Merge branch 'develop' into nterl0k-T1110.003-generic-password-spray

.github/workflows/build.yml

@@ -2,6 +2,9 @@ name: build
 on:
   pull_request:
     types: [opened, reopened, synchronize]
+  push:
+    branches:
+      - develop
 jobs:
   build:
     #Note that the CircleCI job used a Container.  The way to do this with Github Actions

.github/workflows/unit-testing.yml

@@ -7,11 +7,14 @@ jobs:
     runs-on: ubuntu-latest
     if: "!contains(github.ref, 'refs/tags/')" #don't run on tags - future steps won't run either since they depend on this job
     # needs: [validate-tag-if-present, quit-for-dependabot]
-    steps: 
+    steps:
+        #For fork PRs, always check out security_content and the PR target in security content!
         - name: Check out the repository code
           uses: actions/checkout@v4
           with:
-            ref: develop
+            repository: 'splunk/security_content' #this should be the TARGET repo of the PR. we hardcode it for now
+            ref: ${{ github.base_ref }}
+
 
         - uses: actions/setup-python@v5
           with:
@@ -24,13 +27,20 @@ jobs:
             pip install contentctl
            
         # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
+        # Make sure we check out the PR, even if it actually lives in a fork
+        # Instructions for pulling a PR were taken from: 
+        # https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally
         - name: Run ContentCTL test for changes against target branch
           run: |
+            
             echo "Current Branch (Head Ref): ${{ github.head_ref }}"
             echo "Target Branch (Base Ref): ${{ github.base_ref }}"
             git pull > /dev/null 2>&1
-            git checkout ${{ github.head_ref }}
-            echo "The target branch for this PR is ${{ github.base_ref }}"
+            git fetch origin pull/${{ github.event.pull_request.number }}/head:${{ github.head_ref }}
+            #We must specifically get the PR's target branch from security_content, not the one that resides in the fork PR's forked repo
+            git switch ${{ github.head_ref }}
+            #git checkout ${{ github.head_ref }}
+            #echo "The target branch for this PR is ${{ github.base_ref }}"
             contentctl test --disable-tqdm --no-enable-integration-testing --post-test-behavior never_pause mode:changes --mode.target-branch ${{ github.base_ref }}
             echo "contentctl test - COMPLETED"
           continue-on-error: true
@@ -55,5 +65,4 @@ jobs:
           run: |       
             echo "This job will fail if there are failures in unit-testing"  
             python .github/workflows/format_test_results.py >> $GITHUB_STEP_SUMMARY
-            echo "The Unit testing is completed. See details in the unit-testing job summary UI "
-            
+            echo "The Unit testing is completed. See details in the unit-testing job summary UI "

README.md

@@ -2,8 +2,8 @@
 <p align="center">
     <a href="https://github.com/splunk/security_content/releases">
         <img src="https://img.shields.io/github/v/release/splunk/security_content" /></a>
-    <a href="https://github.com/splunk/security_content/actions/workflows/validate-and-build.yml/badge.svg?branch=develop">
-        <img src="https://github.com/splunk/security_content/actions/workflows/validate-and-build.yml/badge.svg?branch=develop" /></a>
+    <a href="https://github.com/splunk/security_content/actions/workflows/build.yml/badge.svg?branch=develop">
+        <img src="https://github.com/splunk/security_content/actions/workflows/build.yml/badge.svg?branch=develop" /></a>
     <a href="https://github.com/splunk/security_content">
         <img src="https://security-content.s3-us-west-2.amazonaws.com/reporting/detection_count.svg" /></a>
     <a href="https://github.com/splunk/security_content">

app_template/default/app.conf

@@ -8,7 +8,6 @@ build = 16367
 
 [triggers]
 reload.analytic_stories = simple
-reload.usage_searches = simple
 reload.use_case_library = simple
 reload.correlationsearches = simple
 reload.analyticstories = simple

contentctl.yml

@@ -13,7 +13,7 @@ app:
 enrichments: false
 build_app: true
 build_api: true
-build_ssa: true
+build_ssa: false
 build_path: dist
 test_instance:
   splunk_app_username: admin

data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml

@@ -0,0 +1,66 @@
+name: AWS CloudWatchLogs VPCflow
+id: 38a34fc4-e128-4478-a8f4-7835d51d5135
+author: Bhavin Patel, Splunk
+source: aws_cloudwatchlogs_vpcflow
+sourcetype: aws:cloudwatchlogs:vpcflow
+separator: eventName
+supported_TA:
+  name: Splunk Add-on for Amazon Web Services (AWS)
+  version: 7.4.1
+  url: https://splunkbase.splunk.com/app/1876
+event_names: []
+fields:
+- _raw
+- _time
+- account_id
+- action
+- app
+- aws_account_id
+- bytes
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_ip
+- dest_port
+- duration
+- dvc
+- end_time
+- eventtype
+- host
+- index
+- interface_id
+- linecount
+- log_status
+- packets
+- protocol
+- protocol_code
+- protocol_full_name
+- protocol_version
+- punct
+- region
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_port
+- start_time
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- transport
+- user_id
+- vendor_account
+- vendor_product
+- version
+- vpcflow_action
+example_log: '2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK'

data_sources/endpoint/Windows_Event_Log_Security.yml

@@ -45,6 +45,8 @@ event_names:
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml
 - event_name: Windows Event Log Security 4726
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml
+- event_name: Windows Event Log Security 4728
+  data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4728.yml
 - event_name: Windows Event Log Security 4732
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml
 - event_name: Windows Event Log Security 4738

data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml

@@ -0,0 +1,88 @@
+event_name: Windows Event Log System 4728
+fields:
+- _time
+- Account_Domain
+- Account_Name
+- CategoryString
+- ComputerName
+- Error_Code
+- EventCode
+- EventType
+- Keywords
+- LogName
+- Logon_ID
+- Message
+- OpCode
+- RecordNumber
+- Security_ID
+- SourceName
+- Subject_Account_Domain
+- Subject_Account_Name
+- Subject_Logon_ID
+- Subject_Security_ID
+- Target_Account_Domain
+- Target_Account_Name
+- Target_Security_ID
+- TaskCategory
+- Type
+- action
+- app
+- body
+- category
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dest_nt_host
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- member_dn
+- member_id
+- member_nt_domain
+- msad_action
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product
+example_log: 10/09/2020 10:41:29 AM