Merge branch 'develop' into azure_ad_authentication_failed_during_mfa…

…_challenge

contentctl.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 4.42.0
+  version: 4.43.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
@@ -65,15 +65,15 @@ apps:
 - uid: 742
   title: Splunk Add-on for Microsoft Windows
   appid: SPLUNK_ADD_ON_FOR_MICROSOFT_WINDOWS
-  version: 8.8.0
+  version: 9.0.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-windows_880.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-windows_900.tgz
 - uid: 5709
   title: Splunk Add-on for Sysmon
   appid: Splunk_TA_microsoft_sysmon
-  version: 4.0.1
+  version: 4.0.2
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-sysmon_401.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-sysmon_402.tgz
 - uid: 833
   title: Splunk Add-on for Unix and Linux
   appid: Splunk_TA_nix

data_sources/github.yml

@@ -9,7 +9,7 @@ sourcetype: aws:firehose:json
 supported_TA:
 - name: Splunk Add-on for Github
   url: https://splunkbase.splunk.com/app/6254
-  version: 3.0.0
+  version: 3.1.0
 fields:
 - _time
 - action

data_sources/powershell_script_block_logging_4104.yml

@@ -9,7 +9,7 @@ sourcetype: xmlwineventlog
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ActivityID
@@ -65,21 +65,21 @@ fields:
 - user_id
 - vendor_product
 field_mappings:
-  - data_model: cim
-    data_set: Endpoint.Processes
-    mapping:
-      Computer: Processes.dest
-      Path: Processes.process_path
-      ScriptBlockId: Processes.process_id
-      ScriptBlockText: Processes.process
-      UserID: Processes.user_id
-  - data_model: ocsf
-    mapping:
-      Computer: device.hostname
-      Path: process.file.path
-      ScriptBlockId: process.uid
-      ScriptBlockText: process.cmd_line
-      UserID: actor.user.uid
+- data_model: cim
+  data_set: Endpoint.Processes
+  mapping:
+    Computer: Processes.dest
+    Path: Processes.process_path
+    ScriptBlockId: Processes.process_id
+    ScriptBlockText: Processes.process
+    UserID: Processes.user_id
+- data_model: ocsf
+  mapping:
+    Computer: device.hostname
+    Path: process.file.path
+    ScriptBlockId: process.uid
+    ScriptBlockText: process.cmd_line
+    UserID: actor.user.uid
 example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
   Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>4104</EventID><Version>1</Version><Level>5</Level><Task>2</Task><Opcode>15</Opcode><Keywords>0x0</Keywords><TimeCreated
   SystemTime='2022-05-02T12:39:41.710158900Z'/><EventRecordID>112748</EventRecordID><Correlation

data_sources/windows_active_directory_admon.yml

@@ -9,7 +9,7 @@ sourcetype: ActiveDirectory
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - Guid

data_sources/windows_event_log_application_2282.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - Channel

data_sources/windows_event_log_application_3000.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - Channel

data_sources/windows_event_log_capi2_70.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - Channel

data_sources/windows_event_log_capi2_81.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - Channel

data_sources/windows_event_log_certificateservicesclient_1007.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ActivityID

data_sources/windows_event_log_defender_1121.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ActivityID

data_sources/windows_event_log_defender_1122.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ActivityID

data_sources/windows_event_log_defender_1129.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ComputerName

data_sources/windows_event_log_defender_5007.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - Channel

data_sources/windows_event_log_printservice_316.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ComputerName

data_sources/windows_event_log_printservice_808.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ComputerName

data_sources/windows_event_log_remoteconnectionmanager_1149.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ActivityID

data_sources/windows_event_log_security_1100.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - Channel

data_sources/windows_event_log_security_1102.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - Caller_User_Name

data_sources/windows_event_log_security_4624.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ActivityID

data_sources/windows_event_log_security_4625.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ActivityID

data_sources/windows_event_log_security_4627.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ActivityID

data_sources/windows_event_log_security_4648.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ActivityID

data_sources/windows_event_log_security_4662.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - AccessList

data_sources/windows_event_log_security_4663.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - AccessList

data_sources/windows_event_log_security_4672.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - ActivityID

data_sources/windows_event_log_security_4688.yml

@@ -7,11 +7,12 @@ description: Data source object for Windows Event Log Security 4688
 source: XmlWinEventLog:Security
 sourcetype: xmlwineventlog
 separator: EventCode
-configuration: Enabling Windows event log process command line logging via group policy object https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_Windows_event_log_process_command_line_logging_via_group_policy_object
+configuration: Enabling Windows event log process command line logging via group policy
+  object https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_Windows_event_log_process_command_line_logging_via_group_policy_object
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - Caller_Domain
 - Caller_User_Name
@@ -90,39 +91,39 @@ fields:
 - vendor
 - vendor_product
 field_mappings:
-  - data_model: cim
-    data_set: Endpoint.Processes
-    mapping:
-      NewProcessId: Processes.process_id
-      NewProcessName: Processes.process_path
-      NewProcessName|endswith: Processes.process_name
-      Process_Command_Line: Processes.process
-      SubjectUserSid: Processes.user
-      ProcessId: Processes.parent_process_id
-      ParentProcessName: Processes.parent_process_path
-      ParentProcessName|endswith: Processes.parent_process_name
-      Computer: Processes.dest
-  - data_model: ocsf
-    mapping:
-      NewProcessId: process.pid
-      NewProcessName: process.file.path
-      NewProcessName|endswith: process.file.name
-      Process_Command_Line: process.cmd_line
-      SubjectUserSid: actor.user.name
-      ProcessId: actor.process.pid
-      ParentProcessName: actor.process.file.path
-      ParentProcessName|endswith: actor.process.file.name
-      Computer: device.hostname
+- data_model: cim
+  data_set: Endpoint.Processes
+  mapping:
+    NewProcessId: Processes.process_id
+    NewProcessName: Processes.process_path
+    NewProcessName|endswith: Processes.process_name
+    Process_Command_Line: Processes.process
+    SubjectUserSid: Processes.user
+    ProcessId: Processes.parent_process_id
+    ParentProcessName: Processes.parent_process_path
+    ParentProcessName|endswith: Processes.parent_process_name
+    Computer: Processes.dest
+- data_model: ocsf
+  mapping:
+    NewProcessId: process.pid
+    NewProcessName: process.file.path
+    NewProcessName|endswith: process.file.name
+    Process_Command_Line: process.cmd_line
+    SubjectUserSid: actor.user.name
+    ProcessId: actor.process.pid
+    ParentProcessName: actor.process.file.path
+    ParentProcessName|endswith: actor.process.file.name
+    Computer: device.hostname
 convert_to_log_source:
-  - data_source: Sysmon EventID 1
-    mapping:
-      NewProcessId: ProcessId #New_Process_ID in Hex
-      NewProcessName: Image
-      Process_Command_Line: CommandLine
-      SubjectUserSid: User
-      ProcessId: ParentProcessId
-      ParentProcessName: ParentImage
-      Computer: Computer
+- data_source: Sysmon EventID 1
+  mapping:
+    NewProcessId: ProcessId
+    NewProcessName: Image
+    Process_Command_Line: CommandLine
+    SubjectUserSid: User
+    ProcessId: ParentProcessId
+    ParentProcessName: ParentImage
+    Computer: Computer
 example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
   Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated
   SystemTime='2024-04-23T08:48:30.449376800Z'/><EventRecordID>432820</EventRecordID><Correlation/><Execution

data_sources/windows_event_log_security_4698.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - Account_Domain

data_sources/windows_event_log_security_4699.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - Account_Domain

data_sources/windows_event_log_security_4703.yml

@@ -10,7 +10,7 @@ separator: EventCode
 supported_TA:
 - name: Splunk Add-on for Microsoft Windows
   url: https://splunkbase.splunk.com/app/742
-  version: 8.9.0
+  version: 9.0.0
 fields:
 - _time
 - Caller_Domain