From 3272e098b4a0c6f605b3c177acffaaca20f8c22c Mon Sep 17 00:00:00 2001
From: research bot
Date: Thu, 31 Oct 2019 20:30:02 +0000
Subject: [PATCH] updating docs and package bits [ci skip]

---
package/default/analytic_stories.conf | 2 +-
package/default/analyticstories.conf | 2 +-
package/default/app.conf | 2 +-
package/default/macros.conf | 2 +-
package/default/savedsearches.conf | 2 +-
package/default/transforms.conf | 74 +++++++++++++--------------
package/default/use_case_library.conf | 2 +-
7 files changed, 43 insertions(+), 43 deletions(-)

diff --git a/package/default/analytic_stories.conf b/package/default/analytic_stories.conf
index 17ba2f95d6..1d36c864fe 100644
--- a/package/default/analytic_stories.conf
+++ b/package/default/analytic_stories.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security-content
-# On Date: 2019-10-31T17:15:19 UTC
+# On Date: 2019-10-31T20:26:18 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
diff --git a/package/default/analyticstories.conf b/package/default/analyticstories.conf
index 0a08334d87..3b6a16b20d 100644
--- a/package/default/analyticstories.conf
+++ b/package/default/analyticstories.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security-content
-# On Date: 2019-10-31T17:15:19 UTC
+# On Date: 2019-10-31T20:26:18 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
diff --git a/package/default/app.conf b/package/default/app.conf
index b546875b9c..7d97f190ae 100644
--- a/package/default/app.conf
+++ b/package/default/app.conf
@@ -4,7 +4,7 @@
 is_configured = false
 state = enabled
 state_change_requires_restart = false
-build = 2705
+build = 2729
 
 [triggers]
 reload.analytic_stories = simple
diff --git a/package/default/macros.conf b/package/default/macros.conf
index 5e01efe81d..fc702d18ad 100644
--- a/package/default/macros.conf
+++ b/package/default/macros.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security-content
-# On Date: 2019-10-31T17:15:19 UTC
+# On Date: 2019-10-31T20:26:18 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
diff --git a/package/default/savedsearches.conf b/package/default/savedsearches.conf
index 63b274f58b..cb305ba66d 100644
--- a/package/default/savedsearches.conf
+++ b/package/default/savedsearches.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security-content
-# On Date: 2019-10-31T17:15:19 UTC
+# On Date: 2019-10-31T20:26:18 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
diff --git a/package/default/transforms.conf b/package/default/transforms.conf
index 61c8ff03e1..0b62c057d9 100644
--- a/package/default/transforms.conf
+++ b/package/default/transforms.conf
@@ -1,74 +1,74 @@
 #############
 # Automatically generated by generator.py in splunk/security-content
-# On Date: 2019-10-31T17:15:19 UTC
+# On Date: 2019-10-31T20:26:18 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
 
 [api_call_by_user_baseline]
 filename = api_call_by_user_baseline.csv
-description = A lookup file that will contain the baseline information for number of AWS API calls per user
+# description = A lookup file that will contain the baseline information for number of AWS API calls per user
 
 [aws_service_accounts]
 filename = aws_service_accounts.csv
-description = A lookup file that will contain AWS Service accounts
+# description = A lookup file that will contain AWS Service accounts
 
 [baseline_blocked_outbound_connections]
 filename = baseline_blocked_outbound_connections.csv
-description = A lookup file that will contain the baseline information for number of blocked outbound connections
+# description = A lookup file that will contain the baseline information for number of blocked outbound connections
 
 [brandMonitoring_lookup]
 filename = brand_monitoring.csv
 default_match = false
-description = A file that contains look-a-like domains for brands that you want to monitor
+# description = A file that contains look-a-like domains for brands that you want to monitor
 match_type = WILDCARD(domain)
 min_matches = 1
 
 [csc_lookup]
 filename = csc_lookup.csv
-description = The CSC control numbers and names
+# description = The CSC control numbers and names
 min_matches = 1
 
 [domains]
 filename = domains.csv
-description = A list of domains that can be whitelisted
+# description = A list of domains that can be whitelisted
 
 [dynamic_dns_providers_default]
 filename = dynamic_dns_providers_default.csv
 case_sensitive_match = false
-description = A list of dynammic dns providers that should not be modified
+# description = A list of dynammic dns providers that should not be modified
 match_type = WILDCARD(dynamic_dns_domains)
 
 [dynamic_dns_providers_local]
 filename = dynamic_dns_providers_local.csv
 case_sensitive_match = false
-description = A list of dynammic dns providers that can be modified
+# description = A list of dynammic dns providers that can be modified
 match_type = WILDCARD(dynamic_dns_domains)
 
 [escu_search_id_lookup]
 filename = escu_search_id.csv
-description = A placeholder lookup file to hold information for ESCU Usage dashboard
+# description = A placeholder lookup file to hold information for ESCU Usage dashboard
 
 [isSuspiciousFileExtension_lookup]
 filename = suspicious_email_attachments.csv
-description = A list of suspicious extensions for email attachments
+# description = A list of suspicious extensions for email attachments
 match_type = WILDCARD(file_name)
 
 [isWindowsSystemFile_lookup]
 filename = system32_executables.csv
 default_match = false
-description = A list of executable files in Windows\System32
+# description = A list of executable files in Windows\System32
 min_matches = 1
 
 [legit_domains]
 filename = legit_domains.csv
-description = A list of legit domains to be used to whitelist possible phishing sites
+# description = A list of legit domains to be used to whitelist possible phishing sites
 
 [lookup_rare_process_whitelist_default]
 filename = rare_process_whitelist_default.csv
 default_match = false
 case_sensitive_match = false
-description = A list of rare processes that are legitimate provided by Splunk
+# description = A list of rare processes that are legitimate provided by Splunk
 match_type = WILDCARD(process)
 min_matches = 1
 
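Review bot: Every `description` key in this hunk becomes `# description = …`, which reads as a commented-out setting rather than as deliberate documentation, and nothing on the new side says why the key was retired. Since the banner states the file is produced by generator.py, the explanation belongs in the generated header rather than in this file, for example `# description lines below are comments, not settings`; if the motivation was that an app validator rejects `description` as an unrecognized transforms.conf setting, saying so there stops the next maintainer from restoring the key. The same rewrite continues in the second transforms.conf hunk (old lines 76-196) and is not repeated here.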
@@ -76,121 +76,121 @@ min_matches = 1
 filename = rare_process_whitelist_local.csv
 default_match = false
 case_sensitive_match = false
-description = A list of rare processes that are legitimate provided by the end user
+# description = A list of rare processes that are legitimate provided by the end user
 match_type = WILDCARD(process)
 min_matches = 1
 
 [lookup_uncommon_processes_default]
 filename = uncommon_processes_default.csv
 case_sensitive_match = false
-description = A list of processes that are not common
+# description = A list of processes that are not common
 match_type = WILDCARD(process)
 
 [lookup_uncommon_processes_local]
 filename = uncommon_processes_local.csv
 case_sensitive_match = false
-description = A list of processes that are not common
+# description = A list of processes that are not common
 match_type = WILDCARD(process)
 
 [network_acl_activity_baseline]
 filename = network_acl_activity_baseline.csv
-description = A lookup file that will contain the baseline information for number of AWS Network ACL Activity
+# description = A lookup file that will contain the baseline information for number of AWS Network ACL Activity
 
 [previously_seen_S3_access_from_remote_ip]
 filename = previously_seen_S3_access_from_remote_ip.csv
-description = A placeholder for a list of IPs that have access S3
+# description = A placeholder for a list of IPs that have access S3
 
 [previously_seen_api_calls_from_user_roles]
 filename = previously_seen_api_calls_from_user_roles.csv
-description = A placeholder for a list of AWS API calls for each user role
+# description = A placeholder for a list of AWS API calls for each user role
 
 [previously_seen_aws_cross_account_activity]
 filename = previously_seen_aws_cross_account_activity.csv
-description = A placeholder for a list of AWS accounts and assumed roles
+# description = A placeholder for a list of AWS accounts and assumed roles
 
 [previously_seen_aws_regions]
 filename = previously_seen_aws_regions.csv
 default_match = false
-description = A place holder for a list of used AWS regions
+# description = A place holder for a list of used AWS regions
 min_matches = 1
 
 [previously_seen_cloud_compute_creations_by_user]
 filename = previously_seen_cloud_compute_creations_by_user.csv
 default_match = false
-description = A place holder for a list of users that have created cloud compute instances
+# description = A place holder for a list of users that have created cloud compute instances
 min_matches = 1
 
 [previously_seen_cloud_compute_images]
 filename = previously_seen_cloud_compute_images.csv
 default_match = false
-description = A place holder for a list of used cloud compute images
+# description = A place holder for a list of used cloud compute images
 min_matches = 1
 
 [previously_seen_cloud_compute_instance_types]
 filename = previously_seen_cloud_compute_instance_types.csv
 default_match = false
-description = A place holder for a list of used cloud compute instance types
+# description = A place holder for a list of used cloud compute instance types
 min_matches = 1
 
 [previously_seen_cloud_regions]
 filename = previously_seen_cloud_regions.csv
 default_match = false
-description = A place holder for a list of used cloud compute images
+# description = A place holder for a list of used cloud compute images
 min_matches = 1
 
 [previously_seen_cmd_line_arguments]
 filename = previously_seen_cmd_line_arguments.csv
-description = A placeholder for a list of cmd line arugments that been seen before
+# description = A placeholder for a list of cmd line arugments that been seen before
 
 [previously_seen_ec2_modifications_by_user]
 filename = previously_seen_ec2_modifications_by_user.csv
-description = A place holder for a list of AWS EC2 modifications done by each user
+# description = A place holder for a list of AWS EC2 modifications done by each user
 
 [previously_seen_running_windows_services]
 filename = previously_seen_running_windows_services.csv
-description = A placeholder for the list of Windows Services running
+# description = A placeholder for the list of Windows Services running
 
 [prohibitedProcesses_lookup]
 filename = prohibited_processes.csv
-description = A list of processes that have been marked as prohibited
+# description = A list of processes that have been marked as prohibited
 
 [prohibited_apps_launching_cmd]
 filename = prohibited_apps_launching_cmd.csv
-description = A list of processes that should not be launching cmd.exe
+# description = A list of processes that should not be launching cmd.exe
 match_type = WILDCARD(prohibited_applications)
 
 [ransomware_extensions_lookup]
 filename = ransomware_extensions.csv
 default_match = false
-description = A list of file extensions that are associated with ransomware
+# description = A list of file extensions that are associated with ransomware
 min_matches = 1
 
 [ransomware_notes_lookup]
 filename = ransomware_notes.csv
 default_match = false
-description = A list of file names that are ransomware note files
+# description = A list of file names that are ransomware note files
 match_type = WILDCARD(ransomware_notes)
 min_matches = 1
 
 [s3_deletion_baseline]
 filename = s3_deletion_baseline.csv
-description = A placeholder for the baseline information for AWS S3 deletions
+# description = A placeholder for the baseline information for AWS S3 deletions
 
 [security_group_activity_baseline]
 filename = security_group_activity_baseline.csv
-description = A placeholder for the baseline information for AWS security groups
+# description = A placeholder for the baseline information for AWS security groups
 
 [security_services_lookup]
 filename = security_services.csv
 default_match = false
-description = A list of services that deal with security
+# description = A list of services that deal with security
 match_type = WILDCARD(service)
 min_matches = 1
 
 [suspicious_writes_lookup]
 filename = suspicious_files.csv
 default_match = false
-description = A list of suspicious file names
+# description = A list of suspicious file names
 match_type = WILDCARD(file)
 min_matches = 1
 
diff --git a/package/default/use_case_library.conf b/package/default/use_case_library.conf
index 0a08334d87..3b6a16b20d 100644
--- a/package/default/use_case_library.conf
+++ b/package/default/use_case_library.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security-content
-# On Date: 2019-10-31T17:15:19 UTC
+# On Date: 2019-10-31T20:26:18 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
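Review bot: The new comment line under `[previously_seen_cloud_regions]` still reads `A place holder for a list of used cloud compute images`, the same text as `[previously_seen_cloud_compute_images]` two stanzas earlier, so the only documentation that stanza carries describes the wrong lookup; since this commit rewrites every description line anyway, the generator source should emit `# description = A place holder for a list of used cloud regions`. The misspellings carried onto the new side (`arugments` in `[previously_seen_cmd_line_arguments]` here, `dynammic` in the two dynamic_dns stanzas of the first hunk) can be corrected in the same pass. The stanza that opens this hunk has its `[...]` header above the hunk start; the filename suggests it is the `_local` counterpart of `[lookup_rare_process_whitelist_default]`.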