From 12aedfeeceba4a5b4f219b1a898e141103cf73c9 Mon Sep 17 00:00:00 2001 From: patel-bhavin <7771446+patel-bhavin@users.noreply.github.com> Date: Thu, 8 May 2025 06:58:10 +0000 Subject: [PATCH] Updated TAs --- contentctl.yml | 12 +++---- data_sources/bro_conn.yml | 2 +- data_sources/bro_dns.yml | 3 +- data_sources/bro_files.yml | 2 +- data_sources/bro_http.yml | 2 +- data_sources/bro_loaded_scripts.yml | 2 +- data_sources/bro_ntp.yml | 2 +- data_sources/bro_ocsp.yml | 2 +- data_sources/bro_ssl.yml | 2 +- data_sources/bro_weird.yml | 2 +- data_sources/bro_x509.yml | 2 +- data_sources/cisco_ai_defense_alerts.yml | 2 +- ...rewall_threat_defense_connection_event.yml | 21 ++++++++++-- ...ure_firewall_threat_defense_file_event.yml | 16 +++++++-- ...irewall_threat_defense_intrusion_event.yml | 34 +++++++++++++++++-- .../ms365_defender_incident_alerts.yml | 2 +- data_sources/ms_defender_atp_alerts.yml | 2 +- data_sources/zeek_conn.yml | 6 ++-- 18 files changed, 84 insertions(+), 32 deletions(-) diff --git a/contentctl.yml b/contentctl.yml index b1cd870f86..f7279408a2 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -44,9 +44,9 @@ apps: - uid: 7404 title: Cisco Security Cloud appid: CiscoSecurityCloud - version: 3.1.1 + version: 3.2.0 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_311.tgz + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_320.tgz - uid: 6652 title: Add-on for Linux Sysmon appid: Splunk_TA_linux_sysmon @@ -101,9 +101,9 @@ apps: - uid: 5466 title: TA for Zeek appid: SPLUNK_TA_FOR_ZEEK - version: 1.0.8 + version: 1.0.9 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-zeek_108.tgz + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-zeek_109.tgz - uid: 3258 title: Splunk Add-on for NGINX appid: SPLUNK_ADD_ON_FOR_NGINX 
@@ -185,9 +185,9 @@ apps: - uid: 6207 title: Splunk Add-on for Microsoft Security appid: Splunk_TA_MS_Security - version: 2.4.1 + version: 2.5.0 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_241.tgz + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_250.tgz - uid: 2734 title: URL Toolbox appid: URL_TOOLBOX diff --git a/data_sources/bro_conn.yml b/data_sources/bro_conn.yml index 2344d857d7..dffc9880a1 100644 --- a/data_sources/bro_conn.yml +++ b/data_sources/bro_conn.yml @@ -15,4 +15,4 @@ sourcetype: bro:conn:json supported_TA: - name: TA for Zeek url: https://splunkbase.splunk.com/app/5466 - version: 1.0.8 + version: 1.0.9 diff --git a/data_sources/bro_dns.yml b/data_sources/bro_dns.yml index a87a59819a..495141e63e 100644 --- a/data_sources/bro_dns.yml +++ b/data_sources/bro_dns.yml @@ -16,5 +16,4 @@ sourcetype: bro:dns:json supported_TA: - name: TA for Zeek url: https://splunkbase.splunk.com/app/5466 - version: 1.0.8 - + version: 1.0.9 diff --git a/data_sources/bro_files.yml b/data_sources/bro_files.yml index 6185e27c8f..9ad5557db2 100644 --- a/data_sources/bro_files.yml +++ b/data_sources/bro_files.yml @@ -17,4 +17,4 @@ sourcetype: bro:files:json supported_TA: - name: TA for Zeek url: https://splunkbase.splunk.com/app/5466 - version: 1.0.8 + version: 1.0.9 diff --git a/data_sources/bro_http.yml b/data_sources/bro_http.yml index 02c2647022..043c5d5f99 100644 --- a/data_sources/bro_http.yml +++ b/data_sources/bro_http.yml @@ -16,4 +16,4 @@ sourcetype: bro:http:json supported_TA: - name: TA for Zeek url: https://splunkbase.splunk.com/app/5466 - version: 1.0.8 + version: 1.0.9 diff --git a/data_sources/bro_loaded_scripts.yml b/data_sources/bro_loaded_scripts.yml index 016c7beb38..ccd744f159 100644 --- a/data_sources/bro_loaded_scripts.yml +++ b/data_sources/bro_loaded_scripts.yml 
@@ -15,4 +15,4 @@ sourcetype: bro:loaded_scripts:json supported_TA: - name: TA for Zeek url: https://splunkbase.splunk.com/app/5466 - version: 1.0.8 + version: 1.0.9 diff --git a/data_sources/bro_ntp.yml b/data_sources/bro_ntp.yml index f76e65c2ae..7b12a4f2a8 100644 --- a/data_sources/bro_ntp.yml +++ b/data_sources/bro_ntp.yml @@ -15,4 +15,4 @@ sourcetype: bro:ntp:json supported_TA: - name: TA for Zeek url: https://splunkbase.splunk.com/app/5466 - version: 1.0.8 + version: 1.0.9 diff --git a/data_sources/bro_ocsp.yml b/data_sources/bro_ocsp.yml index fc3bd136a9..c94d1f7cbb 100644 --- a/data_sources/bro_ocsp.yml +++ b/data_sources/bro_ocsp.yml @@ -16,4 +16,4 @@ sourcetype: bro:ocsp:json supported_TA: - name: TA for Zeek url: https://splunkbase.splunk.com/app/5466 - version: 1.0.8 + version: 1.0.9 diff --git a/data_sources/bro_ssl.yml b/data_sources/bro_ssl.yml index 42a8a59910..ce00c1c7dd 100644 --- a/data_sources/bro_ssl.yml +++ b/data_sources/bro_ssl.yml @@ -16,4 +16,4 @@ sourcetype: bro:ssl:json supported_TA: - name: TA for Zeek url: https://splunkbase.splunk.com/app/5466 - version: 1.0.8 + version: 1.0.9 diff --git a/data_sources/bro_weird.yml b/data_sources/bro_weird.yml index fe5a01ce05..0288c287bb 100644 --- a/data_sources/bro_weird.yml +++ b/data_sources/bro_weird.yml @@ -16,4 +16,4 @@ sourcetype: bro:weird:json supported_TA: - name: TA for Zeek url: https://splunkbase.splunk.com/app/5466 - version: 1.0.8 + version: 1.0.9 diff --git a/data_sources/bro_x509.yml b/data_sources/bro_x509.yml index a5d7370c9e..13766ec4bd 100644 --- a/data_sources/bro_x509.yml +++ b/data_sources/bro_x509.yml @@ -16,4 +16,4 @@ sourcetype: bro:x509:json supported_TA: - name: TA for Zeek url: https://splunkbase.splunk.com/app/5466 - version: 1.0.8 + version: 1.0.9 diff --git a/data_sources/cisco_ai_defense_alerts.yml b/data_sources/cisco_ai_defense_alerts.yml index 22fd25cf51..ab8ebf0a64 100644 --- a/data_sources/cisco_ai_defense_alerts.yml 
+++ b/data_sources/cisco_ai_defense_alerts.yml @@ -10,5 +10,5 @@ separator: null supported_TA: - name: Cisco Security Cloud url: https://splunkbase.splunk.com/app/7404 - version: 3.1.1 + version: 3.2.0 fields: null diff --git a/data_sources/cisco_secure_firewall_threat_defense_connection_event.yml b/data_sources/cisco_secure_firewall_threat_defense_connection_event.yml index 1ca5d5e0be..33770f4364 100644 --- a/data_sources/cisco_secure_firewall_threat_defense_connection_event.yml +++ b/data_sources/cisco_secure_firewall_threat_defense_connection_event.yml @@ -3,13 +3,14 @@ id: 18878597-8f8a-4bca-a805-bfbe35e00032 version: 1 date: '2025-04-01' author: Nasreddine Bencherchali, Splunk -description: Data source object for raw connection events from Cisco Secure Firewall Threat Defense +description: Data source object for raw connection events from Cisco Secure Firewall + Threat Defense source: not_applicable sourcetype: cisco:sfw:estreamer supported_TA: - name: Cisco Security Cloud url: https://splunkbase.splunk.com/app/7404 - version: 3.1.1 + version: 3.2.0 fields: - AC_RuleAction - action 
@@ -115,4 +116,18 @@ output_fields: - rule - url - action -example_log: '{"EventType":"ConnectionEvent", "FirstPacketSecond":1743500734, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "ConnectionID":259, "AC_RuleAction":"Block", "InitiatorIP":"172.16.3.110", "ResponderIP":"142.250.191.196", "InitiatorPort":62296, "ResponderPort":443, "Protocol":"tcp", "IngressInterface":"inside", "EgressInterface":"outside", "IngressZone":"inside", "EgressZone":"outside", "IngressVRF":"Global", "EgressVRF":"Global", "FirewallPolicy":"default", "FirewallRule":"NasBlock", "PrefilterPolicy":"Default Prefilter Policy", "ClientApplication":"Firefox", "Application":"HTTPS", "WebApplication":"Google", "InitiatorPackets":3, "ResponderPackets":1, "InitiatorBytes":840, "ResponderBytes":66, "NAP_Policy":"Balanced Security and Connectivity", "SSL_Policy":"None", "SSL_FlowStatus":"Success", "SSL_CipherSuite":"Unknown", "SSL_CertFingerprint":"2fcc05c514c4cda4260531f967407cd33974340c", "SSL_Version":"Unknown", "SSL_ServerCertStatus":"Not Checked", "SSL_ActualAction":"Do Not Decrypt", "SSL_ExpectedAction":"Do Not Decrypt", "URL":"https://www.google.com", "NAT_InitiatorPort":62296, "NAT_ResponderPort":443, "NAT_InitiatorIP":"172.16.2.10", "NAT_ResponderIP":"142.250.191.196", "EVE_Fingerprint":"tls/1/(0303)(130113031302c02bc02fcca9cca8c02cc030c00ac009c013c014009c009d002f0035)[(0000)(000500050100000000)(000a000e000c001d00170018001901000101)(000b00020100)(000d0018001604030503060308040805080604010501060102030201)(0010000e000c02683208687474702f312e31)(0012)(0017)(001c00024001)(0022)(0023)(002b00050403040303)(002d00020101)(0033)(fe0d)(ff01)]", "EVE_Process":"firefox browser", "EVE_ProcessConfidencePct":100, "EVE_ThreatConfidencePct":0, "EVE_ThreatConfidenceIndex":1, "ClientAppDetector":"Encrypted Visibility"}' +example_log: '{"EventType":"ConnectionEvent", "FirstPacketSecond":1743500734, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", + "InstanceID":1, "ConnectionID":259, 
"AC_RuleAction":"Block", "InitiatorIP":"172.16.3.110", + "ResponderIP":"142.250.191.196", "InitiatorPort":62296, "ResponderPort":443, "Protocol":"tcp", + "IngressInterface":"inside", "EgressInterface":"outside", "IngressZone":"inside", + "EgressZone":"outside", "IngressVRF":"Global", "EgressVRF":"Global", "FirewallPolicy":"default", + "FirewallRule":"NasBlock", "PrefilterPolicy":"Default Prefilter Policy", "ClientApplication":"Firefox", + "Application":"HTTPS", "WebApplication":"Google", "InitiatorPackets":3, "ResponderPackets":1, + "InitiatorBytes":840, "ResponderBytes":66, "NAP_Policy":"Balanced Security and Connectivity", + "SSL_Policy":"None", "SSL_FlowStatus":"Success", "SSL_CipherSuite":"Unknown", "SSL_CertFingerprint":"2fcc05c514c4cda4260531f967407cd33974340c", + "SSL_Version":"Unknown", "SSL_ServerCertStatus":"Not Checked", "SSL_ActualAction":"Do + Not Decrypt", "SSL_ExpectedAction":"Do Not Decrypt", "URL":"https://www.google.com", + "NAT_InitiatorPort":62296, "NAT_ResponderPort":443, "NAT_InitiatorIP":"172.16.2.10", + "NAT_ResponderIP":"142.250.191.196", "EVE_Fingerprint":"tls/1/(0303)(130113031302c02bc02fcca9cca8c02cc030c00ac009c013c014009c009d002f0035)[(0000)(000500050100000000)(000a000e000c001d00170018001901000101)(000b00020100)(000d0018001604030503060308040805080604010501060102030201)(0010000e000c02683208687474702f312e31)(0012)(0017)(001c00024001)(0022)(0023)(002b00050403040303)(002d00020101)(0033)(fe0d)(ff01)]", + "EVE_Process":"firefox browser", "EVE_ProcessConfidencePct":100, "EVE_ThreatConfidencePct":0, + "EVE_ThreatConfidenceIndex":1, "ClientAppDetector":"Encrypted Visibility"}' diff --git a/data_sources/cisco_secure_firewall_threat_defense_file_event.yml b/data_sources/cisco_secure_firewall_threat_defense_file_event.yml index 96c82b6632..45fcaa6360 100644 --- a/data_sources/cisco_secure_firewall_threat_defense_file_event.yml +++ b/data_sources/cisco_secure_firewall_threat_defense_file_event.yml 
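Review bot: The rewrapped `example_log` is broken mid-value by the dumper — `"SSL_ActualAction":"Do` continues on the next line as `Not Decrypt"` — and the same happens in the file-event hunk (`"Web` / `Browsing"`, `"File` / `Size Is Too Small"`) and the intrusion-event hunk (`"FILE-EXECUTABLE` / `download of executable content"`, `"Permit` / `Outbound"`). The sample survives only because a single-quoted flow scalar folds each line break into exactly one space; a later edit that turns the key into a `|` block scalar or leaves a blank line inside the value would silently alter the sample's contents. If the wrapping is to stay, a comment above each key such as `# single-quoted flow scalar: line breaks fold to one space; do not convert to a block scalar` would protect it. Otherwise a `|-` block with one JSON member per line keeps both the JSON and future diffs readable.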
@@ -3,13 +3,14 @@ id: 19878597-8f8a-4bca-a805-bfbe35e00032 version: 1 date: '2025-04-07' author: Nasreddine Bencherchali, Splunk -description: Data source object for raw file events from Cisco Secure Firewall Threat Defense +description: Data source object for raw file events from Cisco Secure Firewall Threat + Defense source: not_applicable sourcetype: cisco:sfw:estreamer supported_TA: - name: Cisco Security Cloud url: https://splunkbase.splunk.com/app/7404 - version: 3.1.1 + version: 3.2.0 fields: - app - Application 
@@ -90,4 +91,13 @@ output_fields: - FileType - file_hash - SHA_Disposition -example_log: '{"EventType":"FileEvent", "EventSecond":1741199882, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "FirstPacketSecond":1741199881, "ConnectionID":10092, "InitiatorIP":"172.16.3.158", "ResponderIP":"85.215.35.144", "InitiatorPort":55988, "ResponderPort":80, "Protocol":"tcp", "FileDirection":"Download", "FileAction":"Malware Cloud Lookup", "FileSHA256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "SHA_Disposition":"Malware", "SperoDisposition":"Spero detection not performed on file", "ThreatName":"EICAR", "ThreatScore":76, "FileName":"csm-eicar.gif", "FileType":"EICAR", "FileSize":68, "Application":"HTTP", "ClientApplication":"Wget", "WebApplication":"Web Browsing", "FilePolicy":"Test", "FileStorageStatus":"File Size Is Too Small", "FileSandboxStatus":"File Size Is Too Small", "URI":"/csm-eicar.gif", "IngressVRF":"Global", "EgressVRF":"Global", "Device":"172.16.0.10", "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D"}' +example_log: '{"EventType":"FileEvent", "EventSecond":1741199882, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", + "InstanceID":1, "FirstPacketSecond":1741199881, "ConnectionID":10092, "InitiatorIP":"172.16.3.158", + "ResponderIP":"85.215.35.144", "InitiatorPort":55988, "ResponderPort":80, "Protocol":"tcp", + "FileDirection":"Download", "FileAction":"Malware Cloud Lookup", "FileSHA256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", + "SHA_Disposition":"Malware", "SperoDisposition":"Spero detection not performed on + file", "ThreatName":"EICAR", "ThreatScore":76, "FileName":"csm-eicar.gif", "FileType":"EICAR", + "FileSize":68, "Application":"HTTP", "ClientApplication":"Wget", "WebApplication":"Web + Browsing", "FilePolicy":"Test", "FileStorageStatus":"File Size Is Too Small", "FileSandboxStatus":"File + Size Is Too Small", "URI":"/csm-eicar.gif", "IngressVRF":"Global", 
"EgressVRF":"Global", + "Device":"172.16.0.10", "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D"}' diff --git a/data_sources/cisco_secure_firewall_threat_defense_intrusion_event.yml b/data_sources/cisco_secure_firewall_threat_defense_intrusion_event.yml index 527ade244c..03920b29d6 100644 --- a/data_sources/cisco_secure_firewall_threat_defense_intrusion_event.yml +++ b/data_sources/cisco_secure_firewall_threat_defense_intrusion_event.yml @@ -3,13 +3,14 @@ id: d11b67ec-1cb2-4f6f-a2d8-a099c7e15b29 version: 1 date: '2025-04-16' author: Nasreddine Bencherchali, Splunk -description: Data source object for raw intrusion events from Cisco Secure Firewall Threat Defense +description: Data source object for raw intrusion events from Cisco Secure Firewall + Threat Defense source: not_applicable sourcetype: cisco:sfw:estreamer supported_TA: - name: Cisco Security Cloud url: https://splunkbase.splunk.com/app/7404 - version: 3.1.1 + version: 3.2.0 fields: - Application - Classification 
@@ -156,4 +157,31 @@ output_fields: - rule - transport - app -example_log: '"EventType":"IntrusionEvent", "EventSecond":1744752707, "EventMicrosecond":709756, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "FirstPacketSecond":1744752707, "ConnectionID":27798, "InitiatorIP":"146.75.78.172", "ResponderIP":"172.16.3.110", "InitiatorPort":80, "ResponderPort":2604, "Protocol":"tcp", "IngressInterface":"outside", "EgressInterface":"inside", "IngressZone":"outside", "EgressZone":"inside", "PriorityID":1, "GeneratorID":1, "SignatureID":11192, "SignatureRevision":20, "Impact":5, "IntrusionRuleMessage":"FILE-EXECUTABLE download of executable content", "Classification":"Potential Corporate Policy Violation", "WebApplication":"Microsoft Update", "ClientApplication":"Parallels", "Application":"HTTP", "IntrusionPolicy":"default", "FirewallPolicy":"default", "FirewallRule":"Permit Outbound", "NAP_Policy":"Balanced Security and Connectivity", "InlineResult":"Would block", "InlineResultReason":"Intrusion Policy in \"Detection\" Inspection Mode", "IngressVRF":"Global", "EgressVRF":"Global", "HTTP_Hostname":"au.download.windowsupdate.com", "HTTP_URI":"/d/msdownload/update/software/defu/2025/04/am_delta_patch_1.427.242.0_5ac0bd95663c4357097204f23072019d82f2e8ce.exe", "SnortRuleGroups":"Rule Categories>File>Executable", "MitreAttackGroups":"MITRE>ATT&CK Framework>Enterprise>Execution>User Execution>Malicious File", "ApplicationID":676, "ApplicationProductivityIndex":3, "ApplicationRiskIndex":1, "ClientApplicationID":2802, "ClientApplicationProductivityIndex":4, "ClientApplicationRiskIndex":2, "Device":"172.16.0.10", "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D", "EgressInterfaceUUID":"efbb6160-f60a-11ef-a955-43d7eeccc024", "EgressZoneUUID":"efbcd7ac-f60a-11ef-a955-43d7eeccc024", "EventID":195, "FirewallPolicyUUID":"00000000-0000-0000-0000-000067fece37", "FirewallRuleID":268434433, "Hostname":"ip-172-16-0-50.us-east-2.compute.internal", 
"IngressInterfaceUUID":"ef9a2180-f60a-11ef-a955-43d7eeccc024", "IngressZoneUUID":"ef9c7c64-f60a-11ef-a955-43d7eeccc024", "InitiatorContinent":"North America", "InitiatorContinentCode":"na", "InitiatorCountry":"United States", "InitiatorCountryCode":"usa", "InitiatorCountryID":840, "InlineResultID":5, "InlineResultReasonID":2, "IntrusionPolicyRevUUID":"c1fab45a-f615-11ef-bd70-44d7eeccc024", "IntrusionPolicyUUID":"0210b9f5-95a7-0ed3-0000-004294971142", "NAP_PolicyUUID":"a6738542-f604-11ef-8765-a4eeeeccc024", "ProtocolID":6, "RealmID":0, "RealmName":"Invalid ID", "SensorID":2, "SnortVersionID":3, "UserID":9999997, "WebApplicationHTTP":"Microsoft Update", "WebApplicationID":731, "WebApplicationProductivityIndex":2}' \ No newline at end of file +example_log: '"EventType":"IntrusionEvent", "EventSecond":1744752707, "EventMicrosecond":709756, + "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "FirstPacketSecond":1744752707, + "ConnectionID":27798, "InitiatorIP":"146.75.78.172", "ResponderIP":"172.16.3.110", + "InitiatorPort":80, "ResponderPort":2604, "Protocol":"tcp", "IngressInterface":"outside", + "EgressInterface":"inside", "IngressZone":"outside", "EgressZone":"inside", "PriorityID":1, + "GeneratorID":1, "SignatureID":11192, "SignatureRevision":20, "Impact":5, "IntrusionRuleMessage":"FILE-EXECUTABLE + download of executable content", "Classification":"Potential Corporate Policy Violation", + "WebApplication":"Microsoft Update", "ClientApplication":"Parallels", "Application":"HTTP", + "IntrusionPolicy":"default", "FirewallPolicy":"default", "FirewallRule":"Permit + Outbound", "NAP_Policy":"Balanced Security and Connectivity", "InlineResult":"Would + block", "InlineResultReason":"Intrusion Policy in \"Detection\" Inspection Mode", + "IngressVRF":"Global", "EgressVRF":"Global", "HTTP_Hostname":"au.download.windowsupdate.com", + 
"HTTP_URI":"/d/msdownload/update/software/defu/2025/04/am_delta_patch_1.427.242.0_5ac0bd95663c4357097204f23072019d82f2e8ce.exe", + "SnortRuleGroups":"Rule Categories>File>Executable", "MitreAttackGroups":"MITRE>ATT&CK + Framework>Enterprise>Execution>User Execution>Malicious File", "ApplicationID":676, + "ApplicationProductivityIndex":3, "ApplicationRiskIndex":1, "ClientApplicationID":2802, + "ClientApplicationProductivityIndex":4, "ClientApplicationRiskIndex":2, "Device":"172.16.0.10", + "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D", "EgressInterfaceUUID":"efbb6160-f60a-11ef-a955-43d7eeccc024", + "EgressZoneUUID":"efbcd7ac-f60a-11ef-a955-43d7eeccc024", "EventID":195, "FirewallPolicyUUID":"00000000-0000-0000-0000-000067fece37", + "FirewallRuleID":268434433, "Hostname":"ip-172-16-0-50.us-east-2.compute.internal", + "IngressInterfaceUUID":"ef9a2180-f60a-11ef-a955-43d7eeccc024", "IngressZoneUUID":"ef9c7c64-f60a-11ef-a955-43d7eeccc024", + "InitiatorContinent":"North America", "InitiatorContinentCode":"na", "InitiatorCountry":"United + States", "InitiatorCountryCode":"usa", "InitiatorCountryID":840, "InlineResultID":5, + "InlineResultReasonID":2, "IntrusionPolicyRevUUID":"c1fab45a-f615-11ef-bd70-44d7eeccc024", + "IntrusionPolicyUUID":"0210b9f5-95a7-0ed3-0000-004294971142", "NAP_PolicyUUID":"a6738542-f604-11ef-8765-a4eeeeccc024", + "ProtocolID":6, "RealmID":0, "RealmName":"Invalid ID", "SensorID":2, "SnortVersionID":3, + "UserID":9999997, "WebApplicationHTTP":"Microsoft Update", "WebApplicationID":731, + "WebApplicationProductivityIndex":2}' diff --git a/data_sources/ms365_defender_incident_alerts.yml b/data_sources/ms365_defender_incident_alerts.yml index 4f6665ecbc..81bc243003 100644 --- a/data_sources/ms365_defender_incident_alerts.yml +++ b/data_sources/ms365_defender_incident_alerts.yml 
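Review bot: The rewrapped `example_log` for the intrusion event still opens with `'"EventType":"IntrusionEvent", ...` and closes with `..."WebApplicationProductivityIndex":2}'`, so the value is not a JSON object — the opening `{` is missing, unlike the connection and file event samples in this same patch, which start `'{"EventType":...`. The defect predates the commit (the removed line has the same shape), but since the line is rewritten anyway this is the moment to fix it: `example_log: '{"EventType":"IntrusionEvent", "EventSecond":1744752707, "EventMicrosecond":709756,`. If anything downstream parses `example_log` as JSON to check the declared `fields`, this sample will fail to load; I cannot confirm from the hunk whether it does.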
@@ -16,7 +16,7 @@ sourcetype: ms365:defender:incident:alerts supported_TA: - name: Splunk Add-on for Microsoft Security url: https://splunkbase.splunk.com/app/6207 - version: 2.4.1 + version: 2.5.0 fields: - actorName - alertId diff --git a/data_sources/ms_defender_atp_alerts.yml b/data_sources/ms_defender_atp_alerts.yml index f7429f3de6..1655a48af7 100644 --- a/data_sources/ms_defender_atp_alerts.yml +++ b/data_sources/ms_defender_atp_alerts.yml @@ -16,7 +16,7 @@ sourcetype: ms:defender:atp:alerts supported_TA: - name: Splunk Add-on for Microsoft Security url: https://splunkbase.splunk.com/app/6207 - version: 2.4.1 + version: 2.5.0 fields: - column - accountName diff --git a/data_sources/zeek_conn.yml b/data_sources/zeek_conn.yml index ed5c571b06..1c2bacc077 100644 --- a/data_sources/zeek_conn.yml +++ b/data_sources/zeek_conn.yml @@ -6,10 +6,10 @@ author: Patrick Bareiss, Splunk description: Data source object for Zeek connection logs source: bro:conn:json sourcetype: bro:conn:json -supported_TA: +supported_TA: - name: TA for Zeek url: https://splunkbase.splunk.com/app/5466 - version: 1.0.8 + version: 1.0.9 fields: - action - bytes @@ -45,7 +45,7 @@ fields: - packets - packets_in - packets_out -- product: +- product: null - proto - resp_bytes - resp_ip_bytes
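Review bot: In the second `zeek_conn.yml` hunk, `- product: null` keeps that item as a one-key mapping inside `fields`, while every neighbouring entry (`- packets_out`, `- proto`, `- resp_bytes`) is a plain string; the change only makes the null explicit and leaves the type mismatch in place. The likely intent is the field name itself: `- product`. If `fields` is consumed as a list of strings, the mapping entry will either be rejected or silently skipped, so it is worth checking how the sibling data_source files spell this entry before merging.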