-
Notifications
You must be signed in to change notification settings - Fork 353
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updated Observable config #3061
Conversation
Discovered during splunk/contentctl#234 Not actually dependent on that to merge |
Broke this group out by filepath so the commits would be easier to review: All of these, and now, all of the repo, is not accidentally creating extra risk objects, which means extra risk events, for things we don't really want to be risk objects (process_name, parent_process_name, etc) edit: Working on a splunk/contentctl change to require either "Attacker" or "Victim" going forward, at least until we convert |
Added additional 16 changes after testing with splunk/contentctl#243:
|
I have performed an integration test on all of this content with the updated verison of contentctl Lou shared above. It looks like all updated content passes! I have attached a record of that success here. It is a TXT file as GitHub does not allow upload of YML. It contains 234 successful tests (note than non-produciton content, along with some other types, are not tested and that account for the delta between successful tests and changed content). |
Details
Update: View comments for details of rest of changes
This is the totality of detections from my first pass that would no longer have a valid RBA config with the the staged change in splunk/contentctl#204. Worth noting that all of these are currently either Deprecated or Experimental. In some cases, they already have an invalid RBA config, but are not evaluated against the "Must Have Victim in Observables" check due to their status.
Checklist
<platform>_<mitre att&ck technique>_<short description>
nomenclatureNotes For Submitters and Reviewers
build
CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.