Commit 9c183fa

ljstella, pyth0n1c, nasbench authored
Update Analytics to Support ATT&CK v19 (#4036)
---------

Co-authored-by: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
1 parent 917fe77 commit 9c183fa

192 files changed

Lines changed: 1362 additions & 1226 deletions

.github/workflows/appinspect.yml

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -22,7 +22,7 @@ jobs:
2222
echo "- Contentctl version - $(cat requirements.txt)"
2323
pip install -r requirements.txt
2424
git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
25-
git clone --depth=1 --single-branch --branch="ATT&CK-v18.1" https://github.com/mitre/cti external_repos/cti
25+
git clone --depth=1 --single-branch --branch="master" https://github.com/mitre-attack/attack-stix-data external_repos/cti
2626
2727
- name: Running appinspect with enrichments
2828
env:
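Review bot: `--branch="master"` on the new `mitre-attack/attack-stix-data` clone replaces a pinned ATT&CK release (`ATT&CK-v18.1`) with a floating reference, so every appinspect run will pick up whatever STIX data is current that day, and the job can change behaviour or start failing without any change in this repository. Pin to a release tag if the upstream repository publishes one for the v19 data, or to a commit SHA, and print the pinned version next to the `Contentctl version` echo on line 22 so the run log records it. Note also that the checkout still lands in `external_repos/cti`: the directory name no longer matches its contents, so confirm that the contentctl release in requirements.txt reads the attack-stix-data layout from that path.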

.github/workflows/build.yml

Lines changed: 1 addition & 1 deletion
@@ -22,7 +22,7 @@ jobs:
2222
echo "- Contentctl version - $(cat requirements.txt)"
2323
pip install -r requirements.txt
2424
git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
25-
git clone --depth=1 --single-branch --branch="ATT&CK-v18.1" https://github.com/mitre/cti external_repos/cti
25+
git clone --depth=1 --single-branch --branch="master" https://github.com/mitre-attack/attack-stix-data external_repos/cti
2626
2727
- name: Running build with enrichments
2828
run: |
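Review bot: this is a byte-for-byte copy of the appinspect.yml change; both workflows were previously pinned to `ATT&CK-v18.1` and both now float on `master`, so the same pinning concern applies here. Because the two clone steps have to be kept in lockstep by hand, consider moving the enrichment checkout into a shared script or composite action so a future ATT&CK bump cannot update one workflow and miss the other.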

app_template/lookups/mitre_enrichment.csv

Lines changed: 673 additions & 632 deletions
Large diffs are not rendered by default.
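Review bot: the enrichment lookup is regenerated (673 additions, 632 deletions) but the diff is not rendered and the commit message does not say how it was produced. Record the generating command and the exact ATT&CK data version in the commit message, and check that the regenerated CSV contains rows for the IDs the detections below now reference (`T1685`, `T1685.001`, `T1690`); otherwise the lookup will not enrich those analytics.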

detections/application/cisco_asa___core_syslog_message_volume_drop.yml

Lines changed: 3 additions & 3 deletions
@@ -1,7 +1,7 @@
11
name: Cisco ASA - Core Syslog Message Volume Drop
22
id: 4b4f8fdd-1f9e-45d8-9b0f-1f64c0b297a4
3-
version: 3
4-
date: '2025-10-13'
3+
version: 4
4+
date: '2026-05-04'
55
author: Bhavin Patel, Micheal Haag, Splunk
66
status: production
77
type: Hunting
@@ -47,7 +47,7 @@ tags:
4747
- ArcaneDoor
4848
asset_type: Network
4949
mitre_attack_id:
50-
- T1562
50+
- T1685
5151
product:
5252
- Splunk Enterprise
5353
- Splunk Enterprise Security
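Review bot: the remap `T1562` to `T1685` should be verified against the v19 STIX data rather than applied by pattern: confirm that `T1562` is marked revoked or deprecated there with `T1685` as its stated replacement, and that the new technique's description still matches what this analytic detects (a drop in syslog volume from a security appliance). Only lines 1-7 and 47-53 change in this file, so the description text is untouched; if `T1685` is a new v19 technique rather than a rename of `T1562`, that text may need to reference the new technique name.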

detections/application/cisco_asa___logging_disabled_via_cli.yml

Lines changed: 3 additions & 3 deletions
@@ -1,7 +1,7 @@
11
name: Cisco ASA - Logging Disabled via CLI
22
id: 7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201
3-
version: 6
4-
date: '2026-04-15'
3+
version: 7
4+
date: '2026-05-04'
55
author: Bhavin Patel, Micheal Haag, Nasreddine Bencherchali, Splunk
66
status: production
77
type: TTP
@@ -72,7 +72,7 @@ tags:
7272
- Suspicious Cisco Adaptive Security Appliance Activity
7373
asset_type: Network
7474
mitre_attack_id:
75-
- T1562
75+
- T1685
7676
product:
7777
- Splunk Enterprise
7878
- Splunk Enterprise Security

detections/application/cisco_asa___logging_filters_configuration_tampering.yml

Lines changed: 3 additions & 3 deletions
@@ -1,7 +1,7 @@
11
name: Cisco ASA - Logging Filters Configuration Tampering
22
id: b87b48a8-6d1a-4280-9cf1-16a950dbf901
3-
version: 4
4-
date: '2026-04-15'
3+
version: 5
4+
date: '2026-05-04'
55
author: Nasreddine Bencherchali, Splunk
66
status: production
77
type: Anomaly
@@ -83,7 +83,7 @@ tags:
8383
- Suspicious Cisco Adaptive Security Appliance Activity
8484
asset_type: Network
8585
mitre_attack_id:
86-
- T1562
86+
- T1685
8787
product:
8888
- Splunk Enterprise
8989
- Splunk Enterprise Security

detections/application/cisco_asa___logging_message_suppression.yml

Lines changed: 3 additions & 3 deletions
@@ -1,7 +1,7 @@
11
name: Cisco ASA - Logging Message Suppression
22
id: 4e6c9d2a-8f3b-4c7e-9a5f-2d8b6e1c4a9f
3-
version: 4
4-
date: '2026-04-15'
3+
version: 5
4+
date: '2026-05-04'
55
author: Nasreddine Bencherchali, Splunk
66
status: production
77
type: Anomaly
@@ -69,7 +69,7 @@ tags:
6969
- ArcaneDoor
7070
asset_type: Network
7171
mitre_attack_id:
72-
- T1562.002
72+
- T1685.001
7373
- T1070
7474
product:
7575
- Splunk Enterprise
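Review bot: this hunk maps a sub-technique to a sub-technique (`T1562.002` to `T1685.001`), so confirm from the v19 data that `T1685.001` is the sub-technique corresponding to the former `T1562.002` and not simply the first child of `T1685`. The adjacent `T1070` on line 73 is kept as-is; check it is still a current ID in v19 so the file does not end up with one updated and one stale mapping.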

detections/application/esxi_audit_tampering.yml

Lines changed: 3 additions & 3 deletions
@@ -1,7 +1,7 @@
11
name: ESXi Audit Tampering
22
id: c48a155b-2861-417a-813c-220f5272cf01
3-
version: 3
4-
date: '2026-04-15'
3+
version: 4
4+
date: '2026-05-04'
55
author: Raven Tait, Splunk
66
status: production
77
type: TTP
@@ -35,7 +35,7 @@ tags:
3535
- Black Basta Ransomware
3636
asset_type: Infrastructure
3737
mitre_attack_id:
38-
- T1562.003
38+
- T1690
3939
- T1070
4040
product:
4141
- Splunk Enterprise
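Review bot: `T1562.003` becomes the top-level `T1690` here rather than a sub-technique under `T1685` as in the other hunks of this commit. Verify that `T1690` is what v19 names as the replacement for `T1562.003` and not a neighbouring technique; a wrong top-level ID will pass validation as long as the ID exists in the STIX data, so this is only caught by reading the technique entry.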

detections/application/esxi_download_errors.yml

Lines changed: 3 additions & 3 deletions
@@ -1,7 +1,7 @@
11
name: ESXi Download Errors
22
id: 515cccd0-c4d8-4427-92d9-8a8f8b5a71dc
3-
version: 3
4-
date: '2026-04-15'
3+
version: 4
4+
date: '2026-05-04'
55
author: Raven Tait, Splunk
66
status: production
77
type: Anomaly
@@ -34,7 +34,7 @@ tags:
3434
asset_type: Infrastructure
3535
mitre_attack_id:
3636
- T1601.001
37-
- T1562.001
37+
- T1685
3838
product:
3939
- Splunk Enterprise
4040
- Splunk Enterprise Security
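Review bot: `T1562.001` to `T1685` loses sub-technique granularity: the analytic was mapped to a specific sub-technique and is now mapped to the parent. If v19 carries a sub-technique under `T1685` for the same behaviour, map to it so technique coverage reporting keeps the same resolution; if it deliberately does not, say so in the commit message so the next reviewer does not ask the same question. `T1601.001` on line 36 is untouched, which is fine provided that ID is still current in v19.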

detections/application/esxi_encryption_settings_modified.yml

Lines changed: 3 additions & 3 deletions
@@ -1,7 +1,7 @@
11
name: ESXi Encryption Settings Modified
22
id: dbbbe26f-83fe-4ee3-8b77-ccf7fbd416c8
3-
version: 3
4-
date: '2026-04-15'
3+
version: 4
4+
date: '2026-05-04'
55
author: Raven Tait, Splunk
66
status: production
77
type: TTP
@@ -33,7 +33,7 @@ tags:
3333
- Black Basta Ransomware
3434
asset_type: Infrastructure
3535
mitre_attack_id:
36-
- T1562
36+
- T1685
3737
product:
3838
- Splunk Enterprise
3939
- Splunk Enterprise Security
