent
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - app
- - authentication_service
- - command
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - host
- - index
- - linecount
- - object
- - punct
- - record_type
- - signature
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - status
- - timeendpos
- - timestartpos
- - user
- - user_agent
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- ActorIpAddress
+- Actor{}.ID
+- Actor{}.Type
+- ApplicationId
+- AzureActiveDirectoryEventType
+- BrowserType
+- ClientIP
+- CreationTime
+- DeviceProperties{}.Name
+- DeviceProperties{}.Value
+- ErrorNumber
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- OS
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- RequestType
+- ResultStatus
+- ResultStatusDetail
+- SessionId
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserAgent
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- status
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2023-12-04T20:42:05", "Id": "52d72a62-132b-487b-bb7f-c4c119f90700",
"Operation": "UserLoggedIn", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
"RecordType": 15, "ResultStatus": "Success", "UserKey": "2d2f9e2c-8350-4d98-852e-3f06daaf7185",
diff --git a/data_sources/o365_userloginfailed.yml b/data_sources/o365_userloginfailed.yml
index 8f3df80a3f..1a571c469a 100644
--- a/data_sources/o365_userloginfailed.yml
+++ b/data_sources/o365_userloginfailed.yml
@@ -6,100 +6,100 @@ author: Patrick Bareiss, Splunk
description: Logs failed login attempts by users in Microsoft 365, including details
about the user account, IP address, and reason for failure.
mitre_components:
- - User Account Authentication
- - Logon Session Metadata
- - User Account Metadata
- - Application Log Content
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
separator_value: UserLoginFailed
supported_TA:
- - name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.7.0
fields:
- - _time
- - ActorContextId
- - ActorIpAddress
- - Actor{}.ID
- - Actor{}.Type
- - ApplicationId
- - AzureActiveDirectoryEventType
- - BrowserType
- - ClientIP
- - CreationTime
- - DeviceProperties{}.Name
- - DeviceProperties{}.Value
- - ErrorNumber
- - ExtendedProperties{}.Name
- - ExtendedProperties{}.Value
- - Id
- - InterSystemsId
- - IntraSystemId
- - IsCompliantAndManaged
- - LogonError
- - OS
- - ObjectId
- - Operation
- - OrganizationId
- - RecordType
- - RequestType
- - ResultStatus
- - ResultStatusDetail
- - SupportTicketId
- - TargetContextId
- - Target{}.ID
- - Target{}.Type
- - UserAgent
- - UserAuthenticationMethod
- - UserId
- - UserKey
- - UserType
- - Version
- - Workload
- - action
- - app
- - authentication_method
- - authentication_service
- - command
- - dataset_name
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_name
- - dvc
- - event_type
- - eventtype
- - host
- - index
- - linecount
- - object
- - punct
- - reason
- - record_type
- - result
- - signature
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - status
- - tag
- - tag::action
- - tag::eventtype
- - user
- - user_agent
- - user_type
- - vendor_account
- - vendor_product
+- _time
+- ActorContextId
+- ActorIpAddress
+- Actor{}.ID
+- Actor{}.Type
+- ApplicationId
+- AzureActiveDirectoryEventType
+- BrowserType
+- ClientIP
+- CreationTime
+- DeviceProperties{}.Name
+- DeviceProperties{}.Value
+- ErrorNumber
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- IsCompliantAndManaged
+- LogonError
+- OS
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- RequestType
+- ResultStatus
+- ResultStatusDetail
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserAgent
+- UserAuthenticationMethod
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- app
+- authentication_method
+- authentication_service
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- host
+- index
+- linecount
+- object
+- punct
+- reason
+- record_type
+- result
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- status
+- tag
+- tag::action
+- tag::eventtype
+- user
+- user_agent
+- user_type
+- vendor_account
+- vendor_product
example_log: '{"CreationTime": "2023-10-10T17:08:65", "Id": "4593aac8-855f-4341-9d2a-4289146eb800",
"Operation": "UserLoginFailed", "OrganizationId": "d541aae6-6b73-4a7c-aaf0-a4de30c872bc",
"RecordType": 15, "ResultStatus": "Failed", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72",
diff --git a/data_sources/okta.yml b/data_sources/okta.yml
index 4c4de15b28..3d83e462b9 100644
--- a/data_sources/okta.yml
+++ b/data_sources/okta.yml
@@ -6,14 +6,14 @@ author: Patrick Bareiss, Splunk
description: Logs authentication and administrative activities captured by Okta, including
user login attempts, session management, and configuration changes.
mitre_components:
- - User Account Authentication
- - Logon Session Creation
- - User Account Metadata
- - Configuration Modification
- - Application Log Content
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Configuration Modification
+- Application Log Content
source: Okta
sourcetype: OktaIM2:log
supported_TA:
- - name: Splunk Add-on for Okta Identity Cloud
- url: https://splunkbase.splunk.com/app/6553
- version: 3.0.0
+- name: Splunk Add-on for Okta Identity Cloud
+ url: https://splunkbase.splunk.com/app/6553
+ version: 3.0.0
diff --git a/data_sources/osquery.yml b/data_sources/osquery.yml
index b2b1828e0f..b14df40563 100644
--- a/data_sources/osquery.yml
+++ b/data_sources/osquery.yml
@@ -6,68 +6,68 @@ author: Patrick Bareiss, Splunk
description: Logs system queries performed using osquery, including details about
processes, file access, network activity, and system configurations.
mitre_components:
- - Process Metadata
- - File Access
- - Network Traffic Content
- - Host Status
- - Application Log Content
+- Process Metadata
+- File Access
+- Network Traffic Content
+- Host Status
+- Application Log Content
source: osquery
sourcetype: osquery:results
supported_TA: []
fields:
- - _time
- - calendarTime
- - columns.cdhash
- - columns.child_pid
- - columns.cmdline
- - columns.cmdline_count
- - columns.cwd
- - columns.egid
- - columns.env
- - columns.env_count
- - columns.euid
- - columns.event_type
- - columns.exit_code
- - columns.gid
- - columns.global_seq_num
- - columns.original_parent
- - columns.parent
- - columns.path
- - columns.pid
- - columns.platform_binary
- - columns.seq_num
- - columns.signing_id
- - columns.team_id
- - columns.time
- - columns.uid
- - columns.username
- - columns.version
- - counter
- - dest
- - epoch
- - eventtype
- - host
- - hostIdentifier
- - index
- - linecount
- - name
- - numerics
- - parent_process_id
- - process_current_directory
- - process_id
- - process_path
- - punct
- - source
- - sourcetype
- - splunk_server
- - src
- - subject
- - tag
- - tag::eventtype
- - timestamp
- - unixTime
- - user_id
- - vendor_product
+- _time
+- calendarTime
+- columns.cdhash
+- columns.child_pid
+- columns.cmdline
+- columns.cmdline_count
+- columns.cwd
+- columns.egid
+- columns.env
+- columns.env_count
+- columns.euid
+- columns.event_type
+- columns.exit_code
+- columns.gid
+- columns.global_seq_num
+- columns.original_parent
+- columns.parent
+- columns.path
+- columns.pid
+- columns.platform_binary
+- columns.seq_num
+- columns.signing_id
+- columns.team_id
+- columns.time
+- columns.uid
+- columns.username
+- columns.version
+- counter
+- dest
+- epoch
+- eventtype
+- host
+- hostIdentifier
+- index
+- linecount
+- name
+- numerics
+- parent_process_id
+- process_current_directory
+- process_id
+- process_path
+- punct
+- source
+- sourcetype
+- splunk_server
+- src
+- subject
+- tag
+- tag::eventtype
+- timestamp
+- unixTime
+- user_id
+- vendor_product
example_log: '{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Tue
Mar 29 13:03:51 2022 UTC","unixTime":1648559031,"epoch":0,"counter":82,"numerics":false,"columns":{"cdhash":"f63c5fbfcf1484b20aa4407a26e087fe3fe28146","child_pid":"","cmdline":"plutil
--help ","cmdline_count":"2","cwd":"/Users/patrick","egid":"20","env":"TERM_SESSION_ID=w0t1p0:93AA9D79-7028-49F1-A93D-4EAEFB7BA6E3
diff --git a/data_sources/palo_alto_network_threat.yml b/data_sources/palo_alto_network_threat.yml
index 48d799c14e..10e7c74e79 100644
--- a/data_sources/palo_alto_network_threat.yml
+++ b/data_sources/palo_alto_network_threat.yml
@@ -6,40 +6,39 @@ author: Patrick Bareiss, Splunk
description: Logs detected threats identified by Palo Alto Networks devices, including
details about malware, intrusion attempts, and malicious network activity.
mitre_components:
- - Malware Metadata
- - Network Traffic Content
- - Network Traffic Flow
- - Application Log Content
- - Host Status
+- Malware Metadata
+- Network Traffic Content
+- Network Traffic Flow
+- Application Log Content
+- Host Status
source: pan:threat
sourcetype: pan:threat
supported_TA:
- - name: Palo Alto Networks Add-on
- url: https://splunkbase.splunk.com/app/2757
- version: 8.1.3
+- name: Palo Alto Networks Add-on
+ url: https://splunkbase.splunk.com/app/2757
+ version: 8.1.3
fields:
- - _time
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - host
- - index
- - linecount
- - punct
- - source
- - sourcetype
- - splunk_server
- - timeendpos
- - timestartpos
+- _time
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- host
+- index
+- linecount
+- punct
+- source
+- sourcetype
+- splunk_server
+- timeendpos
+- timestartpos
example_log: May 10 11:08:39 sjc.example.com 1,2022/05/10 11:08:38,013201004583,THREAT,url,2305,2022/05/10
11:08:38,2.18.4.7,1.2.3.4,2.18.4.7,1.2.3.4,service-globalprotect,,,web-browsing,vsys1,UNTRUST,UNTRUST,ethernet1/20,loopback.1,Zero,2022/05/10
11:08:38,1535535,1,32880,443,32880,20077,0x1403000,tcp,allow,"sr.example.com/mgmt/tm/util/bash",(9999),allow-URL,informational,client-to-server,7081856864553612091,0xa000000000000000,United
States,United States,0,,0,,,1,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36
- (KHTML, like Gecko) Chrome/36.0.1944.0
- Safari/537.36",,,,,,,0,177,204,178,382,,sjc1-fw-01,,,,post,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"
+ (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36",,,,,,,0,177,204,178,382,,sjc1-fw-01,,,,post,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"
allow-URL,computer-and-internet-info,low-risk",5283cb95-6902-41db-96c6-ef807361eba5,0,
diff --git a/data_sources/palo_alto_network_traffic.yml b/data_sources/palo_alto_network_traffic.yml
index c4673e3fe7..09515ca80d 100644
--- a/data_sources/palo_alto_network_traffic.yml
+++ b/data_sources/palo_alto_network_traffic.yml
@@ -6,39 +6,37 @@ author: Patrick Bareiss, Splunk
description: Logs network traffic events captured by Palo Alto Networks devices, including
details about sessions, protocols, and source and destination IPs.
mitre_components:
- - Network Traffic Content
- - Network Traffic Flow
- - Network Connection Creation
- - Response Metadata
- - Application Log Content
+- Network Traffic Content
+- Network Traffic Flow
+- Network Connection Creation
+- Response Metadata
+- Application Log Content
source: screenconnect_palo_traffic
sourcetype: pan:traffic
supported_TA:
- - name: Palo Alto Networks Add-on
- url: https://splunkbase.splunk.com/app/2757
- version: 8.1.3
+- name: Palo Alto Networks Add-on
+ url: https://splunkbase.splunk.com/app/2757
+ version: 8.1.3
fields:
- - _time
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - host
- - index
- - linecount
- - punct
- - source
- - sourcetype
- - splunk_server
- - timeendpos
- - timestartpos
+- _time
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- host
+- index
+- linecount
+- punct
+- source
+- sourcetype
+- splunk_server
+- timeendpos
+- timestartpos
example_log: 577 <14>1 2024-02-22T12:33:50-05:00 PALO220.ATTACK_RANGE.LAN - - - -
- 1,2024/02/22 12:33:50,012801036556,TRAFFIC,end,2305,2024/02/22
- 12:33:50,192.168.1.205,147.28.146.44,201.17.96.104,147.28.146.44,No_Vuln_Filtering_OUT,,,screenconnect,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,splunk_range,2024/02/22
+ 1,2024/02/22 12:33:50,012801036556,TRAFFIC,end,2305,2024/02/22 12:33:50,192.168.1.205,147.28.146.44,201.17.96.104,147.28.146.44,No_Vuln_Filtering_OUT,,,screenconnect,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,splunk_range,2024/02/22
12:33:50,14740,1,50624,443,11024,443,0x40005e,tcp,allow,7419,6609,810,25,2024/02/22
- 12:32:29,65,any,0,376156893,0x0,192.168.0.0-192.168.255.255,United
- States,0,14,11,tcp-fin,0,0,0,0,,PALO220,from-policy,,,0,,0,,N/A,0,0,0,0,0862e58b-4a54-436b-b3ac-ea3eccf8403b,0,0,,,,,,,
+ 12:32:29,65,any,0,376156893,0x0,192.168.0.0-192.168.255.255,United States,0,14,11,tcp-fin,0,0,0,0,,PALO220,from-policy,,,0,,0,,N/A,0,0,0,0,0862e58b-4a54-436b-b3ac-ea3eccf8403b,0,0,,,,,,,
diff --git a/data_sources/pingid.yml b/data_sources/pingid.yml
index 5b7648219f..bde7518b61 100644
--- a/data_sources/pingid.yml
+++ b/data_sources/pingid.yml
@@ -6,41 +6,41 @@ author: Patrick Bareiss, Splunk
description: Logs authentication and multi-factor authentication (MFA) events managed
by PingID, including user logins, device enrollments, and MFA challenges.
mitre_components:
- - User Account Authentication
- - Logon Session Metadata
- - User Account Metadata
- - Application Log Content
- - Host Status
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
+- Host Status
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
supported_TA: []
fields:
- - _time
- - actors{}.name
- - actors{}.type
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - extracted_source
- - host
- - id
- - index
- - linecount
- - punct
- - recorded
- - resources{}.ipaddress
- - resources{}.websession
- - result.message
- - result.status
- - source
- - sourcetype
- - splunk_server
- - timeendpos
- - timestartpos
+- _time
+- actors{}.name
+- actors{}.type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- extracted_source
+- host
+- id
+- index
+- linecount
+- punct
+- recorded
+- resources{}.ipaddress
+- resources{}.websession
+- result.message
+- result.status
+- source
+- sourcetype
+- splunk_server
+- timeendpos
+- timestartpos
example_log: '{"source":"PINGID","id":"b2eb1fef-651b-11ee-b38b-0ac7a554ed19","recorded":"2023-10-05T14:10:53.538Z","actors":[{"type":"user","name":"victim_user"}],"resources":[{"ipaddress":"174.235.80.142","websession":"webs_ijkF-T_bAC_G3w2TfvdpAEQeC545KFlqVFOsolCXdjo"}],"result":{"status":"SUCCESS","message":"Device
Paired SMS \"Mobile 1\""}}'
diff --git a/data_sources/powershell_installed_iis_modules.yml b/data_sources/powershell_installed_iis_modules.yml
index 3e466057a5..ddb49cbdf7 100644
--- a/data_sources/powershell_installed_iis_modules.yml
+++ b/data_sources/powershell_installed_iis_modules.yml
@@ -6,22 +6,22 @@ author: Patrick Bareiss, Splunk
description: Logs the list of installed IIS modules retrieved using PowerShell, including
details about their names and statuses.
mitre_components:
- - Service Metadata
- - Configuration Modification
- - OS API Execution
- - Application Log Content
+- Service Metadata
+- Configuration Modification
+- OS API Execution
+- Application Log Content
source: powershell://AppCmdModules
sourcetype: Pwsh:InstalledIISModules
supported_TA: []
fields:
- - _time
- - Schema
- - host
- - index
- - linecount
- - punct
- - source
- - sourcetype
- - splunk_server
- - timestamp
+- _time
+- Schema
+- host
+- index
+- linecount
+- punct
+- source
+- sourcetype
+- splunk_server
+- timestamp
example_log: Schema="Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema"
diff --git a/data_sources/powershell_script_block_logging_4104.yml b/data_sources/powershell_script_block_logging_4104.yml
index 67794c1e47..99f3ace10f 100644
--- a/data_sources/powershell_script_block_logging_4104.yml
+++ b/data_sources/powershell_script_block_logging_4104.yml
@@ -6,92 +6,91 @@ author: Patrick Bareiss, Splunk
description: Logs detailed content of PowerShell script blocks as they are executed,
including the full command text and context for the execution.
mitre_components:
- - Script Execution
- - Command Execution
- - Process Metadata
- - OS API Execution
- - Application Log Content
+- Script Execution
+- Command Execution
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 4104
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - ActivityID
- - Channel
- - Computer
- - EventCode
- - EventData_Xml
- - EventID
- - EventRecordID
- - Guid
- - Keywords
- - Level
- - MessageNumber
- - MessageTotal
- - Name
- - Opcode
- - Path
- - ProcessID
- - RecordNumber
- - ScriptBlockId
- - ScriptBlockText
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - UserID
- - Version
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - punct
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user_id
- - vendor_product
+- _time
+- ActivityID
+- Channel
+- Computer
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- MessageNumber
+- MessageTotal
+- Name
+- Opcode
+- Path
+- ProcessID
+- RecordNumber
+- ScriptBlockId
+- ScriptBlockText
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserID
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
field_mappings:
- - data_model: cim
- data_set: Endpoint.Processes
- mapping:
- Computer: Processes.dest
- Path: Processes.process_path
- ScriptBlockId: Processes.process_id
- ScriptBlockText: Processes.process
- UserID: Processes.user_id
- - data_model: ocsf
- mapping:
- Computer: device.hostname
- Path: process.file.path
- ScriptBlockId: process.uid
- ScriptBlockText: process.cmd_line
- UserID: actor.user.uid
+- data_model: cim
+ data_set: Endpoint.Processes
+ mapping:
+ Computer: Processes.dest
+ Path: Processes.process_path
+ ScriptBlockId: Processes.process_id
+ ScriptBlockText: Processes.process
+ UserID: Processes.user_id
+- data_model: ocsf
+ mapping:
+ Computer: device.hostname
+ Path: process.file.path
+ ScriptBlockId: process.uid
+ ScriptBlockText: process.cmd_line
+ UserID: actor.user.uid
example_log: 4104152150x04104152150x0112748Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-270.attackrange.local154100x8000000000000000154100x80000000000000004522Microsoft-Windows-Sysmon/Operationalwin-dc-6764986.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-6764986.attackrange.local-2020-10-08
11:03:46.615{96128EA2-F212-5F7E-E400-000000007F01}2296C:\Windows\System32\cmd.exeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{96128EA2-F211-5F7E-DF00-000000007F01}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand
- 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
+ Name='ParentCommandLine'>"powershell.exe" -noninteractive -encodedcommand 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
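Review bot: The rewritten `example_log` tail adds a raw XML attribute fragment (`Name='ParentCommandLine'>...`) to a sample whose other tags have been stripped, and the record it extends looks like a Sysmon process-creation event (Microsoft-Windows-Sysmon/Operational channel, MD5/SHA256/IMPHASH values, `ParentCommandLine`) rather than a PowerShell 4104 event. As a result the sample never shows `ScriptBlockText`, `ScriptBlockId` or `Path`, the very fields the cim and ocsf `field_mappings` in this hunk rely on, so nobody can validate the mappings against it. I would replace the whole value with one complete 4104 record, written as a block scalar (`example_log: |-`) so the XML survives without folding; the first five lines of the file are outside this hunk.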
diff --git a/data_sources/sysmon_eventid_10.yml b/data_sources/sysmon_eventid_10.yml
index 6197a6a241..844e023f1a 100644
--- a/data_sources/sysmon_eventid_10.yml
+++ b/data_sources/sysmon_eventid_10.yml
@@ -6,104 +6,102 @@ author: Patrick Bareiss, Splunk
description: Logs events where one process accesses another process, typically for
memory reads or injections, including details about the source and target processes.
mitre_components:
- - Process Access
- - Process Metadata
- - Application Log Content
- - OS API Execution
+- Process Access
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 10
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- - name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
- - _time
- - CallTrace
- - Channel
- - Computer
- - EventChannel
- - EventCode
- - EventData_Xml
- - EventDescription
- - EventID
- - EventRecordID
- - GrantedAccess
- - Guid
- - Keywords
- - Level
- - Name
- - Opcode
- - ProcessID
- - RecordID
- - RecordNumber
- - RuleName
- - SecurityID
- - SourceImage
- - SourceProcessGUID
- - SourceProcessId
- - SourceThreadId
- - SystemTime
- - System_Props_Xml
- - TargetImage
- - TargetProcessGUID
- - TargetProcessId
- - Task
- - ThreadID
- - TimeCreated
- - UserID
- - UtcTime
- - Version
- - action
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - granted_access
- - host
- - id
- - index
- - linecount
- - os
- - parent_process_exec
- - parent_process_guid
- - parent_process_id
- - parent_process_name
- - parent_process_path
- - process_exec
- - process_guid
- - process_id
- - process_name
- - process_path
- - punct
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user_id
- - vendor_product
+- _time
+- CallTrace
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- GrantedAccess
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SourceImage
+- SourceProcessGUID
+- SourceProcessId
+- SourceThreadId
+- SystemTime
+- System_Props_Xml
+- TargetImage
+- TargetProcessGUID
+- TargetProcessId
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- granted_access
+- host
+- id
+- index
+- linecount
+- os
+- parent_process_exec
+- parent_process_guid
+- parent_process_id
+- parent_process_name
+- parent_process_path
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
example_log: 10341000x800000000000000010341000x8000000000000000150624412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01
21:01:44.670{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe11241100x800000000000000011241100x80000000000000007712490Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-84.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-84.attackrange.localDownloads2023-02-08 13:01:11.053{0F9A6540-A70E-63E2-3091-00000000BD02}9332C:\Users\Administrator\Downloads\mimikatz_trunk\x64\mimikatz.exe9332C:\Users\Administrator\Downloads\mimikatz_trunk\x64\mimikatz.exeC:\Users\Administrator\Downloads\mimikatz_trunk\x64\CURRENT_USER_My_4_atomic@art2.local.pfx2023-02-08 13:01:11.053
diff --git a/data_sources/sysmon_eventid_12.yml b/data_sources/sysmon_eventid_12.yml
index 57e13fb712..b1fe5f0b54 100644
--- a/data_sources/sysmon_eventid_12.yml
+++ b/data_sources/sysmon_eventid_12.yml
@@ -6,102 +6,99 @@ author: Patrick Bareiss, Splunk
description: Logs the creation of a new registry key, including details about the
key name, registry path, and associated process metadata.
mitre_components:
- - Windows Registry Key Creation
- - Process Metadata
- - Application Log Content
- - OS API Execution
+- Windows Registry Key Creation
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 12
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- - name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
- - _time
- - Channel
- - Computer
- - EventChannel
- - EventCode
- - EventData_Xml
- - EventDescription
- - EventID
- - EventRecordID
- - EventType
- - Guid
- - Image
- - Keywords
- - Level
- - Name
- - Opcode
- - ProcessGuid
- - ProcessID
- - ProcessId
- - RecordID
- - RecordNumber
- - RuleName
- - SecurityID
- - SystemTime
- - System_Props_Xml
- - TargetObject
- - Task
- - ThreadID
- - TimeCreated
- - UserID
- - UtcTime
- - Version
- - action
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - object_category
- - object_path
- - process_exec
- - process_guid
- - process_id
- - process_name
- - process_path
- - punct
- - registry_hive
- - registry_key_name
- - registry_path
- - severity_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - status
- - tag
- - tag::eventtype
- - tag::object_category
- - timeendpos
- - timestartpos
- - user_id
- - vendor_product
+- _time
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- EventType
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- TargetObject
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- object_category
+- object_path
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- registry_hive
+- registry_key_name
+- registry_path
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- tag::object_category
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
example_log: 12241200x800000000000000012241200x80000000000000001055579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteKey2021-07-12 08:10:32.592{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112_Classes\exefile\shell\runas\command
diff --git a/data_sources/sysmon_eventid_13.yml b/data_sources/sysmon_eventid_13.yml
index d533ac7a5c..e586cf23e2 100644
--- a/data_sources/sysmon_eventid_13.yml
+++ b/data_sources/sysmon_eventid_13.yml
@@ -6,116 +6,114 @@ author: Patrick Bareiss, Splunk
description: Logs changes to a registry key, including details about the modified
key, value, and associated process.
mitre_components:
- - Windows Registry Key Modification
- - Process Metadata
- - Application Log Content
- - OS API Execution
+- Windows Registry Key Modification
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 13
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- - name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
- - _time
- - Channel
- - Computer
- - Details
- - EventChannel
- - EventCode
- - EventData_Xml
- - EventDescription
- - EventID
- - EventRecordID
- - EventType
- - Guid
- - Image
- - Keywords
- - Level
- - Name
- - Opcode
- - ProcessGuid
- - ProcessID
- - ProcessId
- - RecordID
- - RecordNumber
- - RegistryValueData
- - RegistryValueType
- - RuleName
- - SecurityID
- - SystemTime
- - System_Props_Xml
- - TargetObject
- - Task
- - ThreadID
- - TimeCreated
- - UserID
- - UtcTime
- - Version
- - action
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - object_category
- - object_path
- - process_exec
- - process_guid
- - process_id
- - process_name
- - process_path
- - punct
- - registry_hive
- - registry_key_name
- - registry_path
- - registry_value_data
- - registry_value_name
- - registry_value_type
- - severity_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - status
- - tag
- - tag::eventtype
- - tag::object_category
- - timeendpos
- - timestartpos
- - user_id
- - vendor_product
+- _time
+- Channel
+- Computer
+- Details
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- EventType
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RecordNumber
+- RegistryValueData
+- RegistryValueType
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- TargetObject
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- object_category
+- object_path
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- registry_hive
+- registry_key_name
+- registry_path
+- registry_value_data
+- registry_value_name
+- registry_value_type
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- tag::object_category
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
field_mappings:
- - data_model: cim
- data_set: Endpoint.Registry
- mapping:
- Computer: Registry.dest
- ProcessGuid: Registry.process_guid
- ProcessId: Registry.process_id
- TargetObject: Registry.registry_path
- Details: Registry.registry_value_data
+- data_model: cim
+ data_set: Endpoint.Registry
+ mapping:
+ Computer: Registry.dest
+ ProcessGuid: Registry.process_guid
+ ProcessId: Registry.process_id
+ TargetObject: Registry.registry_path
+ Details: Registry.registry_value_data
example_log: 13241300x800000000000000013241300x8000000000000000810987Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exe15241500x800000000000000015241500x8000000000000000667860Microsoft-Windows-Sysmon/Operationalproject-mumbai-hostMicrosoft-Windows-Sysmon/Operationalproject-mumbai-host-2021-04-28
20:11:34.709{ED2ECF8A-C154-6089-F967-00000000BB01}7000C:\Users\DefaultAccount\AppData\Roaming\Telegram
Desktop\Telegram.exeC:\Users\DefaultAccount\Downloads\Telegram
Desktop\Good(NLA).txt:Zone.Identifier2021-04-28
- 20:11:33.238MD5=C785C55D5FA3443A11B8417209C4B524,SHA256=D07777E0DC36EBECCE3FA9644F0F44DC4A0B7EDE0CBC1F5D33E8D6CB07AF5B5C,IMPHASH=00000000000000000000000000000000MD5=C785C55D5FA3443A11B8417209C4B524,SHA256=D07777E0DC36EBECCE3FA9644F0F44DC4A0B7EDE0CBC1F5D33E8D6CB07AF5B5C,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3
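Review bot: Deleting only the last line of `example_log` leaves the sample truncated mid-record: after the `SetValue` event for `lsass.exe` the remaining text still carries what appears to be a second Sysmon record (a repeated channel/host pair and a `Zone.Identifier` stream path), which now ends on a bare date `2021-04-28` with no time or value data. Either drop that second record entirely so the example is a single EventID 13 event, or keep it intact; a half-record is misleading for anyone checking the `Details: Registry.registry_value_data` mapping against the sample. The first five lines of the file are outside this hunk.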
diff --git a/data_sources/sysmon_eventid_17.yml b/data_sources/sysmon_eventid_17.yml
index 17f9cba91f..b871828540 100644
--- a/data_sources/sysmon_eventid_17.yml
+++ b/data_sources/sysmon_eventid_17.yml
@@ -5,92 +5,90 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Sysmon EventID 17 logs details about the detection of a named pipe.
mitre_components:
- - Named Pipe Metadata
+- Named Pipe Metadata
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 17
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- - name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
- - _time
- - Channel
- - Computer
- - EventChannel
- - EventCode
- - EventData_Xml
- - EventDescription
- - EventID
- - EventRecordID
- - EventType
- - Guid
- - Image
- - Keywords
- - Level
- - Name
- - Opcode
- - PipeName
- - ProcessGuid
- - ProcessID
- - ProcessId
- - RecordID
- - RecordNumber
- - RuleName
- - SecurityID
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - TimeCreated
- - UserID
- - UtcTime
- - Version
- - action
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - os
- - pipe_name
- - process_exec
- - process_guid
- - process_id
- - process_name
- - process_path
- - punct
- - severity_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user_id
- - vendor_product
+- _time
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- EventType
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- PipeName
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- os
+- pipe_name
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
example_log: 17141700x800000000000000017141700x8000000000000000162168Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-CreatePipe2021-04-19 21:00:18.288{761B69BB-EF62-607D-B211-00000000BA01}6960\MSSE-1516-server18141800x800000000000000018141800x8000000000000000162173Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-ConnectPipe2021-04-19 21:00:19.312{761B69BB-EF62-607D-B211-00000000BA01}6960\MSSE-1516-server20342000x800000000000000020342000x80000000000000006249Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-WmiConsumerEvent2020-12-08 13:54:48.514DeletedATTACKRANGE\Administrator "AtomicRedTeam-WMIPersistence-Example"21342100x800000000000000021342100x8000000000000000151644Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-WmiBindingEvent2021-06-16 21:46:50.222ModifiedWIN-HOST-14\Administrator "CommandLineEventConsumer.Name=\"Evil
diff --git a/data_sources/sysmon_eventid_22.yml b/data_sources/sysmon_eventid_22.yml
index a40a8dc863..c8c1f78cdd 100644
--- a/data_sources/sysmon_eventid_22.yml
+++ b/data_sources/sysmon_eventid_22.yml
@@ -6,94 +6,92 @@ author: Patrick Bareiss, Splunk
description: Logs DNS query events, including details about the queried domain, source
IP, query type, and response data.
mitre_components:
- - Passive DNS
- - Active DNS
- - Network Traffic Content
- - Network Traffic Flow
- - Application Log Content
+- Passive DNS
+- Active DNS
+- Network Traffic Content
+- Network Traffic Flow
+- Application Log Content
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 22
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- - name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
- - _time
- - Channel
- - Computer
- - EventChannel
- - EventCode
- - EventData_Xml
- - EventDescription
- - EventID
- - EventRecordID
- - Guid
- - Image
- - Keywords
- - Level
- - Name
- - Opcode
- - ProcessGuid
- - ProcessID
- - ProcessId
- - QueryName
- - QueryResults
- - QueryStatus
- - RecordID
- - RecordNumber
- - RuleName
- - SecurityID
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - TimeCreated
- - UserID
- - UtcTime
- - Version
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - process_exec
- - process_guid
- - process_name
- - punct
- - query
- - query_count
- - reply_code_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - src
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user_id
- - vendor_product
+- _time
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- QueryName
+- QueryResults
+- QueryStatus
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- process_exec
+- process_guid
+- process_name
+- punct
+- query
+- query_count
+- reply_code_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
example_log: 22542200x800000000000000022542200x8000000000000000113892Microsoft-Windows-Sysmon/Operationalwin-dc-299.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-299.attackrange.local-2021-03-24
12:25:12.840{3CFDEE80-2F7D-605B-F50A-00000000AE01}717250.220.65.3.spam.dnsbl.sorbs.net23542300x800000000000000023542300x8000000000000000281771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01
10:57:09.814{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\Administrator354300x8000000000000000354300x8000000000000000156837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15
12:56:19.679{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exe534500x8000000000000000534500x800000000000000039965Microsoft-Windows-Sysmon/Operationalwin-dc-654.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-654.attackrange.local-2021-03-16
14:01:44.004{26337912-BA32-6050-3506-00000000AE01}8672C:\Users\Public\steam.exe
diff --git a/data_sources/sysmon_eventid_6.yml b/data_sources/sysmon_eventid_6.yml
index d019cb51cf..c9d0d5d247 100644
--- a/data_sources/sysmon_eventid_6.yml
+++ b/data_sources/sysmon_eventid_6.yml
@@ -6,97 +6,94 @@ author: Patrick Bareiss, Splunk
description: Logs the loading of a driver into the kernel or user mode, including
details about the driver name, file path, and associated process metadata.
mitre_components:
- - Driver Load
- - Process Metadata
- - Application Log Content
- - OS API Execution
+- Driver Load
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 6
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- - name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
- - _time
- - Channel
- - Computer
- - EventChannel
- - EventCode
- - EventData_Xml
- - EventDescription
- - EventID
- - EventRecordID
- - Guid
- - Hashes
- - ImageLoaded
- - Keywords
- - Level
- - MD5
- - Name
- - Opcode
- - ProcessID
- - RecordID
- - RecordNumber
- - RuleName
- - SHA256
- - SecurityID
- - Signature
- - SignatureStatus
- - Signed
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - TimeCreated
- - UserID
- - UtcTime
- - Version
- - action
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - os
- - process_hash
- - process_path
- - punct
- - service_signature_exists
- - service_signature_verified
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user_id
- - vendor_product
+- _time
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Hashes
+- ImageLoaded
+- Keywords
+- Level
+- MD5
+- Name
+- Opcode
+- ProcessID
+- RecordID
+- RecordNumber
+- RuleName
+- SHA256
+- SecurityID
+- Signature
+- SignatureStatus
+- Signed
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- os
+- process_hash
+- process_path
+- punct
+- service_signature_exists
+- service_signature_verified
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
example_log: 644600x8000000000000000644600x800000000000000015708989Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-04-04
- 17:37:04.640C:\Program
- Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6trueRiverbed Technology, Inc.Valid
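Review bot: Removing these two lines truncates `example_log` so the new sample ends at the date `2022-04-04` and no longer contains the driver path, hash list, `Signed`, `Signature` or `SignatureStatus` values, yet `Hashes`, `ImageLoaded`, `MD5`, `SHA256`, `Signed`, `Signature` and `SignatureStatus` are still listed under `fields` in this hunk. For a driver-load data source those signature and hash fields are the ones detections key on, so the example should still demonstrate them. I would restore the full record, ideally as a block scalar (`example_log: |-`) so the long path is not folded across lines. The first five lines of the file are outside this hunk.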
diff --git a/data_sources/sysmon_eventid_7.yml b/data_sources/sysmon_eventid_7.yml
index 23a3dcf3a1..8c5dcd335e 100644
--- a/data_sources/sysmon_eventid_7.yml
+++ b/data_sources/sysmon_eventid_7.yml
@@ -6,120 +6,117 @@ author: Patrick Bareiss, Splunk
description: Logs the loading of an image (module) into a process, including details
about the image name, file path, and hash information.
mitre_components:
- - Module Load
- - Process Metadata
- - File Metadata
- - Application Log Content
- - OS API Execution
+- Module Load
+- Process Metadata
+- File Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 7
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- - name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
- - _time
- - Channel
- - Company
- - Computer
- - Description
- - EventChannel
- - EventCode
- - EventData_Xml
- - EventDescription
- - EventID
- - EventRecordID
- - FileVersion
- - Guid
- - Hashes
- - IMPHASH
- - Image
- - ImageLoaded
- - Keywords
- - Level
- - MD5
- - Name
- - Opcode
- - OriginalFileName
- - ProcessGuid
- - ProcessID
- - ProcessId
- - Product
- - RecordID
- - RecordNumber
- - RuleName
- - SHA256
- - SecurityID
- - Signature
- - SignatureStatus
- - Signed
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - TimeCreated
- - User
- - UserID
- - UtcTime
- - Version
- - action
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - os
- - parent_process_exec
- - parent_process_guid
- - parent_process_id
- - parent_process_name
- - parent_process_path
- - process_exec
- - process_hash
- - process_name
- - process_path
- - punct
- - service_dll_signature_exists
- - service_dll_signature_verified
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::action
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_id
- - vendor_product
+- _time
+- Channel
+- Company
+- Computer
+- Description
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- FileVersion
+- Guid
+- Hashes
+- IMPHASH
+- Image
+- ImageLoaded
+- Keywords
+- Level
+- MD5
+- Name
+- Opcode
+- OriginalFileName
+- ProcessGuid
+- ProcessID
+- ProcessId
+- Product
+- RecordID
+- RecordNumber
+- RuleName
+- SHA256
+- SecurityID
+- Signature
+- SignatureStatus
+- Signed
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- User
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- os
+- parent_process_exec
+- parent_process_guid
+- parent_process_id
+- parent_process_name
+- parent_process_path
+- process_exec
+- process_hash
+- process_name
+- process_path
+- punct
+- service_dll_signature_exists
+- service_dll_signature_verified
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_id
+- vendor_product
example_log: 734700x8000000000000000734700x800000000000000045273Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localMicrosoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-09-12
08:06:31.433{8814F3F5-1C07-6500-9600-000000000E03}4440C:\Users\Administrator\AppData\Local\Temp\server.exeC:\Users\Administrator\AppData\Local\Temp\server.exe-----MD5=696CBE2CB6F7FAC5ED6262BCA51238BB,SHA256=43005D86607DC94C7D378AA1B8844947BAA03860652F2F2340266061AF12E524,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744--MD5=696CBE2CB6F7FAC5ED6262BCA51238BB,SHA256=43005D86607DC94C7D378AA1B8844947BAA03860652F2F2340266061AF12E524,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-UnavailableATTACKRANGE\Administrator
diff --git a/data_sources/sysmon_eventid_8.yml b/data_sources/sysmon_eventid_8.yml
index 086d972abf..bb8b3a983b 100644
--- a/data_sources/sysmon_eventid_8.yml
+++ b/data_sources/sysmon_eventid_8.yml
@@ -6,106 +6,104 @@ author: Patrick Bareiss, Splunk
description: Logs the creation of a new thread in a process, including details about
the thread ID, start address, and source process.
mitre_components:
- - Process Modification
- - Process Metadata
- - Application Log Content
- - OS API Execution
+- Process Modification
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
separator_value: 8
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- - name: Splunk Add-on for Sysmon
- url: https://splunkbase.splunk.com/app/5709
- version: 4.0.2
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709
+ version: 4.0.2
fields:
- - _time
- - Channel
- - Computer
- - EventChannel
- - EventCode
- - EventData_Xml
- - EventDescription
- - EventID
- - EventRecordID
- - Guid
- - Keywords
- - Level
- - Name
- - NewThreadId
- - Opcode
- - ProcessID
- - RecordID
- - RecordNumber
- - RuleName
- - SecurityID
- - SourceImage
- - SourceProcessGuid
- - SourceProcessId
- - StartAddress
- - StartFunction
- - StartModule
- - SystemTime
- - System_Props_Xml
- - TargetImage
- - TargetProcessGuid
- - TargetProcessId
- - Task
- - ThreadID
- - TimeCreated
- - UserID
- - UtcTime
- - Version
- - action
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - os
- - parent_process_exec
- - parent_process_guid
- - parent_process_id
- - parent_process_name
- - parent_process_path
- - process_exec
- - process_guid
- - process_id
- - process_name
- - process_path
- - punct
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - src_address
- - src_function
- - src_module
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user_id
- - vendor_product
+- _time
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- NewThreadId
+- Opcode
+- ProcessID
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SourceImage
+- SourceProcessGuid
+- SourceProcessId
+- StartAddress
+- StartFunction
+- StartModule
+- SystemTime
+- System_Props_Xml
+- TargetImage
+- TargetProcessGuid
+- TargetProcessId
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- os
+- parent_process_exec
+- parent_process_guid
+- parent_process_id
+- parent_process_name
+- parent_process_path
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_address
+- src_function
+- src_module
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
example_log: 824800x8000000000000000824800x8000000000000000362233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-487.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-487.attackrange.local-2022-10-27
13:59:12.427{3381F800-8EB0-635A-1306-000000008A02}4864C:\Windows\SysWOW64\wermgr.exe924900x8000000000000000924900x8000000000000000190607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localMicrosoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25
12:25:33.359{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe\Device\HarddiskVolume1
diff --git a/data_sources/sysmon_for_linux_eventid_1.yml b/data_sources/sysmon_for_linux_eventid_1.yml
index 5850fd83d6..e8c72edc4e 100644
--- a/data_sources/sysmon_for_linux_eventid_1.yml
+++ b/data_sources/sysmon_for_linux_eventid_1.yml
@@ -6,113 +6,111 @@ author: Patrick Bareiss, Splunk
description: Logs process creation events on Linux systems, including details about
the process name, process ID, command line arguments, and parent process ID.
mitre_components:
- - Process Creation
- - Command Execution
- - Process Metadata
- - OS API Execution
- - Application Log Content
+- Process Creation
+- Command Execution
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
separator: EventID
separator_value: 1
supported_TA:
- - name: Splunk Add-on for Sysmon for Linux
- url: https://splunkbase.splunk.com/app/6652
- version: 1.0.0
+- name: Splunk Add-on for Sysmon for Linux
+ url: https://splunkbase.splunk.com/app/6652
+ version: 1.0.0
fields:
- - _time
- - Channel
- - CommandLine
- - Company
- - Computer
- - CurrentDirectory
- - Description
- - EventChannel
- - EventCode
- - EventData_Xml
- - EventDescription
- - EventID
- - EventRecordID
- - FileVersion
- - Guid
- - Hashes
- - Image
- - IntegrityLevel
- - Keywords
- - Level
- - LogonGuid
- - LogonId
- - Name
- - Opcode
- - OriginalFileName
- - ParentCommandLine
- - ParentImage
- - ParentProcessGuid
- - ParentProcessId
- - ParentUser
- - ProcessGuid
- - ProcessID
- - ProcessId
- - Product
- - RecordID
- - RuleName
- - SystemTime
- - System_Props_Xml
- - Task
- - TerminalSessionId
- - ThreadID
- - User
- - UserId
- - UtcTime
- - Version
- - action
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - eventtype
- - host
- - index
- - linecount
- - original_file_name
- - os
- - parent_process
- - parent_process_exec
- - parent_process_guid
- - parent_process_id
- - parent_process_name
- - parent_process_path
- - process
- - process_current_directory
- - process_exec
- - process_guid
- - process_hash
- - process_id
- - process_integrity_level
- - process_name
- - process_path
- - punct
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - vendor_product
-example_log: 154100x8000000000000000154100x80000000000000001926574Linux-Sysmon/Operationalar-linuxLinux-Sysmon/Operationalar-linux-2022-08-09
10:42:47.757{ec23eae3-3a27-62f2-085e-16549b550000}10268/usr/bin/sudo-11241100x800000000000000011241100x8000000000000000792913Linux-Sysmon/Operationalsysmonlinux-tcontreras-attack-range-4134Linux-Sysmon/Operationalsysmonlinux-tcontreras-attack-range-4134-2021-12-20
16:07:17.929{ec2c97d1-6aa9-61c0-3038-618238560000}5256/opt/splunkforwarder/bin/splunkd4688201331200x80200000000000004688201331200x8020000000000000362027Securityar-win-2.attackrange.localSecurityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa44C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe228202000x80000000000000228202000x800000000000001001307Applicationwin-dc-exch01.attackrange.localc:\temp\msf.dllAMD64C1000000
+ ProcessID='0' ThreadID='0'/>Applicationwin-dc-exch01.attackrange.localc:\temp\msf.dllAMD64C1000000
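Review bot: The new side of `example_log` in this hunk does not represent the declared source (`source: Syslog:Linux-Sysmon/Operational`, `sourcetype: sysmon:linux`): the added continuation line `+ ProcessID='0' ThreadID='0'/>Applicationwin-dc-exch01.attackrange.localc:\temp\msf.dllAMD64C1000000` looks like the tail of a Windows `<Execution .../>` element from an Application-channel record, and the lines above it already run into `Securityar-win-2.attackrange.local` / `NT AUTHORITY\SYSTEM` content, so as rendered here the value appears to be several Windows events concatenated after the Linux `sudo` and `splunkd` records with the XML markup lost. A sample that mixes channels misleads anyone validating field extractions or the `separator_value: 1` split against it, so keep `example_log` to a single Linux Sysmon event ID 1 record and write it as a block scalar (`example_log: |-`) so stray `.../>` fragments cannot be folded into a plain multi-line scalar. The same shape appears in the `windows_event_log_remoteconnectionmanager_1149.yml` hunk, where the added ` UserID='S-1-5-20'/>AdministratorATTACKRANGE10.0.1.14` line repeats the user/domain/IP tail of the line above it. This view also shows no `+`-side `fields:` items for this file although the header counts 111 new-side lines, so the re-indented list may have been lost in rendering rather than in the patch — worth confirming against the patched file.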
diff --git a/data_sources/windows_event_log_application_3000.yml b/data_sources/windows_event_log_application_3000.yml
index f7588b104a..a3dcec0bda 100644
--- a/data_sources/windows_event_log_application_3000.yml
+++ b/data_sources/windows_event_log_application_3000.yml
@@ -6,70 +6,68 @@ author: Patrick Bareiss, Splunk
description: Logs the termination of a process, including details about the process,
its termination code, and timestamp.
mitre_components:
- - Process Termination
- - Process Metadata
- - Application Log Content
- - OS API Execution
+- Process Termination
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Application
sourcetype: XmlWinEventLog
separator: EventCode
separator_value: 3000
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - Channel
- - Computer
- - Error_Code
- - EventCode
- - EventData_Xml
- - EventRecordID
- - EventSourceName
- - Guid
- - Keywords
- - Level
- - Name
- - Opcode
- - ProcessID
- - Qualifiers
- - RecordNumber
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - UserID
- - Version
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - param1
- - param2
- - param3
- - punct
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - timestamp
- - user_id
- - vendor_product
+- _time
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventRecordID
+- EventSourceName
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- Qualifiers
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserID
+- Version
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- param1
+- param2
+- param3
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timestamp
+- user_id
+- vendor_product
example_log: 300004000x80000000000000300004000x8000000000000021334Applicationwin-host-mhaag-attack-range-117Applicationwin-host-mhaag-attack-range-117C:\Windows\System32\klist.exe001d8c3afcf370d13
diff --git a/data_sources/windows_event_log_capi2_70.yml b/data_sources/windows_event_log_capi2_70.yml
index 1ace202695..cc9a329fac 100644
--- a/data_sources/windows_event_log_capi2_70.yml
+++ b/data_sources/windows_event_log_capi2_70.yml
@@ -6,73 +6,71 @@ author: Patrick Bareiss, Splunk
description: This event log records events related to cryptographic operations, including
the deletion and export of certificates.
mitre_components:
- - Certificate Registration
- - Process Metadata
- - Application Log Content
- - OS API Execution
- - Host Status
+- Certificate Registration
+- Process Metadata
+- Application Log Content
+- OS API Execution
+- Host Status
source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 70
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - Channel
- - Computer
- - EventCode
- - EventID
- - EventRecordID
- - Guid
- - Keywords
- - Level
- - Name
- - Opcode
- - ProcessID
- - RecordNumber
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - UserData_Xml
- - UserID
- - Version
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - punct
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user_id
- - vendor_product
+- _time
+- Channel
+- Computer
+- EventCode
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserData_Xml
+- UserID
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
example_log: 70047000x400000000000008070047000x4000000000000080308332Microsoft-Windows-CAPI2/Operationalwin-dc-mhaag-attack-range-84.attackrange.localMicrosoft-Windows-CAPI2/Operationalwin-dc-mhaag-attack-range-84.attackrange.local81028020x400000000000004081028020x40000000000000402400597Microsoft-Windows-CAPI2/Operationalmswin-server.attackrange.localMicrosoft-Windows-CAPI2/Operationalmswin-server.attackrange.local{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}WTD_UI_NONEWTD_STATEACTION_VERIFY2021-01-07T23:21:42.655Z2021-01-07T23:21:42.655ZThe digital signature of the object did not verify.100704000x8000000000000000100704000x80000000000000002Microsoft-Windows-CertificateServicesClient-Lifecycle-System/OperationalDESKTOP-92OQLA1112103000x8000000000000000112103000x80000000000000002975Microsoft-Windows-Windows Defender/Operationalresearchvmhaa112204000x8000000000000000112204000x80000000000000003701Microsoft-Windows-Windows Defender/Operationalresearchvmhaa500704000x8000000000000000500704000x80000000000000003726Microsoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender
diff --git a/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml b/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
index 66a21053dc..c0b00aad8d 100644
--- a/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
+++ b/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
@@ -6,47 +6,47 @@ author: Michael Haag, Splunk
description: Logs an event when a Remote Desktop Protocol (RDP) client successfully
connects to a remote host.
mitre_components:
- - Network Connection Creation
- - Logon Session Creation
+- Network Connection Creation
+- Logon Session Creation
source: WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational
sourcetype: WinEventLog
separator: EventCode
supported_TA: []
fields:
- - _time
- - Channel
- - Computer
- - EventCode
- - EventData
- - EventID
- - EventRecordID
- - EventType
- - Keywords
- - Level
- - Message
- - Opcode
- - ProcessID
- - RecordNumber
- - Security_ID
- - Src
- - Src_Host
- - Src_NT_Domain
- - Src_User
- - System_TimeCreated
- - Task
- - ThreadID
- - Type
- - User
- - UserID
- - Version
- - dest
- - dvc
- - event_id
- - host
- - source
- - sourcetype
- - tag
- - user
+- _time
+- Channel
+- Computer
+- EventCode
+- EventData
+- EventID
+- EventRecordID
+- EventType
+- Keywords
+- Level
+- Message
+- Opcode
+- ProcessID
+- RecordNumber
+- Security_ID
+- Src
+- Src_Host
+- Src_NT_Domain
+- Src_User
+- System_TimeCreated
+- Task
+- ThreadID
+- Type
+- User
+- UserID
+- Version
+- dest
+- dvc
+- event_id
+- host
+- source
+- sourcetype
+- tag
+- user
example_log: 11/21/2024 06:09:16 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational
EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED
Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore
diff --git a/data_sources/windows_event_log_printservice_316.yml b/data_sources/windows_event_log_printservice_316.yml
index 74eecb2f6a..a13491e365 100644
--- a/data_sources/windows_event_log_printservice_316.yml
+++ b/data_sources/windows_event_log_printservice_316.yml
@@ -5,59 +5,59 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when printer drivers are installed or updated on the system.
mitre_components:
- - Driver Load
- - Driver Metadata
+- Driver Load
+- Driver Metadata
source: WinEventLog:Microsoft-Windows-PrintService/Admin
sourcetype: WinEventLog
separator: EventCode
separator_value: 316
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - ComputerName
- - EventCode
- - EventType
- - Keywords
- - LogName
- - Message
- - OpCode
- - RecordNumber
- - Sid
- - SidType
- - SourceName
- - TaskCategory
- - Type
- - User
- - category
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - punct
- - severity
- - severity_id
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - vendor_product
+- _time
+- ComputerName
+- EventCode
+- EventType
+- Keywords
+- LogName
+- Message
+- OpCode
+- RecordNumber
+- Sid
+- SidType
+- SourceName
+- TaskCategory
+- Type
+- User
+- category
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- punct
+- severity
+- severity_id
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor_product
example_log: 07/01/2021 04:20:47 PM
diff --git a/data_sources/windows_event_log_printservice_808.yml b/data_sources/windows_event_log_printservice_808.yml
index 3f73b548be..2f1c1363e4 100644
--- a/data_sources/windows_event_log_printservice_808.yml
+++ b/data_sources/windows_event_log_printservice_808.yml
@@ -6,63 +6,63 @@ author: Patrick Bareiss, Splunk
description: Logs an event when the print spooler service fails to load a printer
plug-in module.
mitre_components:
- - Module Load
- - Application Log Content
- - Service Metadata
+- Module Load
+- Application Log Content
+- Service Metadata
source: WinEventLog:Microsoft-Windows-PrintService/Admin
sourcetype: WinEventLog
separator: EventCode
separator_value: 808
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - ComputerName
- - EventCode
- - EventType
- - Keywords
- - LogName
- - Message
- - OpCode
- - RecordNumber
- - Sid
- - SidType
- - SourceName
- - TaskCategory
- - Type
- - User
- - category
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - name
- - punct
- - severity
- - severity_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - subject
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - vendor_product
+- _time
+- ComputerName
+- EventCode
+- EventType
+- Keywords
+- LogName
+- Message
+- OpCode
+- RecordNumber
+- Sid
+- SidType
+- SourceName
+- TaskCategory
+- Type
+- User
+- category
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- punct
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- subject
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor_product
example_log: 07/01/2021 04:20:47 PM
diff --git a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
index 00eb66eec2..17e1e81b90 100644
--- a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
+++ b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
@@ -5,63 +5,60 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a Remote Desktop Service session is initialized.
mitre_components:
- - Network Connection Creation
- - Logon Session Creation
- - Logon Session Metadata
-source:
- WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
+- Network Connection Creation
+- Logon Session Creation
+- Logon Session Metadata
+source: WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
sourcetype: wineventlog
separator: EventCode
separator_value: 1149
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - ActivityID
- - Channel
- - Computer
- - EventCode
- - EventID
- - EventRecordID
- - Guid
- - Keywords
- - Level
- - Name
- - Opcode
- - ProcessID
- - RecordNumber
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - UserData_Xml
- - UserID
- - Version
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - punct
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - timestamp
- - user_id
- - vendor_product
+- _time
+- ActivityID
+- Channel
+- Computer
+- EventCode
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserData_Xml
+- UserID
+- Version
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timestamp
+- user_id
+- vendor_product
example_log: 114904000x1000000000000000114904000x10000000000000002064Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operationalar-win-1.attackrange.localAdministratorATTACKRANGE10.0.1.14
+ UserID='S-1-5-20'/>AdministratorATTACKRANGE10.0.1.14
diff --git a/data_sources/windows_event_log_security_1100.yml b/data_sources/windows_event_log_security_1100.yml
index 3c118a5dfc..f926bde8c2 100644
--- a/data_sources/windows_event_log_security_1100.yml
+++ b/data_sources/windows_event_log_security_1100.yml
@@ -5,82 +5,80 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when the event logging service has shut down.
mitre_components:
- - Host Status
- - System Configuration Changes
+- Host Status
+- System Configuration Changes
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 1100
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - Channel
- - Computer
- - Error_Code
- - EventCode
- - EventID
- - EventRecordID
- - Guid
- - Keywords
- - Level
- - Name
- - Opcode
- - ProcessID
- - RecordNumber
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - UserData_Xml
- - Version
- - action
- - app
- - change_type
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - name
- - object_attrs
- - object_category
- - product
- - punct
- - service
- - service_name
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - status
- - subject
- - ta_windows_action
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - vendor
- - vendor_product
+- _time
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserData_Xml
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object_attrs
+- object_category
+- product
+- punct
+- service
+- service_name
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
example_log: 11000410300x402000000000000011000410300x4020000000000000140874Securityar-win-2Securityar-win-2
diff --git a/data_sources/windows_event_log_security_1102.yml b/data_sources/windows_event_log_security_1102.yml
index 3e46c4323f..d66920335f 100644
--- a/data_sources/windows_event_log_security_1102.yml
+++ b/data_sources/windows_event_log_security_1102.yml
@@ -5,88 +5,86 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when the audit log is cleared.
mitre_components:
- - User Account Modification
- - Logon Session Metadata
- - File Deletion
+- User Account Modification
+- Logon Session Metadata
+- File Deletion
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 1102
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - Caller_User_Name
- - Channel
- - Computer
- - Error_Code
- - EventCode
- - EventID
- - EventRecordID
- - Guid
- - Keywords
- - Level
- - LogFileCleared_Xml
- - Name
- - Opcode
- - ProcessID
- - RecordNumber
- - SubjectDomainName
- - SubjectLogonId
- - SubjectUserName
- - SubjectUserSid
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - UserData_Xml
- - Version
- - action
- - app
- - change_type
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - name
- - object_attrs
- - object_category
- - product
- - punct
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - src_user
- - status
- - subject
- - ta_windows_action
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - vendor
- - vendor_product
+- _time
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- LogFileCleared_Xml
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserData_Xml
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object_attrs
+- object_category
+- product
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
example_log: 11020410400x402000000000000011020410400x40200000000000001826166Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a27
diff --git a/data_sources/windows_event_log_security_4624.yml b/data_sources/windows_event_log_security_4624.yml
index 62d69f0c10..823b6f2dee 100644
--- a/data_sources/windows_event_log_security_4624.yml
+++ b/data_sources/windows_event_log_security_4624.yml
@@ -5,125 +5,124 @@ date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an account successfully logs on to a system.
mitre_components:
- - Logon Session Creation
- - User Account Authentication
- - Logon Session Metadata
+- Logon Session Creation
+- User Account Authentication
+- Logon Session Metadata
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 4624
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - ActivityID
- - AuthenticationPackageName
- - Caller_Domain
- - Caller_User_Name
- - Channel
- - Computer
- - ElevatedToken
- - Error_Code
- - EventCode
- - EventData_Xml
- - EventID
- - EventRecordID
- - Guid
- - ImpersonationLevel
- - IpAddress
- - IpPort
- - KeyLength
- - Keywords
- - Level
- - LmPackageName
- - LogonGuid
- - LogonProcessName
- - LogonType
- - Logon_ID
- - Logon_Type
- - Name
- - Opcode
- - ProcessID
- - ProcessId
- - ProcessName
- - RecordNumber
- - RestrictedAdminMode
- - Source_Port
- - Source_Workstation
- - SubjectDomainName
- - SubjectLogonId
- - SubjectUserName
- - SubjectUserSid
- - SystemTime
- - System_Props_Xml
- - TargetDomainName
- - TargetLinkedLogonId
- - TargetLogonId
- - TargetOutboundDomainName
- - TargetOutboundUserName
- - TargetUserName
- - TargetUserSid
- - Target_Domain
- - Target_User_Name
- - Task
- - ThreadID
- - TransmittedServices
- - Version
- - VirtualAccount
- - WorkstationName
- - action
- - app
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_nt_domain
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - name
- - process
- - process_id
- - process_name
- - process_path
- - product
- - punct
- - session_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - src_ip
- - src_port
- - status
- - subject
- - ta_windows_action
- - tag
- - tag::action
- - tag::app
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_group
- - vendor
- - vendor_product
+- _time
+- ActivityID
+- AuthenticationPackageName
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- ElevatedToken
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- ImpersonationLevel
+- IpAddress
+- IpPort
+- KeyLength
+- Keywords
+- Level
+- LmPackageName
+- LogonGuid
+- LogonProcessName
+- LogonType
+- Logon_ID
+- Logon_Type
+- Name
+- Opcode
+- ProcessID
+- ProcessId
+- ProcessName
+- RecordNumber
+- RestrictedAdminMode
+- Source_Port
+- Source_Workstation
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetLinkedLogonId
+- TargetLogonId
+- TargetOutboundDomainName
+- TargetOutboundUserName
+- TargetUserName
+- TargetUserSid
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- TransmittedServices
+- Version
+- VirtualAccount
+- WorkstationName
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- process
+- process_id
+- process_name
+- process_path
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_ip
+- src_port
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- vendor
+- vendor_product
example_log: 4624201254400x80200000000000004624201254400x8020000000000000371886Securityar-win-7.attackrange.local4625001254400x80100000000000004625001254400x8010000000000000367348Securityar-win-8.attackrange.local4627001255400x80200000000000004627001255400x8020000000000000186260Securityar-win-dc.attackrange.local4648001254400x80200000000000004648001254400x8020000000000000336567Securitywin-host-mvelazco-02713-447.attackrange.local4662001408000x80100000000000004662001408000x801000000000000021623198276Securityattack_range_dc4663101280000x80200000000000004663101280000x802000000000000010525869Securityar-win-2.attackrange.localSecurityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x6cfe7SecurityFileC:\Program
diff --git a/data_sources/windows_event_log_security_4672.yml b/data_sources/windows_event_log_security_4672.yml
index 9c507ba8bc..b56a07aae1 100644
--- a/data_sources/windows_event_log_security_4672.yml
+++ b/data_sources/windows_event_log_security_4672.yml
@@ -6,89 +6,88 @@ author: Patrick Bareiss, Splunk
description: Logs an event when a user with administrative privileges logs on to a
system.
mitre_components:
- - Logon Session Creation
- - User Account Authentication
+- Logon Session Creation
+- User Account Authentication
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 4672
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - ActivityID
- - Caller_Domain
- - Caller_User_Name
- - Channel
- - Computer
- - Error_Code
- - EventCode
- - EventData_Xml
- - EventID
- - EventRecordID
- - Guid
- - Keywords
- - Level
- - Logon_ID
- - Name
- - Opcode
- - PrivilegeList
- - ProcessID
- - RecordNumber
- - SubjectDomainName
- - SubjectLogonId
- - SubjectUserName
- - SubjectUserSid
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - Version
- - action
- - app
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - name
- - product
- - punct
- - session_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - src_nt_domain
- - src_user
- - status
- - subject
- - ta_windows_action
- - tag
- - tag::action
- - tag::eventtype
- - timeendpos
- - timestartpos
- - vendor
- - vendor_product
+- _time
+- ActivityID
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- Opcode
+- PrivilegeList
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
example_log: 4672001254800x80200000000000004672001254800x8020000000000000148946Securityar-win-6.attackrange.local4688201331200x80200000000000004688201331200x8020000000000000432820Securityar-win-1Securityar-win-1NT AUTHORITY\SYSTEMAR-WIN-1$WORKGROUP0x3e70xf84C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe4703001331700x80200000000000004703001331700x8020000000000000328761Securitywin-host-ctus-attack-range-115Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91WIN-HOST-CTUS-A\AdministratorAdministrator4719001356800x80200000000000004719001356800x8020000000000000353597Securityar-win-dc.attackrange.local4724001382400x80200000000000004724001382400x8020000000000000276779Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localTRUMAN_CLEMENTSATTACKRANGEATTACKRANGE\TRUMAN_CLEMENTSATTACKRANGE\AdministratorAdministratorATTACKRANGE4725001382400x80200000000000004725001382400x8020000000000000278771Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localWILFORD_SUTTONATTACKRANGEATTACKRANGE\WILFORD_SUTTONATTACKRANGE\AdministratorAdministratorATTACKRANGE4726001382400x80200000000000004726001382400x8020000000000000279283Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localLYNN_WOLFATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2445ATTACKRANGE\AdministratorAdministratorATTACKRANGE4738001382400x80200000000000004738001382400x80200000000000006389713Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.local-unprivATTACKRANGES-1-5-21-945660386-2529346225-2932127451-1112S-1-5-21-945660386-2529346225-2932127451-500AdministratorATTACKRANGE4739001356900x80200000000000004739001356900x8020000000000000394176Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localLockout PolicyATTACKRANGEATTACKRANGE\NT 
AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE4741001382500x80200000000000004741001382500x8020000000000000143475Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localAR-WIN-2$ATTACKRANGEATTACKRANGE\AR-WIN-2$ATTACKRANGE\AdministratorAdministratorATTACKRANGE4742001382500x80200000000000004742001382500x8020000000000000901860Securitywin-dc-root-04195-428.attackrange.localSecuritywin-dc-root-04195-428.attackrange.local-WIN-HOST-ROOT-0$ATTACKRANGES-1-5-21-199921393-3534762603-6736986-1111S-1-5-21-199921393-3534762603-6736986-500Administrator4768001433900x80100000000000004768001433900x8010000000000000391562Securitywin-dc-mvelazco-02713-392.attackrange.localSecuritywin-dc-mvelazco-02713-392.attackrange.localRXETPKZHattackrange.localNULL SIDkrbtgt/attackrange.localNULL SID0x408100104769001433700x80200000000000004769001433700x8020000000000000148521Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localAR-WIN-2$@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-2$ATTACKRANGE\AR-WIN-2$0x408100000x174771001433900x80100000000000004771001433900x8010000000000000391511Securitywin-dc-mvelazco-02713-392.attackrange.localSecuritywin-dc-mvelazco-02713-392.attackrange.localALLISON_WATERSATTACKRANGE\ALLISON_WATERSkrbtgt/attackrange.local0x408100100x182::ffff:10.0.1.154776001433600x80100000000000004776001433600x8010000000000000391615Securitywin-dc-mvelazco-02713-392.attackrange.localSecuritywin-dc-mvelazco-02713-392.attackrange.localMICROSOFT_AUTHENTICATION_PACKAGE_V1_0KSYLEFUAWIN-HOST-MVELAZ0xc0000064
diff --git a/data_sources/windows_event_log_security_4781.yml b/data_sources/windows_event_log_security_4781.yml
index eee4c4c3f3..2e6adff3c4 100644
--- a/data_sources/windows_event_log_security_4781.yml
+++ b/data_sources/windows_event_log_security_4781.yml
@@ -6,107 +6,106 @@ author: Patrick Bareiss, Splunk
description: Logs changes made to the name of a computer account, including the old
and new names and the user performing the action.
mitre_components:
- - User Account Modification
- - User Account Metadata
- - Active Directory Object Modification
- - Application Log Content
+- User Account Modification
+- User Account Metadata
+- Active Directory Object Modification
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 4781
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - ActivityID
- - Caller_Domain
- - Caller_User_Name
- - CategoryString
- - Channel
- - Computer
- - Error_Code
- - EventCode
- - EventData_Xml
- - EventID
- - EventRecordID
- - Guid
- - Keywords
- - Level
- - Logon_ID
- - Name
- - NewTargetUserName
- - OldTargetUserName
- - Opcode
- - PrivilegeList
- - ProcessID
- - RecordNumber
- - SubjectDomainName
- - SubjectLogonId
- - SubjectUserName
- - SubjectUserSid
- - SystemTime
- - System_Props_Xml
- - TargetDomainName
- - TargetSid
- - Target_Domain
- - Task
- - ThreadID
- - Version
- - action
- - app
- - change_type
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_nt_domain
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - name
- - object
- - object_attrs
- - object_category
- - object_id
- - product
- - punct
- - result
- - session_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - src_nt_domain
- - src_user
- - src_user_name
- - status
- - subject
- - ta_windows_action
- - ta_windows_security_CategoryString
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_name
- - vendor
- - vendor_product
+- _time
+- ActivityID
+- Caller_Domain
+- Caller_User_Name
+- CategoryString
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- NewTargetUserName
+- OldTargetUserName
+- Opcode
+- PrivilegeList
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetSid
+- Target_Domain
+- Task
+- ThreadID
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_name
+- vendor
+- vendor_product
example_log: 4781001382400x80200000000000004781001382400x8020000000000000148763Securityar-win-dc.attackrange.local4794001382400x80200000000000004794001382400x8020000000000000821077Securitywin-dc-root-17044-552.attackrange.local4798001382400x80200000000000004798001382400x8020000000000000386860Securityar-win-2.attackrange.local4876001280500x80200000000000004876001280500x802000000000000015379961Securitywin-dc-mhaag-attack-range-84.attackrange.local4886001280500x80200000000000004886001280500x802000000000000015379925Securitywin-dc-mhaag-attack-range-84.attackrange.local4887001280500x80200000000000004887001280500x80200000000000001830974609Securitycert_authority.attack_range.local5136001408100x80200000000000005136001408100x80200000000000001997365Securitywin-dc-mvelazco-02713-392.attackrange.local{73C96723-504B-4F15-830A-F4DDB1C48F2E}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x95675attackrange.local%%14676CN=DANNIE_CERVANTES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=localattackrange.local%%14676CN=DANNIE_CERVANTES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local{15AFB68A-679C-4F5B-AC18-4D988B3B3E44}userservicePrincipalName2.5.5.12adm/srv1.attackrange.local%%14674
diff --git a/data_sources/windows_event_log_security_5137.yml b/data_sources/windows_event_log_security_5137.yml
index 9dc78ab362..b7da687fc2 100644
--- a/data_sources/windows_event_log_security_5137.yml
+++ b/data_sources/windows_event_log_security_5137.yml
@@ -6,102 +6,99 @@ author: Patrick Bareiss, Splunk
description: Logs the creation of a new Active Directory object, including details
about the object name, type, and the user performing the action.
mitre_components:
- - Active Directory Object Creation
- - Active Directory Object Modification
- - User Account Metadata
- - Application Log Content
+- Active Directory Object Creation
+- Active Directory Object Modification
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 5137
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - AppCorrelationID
- - Caller_Domain
- - Caller_User_Name
- - Channel
- - Computer
- - DSName
- - DSType
- - Error_Code
- - EventCode
- - EventData_Xml
- - EventID
- - EventRecordID
- - Guid
- - Keywords
- - Level
- - Logon_ID
- - Name
- - ObjectClass
- - ObjectDN
- - ObjectGUID
- - OpCorrelationID
- - Opcode
- - ProcessID
- - RecordNumber
- - SubjectDomainName
- - SubjectLogonId
- - SubjectUserName
- - SubjectUserSid
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - Version
- - action
- - app
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - name
- - product
- - punct
- - session_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - src_nt_domain
- - src_user
- - status
- - subject
- - ta_windows_action
- - tag
- - tag::action
- - tag::eventtype
- - timeendpos
- - timestartpos
- - vendor
- - vendor_product
+- _time
+- AppCorrelationID
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- DSName
+- DSType
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- ObjectClass
+- ObjectDN
+- ObjectGUID
+- OpCorrelationID
+- Opcode
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
example_log: 5137001408100x80200000000000005137001408100x8020000000000000170140Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.local{681cac8c-b5a4-48fd-be93-4339996bd94d}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=localattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainer
diff --git a/data_sources/windows_event_log_security_5140.yml b/data_sources/windows_event_log_security_5140.yml
index 4fb8bf8cc6..537ad5db65 100644
--- a/data_sources/windows_event_log_security_5140.yml
+++ b/data_sources/windows_event_log_security_5140.yml
@@ -6,119 +6,117 @@ author: Patrick Bareiss, Splunk
description: Logs access to a network share, including details about the user, share
path, and the access type.
mitre_components:
- - Network Share Access
- - File Access
- - User Account Metadata
- - Application Log Content
+- Network Share Access
+- File Access
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 5140
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - AccessList
- - AccessMask
- - Caller_Domain
- - Caller_User_Name
- - Channel
- - Computer
- - Error_Code
- - EventCode
- - EventData_Xml
- - EventID
- - EventRecordID
- - Guid
- - IpAddress
- - IpPort
- - Keywords
- - Level
- - Logon_ID
- - Name
- - ObjectType
- - Opcode
- - ProcessID
- - RecordNumber
- - ShareName
- - Source_Port
- - Source_Workstation
- - SubjectDomainName
- - SubjectLogonId
- - SubjectUserName
- - SubjectUserSid
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - Version
- - action
- - app
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - file_name
- - host
- - id
- - index
- - linecount
- - name
- - product
- - punct
- - session_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - src_nt_domain
- - src_nt_host
- - src_port
- - src_user
- - status
- - subject
- - ta_windows_action
- - tag
- - tag::action
- - tag::eventtype
- - timeendpos
- - timestartpos
- - vendor
- - vendor_product
+- _time
+- AccessList
+- AccessMask
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- IpAddress
+- IpPort
+- Keywords
+- Level
+- Logon_ID
+- Name
+- ObjectType
+- Opcode
+- ProcessID
+- RecordNumber
+- ShareName
+- Source_Port
+- Source_Workstation
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- file_name
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_nt_domain
+- src_nt_host
+- src_port
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
field_mappings:
- - data_model: ocsf
- mapping:
- AccessList: access_list
- AccessMask: access_mask
- AccessReason: access_result
- ShareLocalPath: file
- ObjectType: file.type
- IpAddress: src_endpoint.ip
- IpPort: src_endpoint.port
- SubjectDomainName: actor.user.domain
- SubjectUserName: actor.user.name
- SubjectLogonId: actor.session.uid
- SubjectUserSid: actor.user.uid
+- data_model: ocsf
+ mapping:
+ AccessList: access_list
+ AccessMask: access_mask
+ AccessReason: access_result
+ ShareLocalPath: file
+ ObjectType: file.type
+ IpAddress: src_endpoint.ip
+ IpPort: src_endpoint.port
+ SubjectDomainName: actor.user.domain
+ SubjectUserName: actor.user.name
+ SubjectLogonId: actor.session.uid
+ SubjectUserSid: actor.user.uid
example_log: 5140101280800x80200000000000005140101280800x8020000000000000138541Securityar-win-66.attackrange.localSecurityar-win-66.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x2f259bFile10.0.1.16498645141001408100x80200000000000005141001408100x8020000000000000670908Securitywin-dc-range-02713-392.attackrange.local5145001281100x80200000000000005145001281100x80200000000000002018939Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localANONYMOUS LOGONANONYMOUS
LOGONATTACKRANGE0x13ef1bFile10.0.1.1550160703604000x8080000000000000703604000x8080000000000000168530Systemar-win-dc.attackrange.localsppsvcstopped7300700070007300760063002F0031000000
+ ProcessID='588' ThreadID='2272'/>Systemar-win-dc.attackrange.localsppsvcstopped7300700070007300760063002F0031000000
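Review bot: The continuation line added at the end of `example_log` (`ProcessID='588' ThreadID='2272'/>System…sppsvcstopped…`) is a stray XML attribute fragment followed by a repeat of what appears to be a System-channel service-state event, so the sample for this `XmlWinEventLog:Security` / `separator_value: 5140` source now ends in content from a different channel rather than a 5140 record; the preceding line already mixes 5141/5145 and `sppsvc stopped` text into the same scalar. Since `example_log` is what field extraction and the OCSF mapping get validated against, regenerate it from a single 5140 event rather than carrying this concatenation forward. On the same new side, `mapping` references `AccessReason` and `ShareLocalPath`, but neither appears in `fields`, so `access_result` and `file` can only be populated if the TA extracts those from EventData; either add them to `fields` if they are extracted, or drop the two mapping entries so the data source does not advertise OCSF fields it cannot fill.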
diff --git a/data_sources/windows_event_log_system_7040.yml b/data_sources/windows_event_log_system_7040.yml
index 3a5f943ee0..0f26b121a0 100644
--- a/data_sources/windows_event_log_system_7040.yml
+++ b/data_sources/windows_event_log_system_7040.yml
@@ -6,86 +6,84 @@ author: Patrick Bareiss, Splunk
description: Logs changes to the start type of a Windows service, including details
about the service name, old start type, and new start type.
mitre_components:
- - Service Modification
- - Service Metadata
- - OS API Execution
- - Application Log Content
+- Service Modification
+- Service Metadata
+- OS API Execution
+- Application Log Content
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 7040
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - Channel
- - Computer
- - Error_Code
- - EventCode
- - EventData_Xml
- - EventRecordID
- - EventSourceName
- - Guid
- - Keywords
- - Level
- - Name
- - Opcode
- - ProcessID
- - Qualifiers
- - RecordNumber
- - ServiceName
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - UserID
- - Version
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - param1
- - param2
- - param3
- - param4
- - product
- - punct
- - service
- - service_name
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - start_mode
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user_id
- - vendor
- - vendor_product
+- _time
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventRecordID
+- EventSourceName
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- Qualifiers
+- RecordNumber
+- ServiceName
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserID
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- param1
+- param2
+- param3
+- param4
+- product
+- punct
+- service
+- service_name
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- start_mode
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor
+- vendor_product
example_log: 704004000x8080000000000000704004000x8080000000000000168231Systemar-win-dc.attackrange.localSystemar-win-dc.attackrange.localPrint Spoolerdemand startdisabledSpooler
diff --git a/data_sources/windows_event_log_system_7045.yml b/data_sources/windows_event_log_system_7045.yml
index a3f5ce006a..87c78b1a51 100644
--- a/data_sources/windows_event_log_system_7045.yml
+++ b/data_sources/windows_event_log_system_7045.yml
@@ -6,86 +6,84 @@ author: Patrick Bareiss, Splunk
description: Logs the successful installation of a new Windows service, including
details about the service name, executable path, and service type.
mitre_components:
- - Service Creation
- - Service Metadata
- - OS API Execution
- - Process Metadata
+- Service Creation
+- Service Metadata
+- OS API Execution
+- Process Metadata
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
separator_value: 7045
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - AccountName
- - Channel
- - Computer
- - Error_Code
- - EventCode
- - EventData_Xml
- - EventRecordID
- - EventSourceName
- - Guid
- - ImagePath
- - Keywords
- - Level
- - Name
- - Opcode
- - ProcessID
- - Qualifiers
- - RecordNumber
- - ServiceName
- - ServiceType
- - StartType
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - UserID
- - Version
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - product
- - punct
- - service
- - service_name
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - start_mode
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user_id
- - vendor
- - vendor_product
+- _time
+- AccountName
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventRecordID
+- EventSourceName
+- Guid
+- ImagePath
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- Qualifiers
+- RecordNumber
+- ServiceName
+- ServiceType
+- StartType
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserID
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- product
+- punct
+- service
+- service_name
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- start_mode
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor
+- vendor_product
example_log: 704504000x8080000000000000704504000x8080000000000000168145Systemar-win-dc.attackrange.localSystemar-win-dc.attackrange.localKrbSCMpowershell.exe -WindowStyle
Hiddenestno'
diff --git a/data_sources/windows_event_log_taskscheduler_200.yml b/data_sources/windows_event_log_taskscheduler_200.yml
index 4a29c55df5..2348f6b3f8 100644
--- a/data_sources/windows_event_log_taskscheduler_200.yml
+++ b/data_sources/windows_event_log_taskscheduler_200.yml
@@ -6,80 +6,79 @@ author: Patrick Bareiss, Splunk
description: Logs the successful registration of a new scheduled task in Windows Task
Scheduler, including task details and configurations.
mitre_components:
- - Scheduled Job Creation
- - Scheduled Job Metadata
- - Service Creation
- - OS API Execution
+- Scheduled Job Creation
+- Scheduled Job Metadata
+- Service Creation
+- OS API Execution
source: WinEventLog:Microsoft-Windows-TaskScheduler/Operational
sourcetype: wineventlog
separator: EventCode
separator_value: 200
supported_TA:
- - name: Splunk Add-on for Microsoft Windows
- url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 9.0.1
fields:
- - _time
- - ActionName
- - ActivityID
- - Channel
- - Computer
- - EnginePID
- - Error_Code
- - EventCode
- - EventData_Xml
- - EventID
- - EventRecordID
- - Guid
- - Keywords
- - Level
- - Name
- - Opcode
- - ProcessID
- - RecordNumber
- - SystemTime
- - System_Props_Xml
- - Task
- - TaskInstanceId
- - TaskName
- - ThreadID
- - UserID
- - Version
- - app
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - product
- - punct
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - ta_windows_action
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user_id
- - vendor
- - vendor_product
+- _time
+- ActionName
+- ActivityID
+- Channel
+- Computer
+- EnginePID
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- TaskInstanceId
+- TaskName
+- ThreadID
+- UserID
+- Version
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- product
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- ta_windows_action
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor
+- vendor_product
example_log: 2001420010x80000000000000002001420010x80000000000000004323Microsoft-Windows-TaskScheduler/Operationalar-win-dc.attackrange.local
Date: Mon, 17 Mar 2025 17:07:03 -0700
Subject: [PATCH 4/6] normalize quotes
---
data_sources/azure_active_directory_add_member_to_role.yml | 2 +-
.../azure_active_directory_add_owner_to_application.yml | 2 +-
data_sources/azure_active_directory_add_service_principal.yml | 2 +-
data_sources/azure_active_directory_add_unverified_domain.yml | 2 +-
data_sources/azure_active_directory_consent_to_application.yml | 2 +-
.../azure_active_directory_disable_strong_authentication.yml | 2 +-
data_sources/azure_active_directory_enable_account.yml | 2 +-
data_sources/azure_active_directory_invite_external_user.yml | 2 +-
.../azure_active_directory_reset_password_(by_admin).yml | 2 +-
.../azure_active_directory_set_domain_authentication.yml | 2 +-
data_sources/azure_active_directory_sign_in_activity.yml | 2 +-
data_sources/azure_active_directory_update_application.yml | 2 +-
.../azure_active_directory_update_authorization_policy.yml | 2 +-
data_sources/azure_active_directory_update_user.yml | 2 +-
.../azure_active_directory_user_registered_security_info.yml | 2 +-
...azure_audit_create_or_update_an_azure_automation_account.yml | 2 +-
...azure_audit_create_or_update_an_azure_automation_runbook.yml | 2 +-
...azure_audit_create_or_update_an_azure_automation_webhook.yml | 2 +-
data_sources/azure_monitor_activity.yml | 2 +-
data_sources/g_suite_drive.yml | 2 +-
data_sources/g_suite_gmail.yml | 2 +-
data_sources/google_workspace.yml | 2 +-
data_sources/google_workspace_login_failure.yml | 2 +-
data_sources/google_workspace_login_success.yml | 2 +-
data_sources/o365.yml | 2 +-
data_sources/o365_add_app_role_assignment_grant_to_user_.yml | 2 +-
.../o365_add_app_role_assignment_to_service_principal_.yml | 2 +-
data_sources/o365_add_mailboxpermission.yml | 2 +-
data_sources/o365_add_member_to_role_.yml | 2 +-
data_sources/o365_add_owner_to_application_.yml | 2 +-
data_sources/o365_add_service_principal_.yml | 2 +-
data_sources/o365_change_user_license_.yml | 2 +-
32 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/data_sources/azure_active_directory_add_member_to_role.yml b/data_sources/azure_active_directory_add_member_to_role.yml
index 737edf7f94..361ec5afe2 100644
--- a/data_sources/azure_active_directory_add_member_to_role.yml
+++ b/data_sources/azure_active_directory_add_member_to_role.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Add member to role
id: 1660d196-127f-4678-81b2-472d51711b07
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs the addition of a member to a directory role in Azure Active Directory,
including details about the role, the member added, and the user or process performing
diff --git a/data_sources/azure_active_directory_add_owner_to_application.yml b/data_sources/azure_active_directory_add_owner_to_application.yml
index 36786bbea3..1e80420bc9 100644
--- a/data_sources/azure_active_directory_add_owner_to_application.yml
+++ b/data_sources/azure_active_directory_add_owner_to_application.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Add owner to application
id: e895ed56-7be4-4b3a-b782-ecd0f594ec4c
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs the addition of an owner to an application in Azure Active Directory,
including details about the application, the owner added, and the user or process
diff --git a/data_sources/azure_active_directory_add_service_principal.yml b/data_sources/azure_active_directory_add_service_principal.yml
index 7ec49367e7..4900077c25 100644
--- a/data_sources/azure_active_directory_add_service_principal.yml
+++ b/data_sources/azure_active_directory_add_service_principal.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Add service principal
id: fd89d337-e4c0-4162-ad13-bca36f096fe6
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs the creation of a new service principal in Azure Active Directory,
including details about the service principal, associated application, and the user
diff --git a/data_sources/azure_active_directory_add_unverified_domain.yml b/data_sources/azure_active_directory_add_unverified_domain.yml
index 961e232a61..9c65ffb874 100644
--- a/data_sources/azure_active_directory_add_unverified_domain.yml
+++ b/data_sources/azure_active_directory_add_unverified_domain.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Add unverified domain
id: d4c01fb1-3b88-46d3-bd12-9b9e256450f7
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs the addition of an unverified domain to Azure Active Directory,
including details about the domain name and the user or process performing the action.
diff --git a/data_sources/azure_active_directory_consent_to_application.yml b/data_sources/azure_active_directory_consent_to_application.yml
index e009f3279a..a3fabfa139 100644
--- a/data_sources/azure_active_directory_consent_to_application.yml
+++ b/data_sources/azure_active_directory_consent_to_application.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Consent to application
id: 4c5d6c49-53e3-4980-a4de-c63e26291ed0
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs user or admin consent to an application's permissions in Azure Active
Directory, including details about the application, granted permissions, and the
diff --git a/data_sources/azure_active_directory_disable_strong_authentication.yml b/data_sources/azure_active_directory_disable_strong_authentication.yml
index 776d4966f2..dc3b8dbf05 100644
--- a/data_sources/azure_active_directory_disable_strong_authentication.yml
+++ b/data_sources/azure_active_directory_disable_strong_authentication.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Disable Strong Authentication
id: 8f31966d-c496-496d-8837-f7fd11f31255
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when strong authentication methods are disabled in Azure
Active Directory.
diff --git a/data_sources/azure_active_directory_enable_account.yml b/data_sources/azure_active_directory_enable_account.yml
index 6490ed964a..be0208edb9 100644
--- a/data_sources/azure_active_directory_enable_account.yml
+++ b/data_sources/azure_active_directory_enable_account.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Enable account
id: cb49f3cd-04ad-415c-a5ed-9b27b2829fa7
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an Azure Active Directory account is enabled.
mitre_components:
diff --git a/data_sources/azure_active_directory_invite_external_user.yml b/data_sources/azure_active_directory_invite_external_user.yml
index 2ed2d7c705..fca5f7cf97 100644
--- a/data_sources/azure_active_directory_invite_external_user.yml
+++ b/data_sources/azure_active_directory_invite_external_user.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Invite external user
id: d3818bd5-f283-4518-8b67-df19240c3e40
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an external user is invited to join an Azure Active
Directory tenant.
diff --git a/data_sources/azure_active_directory_reset_password_(by_admin).yml b/data_sources/azure_active_directory_reset_password_(by_admin).yml
index c35dabeb34..aff8092dee 100644
--- a/data_sources/azure_active_directory_reset_password_(by_admin).yml
+++ b/data_sources/azure_active_directory_reset_password_(by_admin).yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Reset password (by admin)
id: dcd0e4dc-68f8-4b77-a66f-89c57b3afa6b
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an admin resets a user's password in Azure Active
Directory.
diff --git a/data_sources/azure_active_directory_set_domain_authentication.yml b/data_sources/azure_active_directory_set_domain_authentication.yml
index 0b31d97f53..70c7e43888 100644
--- a/data_sources/azure_active_directory_set_domain_authentication.yml
+++ b/data_sources/azure_active_directory_set_domain_authentication.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Set domain authentication
id: e7bcdab9-908c-40ab-ba38-5db54fa87750
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when the authentication method for a domain in Azure Active
Directory is set or modified.
diff --git a/data_sources/azure_active_directory_sign_in_activity.yml b/data_sources/azure_active_directory_sign_in_activity.yml
index 3834f3e0b6..31a32e5a30 100644
--- a/data_sources/azure_active_directory_sign_in_activity.yml
+++ b/data_sources/azure_active_directory_sign_in_activity.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Sign-in activity
id: f9ed0a3a-9e20-4198-a035-d0a29593fbe0
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a user attempts to sign into Azure Active Directory,
capturing authentication details and outcomes.
diff --git a/data_sources/azure_active_directory_update_application.yml b/data_sources/azure_active_directory_update_application.yml
index e180c237a0..23dcecde69 100644
--- a/data_sources/azure_active_directory_update_application.yml
+++ b/data_sources/azure_active_directory_update_application.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Update application
id: 2c08188a-ba25-496e-87c7-803cf28b6c90
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an application in Azure Active Directory is updated,
such as changes to its settings or permissions.
diff --git a/data_sources/azure_active_directory_update_authorization_policy.yml b/data_sources/azure_active_directory_update_authorization_policy.yml
index 5a9cb19eb3..058f400e1a 100644
--- a/data_sources/azure_active_directory_update_authorization_policy.yml
+++ b/data_sources/azure_active_directory_update_authorization_policy.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Update authorization policy
id: c5b7ffcd-73d8-4fe5-afd8-b1218d715c0c
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an authorization policy is updated in Azure Active
Directory.
diff --git a/data_sources/azure_active_directory_update_user.yml b/data_sources/azure_active_directory_update_user.yml
index a9e43502b0..9f99e199d8 100644
--- a/data_sources/azure_active_directory_update_user.yml
+++ b/data_sources/azure_active_directory_update_user.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory Update user
id: 5495c90a-047c-4b8e-b2fe-1db6282d3872
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a user account is updated in Azure Active Directory.
mitre_components:
diff --git a/data_sources/azure_active_directory_user_registered_security_info.yml b/data_sources/azure_active_directory_user_registered_security_info.yml
index 1f3474bc88..1379b9e4f8 100644
--- a/data_sources/azure_active_directory_user_registered_security_info.yml
+++ b/data_sources/azure_active_directory_user_registered_security_info.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory User registered security info
id: b63240de-8a01-4ba8-8987-89d18d4b375d
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a user registers or updates their security information
in Azure Active Directory.
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
index f6527d3d3b..d20eb1b740 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
@@ -1,7 +1,7 @@
name: Azure Audit Create or Update an Azure Automation account
id: 2ab182e7-feda-4249-9418-32710b55a885
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when an Azure Automation account is created or updated.
mitre_components:
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
index a8f5116f79..f2dbafa993 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
@@ -1,7 +1,7 @@
name: Azure Audit Create or Update an Azure Automation Runbook
id: 2bd83221-7a8b-436f-9b2b-efa1d44d009e
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a new Azure Automation Runbook is created or an existing
one is updated.
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
index e3e30003a4..a8c611852b 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
@@ -1,7 +1,7 @@
name: Azure Audit Create or Update an Azure Automation webhook
id: 575faeb2-09d0-4849-b1f6-eae241f26ff2
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when a webhook is created or updated in Azure Automation.
mitre_components:
diff --git a/data_sources/azure_monitor_activity.yml b/data_sources/azure_monitor_activity.yml
index c47465f05f..99c76ed47f 100644
--- a/data_sources/azure_monitor_activity.yml
+++ b/data_sources/azure_monitor_activity.yml
@@ -1,7 +1,7 @@
name: Azure Monitor Activity
id: 1997a515-a61a-4f78-ada9-54af34c764f2
version: 1
-date: "2025-01-13"
+date: '2025-01-13'
author: Bhavin Patel, Splunk
description:
Data source object for Azure Monitor Activity. The Splunk Add-on for
diff --git a/data_sources/g_suite_drive.yml b/data_sources/g_suite_drive.yml
index 050427ab42..0064416dbb 100644
--- a/data_sources/g_suite_drive.yml
+++ b/data_sources/g_suite_drive.yml
@@ -1,7 +1,7 @@
name: G Suite Drive
id: 5f79120f-a235-4468-bd0d-55203758ac22
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs activities related to Google Drive in G Suite, including file creation,
modification, sharing, and access details.
diff --git a/data_sources/g_suite_gmail.yml b/data_sources/g_suite_gmail.yml
index 9471a54484..2366e69b41 100644
--- a/data_sources/g_suite_gmail.yml
+++ b/data_sources/g_suite_gmail.yml
@@ -1,7 +1,7 @@
name: G Suite Gmail
id: 706c3978-41de-406b-b6e0-75bd01e12a5d
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs Gmail activities in G Suite, including email sending, receiving,
and access details, as well as potential security-related events.
diff --git a/data_sources/google_workspace.yml b/data_sources/google_workspace.yml
index 1e651b883e..cdc72f6062 100644
--- a/data_sources/google_workspace.yml
+++ b/data_sources/google_workspace.yml
@@ -1,7 +1,7 @@
name: Google Workspace
id: f1a044e3-113a-4e4d-84f2-b153ade83087
version: 1
-date: "2025-02-21"
+date: '2025-02-21'
author: Bhavin Patel, Splunk
description: Data source object for Google Workspace
source: google_workspace
diff --git a/data_sources/google_workspace_login_failure.yml b/data_sources/google_workspace_login_failure.yml
index 4a57f70c36..37b5e7dfd3 100644
--- a/data_sources/google_workspace_login_failure.yml
+++ b/data_sources/google_workspace_login_failure.yml
@@ -1,7 +1,7 @@
name: Google Workspace login_failure
id: cabec7cf-4008-4899-b47e-39c34a9a1255
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs failed login attempts to Google Workspace accounts, including details
about the user, IP address, and reason for failure.
diff --git a/data_sources/google_workspace_login_success.yml b/data_sources/google_workspace_login_success.yml
index 16beb865b8..ac11eece48 100644
--- a/data_sources/google_workspace_login_success.yml
+++ b/data_sources/google_workspace_login_success.yml
@@ -1,7 +1,7 @@
name: Google Workspace login_success
id: bffe8013-9cdf-4fe6-9c1b-6784391a4951
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs successful login attempts to Google Workspace accounts, including
details about the user, IP address, and session metadata.
diff --git a/data_sources/o365.yml b/data_sources/o365.yml
index c87c6d01cd..e3a8fe4084 100644
--- a/data_sources/o365.yml
+++ b/data_sources/o365.yml
@@ -1,7 +1,7 @@
name: O365
id: b32de97d-0074-4cca-853c-db22c392b6c0
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs management activities in Microsoft 365, including administrative
actions, user activities, and configuration changes across various services.
diff --git a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
index 87d209241a..b423cfb188 100644
--- a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
+++ b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
@@ -1,7 +1,7 @@
name: O365 Add app role assignment grant to user.
id: ce1d7849-a1d2-47fd-b6eb-d7ef854a860c
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs the assignment of an application role grant to a user in Microsoft
365, including details about the role, user, and application involved.
diff --git a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
index 8c76c22053..f701f5d05a 100644
--- a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
+++ b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
@@ -1,7 +1,7 @@
name: O365 Add app role assignment to service principal.
id: 785ba57a-ba7b-474e-97c8-9474e6e00b3a
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs the assignment of an application role to a service principal in
Microsoft 365, including details about the role, service principal, and application
diff --git a/data_sources/o365_add_mailboxpermission.yml b/data_sources/o365_add_mailboxpermission.yml
index eaaf573a62..73d8a6a770 100644
--- a/data_sources/o365_add_mailboxpermission.yml
+++ b/data_sources/o365_add_mailboxpermission.yml
@@ -1,7 +1,7 @@
name: O365 Add-MailboxPermission
id: 9c0babdb-bb15-449e-abba-0a9cdb3fc061
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs the addition of mailbox permissions in Microsoft 365, including
details about the mailbox, granted permissions, and the user or administrator performing
diff --git a/data_sources/o365_add_member_to_role_.yml b/data_sources/o365_add_member_to_role_.yml
index 6a582f6557..4bbd0ee8ac 100644
--- a/data_sources/o365_add_member_to_role_.yml
+++ b/data_sources/o365_add_member_to_role_.yml
@@ -1,7 +1,7 @@
name: O365 Add member to role.
id: 8b949f7c-4b5d-404f-9694-d7403c4ec096
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs the addition of a member to a role in Microsoft 365, including details
about the role, the added member, and the user or administrator performing the action.
diff --git a/data_sources/o365_add_owner_to_application_.yml b/data_sources/o365_add_owner_to_application_.yml
index f0b2874382..b1da0c1792 100644
--- a/data_sources/o365_add_owner_to_application_.yml
+++ b/data_sources/o365_add_owner_to_application_.yml
@@ -1,7 +1,7 @@
name: O365 Add owner to application.
id: da012cbf-af6e-40ee-a1ba-32a5f8da8f8a
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs the addition of an owner to an application in Microsoft 365, including
details about the application, the new owner, and the user or administrator performing
diff --git a/data_sources/o365_add_service_principal_.yml b/data_sources/o365_add_service_principal_.yml
index 145c7ea81c..b348c73689 100644
--- a/data_sources/o365_add_service_principal_.yml
+++ b/data_sources/o365_add_service_principal_.yml
@@ -1,7 +1,7 @@
name: O365 Add service principal.
id: 9c1ef9f5-bc30-4a47-a1bd-cb34484ee778
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs the addition of a new service principal in Microsoft 365, including
details about the associated application and the action initiator.
diff --git a/data_sources/o365_change_user_license_.yml b/data_sources/o365_change_user_license_.yml
index 5faab95680..9204dca910 100644
--- a/data_sources/o365_change_user_license_.yml
+++ b/data_sources/o365_change_user_license_.yml
@@ -1,7 +1,7 @@
name: O365 Change user license.
id: 1029a20d-3d0d-4fb9-b5e2-22ac5380b20a
version: 2
-date: "2025-01-23"
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs changes to user licenses in Microsoft 365, including additions,
removals, or updates to service plans associated with a user account.
From da5c9b9bbd7a6ec7ac65ccafc25e6a751ebe0e82 Mon Sep 17 00:00:00 2001
From: delgado-jacob <29643013+delgado-jacob@users.noreply.github.com>
Date: Tue, 18 Mar 2025 11:37:35 -0700
Subject: [PATCH 5/6] fix separator_value field
---
data_sources/aws_cloudtrail_copyobject.yml | 2 +-
data_sources/aws_cloudtrail_createtask.yml | 2 +-
data_sources/powershell_script_block_logging_4104.yml | 2 +-
data_sources/sysmon_eventid_1.yml | 2 +-
data_sources/sysmon_eventid_10.yml | 2 +-
data_sources/sysmon_eventid_11.yml | 2 +-
data_sources/sysmon_eventid_12.yml | 2 +-
data_sources/sysmon_eventid_13.yml | 2 +-
data_sources/sysmon_eventid_15.yml | 2 +-
data_sources/sysmon_eventid_17.yml | 2 +-
data_sources/sysmon_eventid_18.yml | 2 +-
data_sources/sysmon_eventid_21.yml | 2 +-
data_sources/sysmon_eventid_22.yml | 2 +-
data_sources/sysmon_eventid_23.yml | 2 +-
data_sources/sysmon_eventid_3.yml | 2 +-
data_sources/sysmon_eventid_5.yml | 2 +-
data_sources/sysmon_eventid_6.yml | 2 +-
data_sources/sysmon_eventid_7.yml | 2 +-
data_sources/sysmon_eventid_8.yml | 2 +-
data_sources/sysmon_eventid_9.yml | 2 +-
data_sources/sysmon_for_linux_eventid_1.yml | 2 +-
data_sources/windows_event_log_application_3000.yml | 2 +-
data_sources/windows_event_log_capi2_70.yml | 2 +-
data_sources/windows_event_log_capi2_81.yml | 2 +-
.../windows_event_log_certificateservicesclient_1007.yml | 2 +-
data_sources/windows_event_log_defender_1121.yml | 2 +-
data_sources/windows_event_log_defender_1122.yml | 2 +-
data_sources/windows_event_log_defender_1129.yml | 2 +-
data_sources/windows_event_log_printservice_316.yml | 2 +-
data_sources/windows_event_log_printservice_808.yml | 2 +-
data_sources/windows_event_log_remoteconnectionmanager_1149.yml | 2 +-
data_sources/windows_event_log_security_1100.yml | 2 +-
data_sources/windows_event_log_security_1102.yml | 2 +-
data_sources/windows_event_log_security_4624.yml | 2 +-
data_sources/windows_event_log_security_4625.yml | 2 +-
data_sources/windows_event_log_security_4627.yml | 2 +-
data_sources/windows_event_log_security_4648.yml | 2 +-
data_sources/windows_event_log_security_4662.yml | 2 +-
data_sources/windows_event_log_security_4663.yml | 2 +-
data_sources/windows_event_log_security_4672.yml | 2 +-
data_sources/windows_event_log_security_4688.yml | 2 +-
data_sources/windows_event_log_security_4698.yml | 2 +-
data_sources/windows_event_log_security_4699.yml | 2 +-
data_sources/windows_event_log_security_4703.yml | 2 +-
data_sources/windows_event_log_security_4719.yml | 2 +-
data_sources/windows_event_log_security_4720.yml | 2 +-
data_sources/windows_event_log_security_4724.yml | 2 +-
data_sources/windows_event_log_security_4725.yml | 2 +-
data_sources/windows_event_log_security_4726.yml | 2 +-
data_sources/windows_event_log_security_4732.yml | 2 +-
data_sources/windows_event_log_security_4738.yml | 2 +-
data_sources/windows_event_log_security_4739.yml | 2 +-
data_sources/windows_event_log_security_4741.yml | 2 +-
data_sources/windows_event_log_security_4768.yml | 2 +-
data_sources/windows_event_log_security_4769.yml | 2 +-
data_sources/windows_event_log_security_4771.yml | 2 +-
data_sources/windows_event_log_security_4776.yml | 2 +-
data_sources/windows_event_log_security_4781.yml | 2 +-
data_sources/windows_event_log_security_4876.yml | 2 +-
data_sources/windows_event_log_security_4886.yml | 2 +-
data_sources/windows_event_log_security_4887.yml | 2 +-
data_sources/windows_event_log_security_5136.yml | 2 +-
data_sources/windows_event_log_security_5137.yml | 2 +-
data_sources/windows_event_log_security_5140.yml | 2 +-
data_sources/windows_event_log_security_5141.yml | 2 +-
data_sources/windows_event_log_security_5145.yml | 2 +-
data_sources/windows_event_log_system_4720.yml | 2 +-
data_sources/windows_event_log_system_4726.yml | 2 +-
data_sources/windows_event_log_system_4728.yml | 2 +-
data_sources/windows_event_log_system_7036.yml | 2 +-
data_sources/windows_event_log_system_7040.yml | 2 +-
data_sources/windows_event_log_system_7045.yml | 2 +-
data_sources/windows_event_log_taskscheduler_200.yml | 2 +-
data_sources/windows_iis_29.yml | 2 +-
74 files changed, 74 insertions(+), 74 deletions(-)
diff --git a/data_sources/aws_cloudtrail_copyobject.yml b/data_sources/aws_cloudtrail_copyobject.yml
index 1a505ff56f..9e10225b8d 100644
--- a/data_sources/aws_cloudtrail_copyobject.yml
+++ b/data_sources/aws_cloudtrail_copyobject.yml
@@ -13,7 +13,7 @@ mitre_components:
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
-separator_values: CopyObject
+separator_value: CopyObject
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
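Review bot: The misspelled key `separator_values` meant this file carried no recognised `separator_value` at all, so a consumer keyed on `separator: eventName` presumably matched nothing (or everything) rather than `CopyObject`; the rename is the right fix, and the same applies to `separator_name` in the CreateTask hunk that follows. Nothing in the patch stops the typo recurring, though: if the loader for these data-source files can be run with unknown keys rejected, that strict-schema check would have caught both misspellings in CI rather than leaving a silently broken data source. Worth adding alongside this fix, or at least noting in the commit message that the bad key was accepted without error.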
diff --git a/data_sources/aws_cloudtrail_createtask.yml b/data_sources/aws_cloudtrail_createtask.yml
index f474925295..2cfea8e296 100644
--- a/data_sources/aws_cloudtrail_createtask.yml
+++ b/data_sources/aws_cloudtrail_createtask.yml
@@ -13,7 +13,7 @@ mitre_components:
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
-separator_name: CreateTask
+separator_value: CreateTask
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/powershell_script_block_logging_4104.yml b/data_sources/powershell_script_block_logging_4104.yml
index 99f3ace10f..a92378edf7 100644
--- a/data_sources/powershell_script_block_logging_4104.yml
+++ b/data_sources/powershell_script_block_logging_4104.yml
@@ -14,7 +14,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 4104
+separator_value: '4104'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
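Review bot: Quoting `'4104'` changes the loaded type of `separator_value` from int to str, and the same type change is applied to every Sysmon and Windows event-log file in this series, while the commit subject only says "fix separator_value field". If any consumer compared the loaded value numerically that comparison now fails silently, so the commit message should state that `separator_value` is always a string from here on (the right choice, since the value is matched against an event field and YAML implicit typing would otherwise mangle IDs with leading zeros). A one-line comment on the key in this first file, e.g. `# quoted on purpose: separator_value is a string, not a number`, would keep the intent from being lost in the next reformat.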
diff --git a/data_sources/sysmon_eventid_1.yml b/data_sources/sysmon_eventid_1.yml
index ca295fd89b..82abab53f8 100644
--- a/data_sources/sysmon_eventid_1.yml
+++ b/data_sources/sysmon_eventid_1.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 1
+separator_value: '1'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_10.yml b/data_sources/sysmon_eventid_10.yml
index 844e023f1a..8afd1accf9 100644
--- a/data_sources/sysmon_eventid_10.yml
+++ b/data_sources/sysmon_eventid_10.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 10
+separator_value: '10'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_11.yml b/data_sources/sysmon_eventid_11.yml
index f0e6dee766..dc1c00aa6c 100644
--- a/data_sources/sysmon_eventid_11.yml
+++ b/data_sources/sysmon_eventid_11.yml
@@ -14,7 +14,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 11
+separator_value: '11'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_12.yml b/data_sources/sysmon_eventid_12.yml
index 5a2c89c0ec..d7253a27ee 100644
--- a/data_sources/sysmon_eventid_12.yml
+++ b/data_sources/sysmon_eventid_12.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 12
+separator_value: '12'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_13.yml b/data_sources/sysmon_eventid_13.yml
index 9af2d0673d..fa07a786fd 100644
--- a/data_sources/sysmon_eventid_13.yml
+++ b/data_sources/sysmon_eventid_13.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 13
+separator_value: '13'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_15.yml b/data_sources/sysmon_eventid_15.yml
index e679fb1ad9..c819cb661e 100644
--- a/data_sources/sysmon_eventid_15.yml
+++ b/data_sources/sysmon_eventid_15.yml
@@ -14,7 +14,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 15
+separator_value: '15'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_17.yml b/data_sources/sysmon_eventid_17.yml
index b871828540..efb671d8c5 100644
--- a/data_sources/sysmon_eventid_17.yml
+++ b/data_sources/sysmon_eventid_17.yml
@@ -9,7 +9,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 17
+separator_value: '17'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_18.yml b/data_sources/sysmon_eventid_18.yml
index f3b7854c2f..8447f15541 100644
--- a/data_sources/sysmon_eventid_18.yml
+++ b/data_sources/sysmon_eventid_18.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 18
+separator_value: '18'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_21.yml b/data_sources/sysmon_eventid_21.yml
index 8caa81e1bc..7cc11830ee 100644
--- a/data_sources/sysmon_eventid_21.yml
+++ b/data_sources/sysmon_eventid_21.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 21
+separator_value: '21'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_22.yml b/data_sources/sysmon_eventid_22.yml
index bcd9721dd8..fffc3f518a 100644
--- a/data_sources/sysmon_eventid_22.yml
+++ b/data_sources/sysmon_eventid_22.yml
@@ -14,7 +14,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 22
+separator_value: '22'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_23.yml b/data_sources/sysmon_eventid_23.yml
index 7dc515f54a..7e148df04e 100644
--- a/data_sources/sysmon_eventid_23.yml
+++ b/data_sources/sysmon_eventid_23.yml
@@ -14,7 +14,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 23
+separator_value: '23'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_3.yml b/data_sources/sysmon_eventid_3.yml
index b548310e17..04af350bfd 100644
--- a/data_sources/sysmon_eventid_3.yml
+++ b/data_sources/sysmon_eventid_3.yml
@@ -14,7 +14,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 3
+separator_value: '3'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_5.yml b/data_sources/sysmon_eventid_5.yml
index 946a3c0551..7b8abba8e9 100644
--- a/data_sources/sysmon_eventid_5.yml
+++ b/data_sources/sysmon_eventid_5.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 5
+separator_value: '5'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_6.yml b/data_sources/sysmon_eventid_6.yml
index c9d0d5d247..053de2de1d 100644
--- a/data_sources/sysmon_eventid_6.yml
+++ b/data_sources/sysmon_eventid_6.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 6
+separator_value: '6'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_7.yml b/data_sources/sysmon_eventid_7.yml
index 8c5dcd335e..8a67c2fab7 100644
--- a/data_sources/sysmon_eventid_7.yml
+++ b/data_sources/sysmon_eventid_7.yml
@@ -14,7 +14,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 7
+separator_value: '7'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_8.yml b/data_sources/sysmon_eventid_8.yml
index bb8b3a983b..1ee7641643 100644
--- a/data_sources/sysmon_eventid_8.yml
+++ b/data_sources/sysmon_eventid_8.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 8
+separator_value: '8'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_9.yml b/data_sources/sysmon_eventid_9.yml
index ba5499ae5b..f73b040876 100644
--- a/data_sources/sysmon_eventid_9.yml
+++ b/data_sources/sysmon_eventid_9.yml
@@ -14,7 +14,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
-separator_value: 9
+separator_value: '9'
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_for_linux_eventid_1.yml b/data_sources/sysmon_for_linux_eventid_1.yml
index 2027f90431..d8a01f3d5d 100644
--- a/data_sources/sysmon_for_linux_eventid_1.yml
+++ b/data_sources/sysmon_for_linux_eventid_1.yml
@@ -14,7 +14,7 @@ mitre_components:
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
separator: EventID
-separator_value: 1
+separator_value: '1'
supported_TA:
- name: Splunk Add-on for Sysmon for Linux
url: https://splunkbase.splunk.com/app/6652
diff --git a/data_sources/windows_event_log_application_3000.yml b/data_sources/windows_event_log_application_3000.yml
index a3dcec0bda..8f24d2587e 100644
--- a/data_sources/windows_event_log_application_3000.yml
+++ b/data_sources/windows_event_log_application_3000.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Application
sourcetype: XmlWinEventLog
separator: EventCode
-separator_value: 3000
+separator_value: '3000'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_capi2_70.yml b/data_sources/windows_event_log_capi2_70.yml
index cc9a329fac..eb570c28a9 100644
--- a/data_sources/windows_event_log_capi2_70.yml
+++ b/data_sources/windows_event_log_capi2_70.yml
@@ -14,7 +14,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 70
+separator_value: '70'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_capi2_81.yml b/data_sources/windows_event_log_capi2_81.yml
index e6641f83f8..12ef5132b5 100644
--- a/data_sources/windows_event_log_capi2_81.yml
+++ b/data_sources/windows_event_log_capi2_81.yml
@@ -14,7 +14,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 81
+separator_value: '81'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_certificateservicesclient_1007.yml b/data_sources/windows_event_log_certificateservicesclient_1007.yml
index edc911da2a..f3ba7e5eaa 100644
--- a/data_sources/windows_event_log_certificateservicesclient_1007.yml
+++ b/data_sources/windows_event_log_certificateservicesclient_1007.yml
@@ -14,7 +14,7 @@ mitre_components:
source: XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
sourcetype: XmlWinEventLog
separator: EventCode
-separator_value: 1007
+separator_value: '1007'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_defender_1121.yml b/data_sources/windows_event_log_defender_1121.yml
index c1185da5d8..d24a5e359e 100644
--- a/data_sources/windows_event_log_defender_1121.yml
+++ b/data_sources/windows_event_log_defender_1121.yml
@@ -12,7 +12,7 @@ mitre_components:
source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 1121
+separator_value: '1121'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
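Review bot: `source: WinEventLog:Microsoft-Windows-Windows Defender/Operational` is paired with `sourcetype: xmlwineventlog` in the context lines of this hunk, whereas every other data source in this patch that uses the `xmlwineventlog` sourcetype carries an `XmlWinEventLog:` source prefix, and the `WinEventLog:` sources use `wineventlog`/`WinEventLog`. If the Defender channel is collected with the XML renderer the source should read `XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational`; if it is collected with the classic renderer the sourcetype is the wrong half. I can't tell which from the diff, but either way a mismatched pair means the Defender detections' data-source metadata points at events that never arrive under that source/sourcetype; the 1122 and 1129 hunks have the same pairing.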
diff --git a/data_sources/windows_event_log_defender_1122.yml b/data_sources/windows_event_log_defender_1122.yml
index 708c4a09aa..8c16ab4757 100644
--- a/data_sources/windows_event_log_defender_1122.yml
+++ b/data_sources/windows_event_log_defender_1122.yml
@@ -12,7 +12,7 @@ mitre_components:
source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 1122
+separator_value: '1122'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_defender_1129.yml b/data_sources/windows_event_log_defender_1129.yml
index 1e4fd843ff..41c76a99c0 100644
--- a/data_sources/windows_event_log_defender_1129.yml
+++ b/data_sources/windows_event_log_defender_1129.yml
@@ -12,7 +12,7 @@ mitre_components:
source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 1129
+separator_value: '1129'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_printservice_316.yml b/data_sources/windows_event_log_printservice_316.yml
index a13491e365..46e5fea881 100644
--- a/data_sources/windows_event_log_printservice_316.yml
+++ b/data_sources/windows_event_log_printservice_316.yml
@@ -10,7 +10,7 @@ mitre_components:
source: WinEventLog:Microsoft-Windows-PrintService/Admin
sourcetype: WinEventLog
separator: EventCode
-separator_value: 316
+separator_value: '316'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_printservice_808.yml b/data_sources/windows_event_log_printservice_808.yml
index 2f1c1363e4..c989e88ce2 100644
--- a/data_sources/windows_event_log_printservice_808.yml
+++ b/data_sources/windows_event_log_printservice_808.yml
@@ -12,7 +12,7 @@ mitre_components:
source: WinEventLog:Microsoft-Windows-PrintService/Admin
sourcetype: WinEventLog
separator: EventCode
-separator_value: 808
+separator_value: '808'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
index 17e1e81b90..c3352c16bd 100644
--- a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
+++ b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
@@ -11,7 +11,7 @@ mitre_components:
source: WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
sourcetype: wineventlog
separator: EventCode
-separator_value: 1149
+separator_value: '1149'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_1100.yml b/data_sources/windows_event_log_security_1100.yml
index f926bde8c2..1034fc5e50 100644
--- a/data_sources/windows_event_log_security_1100.yml
+++ b/data_sources/windows_event_log_security_1100.yml
@@ -10,7 +10,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 1100
+separator_value: '1100'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_1102.yml b/data_sources/windows_event_log_security_1102.yml
index d66920335f..b6209e3136 100644
--- a/data_sources/windows_event_log_security_1102.yml
+++ b/data_sources/windows_event_log_security_1102.yml
@@ -11,7 +11,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 1102
+separator_value: '1102'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4624.yml b/data_sources/windows_event_log_security_4624.yml
index 823b6f2dee..c27cbde9e8 100644
--- a/data_sources/windows_event_log_security_4624.yml
+++ b/data_sources/windows_event_log_security_4624.yml
@@ -11,7 +11,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4624
+separator_value: '4624'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4625.yml b/data_sources/windows_event_log_security_4625.yml
index 5fdd9b3c21..e37413ca43 100644
--- a/data_sources/windows_event_log_security_4625.yml
+++ b/data_sources/windows_event_log_security_4625.yml
@@ -10,7 +10,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4625
+separator_value: '4625'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4627.yml b/data_sources/windows_event_log_security_4627.yml
index 85b2053016..428fea6638 100644
--- a/data_sources/windows_event_log_security_4627.yml
+++ b/data_sources/windows_event_log_security_4627.yml
@@ -12,7 +12,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4627
+separator_value: '4627'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4648.yml b/data_sources/windows_event_log_security_4648.yml
index 41b1ea111d..204ee0a6ea 100644
--- a/data_sources/windows_event_log_security_4648.yml
+++ b/data_sources/windows_event_log_security_4648.yml
@@ -11,7 +11,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4648
+separator_value: '4648'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4662.yml b/data_sources/windows_event_log_security_4662.yml
index e7ab4e16cb..72241152a5 100644
--- a/data_sources/windows_event_log_security_4662.yml
+++ b/data_sources/windows_event_log_security_4662.yml
@@ -11,7 +11,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4662
+separator_value: '4662'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4663.yml b/data_sources/windows_event_log_security_4663.yml
index 0a9d7bc423..8464167492 100644
--- a/data_sources/windows_event_log_security_4663.yml
+++ b/data_sources/windows_event_log_security_4663.yml
@@ -11,7 +11,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4663
+separator_value: '4663'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4672.yml b/data_sources/windows_event_log_security_4672.yml
index b56a07aae1..c4ae46c0f1 100644
--- a/data_sources/windows_event_log_security_4672.yml
+++ b/data_sources/windows_event_log_security_4672.yml
@@ -11,7 +11,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4672
+separator_value: '4672'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4688.yml b/data_sources/windows_event_log_security_4688.yml
index 11371fe6ff..16b11249c1 100644
--- a/data_sources/windows_event_log_security_4688.yml
+++ b/data_sources/windows_event_log_security_4688.yml
@@ -10,7 +10,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4688
+separator_value: '4688'
configuration: Enabling Windows event log process command line logging via group policy
object https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_Windows_event_log_process_command_line_logging_via_group_policy_object
supported_TA:
diff --git a/data_sources/windows_event_log_security_4698.yml b/data_sources/windows_event_log_security_4698.yml
index 27406cada2..b8c7911455 100644
--- a/data_sources/windows_event_log_security_4698.yml
+++ b/data_sources/windows_event_log_security_4698.yml
@@ -10,7 +10,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4698
+separator_value: '4698'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4699.yml b/data_sources/windows_event_log_security_4699.yml
index dc83e20aa6..7f05064a8f 100644
--- a/data_sources/windows_event_log_security_4699.yml
+++ b/data_sources/windows_event_log_security_4699.yml
@@ -10,7 +10,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4699
+separator_value: '4699'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4703.yml b/data_sources/windows_event_log_security_4703.yml
index 972a05a8d9..16ea3afc90 100644
--- a/data_sources/windows_event_log_security_4703.yml
+++ b/data_sources/windows_event_log_security_4703.yml
@@ -10,7 +10,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4703
+separator_value: '4703'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4719.yml b/data_sources/windows_event_log_security_4719.yml
index 37a72cc312..6edde73b99 100644
--- a/data_sources/windows_event_log_security_4719.yml
+++ b/data_sources/windows_event_log_security_4719.yml
@@ -10,7 +10,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4719
+separator_value: '4719'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4720.yml b/data_sources/windows_event_log_security_4720.yml
index ddd763d21b..e6bca434f1 100644
--- a/data_sources/windows_event_log_security_4720.yml
+++ b/data_sources/windows_event_log_security_4720.yml
@@ -9,7 +9,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4720
+separator_value: '4720'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4724.yml b/data_sources/windows_event_log_security_4724.yml
index 133f957f91..ed2d278c99 100644
--- a/data_sources/windows_event_log_security_4724.yml
+++ b/data_sources/windows_event_log_security_4724.yml
@@ -10,7 +10,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4724
+separator_value: '4724'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4725.yml b/data_sources/windows_event_log_security_4725.yml
index 129eafcb4f..5b91ceeb40 100644
--- a/data_sources/windows_event_log_security_4725.yml
+++ b/data_sources/windows_event_log_security_4725.yml
@@ -9,7 +9,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4725
+separator_value: '4725'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4726.yml b/data_sources/windows_event_log_security_4726.yml
index 201285eee9..8ee6b298fd 100644
--- a/data_sources/windows_event_log_security_4726.yml
+++ b/data_sources/windows_event_log_security_4726.yml
@@ -9,7 +9,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4726
+separator_value: '4726'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4732.yml b/data_sources/windows_event_log_security_4732.yml
index 5cab030eb0..5f312c3965 100644
--- a/data_sources/windows_event_log_security_4732.yml
+++ b/data_sources/windows_event_log_security_4732.yml
@@ -10,7 +10,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4732
+separator_value: '4732'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4738.yml b/data_sources/windows_event_log_security_4738.yml
index 45a903eb05..b42d8f7fa2 100644
--- a/data_sources/windows_event_log_security_4738.yml
+++ b/data_sources/windows_event_log_security_4738.yml
@@ -10,7 +10,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4738
+separator_value: '4738'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4739.yml b/data_sources/windows_event_log_security_4739.yml
index 30b07c99ee..7fb6bdc459 100644
--- a/data_sources/windows_event_log_security_4739.yml
+++ b/data_sources/windows_event_log_security_4739.yml
@@ -11,7 +11,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4739
+separator_value: '4739'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4741.yml b/data_sources/windows_event_log_security_4741.yml
index 8729366be5..2caa69385e 100644
--- a/data_sources/windows_event_log_security_4741.yml
+++ b/data_sources/windows_event_log_security_4741.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4741
+separator_value: '4741'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4768.yml b/data_sources/windows_event_log_security_4768.yml
index c391a51cfe..599f027991 100644
--- a/data_sources/windows_event_log_security_4768.yml
+++ b/data_sources/windows_event_log_security_4768.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4768
+separator_value: '4768'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4769.yml b/data_sources/windows_event_log_security_4769.yml
index d8c0cf195b..518f49f8da 100644
--- a/data_sources/windows_event_log_security_4769.yml
+++ b/data_sources/windows_event_log_security_4769.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4769
+separator_value: '4769'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4771.yml b/data_sources/windows_event_log_security_4771.yml
index 7b6e030b23..0e18ca2298 100644
--- a/data_sources/windows_event_log_security_4771.yml
+++ b/data_sources/windows_event_log_security_4771.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4771
+separator_value: '4771'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4776.yml b/data_sources/windows_event_log_security_4776.yml
index 59ae2a4748..d6581e3afc 100644
--- a/data_sources/windows_event_log_security_4776.yml
+++ b/data_sources/windows_event_log_security_4776.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4776
+separator_value: '4776'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4781.yml b/data_sources/windows_event_log_security_4781.yml
index 2e6adff3c4..9daa1781ae 100644
--- a/data_sources/windows_event_log_security_4781.yml
+++ b/data_sources/windows_event_log_security_4781.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4781
+separator_value: '4781'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4876.yml b/data_sources/windows_event_log_security_4876.yml
index 2340e3fb35..8d16e695d2 100644
--- a/data_sources/windows_event_log_security_4876.yml
+++ b/data_sources/windows_event_log_security_4876.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4876
+separator_value: '4876'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4886.yml b/data_sources/windows_event_log_security_4886.yml
index bf7533d343..a38f31f8cc 100644
--- a/data_sources/windows_event_log_security_4886.yml
+++ b/data_sources/windows_event_log_security_4886.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4886
+separator_value: '4886'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4887.yml b/data_sources/windows_event_log_security_4887.yml
index 0bac032d6b..4b8188cb5d 100644
--- a/data_sources/windows_event_log_security_4887.yml
+++ b/data_sources/windows_event_log_security_4887.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4887
+separator_value: '4887'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5136.yml b/data_sources/windows_event_log_security_5136.yml
index 1cc73e726e..048eaf46f7 100644
--- a/data_sources/windows_event_log_security_5136.yml
+++ b/data_sources/windows_event_log_security_5136.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 5136
+separator_value: '5136'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5137.yml b/data_sources/windows_event_log_security_5137.yml
index b7da687fc2..1aa19af1d7 100644
--- a/data_sources/windows_event_log_security_5137.yml
+++ b/data_sources/windows_event_log_security_5137.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 5137
+separator_value: '5137'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5140.yml b/data_sources/windows_event_log_security_5140.yml
index 537ad5db65..d8c6bd2297 100644
--- a/data_sources/windows_event_log_security_5140.yml
+++ b/data_sources/windows_event_log_security_5140.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 5140
+separator_value: '5140'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5141.yml b/data_sources/windows_event_log_security_5141.yml
index cc5825f11b..d507ac5298 100644
--- a/data_sources/windows_event_log_security_5141.yml
+++ b/data_sources/windows_event_log_security_5141.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 5141
+separator_value: '5141'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5145.yml b/data_sources/windows_event_log_security_5145.yml
index aadb0c15ea..5346b703d7 100644
--- a/data_sources/windows_event_log_security_5145.yml
+++ b/data_sources/windows_event_log_security_5145.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 5145
+separator_value: '5145'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_4720.yml b/data_sources/windows_event_log_system_4720.yml
index de3cea6a37..e5a0d75f83 100644
--- a/data_sources/windows_event_log_system_4720.yml
+++ b/data_sources/windows_event_log_system_4720.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4720
+separator_value: '4720'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_4726.yml b/data_sources/windows_event_log_system_4726.yml
index 2a4c9d93e3..b76450a928 100644
--- a/data_sources/windows_event_log_system_4726.yml
+++ b/data_sources/windows_event_log_system_4726.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4726
+separator_value: '4726'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_4728.yml b/data_sources/windows_event_log_system_4728.yml
index bf93ff45f0..b7d5ada0c2 100644
--- a/data_sources/windows_event_log_system_4728.yml
+++ b/data_sources/windows_event_log_system_4728.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 4728
+separator_value: '4728'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_7036.yml b/data_sources/windows_event_log_system_7036.yml
index 2d84bd44d8..c5eade1a31 100644
--- a/data_sources/windows_event_log_system_7036.yml
+++ b/data_sources/windows_event_log_system_7036.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 7036
+separator_value: '7036'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_7040.yml b/data_sources/windows_event_log_system_7040.yml
index 0f26b121a0..8c17c4cec7 100644
--- a/data_sources/windows_event_log_system_7040.yml
+++ b/data_sources/windows_event_log_system_7040.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 7040
+separator_value: '7040'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_7045.yml b/data_sources/windows_event_log_system_7045.yml
index 87c78b1a51..e019802f0c 100644
--- a/data_sources/windows_event_log_system_7045.yml
+++ b/data_sources/windows_event_log_system_7045.yml
@@ -13,7 +13,7 @@ mitre_components:
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
-separator_value: 7045
+separator_value: '7045'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_taskscheduler_200.yml b/data_sources/windows_event_log_taskscheduler_200.yml
index 2348f6b3f8..16cec6a1f0 100644
--- a/data_sources/windows_event_log_taskscheduler_200.yml
+++ b/data_sources/windows_event_log_taskscheduler_200.yml
@@ -13,7 +13,7 @@ mitre_components:
source: WinEventLog:Microsoft-Windows-TaskScheduler/Operational
sourcetype: wineventlog
separator: EventCode
-separator_value: 200
+separator_value: '200'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_iis_29.yml b/data_sources/windows_iis_29.yml
index 9ab6d3794a..7eeb8eeb79 100644
--- a/data_sources/windows_iis_29.yml
+++ b/data_sources/windows_iis_29.yml
@@ -13,7 +13,7 @@ mitre_components:
source: IIS:Configuration:Operational
sourcetype: IIS:Configuration:Operational
separator: EventID
-separator_value: 29
+separator_value: '29'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
From 6488af7c57740c0e39da9bcb968b6c822c087f61 Mon Sep 17 00:00:00 2001
From: delgado-jacob <29643013+delgado-jacob@users.noreply.github.com>
Date: Tue, 18 Mar 2025 14:29:30 -0700
Subject: [PATCH 6/6] Add Zeek TA, fix detection source list
---
data_sources/bro_conn.yml | 5 ++++-
data_sources/bro_dns.yml | 6 +++++-
data_sources/bro_files.yml | 5 ++++-
data_sources/bro_http.yml | 5 ++++-
data_sources/bro_loaded_scripts.yml | 5 ++++-
data_sources/bro_ntp.yml | 5 ++++-
data_sources/bro_ocsp.yml | 5 ++++-
data_sources/bro_ssl.yml | 5 ++++-
data_sources/bro_weird.yml | 5 ++++-
data_sources/bro_x509.yml | 5 ++++-
detections/network/detect_outbound_ldap_traffic.yml | 3 ---
11 files changed, 41 insertions(+), 13 deletions(-)
diff --git a/data_sources/bro_conn.yml b/data_sources/bro_conn.yml
index 1d8e4110c3..2344d857d7 100644
--- a/data_sources/bro_conn.yml
+++ b/data_sources/bro_conn.yml
@@ -12,4 +12,7 @@ mitre_components:
- Application Log Content
source: bro:conn:json
sourcetype: bro:conn:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+ url: https://splunkbase.splunk.com/app/5466
+ version: 1.0.8
diff --git a/data_sources/bro_dns.yml b/data_sources/bro_dns.yml
index b4deae7a6c..a87a59819a 100644
--- a/data_sources/bro_dns.yml
+++ b/data_sources/bro_dns.yml
@@ -13,4 +13,8 @@ mitre_components:
- Response Metadata
source: bro:dns:json
sourcetype: bro:dns:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+ url: https://splunkbase.splunk.com/app/5466
+ version: 1.0.8
+
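Review bot: A trailing blank line is added after `version: 1.0.8` (the bare `+` on the last line of the hunk) in this file only; none of the other nine Zeek hunks add one, so drop it to keep the ten files uniform and to avoid a yamllint empty-lines finding on bro_dns.yml alone. As a minor caveat for future bumps, `1.0.8` loads as a string only because it has two dots; a two-component version such as `1.8` would load as a float, so `version: '1.0.8'` is the safer form if these entries are ever edited by hand.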
diff --git a/data_sources/bro_files.yml b/data_sources/bro_files.yml
index 20121d2067..6185e27c8f 100644
--- a/data_sources/bro_files.yml
+++ b/data_sources/bro_files.yml
@@ -14,4 +14,7 @@ mitre_components:
- Application Log Content
source: bro:files:json
sourcetype: bro:files:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+ url: https://splunkbase.splunk.com/app/5466
+ version: 1.0.8
diff --git a/data_sources/bro_http.yml b/data_sources/bro_http.yml
index e8e25150dc..02c2647022 100644
--- a/data_sources/bro_http.yml
+++ b/data_sources/bro_http.yml
@@ -13,4 +13,7 @@ mitre_components:
- Application Log Content
source: bro:http:json
sourcetype: bro:http:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+ url: https://splunkbase.splunk.com/app/5466
+ version: 1.0.8
diff --git a/data_sources/bro_loaded_scripts.yml b/data_sources/bro_loaded_scripts.yml
index 2b9669bac3..016c7beb38 100644
--- a/data_sources/bro_loaded_scripts.yml
+++ b/data_sources/bro_loaded_scripts.yml
@@ -12,4 +12,7 @@ mitre_components:
- OS API Execution
source: bro:loaded_scripts:json
sourcetype: bro:loaded_scripts:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+ url: https://splunkbase.splunk.com/app/5466
+ version: 1.0.8
diff --git a/data_sources/bro_ntp.yml b/data_sources/bro_ntp.yml
index 727dfc5bfa..f76e65c2ae 100644
--- a/data_sources/bro_ntp.yml
+++ b/data_sources/bro_ntp.yml
@@ -12,4 +12,7 @@ mitre_components:
- Application Log Content
source: bro:ntp:json
sourcetype: bro:ntp:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+ url: https://splunkbase.splunk.com/app/5466
+ version: 1.0.8
diff --git a/data_sources/bro_ocsp.yml b/data_sources/bro_ocsp.yml
index 316e75d352..fc3bd136a9 100644
--- a/data_sources/bro_ocsp.yml
+++ b/data_sources/bro_ocsp.yml
@@ -13,4 +13,7 @@ mitre_components:
- Application Log Content
source: bro:ocsp:json
sourcetype: bro:ocsp:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+ url: https://splunkbase.splunk.com/app/5466
+ version: 1.0.8
diff --git a/data_sources/bro_ssl.yml b/data_sources/bro_ssl.yml
index b138786a0f..42a8a59910 100644
--- a/data_sources/bro_ssl.yml
+++ b/data_sources/bro_ssl.yml
@@ -13,4 +13,7 @@ mitre_components:
- Application Log Content
source: bro:ssl:json
sourcetype: bro:ssl:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+ url: https://splunkbase.splunk.com/app/5466
+ version: 1.0.8
diff --git a/data_sources/bro_weird.yml b/data_sources/bro_weird.yml
index 4d46c68d74..fe5a01ce05 100644
--- a/data_sources/bro_weird.yml
+++ b/data_sources/bro_weird.yml
@@ -13,4 +13,7 @@ mitre_components:
- Host Status
source: bro:weird:json
sourcetype: bro:weird:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+ url: https://splunkbase.splunk.com/app/5466
+ version: 1.0.8
diff --git a/data_sources/bro_x509.yml b/data_sources/bro_x509.yml
index 3f23109ebd..a5d7370c9e 100644
--- a/data_sources/bro_x509.yml
+++ b/data_sources/bro_x509.yml
@@ -13,4 +13,7 @@ mitre_components:
- Host Status
source: bro:x509:json
sourcetype: bro:x509:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+ url: https://splunkbase.splunk.com/app/5466
+ version: 1.0.8
diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml
index 43c8417a22..03e2420676 100644
--- a/detections/network/detect_outbound_ldap_traffic.yml
+++ b/detections/network/detect_outbound_ldap_traffic.yml
@@ -13,10 +13,7 @@ description: The following analytic identifies outbound LDAP traffic to external
this to access sensitive directory information, leading to data breaches or further
network compromise.
data_source:
-- Bro conn
- Palo Alto Network Traffic
-- Splunk Stream TCP
-- Splunk Stream IP
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic
where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip