8 changes: 4 additions & 4 deletions contentctl.yml
Expand Up @@ -44,9 +44,9 @@ apps:
- uid: 7404
title: Cisco Security Cloud
appid: CiscoSecurityCloud
version: 3.1.1
version: 3.2.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_311.tgz
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_320.tgz
- uid: 6652
title: Add-on for Linux Sysmon
appid: Splunk_TA_linux_sysmon
Expand Down Expand Up @@ -101,9 +101,9 @@ apps:
- uid: 5466
title: TA for Zeek
appid: SPLUNK_TA_FOR_ZEEK
version: 1.0.8
version: 1.0.9
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-zeek_108.tgz
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-zeek_109.tgz
- uid: 3258
title: Splunk Add-on for NGINX
appid: SPLUNK_ADD_ON_FOR_NGINX
2 changes: 1 addition & 1 deletion data_sources/bro_conn.yml
Expand Up @@ -15,4 +15,4 @@ sourcetype: bro:conn:json
supported_TA:
- name: TA for Zeek
url: https://splunkbase.splunk.com/app/5466
version: 1.0.8
version: 1.0.9
3 changes: 1 addition & 2 deletions data_sources/bro_dns.yml
Expand Up @@ -16,5 +16,4 @@ sourcetype: bro:dns:json
supported_TA:
- name: TA for Zeek
url: https://splunkbase.splunk.com/app/5466
version: 1.0.8

version: 1.0.9
2 changes: 1 addition & 1 deletion data_sources/bro_files.yml
Expand Up @@ -17,4 +17,4 @@ sourcetype: bro:files:json
supported_TA:
- name: TA for Zeek
url: https://splunkbase.splunk.com/app/5466
version: 1.0.8
version: 1.0.9
2 changes: 1 addition & 1 deletion data_sources/bro_http.yml
Expand Up @@ -16,4 +16,4 @@ sourcetype: bro:http:json
supported_TA:
- name: TA for Zeek
url: https://splunkbase.splunk.com/app/5466
version: 1.0.8
version: 1.0.9
2 changes: 1 addition & 1 deletion data_sources/bro_loaded_scripts.yml
Expand Up @@ -15,4 +15,4 @@ sourcetype: bro:loaded_scripts:json
supported_TA:
- name: TA for Zeek
url: https://splunkbase.splunk.com/app/5466
version: 1.0.8
version: 1.0.9
2 changes: 1 addition & 1 deletion data_sources/bro_ntp.yml
Expand Up @@ -15,4 +15,4 @@ sourcetype: bro:ntp:json
supported_TA:
- name: TA for Zeek
url: https://splunkbase.splunk.com/app/5466
version: 1.0.8
version: 1.0.9
2 changes: 1 addition & 1 deletion data_sources/bro_ocsp.yml
Expand Up @@ -16,4 +16,4 @@ sourcetype: bro:ocsp:json
supported_TA:
- name: TA for Zeek
url: https://splunkbase.splunk.com/app/5466
version: 1.0.8
version: 1.0.9
2 changes: 1 addition & 1 deletion data_sources/bro_ssl.yml
Expand Up @@ -16,4 +16,4 @@ sourcetype: bro:ssl:json
supported_TA:
- name: TA for Zeek
url: https://splunkbase.splunk.com/app/5466
version: 1.0.8
version: 1.0.9
2 changes: 1 addition & 1 deletion data_sources/bro_weird.yml
Expand Up @@ -16,4 +16,4 @@ sourcetype: bro:weird:json
supported_TA:
- name: TA for Zeek
url: https://splunkbase.splunk.com/app/5466
version: 1.0.8
version: 1.0.9
2 changes: 1 addition & 1 deletion data_sources/bro_x509.yml
Expand Up @@ -16,4 +16,4 @@ sourcetype: bro:x509:json
supported_TA:
- name: TA for Zeek
url: https://splunkbase.splunk.com/app/5466
version: 1.0.8
version: 1.0.9
2 changes: 1 addition & 1 deletion data_sources/cisco_ai_defense_alerts.yml
Expand Up @@ -10,5 +10,5 @@ separator: null
supported_TA:
- name: Cisco Security Cloud
url: https://splunkbase.splunk.com/app/7404
version: 3.1.1
version: 3.2.0
fields: null
Expand Up @@ -3,13 +3,14 @@ id: 18878597-8f8a-4bca-a805-bfbe35e00032
version: 1
date: '2025-04-01'
author: Nasreddine Bencherchali, Splunk
description: Data source object for raw connection events from Cisco Secure Firewall Threat Defense
description: Data source object for raw connection events from Cisco Secure Firewall
Threat Defense
source: not_applicable
sourcetype: cisco:sfw:estreamer
supported_TA:
- name: Cisco Security Cloud
url: https://splunkbase.splunk.com/app/7404
version: 3.1.1
version: 3.2.0
fields:
- AC_RuleAction
- action
Expand Down Expand Up @@ -115,4 +116,18 @@ output_fields:
- rule
- url
- action
example_log: '{"EventType":"ConnectionEvent", "FirstPacketSecond":1743500734, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "ConnectionID":259, "AC_RuleAction":"Block", "InitiatorIP":"172.16.3.110", "ResponderIP":"142.250.191.196", "InitiatorPort":62296, "ResponderPort":443, "Protocol":"tcp", "IngressInterface":"inside", "EgressInterface":"outside", "IngressZone":"inside", "EgressZone":"outside", "IngressVRF":"Global", "EgressVRF":"Global", "FirewallPolicy":"default", "FirewallRule":"NasBlock", "PrefilterPolicy":"Default Prefilter Policy", "ClientApplication":"Firefox", "Application":"HTTPS", "WebApplication":"Google", "InitiatorPackets":3, "ResponderPackets":1, "InitiatorBytes":840, "ResponderBytes":66, "NAP_Policy":"Balanced Security and Connectivity", "SSL_Policy":"None", "SSL_FlowStatus":"Success", "SSL_CipherSuite":"Unknown", "SSL_CertFingerprint":"2fcc05c514c4cda4260531f967407cd33974340c", "SSL_Version":"Unknown", "SSL_ServerCertStatus":"Not Checked", "SSL_ActualAction":"Do Not Decrypt", "SSL_ExpectedAction":"Do Not Decrypt", "URL":"https://www.google.com", "NAT_InitiatorPort":62296, "NAT_ResponderPort":443, "NAT_InitiatorIP":"172.16.2.10", "NAT_ResponderIP":"142.250.191.196", "EVE_Fingerprint":"tls/1/(0303)(130113031302c02bc02fcca9cca8c02cc030c00ac009c013c014009c009d002f0035)[(0000)(000500050100000000)(000a000e000c001d00170018001901000101)(000b00020100)(000d0018001604030503060308040805080604010501060102030201)(0010000e000c02683208687474702f312e31)(0012)(0017)(001c00024001)(0022)(0023)(002b00050403040303)(002d00020101)(0033)(fe0d)(ff01)]", "EVE_Process":"firefox browser", "EVE_ProcessConfidencePct":100, "EVE_ThreatConfidencePct":0, "EVE_ThreatConfidenceIndex":1, "ClientAppDetector":"Encrypted Visibility"}'
example_log: '{"EventType":"ConnectionEvent", "FirstPacketSecond":1743500734, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63",
"InstanceID":1, "ConnectionID":259, "AC_RuleAction":"Block", "InitiatorIP":"172.16.3.110",
"ResponderIP":"142.250.191.196", "InitiatorPort":62296, "ResponderPort":443, "Protocol":"tcp",
"IngressInterface":"inside", "EgressInterface":"outside", "IngressZone":"inside",
"EgressZone":"outside", "IngressVRF":"Global", "EgressVRF":"Global", "FirewallPolicy":"default",
"FirewallRule":"NasBlock", "PrefilterPolicy":"Default Prefilter Policy", "ClientApplication":"Firefox",
"Application":"HTTPS", "WebApplication":"Google", "InitiatorPackets":3, "ResponderPackets":1,
"InitiatorBytes":840, "ResponderBytes":66, "NAP_Policy":"Balanced Security and Connectivity",
"SSL_Policy":"None", "SSL_FlowStatus":"Success", "SSL_CipherSuite":"Unknown", "SSL_CertFingerprint":"2fcc05c514c4cda4260531f967407cd33974340c",
"SSL_Version":"Unknown", "SSL_ServerCertStatus":"Not Checked", "SSL_ActualAction":"Do
Not Decrypt", "SSL_ExpectedAction":"Do Not Decrypt", "URL":"https://www.google.com",
"NAT_InitiatorPort":62296, "NAT_ResponderPort":443, "NAT_InitiatorIP":"172.16.2.10",
"NAT_ResponderIP":"142.250.191.196", "EVE_Fingerprint":"tls/1/(0303)(130113031302c02bc02fcca9cca8c02cc030c00ac009c013c014009c009d002f0035)[(0000)(000500050100000000)(000a000e000c001d00170018001901000101)(000b00020100)(000d0018001604030503060308040805080604010501060102030201)(0010000e000c02683208687474702f312e31)(0012)(0017)(001c00024001)(0022)(0023)(002b00050403040303)(002d00020101)(0033)(fe0d)(ff01)]",
"EVE_Process":"firefox browser", "EVE_ProcessConfidencePct":100, "EVE_ThreatConfidencePct":0,
"EVE_ThreatConfidenceIndex":1, "ClientAppDetector":"Encrypted Visibility"}'
Expand Up @@ -3,13 +3,14 @@ id: 19878597-8f8a-4bca-a805-bfbe35e00032
version: 1
date: '2025-04-07'
author: Nasreddine Bencherchali, Splunk
description: Data source object for raw file events from Cisco Secure Firewall Threat Defense
description: Data source object for raw file events from Cisco Secure Firewall Threat
Defense
source: not_applicable
sourcetype: cisco:sfw:estreamer
supported_TA:
- name: Cisco Security Cloud
url: https://splunkbase.splunk.com/app/7404
version: 3.1.1
version: 3.2.0
fields:
- app
- Application
Expand Down Expand Up @@ -90,4 +91,13 @@ output_fields:
- FileType
- file_hash
- SHA_Disposition
example_log: '{"EventType":"FileEvent", "EventSecond":1741199882, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "FirstPacketSecond":1741199881, "ConnectionID":10092, "InitiatorIP":"172.16.3.158", "ResponderIP":"85.215.35.144", "InitiatorPort":55988, "ResponderPort":80, "Protocol":"tcp", "FileDirection":"Download", "FileAction":"Malware Cloud Lookup", "FileSHA256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "SHA_Disposition":"Malware", "SperoDisposition":"Spero detection not performed on file", "ThreatName":"EICAR", "ThreatScore":76, "FileName":"csm-eicar.gif", "FileType":"EICAR", "FileSize":68, "Application":"HTTP", "ClientApplication":"Wget", "WebApplication":"Web Browsing", "FilePolicy":"Test", "FileStorageStatus":"File Size Is Too Small", "FileSandboxStatus":"File Size Is Too Small", "URI":"/csm-eicar.gif", "IngressVRF":"Global", "EgressVRF":"Global", "Device":"172.16.0.10", "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D"}'
example_log: '{"EventType":"FileEvent", "EventSecond":1741199882, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63",
"InstanceID":1, "FirstPacketSecond":1741199881, "ConnectionID":10092, "InitiatorIP":"172.16.3.158",
"ResponderIP":"85.215.35.144", "InitiatorPort":55988, "ResponderPort":80, "Protocol":"tcp",
"FileDirection":"Download", "FileAction":"Malware Cloud Lookup", "FileSHA256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"SHA_Disposition":"Malware", "SperoDisposition":"Spero detection not performed on
file", "ThreatName":"EICAR", "ThreatScore":76, "FileName":"csm-eicar.gif", "FileType":"EICAR",
"FileSize":68, "Application":"HTTP", "ClientApplication":"Wget", "WebApplication":"Web
Browsing", "FilePolicy":"Test", "FileStorageStatus":"File Size Is Too Small", "FileSandboxStatus":"File
Size Is Too Small", "URI":"/csm-eicar.gif", "IngressVRF":"Global", "EgressVRF":"Global",
"Device":"172.16.0.10", "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D"}'
Expand Up @@ -3,13 +3,14 @@ id: d11b67ec-1cb2-4f6f-a2d8-a099c7e15b29
version: 1
date: '2025-04-16'
author: Nasreddine Bencherchali, Splunk
description: Data source object for raw intrusion events from Cisco Secure Firewall Threat Defense
description: Data source object for raw intrusion events from Cisco Secure Firewall
Threat Defense
source: not_applicable
sourcetype: cisco:sfw:estreamer
supported_TA:
- name: Cisco Security Cloud
url: https://splunkbase.splunk.com/app/7404
version: 3.1.1
version: 3.2.0
fields:
- Application
- Classification
Expand Down Expand Up @@ -156,4 +157,31 @@ output_fields:
- rule
- transport
- app
example_log: '"EventType":"IntrusionEvent", "EventSecond":1744752707, "EventMicrosecond":709756, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "FirstPacketSecond":1744752707, "ConnectionID":27798, "InitiatorIP":"146.75.78.172", "ResponderIP":"172.16.3.110", "InitiatorPort":80, "ResponderPort":2604, "Protocol":"tcp", "IngressInterface":"outside", "EgressInterface":"inside", "IngressZone":"outside", "EgressZone":"inside", "PriorityID":1, "GeneratorID":1, "SignatureID":11192, "SignatureRevision":20, "Impact":5, "IntrusionRuleMessage":"FILE-EXECUTABLE download of executable content", "Classification":"Potential Corporate Policy Violation", "WebApplication":"Microsoft Update", "ClientApplication":"Parallels", "Application":"HTTP", "IntrusionPolicy":"default", "FirewallPolicy":"default", "FirewallRule":"Permit Outbound", "NAP_Policy":"Balanced Security and Connectivity", "InlineResult":"Would block", "InlineResultReason":"Intrusion Policy in \"Detection\" Inspection Mode", "IngressVRF":"Global", "EgressVRF":"Global", "HTTP_Hostname":"au.download.windowsupdate.com", "HTTP_URI":"/d/msdownload/update/software/defu/2025/04/am_delta_patch_1.427.242.0_5ac0bd95663c4357097204f23072019d82f2e8ce.exe", "SnortRuleGroups":"Rule Categories>File>Executable", "MitreAttackGroups":"MITRE>ATT&CK Framework>Enterprise>Execution>User Execution>Malicious File", "ApplicationID":676, "ApplicationProductivityIndex":3, "ApplicationRiskIndex":1, "ClientApplicationID":2802, "ClientApplicationProductivityIndex":4, "ClientApplicationRiskIndex":2, "Device":"172.16.0.10", "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D", "EgressInterfaceUUID":"efbb6160-f60a-11ef-a955-43d7eeccc024", "EgressZoneUUID":"efbcd7ac-f60a-11ef-a955-43d7eeccc024", "EventID":195, "FirewallPolicyUUID":"00000000-0000-0000-0000-000067fece37", "FirewallRuleID":268434433, "Hostname":"ip-172-16-0-50.us-east-2.compute.internal", "IngressInterfaceUUID":"ef9a2180-f60a-11ef-a955-43d7eeccc024", 
"IngressZoneUUID":"ef9c7c64-f60a-11ef-a955-43d7eeccc024", "InitiatorContinent":"North America", "InitiatorContinentCode":"na", "InitiatorCountry":"United States", "InitiatorCountryCode":"usa", "InitiatorCountryID":840, "InlineResultID":5, "InlineResultReasonID":2, "IntrusionPolicyRevUUID":"c1fab45a-f615-11ef-bd70-44d7eeccc024", "IntrusionPolicyUUID":"0210b9f5-95a7-0ed3-0000-004294971142", "NAP_PolicyUUID":"a6738542-f604-11ef-8765-a4eeeeccc024", "ProtocolID":6, "RealmID":0, "RealmName":"Invalid ID", "SensorID":2, "SnortVersionID":3, "UserID":9999997, "WebApplicationHTTP":"Microsoft Update", "WebApplicationID":731, "WebApplicationProductivityIndex":2}'
example_log: '"EventType":"IntrusionEvent", "EventSecond":1744752707, "EventMicrosecond":709756,
"DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "FirstPacketSecond":1744752707,
"ConnectionID":27798, "InitiatorIP":"146.75.78.172", "ResponderIP":"172.16.3.110",
"InitiatorPort":80, "ResponderPort":2604, "Protocol":"tcp", "IngressInterface":"outside",
"EgressInterface":"inside", "IngressZone":"outside", "EgressZone":"inside", "PriorityID":1,
"GeneratorID":1, "SignatureID":11192, "SignatureRevision":20, "Impact":5, "IntrusionRuleMessage":"FILE-EXECUTABLE
download of executable content", "Classification":"Potential Corporate Policy Violation",
"WebApplication":"Microsoft Update", "ClientApplication":"Parallels", "Application":"HTTP",
"IntrusionPolicy":"default", "FirewallPolicy":"default", "FirewallRule":"Permit
Outbound", "NAP_Policy":"Balanced Security and Connectivity", "InlineResult":"Would
block", "InlineResultReason":"Intrusion Policy in \"Detection\" Inspection Mode",
"IngressVRF":"Global", "EgressVRF":"Global", "HTTP_Hostname":"au.download.windowsupdate.com",
"HTTP_URI":"/d/msdownload/update/software/defu/2025/04/am_delta_patch_1.427.242.0_5ac0bd95663c4357097204f23072019d82f2e8ce.exe",
"SnortRuleGroups":"Rule Categories>File>Executable", "MitreAttackGroups":"MITRE>ATT&CK
Framework>Enterprise>Execution>User Execution>Malicious File", "ApplicationID":676,
"ApplicationProductivityIndex":3, "ApplicationRiskIndex":1, "ClientApplicationID":2802,
"ClientApplicationProductivityIndex":4, "ClientApplicationRiskIndex":2, "Device":"172.16.0.10",
"DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D", "EgressInterfaceUUID":"efbb6160-f60a-11ef-a955-43d7eeccc024",
"EgressZoneUUID":"efbcd7ac-f60a-11ef-a955-43d7eeccc024", "EventID":195, "FirewallPolicyUUID":"00000000-0000-0000-0000-000067fece37",
"FirewallRuleID":268434433, "Hostname":"ip-172-16-0-50.us-east-2.compute.internal",
"IngressInterfaceUUID":"ef9a2180-f60a-11ef-a955-43d7eeccc024", "IngressZoneUUID":"ef9c7c64-f60a-11ef-a955-43d7eeccc024",
"InitiatorContinent":"North America", "InitiatorContinentCode":"na", "InitiatorCountry":"United
States", "InitiatorCountryCode":"usa", "InitiatorCountryID":840, "InlineResultID":5,
"InlineResultReasonID":2, "IntrusionPolicyRevUUID":"c1fab45a-f615-11ef-bd70-44d7eeccc024",
"IntrusionPolicyUUID":"0210b9f5-95a7-0ed3-0000-004294971142", "NAP_PolicyUUID":"a6738542-f604-11ef-8765-a4eeeeccc024",
"ProtocolID":6, "RealmID":0, "RealmName":"Invalid ID", "SensorID":2, "SnortVersionID":3,
"UserID":9999997, "WebApplicationHTTP":"Microsoft Update", "WebApplicationID":731,
"WebApplicationProductivityIndex":2}'
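Review bot: The rewrapped `example_log` on the new side still opens with `'"EventType":"IntrusionEvent"` and closes with `}'`, so the sample is not a well-formed JSON object, whereas the two sibling Cisco Secure Firewall data sources open their samples with `'{"EventType"`. This looks pre-existing rather than introduced by the commit, but since the scalar is being rewritten anyway it is the cheapest place to fix it: `example_log: '{"EventType":"IntrusionEvent", "EventSecond":1744752707, "EventMicrosecond":709756,`. If any tooling parses `example_log` as JSON to validate the listed `fields`/`output_fields`, this sample presumably fails that check today and the data source's field coverage goes unverified. The enclosing document's `fields` and `output_fields` lists continue outside the hunk.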
6 changes: 3 additions & 3 deletions data_sources/zeek_conn.yml
Expand Up @@ -6,10 +6,10 @@ author: Patrick Bareiss, Splunk
description: Data source object for Zeek connection logs
source: bro:conn:json
sourcetype: bro:conn:json
supported_TA:
supported_TA:
- name: TA for Zeek
url: https://splunkbase.splunk.com/app/5466
version: 1.0.8
version: 1.0.9
fields:
- action
- bytes
Expand Down Expand Up @@ -45,7 +45,7 @@ fields:
- packets
- packets_in
- packets_out
- product:
- product: null
- proto
- resp_bytes
- resp_ip_bytes
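Review bot: `- product: null` in the `fields` list (the item between `- packets_out` and `- proto`) is a one-key mapping, not the plain field-name string every neighbouring entry is; the old `- product:` already parsed the same way, so the reformat only makes the oddity visible rather than fixing it. If `fields` is consumed as a list of field-name strings, as the surrounding entries suggest, a consumer will see a dict here instead of `product`, and any field-coverage check for this data source may silently skip that field. Unless a nested value was intended, the line should read `- product`. The `fields` list continues outside the hunk on both sides.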