remove dist

dist/DA-ESS-ContentUpdate/README.md

@@ -0,0 +1,7 @@
+# Splunk ES Content Update
+
+This subscription service delivers pre-packaged Security Content for use with Splunk Enterprise Security. Subscribers get regular updates to help security practitioners more quickly address ongoing and time-sensitive customer problems and threats.
+
+Requires Splunk Enterprise Security version 4.5 or greater.
+
+For more information please visit the [Splunk ES Content Update user documentation](https://docs.splunk.com/Documentation/ESSOC).

dist/DA-ESS-ContentUpdate/README/essoc_story_detail.txt

@@ -0,0 +1,15 @@
+The Analytic Story Details dashboard renders all the details of the content related to a specific analytic story which
+can be chose via the drop down
+
+Each analytic story has attributes associated with it and the following:
+______________________________________________________________________
+
+
+	Analytic Story: name of the analytic story
+	Description	; description of the analytic story
+	Search Name	: The name of the searches belonging to the chosen analytic story
+	Search	: The search query which looks for an attack pattern corresponding to the analytic story
+	Search Description: The description of the search query
+	Asset Type: The analytic story specifies what asset in the infrastructure may be compromised
+	Category: The category that the search belongs to (malware, vulnerabilities, best practices, abuse)
+	Kill Chain Phase: The kill chain phase of the attack that the search is after.

dist/DA-ESS-ContentUpdate/README/essoc_summary.txt

@@ -0,0 +1,24 @@
+The ES_SOC Summary Dashboard provides you a summarized view of the analytic story contents of the ES-SOC app.
+The dashboard has the following panels gives you following details
+
+1) Analytic story Summary
+ 	- Total Analytic Stories : The total number of Analytic stories in the ES-SOC application
+ 	- Total Searches: The total number of searches in ES-SOC
+ 	- Searches added last week: Number of searches added to ES-SOC in the last week.
+
+ 2) Analytic story Category: This dashboard panel summarizes the categories of the searches that the ES-SOC app contains. The categories of the analytic stories are as follow
+  	-Malware: These searches detect specific malware behavior for a particular phase of the attack kill chain. E.g. a malware’s delivery method via email or a malware’s installation behavior via registry key changes
+  	-Vulnerability: These searches detect behavior or a signature of a vulnerable software in use. These searches are not designed to replace vulnerability management or scanning systems. The purpose of these searches is to discover a vulnerability through side effects or behaviors.
+  	-Abuse: Some actions can be deemed malicious because they are unexpected, violate corporate policy or are significantly different than the actions of other users. E.g. A USB disk that is seen on multiple systems or a user that uploads excessive files to a cloud service or a database query that dumps an entire table
+  	-Best Practices:  Searches that correspond to specific guidelines from organizations like SANS or OWASP
+
+ 3) Kill Chain phases: Every analytic story has one or more searches which look for a certain kind of attack pattern/behavior. These searches have an attribute which essentially tells you what Kill chain phase does the search correspond to.
+    The numbers on the dashboard represents the number of searches correponding to each kill chain phase
+
+ 4) Analytic story table: This table gives the user a comprehensive view of some of the details of the analytic story. Some of the listed attributes are:
+  	- Analytic Story : The name of the analytic story
+  	- Description: The description of the analyttic story
+  	- Search names: The name of the searches in each analytic story
+  	- Datamodels: The name of the datamodel that the search is querying against.
+  	- Technology Examples: This field represent some examples related to the technologies required to populate the datamodels(Nessues, Cisco Firewall,etc)
+  	- Kill chain phase: The name of the kill chain phase that the search belongs to

dist/DA-ESS-ContentUpdate/README/essoc_usage_dashboard.txt

@@ -0,0 +1,51 @@
+######################
+ESSOC Usage Dashboard#
+######################
+
+The ESSOC Usage dashboard is designed to provide high-level insight into the usage of the ES-SOC app. It is suitable for display when providing feedback to the Splunk team or for identifying how the ES-SOC app is being used. This dashboard has two time selectors that work independently - the top time selector determines the search time range for all the single-value. And the lower time selector, determines the time range for the usage table.
+
+IMPORTANT: The user loading this dashboard must have permission to search the _audit index
+
+##################
+#Dashboard panels#
+##################
+
+Searches Ran
+
+The total number of searches in ES-SOC that were executed. This number includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax
+
+Unique Searches
+
+The unique/distinct searches executed on the deployment. This is equivalent to the distinct count of searches run in the ES-SOC app.
+
+Most Run
+
+The total number of searches in ES-SOC that were executed. This number includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax.
+
+Ad hoc Searches
+
+The total number of searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax.
+
+Scheduled
+
+The total number of ESSOC searches run that were scheduled.
+
+Most Active User
+
+The user who executed the highest number/count of searches. This calculation includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax.
+
+Search Run Time (seconds)
+
+Total run time of all searches executed in seconds. This calculation includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax.
+
+Average Run Time (seconds)
+
+Average run time of all searches executed in seconds. This calculation includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax.
+
+Max Run Time (seconds)
+
+The run time of the longest running search. This calculation includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch <ESSOC search_name> ‘ syntax.
+
+Search summary
+
+This table provides details on each search that was executed in the ESSOC app.

dist/DA-ESS-ContentUpdate/app.manifest

@@ -0,0 +1,46 @@
+{
+  "schemaVersion": "1.0.0", 
+  "info": {
+    "title": "ES Content Updates", 
+    "id": {
+      "group": null, 
+      "name": "DA-ESS-ContentUpdate", 
+      "version": "4.35.0"
+    }, 
+    "author": [
+      {
+        "name": "Splunk Threat Research Team", 
+        "email": "research@splunk.com", 
+        "company": "Splunk"
+      }
+    ], 
+    "releaseDate": "2024-07-02", 
+    "description": "Explore the Analytic Stories included with ES Content Updates.", 
+    "classification": {
+      "intendedAudience": null, 
+      "categories": [], 
+      "developmentStatus": null
+    }, 
+    "commonInformationModels": null, 
+    "license": {
+      "name": null, 
+      "text": null, 
+      "uri": null
+    }, 
+    "privacyPolicy": {
+      "name": null, 
+      "text": null, 
+      "uri": null
+    }, 
+    "releaseNotes": {
+      "name": null, 
+      "text": "./README.md", 
+      "uri": null
+    }
+  }, 
+  "dependencies": null, 
+  "tasks": null, 
+  "inputGroups": null, 
+  "incompatibleApps": null, 
+  "platformRequirements": null
+}

dist/DA-ESS-ContentUpdate/lookups/3cx_ioc_domains.csv

@@ -0,0 +1,39 @@
+domain,isIOC,Description
+akamaicontainer.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+akamaitechcloudservices.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+azuredeploystore.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+azureonlinecloud.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+azureonlinestorage.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+dunamistrd.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+glcloudservice.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+journalide.org,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+msedgepackageinfo.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+msstorageazure.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+msstorageboxes.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+officeaddons.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+officestoragebox.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+pbxcloudeservices.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+pbxphonenetwork.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+pbxsources.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+qwepoi123098.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+sbmsa.wiki,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+sourceslabs.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+visualstudiofactory.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+zacharryblogs.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+www.3cx.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+akamaitechcloudservices.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+azureonlinestorage.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+msedgepackageinfo.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+glcloudservice.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+pbxsources.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+msstorageazure.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+officestoragebox.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+visualstudiofactory.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+azuredeploystore.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+msstorageboxes.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+officeaddons.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+sourceslabs.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+zacharryblogs.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+pbxcloudeservices.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+pbxphonenetwork.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
+msedgeupdate.net,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel

@@ -0,0 +1,2 @@
+algo,model,options
+MLTKContainer,"{""__mlspl_type"": [""mltkc.MLTKContainer"", ""MLTKContainer""], ""dict"": {""endpoint_url"": ""https://localhost:62645"", ""out_params"": {""params"": {""mode"": ""stage"", ""algo"": ""detect_dns_data_exfiltration_using_pretrained_model_in_dsdl""}, ""args"": [""is_exfiltration"", ""src"", ""query"", ""rank""], ""target_variable"": [""is_exfiltration""], ""feature_variables"": [""src"", ""query"", ""rank""], ""model_name"": ""detect_dns_data_exfiltration_using_pretrained_model_in_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}, ""feature_variables"": [""src"", ""query"", ""rank""], ""target_variable"": ""is_exfiltration""}}","{""params"": {""mode"": ""stage"", ""algo"": ""detect_dns_data_exfiltration_using_pretrained_model_in_dsdl""}, ""args"": [""is_exfiltration"", ""src"", ""query"", ""rank""], ""target_variable"": [""is_exfiltration""], ""feature_variables"": [""src"", ""query"", ""rank""], ""model_name"": ""detect_dns_data_exfiltration_using_pretrained_model_in_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}"

dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel

@@ -0,0 +1,2 @@
+algo,model,options
+MLTKContainer,"{""__mlspl_type"": [""mltkc.MLTKContainer"", ""MLTKContainer""], ""dict"": {""endpoint_url"": ""https://localhost:54270"", ""out_params"": {""params"": {""mode"": ""stage"", ""algo"": ""detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl""}, ""args"": [""is_unknown"", ""text""], ""target_variable"": [""is_unknown""], ""feature_variables"": [""text""], ""model_name"": ""detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}, ""feature_variables"": [""text""], ""target_variable"": ""is_unknown""}}","{""params"": {""mode"": ""stage"", ""algo"": ""detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl""}, ""args"": [""is_unknown"", ""text""], ""target_variable"": [""is_unknown""], ""feature_variables"": [""text""], ""model_name"": ""detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}"

dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel

@@ -0,0 +1,2 @@
+algo,model,options
+MLTKContainer,"{""__mlspl_type"": [""mltkc.MLTKContainer"", ""MLTKContainer""], ""dict"": {""endpoint_url"": ""https://localhost:58216"", ""out_params"": {""params"": {""mode"": ""stage"", ""algo"": ""detect_suspicious_processnames_using_pretrained_model_in_dsdl""}, ""args"": [""label"", ""text""], ""target_variable"": [""label""], ""feature_variables"": [""text""], ""model_name"": ""detect_suspicious_processnames_using_pretrained_model_in_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}, ""feature_variables"": [""text""], ""target_variable"": ""label""}}","{""params"": {""mode"": ""stage"", ""algo"": ""detect_suspicious_processnames_using_pretrained_model_in_dsdl""}, ""args"": [""label"", ""text""], ""target_variable"": [""label""], ""feature_variables"": [""text""], ""model_name"": ""detect_suspicious_processnames_using_pretrained_model_in_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}"

dist/DA-ESS-ContentUpdate/lookups/__mlspl_pretrained_dga_model_dsdl.mlmodel

@@ -0,0 +1,2 @@
+algo,model,options
+MLTKContainer,"{""__mlspl_type"": [""mltkc.MLTKContainer"", ""MLTKContainer""], ""dict"": {""endpoint_url"": ""https://localhost:53378"", ""out_params"": {""params"": {""mode"": ""stage"", ""algo"": ""pretrained_dga_model_dsdl""}, ""args"": [""is_dga"", ""domain""], ""target_variable"": [""is_dga""], ""feature_variables"": [""domain""], ""model_name"": ""pretrained_dga_model_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}, ""feature_variables"": [""domain""], ""target_variable"": ""is_dga""}}","{""params"": {""mode"": ""stage"", ""algo"": ""pretrained_dga_model_dsdl""}, ""args"": [""is_dga"", ""domain""], ""target_variable"": [""is_dga""], ""feature_variables"": [""domain""], ""model_name"": ""pretrained_dga_model_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}"