416 files

Author: patel-bhavin

dist/DA-ESS-ContentUpdate/app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null, 
       "name": "DA-ESS-ContentUpdate", 
-      "version": "4.15.0"
+      "version": "4.16.0"
     }, 
     "author": [
       {

dist/DA-ESS-ContentUpdate/default/analyticstories.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-01T20:44:08 UTC
+# On Date: 2023-11-16T22:15:55 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
@@ -10,7 +10,7 @@
 is_configured = false
 state = enabled
 state_change_requires_restart = false
-build = 20231101204321
+build = 20231116221053
 
 [triggers]
 reload.analytic_stories = simple
@@ -26,7 +26,7 @@ reload.es_investigations = simple
 
 [launcher]
 author = Splunk
-version = 4.15.0 
+version = 4.16.0 
 description = Explore the Analytic Stories included with ES Content Updates.
 
 [ui]

dist/DA-ESS-ContentUpdate/default/app.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-01T20:44:08 UTC
+# On Date: 2023-11-16T22:15:55 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############

dist/DA-ESS-ContentUpdate/default/collections.conf

@@ -1,8 +1,8 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-01T20:44:08 UTC
+# On Date: 2023-11-16T22:15:55 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
 [content-version]
-version = 4.15.0 
+version = 4.16.0 

dist/DA-ESS-ContentUpdate/default/content-version.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-01T20:44:08 UTC
+# On Date: 2023-11-16T22:15:55 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############

dist/DA-ESS-ContentUpdate/default/es_investigations.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-01T20:44:08 UTC
+# On Date: 2023-11-16T22:15:55 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
@@ -117,6 +117,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [splunk_code_injection_via_custom_dashboard_leading_to_rce_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -257,6 +261,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[splunk_xss_in_highlighted_json_events_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [splunk_xss_in_monitoring_console_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -593,10 +601,18 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[azure_ad_block_user_consent_for_risky_apps_disabled_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [azure_ad_concurrent_sessions_from_different_ips_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[azure_ad_device_code_authentication_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [azure_ad_external_guest_user_invited_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -617,6 +633,18 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[azure_ad_multi_source_failed_authentications_spike_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[azure_ad_multiple_appids_and_useragents_authentication_spike_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[azure_ad_multiple_denied_mfa_requests_for_user_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [azure_ad_multiple_failed_mfa_requests_for_user_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -633,10 +661,18 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[azure_ad_new_mfa_method_registered_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [azure_ad_new_mfa_method_registered_for_user_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[azure_ad_oauth_application_consent_granted_by_user_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [azure_ad_pim_role_assigned_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -681,10 +717,22 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[azure_ad_tenant_wide_admin_consent_granted_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [azure_ad_unusual_number_of_failed_authentications_from_ip_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[azure_ad_user_consent_blocked_for_risky_application_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[azure_ad_user_consent_denied_for_oauth_application_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [azure_ad_user_enabled_and_password_reset_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -753,14 +801,6 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
-[correlation_by_repository_and_risk_filter]
-definition = search *
-description = Update this macro to limit the output results to filter out false positives.
-
-[correlation_by_user_and_risk_filter]
-definition = search *
-description = Update this macro to limit the output results to filter out false positives.
-
 [detect_aws_console_login_by_new_user_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -961,6 +1001,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[risk_rule_for_dev_sec_ops_by_repository_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [abnormally_high_aws_instances_launched_by_user_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -1005,6 +1049,14 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[correlation_by_repository_and_risk_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[correlation_by_user_and_risk_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [detect_activity_related_to_pass_the_hash_attacks_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -3897,6 +3949,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_autoit3_execution_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_autostart_execution_lsass_driver_registry_modification_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -3917,6 +3973,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_cab_file_on_disk_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_cached_domain_credentials_reg_query_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -3965,6 +4025,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_conhost_with_headless_argument_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_create_local_account_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -4533,6 +4597,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_msiexec_spawn_windbg_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_msiexec_unregister_dllregisterserver_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -5137,6 +5205,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_windbg_spawning_autoit3_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_winlogon_with_public_network_connection_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -5610,6 +5682,10 @@ description = customer specific splunk configurations(eg- index, source, sourcet
 definition = sourcetype=mscs:azure:audit
 description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.
 
+[azure_monitor_aad]
+definition = sourcetype=azure:monitor:aad
+description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.
+
 [azuread]
 definition = sourcetype=mscs:azure:eventhub
 description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.