updating src files [ci skip]
research bot committed Feb 12, 2019
1 parent 7baf2bf commit 2338492
Showing 3 changed files with 1,691 additions and 1,691 deletions.
6 changes: 3 additions & 3 deletions src/default/analytic_stories.conf
Expand Up @@ -48,7 +48,7 @@ data_models =
description = Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.
id = 2e8948a5-5239-406b-b56b-6c50ff268af4
version = 2.0
mappings = {"mitre_attack": ["Command and Control", "Exfiltration", "Persistence"], "cis20": ["CIS 11", "CIS 12"], "kill_chain_phases": ["Command and Control", "Actions on Objectives"], "nist": ["DE.CM", "DE.AE", "DE.DP", "PR.AC"]}
mappings = {"mitre_attack": ["Command and Control", "Exfiltration", "Persistence"], "cis20": ["CIS 11", "CIS 12"], "kill_chain_phases": ["Command and Control", "Actions on Objectives"], "nist": ["DE.DP", "DE.AE", "DE.CM", "PR.AC"]}
modification_date = 2018-05-21
reference = ["https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html", "https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/"]
providing_technologies = ["AWS", "Splunk Enterprise Security"]
Expand Down Expand Up @@ -930,7 +930,7 @@ data_models =
description = Use the searches in this Analytic Story to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.
id = 2e8948a5-5239-406b-b56b-6c50w3168af3
version = 2.0
mappings = {"mitre_attack": ["Exfiltration", "Credential Access", "Execution", "Initial Access"], "cis20": ["CIS 13", "CIS 14"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM", "PR.DS", "DE.DP", "PR.AC"]}
mappings = {"mitre_attack": ["Exfiltration", "Credential Access", "Execution", "Initial Access"], "cis20": ["CIS 13", "CIS 14"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.DP", "PR.DS", "DE.CM", "PR.AC"]}
modification_date = 2018-11-27
reference = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/"]
providing_technologies = ["AWS", "Splunk Enterprise Security"]
Expand Down Expand Up @@ -1146,7 +1146,7 @@ data_models = ["Email"]
description = Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.
id = 31337aaa-bc22-4752-b599-ef112dq1dq7a
version = 1.0
mappings = {"mitre_attack": ["Valid Accounts", "Create Account"], "kill_chain_phases": ["Actions on Objectives"], "cis20": ["CIS 6", "CIS 16"], "nist": ["DE.CM", "DE.AE", "DE.DP"]}
mappings = {"mitre_attack": ["Valid Accounts", "Create Account"], "cis20": ["CIS 6", "CIS 16"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.DP", "DE.AE", "DE.CM"]}
modification_date = 2018-10-08
reference = ["https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud", "https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718", "https://www.otalliance.org/news-events/press-releases/online-trust-alliance-reports-doubling-cyber-incidents-2017-0"]
providing_technologies = ["Bro", "Microsoft Exchange", "Palo Alto Firewall", "Splunk Enterprise Security", "Splunk Stream"]
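Review bot: The `nist` lists on the three `mappings` lines differ between the two printed versions only in element order (`"DE.CM", "DE.AE", "DE.DP", "PR.AC"` against `"DE.DP", "DE.AE", "DE.CM", "PR.AC"` in the first hunk), and the third hunk also moves the `cis20` key, so the file appears to be written from unordered collections. Emitting each list sorted and the keys in one fixed order, e.g. `"nist": ["DE.AE", "DE.CM", "DE.DP", "PR.AC"]`, would keep commits like this one (1,691 additions and deletions, marked `[ci skip]`) from burying a real change to a story's ATT&CK, CIS or NIST mapping in reorder noise. Separately, the `id` values on the context lines of the second and third hunks, `2e8948a5-5239-406b-b56b-6c50w3168af3` and `31337aaa-bc22-4752-b599-ef112dq1dq7a`, contain `w` and `q`, so they are not valid hexadecimal UUIDs; a format check in the generator would catch that if any consumer parses them. The stanzas start and end outside the hunks.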