-
Notifications
You must be signed in to change notification settings - Fork 373
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
updating docs and package bits [ci skip]
- Loading branch information
research bot
committed
Oct 31, 2019
1 parent
8401886
commit 3272e09
Showing
7 changed files
with
43 additions
and
43 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| ############# | ||
| # Automatically generated by generator.py in splunk/security-content | ||
| # On Date: 2019-10-31T17:15:19 UTC | ||
| # On Date: 2019-10-31T20:26:18 UTC | ||
| # Author: Splunk Security Research | ||
| # Contact: [email protected] | ||
| ############# | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| ############# | ||
| # Automatically generated by generator.py in splunk/security-content | ||
| # On Date: 2019-10-31T17:15:19 UTC | ||
| # On Date: 2019-10-31T20:26:18 UTC | ||
| # Author: Splunk Security Research | ||
| # Contact: [email protected] | ||
| ############# | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| ############# | ||
| # Automatically generated by generator.py in splunk/security-content | ||
| # On Date: 2019-10-31T17:15:19 UTC | ||
| # On Date: 2019-10-31T20:26:18 UTC | ||
| # Author: Splunk Security Research | ||
| # Contact: [email protected] | ||
| ############# | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| ############# | ||
| # Automatically generated by generator.py in splunk/security-content | ||
| # On Date: 2019-10-31T17:15:19 UTC | ||
| # On Date: 2019-10-31T20:26:18 UTC | ||
| # Author: Splunk Security Research | ||
| # Contact: [email protected] | ||
| ############# | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,196 +1,196 @@ | ||
| ############# | ||
| # Automatically generated by generator.py in splunk/security-content | ||
| # On Date: 2019-10-31T17:15:19 UTC | ||
| # On Date: 2019-10-31T20:26:18 UTC | ||
| # Author: Splunk Security Research | ||
| # Contact: [email protected] | ||
| ############# | ||
|
|
||
| [api_call_by_user_baseline] | ||
| filename = api_call_by_user_baseline.csv | ||
| description = A lookup file that will contain the baseline information for number of AWS API calls per user | ||
| # description = A lookup file that will contain the baseline information for number of AWS API calls per user | ||
|
|
||
| [aws_service_accounts] | ||
| filename = aws_service_accounts.csv | ||
| description = A lookup file that will contain AWS Service accounts | ||
| # description = A lookup file that will contain AWS Service accounts | ||
|
|
||
| [baseline_blocked_outbound_connections] | ||
| filename = baseline_blocked_outbound_connections.csv | ||
| description = A lookup file that will contain the baseline information for number of blocked outbound connections | ||
| # description = A lookup file that will contain the baseline information for number of blocked outbound connections | ||
|
|
||
| [brandMonitoring_lookup] | ||
| filename = brand_monitoring.csv | ||
| default_match = false | ||
| description = A file that contains look-a-like domains for brands that you want to monitor | ||
| # description = A file that contains look-a-like domains for brands that you want to monitor | ||
| match_type = WILDCARD(domain) | ||
| min_matches = 1 | ||
|
|
||
| [csc_lookup] | ||
| filename = csc_lookup.csv | ||
| description = The CSC control numbers and names | ||
| # description = The CSC control numbers and names | ||
| min_matches = 1 | ||
|
|
||
| [domains] | ||
| filename = domains.csv | ||
| description = A list of domains that can be whitelisted | ||
| # description = A list of domains that can be whitelisted | ||
|
|
||
| [dynamic_dns_providers_default] | ||
| filename = dynamic_dns_providers_default.csv | ||
| case_sensitive_match = false | ||
| description = A list of dynammic dns providers that should not be modified | ||
| # description = A list of dynammic dns providers that should not be modified | ||
| match_type = WILDCARD(dynamic_dns_domains) | ||
|
|
||
| [dynamic_dns_providers_local] | ||
| filename = dynamic_dns_providers_local.csv | ||
| case_sensitive_match = false | ||
| description = A list of dynammic dns providers that can be modified | ||
| # description = A list of dynammic dns providers that can be modified | ||
| match_type = WILDCARD(dynamic_dns_domains) | ||
|
|
||
| [escu_search_id_lookup] | ||
| filename = escu_search_id.csv | ||
| description = A placeholder lookup file to hold information for ESCU Usage dashboard | ||
| # description = A placeholder lookup file to hold information for ESCU Usage dashboard | ||
|
|
||
| [isSuspiciousFileExtension_lookup] | ||
| filename = suspicious_email_attachments.csv | ||
| description = A list of suspicious extensions for email attachments | ||
| # description = A list of suspicious extensions for email attachments | ||
| match_type = WILDCARD(file_name) | ||
|
|
||
| [isWindowsSystemFile_lookup] | ||
| filename = system32_executables.csv | ||
| default_match = false | ||
| description = A list of executable files in Windows\System32 | ||
| # description = A list of executable files in Windows\System32 | ||
| min_matches = 1 | ||
|
|
||
| [legit_domains] | ||
| filename = legit_domains.csv | ||
| description = A list of legit domains to be used to whitelist possible phishing sites | ||
| # description = A list of legit domains to be used to whitelist possible phishing sites | ||
|
|
||
| [lookup_rare_process_whitelist_default] | ||
| filename = rare_process_whitelist_default.csv | ||
| default_match = false | ||
| case_sensitive_match = false | ||
| description = A list of rare processes that are legitimate provided by Splunk | ||
| # description = A list of rare processes that are legitimate provided by Splunk | ||
| match_type = WILDCARD(process) | ||
| min_matches = 1 | ||
|
|
||
| [lookup_rare_process_whitelist_local] | ||
| filename = rare_process_whitelist_local.csv | ||
| default_match = false | ||
| case_sensitive_match = false | ||
| description = A list of rare processes that are legitimate provided by the end user | ||
| # description = A list of rare processes that are legitimate provided by the end user | ||
| match_type = WILDCARD(process) | ||
| min_matches = 1 | ||
|
|
||
| [lookup_uncommon_processes_default] | ||
| filename = uncommon_processes_default.csv | ||
| case_sensitive_match = false | ||
| description = A list of processes that are not common | ||
| # description = A list of processes that are not common | ||
| match_type = WILDCARD(process) | ||
|
|
||
| [lookup_uncommon_processes_local] | ||
| filename = uncommon_processes_local.csv | ||
| case_sensitive_match = false | ||
| description = A list of processes that are not common | ||
| # description = A list of processes that are not common | ||
| match_type = WILDCARD(process) | ||
|
|
||
| [network_acl_activity_baseline] | ||
| filename = network_acl_activity_baseline.csv | ||
| description = A lookup file that will contain the baseline information for number of AWS Network ACL Activity | ||
| # description = A lookup file that will contain the baseline information for number of AWS Network ACL Activity | ||
|
|
||
| [previously_seen_S3_access_from_remote_ip] | ||
| filename = previously_seen_S3_access_from_remote_ip.csv | ||
| description = A placeholder for a list of IPs that have access S3 | ||
| # description = A placeholder for a list of IPs that have access S3 | ||
|
|
||
| [previously_seen_api_calls_from_user_roles] | ||
| filename = previously_seen_api_calls_from_user_roles.csv | ||
| description = A placeholder for a list of AWS API calls for each user role | ||
| # description = A placeholder for a list of AWS API calls for each user role | ||
|
|
||
| [previously_seen_aws_cross_account_activity] | ||
| filename = previously_seen_aws_cross_account_activity.csv | ||
| description = A placeholder for a list of AWS accounts and assumed roles | ||
| # description = A placeholder for a list of AWS accounts and assumed roles | ||
|
|
||
| [previously_seen_aws_regions] | ||
| filename = previously_seen_aws_regions.csv | ||
| default_match = false | ||
| description = A place holder for a list of used AWS regions | ||
| # description = A place holder for a list of used AWS regions | ||
| min_matches = 1 | ||
|
|
||
| [previously_seen_cloud_compute_creations_by_user] | ||
| filename = previously_seen_cloud_compute_creations_by_user.csv | ||
| default_match = false | ||
| description = A place holder for a list of users that have created cloud compute instances | ||
| # description = A place holder for a list of users that have created cloud compute instances | ||
| min_matches = 1 | ||
|
|
||
| [previously_seen_cloud_compute_images] | ||
| filename = previously_seen_cloud_compute_images.csv | ||
| default_match = false | ||
| description = A place holder for a list of used cloud compute images | ||
| # description = A place holder for a list of used cloud compute images | ||
| min_matches = 1 | ||
|
|
||
| [previously_seen_cloud_compute_instance_types] | ||
| filename = previously_seen_cloud_compute_instance_types.csv | ||
| default_match = false | ||
| description = A place holder for a list of used cloud compute instance types | ||
| # description = A place holder for a list of used cloud compute instance types | ||
| min_matches = 1 | ||
|
|
||
| [previously_seen_cloud_regions] | ||
| filename = previously_seen_cloud_regions.csv | ||
| default_match = false | ||
| description = A place holder for a list of used cloud compute images | ||
| # description = A place holder for a list of used cloud compute images | ||
| min_matches = 1 | ||
|
|
||
| [previously_seen_cmd_line_arguments] | ||
| filename = previously_seen_cmd_line_arguments.csv | ||
| description = A placeholder for a list of cmd line arugments that been seen before | ||
| # description = A placeholder for a list of cmd line arugments that been seen before | ||
|
|
||
| [previously_seen_ec2_modifications_by_user] | ||
| filename = previously_seen_ec2_modifications_by_user.csv | ||
| description = A place holder for a list of AWS EC2 modifications done by each user | ||
| # description = A place holder for a list of AWS EC2 modifications done by each user | ||
|
|
||
| [previously_seen_running_windows_services] | ||
| filename = previously_seen_running_windows_services.csv | ||
| description = A placeholder for the list of Windows Services running | ||
| # description = A placeholder for the list of Windows Services running | ||
|
|
||
| [prohibitedProcesses_lookup] | ||
| filename = prohibited_processes.csv | ||
| description = A list of processes that have been marked as prohibited | ||
| # description = A list of processes that have been marked as prohibited | ||
|
|
||
| [prohibited_apps_launching_cmd] | ||
| filename = prohibited_apps_launching_cmd.csv | ||
| description = A list of processes that should not be launching cmd.exe | ||
| # description = A list of processes that should not be launching cmd.exe | ||
| match_type = WILDCARD(prohibited_applications) | ||
|
|
||
| [ransomware_extensions_lookup] | ||
| filename = ransomware_extensions.csv | ||
| default_match = false | ||
| description = A list of file extensions that are associated with ransomware | ||
| # description = A list of file extensions that are associated with ransomware | ||
| min_matches = 1 | ||
|
|
||
| [ransomware_notes_lookup] | ||
| filename = ransomware_notes.csv | ||
| default_match = false | ||
| description = A list of file names that are ransomware note files | ||
| # description = A list of file names that are ransomware note files | ||
| match_type = WILDCARD(ransomware_notes) | ||
| min_matches = 1 | ||
|
|
||
| [s3_deletion_baseline] | ||
| filename = s3_deletion_baseline.csv | ||
| description = A placeholder for the baseline information for AWS S3 deletions | ||
| # description = A placeholder for the baseline information for AWS S3 deletions | ||
|
|
||
| [security_group_activity_baseline] | ||
| filename = security_group_activity_baseline.csv | ||
| description = A placeholder for the baseline information for AWS security groups | ||
| # description = A placeholder for the baseline information for AWS security groups | ||
|
|
||
| [security_services_lookup] | ||
| filename = security_services.csv | ||
| default_match = false | ||
| description = A list of services that deal with security | ||
| # description = A list of services that deal with security | ||
| match_type = WILDCARD(service) | ||
| min_matches = 1 | ||
|
|
||
| [suspicious_writes_lookup] | ||
| filename = suspicious_files.csv | ||
| default_match = false | ||
| description = A list of suspicious file names | ||
| # description = A list of suspicious file names | ||
| match_type = WILDCARD(file) | ||
| min_matches = 1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| ############# | ||
| # Automatically generated by generator.py in splunk/security-content | ||
| # On Date: 2019-10-31T17:15:19 UTC | ||
| # On Date: 2019-10-31T20:26:18 UTC | ||
| # Author: Splunk Security Research | ||
| # Contact: [email protected] | ||
| ############# | ||
|
|
||