Merge pull request #2983 from splunk/gitlab_release_v4.27.0

Release v4.27.0
splunk · Mar 20, 2024 · e4dd27c · e4dd27c
2 parents b32c1a6 + 90249f4
commit e4dd27c
Show file tree

Hide file tree

Showing 82 changed files with 2,578 additions and 366 deletions.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -29,4 +29,4 @@ workflow:
     - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
     - if: $CI_COMMIT_TAG
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-    - if: $CI_COMMIT_BRANCH =~ /^release_v[0-9]+\.[0-9]+\.[0-9]+$/
+    - if: $CI_COMMIT_BRANCH =~ /^release_v[0-9]+\.[0-9]+\.[0-9]+$/
diff --git a/bin/docker_detection_tester/test_config_github_actions.json b/bin/docker_detection_tester/test_config_github_actions.json
@@ -7,13 +7,8 @@
     },
     "PALO_ALTO_NETWORKS_ADD_ON_FOR_SPLUNK": {
         "app_number": 2757,
-        "app_version": "8.0.1",
-        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/palo-alto-networks-add-on-for-splunk_802.tgz"
-    },
-    "PYTHON_FOR_SCIENTIFIC_COMPUTING_FOR_LINUX_64_BIT": {
-        "app_number": 2882,
-        "app_version": "4.1.0",
-        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/python-for-scientific-computing-for-linux-64-bit_410.tgz"
+        "app_version": "8.1.0",
+        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/palo-alto-networks-add-on-for-splunk_810.tgz"
     },
     "SPLUNK_ADD_ON_FOR_AMAZON_KINESIS_FIREHOSE": {
         "app_number": 3719,
@@ -22,23 +17,23 @@
     },
     "SPLUNK_ADD_ON_FOR_GOOGLE_CLOUD_PLATFORM": {
         "app_number": 3088,
-        "app_version": "4.1.0",
-        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-google-cloud-platform_410.tgz"
+        "app_version": "4.3.0",
+        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-google-cloud-platform_430.tgz"
     },
     "SPLUNK_ADD_ON_FOR_GOOGLE_WORKSPACE": {
         "app_number": 3110,
-        "app_version": "2.4.1",
-        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-google-workspace_251.tgz"
+        "app_version": "2.6.0",
+        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-google-workspace_260.tgz"
     },
     "SPLUNK_ADD_ON_FOR_MICROSOFT_OFFICE_365": {
         "app_number": 4055,
-        "app_version": "4.2.1",
+        "app_version": "4.3.0",
         "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-office-365_430.tgz"
     },
     "SPLUNK_ADD_ON_FOR_MICROSOFT_WINDOWS": {
         "app_number": 742,
-        "app_version": "8.5.0",
-        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-windows_870.tgz"
+        "app_version": "8.8.0",
+        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-windows_880.tgz"
     },
     "SPLUNK_ADD_ON_FOR_NGINX": {
         "app_number": 3258,
@@ -47,13 +42,13 @@
     },
     "SPLUNK_ADD_ON_FOR_STREAM_FORWARDERS": {
         "app_number": 5238,
-        "app_version": "8.1.0",
-        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-stream-forwarders_810.tgz"
+        "app_version": "8.1.1",
+        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-stream-forwarders_811.tgz"
     },
     "SPLUNK_ADD_ON_FOR_STREAM_WIRE_DATA": {
         "app_number": 5234,
-        "app_version": "8.1.0",
-        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-stream-wire-data_810.tgz"
+        "app_version": "8.1.1",
+        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-stream-wire-data_811.tgz"
     },
     "SPLUNK_ADD_ON_FOR_SYSMON": {
         "app_number": 5709,
@@ -62,18 +57,13 @@
     },
     "SPLUNK_ADD_ON_FOR_UNIX_AND_LINUX": {
         "app_number": 833,
-        "app_version": "8.8.0",
-        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-unix-and-linux_890.tgz"
-    },
-    "SPLUNK_APP_FOR_STREAM": {
-        "app_number": 1809,
-        "app_version": "8.1.0",
-        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-app-for-stream_810.tgz"
+        "app_version": "9.0.0",
+        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-unix-and-linux_900.tgz"
     },
     "SPLUNK_COMMON_INFORMATION_MODEL": {
         "app_number": 1621,
-        "app_version": "5.1.0",
-        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-common-information-model-cim_511.tgz"
+        "app_version": "5.2.0",
+        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-common-information-model-cim_520.tgz"
     },
     "SPLUNK_ES_CONTENT_UPDATE": {
         "app_number": 3449,
@@ -82,8 +72,8 @@
     },
     "SPLUNK_MACHINE_LEARNING_TOOLKIT": {
         "app_number": 2890,
-        "app_version": "5.4.0",
-        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-machine-learning-toolkit_540.tgz"
+        "app_version": "5.4.1",
+        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-machine-learning-toolkit_541.tgz"
     },
     "SPLUNK_TA_FIX_WINDOWS": {
         "app_number": 9999,
@@ -96,8 +86,8 @@
         "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-iis_120.tgz"
     },
     "SPLUNK_TA_FOR_SURICATA": {
-        "app_number": 2760,
-        "app_version": "2.3.3",
+        "app_number": 4242,
+        "app_version": "2.3.4",
         "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/ta-for-suricata_234.tgz"
     },
     "SPLUNK_TA_FOR_ZEEK": {
@@ -107,12 +97,12 @@
     },
     "SPLUNK_TA_MICROSOFT_CLOUD_SERVICES": {
         "app_number": 3110,
-        "app_version": "4.5.2",
-        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-cloud-services_510.tgz"
+        "app_version": "5.2.1",
+        "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-cloud-services_521.tgz"
     },
     "Splunk Add-on for CrowdStrike FDR": {
         "app_number": 5579,
-        "app_version": "1.3.0",
+        "app_version": "1.4.0",
         "http_path": "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-crowdstrike-fdr_140.tgz"
     },
     "URL_TOOLBOX": {

diff --git a/contentctl b/contentctl
diff --git a/detections/application/okta_user_logins_from_multiple_cities.yml b/detections/application/okta_user_logins_from_multiple_cities.yml
@@ -15,8 +15,8 @@ search: '`okta` displayMessage="User login to Okta" client.geographicalContext.c
   | `okta_user_logins_from_multiple_cities_filter` | search locations > 1'
 how_to_implement: This search is specific to Okta and requires Okta logs are being
   ingested in your Splunk deployment.
-known_false_positives: Users in your enviornment may legitmately be travelling and
-  loggin in from different locations. This search is useful for those users that should
+known_false_positives: Users in your environment may legitimately be travelling and
+  logging in from different locations. This search is useful for those users that should
   *not* be travelling for some reason, such as the COVID-19 pandemic. The search also
   relies on the geographical information being populated in the Okta logs. It is also
   possible that a connection from another region may be attributed to a login from

diff --git a/detections/application/path_traversal_spl_injection.yml b/detections/application/path_traversal_spl_injection.yml
@@ -1,7 +1,7 @@
 name: Path traversal SPL injection
 id: dfe55688-82ed-4d24-a21b-ed8f0e0fda99
-version: 1
-date: '2022-04-29'
+version: 2
+date: '2024-03-19'
 author: Rod Soto, Splunk
 status: production
 type: TTP
@@ -11,7 +11,7 @@ description: On May 3rd, 2022, Splunk published a security advisory for a Path t
   such as running arbitrary SPL queries.
 data_source: []
 search: ' `path_traversal_spl_injection` | search "\/..\/..\/..\/..\/..\/..\/..\/..\/..\/"  |
-  stats count by status clientip method uri_path uri_query | `path_traversal_spl_injection_filter`'
+  stats count by host status clientip method uri_path uri_query | `path_traversal_spl_injection_filter`'
 how_to_implement: This detection does not require you to ingest any new data. The
   detection does require the ability to search the _internal index. This search will
   provide search UI requests with path traversal parameter ("../../../../../../../../../")
@@ -34,6 +34,10 @@ tags:
   mitre_attack_id:
   - T1083
   observable:
+  - name: host
+    type: Hostname
+    role:
+    - Victim
   - name: clientip
     type: IP Address
     role:

diff --git a/detections/application/splunk_user_enumeration_attempt.yml b/detections/application/splunk_user_enumeration_attempt.yml
@@ -1,7 +1,7 @@
 name: Splunk User Enumeration Attempt
 id: 25625cb4-1c4d-4463-b0f9-7cb462699cde
-version: 1
-date: '2022-04-29'
+version: 2
+date: '2024-03-19'
 author: Lou Stella, Splunk
 status: production
 type: TTP
@@ -11,7 +11,7 @@ description: On May 3rd, 2022, Splunk published a security advisory for  usernam
   as well as actual exploitation in unpatched version of Splunk.
 data_source: []
 search: ' `splunkd_failed_auths` | stats count(user) as auths by user, src | where
-  auths>5 | stats values(user) as "Users", sum(auths) as TotalFailedAuths by src |
+  auths>5 | stats values(user) as user, sum(auths) as TotalFailedAuths by src |
   `splunk_user_enumeration_attempt_filter`'
 how_to_implement: This detection does not require you to ingest any new data. The
   detection does require the ability to search the _audit index. This detection may
@@ -33,6 +33,10 @@ tags:
   mitre_attack_id:
   - T1078
   observable:
+  - name: user
+    type: User
+    role:
+    - Victim
   - name: src
     type: IP Address
     role:

diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
@@ -33,7 +33,7 @@ references:
 tags:
   analytic_story:
   - Compromised User Account
-  - AWS Identity and Access Management Account
+  - AWS Identity and Access Management Account Takeover
   asset_type: AWS Account
   confidence: 60
   impact: 70

diff --git a/detections/cloud/aws_credential_access_rds_password_reset.yml b/detections/cloud/aws_credential_access_rds_password_reset.yml
@@ -1,7 +1,7 @@
 name: AWS Credential Access RDS Password reset
 id: 6153c5ea-ed30-4878-81e6-21ecdb198189
-version: 1
-date: '2022-08-07'
+version: 2
+date: '2024-03-19'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -13,7 +13,7 @@ description: The master user password for Amazon RDS DB instance can be reset us
 data_source: []
 search: '`cloudtrail` eventSource="rds.amazonaws.com" eventName=ModifyDBInstance "requestParameters.masterUserPassword"=*
   | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier)
-  as DB by sourceIPAddress awsRegion eventName userAgent| `security_content_ctime(firstTime)`|
+  as database_id by src awsRegion eventName userAgent user_arn| `security_content_ctime(firstTime)`|
   `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`'
 how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This
   search works with AWS CloudTrail logs.
@@ -26,13 +26,17 @@ tags:
   asset_type: AWS Account
   confidence: 70
   impact: 70
-  message: $DB$ password has been reset from IP $sourceIPAddress$
+  message: $database_id$ password has been reset from IP $src$
   mitre_attack_id:
   - T1586
   - T1586.003
   - T1110
   observable:
-  - name: sourceIPAddress
+  - name: database_id
+    type: Endpoint
+    role:
+    - Victim
+  - name: src
     type: IP Address
     role:
     - Attacker

diff --git a/detections/cloud/kubernetes_nginx_ingress_lfi.yml b/detections/cloud/kubernetes_nginx_ingress_lfi.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Nginx Ingress LFI
 id: 0f83244b-425b-4528-83db-7a88c5f66e48
-version: 1
-date: '2021-08-20'
+version: 2
+date: '2024-03-19'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -31,6 +31,10 @@ tags:
   mitre_attack_id:
   - T1212
   observable:
+  - name: host
+    type: Hostname
+    role:
+    - Victim
   - name: src_ip
     type: IP Address
     role:

diff --git a/detections/cloud/kubernetes_nginx_ingress_rfi.yml b/detections/cloud/kubernetes_nginx_ingress_rfi.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Nginx Ingress RFI
 id: fc5531ae-62fd-4de6-9c36-b4afdae8ca95
-version: 1
-date: '2021-08-23'
+version: 3
+date: '2024-03-19'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -30,6 +30,10 @@ tags:
   mitre_attack_id:
   - T1212
   observable:
+  - name: host
+    type: Hostname
+    role:
+    - Victim
   - name: src_ip
     type: IP Address
     role:

diff --git a/detections/cloud/kubernetes_previously_unseen_process.yml b/detections/cloud/kubernetes_previously_unseen_process.yml
@@ -51,7 +51,7 @@ references:
 - https://github.com/signalfx/splunk-otel-collector-chart
 tags:
   analytic_story:
-  - Abnormal Kubernetes Behavior  using Splunk Infrastructure Monitoring
+  - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
   asset_type: Kubernetes
   confidence: 50
   impact: 50

diff --git a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
 name: O365 Multiple Users Failing To Authenticate From Ip
 id: 8d486e2e-3235-4cfe-ac35-0d042e24ecb4
-version: 1
-date: '2023-10-10'
+version: 2
+date: '2024-03-19'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -34,6 +34,10 @@ tags:
   - T1110.003
   - T1110.004
   observable:
+  - name: user
+    type: User
+    role:
+    - Victim
   - name: src_ip
     type: IP Address
     role:

diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml
@@ -1,7 +1,7 @@
 name: Detect AzureHound Command-Line Arguments
 id: 26f02e96-c300-11eb-b611-acde48001122
-version: 1
-date: '2021-06-01'
+version: 2
+date: '2024-03-14'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -34,7 +34,7 @@ references:
 - https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
 tags:
   analytic_story:
-  - Discovery Techniques
+  - Windows Discovery Techniques
   asset_type: Endpoint
   confidence: 100
   impact: 80

diff --git a/detections/endpoint/detect_azurehound_file_modifications.yml b/detections/endpoint/detect_azurehound_file_modifications.yml
@@ -1,7 +1,7 @@
 name: Detect AzureHound File Modifications
 id: 1c34549e-c31b-11eb-996b-acde48001122
-version: 1
-date: '2021-06-01'
+version: 2
+date: '2024-03-14'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -31,7 +31,7 @@ references:
 - https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/AzureHound.ps1
 tags:
   analytic_story:
-  - Discovery Techniques
+  - Windows Discovery Techniques
   asset_type: Endpoint
   confidence: 90
   impact: 70

diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml
@@ -1,7 +1,7 @@
 name: Detect SharpHound Command-Line Arguments
 id: a0bdd2f6-c2ff-11eb-b918-acde48001122
-version: 1
-date: '2021-06-01'
+version: 2
+date: '2024-03-14'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -37,7 +37,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk
 tags:
   analytic_story:
-  - Discovery Techniques
+  - Windows Discovery Techniques
   - Ransomware
   asset_type: Endpoint
   confidence: 80