Merge pull request #3049 from splunk/better_data_source_tagging

Better data source tagging
splunk · Jul 25, 2024 · 7ed251e · 7ed251e
2 parents 4eb9170 + cc5904d
commit 7ed251e
Show file tree

Hide file tree

Showing 1,076 changed files with 19,028 additions and 14,855 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -23,7 +23,7 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip install contentctl==4.1.5
+          pip install contentctl==4.2.0
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git
       
       - name: Running build with enrichments

diff --git a/.github/workflows/unit-testing.yml b/.github/workflows/unit-testing.yml
@@ -24,7 +24,7 @@ jobs:
         - name: Install Python Dependencies and ContentCTL
           run: |
             python -m pip install --upgrade pip
-            pip install contentctl==4.1.5
+            pip install contentctl==4.2.0
            
         # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
         # Make sure we check out the PR, even if it actually lives in a fork

diff --git a/data_sources/application/PingID.yml b/data_sources/application/PingID.yml
diff --git a/data_sources/application/Splunk.yml b/data_sources/application/Splunk.yml
diff --git a/data_sources/aws_cloudfront.yml b/data_sources/aws_cloudfront.yml
@@ -0,0 +1,98 @@
+name: AWS Cloudfront
+id: 780086dc-2384-45b6-ade7-56cb00105464
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS Cloudfront
+source: aws
+sourcetype: aws:cloudfront:accesslogs
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+  url: https://splunkbase.splunk.com/app/1876
+  version: 7.4.1
+fields:
+- _time
+- action
+- app
+- bytes
+- bytes_in
+- bytes_out
+- c_ip
+- c_port
+- cached
+- category
+- client_ip
+- cs_bytes
+- cs_cookie
+- cs_host
+- cs_method
+- cs_protocol
+- cs_protocol_version
+- cs_referer
+- cs_uri_query
+- cs_uri_stem
+- cs_user_agent
+- date
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- duration
+- edge_location_name
+- eventtype
+- fle_encrypted_fields
+- fle_status
+- host
+- http_content_type
+- http_method
+- http_user_agent
+- http_user_agent_length
+- index
+- linecount
+- punct
+- response_time
+- sc_bytes
+- sc_content_len
+- sc_content_type
+- sc_range_end
+- sc_range_start
+- sc_status
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_port
+- ssl_cipher
+- ssl_protocol
+- status
+- tag
+- tag::eventtype
+- time
+- time_taken
+- time_to_first_byte
+- timeendpos
+- timestartpos
+- uri_path
+- url
+- url_domain
+- url_length
+- vendor_product
+- x_edge_detail_result_type
+- x_edge_location
+- x_edge_request_id
+- x_edge_response_result_type
+- x_edge_result_type
+- x_forwarded_for
+- x_host_header
+example_log: "2023-11-07\t16:58:21\tIAD55-P5\t921\t44.192.78.55\tGET\td3u5aue66f5ui4.cloudfront.net\t\
+  /plugins/servlet/com.jsos.shell/ShellServlet\t200\t-\tSlackbot-LinkExpanding%201.0%20(+https://api.slack.com/robots)\t\
+  -\t-\tLambdaGeneratedResponse\tsGwvFCkFU4qlMxatCoJRgW87P7Ee8bKQor3U6lRt6I6jaFvLC7vcPA==\t\
+  confluence.catjamfest.com\thttps\t232\t0.276\t-\tTLSv1.3\tTLS_AES_128_GCM_SHA256\t\
+  LambdaGeneratedResponse\tHTTP/1.1\t-\t-\t57232\t0.276\tLambdaGeneratedResponse\t\
+  text/html\t527\t-\t-"
diff --git a/data_sources/aws_cloudtrail.yml b/data_sources/aws_cloudtrail.yml
@@ -0,0 +1,14 @@
+name: AWS CloudTrail
+id: e8ace6db-1dbd-4c72-a1fb-334684619a38
+version: 1
+date: '2024-07-24'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+  url: https://splunkbase.splunk.com/app/1876
+  version: 7.4.1
+
diff --git a/data_sources/aws_cloudtrail_assumerolewithsaml.yml b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -0,0 +1,126 @@
+name: AWS CloudTrail AssumeRoleWithSAML
+id: 1e28f2a6-2db9-405f-b298-18734a293f77
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail AssumeRoleWithSAML
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+  url: https://splunkbase.splunk.com/app/1876
+  version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.durationSeconds
+- requestParameters.principalArn
+- requestParameters.roleArn
+- requestParameters.roleSessionName
+- requestParameters.sAMLAssertionID
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements.assumedRoleUser.arn
+- responseElements.assumedRoleUser.assumedRoleId
+- responseElements.audience
+- responseElements.credentials.accessKeyId
+- responseElements.credentials.expiration
+- responseElements.credentials.sessionToken
+- responseElements.issuer
+- responseElements.nameQualifier
+- responseElements.subject
+- responseElements.subjectType
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_user
+- src_user_id
+- src_user_type
+- start_time
+- status
+- tag
+- tag::action
+- tag::eventtype
+- temp_access_key
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.identityProvider
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- user_agent
+- user_arn
+- user_id
+- user_name
+- user_role
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "principalId":
+  "ZRu9MRAjiG9tvi1QBNfdI664G5A=:[email protected]", "userName": "[email protected]",
+  "identityProvider": "ZRu9MRAjiG9tvi1QBNfdI664G5A="}, "eventTime": "2021-01-22T03:44:16Z",
+  "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML", "awsRegion":
+  "us-east-1", "sourceIPAddress": "72.21.217.152", "userAgent": "AWS Signin, aws-internal/3
+  aws-sdk-java/1.11.898 Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.275-b01
+  java/1.8.0_275 kotlin/1.3.72 vendor/Oracle_Corporation", "requestParameters": {"sAMLAssertionID":
+  "_d33ba0ad-0c88-4b83-80a6-27c08027d000", "roleSessionName": "[email protected]",
+  "durationSeconds": 3600, "roleArn": "arn:aws:iam::111111111111:role/rodonmicrotestrole",
+  "principalArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}, "responseElements":
+  {"subjectType": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "issuer":
+  "https://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/", "credentials":
+  {"accessKeyId": "ASIAYTOGP2RLKJXOV7VR", "expiration": "Jan 22, 2021 3:59:16 AM",
+  "sessionToken": "IQoJb3JpZ2luX2VjENz//////////wEaCXVzLWVhc3QtMSJGMEQCIHl/WQdLq53ULYl10fPtpeV3H7da9mOXGuIStvhdDA6kAiAdO/7rocOXAtyDV+0MJhSj/piqlqEI/BcAKm8zqBhOgiqgAwi1//////////8BEAIaDDU5MTUxMTE0NzYwNiIMAFP8GfyI/x1fKCHYKvQCznxxgKnEdcuvrr/fBLmHxEDjQ9vQxjasA8gZF8GawZ5SFH9ViKqoZh93bYkOwKqZD8cdqJIo9SYL17RGhVqxzvsjU4+QsRXTN5eGgh+LyF9EZqeCl6oCkaTJqNrXHuenzTi0yiL510LKsSckrAm8+SuwI/jQu3oE1BEcJQieAc4RjYx3II+1cUvyfRlFvR2NDfZhdWcQvAivV06KJg9c2zfCF0Agzn/YZSNvsRL5UhnKhJ2wktSvT8lR0mS3n9xR1j3iYNxVDHab180cnfkP3G6tAmxj5U29diNQrusJxKWWhr/Q9wHRdDj5dO2QUZzSymKKU/UiRJ8nyYPINaJ8XWVAPiT4QgzpMxotkvSkDLEG/brB9yEr2p7W8Y3xMGZ37qSGkuU4z9x40RU9G1XPhv27NO9aaGs/VXYTMCzWRNxnsLfNkk/DihrcaR0SclRcvs+zmfe1ZUoGnfjNYm+AIyJi4D7OrXF5/Mt46Z2y76DnULlAMJCUqYAGOpsBw4fyafV8OizX7Lebh2JRXFZsWBY1GTpyGvO5otrw++4axud44vYVi5iU5rbJxtTBm4vtJartxgXoPJFnQuat9gLrIlXhjmg+m50a5xs1Ut2UWEsWY2Duu4jA9ap7P7dYv9kIK9P2uyhsjKQhCjTpfe4I/llcupbDotYBJuvlB5n85a5kgiSriFk5zetoXQIweuYEWQZsD/AN+LE="},
+  "nameQualifier": "ZRu9MRAjiG9tvi1QBNfdI664G5A=", "assumedRoleUser": {"assumedRoleId":
+  "AROAYTOGP2RLKFUVAQAIJ:[email protected]", "arn": "arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/[email protected]"},
+  "subject": "[email protected]", "audience": "https://signin.aws.amazon.com/saml"},
+  "requestID": "e19c7a7f-cd96-4642-9ee6-2360a7b01b12", "eventID": "b25b825d-9c9b-49d3-9ecd-290dbe8f2c29",
+  "readOnly": true, "resources": [{"accountId": "111111111111", "type": "AWS::IAM::Role",
+  "ARN": "arn:aws:iam::111111111111:role/rodonmicrotestrole"}, {"accountId": "111111111111",
+  "type": "AWS::IAM::SAMLProvider", "ARN": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}],
+  "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
+  "recipientAccountId": "111111111111"}'