Better data source tagging #3049

Merged
merged 25 commits into from
Jul 25, 2024
25 commits
b6ae12c
Auto-update dist/* files for ESCU,BA,API via release job for tag v4.3…
Jul 1, 2024
9e0d842
improved data source field
Jul 16, 2024
fe1f820
remove dist completely
patel-bhavin Jul 17, 2024
516fd8f
re adding dist
patel-bhavin Jul 17, 2024
87108a5
Improved data sources
Jul 17, 2024
2629cf3
Release v4.36.0 - Draft release branch (Manual)
patel-bhavin Jul 17, 2024
3ea623b
Merge branch 'release_v4.36.4' into 'develop'
patel-bhavin Jul 17, 2024
1574555
CI Updates for GitLab + Github
patel-bhavin Jul 17, 2024
c9ad71c
Merge branch 'final_release_CI' into 'develop'
patel-bhavin Jul 17, 2024
7263680
added date and version to objects and changed event_names to event_so…
Jul 18, 2024
6040b0a
renamed data source and event source fields
Jul 18, 2024
68b3a66
renamed data source and event source files
Jul 19, 2024
c0774b9
Better data source handling
Jul 24, 2024
b3f2bb4
merged with develop
Jul 24, 2024
4c0d7f4
merged with develop
Jul 24, 2024
71bc0e0
Remove the stuff from dist in the PR
pyth0n1c Jul 24, 2024
0d82fcb
Fix merge conflicts
pyth0n1c Jul 24, 2024
9bb3600
Needed to change the name of the osquery macro due to a conflict with…
pyth0n1c Jul 24, 2024
7de10c7
Remove the data_source csv from lookups
pyth0n1c Jul 24, 2024
181a15a
remove the lookups/data_sources.yml
pyth0n1c Jul 24, 2024
4b92618
Branch was auto-updated.
patel-bhavin Jul 25, 2024
6c2a160
Branch was auto-updated.
patel-bhavin Jul 25, 2024
118b523
remove conflicts from pipeline by deleting
patel-bhavin Jul 25, 2024
d99d5e5
Branch was auto-updated.
patel-bhavin Jul 25, 2024
cc5904d
updating contentctl 420
patel-bhavin Jul 25, 2024
2 changes: 1 addition & 1 deletion .github/workflows/build.yml
Expand Up @@ -23,7 +23,7 @@ jobs:

- name: Install Python Dependencies and ContentCTL and Atomic Red Team
run: |
pip install contentctl==4.1.5
pip install contentctl==4.2.0
git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git

- name: Running build with enrichments
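Review bot: the contentctl bump to 4.2.0 is pinned, but the line `git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git` in the same step still pulls whatever master is at build time, so the build stays non-reproducible and its Atomic test corpus can change under a release without any change to this repository; pin to a tag or commit and check it out explicitly, and consider installing contentctl from a lock file with `pip install --require-hashes` so the dependency is integrity-checked rather than version-pinned only.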
2 changes: 1 addition & 1 deletion .github/workflows/unit-testing.yml
Expand Up @@ -24,7 +24,7 @@ jobs:
- name: Install Python Dependencies and ContentCTL
run: |
python -m pip install --upgrade pip
pip install contentctl==4.1.5
pip install contentctl==4.2.0

# Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
# Make sure we check out the PR, even if it actually lives in a fork
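Review bot: this is the second place the `contentctl==4.2.0` pin is hand-edited in this PR (build.yml carries the same one-line change), and the last commit "updating contentctl 420" shows how easily the two copies drift; move the version into one shared requirements file or a workflow-level variable so the build and unit-testing workflows cannot validate content against different contentctl releases. `python -m pip install --upgrade pip` on the line above is likewise unpinned, which is harmless for behaviour but is one more unversioned input to the CI run.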
38 changes: 0 additions & 38 deletions data_sources/application/PingID.yml

This file was deleted.

34 changes: 0 additions & 34 deletions data_sources/application/Splunk.yml

This file was deleted.
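Review bot: data_sources/application/PingID.yml and data_sources/application/Splunk.yml appear as outright deletions with no renamed counterpart in this view, although the commit log says data source and event source files were renamed; confirm that replacements exist under the flattened data_sources/ layout and that every detection whose data_source list referenced these two objects was updated, otherwise contentctl validation will fail on the dangling references.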

98 changes: 98 additions & 0 deletions data_sources/aws_cloudfront.yml
@@ -0,0 +1,98 @@
name: AWS Cloudfront
id: 780086dc-2384-45b6-ade7-56cb00105464
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for AWS Cloudfront
source: aws
sourcetype: aws:cloudfront:accesslogs
supported_TA:
- name: Splunk Add-on for Amazon Web Services (AWS)
url: https://splunkbase.splunk.com/app/1876
version: 7.4.1
fields:
- _time
- action
- app
- bytes
- bytes_in
- bytes_out
- c_ip
- c_port
- cached
- category
- client_ip
- cs_bytes
- cs_cookie
- cs_host
- cs_method
- cs_protocol
- cs_protocol_version
- cs_referer
- cs_uri_query
- cs_uri_stem
- cs_user_agent
- date
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- duration
- edge_location_name
- eventtype
- fle_encrypted_fields
- fle_status
- host
- http_content_type
- http_method
- http_user_agent
- http_user_agent_length
- index
- linecount
- punct
- response_time
- sc_bytes
- sc_content_len
- sc_content_type
- sc_range_end
- sc_range_start
- sc_status
- source
- sourcetype
- splunk_server
- src
- src_ip
- src_port
- ssl_cipher
- ssl_protocol
- status
- tag
- tag::eventtype
- time
- time_taken
- time_to_first_byte
- timeendpos
- timestartpos
- uri_path
- url
- url_domain
- url_length
- vendor_product
- x_edge_detail_result_type
- x_edge_location
- x_edge_request_id
- x_edge_response_result_type
- x_edge_result_type
- x_forwarded_for
- x_host_header
example_log: "2023-11-07\t16:58:21\tIAD55-P5\t921\t44.192.78.55\tGET\td3u5aue66f5ui4.cloudfront.net\t\
/plugins/servlet/com.jsos.shell/ShellServlet\t200\t-\tSlackbot-LinkExpanding%201.0%20(+https://api.slack.com/robots)\t\
-\t-\tLambdaGeneratedResponse\tsGwvFCkFU4qlMxatCoJRgW87P7Ee8bKQor3U6lRt6I6jaFvLC7vcPA==\t\
confluence.catjamfest.com\thttps\t232\t0.276\t-\tTLSv1.3\tTLS_AES_128_GCM_SHA256\t\
LambdaGeneratedResponse\tHTTP/1.1\t-\t-\t57232\t0.276\tLambdaGeneratedResponse\t\
text/html\t527\t-\t-"
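Review bot: the `fields` list mixes the fields the TA actually extracts (`cs_method`, `sc_status`, `x_edge_result_type` and so on) with Splunk-internal and index-time metadata (`punct`, `linecount`, `splunk_server`, `index`, `timeendpos`, `timestartpos`, the `date_*` family) that exists for every sourcetype; pruning those keeps the object useful as a schema for detections rather than a dump of `fieldsummary`. The `example_log` also carries what look like real identifiers: a live CloudFront distribution hostname, the origin `confluence.catjamfest.com`, a client IP and an edge request id. Unless these are known test assets, replace them with documented placeholder values (an example.com host and a TEST-NET address) before the file ships in a public content pack.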
14 changes: 14 additions & 0 deletions data_sources/aws_cloudtrail.yml
@@ -0,0 +1,14 @@
name: AWS CloudTrail
id: e8ace6db-1dbd-4c72-a1fb-334684619a38
version: 1
date: '2024-07-24'
author: Patrick Bareiss, Splunk
description: Data source object for AWS CloudTrail
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
supported_TA:
- name: Splunk Add-on for Amazon Web Services (AWS)
url: https://splunkbase.splunk.com/app/1876
version: 7.4.1

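Review bot: unlike the other new objects this one defines `separator: eventName` but no `fields` and no `example_log`; if contentctl 4.2.0 treats those keys as optional it works as an umbrella object for the per-eventName children, but that intent should be stated in `description` (currently the generic "Data source object for AWS CloudTrail") so a reader does not expect a field schema here, and if the keys are required validation will fail on this file.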
126 changes: 126 additions & 0 deletions data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -0,0 +1,126 @@
name: AWS CloudTrail AssumeRoleWithSAML
id: 1e28f2a6-2db9-405f-b298-18734a293f77
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for AWS CloudTrail AssumeRoleWithSAML
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
supported_TA:
- name: Splunk Add-on for Amazon Web Services (AWS)
url: https://splunkbase.splunk.com/app/1876
version: 7.4.1
fields:
- _time
- action
- app
- awsRegion
- change_type
- command
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
- errorCode
- eventCategory
- eventID
- eventName
- eventSource
- eventTime
- eventType
- eventVersion
- eventtype
- host
- index
- linecount
- managementEvent
- msg
- object_category
- product
- punct
- readOnly
- recipientAccountId
- region
- requestID
- requestParameters.durationSeconds
- requestParameters.principalArn
- requestParameters.roleArn
- requestParameters.roleSessionName
- requestParameters.sAMLAssertionID
- resources{}.ARN
- resources{}.accountId
- resources{}.type
- responseElements.assumedRoleUser.arn
- responseElements.assumedRoleUser.assumedRoleId
- responseElements.audience
- responseElements.credentials.accessKeyId
- responseElements.credentials.expiration
- responseElements.credentials.sessionToken
- responseElements.issuer
- responseElements.nameQualifier
- responseElements.subject
- responseElements.subjectType
- signature
- source
- sourceIPAddress
- sourcetype
- splunk_server
- src
- src_ip
- src_user
- src_user_id
- src_user_type
- start_time
- status
- tag
- tag::action
- tag::eventtype
- temp_access_key
- timeendpos
- timestartpos
- user
- userAgent
- userIdentity.identityProvider
- userIdentity.principalId
- userIdentity.type
- userIdentity.userName
- user_agent
- user_arn
- user_id
- user_name
- user_role
- user_type
- vendor
- vendor_account
- vendor_product
- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "principalId":
"ZRu9MRAjiG9tvi1QBNfdI664G5A=:[email protected]", "userName": "[email protected]",
"identityProvider": "ZRu9MRAjiG9tvi1QBNfdI664G5A="}, "eventTime": "2021-01-22T03:44:16Z",
"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML", "awsRegion":
"us-east-1", "sourceIPAddress": "72.21.217.152", "userAgent": "AWS Signin, aws-internal/3
aws-sdk-java/1.11.898 Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.275-b01
java/1.8.0_275 kotlin/1.3.72 vendor/Oracle_Corporation", "requestParameters": {"sAMLAssertionID":
"_d33ba0ad-0c88-4b83-80a6-27c08027d000", "roleSessionName": "[email protected]",
"durationSeconds": 3600, "roleArn": "arn:aws:iam::111111111111:role/rodonmicrotestrole",
"principalArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}, "responseElements":
{"subjectType": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "issuer":
"https://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/", "credentials":
{"accessKeyId": "ASIAYTOGP2RLKJXOV7VR", "expiration": "Jan 22, 2021 3:59:16 AM",
"sessionToken": "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"},
"nameQualifier": "ZRu9MRAjiG9tvi1QBNfdI664G5A=", "assumedRoleUser": {"assumedRoleId":
"AROAYTOGP2RLKFUVAQAIJ:[email protected]", "arn": "arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/[email protected]"},
"subject": "[email protected]", "audience": "https://signin.aws.amazon.com/saml"},
"requestID": "e19c7a7f-cd96-4642-9ee6-2360a7b01b12", "eventID": "b25b825d-9c9b-49d3-9ecd-290dbe8f2c29",
"readOnly": true, "resources": [{"accountId": "111111111111", "type": "AWS::IAM::Role",
"ARN": "arn:aws:iam::111111111111:role/rodonmicrotestrole"}, {"accountId": "111111111111",
"type": "AWS::IAM::SAMLProvider", "ARN": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}],
"eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
"recipientAccountId": "111111111111"}'
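Review bot: the `example_log` embeds a complete STS response, including `accessKeyId` "ASIAYTOGP2RLKJXOV7VR", a `sessionToken`, the identity-provider tenant id in the `issuer` URL and the assumed-role principal ids; temporary credentials expire, but committing them to a public repository still trips secret scanners, discloses the tenant and role layout, and sets a precedent for pasting unredacted events into data source objects. Replace the credential values with obvious placeholders and scrub the tenant id and principal ids; the object needs the field names (which `fields` already lists), not the values.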