Merge pull request #3007 from splunk/gitlab_release_v4.31.0

Release v4.31.0

.gitignore

@@ -10,7 +10,7 @@ dist/DA-ESS-ContentUpdate-*.tar.gz
 dist/DA-ESS-ContentUpdate.tar.gz
 dist/ContentPack-*.appinspect_api_results.html
 dist/ContentPack-*.appinspect_api_results.json
-
+atomic-red-team/
 
 # IDE
 .vscode/

.gitlab-ci.yml

@@ -1,5 +1,5 @@
 default:
-  image: docker-hub.repo.splunkdev.net/python:3.9
+  image: docker-hub.repo.splunkdev.net/python:3.11
 
 variables:
   EXTRACTO_VERSION:

.vscode/launch.json

@@ -1,76 +1,89 @@
 {
-    // Use IntelliSense to learn about possible attributes.
-    // Hover to view descriptions of existing attributes.
-    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
-    "version": "0.2.0",
     "configurations": [
         {
-            "name": "contentctl new_detection",
-            "type": "python",
+            "name": "contentctl init",
+            "type": "debugpy",
             "request": "launch",
-            "program": "${workspaceFolder}/contentctl.py",
-            "console": "integratedTerminal",
-            "justMyCode": true,
-            "args": ["-p", ".", "new_content", "-t", "detection"]
+            "program": "${workspaceFolder}/.venv/bin/contentctl",
+            "cwd": "${workspaceFolder}/../ddd/",
+            "args": [
+                "init"
+            ]
         },
         {
             "name": "contentctl validate",
-            "type": "python",
+            "type": "debugpy",
             "request": "launch",
-            "program": "${workspaceFolder}/contentctl.py",
-            "console": "integratedTerminal",
-            "justMyCode": true,
-            "args": ["-p", ".", "validate", "-pr", "ESCU"]
+            "program": "${workspaceFolder}/.venv/bin/contentctl",
+            "cwd": "${workspaceFolder}/../",
+            "args": [
+                "validate"
+            ]
         },
         {
-            "name": "contentctl generate",
-            "type": "python",
+            "name": "contentctl validate enrich",
+            "type": "debugpy",
             "request": "launch",
-            "program": "${workspaceFolder}/contentctl.py",
-            "console": "integratedTerminal",
-            "justMyCode": true,
-            "args": ["-p", ".", "generate", "-o", "dist/escu", "-pr", "ESCU"]
+            "program": "${workspaceFolder}/.venv/bin/contentctl",
+            "cwd": "${workspaceFolder}/../",
+            "args": [
+                "validate",
+                "--enrichments"
+            ]
         },
         {
-            "name": "contentctl docgen",
-            "type": "python",
+            "name": "contentctl build",
+            "type": "debugpy",
             "request": "launch",
-            "program": "${workspaceFolder}/contentctl.py",
-            "console": "integratedTerminal",
-            "justMyCode": true,
-            "args": ["-p", ".", "docgen", "-o", "docs"]
+            "program": "${workspaceFolder}/.venv/bin/contentctl",
+            "cwd": "${workspaceFolder}/../",
+            "args": [
+                "build"
+            ]
         },
         {
-            "name": "contentctl content_changer",
-            "type": "python",
+            "name": "contentctl build enrich",
+            "type": "debugpy",
             "request": "launch",
-            "program": "${workspaceFolder}/contentctl.py",
-            "console": "integratedTerminal",
-            "justMyCode": true,
-            "args": ["-p", "detections", "content_changer", "-cf", "fix_kill_chain"]
+            "program": "${workspaceFolder}/.venv/bin/contentctl",
+            "cwd": "${workspaceFolder}/../",
+            "args": [
+                "build",
+                "--enrichments"
+            ]
+        },
+        {
+            "name": "contentctl test",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "${workspaceFolder}/.venv/bin/contentctl",
+            "cwd": "${workspaceFolder}/../",
+            "args": [
+                "test"
+            ]
         },
         {
-            "name": "contentctl convert",
-            "type": "python",
+            "name": "contentctl --help",
+            "type": "debugpy",
             "request": "launch",
-            "program": "${workspaceFolder}/contentctl.py",
-            "console": "integratedTerminal",
-            "justMyCode": true,
-            "args": ["-p", ".", "convert", "-dm", "ocsf", "-dp", "dev_ssa/endpoint/ssa___windows_wmiprvse_spawn_msbuild.yml", "-o", "ssa_detections/endpoint"]
+            "program": "${workspaceFolder}/.venv/bin/contentctl",
+            "cwd": "${workspaceFolder}/../",
+            "args": [
+                "--help"
+            ]
         },
         {
-            "name": "Python: Current File",
-            "type": "python",
+            "name": "contentctl test detection",
+            "type": "debugpy",
             "request": "launch",
-            "program": "${file}",
-            "console": "integratedTerminal",
+            "program": "${workspaceFolder}/.venv/bin/contentctl",
+            "cwd": "${workspaceFolder}/../",
             "args": [
-                "--path",
-                ".",
-                "--output",
-                "docs",
-                "-v"
+                "test",
+                "mode:selected",
+                "--mode.files",
+                "detections/endpoint/3cx_supply_chain_attack_network_indicators.yml"
             ]
         }
     ]
-}
+}

app_template/README.md

@@ -0,0 +1,7 @@
+# Splunk ES Content Update
+
+This subscription service delivers pre-packaged Security Content for use with Splunk Enterprise Security. Subscribers get regular updates to help security practitioners more quickly address ongoing and time-sensitive customer problems and threats.
+
+Requires Splunk Enterprise Security version 4.5 or greater.
+
+For more information please visit the [Splunk ES Content Update user documentation](https://docs.splunk.com/Documentation/ESSOC).

app_template/README/essoc_story_detail.txt

@@ -0,0 +1,15 @@
+The Analytic Story Details dashboard renders all the details of the content related to a specific analytic story which
+can be chose via the drop down
+
+Each analytic story has attributes associated with it and the following:
+______________________________________________________________________
+
+
+	Analytic Story: name of the analytic story
+	Description	; description of the analytic story
+	Search Name	: The name of the searches belonging to the chosen analytic story
+	Search	: The search query which looks for an attack pattern corresponding to the analytic story
+	Search Description: The description of the search query
+	Asset Type: The analytic story specifies what asset in the infrastructure may be compromised
+	Category: The category that the search belongs to (malware, vulnerabilities, best practices, abuse)
+	Kill Chain Phase: The kill chain phase of the attack that the search is after.

app_template/README/essoc_summary.txt

@@ -0,0 +1,24 @@
+The ES_SOC Summary Dashboard provides you a summarized view of the analytic story contents of the ES-SOC app.
+The dashboard has the following panels gives you following details
+
+1) Analytic story Summary
+ 	- Total Analytic Stories : The total number of Analytic stories in the ES-SOC application
+ 	- Total Searches: The total number of searches in ES-SOC
+ 	- Searches added last week: Number of searches added to ES-SOC in the last week.
+
+ 2) Analytic story Category: This dashboard panel summarizes the categories of the searches that the ES-SOC app contains. The categories of the analytic stories are as follow
+  	-Malware: These searches detect specific malware behavior for a particular phase of the attack kill chain. E.g. a malware’s delivery method via email or a malware’s installation behavior via registry key changes
+  	-Vulnerability: These searches detect behavior or a signature of a vulnerable software in use. These searches are not designed to replace vulnerability management or scanning systems. The purpose of these searches is to discover a vulnerability through side effects or behaviors.
+  	-Abuse: Some actions can be deemed malicious because they are unexpected, violate corporate policy or are significantly different than the actions of other users. E.g. A USB disk that is seen on multiple systems or a user that uploads excessive files to a cloud service or a database query that dumps an entire table
+  	-Best Practices:  Searches that correspond to specific guidelines from organizations like SANS or OWASP
+
+ 3) Kill Chain phases: Every analytic story has one or more searches which look for a certain kind of attack pattern/behavior. These searches have an attribute which essentially tells you what Kill chain phase does the search correspond to.
+    The numbers on the dashboard represents the number of searches correponding to each kill chain phase
+
+ 4) Analytic story table: This table gives the user a comprehensive view of some of the details of the analytic story. Some of the listed attributes are:
+  	- Analytic Story : The name of the analytic story
+  	- Description: The description of the analyttic story
+  	- Search names: The name of the searches in each analytic story
+  	- Datamodels: The name of the datamodel that the search is querying against.
+  	- Technology Examples: This field represent some examples related to the technologies required to populate the datamodels(Nessues, Cisco Firewall,etc)
+  	- Kill chain phase: The name of the kill chain phase that the search belongs to

app_template/README/essoc_usage_dashboard.txt

@@ -0,0 +1,51 @@
+######################
+ESSOC Usage Dashboard#
+######################
+
+The ESSOC Usage dashboard is designed to provide high-level insight into the usage of the ES-SOC app. It is suitable for display when providing feedback to the Splunk team or for identifying how the ES-SOC app is being used. This dashboard has two time selectors that work independently - the top time selector determines the search time range for all the single-value. And the lower time selector, determines the time range for the usage table.
+
+IMPORTANT: The user loading this dashboard must have permission to search the _audit index
+
+##################
+#Dashboard panels#
+##################
+
+Searches Ran
+
+The total number of searches in ES-SOC that were executed. This number includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax
+
+Unique Searches
+
+The unique/distinct searches executed on the deployment. This is equivalent to the distinct count of searches run in the ES-SOC app.
+
+Most Run
+
+The total number of searches in ES-SOC that were executed. This number includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax.
+
+Ad hoc Searches
+
+The total number of searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax.
+
+Scheduled
+
+The total number of ESSOC searches run that were scheduled.
+
+Most Active User
+
+The user who executed the highest number/count of searches. This calculation includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax.
+
+Search Run Time (seconds)
+
+Total run time of all searches executed in seconds. This calculation includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax.
+
+Average Run Time (seconds)
+
+Average run time of all searches executed in seconds. This calculation includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax.
+
+Max Run Time (seconds)
+
+The run time of the longest running search. This calculation includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax.
+
+Search summary
+
+This table provides details on each search that was executed in the ESSOC app.

app_template/default/analytic_stories.conf

@@ -0,0 +1,2 @@
+### Deprecated since ESCU UI was deprecated and this conf file is no longer in use
+### Using one single file analyticstories.conf that will be used both by ES and ESCU 

app_template/default/app.conf

@@ -0,0 +1,31 @@
+## Splunk app configuration file
+
+[install]
+is_configured = false
+state = enabled
+state_change_requires_restart = false
+build = 16367
+
+[triggers]
+reload.analytic_stories = simple
+reload.usage_searches = simple
+reload.use_case_library = simple
+reload.correlationsearches = simple
+reload.analyticstories = simple
+reload.governance = simple
+reload.managed_configurations = simple
+reload.postprocess = simple
+reload.content-version = simple
+reload.es_investigations = simple
+
+[launcher]
+author = Splunk
+version = 4.9.0
+description = Explore the Analytic Stories included with ES Content Updates.
+
+[ui]
+is_visible = true
+label      = ES Content Updates
+
+[package]
+id = DA-ESS-ContentUpdate

app_template/default/commands.conf

@@ -0,0 +1,11 @@
+# deprecated please see gist: https://gist.github.com/d1vious/c4c2aae7fa7d5cbb1f24adc5f6303ac1
+#[dnstwist]
+#filename = dnstwist.py
+#chunked = true
+
+# run story functionality has been moved to: https://github.com/splunk/analytic_story_execution'
+# [runstory]
+# filename = runstory.py
+# chunked = true
+# is_risky = true
+

app_template/default/content-version.conf

@@ -0,0 +1,2 @@
+[content-version]
+version = 4.9.0

app_template/default/data/ui/nav/default.xml

@@ -0,0 +1,7 @@
+<nav search_view="search" color="#65A637">
+  <view name="escu_summary" default="true"/>
+  <view name="feedback"/>
+  <view name="search"/>
+  <view name="dashboards"/>
+  <a href="http://docs.splunk.com/Documentation/ESSOC">Docs</a>
+</nav>