Merge pull request #3018 from splunk/gitlab_release_v4.33.0

Release v4.33.0

.gitlab-ci.yml

@@ -8,19 +8,20 @@ variables:
   SKIP_DOWNSTREAM_TESTING:
     value: "False"
     description: "If true, downstream testing will be suppressed (useful for debugging or forcing a release in an emergency)."
+  ENABLE_INTEGRATION_TESTING:
+    value: "True"
+    description: "Flag indicating that integration testing should be performed. Defaults to True, may be suppressed in some workflows."
 
 stages:
-  - validate
-  - generate
-  - test
+  - build
   - app_inspect
+  - test
   - release
 
 include:
-  - local: "pipeline/.validate.yml"
-  - local: "pipeline/.generate.yml"
+  - local: "pipeline/.build.yml"
+  - local: "pipeline/.app-inspect.yml"
   - local: "pipeline/.test.yml"
-  - local: "pipeline/.app_inspect.yml"
   - local: "pipeline/.release.yml"
   - local: "pipeline/.post.yml"
 

.gitlab/merge_request_templates/release_branch.md

@@ -31,4 +31,8 @@
   * 
 
 * Are there any detections that we're promoting from validation to production in this package? If we're adding new any detections to help understand the over-firing detections, please indicate those as well
-  *
+  *
+
+#### Checklist
+* [ ] Trigger a full-package ESCU integration test and confirm there are no regressions (see manually triggered jobs on the most recent push pipeline)
+* [ ] Trigger a SSA/BA integration test and confirm there are no regressions (see manually triggered jobs on the most recent push pipeline)

contentctl.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 4.32.0
+  version: 4.33.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU

data_sources/application/PingID.yml

@@ -3,36 +3,36 @@ id: 17890675-61c1-40bd-a88e-6a8e9e246b43
 author: Patrick Bareiss, Splunk
 source: XmlWinEventLog:Security
 sourcetype: XmlWinEventLog
-separator: null
 supported_TA: {}
 event_names: []
 fields:
-- _time
-- actors{}.name
-- actors{}.type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- extracted_source
-- host
-- id
-- index
-- linecount
-- punct
-- recorded
-- resources{}.ipaddress
-- resources{}.websession
-- result.message
-- result.status
-- source
-- sourcetype
-- splunk_server
-- timeendpos
-- timestartpos
-example_log: '{"source":"PINGID","id":"b2eb1fef-651b-11ee-b38b-0ac7a554ed19","recorded":"2023-10-05T14:10:53.538Z","actors":[{"type":"user","name":"victim_user"}],"resources":[{"ipaddress":"174.235.80.142","websession":"webs_ijkF-T_bAC_G3w2TfvdpAEQeC545KFlqVFOsolCXdjo"}],"result":{"status":"SUCCESS","message":"Device
+  - _time
+  - actors{}.name
+  - actors{}.type
+  - date_hour
+  - date_mday
+  - date_minute
+  - date_month
+  - date_second
+  - date_wday
+  - date_year
+  - date_zone
+  - extracted_source
+  - host
+  - id
+  - index
+  - linecount
+  - punct
+  - recorded
+  - resources{}.ipaddress
+  - resources{}.websession
+  - result.message
+  - result.status
+  - source
+  - sourcetype
+  - splunk_server
+  - timeendpos
+  - timestartpos
+example_log:
+  '{"source":"PINGID","id":"b2eb1fef-651b-11ee-b38b-0ac7a554ed19","recorded":"2023-10-05T14:10:53.538Z","actors":[{"type":"user","name":"victim_user"}],"resources":[{"ipaddress":"174.235.80.142","websession":"webs_ijkF-T_bAC_G3w2TfvdpAEQeC545KFlqVFOsolCXdjo"}],"result":{"status":"SUCCESS","message":"Device
   Paired SMS \"Mobile 1\""}}'

data_sources/application/Splunk.yml

@@ -3,32 +3,32 @@ id: d8a2c791-460b-4756-a8e5-ecade77b21e3
 author: Patrick Bareiss, Splunk
 source: splunkd_ui_access.log
 sourcetype: splunkd_ui_access
-separator: null
 supported_TA: {}
 event_names: []
 fields:
-- _time
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- host
-- index
-- info
-- linecount
-- punct
-- source
-- sourcetype
-- splunk_server
-- timeendpos
-- timestamp
-- timestartpos
-- user
-example_log: 'Audit:[timestamp=01-25-2023 22:08:54.818, user=admin, action=search,
-  info=granted REST: /search/jobs/rt_1674684525.24/events]'
+  - _time
+  - action
+  - date_hour
+  - date_mday
+  - date_minute
+  - date_month
+  - date_second
+  - date_wday
+  - date_year
+  - date_zone
+  - dest
+  - host
+  - index
+  - info
+  - linecount
+  - punct
+  - source
+  - sourcetype
+  - splunk_server
+  - timeendpos
+  - timestamp
+  - timestartpos
+  - user
+example_log:
+  "Audit:[timestamp=01-25-2023 22:08:54.818, user=admin, action=search,
+  info=granted REST: /search/jobs/rt_1674684525.24/events]"

data_sources/cloud/AWS_Security_Hub.yml

@@ -3,117 +3,117 @@ id: b02bfbf3-294f-478e-99a1-e24b8c692d7e
 author: Patrick Bareiss, Splunk
 source: aws_securityhub_finding
 sourcetype: aws:securityhub:finding
-separator: null
 supported_TA:
   name: Splunk Add-on for Amazon Web Services (AWS)
   version: 7.4.1
   url: https://splunkbase.splunk.com/app/1876
 event_names: []
 fields:
-- _time
-- AwsAccountId
-- CreatedAt
-- Description
-- FirstObservedAt
-- GeneratorId
-- Id
-- LastObservedAt
-- ProductArn
-- ProductFields.aws/guardduty/service/action/actionType
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/api
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org
-- ProductFields.aws/guardduty/service/action/awsApiCallAction/serviceName
-- ProductFields.aws/guardduty/service/additionalInfo/sample
-- ProductFields.aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_
-- ProductFields.aws/guardduty/service/additionalInfo/unusual/userNames.0_
-- ProductFields.aws/guardduty/service/archived
-- ProductFields.aws/guardduty/service/count
-- ProductFields.aws/guardduty/service/detectorId
-- ProductFields.aws/guardduty/service/eventFirstSeen
-- ProductFields.aws/guardduty/service/eventLastSeen
-- ProductFields.aws/guardduty/service/resourceRole
-- ProductFields.aws/guardduty/service/serviceName
-- ProductFields.aws/securityhub/CompanyName
-- ProductFields.aws/securityhub/FindingId
-- ProductFields.aws/securityhub/ProductName
-- RecordState
-- Resources{}.Details.AwsEc2Instance.IamInstanceProfileArn
-- Resources{}.Details.AwsEc2Instance.ImageId
-- Resources{}.Details.AwsEc2Instance.IpV4Addresses{}
-- Resources{}.Details.AwsEc2Instance.LaunchedAt
-- Resources{}.Details.AwsEc2Instance.SubnetId
-- Resources{}.Details.AwsEc2Instance.Type
-- Resources{}.Details.AwsEc2Instance.VpcId
-- Resources{}.Details.AwsIamAccessKey.PrincipalId
-- Resources{}.Details.AwsIamAccessKey.PrincipalName
-- Resources{}.Details.AwsIamAccessKey.PrincipalType
-- Resources{}.Details.AwsS3Bucket.CreatedAt
-- Resources{}.Details.AwsS3Bucket.OwnerId
-- Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
-- Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.SSEAlgorithm
-- Resources{}.Id
-- Resources{}.Partition
-- Resources{}.Region
-- Resources{}.Tags.GeneratedFindingInstaceTag1
-- Resources{}.Tags.GeneratedFindingInstaceTag2
-- Resources{}.Tags.GeneratedFindingInstaceTag3
-- Resources{}.Tags.GeneratedFindingInstaceTag4
-- Resources{}.Tags.GeneratedFindingInstaceTag5
-- Resources{}.Tags.GeneratedFindingInstaceTag6
-- Resources{}.Tags.GeneratedFindingInstaceTag7
-- Resources{}.Tags.GeneratedFindingInstaceTag8
-- Resources{}.Tags.GeneratedFindingInstaceTag9
-- Resources{}.Tags.foo
-- Resources{}.Type
-- SchemaVersion
-- Severity.Label
-- Severity.Normalized
-- Severity.Product
-- SourceUrl
-- Title
-- Types{}
-- UpdatedAt
-- Workflow.Status
-- WorkflowState
-- accesskey_extract
-- app
-- body
-- description
-- dest
-- dest_type
-- eventtype
-- host
-- id
-- index
-- instance_extract
-- linecount
-- punct
-- s3bucket_extract
-- severity
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- subject
-- tag
-- tag::eventtype
-- timestamp
-- type
-- vendor_account
-- vendor_region
-example_log: '{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/guardduty","Types":["Software
+  - _time
+  - AwsAccountId
+  - CreatedAt
+  - Description
+  - FirstObservedAt
+  - GeneratorId
+  - Id
+  - LastObservedAt
+  - ProductArn
+  - ProductFields.aws/guardduty/service/action/actionType
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/api
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org
+  - ProductFields.aws/guardduty/service/action/awsApiCallAction/serviceName
+  - ProductFields.aws/guardduty/service/additionalInfo/sample
+  - ProductFields.aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_
+  - ProductFields.aws/guardduty/service/additionalInfo/unusual/userNames.0_
+  - ProductFields.aws/guardduty/service/archived
+  - ProductFields.aws/guardduty/service/count
+  - ProductFields.aws/guardduty/service/detectorId
+  - ProductFields.aws/guardduty/service/eventFirstSeen
+  - ProductFields.aws/guardduty/service/eventLastSeen
+  - ProductFields.aws/guardduty/service/resourceRole
+  - ProductFields.aws/guardduty/service/serviceName
+  - ProductFields.aws/securityhub/CompanyName
+  - ProductFields.aws/securityhub/FindingId
+  - ProductFields.aws/securityhub/ProductName
+  - RecordState
+  - Resources{}.Details.AwsEc2Instance.IamInstanceProfileArn
+  - Resources{}.Details.AwsEc2Instance.ImageId
+  - Resources{}.Details.AwsEc2Instance.IpV4Addresses{}
+  - Resources{}.Details.AwsEc2Instance.LaunchedAt
+  - Resources{}.Details.AwsEc2Instance.SubnetId
+  - Resources{}.Details.AwsEc2Instance.Type
+  - Resources{}.Details.AwsEc2Instance.VpcId
+  - Resources{}.Details.AwsIamAccessKey.PrincipalId
+  - Resources{}.Details.AwsIamAccessKey.PrincipalName
+  - Resources{}.Details.AwsIamAccessKey.PrincipalType
+  - Resources{}.Details.AwsS3Bucket.CreatedAt
+  - Resources{}.Details.AwsS3Bucket.OwnerId
+  - Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
+  - Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.SSEAlgorithm
+  - Resources{}.Id
+  - Resources{}.Partition
+  - Resources{}.Region
+  - Resources{}.Tags.GeneratedFindingInstaceTag1
+  - Resources{}.Tags.GeneratedFindingInstaceTag2
+  - Resources{}.Tags.GeneratedFindingInstaceTag3
+  - Resources{}.Tags.GeneratedFindingInstaceTag4
+  - Resources{}.Tags.GeneratedFindingInstaceTag5
+  - Resources{}.Tags.GeneratedFindingInstaceTag6
+  - Resources{}.Tags.GeneratedFindingInstaceTag7
+  - Resources{}.Tags.GeneratedFindingInstaceTag8
+  - Resources{}.Tags.GeneratedFindingInstaceTag9
+  - Resources{}.Tags.foo
+  - Resources{}.Type
+  - SchemaVersion
+  - Severity.Label
+  - Severity.Normalized
+  - Severity.Product
+  - SourceUrl
+  - Title
+  - Types{}
+  - UpdatedAt
+  - Workflow.Status
+  - WorkflowState
+  - accesskey_extract
+  - app
+  - body
+  - description
+  - dest
+  - dest_type
+  - eventtype
+  - host
+  - id
+  - index
+  - instance_extract
+  - linecount
+  - punct
+  - s3bucket_extract
+  - severity
+  - severity_id
+  - signature
+  - signature_id
+  - source
+  - sourcetype
+  - splunk_server
+  - subject
+  - tag
+  - tag::eventtype
+  - timestamp
+  - type
+  - vendor_account
+  - vendor_region
+example_log:
+  '{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/guardduty","Types":["Software
   and Configuration Checks/Exfiltration:S3.ObjectRead.Unusual"],"SourceUrl":"https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=6aba6b696aea10606e8b336f68d98819","Description":"Principal
   GeneratedFindingUserName read objects from S3 bucket GeneratedFindingS3Bucket in
   an unusual way.","SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:guardduty:us-east-1:802684071507:detector/48ba636359b884eb132865311fdeb317","FirstObservedAt":"2020-09-28T22:26:15.636Z","CreatedAt":"2020-09-28T22:26:15.636Z","RecordState":"ACTIVE","Title":"Unusual