updating package bits
patel-bhavin committed Dec 16, 2019
1 parent 8ae3ebd commit f38a6b7
Showing 5 changed files with 244 additions and 240 deletions.
4 changes: 2 additions & 2 deletions package/default/analytic_stories.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security-content
# On Date: 2019-12-11T15:59:37 UTC
# On Date: 2019-12-16T21:48:18 UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############
Expand Down Expand Up @@ -744,7 +744,7 @@ creation_date = 2018-12-13
modification_date = 2018-12-13
id = c4b89506-fbcf-4cb7-bfd6-527e54789604
version = 1.0
reference = ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf?cmp=26061"]
reference = ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"]
detection_searches = ["ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule"]
mappings = {"cis20": ["CIS 10", "CIS 12", "CIS 16", "CIS 18", "CIS 2", "CIS 3", "CIS 4", "CIS 8", "CIS 9"], "kill_chain_phases": ["Actions on Objectives", "Command and Control", "Delivery", "Installation", "Reconnaissance"], "mitre_attack": ["Command-Line Interface", "Commonly Used Port", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Exploitation of Vulnerability", "Lateral Movement", "Remote Desktop Protocol", "System Information Discovery"], "nist": ["DE.AE", "DE.CM", "ID.AM", "ID.RA", "PR.AC", "PR.DS", "PR.IP", "PR.MA", "PR.PT"]}
investigative_searches = ["ESCU - Get Authentication Logs For Endpoint", "ESCU - Get Backup Logs For Endpoint", "ESCU - Get Notable History", "ESCU - Get Notable Info", "ESCU - Get Parent Process Info", "ESCU - Get Process Info", "ESCU - Get Process Information For Port Activity", "ESCU - Get Risk Modifiers For Endpoint", "ESCU - Get Risk Modifiers For User", "ESCU - Get Update Logs For Endpoint", "ESCU - Get User Information from Identity Table", "ESCU - Get Vulnerability Logs For Endpoint", "ESCU - Investigate Successful Remote Desktop Authentications", "ESCU - Investigate Web Activity From Host"]
56 changes: 30 additions & 26 deletions package/default/macros.conf
@@ -1,14 +1,10 @@
#############
# Automatically generated by generator.py in splunk/security-content
# On Date: 2019-12-11T15:59:37 UTC
# On Date: 2019-12-16T21:48:18 UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############

[NetworkACLEvents]
definition = (eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)
description = This is a list of AWS event names that are associated with Network ACLs

[brand_abuse_dns]
definition = lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true
description = This macro limits the output to only domains that are in the brand monitoring lookup file
Expand All @@ -29,18 +25,18 @@ description = This macro limits the output of the query field to dynamic dns dom
definition = lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True
description = This is a description

[ec2ModificationAPIs]
definition = (eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=GetConsoleOutput OR eventName=GetConsoleScreenshot OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)
description = This is a list of AWS event names that have to do with modifying Amazon EC2 instances

[ec2_excessive_runinstances_mltk_input_filter]
definition = `comment(Use this macro to add additional filters for monitoring ec2 runinstances [eg - src_user != 'someUserNameExperiencingFalsePositives'].)`
definition =
description = Use this macro to add additional filters for monitoring ec2 runinstances [eg - src_user != 'someUserNameExperiencingFalsePositives'].

[ec2_excessive_terminateinstances_mltk_input_filter]
definition = `comment(Use this macro to add additional filters for monitoring ec2 terminateinstances [eg - src_user != 'someUserNameExperiencingFalsePositives'].)`
definition =
description = Use this macro to add additional filters for monitoring ec2 terminateinstances [eg - src_user != 'someUserNameExperiencingFalsePositives'].

[ec2_modification_api_calls]
definition = (eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=GetConsoleOutput OR eventName=GetConsoleScreenshot OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)
description = This is a list of AWS event names that have to do with modifying Amazon EC2 instances

[evilginx_phishlets_0365]
definition = (query=login* AND query=www*)
description = This limits the query fields to domains that are associated with evilginx masquerading as Office 365
Expand Down Expand Up @@ -74,47 +70,51 @@ definition = lookup update=true lookup_rare_process_whitelist_default process as
description = This macro is intended to whitelist processes that have been definied as rare

[investigate_cloud_compute_instance_activities_output_filter]
definition = `comment(Use this macro to add additional filters for investigating cloud compute activties)`
definition =
description = Use this macro to add additional filters for investigating cloud compute activties

[investigate_user_activities_in_all_cloud_region_output_filter]
definition = `comment(Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in all cloud regions)`
definition =
description = Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in all cloud regions

[investigate_user_activities_in_single_cloud_region_output_filter]
definition = `comment(Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in a specific cloud regions)`
definition =
description = Use this macro to add additional filters for investigating a specific user's cloud infrastructure activties in a specific cloud regions

[isWindowsSystemFile]
definition = lookup update=true isWindowsSystemFile_lookup filename as process_name OUTPUT systemFile | search systemFile=true
[is_windows_system_file]
definition = lookup update=true is_windows_system_file_lookup filename as process_name OUTPUT systemFile | search systemFile=true
description = This macro limits the output to process names that are in the Windows System directory

[network_acl_events]
definition = (eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)
description = This is a list of AWS event names that are associated with Network ACLs

[previously_seen_cloud_compute_creations_by_user_input_filter]
definition = `comment(Use this macro to add additional filters for monitoring users that create cloud compute images)`
definition =
description = Use this macro to add additional filters for monitoring users that create cloud compute images

[previously_seen_cloud_compute_creations_by_user_search_window_begin_offset]
definition = -70m@m
description = Use this macro to determine how far into the past the window should be to determine if the user is new or not

[previously_seen_cloud_compute_image_input_filter]
definition = `comment(Use this macro to add additional filters for monitoring cloud compute images)`
definition =
description = Use this macro to add additional filters for monitoring cloud compute images

[previously_seen_cloud_compute_image_search_window_begin_offset]
definition = -70m@m
description = Use this macro to determine how far into the past the window should be to determine if the image is new or not

[previously_seen_cloud_compute_instance_types_input_filter]
definition = `comment(Use this macro to add additional filters for monitoring cloud compute instance types)`
definition =
description = Use this macro to add additional filters for monitoring cloud compute instance types

[previously_seen_cloud_compute_instance_types_search_window_begin_offset]
definition = -70m@m
description = Use this macro to determine how far into the past the window should be to determine if the instance type is new or not

[previously_seen_cloud_regions_input_filter]
definition = `comment(Use this macro to add additional filters for monitoring your cloud regions)`
definition =
description = Use this macro to add additional filters for monitoring your cloud regions

[previously_seen_cloud_regions_search_window_begin_offset]
Expand All @@ -141,17 +141,21 @@ description = This macro limits the output to files that have been identified as
definition = eval domain=trim(domain,"*") | search NOT[| inputlookup domains] NOT[ |inputlookup cim_corporate_email_domain_lookup] NOT[inputlookup cim_corporate_web_domain_lookup] | eval domain="*"+domain+"*"
description = This macro removes valid domains from the output

[runstory(1)]
args = story_name
definition = runstory story=$story_name$ | table name, num_search_results, description, kill_chain_phases, mitre_attack
description = This macro takes an analytic story name and runs it
[security_content_ctime(1)]
args = field
definition = `ctime($field$,"%m/%d/%Y %H:%M:%S")`
description = convert epoch time to string

[security_content_summariesonly]
definition = summariesonly=true allow_old_summaries=true
description = search data model's summaries only

[securityGroupAPIs]
[security_group_api_calls]
definition = (eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)
description = This macro is a list of AWS event names associated with security groups

[suspicious_email_attachments]
definition = lookup update=true isSuspiciousFileExtension_lookup file_name OUTPUT suspicious | search suspicious=true
definition = lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true
description = This macro limits the output to email attachments that have suspicious extensions

[suspicious_writes]