-
Notifications
You must be signed in to change notification settings - Fork 375
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
another round of lookup file updates
- Loading branch information
Showing
25 changed files
with
270 additions
and
94 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,15 @@ | ||
| name: api_call_by_user_baseline | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: 6f4b0d42-5f24-4992-98f9-aebbc7ced9bf | ||
| author: Splunk Threat Research Team | ||
| lookup_type: kvstore | ||
| description: A collection that will contain the baseline information for number of | ||
| AWS API calls per user | ||
| collection: api_call_by_user_baseline | ||
| name: api_call_by_user_baseline | ||
| fields_list: arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | ||
| fields_list: | ||
| - arn | ||
| - latestCount | ||
| - numDataPoints | ||
| - avgApiCalls | ||
| - stdevApiCalls |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,10 @@ | ||
| default_match: 'false' | ||
| name: is_windows_system_file | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: ce238622-4d8f-41a4-a747-5d0adab9c854 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| default_match: false | ||
| description: A full baseline of executable files in Windows\System32 and Windows\Syswow64, including sub-directories from Server 2016 and Windows 10. | ||
| filename: is_windows_system_file20231221.csv | ||
| min_matches: 1 | ||
| name: is_windows_system_file | ||
| case_sensitive_match: 'false' | ||
| case_sensitive_match: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,30 @@ | ||
| name: k8s_process_resource_baseline | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: 6deb2883-faf8-4f78-bf88-ad67ccc8dfc0 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: kvstore | ||
| description: A place holder for a list of used Kuberntes Process Resource | ||
| collection: k8s_process_resource_baseline | ||
| name: k8s_process_resource_baseline | ||
| fields_list: host.name, k8s.cluster.name, k8s.node.name, process.executable.name, avg_process.cpu.time, avg_process.cpu.utilization, avg_process.disk.io, avg_process.disk.operations, avg_process.memory.usage, avg_process.memory.utilization, avg_process.memory.virtual, avg_process.threads, stdev_process.cpu.time, stdev_process.cpu.utilization, stdev_process.disk.io, stdev_process.disk.operations, stdev_process.memory.usage, stdev_process.memory.utilization, stdev_process.memory.virtual, stdev_process.threads, key | ||
| fields_list: | ||
| - host.name | ||
| - k8s.cluster.name | ||
| - k8s.node.name | ||
| - process.executable.name | ||
| - avg_process.cpu.time | ||
| - avg_process.cpu.utilization | ||
| - avg_process.disk.io | ||
| - avg_process.disk.operations | ||
| - avg_process.memory.usage | ||
| - avg_process.memory.utilization | ||
| - avg_process.memory.virtual | ||
| - avg_process.threads | ||
| - stdev_process.cpu.time | ||
| - stdev_process.cpu.utilization | ||
| - stdev_process.disk.io | ||
| - stdev_process.disk.operations | ||
| - stdev_process.memory.usage | ||
| - stdev_process.memory.utilization | ||
| - stdev_process.memory.virtual | ||
| - stdev_process.threads | ||
| - key |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,7 @@ | ||
| description: A list of legit domains to be used as an ignore list for possible phishing sites | ||
| filename: legit_domains.csv | ||
| name: legit_domains | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: 06602f3e-0dcc-47ef-aabc-85a4ad782442 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| description: A list of legit domains to be used as an ignore list for possible phishing sites |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,12 @@ | ||
| description: A list of suspicious bash commonly used by attackers via scripts | ||
| filename: linux_tool_discovery_process.csv | ||
| name: linux_tool_discovery_process | ||
| default_match: 'false' | ||
| match_type: WILDCARD(process) | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: f0d8b1c8-4ca0-4765-858a-ab0dea68c399 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| description: A list of suspicious bash commonly used by attackers via scripts | ||
| default_match: false | ||
| match_type: | ||
| - WILDCARD(process) | ||
| min_matches: 1 | ||
| case_sensitive_match: 'false' | ||
| case_sensitive_match: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,12 @@ | ||
| description: A list of interesting files in a local file inclusion attack | ||
| filename: local_file_inclusion_paths.csv | ||
| name: local_file_inclusion_paths | ||
| default_match: 'false' | ||
| match_type: WILDCARD(local_file_inclusion_paths) | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: 10efe0a8-ec54-4f86-8d11-677a7ac65d64 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| description: A list of interesting files in a local file inclusion attack | ||
| default_match: false | ||
| match_type: | ||
| - WILDCARD(local_file_inclusion_paths) | ||
| min_matches: 1 | ||
| case_sensitive_match: 'false' | ||
| case_sensitive_match: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,8 +1,14 @@ | ||
| description: A list of LOLBAS and their file path used in determining if a script or binary is valid on windows, Updated for 2024 from lolbas project. | ||
| filename: lolbas_file_path20240725.csv | ||
| name: lolbas_file_path | ||
| default_match: 'false' | ||
| match_type: WILDCARD(lolbas_file_name),WILDCARD(lolbas_file_path) | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: b88d9c91-33c6-408a-8ef0-00806932f8c5 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| description: A list of LOLBAS and their file path used in determining if a script or binary is valid on windows, Updated for 2024 from lolbas project. | ||
| default_match: false | ||
| match_type: | ||
| - WILDCARD(lolbas_file_name) | ||
| - WILDCARD(lolbas_file_path) | ||
| min_matches: 1 | ||
| max_matches: 1 | ||
| case_sensitive_match: 'false' | ||
| case_sensitive_match: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,12 @@ | ||
| description: A list of known vulnerable drivers | ||
| filename: loldrivers.csv | ||
| name: loldrivers | ||
| default_match: 'false' | ||
| match_type: WILDCARD(driver_name) | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: a4c71880-bb4a-4e2c-9b44-be70cf181fb3 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| description: A list of known vulnerable drivers | ||
| default_match: false | ||
| match_type: | ||
| - WILDCARD(driver_name) | ||
| min_matches: 1 | ||
| case_sensitive_match: 'false' | ||
| case_sensitive_match: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,12 @@ | ||
| case_sensitive_match: 'false' | ||
| default_match: 'false' | ||
| description: A list of rare processes that are legitimate that is provided by Splunk | ||
| filename: rare_process_allow_list_default.csv | ||
| match_type: WILDCARD(process) | ||
| min_matches: 1 | ||
| name: lookup_rare_process_allow_list_default | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: fc0c452e-47b1-4931-ba41-de5b7c6ed92b | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| case_sensitive_match: false | ||
| default_match: false | ||
| description: A list of rare processes that are legitimate that is provided by Splunk | ||
| match_type: | ||
| - WILDCARD(process) | ||
| min_matches: 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,13 @@ | ||
| case_sensitive_match: 'false' | ||
| default_match: 'false' | ||
| name: lookup_rare_process_allow_list_local | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: 7aec9c17-69b8-4a0b-8f8d-d3ea9b0e2adb | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| case_sensitive_match: false | ||
| default_match: false | ||
| description: A list of rare processes that are legitimate provided by the end user | ||
| filename: rare_process_allow_list_local.csv | ||
| match_type: WILDCARD(process) | ||
| match_type: | ||
| - WILDCARD(process) | ||
| min_matches: 1 | ||
| name: lookup_rare_process_allow_list_local | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,11 @@ | ||
| case_sensitive_match: 'false' | ||
| description: A list of processes that are not common | ||
| filename: uncommon_processes_default.csv | ||
| match_type: WILDCARD(process) | ||
| name: lookup_uncommon_processes_default | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: 486eba44-2238-4246-98ca-1ff9b6e1c023 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| case_sensitive_match: false | ||
| description: A list of processes that are not common | ||
| match_type: | ||
| - WILDCARD(process) | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,11 @@ | ||
| case_sensitive_match: 'false' | ||
| description: A list of processes that are not common | ||
| filename: uncommon_processes_local.csv | ||
| match_type: WILDCARD(process) | ||
| name: lookup_uncommon_processes_local | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: 3ece1ae5-4389-485e-b2b9-4cafdb6924dc | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| case_sensitive_match: false | ||
| description: A list of processes that are not common | ||
| match_type: | ||
| - WILDCARD(process) | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,9 @@ | ||
| description: A lookup file that will be used to define the mandatory job for workflow | ||
| filename: mandatory_job_for_workflow.csv | ||
| name: mandatory_job_for_workflow | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: 76d805e3-b538-43c7-bd8b-f5fd62af596a | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| description: A lookup file that will be used to define the mandatory job for workflow | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,7 @@ | ||
| description: A lookup file that will be used to define the mandatory step for job | ||
| filename: mandatory_step_for_job.csv | ||
| name: mandatory_step_for_job | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: ac92a35c-26c4-4f6c-a005-d152b5b343b2 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| description: A lookup file that will be used to define the mandatory step for job |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,8 @@ | ||
| name: msad_guid_lookup | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: d8812c9c-9a4c-4b4b-9995-31db35c0b8cf | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| description: A lookup file that will contain translations for AD object ace control access rights guids | ||
| filename: msad_guid_lookup.csv | ||
| name: msad_guid_lookup | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,13 @@ | ||
| description: A list of privileged Azure Active Directory roles, includes updates for 2024 and template IDs. | ||
| filename: privileged_azure_ad_roles20240807.csv | ||
| name: privileged_azure_ad_roles | ||
| default_match: 'false' | ||
| match_type: WILDCARD(azureadrole),WILDCARD(azuretemplateid) | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: 4dbf0357-b5fc-4be2-9058-804d6a60b126 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| description: A list of privileged Azure Active Directory roles, includes updates for 2024 and template IDs. | ||
| default_match: false | ||
| match_type: | ||
| - WILDCARD(azureadrole) | ||
| - WILDCARD(azuretemplateid) | ||
| min_matches: 1 | ||
| case_sensitive_match: 'false' | ||
| case_sensitive_match: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,13 @@ | ||
| default_match: 'false' | ||
| name: ransomware_extensions_lookup | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: eaf9e6bb-55fa-4bab-89a5-b0229638c526 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| default_match: false | ||
| description: A list of file extensions that are associated with ransomware | ||
| filename: ransomware_extensions_20241212.csv | ||
| match_type: WILDCARD(Extensions) | ||
| match_type: | ||
| - WILDCARD(Extensions) | ||
| min_matches: 1 | ||
| name: ransomware_extensions_lookup | ||
| case_sensitive_match: 'false' | ||
| case_sensitive_match: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,12 @@ | ||
| default_match: 'false' | ||
| name: ransomware_notes_lookup | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: 93d9fb06-035e-496c-91d5-7a79543ce1e1 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| default_match: false | ||
| description: A list of file names that are ransomware note files | ||
| filename: ransomware_notes_20231219.csv | ||
| match_type: WILDCARD(ransomware_notes) | ||
| match_type: | ||
| - WILDCARD(ransomware_notes) | ||
| min_matches: 1 | ||
| name: ransomware_notes_lookup | ||
| case_sensitive_match: 'false' | ||
| case_sensitive_match: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,8 +1,15 @@ | ||
| description: A list of Remote Access Software | ||
| filename: remote_access_software20240726.csv | ||
| name: remote_access_software | ||
| default_match: 'false' | ||
| match_type: WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo) | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: f3b92ff9-667c-481f-b29d-458e10d48508 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: csv | ||
| description: A list of Remote Access Software | ||
| default_match: false | ||
| match_type: | ||
| - WILDCARD(remote_utility) | ||
| - WILDCARD(remote_domain) | ||
| - WILDCARD(remote_utility_fileinfo) | ||
| min_matches: 1 | ||
| max_matches: 1 | ||
| case_sensitive_match: 'false' | ||
| case_sensitive_match: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,16 @@ | ||
| name: remote_access_software_exceptions | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: 2742e885-0706-494b-8f56-a90a3e8d33b4 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: kvstore | ||
| description: A list used to provide global exceptions to remote access monitoring content. | ||
| collection: remote_access_software_exceptions | ||
| name: remote_access_software_exceptions | ||
| fields_list: _key, asset, software, exception_date, exception_ttl_days, exception, comment | ||
| fields_list: | ||
| - _key | ||
| - asset | ||
| - software | ||
| - exception_date | ||
| - exception_ttl_days | ||
| - exception | ||
| - comment |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,15 @@ | ||
| name: s3_deletion_baseline | ||
| date: 2024-12-23 | ||
| version: 2 | ||
| id: 45e5d266-f80b-43f8-b4a7-87e070da4e70 | ||
| author: Splunk Threat Research Team | ||
| lookup_type: kvstore | ||
| description: A placeholder for the baseline information for AWS S3 deletions | ||
| collection: s3_deletion_baseline | ||
| name: s3_deletion_baseline | ||
| fields_list: _key, arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | ||
| fields_list: | ||
| - _key | ||
| - arn | ||
| - latestCount | ||
| - numDataPoints | ||
| - avgApiCalls | ||
| - stdevApiCalls |
Oops, something went wrong.